# please help, desktop and icons disappeared



## fmonte

Well, I googled "flat bottom boats" and when I clicked on a link for building instructions, I got a porn site and a number of virus warnings. My AVG software healed all the virus warning popups and then I let the AVG software do a complete scan, but now when I go to boot up, my desktop and icons appear for a few seconds and then it goes black, and then comes on again for a few more seconds and then goes black, and this cycle continues 3 times. The last time it turns black and freezes up. During the 3 cycles, I can execute programs but I must get them up and running before that third time. I tried to go to an earlier restore point but it seems that that feature is not working because I am not seeing any bold dates. Please help. Thank you. Frank


----------



## mep916

Post a hijackthis log. Download the program here.


----------



## fmonte

Thank you. 

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:28:02 AM, on 5/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\BrmfBAgS.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe
C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe
C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\imapi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe

O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Panasonic Device Monitor Wakeup] C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe
O4 - HKLM\..\Run: [Panasonic Device Manager for Multi-Function Station software] C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe
O4 - HKLM\..\Run: [Panasonic PCFAX for Multi-Function Station software] C:\Program Files\Panasonic\MFStation\KmPcFax.exe -1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O20 - AppInit_DLLs:  
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - C:\WINDOWS\system32\BrmfBAgS.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panasonic Local Printer Service - Panasonic Communications Co., Ltd. - C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe
O23 - Service: Panasonic Trap Monitor Service - Panasonic - C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe

--
End of file - 7767 bytes


----------



## cohen

Read more tomorrow; I'm going to bed! I'll post something tomorrow.


----------



## Punk

Your HJT log doesn't show any spyware. Let's look deeper:
*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
If that happened we want to know, and also what process you had to end.


----------



## fmonte

Here is the log that you asked for. The whole process only took about 10 minutes. By the way, I was not online during this process. I downloaded the file from my other computer. I was told to stay offline on the infected computer. Please let me know if I need to rerun ComboFix again while being online. Thank you.

ComboFix 08-05-15.3 - Frank 2008-05-19 14:25:14.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1342 [GMT -4:00]
Running from: J:\ComboFix.exe
 * Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Frank\g2mdlhlpx.exe
C:\WINDOWS\system32\JjlSBJlm.ini
C:\WINDOWS\system32\JjlSBJlm.ini2

.
(((((((((((((((((((((((((   Files Created from 2008-04-19 to 2008-05-19  )))))))))))))))))))))))))))))))
.

2008-05-19 14:24 . 2008-05-19 14:25	1,024	--ah-----	C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-19 07:26 . 2008-05-19 07:26	<DIR>	d--------	C:\Program Files\Trend Micro
2008-05-19 07:11 . 2001-08-17 22:36	8,704	--a------	C:\WINDOWS\system32\kbdjpn.dll
2008-05-18 21:47 . 2008-05-18 21:47	<DIR>	d--------	C:\Documents and Settings\Guest\Application Data\Panasonic
2008-05-18 21:47 . 2008-05-18 21:47	<DIR>	d--------	C:\Documents and Settings\Guest\Application Data\AVG7
2008-05-18 21:42 . 2008-05-18 21:42	<DIR>	d--------	C:\Documents and Settings\Problem correction\Application Data\Panasonic
2008-05-18 21:42 . 2008-05-18 21:42	<DIR>	d--------	C:\Documents and Settings\Problem correction\Application Data\AVG7
2008-05-18 18:47 . 2007-09-06 00:22	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2008-05-18 18:47 . 2006-04-27 17:49	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2008-05-18 18:47 . 2008-05-15 23:22	86,528	--a------	C:\WINDOWS\system32\VACFix.exe
2008-05-18 18:47 . 2008-04-28 08:03	82,944	--a------	C:\WINDOWS\system32\IEDFix.exe
2008-05-18 18:47 . 2008-04-28 08:03	82,944	--a------	C:\WINDOWS\system32\404Fix.exe
2008-05-18 18:47 . 2003-06-05 21:13	53,248	--a------	C:\WINDOWS\system32\Process.exe
2008-05-18 18:47 . 2004-07-31 18:50	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2008-05-18 18:47 . 2007-10-04 00:36	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe
2008-05-18 15:24 . 2008-05-18 15:24	1,390,340	--a------	C:\SmitfraudFix.exe
2008-05-18 13:40 . 2008-05-18 18:48	3,050	--a------	C:\WINDOWS\system32\tmp.reg
2008-05-18 13:28 . 2008-05-18 13:28	<DIR>	d--------	C:\Documents and Settings\Guest
2008-05-18 13:28 . 2008-05-19 14:28	1,024	--ah-----	C:\Documents and Settings\Guest\ntuser.dat.LOG
2008-05-18 13:20 . 2006-02-28 08:00	221,184	--a------	C:\WINDOWS\system32\wmpns.dll
2008-05-18 13:19 . 2008-05-18 13:19	<DIR>	d--------	C:\Documents and Settings\Problem correction
2008-05-18 13:19 . 2008-05-19 14:28	1,024	--ah-----	C:\Documents and Settings\Problem correction\ntuser.dat.LOG
2008-05-18 10:53 . 2008-05-18 10:53	319,872	--a------	C:\WINDOWS\system32\mlJBSljJ.dll
2008-05-18 10:48 . 2008-05-18 10:48	<DIR>	dr-h-----	C:\$VAULT$.AVG
2008-05-18 10:48 . 2008-05-17 17:14	286,720	--a------	C:\WINDOWS\pxgdslro.dll
2008-05-18 10:48 . 2008-05-17 17:15	245,760	--a------	C:\WINDOWS\nldfmtappek.dll
2008-05-18 10:48 . 2008-05-18 10:48	28,800	--a------	C:\WINDOWS\system32\cbXQkhFu.dll
2008-05-07 17:43 . 2008-05-08 13:51	<DIR>	d--------	C:\Program Files\Avalon Health Care
2008-05-03 11:53 . 2008-05-03 11:53	<DIR>	d--------	C:\Program Files\Common Files\xing shared
2008-05-03 11:52 . 2008-05-03 11:53	<DIR>	d--------	C:\Program Files\Common Files\Real
2008-05-03 11:50 . 2008-05-03 11:50	<DIR>	d--------	C:\Program Files\Real
2008-04-28 11:21 . 2008-04-28 11:21	<DIR>	d--------	C:\Program Files\SiteChallenge
2008-04-28 11:21 . 2007-05-03 10:15	68,496	--a------	C:\WINDOWS\system32\MLSecurityCOM.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-19 04:13	---------	d-----w	C:\Program Files\LogMeIn
2008-05-18 14:52	---------	d-----w	C:\Documents and Settings\All Users\Application Data\avg7
2008-05-17 13:12	---------	d-----w	C:\Program Files\COMODO
2008-05-17 13:12	---------	d-----w	C:\Documents and Settings\Frank\Application Data\Comodo
2008-05-12 15:34	---------	d-----w	C:\Documents and Settings\Frank\Application Data\AdobeUM
2008-04-15 12:09	1,880	----a-w	C:\WINDOWS\AUTOLNCH.REG
2008-04-02 15:27	---------	d-----w	C:\Program Files\Microsoft Works
2008-03-30 14:44	---------	d-----w	C:\Program Files\2nd Story Software
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47551F98-CC7F-4701-A650-D7231EEA60BD}]
2008-05-18 10:48	28800	--a------	C:\WINDOWS\system32\cbXQkhFu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{966CE0C2-7AD7-40CE-ABB9-87D9E632FD50}]
2008-05-18 10:53	319872	--a------	C:\WINDOWS\system32\mlJBSljJ.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:15 579584]
"HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe" [2001-04-27 12:00 53248]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 05:46 196608]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 19:26 217088]
"nwiz"="nwiz.exe" [2007-06-28 12:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2003-09-06 01:16 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2003-09-06 01:35 40960]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 12:43 8466432]
"Panasonic Device Monitor Wakeup"="C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe" [2006-11-02 15:54 303104]
"Panasonic Device Manager for Multi-Function Station software"="C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe" [2007-05-21 13:46 126976]
"Panasonic PCFAX for Multi-Function Station software"="C:\Program Files\Panasonic\MFStation\KmPcFax.exe" [2007-05-29 11:31 757760]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-03 11:52 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-02 11:19 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-12-16 02:47:49 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\Symantec\WinFax\WfxSeh32.Dll [1998-07-27 05:54 38400]
"{47551F98-CC7F-4701-A650-D7231EEA60BD}"= C:\WINDOWS\system32\cbXQkhFu.dll [2008-05-18 10:48 28800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXQkhFu]
cbXQkhFu.dll 2008-05-18 10:48 28800 C:\WINDOWS\system32\cbXQkhFu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 11:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
--------- 2005-01-07 18:30 864256 C:\Program Files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2007-08-03 16:09 63048 C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-06-28 12:43 8466432 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
--a------ 2007-12-05 11:47 160592 C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-07-18 18:23 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-05-01 19:44 65536 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-06-01 09:48 16208384 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--------- 2004-11-11 18:14 49152 C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-09-28 14:16 185896 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
--a------ 2000-02-14 18:36 43008 C:\WINDOWS\system32\WFXSNT40.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=2 (0x2)
"WZCSVC"=2 (0x2)
"W32Time"=2 (0x2)
"CiSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Panasonic\\TrapMonitor\\Trapmnnt.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 16:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 16:09]
R2 Panasonic Local Printer Service;Panasonic Local Printer Service;C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe [2004-08-03 05:33]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 14:12]
S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 14:12]
S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys [2001-08-17 14:12]
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2004-11-23 18:39]
S4 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [2000-02-14 18:36]

.
**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\

scan completed successfully
hidden files: 

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cbXQkhFu.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\BRSS01A.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\BrmfBAgS.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
.
**************************************************************************
.
Completion time: 2008-05-19 14:30:33 - machine was rebooted
ComboFix-quarantined-files.txt  2008-05-19 18:30:29

Pre-Run: 279,903,870,976 bytes free
Post-Run: 280,056,901,632 bytes free

234	--- E O F ---	2008-05-18 19:42:34

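The "Reg Loading Points" section of the ComboFix log above is where the answer to this thread actually lives: the same unknown DLL, C:\WINDOWS\system32\cbXQkhFu.dll, is registered as a Browser Helper Object, as a ShellExecuteHook and as a Winlogon notification package (and the "DLLs Loaded Under Running Processes" section confirms winlogon.exe has loaded it), while a second unknown DLL, mlJBSljJ.dll, sits under a second BHO entry. The following triage script is an added example for defenders reading such a log; it is not ComboFix's or HijackThis's own code and not something from this thread. It parses the bracketed registry keys and the module paths beneath them, then scores each module by where it is registered, whether the same file is registered in more than one autostart location, whether its file name looks machine-generated, and whether its timestamp falls near the incident. The sample input is an excerpt built from lines of the posted log; the incident date (2008-05-18) is assumed from the file-creation timestamps in that log, and the scoring weights and the name heuristic are the example's own choices, not anything ComboFix implements.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: an excerpt in the shape of ComboFix's "Reg Loading Points"
# section, using entries copied from the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47551F98-CC7F-4701-A650-D7231EEA60BD}]
2008-05-18 10:48    28800    --a------    C:\WINDOWS\system32\cbXQkhFu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{966CE0C2-7AD7-40CE-ABB9-87D9E632FD50}]
2008-05-18 10:53    319872    --a------    C:\WINDOWS\system32\mlJBSljJ.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:15 579584]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 12:43 8466432]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\Symantec\WinFax\WfxSeh32.Dll [1998-07-27 05:54 38400]
"{47551F98-CC7F-4701-A650-D7231EEA60BD}"= C:\WINDOWS\system32\cbXQkhFu.dll [2008-05-18 10:48 28800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXQkhFu]
cbXQkhFu.dll 2008-05-18 10:48 28800 C:\WINDOWS\system32\cbXQkhFu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll
"""

# Assumed incident date, taken from the file-creation timestamps in the posted log.
INCIDENT_DAY = datetime(2008, 5, 18)

PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe)\b", re.IGNORECASE)
STAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}")

# Autostart locations that load a module into *other* processes (IE, Explorer,
# winlogon). The Run key, by contrast, just launches ordinary startup programs.
HOOK_LOCATIONS = {
    "browser helper objects": "BHO",
    "shellexecutehooks": "ShellExecuteHook",
    r"winlogon\notify": "WinlogonNotify",
}
VOWELS = set("aeiou")


def classify_key(key: str) -> str:
    """Map a registry key from the log to a coarse autostart category."""
    k = key.lower()
    for marker, name in HOOK_LOCATIONS.items():
        if marker in k:
            return name
    return "Run" if k.endswith(r"\run") else "Other"


def looks_random(stem: str) -> bool:
    """Heuristic (example's own): long, letters-only, almost no vowels, mixed case."""
    if len(stem) < 7 or not stem.isalpha():
        return False
    vowel_ratio = sum(c.lower() in VOWELS for c in stem) / len(stem)
    case_flips = sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:]))
    return vowel_ratio < 0.25 and case_flips >= 3


def parse_loading_points(log_text: str):
    """Yield (registry key, module path, timestamp) for each module listed under a key."""
    key = None
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new registry key; following lines belong to it
            continue
        if key is None:
            continue
        path = PATH_RE.search(line)
        if not path:
            continue
        stamp = STAMP_RE.search(line)
        ts = datetime.strptime(stamp.group(), "%Y-%m-%d %H:%M") if stamp else None
        yield key, path.group(), ts


def triage(log_text: str, incident_day: datetime, window: timedelta = timedelta(days=2)):
    """Score every module; returns {lower-cased path: {path, locations, reasons, score}}."""
    entries = defaultdict(lambda: {"path": None, "locations": set(), "reasons": [],
                                   "score": 0, "timestamp": None})
    for key, path, ts in parse_loading_points(log_text):
        e = entries[path.lower()]
        e["path"] = path
        e["locations"].add(classify_key(key))
        if ts and (e["timestamp"] is None or ts > e["timestamp"]):
            e["timestamp"] = ts
    for e in entries.values():
        stem = e["path"].rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        hooks = e["locations"] & set(HOOK_LOCATIONS.values())
        if hooks:                      # injected into other processes
            e["score"] += 2
            e["reasons"].append("loads into other processes via " + ", ".join(sorted(hooks)))
        if len(e["locations"]) >= 2:   # same file wired into several autostart points
            e["score"] += 2
            e["reasons"].append("registered in %d autostart locations" % len(e["locations"]))
        if looks_random(stem):
            e["score"] += 1
            e["reasons"].append("name looks machine-generated")
        if e["timestamp"] and abs(e["timestamp"] - incident_day) <= window:
            e["score"] += 1
            e["reasons"].append("timestamp within incident window")
    return dict(entries)


def ranked(log_text: str, incident_day: datetime):
    """Modules ordered from most to least suspicious: (path, score, reasons)."""
    found = triage(log_text, incident_day)
    return sorted(((e["path"], e["score"], e["reasons"]) for e in found.values()),
                  key=lambda t: -t[1])


if __name__ == "__main__":
    for path, score, reasons in ranked(SAMPLE_LOG, INCIDENT_DAY):
        print("%d  %s\n      %s" % (score, path, "; ".join(reasons)))
```

On the sample, cbXQkhFu.dll scores highest (hook location, three autostart locations, generated-looking name, incident-window timestamp), mlJBSljJ.dll next, and the two legitimate hooks from the log (WinFax's WfxSeh32.Dll and LogMeIn's LMIinit.dll) score only for their location, which is the point of corroborating signals: hook location alone is not evidence, and the name heuristic alone would also trip on legitimate vendor binaries with odd names (the thread's own BrmfBAgS.exe would pass it). A high score is a reason to check the file's publisher signature and vendor, not a verdict by itself.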

----------



## cohen

Do a scan on the admin account


----------



## fmonte

Thank you Cohen but what do you mean "do a scan". Please advise in detail because I know very little about all of this.


----------



## cohen

fmonte said:


> Thank you Cohen but what do you mean "do a scan". Please advise in detail because I know very little about all of this.



The log you posted above: you need to do it again, but on the admin account, so we can have more information.


----------



## fmonte

I'm confused. Before this problem I had two accounts show up. One is called Frank (computer administrator) and the other is called Guest (guest account is on). Yesterday when I asked for help, someone suggested I make a new account and see if that would make the computer work properly, but it made no difference. So now I have a third account called Problem Correction (computer administrator). So, in other words, I think I have already provided what you have asked for above. By the way, should I just delete that new account since it did not do any good? Thanks again.


----------



## GameMaster

You don't have to delete it, but just log in as administrator and perform the ComboFix scan again ( run it again and post a new log ).


----------



## fmonte

I'm still not sure what you are asking. I don't know what you mean as sign on as administrator. In any event, what I did is boot the computer to the welcome screen where there are the 3 icons that I mentioned above. I clicked on the one that said Frank and then I clicked on the desktop icon Combofix to run the scan. After completion the text doc popped up. Here are the results:

ComboFix 08-05-15.3 - Frank 2008-05-20  8:25:36.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1363 [GMT -4:00]
Running from: J:\ComboFix.exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\JjlSBJlm.ini
C:\WINDOWS\system32\JjlSBJlm.ini2

.
(((((((((((((((((((((((((   Files Created from 2008-04-20 to 2008-05-20  )))))))))))))))))))))))))))))))
.

2008-05-19 14:24 . 2008-05-19 14:25	1,024	--ah-----	C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-19 07:26 . 2008-05-19 07:26	<DIR>	d--------	C:\Program Files\Trend Micro
2008-05-18 21:47 . 2008-05-18 21:47	<DIR>	d--------	C:\Documents and Settings\Guest\Application Data\Panasonic
2008-05-18 21:47 . 2008-05-18 21:47	<DIR>	d--------	C:\Documents and Settings\Guest\Application Data\AVG7
2008-05-18 21:42 . 2008-05-18 21:42	<DIR>	d--------	C:\Documents and Settings\Problem correction\Application Data\Panasonic
2008-05-18 21:42 . 2008-05-18 21:42	<DIR>	d--------	C:\Documents and Settings\Problem correction\Application Data\AVG7
2008-05-18 18:47 . 2007-09-06 00:22	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2008-05-18 18:47 . 2006-04-27 17:49	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2008-05-18 18:47 . 2008-05-15 23:22	86,528	--a------	C:\WINDOWS\system32\VACFix.exe
2008-05-18 18:47 . 2008-04-28 08:03	82,944	--a------	C:\WINDOWS\system32\IEDFix.exe
2008-05-18 18:47 . 2008-04-28 08:03	82,944	--a------	C:\WINDOWS\system32\404Fix.exe
2008-05-18 18:47 . 2003-06-05 21:13	53,248	--a------	C:\WINDOWS\system32\Process.exe
2008-05-18 18:47 . 2004-07-31 18:50	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2008-05-18 18:47 . 2007-10-04 00:36	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe
2008-05-18 15:24 . 2008-05-18 15:24	1,390,340	--a------	C:\SmitfraudFix.exe
2008-05-18 13:40 . 2008-05-18 18:48	3,050	--a------	C:\WINDOWS\system32\tmp.reg
2008-05-18 13:28 . 2008-05-18 13:28	<DIR>	d--------	C:\Documents and Settings\Guest
2008-05-18 13:28 . 2008-05-20 08:29	1,024	--ah-----	C:\Documents and Settings\Guest\ntuser.dat.LOG
2008-05-18 13:20 . 2006-02-28 08:00	221,184	--a------	C:\WINDOWS\system32\wmpns.dll
2008-05-18 13:19 . 2008-05-18 13:19	<DIR>	d--------	C:\Documents and Settings\Problem correction
2008-05-18 13:19 . 2008-05-20 08:29	1,024	--ah-----	C:\Documents and Settings\Problem correction\ntuser.dat.LOG
2008-05-18 10:53 . 2008-05-18 10:53	319,872	--a------	C:\WINDOWS\system32\mlJBSljJ.dll
2008-05-18 10:48 . 2008-05-18 10:48	<DIR>	dr-h-----	C:\$VAULT$.AVG
2008-05-18 10:48 . 2008-05-17 17:14	286,720	--a------	C:\WINDOWS\pxgdslro.dll
2008-05-18 10:48 . 2008-05-17 17:15	245,760	--a------	C:\WINDOWS\nldfmtappek.dll
2008-05-18 10:48 . 2008-05-18 10:48	28,800	--a------	C:\WINDOWS\system32\cbXQkhFu.dll
2008-05-07 17:43 . 2008-05-08 13:51	<DIR>	d--------	C:\Program Files\Avalon Health Care
2008-05-03 11:53 . 2008-05-03 11:53	<DIR>	d--------	C:\Program Files\Common Files\xing shared
2008-05-03 11:52 . 2008-05-03 11:53	<DIR>	d--------	C:\Program Files\Common Files\Real
2008-05-03 11:50 . 2008-05-03 11:50	<DIR>	d--------	C:\Program Files\Real
2008-04-28 11:21 . 2008-04-28 11:21	<DIR>	d--------	C:\Program Files\SiteChallenge
2008-04-28 11:21 . 2007-05-03 10:15	68,496	--a------	C:\WINDOWS\system32\MLSecurityCOM.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-20 04:02	---------	d-----w	C:\Program Files\LogMeIn
2008-05-18 14:52	---------	d-----w	C:\Documents and Settings\All Users\Application Data\avg7
2008-05-17 13:12	---------	d-----w	C:\Program Files\COMODO
2008-05-17 13:12	---------	d-----w	C:\Documents and Settings\Frank\Application Data\Comodo
2008-05-12 15:34	---------	d-----w	C:\Documents and Settings\Frank\Application Data\AdobeUM
2008-04-15 12:09	1,880	----a-w	C:\WINDOWS\AUTOLNCH.REG
2008-04-02 15:27	---------	d-----w	C:\Program Files\Microsoft Works
2008-03-30 14:44	---------	d-----w	C:\Program Files\2nd Story Software
.

(((((((((((((((((((((((((((((   snapshot@2008-05-19_14.30.16.78   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-19 18:28:46	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-05-20 12:29:04	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47551F98-CC7F-4701-A650-D7231EEA60BD}]
2008-05-18 10:48	28800	--a------	C:\WINDOWS\system32\cbXQkhFu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E2937F69-9299-4609-AD57-536278226A08}]
2008-05-18 10:53	319872	--a------	C:\WINDOWS\system32\mlJBSljJ.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:15 579584]
"HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe" [2001-04-27 12:00 53248]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 05:46 196608]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 19:26 217088]
"nwiz"="nwiz.exe" [2007-06-28 12:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2003-09-06 01:16 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2003-09-06 01:35 40960]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 12:43 8466432]
"Panasonic Device Monitor Wakeup"="C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe" [2006-11-02 15:54 303104]
"Panasonic Device Manager for Multi-Function Station software"="C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe" [2007-05-21 13:46 126976]
"Panasonic PCFAX for Multi-Function Station software"="C:\Program Files\Panasonic\MFStation\KmPcFax.exe" [2007-05-29 11:31 757760]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-03 11:52 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-02 11:19 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-12-16 02:47:49 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\Symantec\WinFax\WfxSeh32.Dll [1998-07-27 05:54 38400]
"{47551F98-CC7F-4701-A650-D7231EEA60BD}"= C:\WINDOWS\system32\cbXQkhFu.dll [2008-05-18 10:48 28800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXQkhFu]
cbXQkhFu.dll 2008-05-18 10:48 28800 C:\WINDOWS\system32\cbXQkhFu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 11:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
--------- 2005-01-07 18:30 864256 C:\Program Files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2007-08-03 16:09 63048 C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-06-28 12:43 8466432 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
--a------ 2007-12-05 11:47 160592 C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-07-18 18:23 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-05-01 19:44 65536 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-06-01 09:48 16208384 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--------- 2004-11-11 18:14 49152 C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-09-28 14:16 185896 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
--a------ 2000-02-14 18:36 43008 C:\WINDOWS\system32\WFXSNT40.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=2 (0x2)
"WZCSVC"=2 (0x2)
"W32Time"=2 (0x2)
"CiSvc"=3 (0x3)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Panasonic\\TrapMonitor\\Trapmnnt.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009

R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 16:09]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 16:09]
R2 Panasonic Local Printer Service;Panasonic Local Printer Service;C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe [2004-08-03 05:33]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 14:12]
S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 14:12]
S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys [2001-08-17 14:12]
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2004-11-23 18:39]
S4 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [2000-02-14 18:36]

.
**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\

scan completed successfully
hidden files: 

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cbXQkhFu.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\BRSS01A.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\BrmfBAgS.exe
C:\Program Files\LogMeIn\x86\ramaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
.
**************************************************************************
.
Completion time: 2008-05-20  8:31:13 - machine was rebooted
ComboFix-quarantined-files.txt  2008-05-20 12:31:08
ComboFix2.txt  2008-05-19 18:30:33

Pre-Run: 280,088,997,888 bytes free
Post-Run: 280,074,104,832 bytes free

237	--- E O F ---	2008-05-18 19:42:34


----------



## fmonte

I just noticed that after running that last ComboFix, the problem seems to be gone. My icons are not disappearing anymore and the performance seems normal. I will continue to monitor things and let you know. Not that I am complaining, but what happened? Also, is it now safe to get back on the internet with this computer? Thanks again.


----------



## fmonte

Problem returned, please help. Thank you.


----------



## Punk

Yes, there are still a few malicious files that are downloading the deleted files. I'm really busy right now until mid-June, got my SAT exams (the BAC in France).

If either GameMaster or Ceewi1 wants to continue on disinfecting you, they can.


----------



## GameMaster

Well, it seems that I'm online the most.
Since I couldn't find any nasties in your HijackThis log and since the ComboFix log shows some random files, we can try a couple more scans. But before that I want to make sure it's not some XP setting problem.

1. Please right click on Desktop>Properties>General tab>uncheck the *Run wizard every xx days*

2. If that doesn't help, open your Task Manager (Ctrl+Alt+Del) and find a process *sysu.exe*

If found, stop it.
After that, delete this folder: *ddm* if found. It should be in C:/Programs/ddm

3. If that didn't help:

Please use the *Internet Explorer* browser (or FireFox with IETab), and do an online scan with *Kaspersky Online Scanner*

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(*Note*.. _for Internet *Explorer 7* users: If at any time you have trouble with the "*Accept*" button of the license, click on the "*Zoom*" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%_.)
The program launches and downloads the latest definition files. 
Once the files are downloaded click on *Next*
Click on *Scan Settings* and configure as follows:
Scan using the following Anti-Virus database: *Extended*
Scan Options: *Scan Archives*, *Scan Mail Bases*
Click *OK* and, under select a target to scan, select *My Computer*
When the scan is done, in the _Scan is completed _window (below), any infection is displayed. 
There is no option to clean/disinfect, however, we need to analyze the information on the report. 

To obtain the report:
Click on: *Save Report As* (above - red blinking arrow)
Next, in the _Save as _prompt, _Save in_ area, select: *Desktop*
In the _File name_ area, use KScan, or something similar
In _Save as type_, click the drop arrow and select: *Text file [*.txt]* 
Then, click: *Save* 
Please post the *Kaspersky Online Scanner Report *in your reply.


----------



## fmonte

1. I could not do. I right clicked on an open spot on the desktop and left clicked on properties but there was no general tab.

2. In Task Manager processes there was no sysu.exe.

3. I could not get to ddm. I clicked on the C drive and then Program Files, but by that time my screen went blank, so I did not have time to search for ddm.

Finally, here is the report you asked for:

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Tuesday, May 20, 2008 6:47:00 PM
 Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update: 20/05/2008
 Kaspersky Anti-Virus database records: 788626
-------------------------------------------------------------------------------

Scan Settings:
	Scan using the following antivirus database: extended
	Scan Archives: true
	Scan Mail Bases: true

Scan Target - My Computer:
	C:\
	D:\
	E:\
	F:\
	G:\
	H:\
	J:\

Scan Statistics:
	Total number of scanned objects: 95541
	Number of viruses found: 2
	Number of infected objects: 7
	Number of suspicious objects: 0
	Duration of the scan process: 01:10:16

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat	Object is locked	skipped
C:\Documents and Settings\Frank\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\Frank\Desktop\SmitfraudFix\Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\Documents and Settings\Frank\Desktop\SmitfraudFix.exe/SmitfraudFix/Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\Documents and Settings\Frank\Desktop\SmitfraudFix.exe	RAR: infected - 1	skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\Frank\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Frank\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Frank\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Frank\ntuser.dat	Object is locked	skipped
C:\Documents and Settings\Frank\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\master.mdf	Object is locked	skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\mastlog.ldf	Object is locked	skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\model.mdf	Object is locked	skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\modellog.ldf	Object is locked	skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\tempdb.mdf	Object is locked	skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Data\templog.ldf	Object is locked	skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\LOG\ERRORLOG	Object is locked	skipped
C:\SmitfraudFix.exe/SmitfraudFix/Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\SmitfraudFix.exe	RAR: infected - 1	skipped
C:\System Volume Information\MountPointManagerRemoteDatabase	Object is locked	skipped
C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP196\A0049551.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP202\change.log	Object is locked	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\nldfmtappek.dll	Object is locked	skipped
C:\WINDOWS\pxgdslro.dll	Object is locked	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\edb.log	Object is locked	skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb	Object is locked	skipped
C:\WINDOWS\system32\cbXQkhFu.dll	Infected: Trojan.Win32.Inject.cdi	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\default	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\Internet.evt	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\system	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP	Object is locked	skipped
C:\WINDOWS\Temp\Perflib_Perfdata_778.dat	Object is locked	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped

Scan process completed.


----------



## GameMaster

Hello!
Please search for this file : C:\WINDOWS\system32\*cbXQkhFu.dll* and delete it.
To find it, go to Start>Search>All files and folders> on advanced options, check all: Search hidden files and folders, search subfolders, search system files and folders...

Then type *cbXQkhFu.dll*; when found, delete it.

After you've deleted it, reboot your computer and post a fresh HijackThis log.


----------



## fmonte

Sorry, can't do. Did what you said, but when I clicked on the file to delete it, a message popped up that says: cannot delete, this file is being used by another person or program. Close any programs that might be using the file and try again.

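As an added example (not part of this thread, and not ComboFix's own code), here is a small Python triage script run over a constructed excerpt modelled on the ComboFix sections posted above: it reads the Browser Helper Objects, ShellExecuteHooks and Winlogon Notify entries, cross-references the "DLLs Loaded Under Running Processes" list, and ranks recently created, random-looking DLLs. It also makes the "cannot delete" message explainable from the log alone, because the same file is recorded as mapped into winlogon.exe. The 7-day "recent" window and the random-name rule are heuristics assumed for this example.

```python
import re
from datetime import datetime, timedelta

# Constructed excerpt modelled on the ComboFix sections posted above (same values).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47551F98-CC7F-4701-A650-D7231EEA60BD}]
2008-05-18 10:48  28800  --a------  C:\WINDOWS\system32\cbXQkhFu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FA630BA-0B92-42A2-9485-4634ACE73682}]
2008-05-18 10:53  319872  --a------  C:\WINDOWS\system32\mlJBSljJ.dll

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\Symantec\WinFax\WfxSeh32.Dll [1998-07-27 05:54 38400]
"{47551F98-CC7F-4701-A650-D7231EEA60BD}"= C:\WINDOWS\system32\cbXQkhFu.dll [2008-05-18 10:48 28800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXQkhFu]
cbXQkhFu.dll 2008-05-18 10:48 28800 C:\WINDOWS\system32\cbXQkhFu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cbXQkhFu.dll
"""
LOG_DATE = datetime(2008, 5, 21)  # completion date of the posted log

# Registry locations that get a DLL loaded into the browser, the shell or winlogon.
WATCHED = {"browser helper objects": "BHO",
           "shellexecutehooks": "ShellExecuteHook",
           "winlogon\\notify": "WinlogonNotify"}
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:dll|exe)\b", re.IGNORECASE)
TIME_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}")


def classify_section(header):
    """Map a '[HKEY...]' header line to a watched location label, or None."""
    lowered = header.lower()
    return next((label for needle, label in WATCHED.items() if needle in lowered), None)


def parse_autostarts(text):
    """Collect {path_lower: entry} for every file registered under a watched key."""
    entries, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            section = classify_section(line)  # a new registry key begins
        elif line.startswith(("-", "(", "PROCESS:")):
            section = None  # banner or process list, not registry data
        elif section:
            match = PATH_RE.search(line)
            if match is None:
                continue
            stamp = TIME_RE.search(line)
            entry = entries.setdefault(match.group(0).lower(), {
                "path": match.group(0), "locations": set(),
                "mtime": datetime.strptime(stamp.group(0), "%Y-%m-%d %H:%M") if stamp else None})
            entry["locations"].add(section)
    return entries


def parse_loaded_dlls(text):
    """Return {dll_lower: process} from the 'DLLs Loaded Under Running Processes' list."""
    loaded, process = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("PROCESS:"):
            process = line.split(":", 1)[1].strip()
        elif line.startswith("->") and process:
            loaded[line[2:].strip().lower()] = process
    return loaded


def looks_random(path):
    """Heuristic for generated names such as cbXQkhFu: 8 letters with >= 3 case flips."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if len(stem) != 8 or not stem.isalpha():
        return False
    return sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:])) >= 3


def triage(text, now, recent_days=7):
    """Score each autostart file: one point per load point, plus recency, a
    random-looking name, and being mapped into a running process (which is also
    why a plain delete fails: the file stays in use until that process is gone)."""
    loaded, findings = parse_loaded_dlls(text), []
    for key, entry in parse_autostarts(text).items():
        recent = entry["mtime"] is not None and now - entry["mtime"] <= timedelta(days=recent_days)
        proc, rnd = loaded.get(key), looks_random(entry["path"])
        findings.append({"path": entry["path"], "locations": sorted(entry["locations"]),
                         "recent": recent, "random_name": rnd, "loaded_in": proc,
                         "score": len(entry["locations"]) + recent + rnd + (proc is not None)})
    return sorted(findings, key=lambda f: -f["score"])


def run_sample():
    """Triage the constructed excerpt against the log's own completion date."""
    return triage(SAMPLE_LOG, LOG_DATE)
```

On the excerpt, cbXQkhFu.dll ranks first: three load points, created days before the log, a generated-looking name, and mapped into winlogon.exe, which is the process holding the file open when a delete from the desktop fails.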

----------



## fmonte

FYI, earlier I told you I could not get into safe mode. I figured out a way. First I run ComboFix and when it reboots I click on F8 and get into safe mode okay. Please note: at the welcome screen I now see a button that is called "Administrator". On a normal boot I don't see that button, but it shows up in safe mode. The other day you asked me to create a log as the administrator. Would it still be helpful if I do that now? Thank you.


----------



## fmonte

Earlier in the discussion, Cohen asked me to run a log as the administrator. I just located it as I mentioned above. Here is the log requested. I hope it helps give you the additional info you need. Thank you.

ComboFix 08-05-15.3 - Frank 2008-05-21  9:21:16.9 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1358 [GMT -4:00]
Running from: J:\ComboFix.exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\JjlSBJlm.ini
C:\WINDOWS\system32\JjlSBJlm.ini2

.
(((((((((((((((((((((((((   Files Created from 2008-04-21 to 2008-05-21  )))))))))))))))))))))))))))))))
.

2008-05-21 08:57 . 2007-12-02 00:10	<DIR>	d--h-----	C:\Documents and Settings\Administrator\Templates
2008-05-21 08:57 . 2007-12-01 19:03	<DIR>	dr-------	C:\Documents and Settings\Administrator\Start Menu
2008-05-21 08:57 . 2007-12-02 00:13	<DIR>	dr-h-----	C:\Documents and Settings\Administrator\SendTo
2008-05-21 08:57 . 2007-12-01 19:03	<DIR>	d--h-----	C:\Documents and Settings\Administrator\Recent
2008-05-21 08:57 . 2007-12-01 19:03	<DIR>	d--h-----	C:\Documents and Settings\Administrator\PrintHood
2008-05-21 08:57 . 2007-12-01 19:03	<DIR>	d--h-----	C:\Documents and Settings\Administrator\NetHood
2008-05-21 08:57 . 2007-12-01 19:03	<DIR>	d--------	C:\Documents and Settings\Administrator\My Documents
2008-05-21 08:57 . 2007-12-01 19:03	<DIR>	d--h-----	C:\Documents and Settings\Administrator\Local Settings
2008-05-21 08:57 . 2007-12-01 19:03	<DIR>	d--------	C:\Documents and Settings\Administrator\Favorites
2008-05-21 08:57 . 2007-12-01 19:03	<DIR>	d--------	C:\Documents and Settings\Administrator\Desktop
2008-05-21 08:57 . 2007-12-02 00:16	<DIR>	d---s----	C:\Documents and Settings\Administrator\Cookies
2008-05-21 08:57 . 2007-12-13 09:38	<DIR>	d---s----	C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-05-21 08:57 . 2007-12-01 19:03	<DIR>	dr-h-----	C:\Documents and Settings\Administrator\Application Data
2008-05-21 08:57 . 2008-05-21 08:57	<DIR>	d--------	C:\Documents and Settings\Administrator
2008-05-21 08:57 . 2008-05-21 09:25	524,288	--ah-----	C:\Documents and Settings\Administrator\NTUSER.DAT
2008-05-21 08:57 . 2008-05-21 09:25	65,536	--ah-----	C:\Documents and Settings\Administrator\ntuser.dat.LOG
2008-05-20 16:59 . 2008-05-20 16:59	<DIR>	d--------	C:\WINDOWS\system32\Kaspersky Lab
2008-05-20 16:59 . 2008-05-20 16:59	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-20 08:51 . 2008-05-20 09:35	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\comodo
2008-05-19 14:24 . 2008-05-21 09:25	1,024	--ah-----	C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
2008-05-19 07:26 . 2008-05-19 07:26	<DIR>	d--------	C:\Program Files\Trend Micro
2008-05-18 21:47 . 2008-05-18 21:47	<DIR>	d--------	C:\Documents and Settings\Guest\Application Data\Panasonic
2008-05-18 21:47 . 2008-05-18 21:47	<DIR>	d--------	C:\Documents and Settings\Guest\Application Data\AVG7
2008-05-18 21:42 . 2008-05-18 21:42	<DIR>	d--------	C:\Documents and Settings\Problem correction\Application Data\Panasonic
2008-05-18 21:42 . 2008-05-18 21:42	<DIR>	d--------	C:\Documents and Settings\Problem correction\Application Data\AVG7
2008-05-18 18:47 . 2007-09-06 00:22	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2008-05-18 18:47 . 2006-04-27 17:49	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2008-05-18 18:47 . 2008-05-15 23:22	86,528	--a------	C:\WINDOWS\system32\VACFix.exe
2008-05-18 18:47 . 2008-04-28 08:03	82,944	--a------	C:\WINDOWS\system32\IEDFix.exe
2008-05-18 18:47 . 2008-04-28 08:03	82,944	--a------	C:\WINDOWS\system32\404Fix.exe
2008-05-18 18:47 . 2003-06-05 21:13	53,248	--a------	C:\WINDOWS\system32\Process.exe
2008-05-18 18:47 . 2004-07-31 18:50	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2008-05-18 18:47 . 2007-10-04 00:36	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe
2008-05-18 15:24 . 2008-05-18 15:24	1,390,340	--a------	C:\SmitfraudFix.exe
2008-05-18 13:40 . 2008-05-18 18:48	3,050	--a------	C:\WINDOWS\system32\tmp.reg
2008-05-18 13:28 . 2008-05-20 09:36	<DIR>	d--------	C:\Documents and Settings\Guest
2008-05-18 13:28 . 2008-05-21 09:25	1,024	--ah-----	C:\Documents and Settings\Guest\ntuser.dat.LOG
2008-05-18 13:20 . 2006-02-28 08:00	221,184	--a------	C:\WINDOWS\system32\wmpns.dll
2008-05-18 13:19 . 2008-05-20 09:36	<DIR>	d--------	C:\Documents and Settings\Problem correction
2008-05-18 13:19 . 2008-05-21 09:25	1,024	--ah-----	C:\Documents and Settings\Problem correction\ntuser.dat.LOG
2008-05-18 10:53 . 2008-05-18 10:53	319,872	--a------	C:\WINDOWS\system32\mlJBSljJ.dll
2008-05-18 10:48 . 2008-05-20 20:34	<DIR>	dr-h-----	C:\$VAULT$.AVG
2008-05-18 10:48 . 2008-05-18 10:48	28,800	--a------	C:\WINDOWS\system32\cbXQkhFu.dll
2008-05-07 17:43 . 2008-05-08 13:51	<DIR>	d--------	C:\Program Files\Avalon Health Care
2008-05-03 11:53 . 2008-05-03 11:53	<DIR>	d--------	C:\Program Files\Common Files\xing shared
2008-05-03 11:52 . 2008-05-03 11:53	<DIR>	d--------	C:\Program Files\Common Files\Real
2008-05-03 11:50 . 2008-05-03 11:50	<DIR>	d--------	C:\Program Files\Real
2008-04-28 11:21 . 2008-04-28 11:21	<DIR>	d--------	C:\Program Files\SiteChallenge
2008-04-28 11:21 . 2007-05-03 10:15	68,496	--a------	C:\WINDOWS\system32\MLSecurityCOM.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 12:49	---------	d-----w	C:\Program Files\LogMeIn
2008-05-20 12:51	---------	d-----w	C:\Program Files\COMODO
2008-05-20 12:51	---------	d-----w	C:\Documents and Settings\Frank\Application Data\Comodo
2008-05-18 14:52	---------	d-----w	C:\Documents and Settings\All Users\Application Data\avg7
2008-05-12 15:34	---------	d-----w	C:\Documents and Settings\Frank\Application Data\AdobeUM
2008-04-15 12:09	1,880	----a-w	C:\WINDOWS\AUTOLNCH.REG
2008-04-02 15:27	---------	d-----w	C:\Program Files\Microsoft Works
2008-03-30 14:44	---------	d-----w	C:\Program Files\2nd Story Software
.

(((((((((((((((((((((((((((((   snapshot@2008-05-19_14.30.16.78   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-19 18:28:46	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-05-21 13:24:55	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-05-20 02:11:28	441,402	----a-w	C:\WINDOWS\pchealth\helpctr\Config\Cache\Professional_32_1033.dat
+ 2008-05-20 02:11:28	441,402	----a-w	C:\WINDOWS\pchealth\helpctr\Config\Cache\Professional_32_1033.dat.bak
+ 2005-05-24 16:27:16	213,048	----a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20	94,208	----a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54	950,272	----a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
- 2008-05-18 15:46:37	8,712	----a-w	C:\WINDOWS\system32\Restore\rstrlog.dat
+ 2008-05-20 13:36:47	184,196	----a-w	C:\WINDOWS\system32\Restore\rstrlog.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{47551F98-CC7F-4701-A650-D7231EEA60BD}]
2008-05-18 10:48	28800	--a------	C:\WINDOWS\system32\cbXQkhFu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FA630BA-0B92-42A2-9485-4634ACE73682}]
2008-05-18 10:53	319872	--a------	C:\WINDOWS\system32\mlJBSljJ.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 08:15 579584]
"HP Lamp"="C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe" [2001-04-27 12:00 53248]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2005-03-15 05:46 196608]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-03-23 19:26 217088]
"nwiz"="nwiz.exe" [2007-06-28 12:43 1626112 C:\WINDOWS\system32\nwiz.exe]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2003-09-06 01:16 57393]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2003-09-06 01:35 40960]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-28 12:43 8466432]
"Panasonic Device Monitor Wakeup"="C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe" [2006-11-02 15:54 303104]
"Panasonic Device Manager for Multi-Function Station software"="C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe" [2007-05-21 13:46 126976]
"Panasonic PCFAX for Multi-Function Station software"="C:\Program Files\Panasonic\MFStation\KmPcFax.exe" [2007-05-29 11:31 757760]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-05-03 11:52 185896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-12-02 11:19 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26 29696]
Device Detector 3.lnk - C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe [2007-12-16 02:47:49 114688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{A213B520-C6C2-11d0-AF9D-008029E1027E}"= C:\Program Files\Symantec\WinFax\WfxSeh32.Dll [1998-07-27 05:54 38400]
"{47551F98-CC7F-4701-A650-D7231EEA60BD}"= C:\WINDOWS\system32\cbXQkhFu.dll [2008-05-18 10:48 28800]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXQkhFu]
cbXQkhFu.dll 2008-05-18 10:48 28800 C:\WINDOWS\system32\cbXQkhFu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-15 19:46 87352 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Service Manager.lnk
backup=C:\WINDOWS\pss\Service Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
--a------ 2005-05-03 11:43 69632 C:\WINDOWS\Alcmtr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlCenter2.0]
--------- 2005-01-07 18:30 864256 C:\Program Files\Brother\ControlCenter2\brctrcen.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2006-02-28 08:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
--a------ 2007-08-03 16:09 63048 C:\Program Files\LogMeIn\x86\LogMeInSystray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-06-28 12:43 8466432 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoboForm]
--a------ 2007-12-05 11:47 160592 C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
--a------ 2003-07-18 18:23 868352 C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
--a------ 2003-05-01 19:44 65536 C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
--a------ 2006-06-01 09:48 16208384 C:\WINDOWS\RTHDCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SetDefPrt]
--------- 2004-11-11 18:14 49152 C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-05-16 11:04 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
--a------ 2006-09-28 14:16 185896 C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFaxAppPortStarter]
--a------ 2000-02-14 18:36 43008 C:\WINDOWS\system32\WFXSNT40.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"BITS"=2 (0x2)
"WZCSVC"=2 (0x2)
"W32Time"=2 (0x2)
"CiSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Panasonic\\TrapMonitor\\Trapmnnt.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009

S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-08-03 16:09]
S2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\system32\drivers\LMIRfsDriver.sys [2007-08-03 16:09]
S2 Panasonic Local Printer Service;Panasonic Local Printer Service;C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe [2004-08-03 05:33]
S3 brfilt;Brother MFC Filter Driver;C:\WINDOWS\system32\Drivers\Brfilt.sys [2001-08-17 14:12]
S3 brparimg;Brother Multi Function Parallel Image driver;C:\WINDOWS\system32\DRIVERS\BrParImg.sys [2001-08-17 14:12]
S3 BrParWdm;Brother WDM Parallel Driver;C:\WINDOWS\system32\Drivers\BrParwdm.sys [2001-08-17 14:12]
S3 BrSerWDM;Brother WDM Serial driver;C:\WINDOWS\system32\Drivers\BrSerWdm.sys [2004-11-23 18:39]
S4 wfxsvc;WinFax PRO;C:\WINDOWS\system32\WFXSVC.EXE [2000-02-14 18:36]

.
**************************************************************************

disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

please note that you need administrator rights to perform deep scan
disk not found C:\

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\
disk not found C:\

scan completed successfully
hidden files: 

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\cbXQkhFu.dll
-> C:\WINDOWS\system32\tsd32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
.
**************************************************************************
.
Completion time: 2008-05-21  9:27:16 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt  2008-05-21 13:27:10
ComboFix2.txt  2008-05-20 23:52:10
ComboFix3.txt  2008-05-20 23:11:06
ComboFix4.txt  2008-05-20 14:59:33
ComboFix5.txt  2008-05-20 14:20:07

Pre-Run: 279,975,116,800 bytes free
Post-Run: 279,957,970,944 bytes free

256	--- E O F ---	2008-05-18 19:42:34


----------



## GameMaster

It's OK, don't worry. Delete this file in safe mode. Search same, when found delete the file. It won't show you an error.
It's very important that you delete that file, it's a Trojan virus that neither Punk nor I found in your ComboFix and HijackThis logs.


----------



## fmonte

I am trying to delete it in safe mode but I do get the error message.


----------



## GameMaster

Impossible. All right then, this will surely do it:

*Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).* 

Note: This program is for use on Windows XP *32 bit* systems only, and must be run from an Administrator account. 


Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, click *OK*. 
Click *Format*, and ensure *Word Wrap* is unchecked. 
Copy and Paste the text in the box below into *Notepad*. 
Now save the file as *RemoveFiles.txt* in a location where you can find it. 



> Drivers to unload:
> C:\WINDOWS\system32\cbXQkhFu.dll
> 
> Files to delete:
> C:\WINDOWS\system32\cbXQkhFu.dll
> C:\WINDOWS\system32\mlJBSljJ.dll



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system. 

Start *Avenger* by double clicking on *Avenger.exe*. 

Check *Load script from file:* 
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*. 
Double click it to enter it into Avenger. 
Click the *green traffic light symbol*. 
You will be asked if you want to execute the script, answer *Yes*. 
At this point you may get prompts from your protection systems, allow them please. 
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately. 
Answer *Yes*, and allow your computer to re-boot. 
Upon re-boot a command window will briefly appear on screen (this is normal). 
A Notepad text file will be created *C:\avenger.txt*. 
*Copy and Paste it into your next post please.*


----------



## fmonte

Here is the text you requested but when the notepad came up over top of it came an error message that said Windows no disk: Exception Processing Message c0000013 Parameters 75b6b9c 4 75b6b9c 75b6bf9c. Is there anything I should do with that or just reboot?

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  registry key "\Registry\Machine\System\CurrentControlSet\Services\C:\WINDOWS\system32\cbXQkhFu.dll" not found!
Deletion of driver "C:\WINDOWS\system32\cbXQkhFu.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist

File "C:\Windows\system32\cbXQkhFu.dll" deleted successfully.
File "C:\WINDOWS\system32\mlJBSljJ.dll" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.


----------



## GameMaster

Well you're Trojanless now, lol.
I'd like to have one more scan though, to make sure. I don't know what that error means... Can you tell me what the situation is with your desktop and icons?

Please go *HERE* to run Panda ActiveScan 2.0
Click the big green *Scan now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
Once the scan is completed, please hit the notepad icon next to the text *Export to:*
Save it to a convenient location such as your Desktop 
Post the contents of the *ActiveScan.txt* in your next reply


----------



## fmonte

Just a short note to let you know, I cancelled that error message and rebooted and things seem back to normal. Could this nightmare be over? If so, please let me know if it is safe to get back online. I use AVG virus scan (free edition) and the Windows firewall, although many times upon booting up I get an annoying error message that says my firewall did not start. It says click here to put it on, but when I do that it won't allow me to change it, so I have to reboot hoping it comes on the next time.


----------



## fmonte

Just got your message about Panda, will do it now. Thank you.


----------



## GameMaster

Hi, yeah, looking forward to your scan results. It's possible that the nightmare is over, but I want to be sure, and if you're still infected, the log you post will certainly help me.


----------



## fmonte

Here you go, I hope this is what you need. Just to let you know, it took about an hour for the scan to say 20% complete, and then I opened up another browser so that I could surf the net while it was finishing, and then 5 minutes later I go back and the scan is done. Did I do something wrong that would affect the results? Should I repeat the scan and do nothing while it is running?

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-05-21 18:23:11
PROTECTIONS: 1
MALWARE: 19
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description                                  Version                       Active    Updated
;===================================================================================================================================================================================
AVG 7.5.524                                  7.5.524                       Yes       Yes
;===================================================================================================================================================================================
MALWARE
Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
;===================================================================================================================================================================================
00003428  adware/memorywatcher               Adware              No        0         Yes            No           hkey_classes_root\vbrad.trayicon
00139535  Application/Processor              HackTools           No        0         Yes            No           C:\Documents and Settings\Frank\Desktop\SmitfraudFix\Process.exe
00139535  Application/Processor              HackTools           No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP193\A0049098.exe
00139535  Application/Processor              HackTools           No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP204\A0050304.exe
00147806  Cookie/7search                     TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Frank\Cookies\frank@7search[2].txt
00167665  Cookie/Clicktracks                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Frank\Cookies\frank@stats1.clicktracks[1].txt
00168048  Cookie/Overture                    TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Frank\Cookies\frank@perf.overture[1].txt
00168061  Cookie/Apmebf                      TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Frank\Cookies\frank@apmebf[1].txt
00168076  Cookie/BurstNet                    TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Frank\Cookies\frank@burstnet[2].txt
00170550  Cookie/Humanclick                  TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Frank\Cookies\frank@hc2.humanclick[2].txt
00170554  Cookie/Overture                    TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Frank\Cookies\frank@overture[2].txt
00194327  Cookie/Go                          TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Frank\Cookies\frank@go[2].txt
00199984  Cookie/Searchportal                TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Frank\Cookies\frank@searchportal.information[2].txt
00207338  Cookie/Target                      TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Frank\Cookies\frank@target[2].txt
00207862  Cookie/did-it                      TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Frank\Cookies\frank@did-it[1].txt
00262020  Cookie/Atwola                      TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Frank\Cookies\frank@atwola[2].txt
00325830  Cookie/Bridgetrack                 TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Frank\Cookies\frank@citi.bridgetrack[2].txt
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP204\A0050266.EXE
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP203\A0050186.EXE
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP194\A0049399.EXE
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP206\A0050369.EXE
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP195\A0049512.EXE
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP202\A0050131.EXE
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP201\A0050060.EXE
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP198\A0049907.EXE
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP200\A0050008.EXE
01185375  Application/Psexec.A               HackTools           No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP199\A0049959.EXE
01196325  Cookie/Enhance                     TrackingCookie      No        0         Yes            No           C:\Documents and Settings\Frank\Cookies\frank@enhance[2].txt
02197130  Trj/Rebooter.J                     Virus/Trojan        No        1         Yes            No           C:\Documents and Settings\Frank\Desktop\SmitfraudFix\Reboot.exe
02197130  Trj/Rebooter.J                     Virus/Trojan        No        1         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP196\A0049551.exe
02885963  Rootkit/Booto.C                    Virus/Worm          No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP202\A0050122.sys
02885963  Rootkit/Booto.C                    Virus/Worm          No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP201\A0050053.sys
02885963  Rootkit/Booto.C                    Virus/Worm          No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP203\A0050179.sys
02885963  Rootkit/Booto.C                    Virus/Worm          No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP194\A0049391.sys
02885963  Rootkit/Booto.C                    Virus/Worm          No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP204\A0050258.sys
02885963  Rootkit/Booto.C                    Virus/Worm          No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP199\A0049952.sys
02885963  Rootkit/Booto.C                    Virus/Worm          No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP200\A0050001.sys
02885963  Rootkit/Booto.C                    Virus/Worm          No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP198\A0049900.sys
02885963  Rootkit/Booto.C                    Virus/Worm          No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP206\A0050359.sys
02885963  Rootkit/Booto.C                    Virus/Worm          No        0         Yes            No           C:\System Volume Information\_restore{464D0C44-46CA-467C-8464-A5AEC5CFB150}\RP195\A0049504.sys
;===================================================================================================================================================================================
SUSPECTS
Sent      Location                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              Ek
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id        Severity   Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                Ek
;===================================================================================================================================================================================
;===================================================================================================================================================================================


----------



## GameMaster

No it's OK.
Now please reset your System Restore to clear out the infected *Restore Points.*

Click *Start.*
Right-click *My Computer* and select *Properties*
Click the *System Restore* tab at the top
Check the box next to *Turn off System Restore*
Click *Apply* then click *Yes.*
Wait a couple of moments before turning it on again:
Uncheck the box next to *Turn off System Restore*
Click *Apply* then *OK.*

Now please post a fresh HijackThis log; there is one more Spyware/Trojan hiding.


----------



## fmonte

Thanks for all your time and patience Game Master. One final question. I thought I had good protection against viruses. I researched the thread on this forum and it said AVG free was good and Windows firewall was good. That is what I have been using. Do you think that is sufficient? Do I need something in place of or in addition to these two? Also, do you have a fix for when I occasionally get that Windows firewall balloon at startup that says it did not start?


----------



## GameMaster

Did you flush your restore points as asked to? 
Please post a HijackThis log; I found a Trojan hiding but I need the log to see that file's location.

AVG free is good, if up to date. Windows Firewall isn't really enough, and we suggest you get another firewall. Here's a little article that will guide you with setting up a great protection system, but please also do what I asked you to do to remove the remaining virus.

http://www.computerforum.com/17717-basic-malware-prevention.html

Remember to have only one of all installed!


----------



## fmonte

Yes I flushed the restore points as directed. Here is the log you requested. Let me know if you need anything else. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:58, on 2008-05-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\BrmfBAgS.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe
C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\ScanSoft\PaperPort\PaprPort.exe
C:\Program Files\ScanSoft\PaperPort\pplinks.exe
C:\Program Files\ScanSoft\PaperPort\SSINDEXR.EXE
C:\Program Files\ScanSoft\PaperPort\ppscanmg.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0CD08B3E-C80F-4FBC-ABB6-CB1766D2A8D5} - C:\WINDOWS\system32\mlJBSljJ.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {47551F98-CC7F-4701-A650-D7231EEA60BD} - C:\WINDOWS\system32\cbXQkhFu.dll (file missing)
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Panasonic Device Monitor Wakeup] C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe
O4 - HKLM\..\Run: [Panasonic Device Manager for Multi-Function Station software] C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe
O4 - HKLM\..\Run: [Panasonic PCFAX for Multi-Function Station software] C:\Program Files\Panasonic\MFStation\KmPcFax.exe -1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O20 - AppInit_DLLs:  
O20 - Winlogon Notify: cbXQkhFu - cbXQkhFu.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - C:\WINDOWS\system32\BrmfBAgS.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panasonic Local Printer Service - Panasonic Communications Co., Ltd. - C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe
O23 - Service: Panasonic Trap Monitor Service - Panasonic - C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe

--
End of file - 9607 bytes


----------



## GameMaster

Lol, your HijackThis log is always different and always shows other infections.
Please open your HijackThis log again and choose *Do a system scan only.* Check these entries if found:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {0CD08B3E-C80F-4FBC-ABB6-CB1766D2A8D5} - C:\WINDOWS\system32\mlJBSljJ.dll (file missing)
O2 - BHO: (no name) - {47551F98-CC7F-4701-A650-D7231EEA60BD} - C:\WINDOWS\system32\cbXQkhFu.dll (file missing)
O20 - AppInit_DLLs: 
O20 - Winlogon Notify: cbXQkhFu - cbXQkhFu.dll (file missing)

Now close all open windows except the HijackThis and click *Fix checked.*

Reboot your computer and then do the following:

*Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).* 

Note: This program is for use on Windows XP *32 bit* systems only, and must be run from an Administrator account. 


Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, click *OK*. 
Click *Format*, and ensure *Word Wrap* is unchecked. 
Copy and Paste the text in the box below into *Notepad*. 
Now save the file as *RemoveFiles.txt* in a location where you can find it. 



> Files to delete:
> C:\WINDOWS\system32\mlJBSljJ.dll
> C:\WINDOWS\system32\cbXQkhFu.dll



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system. 

Start *Avenger* by double clicking on *Avenger.exe*. 

Check *Load script from file:* 
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*. 
Double click it to enter it into Avenger. 
Click the *green traffic light symbol*. 
You will be asked if you want to execute the script, answer *Yes*. 
At this point you may get prompts from your protection systems, allow them please. 
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately. 
Answer *Yes*, and allow your computer to re-boot. 
Upon re-boot a command window will briefly appear on screen (this is normal). 
A Notepad text file will be created *C:\avenger.txt*. 
*Copy and Paste it into your next post please.* 

Please tell me is your system running better now?


----------



## fmonte

You say my log file is always different. I just want to confirm I am doing what you want. Am I supposed to do this in normal mode? Remember, in normal mode I only have two buttons on the welcome page, Frank and Guest. When I boot up in safe mode I have a third button called Administrator. Please advise what mode you want. Thank you. Frank


----------



## GameMaster

Please go on doing what I suggested.
I now understand why the logs are different.
You should do everything in normal mode unless told that you need to go to safe mode. Normal mode has two accounts, yours and Guest. Your account is treated as an administrator of the computer, but Guest isn't.
When you boot into safe mode, you always have one additional account, Administrator. That's OK, and from now on, when asked to boot to safe mode, go to your usual account.

Please proceed with my instructions in normal mode.


----------



## fmonte

I did everything you asked. It seems to be running okay. Here is the log. Also, do I flush the restore feature again as you suggested earlier?

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  file "C:\WINDOWS\system32\mlJBSljJ.dll" not found!
Deletion of file "C:\WINDOWS\system32\mlJBSljJ.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Error:  file "C:\WINDOWS\system32\cbXQkhFu.dll" not found!
Deletion of file "C:\WINDOWS\system32\cbXQkhFu.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.


----------



## fmonte

Anticipating that you need it, I did the restore point flush and HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:19, on 2008-05-22
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe
C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\BrmfBAgS.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe
C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [HP Lamp] "C:\Program Files\Hewlett-Packard\HP PrecisionScan\PrecisionScan Pro\hplamp.exe"
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Panasonic Device Monitor Wakeup] C:\Program Files\Panasonic\Device Monitor\dmwakeup.exe
O4 - HKLM\..\Run: [Panasonic Device Manager for Multi-Function Station software] C:\Program Files\Panasonic\MFStation\PCCMFSDM.exe
O4 - HKLM\..\Run: [Panasonic PCFAX for Multi-Function Station software] C:\Program Files\Panasonic\MFStation\KmPcFax.exe -1
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Device Detector 3.lnk = C:\Program Files\Olympus\DeviceDetector\DevDtct2.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - C:\WINDOWS\system32\BrmfBAgS.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panasonic Local Printer Service - Panasonic Communications Co., Ltd. - C:\PROGRA~1\PANASO~1\LocalCom\lmsrvnt.exe
O23 - Service: Panasonic Trap Monitor Service - Panasonic - C:\PROGRA~1\PANASO~1\TRAPMO~1\Trapmnnt.exe

--
End of file - 8828 bytes


----------



## GameMaster

Great, your log appears to be clean.
Please read the article I linked you to before: http://www.computerforum.com/17717-basic-malware-prevention.html
That should keep your system clean of any malware.
Enjoy!
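
An added check, not part of GameMaster's or fmonte's posts and not a feature of HijackThis or Avenger: a small Python triage script that parses HijackThis entries of the kind GameMaster asked to be ticked (the two unnamed O2 BHOs and the O20 Winlogon Notify package, all marked "(file missing)") and then runs over a handful of entries from the clean log above. The sample lines are copied from this thread and embedded as constructed input; the severity rules and the "eight mixed-case letters" name pattern are my own heuristics, not anything HijackThis itself reports.

```python
import ntpath
import re

# Constructed sample input, copied from the thread: the five entries GameMaster
# asked fmonte to tick, and a few entries from the follow-up log (two BHOs, the
# orphaned Messenger button, two services).
BEFORE_FIX = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {0CD08B3E-C80F-4FBC-ABB6-CB1766D2A8D5} - C:\WINDOWS\system32\mlJBSljJ.dll (file missing)
O2 - BHO: (no name) - {47551F98-CC7F-4701-A650-D7231EEA60BD} - C:\WINDOWS\system32\cbXQkhFu.dll (file missing)
O20 - AppInit_DLLs:
O20 - Winlogon Notify: cbXQkhFu - cbXQkhFu.dll (file missing)
"""

AFTER_FIX = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: Brother BidiAgent Service for Resource manager (brmfbags) - Brother Industries, Ltd. - C:\WINDOWS\system32\BrmfBAgS.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
"""

LINE_RE = re.compile(r"^(?P<section>[ROF]\d+) - (?P<body>.*)$")
# Heuristic (my assumption): eight letters, mixed case, no digits, the shape of
# the two DLL names in this thread. BrmfBAgS.exe shows it also hits vendors.
RANDOM_NAME_RE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}\.(?:dll|exe)$")
MISSING = "(file missing)"


def parse_line(line):
    """Split one HijackThis entry into section, body, target and file-missing flag."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    missing = body.endswith(MISSING)
    if missing:
        body = body[: -len(MISSING)].rstrip()
    # HijackThis separates description, CLSID and target with " - "; the target
    # (a path or bare DLL name) is the last field when there is more than one.
    parts = [p.strip() for p in body.split(" - ")]
    target = parts[-1] if len(parts) > 1 else ""
    return {"section": section, "body": body, "target": target, "missing": missing}


def triage(entry):
    """Return (severity, reason) for an entry worth acting on, else None."""
    sec, body, target = entry["section"], entry["body"], entry["target"]
    random_name = bool(RANDOM_NAME_RE.match(ntpath.basename(target)))
    in_system32 = "\\system32\\" in target.lower()
    if sec == "O20" and body.startswith("Winlogon Notify"):
        # Winlogon notification packages are loaded into winlogon.exe at logon,
        # so a package whose DLL is gone or randomly named is a leftover hook.
        if entry["missing"] or random_name:
            return ("high", "Winlogon Notify package with missing or random-named DLL")
        return ("review", "Winlogon Notify package; confirm the DLL belongs to a known product")
    if sec == "O20" and body.startswith("AppInit_DLLs"):
        # AppInit_DLLs is loaded into every process that maps user32.dll;
        # an empty value is harmless, a populated one needs a look.
        value = body.split(":", 1)[1].strip()
        return ("review", "AppInit_DLLs is populated: " + value) if value else None
    if sec == "O2":
        if body.startswith("BHO: (no name)") and (entry["missing"] or random_name):
            return ("high", "unnamed BHO pointing at a missing or random-named DLL")
        return ("review", "BHO registration points at a missing file") if entry["missing"] else None
    if sec == "R0" and body.endswith("= about:blank"):
        return ("low", "start page was reset to about:blank; set it back to a wanted page")
    if entry["missing"]:
        return ("low", "orphaned registration; harmless, can be fixed for tidiness")
    if random_name and in_system32:
        return ("review", "random-looking name in system32; check the publisher before touching it")
    return None


def scan(log_text):
    """Triage every parsable entry in a HijackThis log and return the flagged ones."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        verdict = triage(entry)
        if verdict is not None:
            severity, reason = verdict
            findings.append({"severity": severity, "section": entry["section"],
                             "target": entry["target"], "reason": reason})
    return findings


if __name__ == "__main__":
    for label, text in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        print(label)
        for f in scan(text):
            print(f"  [{f['severity']:6}] {f['section']:>3} {f['target']}  ({f['reason']})")
```

Run stand-alone it prints three "high" findings for the first set (the two BHO DLLs and the Winlogon Notify package) and nothing above "review" for the second. The Brother service matches the random-name pattern too, which is why the rules only escalate when that pattern combines with a missing file, an unnamed BHO or a Winlogon Notify hook; the name alone is not evidence. The "(file missing)" marker also explains the Avenger log earlier in the thread: both DLLs were already gone, so STATUS_OBJECT_NAME_NOT_FOUND was the expected result, and the real cleanup was removing the orphaned registry entries with *Fix checked*.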


----------



## fmonte

Thanks for everything. Sincerely, Frank


----------

