# Proxy Trojan?



## Itronix

I tried to open Mafia (PC game) on my computer and AVG says that there is a threat detected, a Trojan Horse Proxy.ABWC. Any ideas on what's going on? Eventually I'll probably throw Nod32 in or something...

I haven't run Mafia on that computer for quite a while now, so I don't know how long it's been there. I read about them on the internet and it seems that they can be a pretty decent problem. I guess it's a hacker trojan? How do I fix this? Thanks everyone.


----------



## GameMaster

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following:
Restart your computer.
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.
Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
Type *Y* to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
Press any key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process, then display *Finished*; press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.

*Click here* to download *HJTsetup.exe*
Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in Notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.


----------



## Itronix

Thanks, friend. I have to go to work and I don't know if I'll be back home tonight, so if not tonight I will work on it tomorrow and get back to you. For now I guess I'll just leave it disconnected from the internet so nobody can get in. Thanks again, I really appreciate it.


----------



## Itronix

Hello, again. I can't get the RunThis icon to really work. It opens the black command prompt box for a half second and closes it.


----------



## GameMaster

Sorry, run HijackThis please (those are the instructions under the SDFix).


----------



## Itronix

Oh, whoops! Sorry about that. Thanks for your help! I'll do that.


----------



## nihilius

I have the exact same problem with my Mafia game, the same proxy trojan. But it only seems to appear in the temp folder just after the game is launched. My AVG antivirus then detects and heals the file, but the game is unable to start. When I try to start the game afterwards the trojan is once again spawned in my temp folder. What is causing this problem? I've tried your SDFix procedure, but it can't find anything besides what's in the temp folder, and that is easily removed manually. So I hope you guys can help a noob find what's creating all these proxy trojans.


----------



## GameMaster

Please download ATF Cleaner.
Make sure that all browser windows are closed.

Double-click *ATF-Cleaner.exe* to run the program.
Under *Main* choose: *Select All*
Click the *Empty Selected* button.
If you use the Firefox browser:
Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
If you use the Opera browser:
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
*NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
Click *Exit* on the Main menu to close the program.

Any more such problems?


----------



## nihilius

GameMaster said:


> Please download ATF cleaner
> Make sure that all browser windows are closed.
> 
> 
> Double-click *ATF-Cleaner.exe* to run the program.
> Under *Main* choose: *Select All*
> Click the *Empty Selected* button.
> If you use Firefox browser
> Click *Firefox* at the top and choose: *Select All*
> Click the *Empty Selected* button.
> *NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
> If you use Opera browser
> Click *Opera* at the top and choose: *Select All*
> Click the *Empty Selected* button.
> *NOTE:* If you would like to keep your saved passwords, please click *No* at the prompt.
> Click *Exit* on the Main menu to close the program.
> 
> Any more such problems?



Well, it cleans out the temp folder, but every time I start Mafia, my AVG says "threat detected!", Trojan horse Proxy.ABWC,
regardless of the temp folder being empty or not. It's a nice program, but it doesn't solve my problem. It's a file called SIntfNT.dll.


----------



## GameMaster

OK, thanks. That speaks for itself.

*Download and Run ComboFix*
*If you already have ComboFix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three places listed below:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* and follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply.
*Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.*

ComboFix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open *Task Manager* then the *Processes* tab (press Ctrl, Alt and Del at the same time) and end any processes of *findstr, find, sed or swreg*; then ComboFix should continue.
If that happened we want to know, and also what process you had to end.


----------



## nihilius

Here is the log file from my computer:


ComboFix 08-05-25.5 - Nikolaj 2008-05-26 23:41:32.1 - *FAT32*x86
Microsoft Windows XP Professional  5.1.2600.2.1252.45.1033.18.540 [GMT 2:00]
Running from: C:\Documents and Settings\Nikolaj\Desktop\ComboFix.exe
 * Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Documents\_desktop.ini
C:\Documents and Settings\All Users\Documents\Adobe PDF\_desktop.ini
C:\Documents and Settings\All Users\Documents\Adobe PDF\Extras\_desktop.ini
C:\Documents and Settings\All Users\Documents\Adobe PDF\Settings\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Alanis Morissette\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Alanis Morissette\Everything - Single\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Deardorf Peterson Group\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Deardorf Peterson Group\Portal\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\King Sunny Ade & His African Beats\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\King Sunny Ade & His African Beats\Synchro Series\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Mark Knopfler\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Mark Knopfler\shangri-la\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\My Playlists\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Robert Randolph & the Family Band\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Robert Randolph & the Family Band\Unclassified\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Rosie Thomas\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Rosie Thomas\Only With Laughter Can You Win\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\0007296F\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\0007297F\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\The Shins\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Music\The Shins\Chutes Too Narrow\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Pictures\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Pictures\Impressionism - GalleryPlayer\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Pictures\Landscapes - GalleryPlayer\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Pictures\Masterpieces - GalleryPlayer\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Pictures\Nature - GalleryPlayer\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Pictures\Travel - GalleryPlayer\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Pictures\Vintage - GalleryPlayer\_desktop.ini
C:\Documents and Settings\All Users\Documents\My Videos\_desktop.ini
C:\Documents and Settings\All Users\Documents\Recorded TV\_desktop.ini
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\_desktop.ini
C:\WINDOWS\Downloaded Program Files\setup.inf

.
(((((((((((((((((((((((((   Files Created from 2008-04-26 to 2008-05-26  )))))))))))))))))))))))))))))))
.

2008-05-26 21:44 . 2008-05-26 21:44	<DIR>	d--------	C:\Program Files\Trend Micro
2008-05-26 21:29 . 2008-05-26 21:29	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-05-26 21:28 . 2008-05-26 21:28	<DIR>	d--------	C:\Documents and Settings\NetworkService\Application Data\Webroot
2008-05-26 21:25 . 2008-05-23 03:54	<DIR>	d--------	C:\SDFix
2008-05-26 20:31 . 2008-05-26 20:31	<DIR>	d--------	C:\Program Files\Creative
2008-05-26 20:31 . 2002-06-06 14:38	139,264	--a------	C:\WINDOWS\system32\eax.dll
2008-05-26 19:30 . 2003-04-09 11:28	233,472	-ra------	C:\WINDOWS\system32\MafiaSetup.exe
2008-05-19 18:13 . 2008-05-19 18:13	<DIR>	d--------	C:\Program Files\Pocket Tanks Deluxe
2008-05-15 22:10 . 2008-05-15 22:10	<DIR>	d--------	C:\Documents and Settings\Nikolaj\OngameNetwork
2008-05-11 20:41 . 2008-05-11 20:41	0	--a------	C:\WINDOWS\pestpatrol5.INI
2008-05-11 20:37 . 2008-05-11 20:37	<DIR>	d--------	C:\Program Files\Common Files\Scanner
2008-05-11 20:37 . 2008-05-11 20:37	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\CA
2008-05-11 20:36 . 2008-05-11 20:37	<DIR>	d--------	C:\Program Files\CA
2008-05-08 01:00 . 2008-05-08 01:00	<DIR>	d--------	C:\Program Files\PokerRoom.com
2008-05-07 11:38 . 2008-05-26 18:50	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-05-07 11:38 . 2008-05-11 17:42	1,409	--a------	C:\WINDOWS\QTFont.for

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-09 22:17	---------	d-----w	C:\Program Files\Activision
2008-03-27 08:12	151,583	----a-w	C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12	151,583	----a-w	C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47	1,845,248	----a-w	C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47	1,845,248	----a-w	C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-01 16:36	3,591,680	------w	C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55	70,656	------w	C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55	625,664	------w	C:\WINDOWS\system32\dllcache\iexplore.exe
2007-11-29 14:37	604	---ha-w	C:\Program Files\STLL Notifier
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BluetoothAuthenticationAgent"="rundll32.exe" [2004-08-10 20:00 33280 C:\WINDOWS\system32\rundll32.exe]
"AGRSMMSG"="AGRSMMSG.exe" [2005-12-13 21:50 88204 C:\WINDOWS\AGRSMMSG.exe]
"RTHDCPL"="RTHDCPL.EXE" [2006-07-19 09:42 16248320 C:\WINDOWS\RTHDCPL.exe]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 20:00 59392]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-10 20:00 455168]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-06-13 09:57 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-06-13 09:57 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-06-13 09:57 118784]
"LManager"="C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE" [2006-07-14 12:13 471040]
"AzMixerSel"="C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2006-07-19 09:41 53248]
"ePower_DMC"="C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-07-12 15:48 438272]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 11:56 579584]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2006-11-12 11:48 157592]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-04-29 06:13 766041]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 20:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-28 17:35 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"midi"= gmidi.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acer Empowering Technology.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acer Empowering Technology.lnk
backup=C:\WINDOWS\pss\Acer Empowering Technology.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Nikolaj^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Nikolaj\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acer ePresentation HPD]
--a------ 2006-06-07 20:18 208896 C:\Acer\Empowering Technology\ePresentation\ePresentation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boot]
--a------ 2006-03-15 22:12 579584 C:\Acer\Empowering Technology\ePower\Boot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CaISSDT]
--a------ 2006-04-21 14:42 165416 C:\Program Files\CA\eTrust Internet Security Suite\caissdt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eDataSecurity Loader]
--a------ 2006-03-17 15:00 345088 C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
--a------ 2005-08-05 13:56 64512 C:\WINDOWS\ehome\ehtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ePower_DMC]
--a------ 2006-07-12 15:48 438272 C:\Acer\Empowering Technology\ePower\ePower_DMC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eRecoveryService]
--a------ 2006-06-01 14:40 413696 C:\Acer\Empowering Technology\eRecovery\eRAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eTrustPPAP]
--a------ 2008-05-11 20:38 258048 C:\Program Files\CA\eTrust Internet Security Suite\eTrust PestPatrol Anti-Spyware\PPActiveDetection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EW Message Server]
--a------ 2004-08-04 23:20 45056 C:\WINDOWS\system32\msg32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-10 20:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 14:18 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NAV CfgWiz]
C:\Program Files\Norton AntiVirus\CfgWiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntiMUI]
--a------ 2006-05-15 11:15 45056 C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
--a------ 2006-07-19 09:42 2879488 C:\WINDOWS\SkyTel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2007-06-13 08:16 528384 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2007-03-01 19:55 4865600 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
--a------ 2008-03-04 16:27 1481968 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\WINDOWS\\System32\\dplaysvr.exe"=
"C:\\Program Files\\Black Isle\\Baldur's Gate\\BGMain.exe"=
"C:\\Program Files\\Messenger\\MSMSGS.EXE"=
"C:\\Program Files\\Black Isle\\BGII - SoA\\BGMain.exe"=
"C:\\Program Files\\Black Isle\\Baldur's Gate\\BGMain2.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"D:\\cs\\hl.exe"=

S3 EWAVE;EWAVE;C:\WINDOWS\system32\drivers\ew.sys [2004-08-04 23:22]
S3 Fadpu16E;Fadpu16E;C:\DOCUME~1\Nikolaj\LOCALS~1\Temp\Fadpu16E.sys []
S3 FILESPY;FILESPY;C:\WINDOWS\system32\drivers\FILESPY.sys [2004-08-04 23:46]
S3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-06-20 03:20]
S3 NSTATION;NSTATION;C:\WINDOWS\system32\drivers\nstation.sys [2004-08-04 23:25]
S3 psdfilter;psdfilter;C:\WINDOWS\system32\Drivers\psdfilter.sys [2006-04-07 20:17]
S3 psdvdisk;psdvdisk;C:\WINDOWS\system32\Drivers\psdvdisk.sys [2006-03-08 17:10]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\SE2Ebus.sys [2006-05-01 13:16]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\MafiaLauncher.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
\Shell\AutoRun\command - F:\autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\amplayer.exe autorun.dat

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\Autorun.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 23:42:55
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-26 23:43:24
ComboFix-quarantined-files.txt  2008-05-26 21:43:22

Pre-Run: 5,844,402,176 bytes free
Post-Run: 5,827,395,584 bytes free

222	--- E O F ---	2008-05-17 13:06:48


----------



## GameMaster

The log is completely clean. No trace of the file you mentioned, and after some quick research I found that the file is actually legit.
Let's try with a HijackThis log though.

Please download the HijackThis installer from http://www.trendsecure.com/portal/en...HJTInstall.exe.

Run the installer and choose *Install*, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*.

When the Notepad window opens choose Edit -> Select All to select the entire log, and copy and paste the log into a reply post.
_Most of what it lists will be harmless or even essential, don't fix anything yet._


----------



## nihilius

OK, I tried to open Mafia and told AVG to ignore the trojan; now it should be in the temp folder. Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:21:43, on 27-05-2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\system32\igfxext.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=104795&clcid=0x409
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.aceradvantage.com/stdreg
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [MSPY2002] "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /SYNC
O4 - HKLM\..\Run: [PHIME2002A] "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" /IMEName
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [LManager] C:\PROGRA~1\LAUNCH~1\QtZgAcer.EXE
O4 - HKLM\..\Run: [AzMixerSel] "C:\Program Files\Realtek\InstallShield\AzMixerSel.exe"
O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SynTPEnh] "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETVÆRKSTJENESTE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D8575CE3-3432-4540-88A9-85A1325D3375} (e-Safekey) - https://netbank.danskebank.dk/html/activex/e-Safekey/DB/e-Safekey.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Memory Check Service (AcerMemUsageCheckService) - Acer Inc. - C:\Acer\Empowering Technology\ePerformance\MemCheck.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour-tjeneste (Bonjour Service) - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod-tjeneste (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 7262 bytes
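
Both logs in this thread (the ComboFix log earlier and the HijackThis log above) are being read by eye for autostart entries that point somewhere odd. The script below is an added example, not a tool from the thread or from the HijackThis/ComboFix authors: it parses HijackThis O4 and O23 lines and ComboFix service lines, pulls out the executable path, and flags anything that loads from a Temp directory (the location both posters gave for the file AVG complained about) or, for ComboFix service lines, that has no file timestamp recorded. The sample lines are constructed for the demo; the two Temp entries and the user name are made up, the others mirror entries in the logs above.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the two formats seen in the thread. The Temp entries
# are invented for the demo; the other lines mirror entries from the posted logs.
SAMPLE_LOG = [
    r'O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" /STARTUP',
    r'O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe',
    r'O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\LOCALS~1\Temp\upd.exe /silent',
    r'O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe',
    r'S3 lv321av;Logitech USB PC Camera (VC0321);C:\WINDOWS\system32\DRIVERS\lv321av.sys [2006-06-20 03:20]',
    r'S3 Fadpu16E;Fadpu16E;C:\DOCUME~1\user\LOCALS~1\Temp\Fadpu16E.sys []',
    r'R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local',
]


@dataclass
class Entry:
    kind: str                  # "O4", "O23" or "service" (ComboFix S*/R* line)
    name: str
    path: str
    flags: list = field(default_factory=list)


O4_RE = re.compile(r'^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
O23_RE = re.compile(r'^O23 - Service: (?P<rest>.*)$')
SVC_RE = re.compile(r'^(?P<start>[SR]\d) (?P<name>[^;]*);(?P<display>[^;]*);'
                    r'(?P<path>.*?) \[(?P<stamp>[^\]]*)\]$')
# A bare (unquoted) command: take everything up to the first program extension.
EXT_RE = re.compile(r'^(?P<path>.*?\.(?:exe|dll|sys|cpl|bat|com|scr))(?=\s|$)', re.IGNORECASE)


def extract_path(cmd):
    """Return the program path from an O4 command string, quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    return m.group('path') if m else cmd.split()[0]


def parse_line(line):
    """Turn one log line into an Entry, or None for lines without a program path."""
    line = line.rstrip()
    m = O4_RE.match(line)
    if m:
        return Entry('O4', m.group('name'), extract_path(m.group('cmd')))
    m = O23_RE.match(line)
    if m:
        # "<display> - <vendor> - <path>": split from the right so a vendor
        # string containing " - " cannot swallow the path.
        parts = m.group('rest').rsplit(' - ', 1)
        if len(parts) != 2:
            return None
        display = parts[0].split(' - ', 1)[0]
        return Entry('O23', display, parts[1].strip())
    m = SVC_RE.match(line)
    if m:
        e = Entry('service', m.group('name'), m.group('path'))
        if not m.group('stamp'):
            e.flags.append('no file timestamp recorded')
        return e
    return None  # R0/R1/O2/O9... lines carry URLs or CLSIDs, not autostart paths


def is_temp_path(path):
    """True when the file lives under a Temp directory (long or 8.3 form)."""
    return '\\temp\\' in path.lower()


def triage(lines):
    """Parse every line and attach review flags to each entry."""
    entries = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        if is_temp_path(e.path):
            e.flags.append('loads from a Temp directory')
        entries.append(e)
    return entries


def flagged(lines):
    """Only the entries a reviewer should look at first."""
    return [e for e in triage(lines) if e.flags]


if __name__ == '__main__':
    for e in triage(SAMPLE_LOG):
        mark = ' <-- ' + '; '.join(e.flags) if e.flags else ''
        print(f'{e.kind:8} {e.name:40} {e.path}{mark}')
```

A flag is a prompt to look, not a verdict: games and installers do unpack helper files into Temp, which is exactly the question this thread ends up on. The point of the script is to make that short list in seconds instead of scanning several hundred lines by hand.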


----------



## GameMaster

The log appears to be clean. It's really invisible or isn't on your computer. Could you tell me the full file path of the virus? C:/Documents and Settings/...?


----------



## nihilius

GameMaster said:


> The log appears to be clean. It's really invisible or isn't on your computer. Could you tell me the full file path of the virus? C:/Documents and Settings/...?



C:/Documents and Settings/Nikolaj/Local Settings/Temp/SIntfNT.dll

I can't figure out what's wrong; it seems like the file is harmless, but it's perceived as a trojan by AVG.
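
When a file keeps reappearing in Temp every time a game starts and the scanner keeps flagging it, the useful question is whether it is the same bytes each time (consistent with a component the game unpacks on launch) or different content under the same name. The script below is an added example, not a tool from the thread: it records size, SHA-256 and whether the file has a well-formed MZ/PE header, stores that in a small JSON baseline, and reports `new`, `unchanged` or `changed` on each run. The `build_fake_pe` stand-in and the `demo` temp directory are constructed for the demonstration; `SIntfNT.dll` is only used as the file name from the thread, nothing about its real contents is assumed.

```python
import hashlib
import json
import os
import struct
import tempfile


def pe_summary(data):
    """Return (is_pe, machine) for a byte string.

    machine is the COFF machine id (0x14C for x86) or None when the DOS/PE
    headers are not present. This is a header sanity check, not a full parser.
    """
    if len(data) < 0x40 or data[:2] != b'MZ':
        return False, None
    e_lfanew = struct.unpack_from('<I', data, 0x3C)[0]
    if e_lfanew + 6 > len(data) or data[e_lfanew:e_lfanew + 4] != b'PE\0\0':
        return False, None
    machine = struct.unpack_from('<H', data, e_lfanew + 4)[0]
    return True, machine


def fingerprint(path):
    """Size, SHA-256 and PE header status of one file."""
    with open(path, 'rb') as f:
        data = f.read()
    is_pe, machine = pe_summary(data)
    return {
        'name': os.path.basename(path).lower(),
        'size': len(data),
        'sha256': hashlib.sha256(data).hexdigest(),
        'is_pe': is_pe,
        'machine': machine,
    }


def compare(current, baseline):
    """'new' when nothing was recorded yet, 'unchanged' when the hash matches,
    'changed' when the same file name now carries different content."""
    if baseline is None:
        return 'new'
    if current['sha256'] == baseline['sha256']:
        return 'unchanged'
    return 'changed'


def check_and_record(path, baseline_file):
    """Fingerprint `path`, compare with the JSON baseline, update it, return the verdict."""
    try:
        with open(baseline_file) as f:
            store = json.load(f)
    except (OSError, ValueError):
        store = {}
    current = fingerprint(path)
    verdict = compare(current, store.get(current['name']))
    store[current['name']] = current
    with open(baseline_file, 'w') as f:
        json.dump(store, f, indent=2)
    return verdict


def build_fake_pe(payload=b'demo'):
    """Constructed stand-in for a DLL: a minimal MZ/PE header plus payload.
    It is not loadable; it only exists so the example runs offline."""
    hdr = bytearray(b'MZ' + b'\0' * 0x3E)                      # 0x40-byte DOS header
    struct.pack_into('<I', hdr, 0x3C, 0x40)                      # e_lfanew -> 0x40
    hdr += b'PE\0\0' + struct.pack('<H', 0x14C) + b'\0' * 18     # COFF header, x86
    return bytes(hdr) + payload


def demo():
    """Simulate three launches: first sighting, identical file, then different bytes."""
    workdir = tempfile.mkdtemp()
    target = os.path.join(workdir, 'SIntfNT.dll')   # file name from the thread
    store = os.path.join(workdir, 'baseline.json')
    with open(target, 'wb') as f:
        f.write(build_fake_pe(b'first run'))
    v1 = check_and_record(target, store)
    v2 = check_and_record(target, store)
    with open(target, 'wb') as f:
        f.write(build_fake_pe(b'other'))
    v3 = check_and_record(target, store)
    return v1, v2, v3


if __name__ == '__main__':
    print(demo())   # ('new', 'unchanged', 'changed')
```

On the real machine you would point `check_and_record` at the Temp path AVG reports and keep the baseline file somewhere the cleanup tools in this thread will not wipe. A stable hash across launches, together with a valid PE header, supports the "harmless file, scanner false positive" reading and gives you the exact hash to quote when reporting it to the AV vendor; a hash that changes on every launch is the case that deserves a closer look.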


----------



## bjkman

*I have the same problems*

I've done everything listed here. I googled the virus and this forum came up. My problem happens when I open Deus Ex 2: Invisible War. It loads up the entire game until I click Load Game and select the level I want to load; then the program minimizes and I can't use it anymore, while AVG detects the Trojan horse Proxy.ABWC.

The file name for me is C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\sintfnt.dll

Here's my ComboFix log:
ComboFix 08-05-26.2 - HP_Administrator 2008-05-26 22:20:13.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.452 [GMT -7:00]
Running from: C:\Documents and Settings\HP_Administrator\Desktop\ComboFix.exe
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
C:\Documents and Settings\HP_Administrator\Application Data\ShoppingReport
C:\Documents and Settings\HP_Administrator\Application Data\ShoppingReport\cs\Config.xml
C:\Documents and Settings\HP_Administrator\Application Data\ShoppingReport\cs\db\Aliases.dbs
C:\Documents and Settings\HP_Administrator\Application Data\ShoppingReport\cs\db\Sites.dbs
C:\Documents and Settings\HP_Administrator\Application Data\ShoppingReport\cs\dwld\WhiteList.xip
C:\Documents and Settings\HP_Administrator\Application Data\ShoppingReport\cs\report\aggr_storage.xml
C:\Documents and Settings\HP_Administrator\Application Data\ShoppingReport\cs\report\send_storage.xml
C:\Documents and Settings\HP_Administrator\Application Data\ShoppingReport\cs\res1\WhiteList.dbs
C:\Program Files\ShoppingReport
C:\Program Files\ShoppingReport\Uninst.exe
D:\Autorun.inf

.
(((((((((((((((((((((((((   Files Created from 2008-04-27 to 2008-05-27  )))))))))))))))))))))))))))))))
.

2008-05-16 18:21 . 2008-05-16 18:21	<DIR>	d--------	C:\Documents and Settings\HP_Administrator\Application Data\Snapfish
2008-05-16 17:51 . 2008-05-16 17:51	<DIR>	d--------	C:\Program Files\Picasa2
2008-05-11 12:08 . 2008-05-11 12:08	<DIR>	d--------	C:\Program Files\iPod
2008-05-11 12:08 . 2008-05-11 12:08	<DIR>	d--------	C:\Documents and Settings\HP_Administrator\Application Data\Apple Computer
2008-05-11 12:08 . 2008-05-26 11:07	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-05-11 12:08 . 2008-05-11 12:08	1,409	--a------	C:\WINDOWS\QTFont.for
2008-05-11 12:07 . 2008-05-11 12:07	<DIR>	d--------	C:\Program Files\QuickTime
2008-05-11 12:07 . 2008-05-11 12:08	<DIR>	d--------	C:\Program Files\iTunes
2008-05-11 12:07 . 2008-05-11 12:07	<DIR>	d--------	C:\Program Files\Bonjour
2008-05-11 12:07 . 2008-05-11 12:07	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-11 12:06 . 2008-05-11 12:06	<DIR>	d----c---	C:\WINDOWS\system32\DRVSTORE
2008-05-11 12:06 . 2008-05-11 12:06	<DIR>	d--------	C:\Program Files\Common Files\Apple
2008-05-11 12:06 . 2008-05-11 12:06	<DIR>	d--------	C:\Program Files\Apple Software Update
2008-05-11 12:06 . 2008-05-11 12:06	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Apple
2008-05-11 12:06 . 2008-02-18 11:16	30,464	--a------	C:\WINDOWS\system32\drivers\usbaapl.sys
2008-05-08 18:40 . 2008-05-08 18:40	<DIR>	d--------	C:\Program Files\BitPim
2008-05-08 18:36 . 2008-05-08 18:36	<DIR>	d--h-----	C:\temp\pt8q3khslw
2008-05-08 18:27 . 2008-05-08 18:27	<DIR>	d--------	C:\Program Files\Samsung
2008-05-08 18:27 . 2007-07-03 16:58	106,792	--a------	C:\WINDOWS\system32\drivers\sscdmdm.sys
2008-05-08 18:27 . 2007-07-03 16:59	86,824	--a------	C:\WINDOWS\system32\drivers\sscdserd.sys
2008-05-08 18:27 . 2007-07-03 16:54	80,552	--a------	C:\WINDOWS\system32\drivers\sscdbus.sys
2008-05-08 18:27 . 2007-07-03 16:57	11,944	--a------	C:\WINDOWS\system32\drivers\sscdmdfl.sys
2008-05-08 18:27 . 2007-07-03 17:00	9,256	--a------	C:\WINDOWS\system32\drivers\sscdwhnt.sys
2008-05-08 18:27 . 2007-07-03 17:00	9,256	--a------	C:\WINDOWS\system32\drivers\sscdwh.sys
2008-05-08 18:27 . 2007-07-03 16:56	9,256	--a------	C:\WINDOWS\system32\drivers\sscdcmnt.sys
2008-05-08 18:27 . 2007-07-03 16:56	9,256	--a------	C:\WINDOWS\system32\drivers\sscdcm.sys
2008-05-08 18:26 . 2008-05-08 18:26	<DIR>	d--------	C:\Program Files\Verizon Wireless
2008-05-08 18:26 . 2008-05-26 12:47	1,609,728	--a------	C:\WINDOWS\MEDB.mdb
2008-05-08 18:26 . 2007-05-01 15:23	528,384	---------	C:\WINDOWS\system32\VZWDownManager.exe
2008-05-08 18:26 . 2007-05-01 15:23	49,152	---------	C:\WINDOWS\system32\VZWDLManager.dll
2008-05-08 18:26 . 2007-05-02 01:34	375	---------	C:\WINDOWS\system32\VZWDLManager.inf
2008-05-07 15:47 . 2008-05-07 15:47	<DIR>	d--------	C:\Documents and Settings\HP_Administrator\Application Data\GarageGames
2008-05-06 22:26 . 2008-05-06 22:26	43,520	--a------	C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-06 16:54 . 2008-05-06 16:54	<DIR>	d--------	C:\Program Files\directx
2008-05-06 16:40 . 2008-05-06 22:54	<DIR>	d--------	C:\Program Files\Deus Ex - Invisible War
2008-05-05 18:08 . 2008-05-05 18:08	<DIR>	d--------	C:\Program Files\IrfanView
2008-05-04 15:31 . 2008-05-04 15:32	<DIR>	d--------	C:\Documents and Settings\HP_Administrator\Application Data\Otto
2008-05-04 15:31 . 2008-05-04 15:32	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Otto
2008-05-04 15:15 . 2008-05-04 15:15	<DIR>	d--------	C:\Documents and Settings\HP_Administrator\Application Data\Template
2008-05-04 15:15 . 2008-05-26 12:46	1,160	--a------	C:\Documents and Settings\HP_Administrator\Application Data\wklnhst.dat
2008-05-04 14:42 . 2008-05-04 14:43	<DIR>	d--------	C:\Program Files\DISC
2008-05-04 14:08 . 2008-05-08 18:36	<DIR>	d--------	C:\temp
2008-05-03 20:38 . 2008-05-10 21:55	<DIR>	d--------	C:\Documents and Settings\HP_Administrator\Application Data\HP
2008-05-03 09:52 . 2004-08-03 23:01	25,856	--a------	C:\WINDOWS\system32\drivers\usbprint.sys
2008-05-03 09:52 . 2004-08-03 23:01	25,856	--a------	C:\WINDOWS\system32\dllcache\usbprint.sys
2008-05-03 09:52 . 2004-08-03 22:58	15,104	--a------	C:\WINDOWS\system32\drivers\usbscan.sys
2008-05-03 09:52 . 2004-08-03 22:58	15,104	--a------	C:\WINDOWS\system32\dllcache\usbscan.sys
2008-05-03 09:51 . 2004-08-03 23:08	31,616	--a------	C:\WINDOWS\system32\drivers\usbccgp.sys
2008-05-03 09:51 . 2004-08-03 23:08	31,616	--a------	C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-05-03 08:48 . 2008-05-03 08:48	227	--a------	C:\WINDOWS\HP_CounterReport_Update_HPSU.ini
2008-05-03 08:45 . 2008-05-03 08:45	<DIR>	d--------	C:\SystemRoot
2008-05-02 16:24 . 2008-05-02 16:24	<DIR>	d--------	C:\Program Files\Common Files\TiVo Shared
2008-05-02 16:13 . 2008-05-02 16:13	<DIR>	d--------	C:\Documents and Settings\HP_Administrator\Application Data\Sonic
2008-05-02 16:12 . 2008-05-02 16:12	<DIR>	d--------	C:\Documents and Settings\HP_Administrator\Application Data\Leadertech
2008-05-02 11:49 . 2008-05-02 11:49	<DIR>	d--------	C:\Documents and Settings\HP_Administrator\Application Data\WildTangent
2008-05-02 11:49 . 2008-05-02 11:49	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\WildTangent
2008-05-02 11:19 . 2008-05-02 11:19	<DIR>	d--------	C:\Program Files\Windows Media Connect 2
2008-05-02 11:17 . 2008-05-08 18:45	<DIR>	d--------	C:\WINDOWS\system32\drivers\UMDF
2008-05-02 11:17 . 2008-05-02 11:18	<DIR>	d--------	C:\fad5e8b528dbc97ae85030
2008-05-02 11:17 . 2008-05-02 11:17	<DIR>	d--------	C:\0514281461503bf77bfc3aa16f47
2008-04-30 21:54 . 2008-04-30 21:54	<DIR>	d--------	C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2008-04-27 19:48 . 2008-05-16 18:21	1,799	--a------	C:\WINDOWS\mozver.dat
2008-04-27 11:31 . 2008-04-27 11:31	0	--a------	C:\WINDOWS\nsreg.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-07 04:10	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Digital Interactive Systems Corporation
2008-05-06 23:40	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-05-04 22:32	251	----a-w	C:\Program Files\wt3d.ini
2008-05-03 15:52	---------	d-----w	C:\Program Files\HP
2008-05-03 15:52	---------	d-----w	C:\Program Files\Hewlett-Packard
2008-05-02 23:24	---------	d-----w	C:\Program Files\Sonic
2008-05-02 21:30	---------	d-----w	C:\Program Files\PC-Doctor 5 for Windows
2008-04-26 19:19	---------	d-----w	C:\Program Files\ANI
2008-04-26 19:18	---------	d-----w	C:\Program Files\Airlink101
2008-04-26 13:29	---------	d-----w	C:\Program Files\Common Files\Symantec Shared
2008-04-26 13:29	---------	d-----w	C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-26 06:10	96,520	----a-w	C:\WINDOWS\system32\drivers\avgldx86.sys
2008-04-26 06:10	75,272	----a-w	C:\WINDOWS\system32\drivers\avgtdix.sys
2008-04-26 06:10	---------	d-----w	C:\Program Files\AVG
2008-04-26 06:10	---------	d-----w	C:\Documents and Settings\All Users\Application Data\avg8
2008-04-26 05:45	---------	d-----w	C:\Program Files\Symantec
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-09 21:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 16:24 1694208]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-10-02 17:44 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 21:01 67584]
"RTHDCPL"="RTHDCPL.EXE" [2006-03-08 04:54 16010240 C:\WINDOWS\RTHDCPL.EXE]
"AlwaysReady Power Message APP"="ARPWRMSG.EXE" [2005-08-02 23:19 77312 C:\WINDOWS\arpwrmsg.exe]
"HPHUPD08"="c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe" [2005-06-01 23:35 49152]
"DMAScheduler"="c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe" [2006-03-20 09:05 90112]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2005-07-22 22:14 237568]
"PCDrProfiler"="" []
"HPBootOp"="C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 22:34 249856]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2007-05-08 16:24 54840]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 18:30 517768]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00 132496]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-04-25 23:10 1177368]
"Airlink101 WLAN Monitor"="C:\Program Files\Airlink101\WLAN Monitor\WLANmon.exe" [2006-06-30 18:55 954368]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2006-06-01 16:59 49152]
"KBD"="C:\HP\KBD\KBD.EXE" [2005-02-02 16:44 61440]
"DISCover"="C:\Program Files\DISC\DISCover.exe" [2006-03-15 19:12 1077248]
"DiscUpdateManager"="C:\Program Files\DISC\DiscUpdMgr.exe" [2006-03-15 19:11 61440]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]

C:\Documents and Settings\HP_Administrator\Start Menu\Programs\Startup\
MEMonitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe [2008-05-08 18:26:50 947544]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-12-15 18:40:44 282624]
Updates From HP.lnk - C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe [2006-07-22 03:21:53 36903]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\DISC\\DISCover.exe"=
"C:\\Program Files\\DISC\\DiscStreamHub.exe"=
"C:\\Program Files\\DISC\\myFTP.exe"=
"C:\\Program Files\\Updates from HP\\9972322\\Program\\HPOOVClient.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-04-25 23:10]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-04-25 23:10]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-04-25 23:10]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-04-25 23:10]
R3 AL101;Airlink101 802.11g PCI Driver;C:\WINDOWS\system32\DRIVERS\AL101.sys [2006-07-04 15:28]
S3 GameConsoleService;GameConsoleService;"C:\Program Files\WildTangent\Apps\HP Game Console\GameConsoleService.exe" [2008-03-28 16:04]
S3 pohci13F;pohci13F;C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\pohci13F.sys []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 22:24:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 


C:\WINDOWS\TEMP\4cc45e3a-99d2-49a4-9010-fa6e69a2e6fd.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\ehome\ehrecvr.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\DISC\DiscStreamHub.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-05-26 22:27:33 - machine was rebooted
ComboFix-quarantined-files.txt  2008-05-27 05:27:29

Pre-Run: 173,086,027,776 bytes free
Post-Run: 173,227,888,640 bytes free

219	--- E O F ---	2008-05-16 15:14:18
and here's my SDFix log:

*SDFix: Version 1.186 *
Run by HP_Administrator on Mon 05/26/2008 at 10:51 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

*Checking Services *:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


*Checking Files *: 

No Trojan Files Found






Removing Temp Files

*ADS Check *:



*Final Check *:

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 23:00:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


*Remaining Services *:




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe:*:Enabled:hpqtra08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe:*:Enabled:hpqdia.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqnrs08.exe:*:Enabled:hpqnrs08.exe"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"="C:\\Program Files\\AVG\\AVG8\\avgupd.exe:*:Enabled:avgupd.exe"
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"="C:\\Program Files\\AVG\\AVG8\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\DISC\\DISCover.exe"="C:\\Program Files\\DISC\\DISCover.exe:*:Enabled:DISCover Drop & Play System"
"C:\\Program Files\\DISC\\DiscStreamHub.exe"="C:\\Program Files\\DISC\\DiscStreamHub.exe:*:Enabled:DISCover Stream Hub"
"C:\\Program Files\\DISC\\myFTP.exe"="C:\\Program Files\\DISC\\myFTP.exe:*:Enabled:DISCover FTP"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\HPOOVClient.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\HPOOVClient.exe:*:Enabled:Updates from HP"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe"="C:\\Program Files\\Updates from HP\\9972322\\Program\\Updates from HP.exe:*:Enabled:Updates from HP"

*Remaining Files *:


File Backups: - C:\SDFix\SDFix\backups\backups.zip

*Files with Hidden Attributes *:

Sun 12 Aug 2007           211 A.SHR --- "C:\BOOT.BAK"
Fri 16 May 2008     6,104,632 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Sat 26 Apr 2008            22 A.SH. --- "C:\WINDOWS\SMINST\HPCD.sys"
Fri 16 May 2008         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu  5 Jul 2007       146,432 ..SHR --- "C:\Program Files\Verizon Wireless\V CAST Music Manager\Setup.exe"
Mon  7 May 2007        53,248 A.SHR --- "C:\Program Files\Verizon Wireless\V CAST Music Manager\_Setupx.dll"
Fri  2 May 2008             0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue  6 May 2008             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\BIT31.tmp"
Wed 14 Dec 2005       200,704 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\ACST4.DLL"
Tue 22 Nov 2005        81,920 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\AOLFIREWALLMGR.DLL"
Tue 22 Nov 2005        73,728 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\AOLINSTALLERFW.DLL"
Wed 14 Dec 2005        88,064 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90\INSTPH.DLL"
Wed 14 Dec 2005       200,704 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\ACST4.DLL"
Tue 22 Nov 2005        81,920 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\AOLFIREWALLMGR.DLL"
Tue 22 Nov 2005        73,728 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\AOLINSTALLERFW.DLL"
Wed 14 Dec 2005        88,064 A..H. --- "C:\Program Files\Online Services\Aol\United States\AOL90E\INSTPH.DLL"

*Finished!*


----------



## bjkman

My HijackThis log wouldn't fit in that post, so here it is:

And my HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:33:31 PM, on 5/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\arservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\ARPWRMSG.EXE
C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Airlink101\WLAN Monitor\WLANmon.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\DISC\DISCover.exe
C:\Program Files\DISC\DiscUpdMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
C:\Program Files\DISC\DiscStreamHub.exe
c:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
c:\windows\system\hpsysdrv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=63&bd=PAVILION&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: HpWebHelper - {AAAE832A-5FFF-4661-9C8F-369692D1DCB9} - C:\WINDOWS\pchealth\helpctr\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\plugin\WebHelper.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
O4 - HKLM\..\Run: [HPHUPD08] "c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe"
O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [Airlink101 WLAN Monitor] "C:\Program Files\Airlink101\WLAN Monitor\WLANmon.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
O4 - Startup: MEMonitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Manager\MEMonitor.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\WildTangent\Apps\HP Game Console\GameConsoleService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\HPZIPM12.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9341 bytes
That's everything. Hope this helps you help me.
-Ben
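Reading logs like the ones above by hand is slow, so here is an added example (my own code, not the forum's and not part of HijackThis, ComboFix or SDFix) that parses HijackThis O4/O23 lines and ComboFix service lines and flags what a helper usually checks first: binaries launched from a Temp directory, services with no vendor, and entries whose file is missing. The sample lines are constructed after the ones posted in this thread; the regexes and rule names are my own assumptions about the log formats.

```python
"""Triage helper for HijackThis and ComboFix autostart lines.

Added example, not part of the forum thread or of any removal tool. It flags
startup entries and services whose executable lives in a temporary directory,
points at a missing file, or carries no vendor information.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# HijackThis O4 (Run key) and O23 (service) line shapes, as assumed here.
HJT_O4 = re.compile(r"^O4 - (?P<where>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HJT_O23 = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<vendor>.+?) - (?P<path>.+)$")
# ComboFix service/driver line: "<start> <svc>;<description>;<path> [<timestamp>]"
CF_SVC = re.compile(
    r"^(?P<start>[RS]\d) (?P<svc>[^;]+);(?P<desc>[^;]*);(?P<path>.+?)\s*\[(?P<stamp>[^\]]*)\]$"
)

# Substrings that mark a temporary directory (8.3 names such as LOCALS~1\Temp still contain "\temp\").
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


@dataclass(frozen=True)
class Finding:
    source: str   # "hjt-o4", "hjt-o23" or "combofix-svc"
    name: str
    path: str
    reason: str


def _binary_from_command(cmd: str) -> str:
    """Pull the executable path out of an O4 command line, dropping its arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"^(.*?\.(?:exe|dll|sys|bat|cmd|scr|com))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd


def _in_temp_dir(path: str) -> bool:
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


def triage_line(line: str) -> List[Finding]:
    """Return zero or more findings for one log line; unknown line types yield nothing."""
    line = line.rstrip("\r\n")
    findings: List[Finding] = []
    if m := HJT_O4.match(line):
        path = _binary_from_command(m["cmd"])
        if _in_temp_dir(path):
            findings.append(Finding("hjt-o4", m["name"], path, "autostart from a temporary directory"))
        return findings
    if m := HJT_O23.match(line):
        path = m["path"].strip().strip('"')
        if _in_temp_dir(path):
            findings.append(Finding("hjt-o23", m["name"], path, "service binary in a temporary directory"))
        if m["vendor"].strip().lower() == "unknown owner":
            findings.append(Finding("hjt-o23", m["name"], path, "service has no vendor information"))
        if "(file missing)" in path.lower():
            findings.append(Finding("hjt-o23", m["name"], path, "service points at a missing file"))
        return findings
    if m := CF_SVC.match(line):
        path = m["path"].strip().strip('"')
        if _in_temp_dir(path):
            findings.append(Finding("combofix-svc", m["svc"], path, "driver/service loaded from a temporary directory"))
        if not m["stamp"].strip():
            findings.append(Finding("combofix-svc", m["svc"], path, "no file timestamp recorded (file absent or unreadable)"))
        return findings
    return findings


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run triage_line over a whole log and collect every finding."""
    return [f for line in lines for f in triage_line(line)]


# Constructed sample input, modelled on the lines posted in the thread.
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [QuickTime Task] "C:\\Program Files\\QuickTime\\QTTask.exe" -atboottime
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\\Program Files\\Bonjour\\mDNSResponder.exe
S3 GameConsoleService;GameConsoleService;"C:\\Program Files\\WildTangent\\Apps\\HP Game Console\\GameConsoleService.exe" [2008-03-28 16:04]
S3 pohci13F;pohci13F;C:\\DOCUME~1\\HP_ADM~1\\LOCALS~1\\Temp\\pohci13F.sys []
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.source}] {f.name}: {f.reason} -> {f.path}")
```

Only the Temp-directory driver line produces findings on the sample; the legitimate Run keys and services pass through silently, which is the point of running a filter before reading the rest of the log.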


----------



## GameMaster

*Bjkman*, please would you create another thread for this? Although you may have the same problem, it's hard to help two at the same time, in the same thread.
Just copy the logs in a new thread.

*Nillius:*
*Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).* 

Note: This program is for use on Windows XP *32 bit* systems only, and must be run from an Administrator account. 


Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, click *OK*. 
Click *Format*, and ensure *Word Wrap* is unchecked. 
Copy and Paste the text in the box below into *Notepad*. 
Now save the file as *RemoveFiles.txt* in a location where you can find it. 



> Files to delete:
> C:/Documents and Settings/Nikolaj/Local Settings/Temp/SIntfNT.dll



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system. 

Start *Avenger* by double clicking on *Avenger.exe*. 

Check *Load script from file:* 
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*. 
Double click it to enter it into Avenger. 
Click the *green traffic light symbol*. 
You will be asked if you want to execute the script, answer *Yes*. 
At this point you may get prompts from your protection systems, allow them please. 
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately. 
Answer *Yes*, and allow your computer to re-boot. 
Upon re-boot a command window will briefly appear on screen (this is normal). 
A Notepad text file will be created *C:\avenger.txt*. 
*Copy and Paste it into your next post please.* 

Any problems??


----------



## nihilius

GameMaster said:


> *Bjkman* please would you create another thread for this? Although you may have the same problem, it's hard to help two at the same time, in the same thread.
> Just copy the logs in a new thread.
> 
> *Nillius:*
> *Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).*
> 
> Note: This program is for use on Windows XP *32 bit* systems only, and must be run from an Administrator account.
> 
> 
> Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, click *OK*.
> Click *Format*, and ensure *Word Wrap* is unchecked.
> Copy and Paste the text in the box below into *Notepad*.
> Now save the file as *RemoveFiles.txt* in a location where you can find it.
> 
> 
> 
> Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system.
> 
> Start *Avenger* by double clicking on *Avenger.exe*.
> 
> Check *Load script from file:*
> Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*.
> Double click it to enter it into Avenger.
> Click the *green traffic light symbol*.
> You will be asked if you want to execute the script, answer *Yes*.
> At this point you may get prompts from your protection systems, allow them please.
> Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
> Answer *Yes*, and allow your computer to re-boot.
> Upon re-boot a command window will briefly appear on screen (this is normal).
> A Notepad text file will be created *C:\avenger.txt*.
> *Copy and Paste it into your next post please.*
> 
> Any problems??



The file seems not to be the problem; it is the thing that creates it when I launch Mafia. It disappears from the temp folder even though I told AVG to ignore the problem. Here is the log:

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  file "C:/Documents and Settings/Nikolaj/Local Settings/Temp/SIntfNT.dll" not found!
Deletion of file "C:/Documents and Settings/Nikolaj/Local Settings/Temp/SIntfNT.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
  --> the object does not exist


Completed script processing.

*******************

Finished!  Terminate.


----------
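
The Avenger log above shows the limit of delete-by-path cleanup: the file only exists for a moment during the game launch, so by the time a script runs it is already gone (STATUS_OBJECT_NAME_NOT_FOUND). What a responder actually needs in that situation is a copy and a hash of the transient file, so it can be identified (SIntfNT.dll, for instance, is one of the helper DLLs the SafeDisc copy-protection wrapper extracts into the Temp folder while a protected game starts, a frequent source of AV false positives) rather than blindly deleted. The Python 3 script below is an added example and is not part of this thread or of any tool mentioned in it: it takes a baseline of a directory, polls it, and copies and SHA-256-hashes every file that appears, leaving the original untouched. The directory names, the `constructed_drop.dll` file and its contents are constructed for the demonstration; a background thread stands in for the game launcher that drops and removes the file.

```python
import hashlib
import os
import shutil
import tempfile
import threading
import time
from pathlib import Path
from typing import Dict, Set

# Constructed payload for the demonstration; any bytes would do.
SAMPLE_CONTENT = b"constructed stand-in for a DLL dropped into Temp during a game launch\n"
EXPECTED_SHA256 = hashlib.sha256(SAMPLE_CONTENT).hexdigest()


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def current_files(directory: Path) -> Set[Path]:
    return {p for p in directory.iterdir() if p.is_file()}


def capture_new_files(watch_dir: Path, quarantine: Path, duration_s: float,
                      interval_s: float = 0.05) -> Dict[str, str]:
    """Poll watch_dir for duration_s seconds. Every file that appears after the
    baseline is copied into quarantine and hashed; returns {file name: sha256}.
    The original is left alone, so the launching program is not disturbed."""
    quarantine.mkdir(parents=True, exist_ok=True)
    seen = current_files(watch_dir)          # baseline: whatever was there before the launch
    captured: Dict[str, str] = {}
    deadline = time.monotonic() + duration_s
    while time.monotonic() < deadline:
        for p in current_files(watch_dir) - seen:
            seen.add(p)
            try:
                dest = quarantine / p.name
                shutil.copy2(p, dest)       # copy first; the dropper may delete it any moment
                captured[p.name] = sha256_of(dest)
            except OSError:
                pass                        # vanished between listing and copy; nothing to keep
        time.sleep(interval_s)
    return captured


def demo(duration_s: float = 1.0) -> Dict[str, str]:
    """Run the capture against a throw-away directory while a background thread
    plays the role of the launcher that drops a file and removes it again."""
    work = Path(tempfile.mkdtemp(prefix="temp_capture_demo_"))
    watch, quarantine = work / "Temp", work / "captured"
    watch.mkdir()

    def transient_dropper() -> None:
        time.sleep(0.1)
        staged = work / "staging.bin"
        staged.write_bytes(SAMPLE_CONTENT)
        os.replace(staged, watch / "constructed_drop.dll")   # atomic rename: never half-written
        time.sleep(0.3)
        (watch / "constructed_drop.dll").unlink()

    t = threading.Thread(target=transient_dropper)
    t.start()
    captured = capture_new_files(watch, quarantine, duration_s)
    t.join()
    shutil.rmtree(work, ignore_errors=True)
    return captured


if __name__ == "__main__":
    for name, digest in demo().items():
        print(f"{name}: sha256={digest}")
```

On a real machine you would point `capture_new_files` at the user's Temp folder, start the game in another window, and then compare the recorded hash with what the antivirus vendor or the game's publisher says about that file. A copy plus a hash settles the false-positive question; deleting a file that is recreated on every launch settles nothing.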



## GameMaster

I can only imagine one scenario: when you start playing Mafia online, some game-related file is recognised as a virus. It doesn't exist when we try to delete it so...it's not a problem.
If it pops out one more time, and if you get tired of it, you can always change your AntiVirus protection.


----------



## nihilius

GameMaster said:


> I can only imagine one scenario: when you start playing Mafia online, some game-related file is recognised as a virus. It doesn't exist when we try to delete it so...it's not a problem.
> If it pops out one more time, and if you get tired of it, you can always change your AntiVirus protection.



I can't even start the game. When I double-click the Mafia icon the trojan appears immediately; if I turn AVG off, nothing happens at all. That's the problem, I can't play the game. Thanks for your help anyway, it's great that this forum exists.


----------



## GameMaster

I suggest you uninstall the game and never run it again.


----------



## Itronix

Hello. I'm sorry I haven't got back to you. I finally got some time. Here is the log. I know that someone else had this problem too, but maybe you will see something in mine. Thanks!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:52:56 PM, on 5/28/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\SOUNDMAN.EXE
C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files (x86)\Grisoft\AVG7\avgcc.exe
C:\Program Files (x86)\Browser Mouse\Browser Mouse\1.1\Mouse32A.exe
C:\Program Files (x86)\Google\Google Updater\GoogleUpdater.exe
C:\Program Files (x86)\Internet Explorer\ieuser.exe
C:\Program Files (x86)\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files (x86)\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files (x86)\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files (x86)\google\googletoolbar1.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~2\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LWBMOUSE] "C:\Program Files (x86)\Browser Mouse\Browser Mouse\1.1\MOUSE32A.EXE"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files (x86)\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\Steam.exe -silent
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~2\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files (x86)\Google\Google Updater\GoogleUpdater.exe
O13 - Gopher Prefix: 
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files (x86)\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {D1E7CBDA-E60E-4970-A01C-37301EF7BF98} (Measurement Services Client v.3.12) - http://www.yougamers.com/systeminfo/MSC3.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files (x86)\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~2\Grisoft\AVG7\avgemc.exe
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files (x86)\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files (x86)\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files (x86)\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

--
End of file - 8098 bytes


----------



## G25r8cer

I am fairly sure you can fix the following. Wait for someone to confirm though!

O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @dfsrres.dll,-101 (DFSR) - Unknown owner - C:\Windows\system32\DFSR.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (nvsvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\SLsvc.exe,-101 (slsvc) - Unknown owner - C:\Windows\system32\SLsvc.exe (file missing)
O23 - Service: @%SystemRoot%\system32\snmptrap.exe,-3 (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%ProgramFiles%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)

Those all have files missing so I am sure you can fix them.


----------
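
The exchange above turns on how to read the O23 (service) lines of a HijackThis log: a long run of "Unknown owner ... (file missing)" entries looks alarming but, as the next reply points out, "fixing" them does nothing useful. The Python 3 script below is an added example, not code from this thread or from HijackThis: it parses O23 lines in the format HijackThis 2.0.2 emits and sorts them into a verdict a responder can act on. The sample log is constructed from a few lines of the Vista log posted earlier plus one hypothetical `Example Updater (exupd)` entry whose binary sits in a user's Temp folder, added only to show what a "review" verdict looks like. The `wow64-noise` verdict encodes a known limitation of the tool: HijackThis 2.0.2 is a 32-bit program, so on 64-bit Windows the WoW64 file-system redirection hides native System32 binaries from it and it reports them as missing.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One O23 line as HijackThis 2.0.2 prints it:
#   O23 - Service: <display name> (<short name>) - <owner> - <path> [(file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?\s*$"
)

# Directories where a service binary is unremarkable. A service whose binary
# lives anywhere else (Temp, AppData, the drive root, ...) deserves a look.
TRUSTED_ROOTS = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
    "c:\\progra~1\\",
    "c:\\progra~2\\",
)

# Constructed sample modelled on the Vista log in this thread. The last line is
# a hypothetical entry added to show what a "review" verdict looks like.
SAMPLE_LOG = r"""
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files (x86)\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Steam Client Service - Valve Corporation - C:\Program Files (x86)\Common Files\Steam\SteamService.exe
O23 - Service: Example Updater (exupd) - Unknown owner - C:\Users\Danny\AppData\Local\Temp\exupd.exe
"""


@dataclass
class Service:
    name: str
    owner: str
    path: str
    file_missing: bool
    verdict: str


def parse_o23(line: str) -> Optional[Tuple[str, str, str, bool]]:
    """Split one O23 line into (name, owner, path, file_missing); None if it is not an O23 line."""
    m = O23_RE.match(line.strip())
    if not m:
        return None
    return m["name"], m["owner"], m["path"], m["missing"] is not None


def classify(owner: str, path: str, file_missing: bool) -> str:
    p = path.lower()
    if file_missing and p.startswith("c:\\windows\\") and owner == "Unknown owner":
        # 32-bit HijackThis on 64-bit Windows: WoW64 redirects its view of
        # System32 to SysWOW64, so native services show up as "Unknown owner
        # ... (file missing)" although the binary is present. Tool noise.
        return "wow64-noise"
    if file_missing:
        return "missing"          # genuinely orphaned registration: confirm before touching it
    if not p.startswith(TRUSTED_ROOTS):
        return "review"           # service binary in a user-writable location
    return "ok"


def triage(log_text: str) -> List[Service]:
    out = []
    for line in log_text.splitlines():
        parsed = parse_o23(line)
        if parsed is None:
            continue
        name, owner, path, missing = parsed
        out.append(Service(name, owner, path, missing, classify(owner, path, missing)))
    return out


def needs_review(log_text: str) -> List[str]:
    """Names of services a human should look at, in log order."""
    return [s.name for s in triage(log_text) if s.verdict == "review"]


if __name__ == "__main__":
    for s in triage(SAMPLE_LOG):
        print(f"{s.verdict:12} {s.name}  <-  {s.path}")
```

Run against the full Vista log in this thread, every "(file missing)" line lands in `wow64-noise`, which matches the helper's conclusion that those entries are not where the problem is. The verdict that deserves attention is `review`: a service binary outside the Windows and Program Files trees is the pattern a proxy trojan would actually leave, and that is the line to look for before fixing anything.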



## GameMaster

It won't help; you can't delete bad services by fixing them with HijackThis.
I'm sorry I just don't have the time now, I'll be back in 6-7 hours.


----------



## GameMaster

*Download and Run ComboFix* 
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.* 

*Download this file* from one of the three below listed places : 

http://download.bleepingcomputer.com/sUBs/ComboFix.exe 
http://www.forospyware.com/sUBs/ComboFix.exe 
http://subs.geekstogo.com/ComboFix.exe 

Then double click *combofix.exe* & follow the prompts. 
When finished, it shall produce *a log* for you. *Post that log* in your next reply 
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall* 

Combofix should never take more than 20 minutes including the reboot if malware is detected. 
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue. 
If that happened we want to know, and also what process you had to end.


----------



## Itronix

Hey, gamemaster. They aren't quite working. One just says that you can't name it "combofix[1]" when I never named anything and another says that it won't work for my Vista 64 bit. Sorry about this trouble and I really appreciate your help.


----------



## GameMaster

Oh right...
Please open your HijackThis and click *Do a system scan only.*
Check these entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = 
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: ::1 localhost
O13 - Gopher Prefix

Now close all open windows except the HijackThis and click *Fix checked.*
Reboot your computer.

The rest of the log is legit. Once again, I can't find the Proxy trojan here.

Please go *HERE* to run Panda ActiveScan 2.0
Click the big green *Scan now* button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
Once the scan is completed, please hit the notepad icon next to the text *Export to:*
Save it to a convenient location such as your Desktop 
Post the contents of the *ActiveScan.txt* in your next reply


----------



## Itronix

Hey, thanks Gamemaster! I'll give that a try tomorrow.


----------



## Itronix

Ok, here it is. Does it look like I have a couple?

;***********************************************************************************************************************************************************************************
ANALYSIS: 2008-06-01 23:44:10
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 0
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description                                  Version                       Active    Updated
;===================================================================================================================================================================================
AVG 7.5.524                                  7.5.524                       Yes       Yes
;===================================================================================================================================================================================
MALWARE
Id        Description                        Type                Active    Severity  Disinfectable  Disinfected Location
;===================================================================================================================================================================================
00139535  Application/Processor              HackTools           No        0         Yes            No           C:\SDFix\apps\Process.exe
00139535  Application/Processor              HackTools           No        0         No             No           C:\Users\Danny\Downloads\SDFix.exe[SDFix\apps\Process.exe]
01176994  Bck/VB.XB                          Virus/Trojan        No        0         No             No           C:\Users\Danny\Downloads\ComboFix.exe[327882R2FWJFW\NirCmdC.cfexe]
01176994  Bck/VB.XB                          Virus/Trojan        No        0         Yes            No           C:\ComboFix\NirCmdC.cfexe
;===================================================================================================================================================================================
SUSPECTS
Sent      Location
;===================================================================================================================================================================================
;===================================================================================================================================================================================
VULNERABILITIES
Id        Severity   Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================


----------



## GameMaster

No you're absolutely clean.
To remove the "Hack Tool" ComboFix, do next:

 Click *Start* then *Run*,
Now type *Combofix /u* in the runbox and click *OK*. Note the space between the X and the U, it needs to be there.
When shown the disclaimer, Select "*2*"

Anymore problems now?


----------



## Itronix

Hello, Gamemaster. It can't find it. I made sure that the space was there, I left space(s) out, added spaces, but nothing. Thanks.


----------



## GameMaster

Great, can you notice any problems with your pc?


----------



## Itronix

Hey, sorry that I'm just now replying. Thank you for your help. No, I don't notice anything wrong besides the Trojan warning when I try to open Mafia. I guess I'm clean? Maybe I'll try reinstalling Mafia? Thanks again.


----------



## GameMaster

Yeah that would be great. I hope that helps! 
Good luck.


----------

