
Subject: Virus/Trojan Help: Red X Label on C

Original Message
Name: rmf39
Date: April 2, 2008 at 13:31:27 Pacific
Subject: Virus/Trojan Help: Red X Label on C
OS: Windows XP
CPU/Ram: Pentium 4 and 512 MB
Model/Manufacturer: Dell
Comment:
Hi, the virus/trojan on my computer seems to have similar symptoms to others on this forum.

I have the red "X" label on my C Drive and several hundred pos.tmp files.

To fix this problem, I ran Vundofix.exe, HijackThis, and ComboFix as suggested in other posts.

I have both the HijackThis and ComboFix logs saved if they are needed.

Please let me know the next steps! Thanks for all your help!



Response Number 1
Name: TheNerd
Date: April 2, 2008 at 14:37:32 Pacific
Subject: Virus/Trojan Help: Red X Label on C
Reply:
You might want to try http://housecall.trendmicro.com. I'm not sure which virus it is. You might want to post your logs too, just so we can have a look.

Tech Alpha Computer Forums



Response Number 2
Name: Adii
Date: April 3, 2008 at 03:22:11 Pacific
Subject: Virus/Trojan Help: Red X Label on C
Reply:
Download the "HijackThis" Installer from this link:

http://www.trendsecure.com/portal/e...


1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Post Hijackthis Log in your next reply.

*Do Safe Computing*



Response Number 3
Name: TheNerd
Date: April 3, 2008 at 05:57:21 Pacific
Subject: Virus/Trojan Help: Red X Label on C
Reply:
@Adii

He already said he ran HijackThis and has the logs.

Tech Alpha Computer Forums



Response Number 4
Name: Adii
Date: April 3, 2008 at 08:53:19 Pacific
Subject: Virus/Trojan Help: Red X Label on C
Reply:
Dear TheNerd,

Log results may change randomly, so I need a fresh HijackThis log at the time I require it, because a fresh HijackThis log may be different from the already saved log.

*Do Safe Computing*



Response Number 5
Name: rmf39
Date: April 3, 2008 at 22:51:37 Pacific
Subject: Virus/Trojan Help: Red X Label on C
Reply:
HIJACKTHIS LOG:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:58 PM, on 3/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device
Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
D:\PROGRA~1\TRENDM~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRA~1\TRENDM~1\Tmntsrv.exe
D:\PROGRA~1\TRENDM~1\TmPfw.exe
D:\PROGRA~1\TRENDM~1\tmproxy.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\vVX3000.exe
D:\Program Files\Trend Micro PC-cillin\pccguide.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Trend Micro PC-cillin\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
D:\PROGRA~1\TRENDM~1\PCCMAIN.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User1\My Documents\My Downloads\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?Lin...
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.optonline.net/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
http://go.microsoft.com/fwlink/?Lin...
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft
Internet Explorer
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no
file)
R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,
N3 - Netscape 7: user_pref("browser.startup.homepage",
"http://home.netscape.com/bookmark/7_1/home.html"); (C:\Documents and
Settings\USER1\Application Data\Mozilla\Profiles\default\34nlw33n.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine",
"engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_02.src");
(C:\Documents and Settings\USER1\Application
Data\Mozilla\Profiles\default\34nlw33n.slt\prefs.js)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0DEEC962-E958-4796-84E5-4168BC28EB86} - (no file)
O2 - BHO: Lexico Toolbar - {11359F4A-B191-42d7-905A-594F8CF0387B} -
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\lexbar.dll
O2 - BHO: (no name) - {19F56DD8-9D24-469B-80F8-32F43621E573} - (no file)
O2 - BHO: (no name) - {1B63B5CD-21B5-4347-B8EC-738A46C72355} - C:\Program
Files\Internet Explorer\conav777444.dll
O2 - BHO: (no name) - {20024841-EF95-46C0-B930-71C8DAA41CE4} - (no file)
O2 - BHO: (no name) - {36c46ed3-78ba-4c90-aaa6-e2ab7d2e0e9f} - (no file)
O2 - BHO: (no name) - {4032395E-3467-4AB2-BB8C-884C898FDA4F} - (no file)
O2 - BHO: (no name) - {6706B1F3-F2C8-4EF7-BF3B-0657F8C18304} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program
Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} -
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {934DA88A-5276-4A35-BCE9-2103BE0A9E33} - (no file)
O2 - BHO: (no name) - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} -
c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} -
C:\Program Files\Google\GoogleToolbarNotifier\2.0.1121.2472\swg.dll
O2 - BHO: (no name) - {BFAF14A8-834A-4B65-BD8C-3722C5ABBE8D} - (no file)
O2 - BHO: (no name) - {C8612878-AB0D-4F72-AF9E-F7A058226118} - (no file)
O2 - BHO: TChkBHO Class - {E8B9F80E-C8C1-4D52-A229-2F1F4F75084A} -
C:\WINDOWS\system32\agske.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} -
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\lexbar.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series]
"C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2F1.EXE" /P30 "EPSON Stylus Photo
R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album
Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program
Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software
Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [pccguide.exe] "D:\Program Files\Trend Micro PC-cillin\pccguide.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program
Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US
ee://aol/imApp
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe"
/background
O4 - HKCU\..\Run: [NoDNS] C:\Program Files\\NoDNS\\NoDNS.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program
Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [OE_OEM] "D:\Program Files\Trend Micro
PC-cillin\TMAS_OE\TMAS_OEMon.exe"
O4 - HKUS\S-1-5-19\..\Run: [CRACK] \WINDOWS\system32\config\crack.lnk (User 'LOCAL
SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CRACK] \WINDOWS\system32\config\crack.lnk (User 'NETWORK
SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CRACK] \WINDOWS\system32\config\crack.lnk (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CRACK] \WINDOWS\system32\config\crack.lnk (User 'Default
user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat
7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital
Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program
Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar
2.0\resources\en-US\local\search.html
O8 - Extra context menu item: >>> HARDCORE MOVIES <<< -
javascript:{document.location='http://neosexvideo.com/webmasters/df044/access.htm';}
O8 - Extra context menu item: E&xport to Microsoft Excel -
res://D:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - D:\Program
files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - D:\Program
files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console -
{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} - C:\Program
Files\PopUpBuster\popupbuster.exe (file missing)
O9 - Extra 'Tools' menuitem: Kill popup - {0A9F8624-4221-4508-9636-69ABD753695A} -
C:\Program Files\PopUpBuster\popupbuster.exe (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} -
C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program
Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} -
C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 -
{e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file
missing)
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} -
http://a1540.g.akamai.net/7/1540/52...
O16 - DPF: {470A6E01-15A3-49B3-B8B9-8EDF4AC1A480} -
http://sp.ask.com/docs/teoma/toolba...
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} -
http://dictionary.reference.com/too...
O18 - Filter: text/plain - {9EA3D557-CB5B-4643-B532-8F92861BAF57} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\System32\ctlllhb.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common
Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program
Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner -
C:\WINDOWS\system32\windows (file missing)
O23 - Service: Multimedia_Interface - Prism Microsystems, Inc. -
C:\WINDOWS\system32\mm\aysshell.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. -
D:\PROGRA~1\TRENDM~1\PcCtlCom.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. -
D:\PROGRA~1\TRENDM~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. -
D:\PROGRA~1\TRENDM~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. -
D:\PROGRA~1\TRENDM~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program
Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\dicowu.html

--
End of file - 11991 bytes



Response Number 6
Name: Adii
Date: April 4, 2008 at 02:10:34 Pacific
Subject: Virus/Trojan Help: Red X Label on C
Reply:
Please disable Trend Micro PC-cillin and other security-related software to avoid conflicts.

STEP: 1

Please run HijackThis again and click "Scan." Place checks next to the following entries:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: (no name) - _{4FC95EDD-4796-4966-9049-29649C80111D} - (no file)
R3 - URLSearchHook: (no name) - _{0428FFC7-1931-45b7-95CB-3CBB919777E1} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe,
O2 - BHO: (no name) - {0DEEC962-E958-4796-84E5-4168BC28EB86} - (no file)
O2 - BHO: (no name) - {19F56DD8-9D24-469B-80F8-32F43621E573} - (no file)
O2 - BHO: (no name) - {1B63B5CD-21B5-4347-B8EC-738A46C72355} - C:\Program Files\Internet Explorer\conav777444.dll
O2 - BHO: (no name) - {20024841-EF95-46C0-B930-71C8DAA41CE4} - (no file)
O2 - BHO: (no name) - {36c46ed3-78ba-4c90-aaa6-e2ab7d2e0e9f} - (no file)
O2 - BHO: (no name) - {4032395E-3467-4AB2-BB8C-884C898FDA4F} - (no file)
O2 - BHO: (no name) - {6706B1F3-F2C8-4EF7-BF3B-0657F8C18304} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {934DA88A-5276-4A35-BCE9-2103BE0A9E33} - (no file)
O2 - BHO: (no name) - {9A23B8A4-C6C9-4A68-8FA6-5F905DC8FF80} - (no file)
O2 - BHO: (no name) - {BFAF14A8-834A-4B65-BD8C-3722C5ABBE8D} - (no file)
O2 - BHO: (no name) - {C8612878-AB0D-4F72-AF9E-F7A058226118} - (no file)
O2 - BHO: TChkBHO Class - {E8B9F80E-C8C1-4D52-A229-2F1F4F75084A} - C:\WINDOWS\system32\agske.dll
O4 - HKCU\..\Run: [NoDNS] C:\Program Files\\NoDNS\\NoDNS.exe
O4 - HKUS\.DEFAULT\..\Run: [CRACK] \WINDOWS\system32\config\crack.lnk (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: >>> HARDCORE MOVIES <<< - javascript:{document.location='http://neosexvideo.com/webmasters/df044/access.htm';}
O18 - Filter: text/plain - {9EA3D557-CB5B-4643-B532-8F92861BAF57} - (no file)
O20 - AppInit_DLLs: C:\WINDOWS\System32\ctlllhb.dll
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\dicowu.html


Close all browsers and other windows except for HijackThis, and click "Fix checked".


STEP: 2

Show all hidden files and folders to remove the following files:

Remove these files:
C:\WINDOWS\system32\agske.dll
C:\WINDOWS\System32\ctlllhb.dll
C:\WINDOWS\system32\config\crack.lnk
C:\Program Files\Common Files\dicowu.html
C:\Program Files\Internet Explorer\conav777444.dll


STEP: 3

Please run Notepad and copy the following text between dotted lines into a new file:

------------------
sc config MSControlService start= disabled
sc stop MSControlService
sc delete MSControlService
------------------

Save the file to the desktop as remove.bat and make sure the "Save as type" field says "All files". Locate remove.bat on the Desktop and double-click on it to run it. Please note any errors encountered.
Restart the computer normally to complete the fix.

THEN:


Download Combofix by sUBs and save to your desktop.

(If you have previously downloaded ComboFix, please delete that version now.)


Download link here:
http://download.bleepingcomputer.co...
http://www.forospyware.com/sUBs/Com...

Note
It is important that it is saved directly to your desktop

Close any open browsers.

Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.

Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.
Note
In case your antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log.

*Do Safe Computing*
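
Most of the entries selected in Response 6 end in "(no file)" or "(file missing)", which is hard to see in the posted log because long entries are wrapped over several lines. As an added example (not code from the thread or from HijackThis), this Python script rejoins the wrapped entries and flags a few patterns for manual review; the sample text is constructed from lines of the log above, and the three heuristics are assumptions for illustration that mark entries to look at, not entries to delete.

```python
import re

# A HijackThis entry starts with a section code: "R3 - ", "O4 - ", "O23 - " ...
ENTRY_START = re.compile(r"^(?:R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - ")

# Constructed sample: six entries copied from the log in this thread,
# hard-wrapped the same way they appear in the post.
SAMPLE_LOG = r"""
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no
file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O9 - Extra 'Tools' menuitem: Windows Messenger -
{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file
missing)
O20 - AppInit_DLLs: C:\WINDOWS\System32\ctlllhb.dll
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner -
C:\WINDOWS\system32\windows (file missing)
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. -
D:\PROGRA~1\TRENDM~1\PcCtlCom.exe
--
End of file
"""


def join_wrapped(text):
    """Rebuild one string per entry from hard-wrapped log text."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "--":              # footer marker: nothing after it is an entry
            break
        if ENTRY_START.match(line):
            entries.append(line)
        elif line and entries:        # continuation of the previous entry
            entries[-1] += " " + line
    return entries


def triage(entry):
    """Return (section code, reasons to look closer). Heuristics are assumptions."""
    code = entry.split(" - ", 1)[0]
    reasons = []
    if entry.endswith(("(no file)", "(file missing)")):
        reasons.append("registry entry points at a file that is not on disk")
    if code == "O20" and "AppInit_DLLs:" in entry:
        reasons.append("DLL loaded into every process that loads user32.dll")
    if code == "O23" and "- Unknown owner -" in entry:
        reasons.append("service binary carries no company name")
    return code, reasons


def flagged(text):
    """Entries worth a manual look, in log order."""
    hits = []
    for entry in join_wrapped(text):
        code, reasons = triage(entry)
        if reasons:
            hits.append((code, entry, reasons))
    return hits


if __name__ == "__main__":
    for code, entry, reasons in flagged(SAMPLE_LOG):
        print(f"{entry}\n    -> " + "; ".join(reasons))
```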


All content ©1996-2007 Computing.Net, LLC