Author Topic: Er......this really sucks. Help, please?  (Read 67821 times)


Offline Maxx_original

  • Moderator
  • Super Poster
  • *
  • Posts: 1479
Re: Er......this really sucks. Help, please?
« Reply #30 on: October 20, 2007, 05:08:45 PM »
The older variants were simple DLLs registered as BHOs. The newer versions came with a user-mode rootkit, which hides the libraries, etc.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 88791
  • No support PMs thanks
Re: Er......this really sucks. Help, please?
« Reply #31 on: October 20, 2007, 05:09:17 PM »
I can't recall where I read it but I believe some of the Vundo infections are hidden by rootkit.

I must improve my typing skills ;D
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.1.6099 (build 24.1.8821.762) UI 1.0.796/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

mauserme

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #32 on: October 20, 2007, 05:33:01 PM »
Well, many have been rooted (or stealthy, at least) for a while and were able to hide from HijackThis, for example (the reason for renaming HJT in some cases). But now VundoFix is less effective and ComboFix doesn't always find it. In the case of ComboFix it's not just that the detection is lacking; they don't show up in the 30-day list of file creations in some cases.

And I had a recent thread in this forum where the file couldn't be deleted with OTMoveIt or in safe mode. A user-mode rootkit probably explains the lack of success with OTMoveIt, but failure to delete in safe mode surprised me.

But maybe we should let alex1234 have his thread back and continue this in the Cafe.  I would be interested if you would post more there.


Offline oldman

  • Avast Evangelist
  • Massive Poster
  • ***
  • Posts: 4142
  • Some days..... MOS...this bug's for you
Re: Er......this really sucks. Help, please?
« Reply #33 on: October 20, 2007, 05:50:24 PM »
Quote
fortunately - all the variants (of Virtumondo) have the same basics and could be detected..
Is it my imagination or are these recent variants better protected - very good at hiding from the traditional tools and harder to delete when found?

The ones that I was looking at with sitypnow, removal was accomplished with a combination of SmitFraud (not sure if that did anything), SAS, ComboFix, VundoFix, etc. Nothing that I haven't seen used here.

The common thing was a line similar to "O4 Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\incfejqn.dll",sitypnow ", with [xxx] variable, as was xxx.dll. It seems that the xxx.dll can change from one instance of HJT to the next. Of course there were a number of random-letter filenames that went along with them.

These threads were in the last 3 weeks.

mauserme
Re: Er......this really sucks. Help, please?
« Reply #34 on: October 20, 2007, 06:04:19 PM »
Quote
The common thing was a line similar to "O4 Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\incfejqn.dll",sitypnow ", with [xxx] variable, as was xxx.dll. It seems that the xxx.dll can change from one instance of HJT to the next. Of course there were a number of random-letter filenames that went along with them.
I actually worked on one of those just last month.

http://forum.avast.com/index.php?topic=30529.msg252635#msg252635

And yes, the file name did change.

But look at the list of WinPFind file deletions on page 4 of that thread after running the tools you mention (well, I don't remember any SmitFraud in that thread, but the rest).  It's fine - that's what WinPFind is for.  But it wasn't necessary not so long ago.

Offline oldman
Re: Er......this really sucks. Help, please?
« Reply #35 on: October 20, 2007, 06:34:14 PM »
The post I was referring to came from a Google search. As I said, I'm not sure about SmitfraudFix, as no log was posted and that line was abandoned in favor of ComboFix and SAS.

http://forums.techguy.org/malware-removal-hijackthis-logs/630961-solved-urfwgsq-dll-sitypnow.html

But you're right, we should give this thread back to alex.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Er......this really sucks. Help, please?
« Reply #36 on: October 20, 2007, 08:41:50 PM »
Quote
fortunately - all the variants (of Virtumondo) have the same basics and could be detected..
Is it my imagination or are these recent variants better protected - very good at hiding from the traditional tools and harder to delete when found?
In a word, YES.

alex1234

  • Guest
Re: Er......this really sucks. Help, please?
« Reply #37 on: October 21, 2007, 12:20:54 AM »
Quote
But you're right, should give this thread back to alex.
No problem, I really don't mind at all. Anyways I'm learning more about these things as I read your comments. :)

I'm happy to say that I updated and ran SUPERAntiSpyware as oldman suggested; in fact I ran it twice. The first time it came up with 406 infected, but I did not restart immediately, as I said. Then some time later I ran it again and it found 135. Both times I quarantined, and immediately after the second run I rebooted. Now all signs of infection seem to be gone (no more alerts and pop-ups thus far), and I actually physically shut off my modem as well, just in case stuff was coming in after start-up.

As oldman requested, I will attach the logs of the two SUPERAntiSpyware runs with this post.

I'll run DSS next as mauserme suggested and post the log in the next post, since I need to close this window.

I've renamed the HJT program and run it just now; this is the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:33 PM, on 20/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\WINDOWS\system32\devldr32.exe
D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
D:\WINDOWS\system32\spider.exe
D:\PROGRA~1\MOZILL~1\FIREFOX.EXE
D:\Program Files\uTorrent\uTorrent.exe
D:\Program Files\Trend Micro\HijackThis\HijackThisAlex.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: BHO32 - {717833AD-7A96-11DC-8314-0800200C9A66} - D:\Program Files\BH0\ie-improver.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BB3D133B-253E-4995-B14F-2BA165B591F7} - D:\WINDOWS\system32\jkhhh.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "D:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [hpfsched] D:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Reminder-hpc41001.lnk = D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
O4 - Global Startup: TELUS eCare.lnk = D:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 7050 bytes


I see it is still there as
O2 - BHO: (no name) - {BB3D133B-253E-4995-B14F-2BA165B591F7} - D:\WINDOWS\system32\jkhhh.dll
but my symptoms are gone, which is good.
« Last Edit: October 21, 2007, 12:23:33 AM by alex1234 »

Offline DavidR
Re: Er......this really sucks. Help, please?
« Reply #38 on: October 21, 2007, 12:45:12 AM »
You should Fix this.
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

You should Fix these when confirmed as bad.
O2 - BHO: (no name) - {BB3D133B-253E-4995-B14F-2BA165B591F7} - D:\WINDOWS\system32\jkhhh.dll
This would appear to be a Virtumonde entry. It may be that this is just the registry entry, but check if the file is there too (http://www.spywaredata.com/spyware/malware/jkhhh.dll.php); upload to VT and send to avast if detected by multiple scanners.

O2 - BHO: BHO32 - {717833AD-7A96-11DC-8314-0800200C9A66} - D:\Program Files\BH0\ie-improver.dll

See http://www.sophos.com/security/analyses/trojbhodv.html
Quote
When Troj/BHO-DV is installed the following files are created:

<Program Files>\IE bho\ie-improver.dll
<Program Files>\IE bho\uninstall.exe

The file ie-improver.dll is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

Upload to VT to confirm and send to avast if detected by multiple scanners.

Offline oldman
Re: Er......this really sucks. Help, please?
« Reply #39 on: October 21, 2007, 12:52:44 AM »
There's still some signs in the HJT log. Also what might be Zlob. This might be a good time to clean out some old restore points, just in case System Restore is restoring some of it.

Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point.

Remove old restore points

Disk Cleanup - Launch the Disk Cleanup tool and then select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

Good choice in turning off the modem, in case there is a downloader.


Offline oldman
Re: Er......this really sucks. Help, please?
« Reply #40 on: October 21, 2007, 01:08:59 AM »
There's also the O20 line, but ixnnajpv.dll doesn't show in running processes.

O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
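The O2, O3, O4 and O20 entries that oldman and DavidR pick out in this thread (unnamed BHOs, "(no file)" and "(file missing)" load points, random-letter DLLs in system32, the rundll32 autorun with the sitypnow export) follow patterns that can be checked mechanically. Below is an added example, not from this thread or from HijackThis, that triages HJT log lines by those patterns; the sample log is constructed from the entries quoted in this thread plus a few benign control lines, and the random-name rule is a heuristic that needs a known-good allowlist before it is trusted on a full log.

```python
"""Heuristic triage of HijackThis (HJT) log lines for the Vundo patterns seen in this
thread: orphaned or unnamed BHOs, random-letter DLLs in system32, rundll32 autoruns and
one DLL hooked into several load points. Added example; the sample log is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

# Constructed from O2/O3/O4/O20 entries quoted in this thread, plus benign controls.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BB3D133B-253E-4995-B14F-2BA165B591F7} - D:\WINDOWS\system32\jkhhh.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\system32\sivnbypf.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\sivnbypf.dll
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\incfejqn.dll",sitypnow
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
O20 - Winlogon Notify: sivnbypf - D:\WINDOWS\SYSTEM32\sivnbypf.dll
""".strip()

LOAD_POINTS = {"O2", "O3", "O4", "O20"}  # BHO, IE toolbar, autorun, Winlogon Notify
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
DLL_RE = re.compile(r"([^\\/\s\"']+)\.dll\b", re.IGNORECASE)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\"?([^\",]+\.dll)\"?\s*,\s*(\S+)", re.IGNORECASE)
# The Vundo DLLs in this thread are 5-8 lowercase letters with no digits or separators.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}$")

@dataclass
class Finding:
    line: str
    section: str
    dll: Optional[str]  # lowercase base name without ".dll"; None if no DLL is named
    reasons: list = field(default_factory=list)

def parse_entries(log_text):
    """Yield (section, rest, line) for each HJT entry such as 'O2 - BHO: ...'."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            yield m.group(1), m.group(2), raw.strip()

def dll_name(text):
    """Base name (original case, no extension) of the last .dll mentioned, or None."""
    hits = DLL_RE.findall(text)
    return hits[-1] if hits else None

def triage(log_text):
    """Return the load-point entries that match at least one Vundo-style pattern."""
    findings, seen_in = [], defaultdict(set)
    for section, rest, line in parse_entries(log_text):
        if section not in LOAD_POINTS:
            continue
        name = dll_name(rest)
        key = name.lower() if name else None
        if key:
            seen_in[key].add(section)
        f, low = Finding(line, section, key), rest.lower()
        if "(no file)" in low or "(file missing)" in low:
            f.reasons.append("load point references a file that is not on disk")
        if section == "O2" and "(no name)" in low:
            f.reasons.append("BHO registered without a display name")
        # A bare file name (no directory) is resolved through the DLL search path,
        # which includes system32, so treat it like an explicit system32 path.
        path_part = rest if section == "O4" else rest.rsplit(" - ", 1)[-1]
        in_system32 = "system32" in low or (name is not None and "\\" not in path_part)
        if name and in_system32 and RANDOM_NAME_RE.match(name):
            f.reasons.append(f"random-looking DLL name {name}.dll in system32")
        m = RUNDLL_RE.search(rest)
        if section == "O4" and m:
            f.reasons.append(f"autorun loads {m.group(1)} via rundll32 export '{m.group(2)}'")
        findings.append(f)
    # Second pass: one DLL registered as BHO, toolbar and Winlogon Notify at once
    # (sivnbypf.dll in the later log) is more telling than any single entry.
    for f in findings:
        if f.dll and len(seen_in[f.dll]) >= 2:
            f.reasons.append(f"{f.dll}.dll is hooked into " + ", ".join(sorted(seen_in[f.dll])))
    return [f for f in findings if f.reasons]

def flagged_dlls(findings):
    """Sorted unique DLL base names among the findings (file-less entries skipped)."""
    return sorted({f.dll for f in findings if f.dll})
```

Running `triage(SAMPLE_LOG)` flags jkhhh, sivnbypf, incfejqn and ixnnajpv together with the orphaned "(no file)" BHO, while the Yahoo!, SUPERAntiSpyware and avast! control lines pass.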

alex1234
Re: Er......this really sucks. Help, please?
« Reply #41 on: October 21, 2007, 01:16:23 AM »
I made 5 attempts at running DSS but each time I get a "....has encountered a problem and needs to close" error.

jkhhh.dll returned 11/32 (34.38%). I will send it to avast.
The D:\Program Files\BH0\ie-improver.dll file I cannot upload to VirusTotal, since I cannot find a BHO directory in D:\Program Files\ in the upload browser.

Quote
(http://www.spywaredata.com/spyware/malware/jkhhh.dll.php)
I'm guessing this is a collection of jkhhh.dll files that people have uploaded; I do not see mine there, if judging by file size is a good indication of a match.

Quote
Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point.

Remove old restore points

Disk Cleanup - Launch the Disk Cleanup tool and then select the More Options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

Unless system restore points are created automatically, I do not have any since I recently reformatted. But will do.

Quote
some tools for stubborn file removal.
- MoveOnBoot http://www.snapfiles.com/get/moveonboot.html
- Unlocker http://ccollomb.free.fr/unlocker/ is also good, as it has a few additional features to not only delete the files but also stop any process that is stopping you from deleting a file.
Will be looking into this as well.

Quote
There's also the O20 line, but ixnnajpv.dll doesn't show in running processes.

O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
Hmm, that's what VundoFix tried to delete twice but said it failed.

Offline oldman
Re: Er......this really sucks. Help, please?
« Reply #42 on: October 21, 2007, 01:24:07 AM »
What about this file

D:\WINDOWS\system32\jkhhh.dll

Is it present on your computer?

I don't know anything about DSS, will have to wait for mauserme or someone who does.

Offline oldman
Re: Er......this really sucks. Help, please?
« Reply #43 on: October 21, 2007, 01:39:22 AM »

Quote
Unless system restore points are created automatically, I do not have any since I recently reformatted. But will do.

SAS quarantined some from your System Restore. Yes, they are created automatically.


Quote
some tools for stubborn file removal.
- MoveOnBoot http://www.snapfiles.com/get/moveonboot.html
- Unlocker http://ccollomb.free.fr/unlocker/ is also good, as it has a few additional features to not only delete the files but also stop any process that is stopping you from deleting a file.
Will be looking into this as well.

Hold off a bit on that.


Quote
There's also the O20 line, but ixnnajpv.dll doesn't show in running processes.

O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
Hmm, that's what VundoFix tried to delete twice but said it failed.

We might be able to remove that one, but first let's see what combofix has to say.

Download ComboFix from Here or Here to your Desktop.

Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

alex1234
Re: Er......this really sucks. Help, please?
« Reply #44 on: October 21, 2007, 06:43:09 AM »
My symptoms have now come back, though the frequency of IE pop-ups has decreased dramatically.


Quote
What about this file

D:\WINDOWS\system32\jkhhh.dll

Is it present on your computer?
It was, and is no longer. ComboFix might have deleted it, since that's the only thing I've really done of late; see below.

Quote
Double click combofix.exe and follow the prompts.

When finished, it shall produce a log for you.

I ran it, though I don't think it made it to completion. At one point in the window it did list a bunch of those randomly named files, then it restarted my PC after telling me it would, and after that continued running, but then the system restarted again with no warning from ComboFix, and so I believe this second restart was some sort of failure....though I am not sure. Also, it said it would restore my clock settings when done, but they've not been restored. I have looked in the ComboFix folder that was created and see no log; the only text file I see contains

ComboFix 07-10-21.1** - Administrator 2007-10-20 21:58:06.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.1011 [GMT -6:00]
Running from: D:\Documents and Settings\Administrator\Desktop\ComboFix.exe
 * Created a new restore point
.


I made sure never to click in the ComboFix window. But should I try to run it again?
Here is my HijackThis log anyway:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:37, on 2007-10-20
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
D:\Program Files\Alwil Software\Avast4\ashServ.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\devldr32.exe
D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
D:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
D:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Comodo\Firewall\CPF.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe
D:\Program Files\Messenger\msmsgs.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
D:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe
D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\uTorrent\uTorrent.exe
D:\Program Files\Trend Micro\HijackThis\HijackThisAlex.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - D:\WINDOWS\system32\sivnbypf.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - D:\WINDOWS\system32\sivnbypf.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Motive SmartBridge] D:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [RemoteControl] "D:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MimBoot] D:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] D:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NBKeyScan] "D:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [hpfsched] D:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "D:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "D:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Reminder-hpc41001.lnk = D:\Program Files\HP DeskJet 690C Series\ereg\Remind32.exe
O4 - Global Startup: TELUS eCare.lnk = D:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: !SASWinLogon - D:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ixnnajpv - ixnnajpv.dll (file missing)
O20 - Winlogon Notify: sivnbypf - D:\WINDOWS\SYSTEM32\sivnbypf.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - D:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - D:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe

--
End of file - 6845 bytes


As well, I just want to attach a screenshot from Comodo's Traffic section in case any of you can see something suspicious there. MotiveSB is related to my ISP software, I believe. I'm just wondering what the System and svchost.exe entries are.