Cannot remove uacinit.dll trojan.agent


Hi there.

I got a nasty win32/cryptor virus on my Toshiba laptop last week. I would get constant adverts to buy WINDefender and when I search Google for something, it would take me to a weird webpage. I haven't opened my IE nor my Firefox since then. It's taken me a few days to finally install MBAM in safe mode (it took renaming the mbam.exe file to my name and took MBAM two installations because it froze). I managed to run a successful cleanup with MBAM, all except this uacinit.dll file that said it would delete on reboot, but it hasn't deleted. MBAM and my AVG (paid subscription) continue to spot this UACINIT.DLL file and many other UAC files. I haven't installed "HijackThis" in hopes that I don't kill my laptop with more malware removal tools, but if I have to, then I will. Here's the MBAM log and AVG log. Any help to get rid of this for good would be greatly appreciated. I really don't want to have to reformat the laptop.

Thanks.

-------

Malwarebytes' Anti-Malware 1.37

Database version: 2249

Windows 5.1.2600 Service Pack 3

08/06/2009 22:03:43

mbam-log-2009-06-08 (22-03-31).txt

Scan type: Full Scan (C:\|E:\|)

Objects scanned: 182735

Time elapsed: 35 minute(s), 24 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.

------------

AVG LOG

Scan "Scan whole computer" was finished.

Rootkits;"17";"0";"17"

Warnings;"59"

Folders selected for scanning:;"Scan whole computer"

Scan started:;"08 June 2009, 22:07:45"

Scan finished:;"08 June 2009, 23:18:49 (1 hour(s) 11 minute(s) 4 second(s))"

Total object scanned:;"474188"

User who launched the scan:;"user_name"

Rootkits

File;"Infection";"Result"

c:\Documents and Settings\user_name\Local Settings\Temp\UAC1f57.tmp;"Hidden file";"Object is hidden"

C:\WINDOWS\system32\drivers\UACvjkymtkibmivedo.sys;"Hidden driver";"Object is hidden"

c:\WINDOWS\system32\drivers\UACvjkymtkibmivedo.sys;"Hidden file";"Object is hidden"

c:\WINDOWS\system32\UACbrqhweeccxhmlte.dll;"Hidden file";"Object is hidden"

c:\WINDOWS\system32\uacinit.dll;"Hidden file";"Object is hidden"

c:\WINDOWS\system32\UACodvqvdktudehwhw.dll;"Hidden file";"Object is hidden"

c:\WINDOWS\system32\UACrntihclimpxgfrk.log;"Hidden file";"Object is hidden"

c:\WINDOWS\system32\UACwdodaiquxeqelas.dat;"Hidden file";"Object is hidden"

c:\WINDOWS\system32\UACwesshtoblteebue.dll;"Hidden file";"Object is hidden"

c:\WINDOWS\system32\UACweymbiqmcjlqfew.dll;"Hidden file";"Object is hidden"

c:\WINDOWS\system32\UACxyqgmjnyomqxbvb.dll;"Hidden file";"Object is hidden"

c:\WINDOWS\Temp\UACb5dd.tmp;"Hidden file";"Object is hidden"

c:\WINDOWS\Temp\UACbc84.tmp;"Hidden file";"Object is hidden"

c:\WINDOWS\Temp\UACbfd0.tmp;"Hidden file";"Object is hidden"

c:\WINDOWS\Temp\UACc32c.tmp;"Hidden file";"Object is hidden"

c:\WINDOWS\Temp\UACc7df.tmp;"Hidden file";"Object is hidden"

c:\WINDOWS\Temp\UACcc73.tmp;"Hidden file";"Object is hidden"
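As an added illustration (not code from the original post, Malwarebytes or AVG), the following Python script parses the AVG "Rootkits" table and the MBAM detection lines in the formats shown above, flags entries that follow the UAC naming pattern seen in this log, and cross-references the file MBAM could not delete against the objects AVG reports as hidden. The naming patterns are derived only from the file names in these logs, the `is_driver` heuristic is an assumption of the example, and the sample rows are copied from the log above plus one constructed non-UAC row (`example_hidden.sys`).

```python
import csv
import io
import re
from dataclasses import dataclass

# Naming patterns taken only from the file names in the logs above: the fixed
# loader name, "UAC" + a run of random lowercase letters for the dll/sys/dat/log
# components, and "UAC" + four hex digits for the .tmp droppers.
UAC_PATTERNS = [
    re.compile(r"^uacinit\.dll$", re.IGNORECASE),
    re.compile(r"^UAC[a-z]{8,}\.(dll|sys|dat|log)$"),
    re.compile(r"^UAC[0-9a-f]{4}\.tmp$", re.IGNORECASE),
]

# MBAM detection lines have the shape "<item> (<detection>) -> <action>"
MBAM_LINE = re.compile(r"^(?P<item>.+?) \((?P<detection>[^)]+)\) -> (?P<action>.+)$")


@dataclass
class HiddenObject:
    """One row of AVG's 'Rootkits' table: File;"Infection";"Result"."""
    path: str
    infection: str   # "Hidden file" or "Hidden driver"
    result: str      # "Object is hidden"

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1]

    @property
    def is_uac_family(self) -> bool:
        return any(p.match(self.name) for p in UAC_PATTERNS)

    @property
    def is_driver(self) -> bool:
        # Heuristic (assumption of this example): a hidden .sys is the kernel-mode
        # component that keeps the other files invisible and makes user-mode
        # "delete on reboot" fail.
        return self.infection.lower() == "hidden driver" or self.name.lower().endswith(".sys")


def parse_avg_rootkits(text: str) -> list[HiddenObject]:
    """Parse the semicolon-separated, double-quoted AVG table, skipping the header."""
    rows = csv.reader(io.StringIO(text), delimiter=";", quotechar='"')
    return [HiddenObject(*row) for row in rows if len(row) == 3 and row[0] != "File"]


def parse_mbam(text: str) -> list[dict]:
    """Return item/detection/action dicts for every MBAM detection line."""
    found = []
    for line in text.splitlines():
        m = MBAM_LINE.match(line.strip())
        if m:
            found.append(m.groupdict())
    return found


def triage(avg_text: str, mbam_text: str) -> dict:
    """Cross-reference the two logs and summarise what to look at first."""
    hidden = parse_avg_rootkits(avg_text)
    mbam = parse_mbam(mbam_text)
    uac = [h for h in hidden if h.is_uac_family]
    mbam_paths = {e["item"].lower() for e in mbam}
    return {
        "hidden_total": len(hidden),
        "uac_family": sorted({h.name for h in uac}),
        # the driver has to go before any of the user-mode files will stay deleted
        "kernel_drivers": sorted({h.name for h in uac if h.is_driver}),
        "mbam_pending": [e["item"] for e in mbam if e["action"].startswith("No action")],
        # reported hidden by AVG *and* left in place by MBAM: the rootkit is still live
        "hidden_and_undeleted": sorted(h.path for h in hidden if h.path.lower() in mbam_paths),
        "other_hidden": sorted(h.path for h in hidden if not h.is_uac_family),
    }


# Sample input: rootkit rows copied from the AVG log above, plus one constructed
# non-UAC row (example_hidden.sys) to show that the classifier separates them.
AVG_ROOTKIT_SAMPLE = r"""
File;"Infection";"Result"
c:\Documents and Settings\user_name\Local Settings\Temp\UAC1f57.tmp;"Hidden file";"Object is hidden"
C:\WINDOWS\system32\drivers\UACvjkymtkibmivedo.sys;"Hidden driver";"Object is hidden"
c:\WINDOWS\system32\drivers\UACvjkymtkibmivedo.sys;"Hidden file";"Object is hidden"
c:\WINDOWS\system32\UACbrqhweeccxhmlte.dll;"Hidden file";"Object is hidden"
c:\WINDOWS\system32\uacinit.dll;"Hidden file";"Object is hidden"
c:\WINDOWS\system32\UACwdodaiquxeqelas.dat;"Hidden file";"Object is hidden"
c:\WINDOWS\Temp\UACb5dd.tmp;"Hidden file";"Object is hidden"
c:\WINDOWS\system32\drivers\example_hidden.sys;"Hidden driver";"Object is hidden"
"""

# The two detections from the MBAM log above.
MBAM_SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.
"""

if __name__ == "__main__":
    for key, value in triage(AVG_ROOTKIT_SAMPLE, MBAM_SAMPLE).items():
        print(f"{key}: {value}")
```

The "hidden_and_undeleted" entry is the one to act on first: a file that one scanner sees as hidden and another cannot remove indicates a resident kernel driver rather than a plain leftover file.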


Hello and welcome to the forums!

My name is Bio-Hazard and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:

  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • If you don't know or understand something please don't hesitate to ask.
  • Please DO NOT run any other tools or scans whilst I am helping you.
  • It is important that you reply to this thread. Do not start a new topic.
  • Your security programs may give warnings for some of the tools I will ask you to use. Be assured, any links I give are safe.
  • Absence of symptoms does not mean that everything is clear.

No Reply Within 5 Days Will Result In Your Topic Being Closed!!

Download and Run ComboFix

Download ComboFix from one of these locations:

Link 1

Link 2

Link 3

Here you can find a tutorial about Combofix: HOW TO USE COMBOFIX

  • You must download it to and run it from your Desktop
  • ComboFix SHOULD NOT be used unless requested by a forum helper.
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE
  • Double click on ComboFix.exe and follow the prompts.
    • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
    • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
    • If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
  • Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.
  • ComboFix should never take more than 20 minutes including the reboot if malware is detected.

IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Download HijackThis

To get things going I need you to download HijackThis; see the instructions below.

  • Click HERE to download HijackThis Installer
  • Save HijackThis Installer to your desktop.
  • Doubleclick on the HijackThis Installer icon on your desktop.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Click on Edit > Select All then click on Edit > Copy to copy the entire contents of the log.
  • Come back here to this thread and Paste the log in your next reply.

DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.

DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.

Next Reply

Please reply with:

  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log

Thanks Bio-Hazard.

ComboFix didn't open after I downloaded it to my desktop. I had to re-download it again and rename the file before placing it on my desktop. I didn't have the Windows recovery program, I asked ComboFix to install it but it failed and carried on removing my malware. Here's the log.

--------------------------

ComboFix 09-06-09.01 - Sarah B 09/06/2009 20:15.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.1014.612 [GMT 1:00]

Running from: c:\documents and settings\Sarah B\Desktop\Combo-Fix.exe

AV: AVG Anti-Virus *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\kb913800.exe

c:\windows\system32\drivers\UACvjkymtkibmivedo.sys

c:\windows\system32\UACbrqhweeccxhmlte.dll

c:\windows\system32\uacinit.dll

c:\windows\system32\UACodvqvdktudehwhw.dll

c:\windows\system32\UACrntihclimpxgfrk.log

c:\windows\system32\UACvguevfprxrsoycp.log

c:\windows\system32\UACwdodaiquxeqelas.dat

c:\windows\system32\UACwesshtoblteebue.dll

c:\windows\system32\UACweymbiqmcjlqfew.dll

c:\windows\system32\UACxyqgmjnyomqxbvb.dll

c:\windows\system32\UACyfrdfmwywrkykjx.log

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Service_UACd.sys

((((((((((((((((((((((((( Files Created from 2009-05-09 to 2009-06-09 )))))))))))))))))))))))))))))))

.

2009-06-08 19:15 . 2009-06-08 19:15 -------- d-----w- c:\documents and settings\Sarah B\Application Data\Malwarebytes

2009-06-08 18:10 . 2009-05-26 12:20 40160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

2009-06-08 18:10 . 2009-06-08 20:52 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

2009-06-08 18:10 . 2009-06-08 18:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes

2009-06-08 18:10 . 2009-05-26 12:19 19096 ----a-w- c:\windows\system32\drivers\mbam.sys

2009-06-04 17:33 . 2009-06-05 17:07 -------- d-----w- c:\documents and settings\Sarah B\Application Data\AVGTOOLBAR

2009-05-30 10:32 . 2009-05-30 10:32 -------- d-----w- c:\program files\iPod

2009-05-30 10:32 . 2009-05-30 10:32 -------- d-----w- c:\program files\iTunes

2009-05-30 10:32 . 2009-05-30 10:32 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}

2009-05-30 10:30 . 2009-05-30 10:30 -------- d-----w- c:\program files\Bonjour

2009-05-30 10:27 . 2009-05-30 10:27 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe

2009-05-21 19:13 . 2009-05-21 19:13 -------- d-----w- c:\documents and settings\LocalService\Local Settings\Application Data\Google

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2009-06-05 17:00 . 2008-10-27 20:37 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8

2009-06-04 17:33 . 2008-10-27 20:38 11952 ----a-w- c:\windows\system32\avgrsstx.dll

2009-06-04 17:33 . 2008-10-27 20:38 12552 ----a-w- c:\windows\system32\drivers\avgrkx86.sys

2009-06-04 17:33 . 2008-10-27 20:38 108552 ----a-w- c:\windows\system32\drivers\avgtdix.sys

2009-06-04 17:33 . 2008-10-27 20:38 325896 ----a-w- c:\windows\system32\drivers\avgldx86.sys

2009-06-04 17:33 . 2007-05-05 12:50 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys

2009-06-04 17:20 . 2009-06-05 15:42 177946 ----a-w- c:\windows\pchealth\helpctr\Config\Cache\Professional_32_1033.dat

2009-05-30 10:32 . 2007-09-02 18:15 -------- d-----w- c:\program files\Common Files\Apple

2009-05-21 19:13 . 2008-01-19 04:37 -------- d-----w- c:\program files\Picasa2

2009-05-19 21:21 . 2007-09-07 21:18 -------- d-----w- c:\documents and settings\Sarah B\Application Data\U3

2009-05-17 21:59 . 2008-02-06 13:20 -------- d-----w- c:\documents and settings\Sarah B\Application Data\Skype

2009-05-17 21:42 . 2008-02-06 13:22 -------- d-----w- c:\documents and settings\Sarah B\Application Data\skypePM

2009-05-01 18:30 . 2009-05-01 18:30 3366912 ----a-w- c:\windows\system32\GPhotos.scr

2009-04-15 21:07 . 2006-09-13 15:30 50456 ----a-w- c:\documents and settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

2009-03-19 15:32 . 2009-03-19 15:32 23400 ----a-w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys

2009-03-19 15:32 . 2006-09-19 13:44 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"TOSCDSPD"="c:\program files\TOSHIBA\TOSCDSPD\toscdspd.exe" [2005-04-11 65536]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]

"kdx"="c:\windows\kdx\KHost.exe" [2007-05-11 2236416]

"Creative WebCam Tray"="c:\program files\Creative\Shared Files\CamTray.exe" [2005-10-27 299008]

"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ehTray"="c:\windows\ehome\ehtray.exe" [2005-08-05 64512]

"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-03-23 94208]

"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-03-23 77824]

"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-03-23 118784]

"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-02 761948]

"THotkey"="c:\program files\Toshiba\Toshiba Applet\thotkey.exe" [2006-08-25 356352]

"Tvs"="c:\program files\TOSHIBA\Tvs\TvsTray.exe" [2006-02-02 73728]

"SmoothView"="c:\program files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe" [2005-05-12 118784]

"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-10-06 122940]

"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 802816]

"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 696320]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-12-12 136600]

"PCSuiteTrayApplication"="c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-28 222720]

"AVG8_TRAY"="c:\progra~1\AVG\AVG8\avgtray.exe" [2009-06-04 1947928]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]

"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2006-05-05 16206848]

"AGRSMMSG"="AGRSMMSG.exe" - c:\windows\agrsmmsg.exe [2005-12-13 88204]

"TPSMain"="TPSMain.exe" - c:\windows\system32\TPSMain.exe [2005-08-03 266240]

"NDSTray.exe"="NDSTray.exe" [bU]

"TFncKy"="TFncKy.exe" [bU]

"CFSServ.exe"="CFSServ.exe" [bU]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"PcSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2006-11-09 1634304]

c:\documents and settings\Sarah B\Start Menu\Programs\Startup\

Microsoft Office OneNote 2003 Quick Launch.lnk - c:\program files\Microsoft Office\OFFICE11\ONENOTEM.EXE [2005-3-17 59080]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Acrobat Assistant.lnk - c:\program files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2006-12-19 82026]

Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]

Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-3-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]

"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]

2009-06-04 17:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"="0"

"UpdatesDisableNotify"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"c:\\Program Files\\Messenger\\msmsgs.exe"=

"c:\\WINDOWS\\kdx\\KHost.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgam.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

"c:\\Documents and Settings\\Sarah B\\Application Data\\Macromedia\\Flash Player\\www.macromedia.com\\bin\\octoshape\\octoshape.exe"=

"c:\\WINDOWS\\system32\\dpvsetup.exe"=

"c:\\Program Files\\Skype\\Phone\\Skype.exe"=

"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=

"c:\\Program Files\\iTunes\\iTunes.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgdiag.exe"=

"c:\\Program Files\\AVG\\AVG8\\avgdiagex.exe"=

"c:\\Program Files\\Toshiba\\ConfigFree\\CFSServ.exe"=

R0 AvgRkx86;avgrkx86.sys;c:\windows\system32\drivers\avgrkx86.sys [27/10/2008 21:38 12552]

R1 AvgLdx86;AVG AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [27/10/2008 21:38 325896]

R1 AvgTdiX;AVG8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [27/10/2008 21:38 108552]

R2 avg8emc;AVG8 E-mail Scanner;c:\progra~1\AVG\AVG8\avgemc.exe [04/06/2009 18:33 908568]

R2 avg8wd;AVG8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [04/06/2009 18:33 298776]

R3 X10Hid;X10 Hid Device;c:\windows\system32\drivers\x10hid.sys [14/09/2006 12:10 7040]

S3 V0260VID;Live! Cam Vista IM;c:\windows\system32\drivers\V0260Vid.sys [06/02/2008 14:30 178913]

.

Contents of the 'Scheduled Tasks' folder

2008-08-15 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-07-25 11:34]

.

- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.yahoo.com/

uSearchMigratedDefaultURL = hxxp://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}

uDefault_Search_URL = hxxp://www.google.com/ie

uInternet Settings,ProxyOverride = *.local

uSearchURL,(Default) = hxxp://www.google.com/search?q=%s

IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000

.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-06-09 20:20

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(896)

c:\windows\system32\Ati2evxx.dll

.

Completion time: 2009-06-09 20:22

ComboFix-quarantined-files.txt 2009-06-09 19:22

Pre-Run: 54,622,109,696 bytes free

Post-Run: 55,578,087,424 bytes free

173 --- E O F --- 2009-05-16 17:03

-----------------------

I installed HijackThis. It looks like I have the svchost.exe virus still on my laptop. I have been reading about this on websites. Should I be worried??? Here's the log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 20:25:46, on 09/06/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16827)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe -all

O4 - HKCU\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CamTray.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')

O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.34/uploader2.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: KService - Unknown owner - C:\Program Files\KService\KService.exe (file missing)

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--

End of file - 10654 bytes


Hello!

I see a few Norton entries in your HijackThis log. Have you uninstalled Norton?

ComboFix didn't open after I downloaded it to my desktop. I had to re-download it again and rename the file before placing it on my desktop. I didn't have the Windows recovery program, I asked ComboFix to install it but it failed and carried on removing my malware. Here's the log.

The infection you had interfered with Combofix. You did very well.

It looks like I have the svchost.exe virus still on my laptop. I have been reading about this on websites. Should I be worried???

What do you mean by this? What entry makes you believe you have this virus?

ATF-Cleaner

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords please click No at the prompt.
  • Click Exit on the Main menu to close the program.

Kaspersky Online Scan

You can use either Internet Explorer or Mozilla FireFox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

  • Answer to my questions
  • Kaspersky Log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving

'I see a few Norton entries in your HijackThis log. Have you uninstalled Norton?'

I don't have Norton installed on my laptop. My main antivirus program is AVG (paid sub). I believe Norton came with the laptop when it was purchased. I thought I had removed it. I'll try to have a look again to make sure I have removed all its contents.

Re: svchost.exe

'What do you mean by this? What entry makes you believe you have this virus?'

The reason I thought this was because I noticed in my HijackThis log under 'running processes' it has 3 instances of the following:

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

I have been reading on your forums and on computer forums that there are some viral problems with this file. I understand that some svchost files are needed to make processes run on my pc but I didn't know if these were the good svchost files or the bad ones.

Kaspersky Log Here: It's showing I still have threats/infections, but it looks as though they are in Quarantine within ComboFix. Am I right? Should I delete them out of Quarantine? How do I do that?

--------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER 7.0 REPORT

Thursday, June 11, 2009

Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)

Kaspersky Online Scanner version: 7.0.26.13

Program database last update: Thursday, June 11, 2009 19:42:47

Records in database: 2337631

--------------------------------------------------------------------------------

Scan settings:

Scan using the following database: extended

Scan archives: yes

Scan mail databases: yes

Scan area - My Computer:

C:\

D:\

Scan statistics:

Files scanned: 67543

Threat name: 5

Infected objects: 12

Suspicious objects: 0

Duration of the scan: 01:23:52

File name / Threat name / Threats count

C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACvjkymtkibmivedo.sys.vir Infected: Rootkit.Win32.Agent.lhm 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACbrqhweeccxhmlte.dll.vir Infected: Packed.Win32.Tdss.m 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACodvqvdktudehwhw.dll.vir Infected: Trojan.Win32.TDSS.adzx 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACwesshtoblteebue.dll.vir Infected: Packed.Win32.Tdss.m 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACweymbiqmcjlqfew.dll.vir Infected: Trojan.Win32.TDSS.adzz 1

C:\Qoobox\Quarantine\C\WINDOWS\system32\UACxyqgmjnyomqxbvb.dll.vir Infected: Trojan.Win32.TDSS.aegg 1

C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP267\A0025177.sys Infected: Rootkit.Win32.Agent.lhm 1

C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP267\A0025178.dll Infected: Packed.Win32.Tdss.m 1

C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP267\A0025179.dll Infected: Packed.Win32.Tdss.m 1

C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP267\A0025180.dll Infected: Trojan.Win32.TDSS.adzx 1

C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP267\A0025181.dll Infected: Trojan.Win32.TDSS.adzz 1

C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP267\A0025182.dll Infected: Trojan.Win32.TDSS.aegg 1

The selected area was scanned.

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:43:37, on 11/06/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Synaptics\SynTP\Toshiba.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\TOSHIBA\Tvs\TvsTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\WINDOWS\system32\TPSBattM.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\kdx\KHost.exe

C:\Program Files\Creative\Shared Files\CamTray.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\AVG\AVG8\avgscanx.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe -all

O4 - HKCU\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CamTray.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')

O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.34/uploader2.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: KService - Unknown owner - C:\Program Files\KService\KService.exe (file missing)

O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--

End of file - 12333 bytes

Description on laptop behaviour:

Working great. No issues with opening or using Internet Explorer. MS Office and other applications working ok. Speed is good. Performance good. All seems normal, but I am still cautious about using the internet because of Kaspersky's log scan. What else can I do??


I don't have Norton installed on my laptop. My main antivirus program is AVG (paid sub). I believe Norton came with the laptop when it was purchased. I thought I had removed it. I'll try to have a look again to make sure I have removed all its contents.

There are a few leftovers from Norton which we can get rid of.

I have been reading on your forums and on computer forums that there are some viral problems with this file. I understand that some svchost files are needed to make processes run on my pc but I didn't know if these were the good svchost files or the bad ones.

C:\WINDOWS\system32\svchost.exe

These entries are legitimate. So no need to worry. If they were bad i would have dealt with them.

It's showing I still have threats/infections, but it looks as though they are in Quarantine within ComboFix. Am I right? Should I delete them out of Quarantine? How do I do that?

All seems normal, but I am still cautious about using the internet because of Kaspersky's log scan. What else can I do??

Kaspersky entries are harmless. We deal with the ComboFix quarantine entries when we are done. So all in good time. We have a few more things to do. Let's get rid of those Norton entries.

Back Up registry with ERUNT

  • Please use the following link and scroll down to ERUNT and download it on to your desktop. HERE

  • Click on the erunt-setup.exe

  • Follow the prompts to install ERUNT

  • Choose language

  • A setup window will pop up. It will ask: Create ERUNT entry in the Startup folder; answer NO

  • Backup your registry to the default location

Note: To restore your registry (if needed), go to the folder and start ERDNT.exe

Download and run OTM

Download OTM by Old Timer and save it to your Desktop.

  • Double-click OTM.exe to run it.

  • Paste the following code under the pasteline.png area. Do not include the word Code.

    :Processes

    explorer.exe

    :Services

    Automatic LiveUpdate Scheduler

    LiveUpdate

    Symantec Core LC

    :Reg

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]

    "{EF99BD32-C1FB-11D2-892F-0090271D4F88}"=-

    [-HKEY_CLASSES_ROOT\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}]

    :Files

    C:\Program Files\Common Files\Symantec Shared

    C:\Program Files\Symantec

    :Commands

    [emptytemp]

    [start explorer]

    [Reboot]

  • Return to OTM, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.

  • Push the large btnmoveit.png button.

  • OTM may ask to reboot the machine. Please do so if asked.

  • Copy everything in the Results window (under the green bar), and paste it in your next reply.

    NOTE: If you are unable to copy/paste from this window (as will be the case if the machine was rebooted), open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Malwarebytes' Anti-Malware

I see that you have Malwarebytes' Anti-Malware installed on your computer; could you please do a scan using these settings:

  • Open Malwarebytes' Anti-Malware

  • Select the Update tab

  • Click Check for Updates

  • After the update has been completed, select the Scanner tab.

  • Select Perform full scan, then click on Scan

  • Leave the default options as they are and click on Start Scan

  • When done, you will be prompted. Click OK, then click on Show Results

  • Check (tick) all items and click on Remove Selected

  • After it has removed the items, Notepad will open. Please post this log in your next reply. You can also find the log in the Logs tab. The bottom-most log is the latest

Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:

  • Malwarebytes Anti-Malware Log

  • OTM Log

  • A fresh HijackThis Log (after all the above has been done)

  • A description of how your computer is behaving

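The two questions answered in the reply above (whether several svchost.exe processes in a HijackThis log are normal, and whether Kaspersky hits inside ComboFix's C:\Qoobox\Quarantine and the System Restore folder are live infections) can be checked mechanically. The script below is an added example, not code from this thread or from HijackThis, ComboFix or Kaspersky: it parses the "Running processes:" section of a HijackThis log and the file/threat lines of a Kaspersky Online Scanner report. The sample lines are constructed (the two bad process entries and the EXAMPLE_* names are invented for the check to flag), and the look-alike filename list is an assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: the "Running processes:" section of a HijackThis log, with four
# genuine svchost.exe entries (XP normally runs several, one per service group) plus
# two invented bad entries so the check has something to flag.
HJT_PROCESSES = r"""
Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
C:\WINDOWS\system32\scvhost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
"""

# Constructed sample in Kaspersky Online Scanner report format: two inert copies
# (ComboFix quarantine, System Restore point) and one invented live detection.
KASPERSKY_REPORT = r"""
C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\UACvjkymtkibmivedo.sys.vir Infected: Rootkit.Win32.Agent.lhm 1
C:\System Volume Information\_restore{1283C4C2-5C9F-4160-B9A2-AC1BC36A6A58}\RP267\A0025177.sys Infected: Rootkit.Win32.Agent.lhm 1
C:\WINDOWS\system32\EXAMPLE_live.dll Infected: EXAMPLE.Threat.placeholder 1
"""

# The only directory the genuine Service Host image lives in on Windows XP.
SYSTEM_DIR = PureWindowsPath(r"C:\WINDOWS\system32")
# Filenames chosen to be misread as svchost.exe (assumed list, not from the thread).
LOOKALIKES = {"scvhost.exe", "svch0st.exe", "svchosts.exe", "svhost.exe"}

SECTION_END = re.compile(r"^[RFO]\d+ - ")  # first R0/R1/F2/O2... line ends the process list
KASPERSKY_LINE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)$")


def extract_running_processes(log_text):
    """Return the image paths listed under 'Running processes:' in a HijackThis log."""
    procs, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.lower().startswith("running processes:"):
            in_section = True
            continue
        if in_section:
            if SECTION_END.match(line):
                break
            procs.append(line)
    return procs


def audit_svchost(log_text):
    """Count genuine svchost.exe instances; flag copies outside system32 and look-alike names."""
    findings = {"genuine": 0, "wrong_location": [], "lookalike": []}
    for proc in extract_running_processes(log_text):
        path = PureWindowsPath(proc)
        name = path.name.lower()
        if name == "svchost.exe":
            # Windows paths are case-insensitive, so compare lower-cased strings.
            if str(path.parent).lower() == str(SYSTEM_DIR).lower():
                findings["genuine"] += 1
            else:
                findings["wrong_location"].append(proc)
        elif name in LOOKALIKES:
            findings["lookalike"].append(proc)
    return findings


def triage_kaspersky(report_text):
    """Bucket Kaspersky detections by whether the file is an inert copy or a live object."""
    buckets = {"combofix_quarantine": [], "restore_point": [], "live": []}
    for raw in report_text.splitlines():
        m = KASPERSKY_LINE.match(raw.strip())
        if not m:
            continue
        path, threat = m.group("path"), m.group("threat")
        low = path.lower()
        if low.startswith("c:\\qoobox\\quarantine\\"):
            buckets["combofix_quarantine"].append((path, threat))
        elif "\\system volume information\\" in low:
            buckets["restore_point"].append((path, threat))
        else:
            buckets["live"].append((path, threat))
    return buckets


if __name__ == "__main__":
    print(audit_svchost(HJT_PROCESSES))
    for bucket, items in triage_kaspersky(KASPERSKY_REPORT).items():
        print(bucket, len(items))
```

On the constructed sample this reports four genuine svchost.exe instances (the same pattern as the thread's log), one svchost.exe in a user temp folder and one look-alike name, and it puts the quarantine and restore-point hits in their own buckets with only the invented EXAMPLE_live.dll left as a live finding. The path check is only a first filter: it tells you that the image on disk is the real one, not that nothing has been injected into that process, so a genuine path is a reason not to panic rather than proof of a clean machine.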

OTM log:

========== PROCESSES ==========

Process explorer.exe killed successfully.

========== SERVICES/DRIVERS ==========

Service\Driver Automatic LiveUpdate Scheduler stopped successfully.

Service\Driver Automatic LiveUpdate Scheduler deleted successfully.

Service\Driver Automatic LiveUpdate Scheduler stopped successfully.

Service\Driver LiveUpdate deleted successfully.

Service\Driver Symantec Core LC stopped successfully.

Service\Driver Symantec Core LC deleted successfully.

========== REGISTRY ==========

Registry value HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} deleted successfully.

Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\ deleted successfully.

Registry key HKEY_CLASSES_ROOT\CLSID\{EF99BD32-C1FB-11D2-892F-0090271D4F88}\\ not found.

========== FILES ==========

C:\Program Files\Common Files\Symantec Shared\SPManifests moved successfully.

C:\Program Files\Common Files\Symantec Shared\Help moved successfully.

C:\Program Files\Common Files\Symantec Shared\CCPD-LC moved successfully.

C:\Program Files\Common Files\Symantec Shared moved successfully.

C:\Program Files\Symantec\LiveUpdate moved successfully.

C:\Program Files\Symantec moved successfully.

========== COMMANDS ==========

File delete failed. C:\DOCUME~1\SARAHB~1\LOCALS~1\Temp\~DF689F.tmp scheduled to be deleted on reboot.

User's Temp folder emptied.

User's Internet Explorer cache folder emptied.

File delete failed. C:\Documents and Settings\Sarah B\Local Settings\Temporary Internet Files\Content.IE5\DXP16BU5\search[5].htm scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Sarah B\Local Settings\Temporary Internet Files\Content.IE5\CQNMOI6W\iframe[1].htm scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Sarah B\Local Settings\Temporary Internet Files\Content.IE5\AL4KWTW6\index[1].htm scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Sarah B\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\Sarah B\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat scheduled to be deleted on reboot.

User's Temporary Internet Files folder emptied.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.

File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.

Local Service Temp folder emptied.

Local Service Temporary Internet Files folder emptied.

Network Service Temp folder emptied.

Network Service Temporary Internet Files folder emptied.

File delete failed. C:\WINDOWS\temp\e0c2400c-c378-4cfd-82ca-dc9687848f1d.tmp scheduled to be deleted on reboot.

File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_118.dat scheduled to be deleted on reboot.

Windows Temp folder emptied.

Java cache emptied.

Temp folders emptied.

Explorer started successfully

OTM by OldTimer - Version 2.1.0.1 log created on 06132009_172540

Files moved on Reboot...

File C:\DOCUME~1\SARAHB~1\LOCALS~1\Temp\~DF689F.tmp not found!

C:\Documents and Settings\Sarah B\Local Settings\Temporary Internet Files\Content.IE5\DXP16BU5\search[5].htm moved successfully.

C:\Documents and Settings\Sarah B\Local Settings\Temporary Internet Files\Content.IE5\CQNMOI6W\iframe[1].htm moved successfully.

C:\Documents and Settings\Sarah B\Local Settings\Temporary Internet Files\Content.IE5\AL4KWTW6\index[1].htm moved successfully.

C:\Documents and Settings\Sarah B\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat moved successfully.

C:\WINDOWS\temp\e0c2400c-c378-4cfd-82ca-dc9687848f1d.tmp moved successfully.

File C:\WINDOWS\temp\Perflib_Perfdata_118.dat not found!

Registry entries deleted on Reboot...

----------------------------------------------------------

HijackThis Log

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 18:25:44, on 13/06/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16850)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

C:\WINDOWS\eHome\ehRecvr.exe

C:\WINDOWS\eHome\ehSched.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

C:\PROGRA~1\AVG\AVG8\avgam.exe

C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

C:\PROGRA~1\AVG\AVG8\avgemc.exe

C:\PROGRA~1\AVG\AVG8\avgrsx.exe

C:\PROGRA~1\AVG\AVG8\avgnsx.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\AVG\AVG8\avgcsrvx.exe

C:\WINDOWS\system32\dllhost.exe

C:\WINDOWS\ehome\ehtray.exe

C:\WINDOWS\system32\igfxtray.exe

C:\WINDOWS\system32\hkcmd.exe

C:\WINDOWS\system32\igfxpers.exe

C:\WINDOWS\eHome\ehmsas.exe

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

C:\Program Files\Synaptics\SynTP\Toshiba.exe

C:\WINDOWS\RTHDCPL.EXE

C:\WINDOWS\AGRSMMSG.exe

C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

C:\Program Files\TOSHIBA\ConfigFree\NDSTray.exe

C:\Program Files\TOSHIBA\Tvs\TvsTray.exe

C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

C:\Program Files\TOSHIBA\TOSHIBA Controls\TFncKy.exe

C:\WINDOWS\System32\DLA\DLACTRLW.EXE

C:\WINDOWS\system32\TPSBattM.exe

C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

C:\Program Files\TOSHIBA\ConfigFree\CFSServ.exe

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

C:\PROGRA~1\AVG\AVG8\avgtray.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Messenger\msmsgs.exe

C:\WINDOWS\kdx\KHost.exe

C:\Program Files\Creative\Shared Files\CamTray.exe

C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll

O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll

O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL

O2 - BHO: Java Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll

O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe

O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [synTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe

O4 - HKLM\..\Run: [THotkey] C:\Program Files\Toshiba\Toshiba Applet\thotkey.exe

O4 - HKLM\..\Run: [TPSMain] TPSMain.exe

O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe

O4 - HKLM\..\Run: [Tvs] C:\Program Files\TOSHIBA\Tvs\TvsTray.exe

O4 - HKLM\..\Run: [smoothView] C:\Program Files\TOSHIBA\TOSHIBA Zooming Utility\SmoothView.exe

O4 - HKLM\..\Run: [TFncKy] TFncKy.exe

O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE

O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

O4 - HKLM\..\Run: [CFSServ.exe] CFSServ.exe -NoClient

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup

O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [TOSCDSPD] C:\Program Files\TOSHIBA\TOSCDSPD\toscdspd.exe

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background

O4 - HKCU\..\Run: [kdx] C:\WINDOWS\kdx\KHost.exe -all

O4 - HKCU\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CamTray.exe

O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1

O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')

O4 - Startup: Microsoft Office OneNote 2003 Quick Launch.lnk = C:\Program Files\Microsoft Office\OFFICE11\ONENOTEM.EXE

O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe

O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll

O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/26.34/uploader2.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe

O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe

O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe

O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe

O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: KService - Unknown owner - C:\Program Files\KService\KService.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\Toshiba\TOSHIBA Applet\TAPPSRV.exe

O23 - Service: X10 Device Network Service (x10nets) - X10 - C:\PROGRA~1\COMMON~1\X10\Common\x10nets.exe

--

End of file - 11738 bytes

-------------------------------------------------------

MBAM log:

Malwarebytes' Anti-Malware 1.37

Database version: 2249

Windows 5.1.2600 Service Pack 3

13/06/2009 18:21:05

mbam-log-2009-06-13 (18-20-58).txt

Scan type: Full Scan (C:\|E:\|)

Objects scanned: 163296

Time elapsed: 38 minute(s), 19 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 2

Folders Infected: 0

Files Infected: 12

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Qoobox\quarantine\C\WINDOWS\system32\UACbrqhweeccxhmlte.dll.vir (Trojan.TDSS) -> No action taken.

c:\Qoobox\quarantine\C\WINDOWS\system32\UACodvqvdktudehwhw.dll.vir (Trojan.TDSS) -> No action taken.

c:\Qoobox\quarantine\C\WINDOWS\system32\UACwesshtoblteebue.dll.vir (Trojan.TDSS) -> No action taken.

c:\Qoobox\quarantine\C\WINDOWS\system32\UACweymbiqmcjlqfew.dll.vir (Trojan.TDSS) -> No action taken.

c:\Qoobox\quarantine\C\WINDOWS\system32\UACxyqgmjnyomqxbvb.dll.vir (Trojan.TDSS) -> No action taken.

c:\Qoobox\quarantine\C\WINDOWS\system32\drivers\UACvjkymtkibmivedo.sys.vir (Trojan.TDSS) -> No action taken.

c:\system volume information\_restore{1283c4c2-5c9f-4160-b9a2-ac1bc36a6a58}\RP267\A0025177.sys (Trojan.TDSS) -> No action taken.

c:\system volume information\_restore{1283c4c2-5c9f-4160-b9a2-ac1bc36a6a58}\RP267\A0025178.dll (Trojan.TDSS) -> No action taken.

c:\system volume information\_restore{1283c4c2-5c9f-4160-b9a2-ac1bc36a6a58}\RP267\A0025179.dll (Trojan.TDSS) -> No action taken.

c:\system volume information\_restore{1283c4c2-5c9f-4160-b9a2-ac1bc36a6a58}\RP267\A0025180.dll (Trojan.TDSS) -> No action taken.

c:\system volume information\_restore{1283c4c2-5c9f-4160-b9a2-ac1bc36a6a58}\RP267\A0025181.dll (Trojan.TDSS) -> No action taken.

c:\system volume information\_restore{1283c4c2-5c9f-4160-b9a2-ac1bc36a6a58}\RP267\A0025182.dll (Trojan.TDSS) -> No action taken.

Laptop Behaviour: All normal. Internet working fine. Seems ok from the outside. But because MBAM and HijackThis are showing infections... I'm still worried. Is this because all threats/infections are in the quarantine files? So, with all this, what's the verdict??


But because MBAM and HijackThis are showing infections... I'm still worried. Is this because all threats/infections are in the quarantine files? So, with all this, what's the verdict??

The MBAM entries are in either the quarantine folder or System Restore, which we will get rid of when we uninstall ComboFix. The HijackThis log is clean.

The registry entries say that you have disabled the Security Center options for antivirus and Windows Updates.

Your log now appears to be clean. Congratulations!

You can get rid of the tools we used:

  • ATF cleaner - (You can just delete the exe file from your desktop)

  • Erunt - (You can uninstall it from Add/Remove Programs)

Delete ComboFix and Clean Up

Click Start > Run > type combofix /u > OK (Note the space between combofix and /u)


Please advise if this step is missed for any reason as it performs some important actions.

OTC

Download OTC by Old Timer and save it to your Desktop.

  • Double-click OTC.exe

  • Click the CleanUp! button

  • Select Yes when the Begin cleanup Process? Prompt appears

  • If you are prompted to Reboot during the cleanup, select Yes

  • The tool will delete itself once it finishes, if not delete it by yourself

Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.

General Security and Computer Health

Below are some steps to follow in order to dramatically lower the chances of reinfection. You may have already implemented some of the steps below, however you should follow any steps that you have not already implemented.

  • Make sure that you keep your antivirus updated

    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.

    NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

  • Security Updates for Windows, Internet Explorer & Microsoft Office

    Whenever a security problem in its software is found, Microsoft will usually create a patch so that after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC. Ensure you are registered for Windows updates via Start > right-click on My Computer > Properties > Automatic Updates tab or visit the Microsoft Update site on a regular basis.

    NOTE: The update process uses ActiveX, so you will need to use Internet Explorer for it and allow the ActiveX control to install.

  • Update Non-Microsoft Programs

    Microsoft isn't the only company whose products can contain security vulnerabilities. To check whether other programs running on your PC are in need of an update, you can use the Secunia Software Inspector or F-Secure Health Check. I suggest that you run one of them at least once a month.

  • Make Internet Explorer More Secure

    You are using Internet Explorer v. 7. Therefore please read and follow the recommendations at this SITE

Recommended Programs

I would recommend the download and installation of some or all of the following programs (if not already present), and the updating of them on a regular basis.

  • WinPatrol

    As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes a snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge. For more information, please visit HERE.

  • SpywareBlaster

    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing on your computer. If you don't know what ActiveX controls are, see HERE. You can download SpywareBlaster from HERE.

  • Hosts File

    For added protection you may also like to add a Hosts file. A simple explanation of what a Hosts file does is HERE, and for more information regarding Hosts files read HERE.

  • Use an alternative Internet Browser

    Many of the exploits are directed to users of Internet Explorer. Try using a different browser instead: Firefox or Opera

Here is a great article by miekiemoes How to prevent Malware.

Finally I am trying to make one point very clear. It is ABSOLUTELY ESSENTIAL to keep all of your security programs up to date.

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints. You need to be registered to post as, unfortunately, we were hit with too many spam posts to allow guest posting to continue. Just find your country room and register your complaint.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

Happy surfing and stay clean!

Bio-Hazard

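The triage the reply above describes, as an added example that is not code from the thread, from Malwarebytes or from the helper: it parses the "Files Infected" and "Registry Data Items Infected" sections of an MBAM log and sorts each file detection into a ComboFix quarantine copy, a System Restore point copy, or a live file that still needs attention. The two path rules (C:\Qoobox\quarantine with *.vir renames, and System Volume Information\_restore{...}) are assumptions about where those tools keep their copies; the sample log is a subset of the lines posted above, and the single "live" line is constructed to show the failing case.

```python
r"""Triage a Malwarebytes (MBAM) scan log: is anything still live?

Added example, not code from the forum thread or from Malwarebytes. Path rules
for ComboFix quarantine and Windows XP System Restore copies are assumptions.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# "<path or key> (<detection name>) -> <action>." in any "... Infected:" section
ITEM_LINE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
# "Registry Data Items" lines carry Bad/Good values before the action
REGDATA_LINE = re.compile(
    r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> Bad: \((?P<bad>[^)]*)\) "
    r"Good: \((?P<good>[^)]*)\) -> (?P<action>.+?)\.?$"
)


@dataclass
class Detection:
    section: str        # e.g. "Files Infected"
    item: str           # file path or registry key
    name: str           # MBAM detection name, e.g. "Trojan.TDSS"
    location: str       # QUARANTINE, RESTORE_POINT, LIVE or REGISTRY
    action: str         # e.g. "No action taken"
    bad_value: str = ""  # only set for Registry Data Items


def classify_path(path: str) -> str:
    """Assumed rules: ComboFix quarantine (*.vir under \Qoobox\quarantine) and
    System Restore copies are inert; anything else is a live file."""
    p = path.lower().replace("/", "\\")
    if "\\qoobox\\quarantine\\" in p or p.endswith(".vir"):
        return "QUARANTINE"
    if "\\system volume information\\_restore" in p:
        return "RESTORE_POINT"
    return "LIVE"


def parse_mbam_log(text: str) -> list[Detection]:
    section = None
    found: list[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):      # detail section header, not the count line
            section = line[:-1]
            continue
        if section is None or line.startswith("(No malicious"):
            continue
        m = REGDATA_LINE.match(line)        # must be tried before the generic pattern
        if m:
            found.append(Detection(section, m["item"], m["name"], "REGISTRY",
                                   m["action"], m["bad"]))
            continue
        m = ITEM_LINE.match(line)
        if m:
            loc = "REGISTRY" if section.startswith("Registry") else classify_path(m["item"])
            found.append(Detection(section, m["item"], m["name"], loc, m["action"]))
    return found


def summarize(detections: list[Detection]) -> dict[str, int]:
    return dict(Counter(d.location for d in detections))


def no_live_detections(detections: list[Detection]) -> bool:
    return not any(d.location == "LIVE" for d in detections)


def disabled_notifications(detections: list[Detection]) -> list[str]:
    """Security Center *DisableNotify values set to 1 silence the 'antivirus off /
    updates off' warnings; return the value names MBAM reported as set."""
    return [d.item.rsplit("\\", 1)[-1] for d in detections
            if d.name == "Disabled.SecurityCenter" and d.bad_value == "1"]


# Subset of the MBAM log posted above in this thread
SAMPLE_LOG = r"""
Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

c:\Qoobox\quarantine\C\WINDOWS\system32\UACbrqhweeccxhmlte.dll.vir (Trojan.TDSS) -> No action taken.

c:\system volume information\_restore{1283c4c2-5c9f-4160-b9a2-ac1bc36a6a58}\RP267\A0025177.sys (Trojan.TDSS) -> No action taken.
"""

# Constructed line (not from the thread) showing what a still-live detection looks like
LIVE_LOG = "Files Infected:\nC:\\WINDOWS\\system32\\example_live.dll (Trojan.Agent) -> No action taken."

if __name__ == "__main__":
    dets = parse_mbam_log(SAMPLE_LOG)
    print(summarize(dets), "no live files:", no_live_detections(dets))
    print("Security Center notifications disabled:", disabled_notifications(dets))
```

Feed it the full text of an mbam-log-*.txt; a verdict of "no live files" with only QUARANTINE and RESTORE_POINT entries matches the reply's reading of the log, while any LIVE entry is a path that still has to be dealt with before the machine can be called clean.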
