Expert: Brian Benosky - 3/13/2008

Question
QUESTION: My AVG has been disabled, when running a free scan through Norton I am getting a virus showing as Trojan.Virantix.B. I have seen a previous entry on your web site for this. I have run the Hijack this as described on the website, here are the results.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:10:52, on 12/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Watford FC - DNA\app.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Norton Security Scan\Nss.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Logitech\Video\AlbumDB2.exe
C:\Program Files\AllExperts\AllExperts.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://format.packardbell.com/cgi-bin/redirect/?country=UK&range=AD&phase=6&key=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} - (no file)
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] ~"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [Watford FC - Desktop News Alerts] C:\Program Files\Watford FC - DNA\launch.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digimax Viewer 2.0.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {15AC034D-14DF-4AF8-9D02-29E1F56A8235} (Virgin Digital MusicNet Class) - http://www.virgindigital.co.uk/activeX/VirginWMA.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muwe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (Tiscali Music Downloads) - http://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{77AC4A21-B184-4839-A1E3-58DF08DC78AE}: NameServer = 212.74.112.66,212.74.112.67
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 9727 bytes

Hope you can help me out here.

Thanks
Neil


ANSWER: Hi Neil

Not only has AVG been disabled, but it has been completely removed from startup.  Follow these instructions below:

Please turn off System Restore:
1. Click Start, right-click My Computer, and then click Properties.
2. In the System Properties dialog box, click the System Restore tab.
3. Click to select the Turn off System Restore check box. Or, click to select the Turn off System Restore on all drives check box.
4. Click OK.
5. When you receive the following message, click Yes to confirm that you want to turn off System Restore:
You have chosen to turn off System Restore. If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?
After a few moments, the System Properties dialog box closes.

Please follow the instructions below to run ComboFix:

1. Download this file to your desktop - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you.
Note:  Do not mouseclick combofix's window while it is running. That may cause it to stall.

Next, please download and run Dr.Web CureIt! from this link:
ftp://ftp.drweb.com/pub/drweb/cureit/cureit.exe
Run a complete system scan with Dr.Web, then post me the results, along with the ComboFix log and a new HijackThis log.

Brian

---------- FOLLOW-UP ----------

QUESTION: Please see scan logs below

Dr Web results:-

00777703.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.452;Deleted.;
02670125.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.452;Deleted.;
02691343.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.452;Deleted.;
02700593.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.452;Deleted.;
02706062.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.452;Deleted.;
02725140.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.452;Deleted.;
02923109.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.452;Deleted.;
02968281.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.452;Deleted.;
02968328.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.452;Deleted.;
02968390.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.452;Deleted.;
02968437.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.452;Deleted.;
02968500.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.452;Deleted.;
02968531.FIL;C:\$VAULT$.AVG;Trojan.Fakealert.452;Deleted.;
POSTOOBE.NEC;C:\DRIVERS;VBS.Generic.278;Deleted.;
users32.dat.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Click.5043;Deleted.;
winivstr.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Fakealert.452;Deleted.;

ComboFix results:-

ComboFix 08-03-10.1 - Richard 2008-03-13 12:59:41.1 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.522 [GMT 0:00]
Running from: C:\Documents and Settings\Richard\Local Settings\Temporary Internet Files\Content.IE5\2QPY8O3M\ComboFix[1].exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Richard\Application Data\PrivacyProtector Free
C:\Documents and Settings\Richard\Application Data\PrivacyProtector Free\Logs\update.log
C:\Documents and Settings\Richard\Application Data\ultra
C:\Documents and Settings\Richard\Application Data\ultra\uninstall.bat
C:\Documents and Settings\Richard\err.log
C:\WINDOWS\inf\ultra.inf
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\drivers\inetx26.img
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\winivstr.exe

.
(((((((((((((((((((((((((   Files Created from 2008-02-13 to 2008-03-13  )))))))))))))))))))))))))))))))
.

2008-03-13 11:38 . 2008-03-13 11:39   <DIR>   d--------   C:\Documents and Settings\John\Application Data\AVG7
2008-03-12 16:09 . 2007-01-18 12:00   3,968   --a------   C:\WINDOWS\system32\drivers\AvgArCln.sys
2008-03-12 16:00 . 2008-03-12 16:05   <DIR>   d--------   C:\Documents and Settings\Richard\Application Data\AVG7
2008-03-12 16:00 . 2008-03-12 16:00   <DIR>   d--------   C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-12 15:42 . 2008-03-12 15:42   <DIR>   d--------   C:\Documents and Settings\Richard\Application Data\Grisoft
2008-03-12 15:42 . 2008-03-12 15:59   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-12 15:42 . 2007-05-30 12:10   10,872   --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-12 13:05 . 2008-03-12 13:10   <DIR>   d--------   C:\Program Files\AllExperts
2008-03-12 13:04 . 2008-03-13 11:44   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Avg7
2008-03-12 11:53 . 2007-07-30 19:19   271,224   --a------   C:\WINDOWS\system32\mucltui.dll
2008-03-12 11:53 . 2007-07-30 19:19   30,072   --a------   C:\WINDOWS\system32\mucltui.dll.mui
2008-03-11 12:54 . 2008-03-11 14:07   <DIR>   d--------   C:\Program Files\Windows Live Safety Center
2008-03-10 13:03 . 2008-03-10 13:13   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-10 12:52 . 2008-03-10 12:52   <DIR>   d--------   C:\WINDOWS\Search And Destroy
2008-03-10 12:46 . 2008-03-10 12:46   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\ParetoLogic Anti-Spyware
2008-03-10 12:08 . 2008-03-10 12:08   <DIR>   d--------   C:\Program Files\Enigma Software Group
2008-03-09 17:41 . 2008-03-09 17:48   <DIR>   d--------   C:\Program Files\RegCure
2008-03-09 07:20 . 2008-03-09 17:31   3,145,782   --ah-----   C:\WINDOWS\system32\toyhide.bmp
2008-03-08 15:46 . 2008-03-08 15:46   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\WhiteCap (Holiday Edition)
2008-02-26 20:12 . 2008-03-12 16:33   54,156   --ah-----   C:\WINDOWS\QTFont.qfn
2008-02-26 20:12 . 2008-03-12 12:47   1,409   --a------   C:\WINDOWS\QTFont.for
2008-02-26 20:11 . 2008-03-13 11:05   <DIR>   d--------   C:\Program Files\iTunes
2008-02-26 20:10 . 2008-02-26 20:10   <DIR>   d--------   C:\Program Files\Bonjour
2008-02-26 20:09 . 2008-02-26 20:09   <DIR>   d--------   C:\Program Files\Common Files\Apple
2008-02-26 20:09 . 2008-02-26 20:09   <DIR>   d--------   C:\Program Files\Apple Software Update
2008-02-26 20:09 . 2008-02-26 20:09   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Apple
2008-02-25 18:53 . 2008-02-25 18:53   <DIR>   d--------   C:\Program Files\uTorrent
2008-02-25 18:53 . 2008-03-12 23:16   <DIR>   d--------   C:\Documents and Settings\Richard\Application Data\uTorrent
2008-02-24 10:14 . 2008-03-12 18:00   <DIR>   d--------   C:\Program Files\Norton Security Scan

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-13 13:01   ---------   d-----w   C:\Documents and Settings\Richard\Application Data\Skype
2008-03-13 12:47   ---------   d-----w   C:\Program Files\Common Files\Symantec Shared
2008-03-13 11:54   ---------   d-----w   C:\Program Files\MSN Messenger
2008-03-13 11:39   ---------   d-----w   C:\Program Files\Watford FC - DNA
2008-03-10 20:33   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Google Updater
2008-03-09 08:52   ---------   d-----w   C:\Program Files\QuickTime
2008-03-07 17:03   ---------   d-----w   C:\Program Files\Google
2008-02-26 20:11   ---------   d-----w   C:\Program Files\iPod
2008-02-26 20:09   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-26 18:03   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
2008-02-18 11:45   ---------   d-----w   C:\Program Files\Common Files\Adobe
2008-02-10 21:17   ---------   d---a-w   C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-05 10:44   ---------   d-----w   C:\Documents and Settings\All Users\Application Data\Kontiki
2008-01-20 23:03   ---------   d-----w   C:\Program Files\Windows Media Connect 2
2008-01-11 05:53   44,544   ----a-w   C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-19 23:01   347,136   ----a-w   C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 09:51   179,584   ------w   C:\WINDOWS\system32\dllcache\mrxdav.sys
2005-01-07 15:20   278,528   ----a-w   C:\Program Files\internet explorer\plugins\PanoViewer.dll
2005-01-07 15:20   143,360   ----a-w   C:\Program Files\internet explorer\plugins\UPjpeg.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-09-13 12:31 22880040]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"braviax"="C:\WINDOWS\system32\braviax.exe" [ ]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 13:00 208952]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00 455168]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 13:00 455168]
"SoundMan"="SOUNDMAN.EXE" [2005-05-17 17:48 77824 C:\WINDOWS\SOUNDMAN.EXE]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2005-05-20 14:46 28160 C:\WINDOWS\KHALMNPR.Exe]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-08 14:03 29744]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"braviax"="C:\WINDOWS\system32\braviax.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-12 16:00 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 13:00 53760 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digimax Viewer 2.0.lnk - C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe [2006-04-16 15:44:31 626688]
Exif Launcher.lnk - C:\Program Files\FinePixViewer\QuickDCF.exe [2005-12-18 12:09:36 200704]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-10-02 18:45:20 126136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders   msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, xlibgfl254.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Documents and Settings\\Richard\\Local Settings\\Temp\\ImInstaller\\IncrediMail\\incredimail_install[1].exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\apps\\skype\\phone\\Skype.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

S3 GoogleDesktopManager-093007-112848;Google Desktop Manager 5.5.709.30344;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-03-08 14:03]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-04 16:49:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-12 18:21:54 C:\WINDOWS\Tasks\Norton Security Scan.job"
- C:\Program Files\Norton Security Scan\Nss.exe
"2008-03-11 18:00:00 C:\WINDOWS\Tasks\Pareto UNS.job"
- C:\Program Files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe
"2008-03-13 12:48:35 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-03-09 17:41:50 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-13 13:01:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-13 13:02:42
ComboFix-quarantined-files.txt  2008-03-13 13:02:33
.
2008-03-12 15:28:05   --- E O F ---  

HijackThis results:-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:47 PM, on 13/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\APPS\HIDSERVICE\HIDSERVICE.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Samsung\Digimax Viewer 2.0\STImgBrowser.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Richard\Local Settings\Temporary Internet Files\Content.IE5\WDLV6XG9\cureit[1].exe
C:\DOCUME~1\Richard\LOCALS~1\Temp\RarSFX0\_start.exe
C:\DOCUME~1\Richard\LOCALS~1\Temp\RarSFX0\setup.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\AllExperts\AllExperts.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Digimax Viewer 2.0.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {15AC034D-14DF-4AF8-9D02-29E1F56A8235} (Virgin Digital MusicNet Class) - http://www.virgindigital.co.uk/activeX/VirginWMA.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {6218F7B5-0D3A-48BA-AE4C-49DCFA63D400} (CSEQueryObject Object) - http://www.myheritage.com/Genoogle/Components/ActiveX/SearchEngineQuery.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muwe
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {C45B1500-7B63-47C2-AB25-C28CB46AFDEE} (Tiscali Music Downloads) - http://sib1.od2.com/common/musicmanager/installation/MusicManagerPlugin.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{77AC4A21-B184-4839-A1E3-58DF08DC78AE}: NameServer = 212.74.112.66,212.74.112.67
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Generic Service for HID Keyboard Input Collections (GenericHidService) - Unknown owner - c:\APPS\HIDSERVICE\HIDSERVICE.exe
O23 - Service: Google Desktop Manager 5.5.709.30344 (GoogleDesktopManager-093007-112848) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe

--
End of file - 10150 bytes

Thanks, Please can you confirm next steps.


Answer
Hi Neil

Please run HJT (scan only) and place a check next to the following items, then click the Fix Checked button:

O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
  O4 - HKLM\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe
  O4 - HKCU\..\Run: [braviax] C:\WINDOWS\system32\braviax.exe

Close HJT, then download the program KillBox to your desktop:
http://killbox.net/downloads/KillBox.exe
Run KillBox.  In the box paste the following:
C:\WINDOWS\system32\braviax.exe
Then click the red circle with the X in it.

When finished, reboot and post me a fresh HJT log and let me know how the computer is running.

Brian