Author Topic: Pc wont work without virus [RESOLVED]  (Read 2100 times)
richenstony
« on: May 31, 2007, 09:50:27 PM »

I installed a few new virus programs for my PC. They are good, but the problem is, SUPERAntiSpyware picked up a *censored* of a lot, about 70-odd viruses, and when I clicked Next to reboot I was left with only one option, and that was Safe Mode with Networking or Safe Mode. When I pressed Enter to start Windows normally it wouldn't sign on; it just kept going back to the Safe Mode option.

So I moved up to Safe Mode with Networking. It started in Safe Mode, and I was asked whether I wanted to start a System Restore, so I did. The PC restarted and System Restore failed, but my PC bumped out of Safe Mode and started normally... I was just wondering if there is anything I can do for safe measure to be sure everything is working OK on my computer, because I didn't like the look of it only starting in Safe Mode. I'm lucky I did anything, because I was clueless. Any ideas I will be most thankful for.  :)


PS: I haven't been online in a while; I have been on holiday :)
« Last Edit: June 02, 2007, 06:32:00 PM by CBMatt »
GX1_Man
Moderator
« Reply #1 on: June 01, 2007, 04:00:33 AM »

As per your previous posts, you have been infected for some time. You said you did not use P2P any more, but where are you going that you get all of this, and what kind of protection are you using? Because it isn't working.

Do you have a real Windows CD to just reinstall fresh and start all over?
CBMatt
Mod & Malware Specialist
« Reply #2 on: June 01, 2007, 04:05:17 AM »

Hey there, Tony, long time no see.  I hope your time away was well-spent.

Are your scanners still picking up viruses?  I'm somewhat interested in a HijackThis log, just out of curiosity.

And perhaps you should download ComboFix and save it to your desktop.  Run the program and read its disclaimer (it's fairly short) and make sure you really pay attention to what it says.  Follow the prompts and when finished, it will produce a log at C:\ComboFix.txt.  Go ahead and post that here.  Note: Don't click on the window while it's running; this may cause stalls.

Also, go to Start > Run and in the dialog box, copy/paste the following...
Quote
regedit /e c:\safeboot.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot"
This will create a safeboot.txt in C:\.  Copy the contents and paste them here.  All of this stuff will probably take you a few posts, but it could be helpful.

Quote
An undefined problem has an infinite number of solutions.
- Robert A. Humphrey

Actually, the name's Chris...
richenstony
« Reply #3 on: June 01, 2007, 08:25:10 AM »

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Documents and Settings\All Users\Application Data\tezchiby.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\My Documents\Program files\VundoFix.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\Program files\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.icq.com/start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [tezchiby.exe] C:\Documents and Settings\All Users\Application Data\tezchiby.exe
O4 - HKLM\..\Run: [RestartNeroSetup] "C:\DOCUME~1\Owner\LOCALS~1\Temp\NER21.tmp\Setupx.exe"
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu1000272.exe 61A847B5BBF72813329B385475FB01F0B3E35B6 638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\bcusivjl.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Tbsa] "C:\DOCUME~1\Owner\APPLIC~1\FNTS~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Zmzf] "C:\Documents and Settings\Owner\My Documents\s?stem\??oolsv.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {F84E0B64-1E86-4640-8094-5B38CEB28C1E} (SkyFex Client Object) - https://skyfex.com/download/SkyFexClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B80BF6E-4C18-457B-89FD-3FF1D5092F16}: NameServer = 212.139.132.21 212.139.132.20
O20 - AppInit_DLLs: MsgPlusLoader.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

CBMatt
Mod & Malware Specialist
« Reply #4 on: June 01, 2007, 10:25:56 AM »

Sheesh, Tony, it's like you went searching for infections!  Your computer is loaded.  And according to Spyware Alerts from Cyber Defender, you have an infection that was just discovered yesterday!  Perhaps you shouldn't have an internet connection.  Ha.

You have no O2 entries (you should at least have them for Java and Adobe), so this is a strong sign of a newer Vundo infection.  I'd like for you to rename HijackThis.exe to richenstony.exe.


1. Download VundoFix and save it to your desktop.
2. Run VundoFix and click on Scan For Vundo.
3. Once it's done scanning, click on Remove Vundo.
4. When it prompts you to remove the files, click on Yes.
5. Your desktop will go blank as it's removing files.  Don't worry, this is normal.
6. It will prompt you to restart your computer, so click OK.
7. When your computer is turned back on, your problem should be gone.
8. The program normally produces a Vundofix.txt file.  Please locate this file and paste the contents in your next post.

And then, just to be thorough...
1. Download VirtumundoBeGone and save it to your desktop.
2. Reboot into Safe Mode.
3. Once you are in Safe Mode, run VirtumundoBeGone and follow the instructions.
4. Exit when it has finished and reboot back into normal mode.  Vundo should now be removed from your computer.


Also...
You have a PurityScan infection.  Copy everything inside the quote box below (starting with dir) and paste it into Notepad.  Go up to File > Save As... and click the drop-down box to change the "Save As Type" to "All Files".  Save it as findfile.bat on your Desktop.

Quote
dir "C:\Documents and Settings\Owner\My Documents\s?stem\" /a h > files.txt
notepad files.txt

Locate findfile.bat on your Desktop and double-click on it.  It will open Notepad with some text in it.  Please post the contents of that Notepad file here along with a new HijackThis log.


When you post your next log, post everything, including the header.  Even if it takes more than one post.  Also...I remember suggesting quite a few programs to you, but I don't see any of them active.  You need to keep one of your anti-virus programs active to help reduce infection.  And I also don't see any evidence of a firewall on your computer.  Is this true?
richenstony
« Reply #5 on: June 01, 2007, 05:51:32 PM »

Nope, Windows Firewall is 100% on... I think I know how I got the virus: it was from a crack I downloaded off a site. It ran in DOS mode, so yeah, lol. I've been infected like this before.... It's not good. I scanned with VundoFix last night; it picked up 1 trace of Vundo. I also can't rename HijackThis for some reason (odd). I'm a bit worried because my PC also picked up 4 trojan dialers. I still have all the anti-virus programs from our last talk; I don't keep them running due to my system running so slow, but I will keep SUPERAntiSpyware going from now on as I use that more than any other... I'm doing a 2nd Vundo search on my PC for safe measure, as I was running another virus program last night too, so it might have missed something. And yes, I shouldn't be allowed access to the internet; it's a bane on me and society, haha


2nd search came back clear of Vundo!! That's a good thing!!





Here's what VGB said:
[06/02/2007, 1:00:32] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Owner\Favorites\Desktop\VirtumundoBeGone.exe" )
[06/02/2007, 1:00:41] - Detected System Information:
[06/02/2007, 1:00:41] -  Windows Version: 5.1.2600, Service Pack 2
[06/02/2007, 1:00:41] -  Current Username: Owner (Admin)
[06/02/2007, 1:00:41] -  Windows is in NORMAL mode.
[06/02/2007, 1:00:41] - Searching for Browser Helper Objects:
[06/02/2007, 1:00:41] -  BHO 1: {BEDF30ED-41B2-4CDC-875A-ED063C81AF7B} ()
[06/02/2007, 1:00:41] - WARNING: BHO has no default name. Checking for Winlogon reference.
[06/02/2007, 1:00:41] -  No filename found. Continuing.
[06/02/2007, 1:00:41] - Finished Searching Browser Helper Objects
[06/02/2007, 1:00:41] - Finishing up...
[06/02/2007, 1:00:41] - Nothing found! Exiting...



I'm off to follow the rest of your instructions. Cheers for the help, Chris, most thankful :)
« Last Edit: June 01, 2007, 06:01:58 PM by richenstony »
Dark Blade
Forum Gaming Master
« Reply #6 on: June 01, 2007, 06:02:34 PM »

Quote
it was from a crack i downloaded of a site

Maybe you shouldn't download cracks anymore...  ::)
patio
Moderator
« Reply #7 on: June 01, 2007, 08:53:40 PM »

Try re-installing the virus...

Re-boot and see if things are back to normal.
richenstony
« Reply #8 on: June 02, 2007, 01:00:13 PM »

All sorted, guys, thanks for the help. I'm using a few new programs to help tackle my virus habits; it's like I click on a big sign every 5 mins WITH VIRUS WROTE ALL OVER it...... but hey, I'm learning. In a way I'm getting to learn a little bit more about my computer along the way.... which is 1 of 5 reasons why I thought this site was good. Every last one of you that's replied to my posts so far has been most understanding about all my issues on my PC, and that's great. I have found a computer community willing to help others in need. Most throw you to the wolves!!

Thanks again guys !!

I'm gonna try and help others with their problems along the way too.
richenstony
« Reply #9 on: June 02, 2007, 01:13:53 PM »

Here's a 2nd HijackThis log. I've done everything you have asked.... I did a load of virus checks with all sorts of programs and I now use a better firewall... here's the log:


C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Documents and Settings\Owner\My Documents\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.icq.com/start
O2 - BHO: (no name) - {BEDF30ED-41B2-4CDC-875A-ED063C81AF7B} - (no file)
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe -s
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKCU\..\Policies\Explorer\Run: [{5464910E-0701-1033-0730-02041222002c}] "C:\Program Files\Common Files\{5464910E-0701-1033-0730-02041222002c}\Update.exe" mc-110-12-0000627
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{5464910E-0701-1033-0730-02041222002c}] "C:\Program Files\Common Files\{5464910E-0701-1033-0730-02041222002c}\Update.exe" mc-110-12-0000627 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{5464910E-0701-1033-0730-02041222002c}] "C:\Program Files\Common Files\{5464910E-0701-1033-0730-02041222002c}\Update.exe" mc-110-12-0000627 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {F84E0B64-1E86-4640-8094-5B38CEB28C1E} (SkyFex Client Object) - https://skyfex.com/download/SkyFexClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B80BF6E-4C18-457B-89FD-3FF1D5092F16}: NameServer = 212.139.132.7 212.139.132.6
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 5453 bytes
CBMatt
Mod & Malware Specialist
« Reply #10 on: June 02, 2007, 01:47:05 PM »

You're still leaving out the header, Tony.  The whole log is important.


Your log is definitely a bit cleaner, but there are still a few things you need to get rid of...


Once we start, you won't have access to this post anymore, so I recommend that you print out this post or save it to a Notepad file.  Open HijackThis and scan again.  Check the following entries, but don't do anything to them yet...

O2 - BHO: (no name) - {BEDF30ED-41B2-4CDC-875A-ED063C81AF7B} - (no file)

O4 - HKLM\..\Run: [SManager] smanager.7.exe

O4 - HKCU\..\Policies\Explorer\Run: [{5464910E-0701-1033-0730-02041222002c}] "C:\Program Files\Common Files\{5464910E-0701-1033-0730-02041222002c}\Update.exe" mc-110-12-0000627

O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{5464910E-0701-1033-0730-02041222002c}] "C:\Program Files\Common Files\{5464910E-0701-1033-0730-02041222002c}\Update.exe" mc-110-12-0000627 (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{5464910E-0701-1033-0730-02041222002c}] "C:\Program Files\Common Files\{5464910E-0701-1033-0730-02041222002c}\Update.exe" mc-110-12-0000627 (User 'Default user')

O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)


Now, close all windows (including this one) besides HijackThis, then click Fix Checked.  Close HijackThis and reboot into Safe Mode and enable hidden files and folders.

Navigate to and delete the following folder(s) if present...

C:\Program Files\Common Files\{5464910E-0701-1033-0730-02041222002c}

Navigate to and delete the following file(s) if present...

C:\WINDOWS\system32\msasvc.exe
smanager.7.exe
  (Perform a system-wide search for this and delete it if found.)
winemx32.dll  (Perform a system-wide search for this and delete it if found.)

Once you've done all of this, reboot into Normal Mode and post a new HijackThis log so we can see if there's any other junk we need to clean up.  Let me know how everything's running now and if you had any problems following my steps.
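The checks CBMatt applies by eye in replies #4 and #10 (no O2 entries at all, "(file missing)" services and Winlogon Notify DLLs, autostarts under user-writable folders, the "s?stem" folder whose name HijackThis cannot print, a bare filename resolved through PATH, the Policies\Explorer\Run key) and the O17 NameServer question from reply #14, written up as an added triage script. This is not code from the thread or from HijackThis; the sample entries are quoted from the logs posted in replies #3 and #9, and the rule names and the list of user-writable locations are my own choices.

```python
import re
from collections import defaultdict

# Entry lines quoted from the HijackThis logs posted in this thread (replies #3
# and #9); the header and "Running processes" section are left out because the
# checks below only look at the R/O entries. The "?" characters in the Zmzf
# path are exactly what HijackThis printed for the PurityScan folder name.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [tezchiby.exe] C:\Documents and Settings\All Users\Application Data\tezchiby.exe
O4 - HKLM\..\Run: [RestartNeroSetup] "C:\DOCUME~1\Owner\LOCALS~1\Temp\NER21.tmp\Setupx.exe"
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\bcusivjl.dll",realset
O4 - HKCU\..\Run: [Tbsa] "C:\DOCUME~1\Owner\APPLIC~1\FNTS~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Zmzf] "C:\Documents and Settings\Owner\My Documents\s?stem\??oolsv.exe"
O4 - HKCU\..\Policies\Explorer\Run: [{5464910E-0701-1033-0730-02041222002c}] "C:\Program Files\Common Files\{5464910E-0701-1033-0730-02041222002c}\Update.exe" mc-110-12-0000627
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B80BF6E-4C18-457B-89FD-3FF1D5092F16}: NameServer = 212.139.132.21 212.139.132.20
O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")

# Autostart targets under user-writable paths deserve a second look: software
# that was installed normally lives under Program Files or the Windows directory.
# (This list is my own, not a HijackThis rule.)
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\applic~1\\",
                 "\\locals~1\\", "\\my documents\\")


def parse_entries(log_text):
    """Return (code, body) for every HijackThis entry line, skipping the rest."""
    out = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def o4_command(body):
    """Pull the command out of an O4 body such as 'HKLM\\..\\Run: [Name] "C:\\x.exe" args'."""
    return body.partition("] ")[2].strip()


def triage(log_text):
    """Map heuristic names to the entries that tripped them; every hit needs human review."""
    findings = defaultdict(list)
    entries = parse_entries(log_text)
    if not any(code == "O2" for code, _ in entries):
        # Reply #4's observation: a log with no BHOs at all (not even Java's or
        # Adobe's) suggests the O2 enumeration is being interfered with.
        findings["no_o2_entries"].append("no O2 (BHO) entries present")
    for code, body in entries:
        line = f"{code} - {body}"
        if "(file missing)" in body or "(no file)" in body:
            # A registered service or Winlogon Notify DLL whose file is gone:
            # an orphaned registration, typically left by a partial removal.
            findings["missing_file"].append(line)
        if code == "O4":
            cmd = o4_command(body)
            first = cmd.split()[0].strip('"') if cmd else ""
            if "?" in cmd:
                # HijackThis prints characters it cannot render as "?", so a
                # folder name like "s?stem" hides a look-alike character.
                findings["unprintable_path_char"].append(line)
            if any(loc in cmd.lower() for loc in USER_WRITABLE):
                findings["user_writable_autostart"].append(line)
            if first.lower() == "rundll32.exe":
                # The DLL named in the argument is what actually runs.
                findings["rundll32_loader"].append(line)
            elif first and "\\" not in first:
                # Bare filename: resolved through PATH at logon, no install path at all.
                findings["bare_filename_autostart"].append(line)
            if "policies\\explorer\\run" in body.lower():
                findings["policy_run_key"].append(line)
        if code == "O17":
            # DNS servers to confirm against the ISP's, as reply #14 asks.
            findings["nameserver_override"].append(line)
    return dict(findings)


if __name__ == "__main__":
    for rule, hits in triage(SAMPLE_LOG).items():
        print(f"[{rule}]")
        for hit in hits:
            print("   ", hit)
```

Run as a script it prints the entries grouped by rule; the ATICCC and Ati HotKey Poller lines, which live under Program Files and system32, trip nothing, while every entry CBMatt singled out lands in at least one group. A hit is a prompt to look, not a verdict: the RestartNeroSetup entry, for instance, is flagged only because it launches from a Temp folder.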
richenstony
« Reply #11 on: June 02, 2007, 02:24:56 PM »

None of the files I was asked to delete were there; here's the full log in Safe Mode.


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:12:20, on 02/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\My Documents\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {F84E0B64-1E86-4640-8094-5B38CEB28C1E} (SkyFex Client Object) - https://skyfex.com/download/SkyFexClient.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 3205 bytes
CBMatt
Mod & Malware Specialist
« Reply #12 on: June 02, 2007, 02:35:58 PM »

Can you go ahead and give me another log, but from Normal Mode?  Sorry, I should've specified this earlier.  Malware is often inactive in Safe Mode, so a log can't be entirely accurate when run in Safe Mode.
richenstony
« Reply #13 on: June 02, 2007, 02:40:15 PM »

np  :)

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:39:51, on 02/06/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Owner\My Documents\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.icq.com/start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O16 - DPF: {F84E0B64-1E86-4640-8094-5B38CEB28C1E} (SkyFex Client Object) - https://skyfex.com/download/SkyFexClient.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B80BF6E-4C18-457B-89FD-3FF1D5092F16}: NameServer = 212.139.132.21 212.139.132.20
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 4267 bytes
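Reply #12 makes the point that a Safe Mode log is incomplete because much of what autostarts (and malware in particular) is not loaded there. As an added example, not code from the thread or from HijackThis, this script compares a Safe Mode log with a Normal Mode log and reports which entries appear only in Normal Mode, which only in Safe Mode, and which changed value. The two logs are subsets of the entries posted in replies #11 and #13; the keying rule (R entries matched by value name so a changed Start Page is reported as changed rather than as two unrelated lines) is my own.

```python
import re

# Entry lines quoted from the two HijackThis logs posted in this thread:
# reply #11 (Boot mode: Safe mode) and reply #13 (Boot mode: Normal). Both are
# trimmed to a representative subset; headers and process lists are omitted.
SAFE_MODE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
"""

NORMAL_MODE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.icq.com/start
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Uniblue SpyEraser] "C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe" -m
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B80BF6E-4C18-457B-89FD-3FF1D5092F16}: NameServer = 212.139.132.21 212.139.132.20
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
"""


def parse_entries(log_text):
    """Return the HijackThis entry lines (R0, O4, O23, ...) from a log body."""
    return [ln.strip() for ln in log_text.splitlines()
            if re.match(r"^[RFNO]\d+ - ", ln.strip())]


def entry_key(line):
    """Identify an entry across runs: the R-section value name (so a changed
    Start Page still matches itself), otherwise the whole line; casefolded
    because HijackThis prints ctfmon.exe and CTFMON.EXE for the same value."""
    if line.startswith("R"):
        return re.split(r"\s*=\s*", line, maxsplit=1)[0].casefold()
    return line.casefold()


def compare_logs(safe_log, normal_log):
    """Bucket entries into only_in_normal, only_in_safe, changed and common."""
    safe = {entry_key(ln): ln for ln in parse_entries(safe_log)}
    normal = {entry_key(ln): ln for ln in parse_entries(normal_log)}
    result = {"only_in_normal": [], "only_in_safe": [], "changed": [], "common": []}
    for key, line in normal.items():
        if key not in safe:
            result["only_in_normal"].append(line)
        elif safe[key].casefold() != line.casefold():
            result["changed"].append((safe[key], line))
        else:
            result["common"].append(line)
    for key, line in safe.items():
        if key not in normal:
            result["only_in_safe"].append(line)
    return result


if __name__ == "__main__":
    res = compare_logs(SAFE_MODE_LOG, NORMAL_MODE_LOG)
    for bucket in ("only_in_normal", "only_in_safe", "changed", "common"):
        print(f"[{bucket}]")
        for item in res[bucket]:
            print("   ", item)
```

On these two logs the O17 NameServer entry, the ICQ search bar and the msnmsgr and SpyEraser autostarts show up only in the Normal Mode log, the Start Page changes from blank to the ICQ value, and the orphaned MsaSvc service is present in both, which is why it can be fixed from either mode. The "only in Normal Mode" bucket is the one to read first when deciding whether a cleanup is finished.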
CBMatt
Mod & Malware Specialist
« Reply #14 on: June 02, 2007, 02:59:15 PM »

It's looking a lot better.  There's just one thing to address...


Download SDFix and save it to your Desktop.  Double-click SDFix.exe and it will extract the files to %systemdrive% (Drive that contains the Windows Directory, typically C:\SDFix).  Then go ahead and reboot into Safe Mode.

Open up HijackThis and fix the following entry...

O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)

Also...
O17 - HKLM\System\CCS\Services\Tcpip\..\{4B80BF6E-4C18-457B-89FD-3FF1D5092F16}: NameServer = 212.139.132.21 212.139.132.20
(Is RIPE Networks your ISP?  If not, you should fix this also.)

Close HijackThis.

  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt

(Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.

We're almost done here, I think.