Win 32 trojan, please help!!!

Newbie Poster

14 posts since Oct 2006

Reputation Points: 10

Solved Threads: 0

Link 1
Link 2
Link 3

Hi pydfc

Download Combofix from any of the links below, and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

If your not sure how to disable them then double-check against the list found >>>HERE<<< This list is not all inclusive, if your programs are not listed and you are unsure then please ask before continuing.

--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

Junior Poster

127 posts since Jul 2007

Reputation Points: 11

Solved Threads: 10

Thanks for your time and help, here is the required log files from combofix and hijackthis

I look forward to your advice.

Paul

ComboFix 08-02.03.1 - Owner 2008-02-04 11:30:07.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.130 [GMT 0:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\iifgdee.dll
C:\WINDOWS\system32\vtsts.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\Common Files\{3C29F~1
C:\Program Files\Common Files\{3C29F~1\Uninst.exe
C:\Program Files\Common Files\{BC29F~1
C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\printview
C:\Program Files\printview\chnlist.dat
C:\Program Files\printview\hotlist.dat
C:\Program Files\printview\remlist.dat
C:\Program Files\winupdates
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe
C:\WINDOWS\IA
C:\WINDOWS\ie-hook.txt
C:\WINDOWS\system32\alog.txt
C:\WINDOWS\system32\awtsr.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cookie.dat
C:\WINDOWS\system32\cvvmwbpn.dll
C:\WINDOWS\SYSTEM32\gowljxsf.ini
C:\WINDOWS\system32\helper.dll
C:\WINDOWS\system32\hgggedb.dll
C:\WINDOWS\SYSTEM32\hupbuvhk.ini
C:\WINDOWS\system32\idyohwtn.dll
C:\WINDOWS\system32\iifgdee.dll
C:\WINDOWS\SYSTEM32\ijabuwiy.ini
C:\WINDOWS\system32\khvubpuh.dll
C:\WINDOWS\system32\knvkqmus.dll
C:\WINDOWS\system32\lpfkbogu.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\SYSTEM32\ntwhoydi.ini
C:\WINDOWS\system32\ps.dat
C:\WINDOWS\SYSTEM32\ststv.ini
C:\WINDOWS\SYSTEM32\ststv.ini2
C:\WINDOWS\system32\txltoedd.dll
C:\WINDOWS\system32\vfwkaltd.dll
C:\WINDOWS\system32\vfwkaltd.dllbox
C:\WINDOWS\system32\vngmjxei.dll
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\ygjizkud.dllbox
D:\Autorun.inf

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com
hxxp://msgr.dlservice.microsoft.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\nm

((((((((((((((((((((((((( Files Created from 2008-01-04 to 2008-02-04 )))))))))))))))))))))))))))))))
.

2008-02-03 18:41 . 2008-02-03 18:41 d-------- C:\Program Files\Alwil Software
2008-02-03 18:41 . 2007-12-04 13:04 837,496 --a------ C:\WINDOWS\SYSTEM32\aswBoot.exe
2008-02-03 18:41 . 2007-12-04 12:54 95,608 --a------ C:\WINDOWS\SYSTEM32\AvastSS.scr
2008-02-03 18:41 . 2007-12-04 14:55 94,544 --a------ C:\WINDOWS\SYSTEM32\drivers\aswmon2.sys
2008-02-03 18:41 . 2007-12-04 14:56 93,264 --a------ C:\WINDOWS\SYSTEM32\drivers\aswmon.sys
2008-02-03 18:41 . 2007-12-04 14:51 42,912 --a------ C:\WINDOWS\SYSTEM32\drivers\aswTdi.sys
2008-02-03 18:41 . 2007-12-04 14:49 26,624 --a------ C:\WINDOWS\SYSTEM32\drivers\aavmker4.sys
2008-02-03 18:41 . 2007-12-04 14:53 23,152 --a------ C:\WINDOWS\SYSTEM32\drivers\aswRdr.sys
2008-01-30 19:49 . 2008-01-30 19:49 d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-29 12:34 . 2008-01-29 12:44 15,400 --a------ C:\WINDOWS\BMbf1aca51.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-04 11:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-02-03 23:14 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd8269.sys
2008-02-03 19:05 --------- d-----w C:\Program Files\DAEMON Tools
2008-02-03 10:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-03 10:24 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-01 18:45 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-01-30 19:29 --------- d-----w C:\Program Files\Yahoo!
2008-01-28 00:15 --------- d-----w C:\Program Files\Kontiki
2007-12-30 22:51 --------- d-----w C:\Program Files\Channel4
2007-12-30 22:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Channel4
2007-12-21 15:10 --------- d-----w C:\Documents and Settings\Owner\Application Data\DivX
2004-11-02 12:30 57,728 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-06-18 09:05 45,056 -c--a-w C:\WINDOWS\INF\Slntinst.exe
2003-08-22 09:09 45,056 -c--a-w C:\WINDOWS\INF\slntinst_staticW2k.exe
2006-07-01 09:48 595,105 -csha-w C:\WINDOWS\SYSTEM32\stvwa.bak1
.

((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.
----a-w 61,440 2001-07-07 03:56:56 C:\hp\KBD\bak\KBD.EXE

----a-w 409,600 2004-01-14 01:10:02 C:\Program Files\Canon\Easy-PrintToolBox\bak\BJPSMAIN.EXE
----a-w 409,600 2004-01-14 01:10:02 C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE

----a-w 81,920 2004-06-16 05:03:04 C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe

----a-w 221,184 2004-06-16 05:03:26 C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe

----a-w 28,738 2001-08-16 05:41:58 C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe

----a-w 133,016 2005-12-10 14:57:19 C:\Program Files\DAEMON Tools\bak\daemon.exe
----a-w 133,016 2005-12-10 14:57:19 C:\Program Files\DAEMON Tools\daemon.exe

----a-w 278,528 2006-02-23 15:45:20 C:\Program Files\iTunes\bak\iTunesHelper.exe

----a-w 36,975 2005-11-10 13:03:52 C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe

----a-w 430,080 2004-03-08 12:50:50 C:\Program Files\LiveUpdate\bak\LiveUpdate.exe

----a-w 24,576 2001-10-05 01:34:51 C:\Program Files\Microsoft Works\bak\wkfud.exe

----a-w 331,830 2001-08-22 22:52:52 C:\Program Files\Microsoft Works\bak\WksSb.exe

----a-w 282,624 2006-09-01 14:57:48 C:\Program Files\QuickTime\bak\qttask.exe
----a-w 282,624 2006-09-01 15:57:48 C:\Program Files\QuickTime\qttask.exe

----a-w 1,003,520 2006-05-29 19:52:08 C:\Program Files\Real\RealPlayer\bak\realplay.exe

-c--a-w 40,960 2003-01-21 14:19:24 C:\WINDOWS\bak\VM_STI.EXE

-c--a-w 212,992 2001-06-16 05:34:56 C:\WINDOWS\SMINST\bak\RECGUARD.EXE

-c--a-w 52,736 1998-05-07 23:04:38 C:\WINDOWS\SYSTEM\bak\hpsysdrv.exe

-c--a-w 90,112 2001-08-08 06:36:38 C:\WINDOWS\SYSTEM32\bak\hkcmd.exe

-c--a-w 143,360 2001-08-08 07:25:48 C:\WINDOWS\SYSTEM32\bak\igfxtray.exe

-c--a-w 155,648 2001-07-09 10:50:42 C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe

-c--a-w 81,920 2001-07-04 03:13:56 C:\WINDOWS\SYSTEM32\bak\ps2.exe

-c--a-w 406,016 2003-11-10 16:06:08 C:\WINDOWS\SYSTEM32\bak\PSDrvCheck.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A3948C4-B3F9-4625-815F-31DD87765572}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3170c686-bc1a-4a4a-a5b6-61e534c3c23a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{850C7964-9320-4055-BE11-7D7B562A6417}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54 5674352]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 19:05 204288]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3tray2.exe" [2001-12-18 03:09 69632 C:\WINDOWS\SYSTEM32\S3tray2.exe]
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [2001-12-20 08:20 299008 C:\WINDOWS\SYSTEM32\nwiz.exe]
"PCTVOICE"="pctspk.exe" [2001-08-02 08:37 155648 C:\WINDOWS\SYSTEM32\pctspk.exe]
"Dit"="Dit.exe" [2003-04-22 17:20 61440 C:\WINDOWS\Dit.exe]
"BTUSRBDG"="BtUsrBdg.exe" [2003-11-05 20:21 53248 C:\WINDOWS\SYSTEM32\BtUsrBdg.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 14:29 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57 282624]
"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\WMCCFG.exe" [2006-10-18 20:58 8704]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 01:10 409600]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-10 00:04 118837]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01 110592]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 13:00 79224]
"bc29f9cd"="C:\WINDOWS\system32\khvubpuh.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"Spyware Doctor"="" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [2001-08-07 00:06:54 24633]
Startup.exe [2003-10-16 15:37:00 36864]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogon]
helper.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xgpnneqx]
xgpnneqx.dll

R3 BTCOMM;BTCOMM;C:\WINDOWS\system32\drivers\Btcomm.sys [2004-09-28 14:18]
R3 BTKRNBDG;Bluetooth COM Bridge;C:\WINDOWS\system32\DRIVERS\btkrnbdg.sys [2003-03-18 09:31]
R3 CSRBC01;%CSRBC01.SvcDesc%;C:\WINDOWS\system32\Drivers\csrbc01.sys [2003-10-29 17:52]
R3 Dvd43;Dvd43;C:\WINDOWS\system32\DRIVERS\Dvd43.sys [2005-01-01 22:14]
R3 fdrawcmd;fdrawcmd;C:\WINDOWS\system32\Drivers\fdrawcmd.sys [2006-06-10 10:45]
R3 vad_multi;Windigo Virtual Audio Device (WDM);C:\WINDOWS\system32\drivers\vadmulti.sys [2003-11-05 09:53]
S3 SiS7012;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\sis7012.sys [2002-01-17 22:18]
S3 V2210VID;DigitalCam Pro;C:\WINDOWS\system32\DRIVERS\V2210vid.sys [2002-10-31 04:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71e9cf96-378e-11db-9e3d-0030cd0001e9}]
\Shell\AutoRun\command - I:\setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-01-03 07:19:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2002-01-01 00:22:30 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2002-01-01 00:22:30 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2002-01-01 00:22:30 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2002-01-01 00:22:29 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-04 11:57:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\DitExp.exe
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\XTNDConnect Blue Manager\XCBluMgr.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\SUSHIM~1.EXE
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\btprot.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\BTUI_M~1.EXE
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-02-04 12:02:24 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-04 12:02:20

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:08:57, on 04/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\system32\BtUsrBdg.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Kontiki\KHost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\DitExp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\XTNDConnect Blue Manager\XCBluMgr.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\SUSHIM~1.EXE
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\btprot.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\BTUI_M~1.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dundeefc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://uk4.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [bc29f9cd] rundll32.exe "C:\WINDOWS\system32\khvubpuh.dll",b
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Startup.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000000-0000-0000-0000-100000000003} - http://code.trasferimento.biz/l/36c55a9a450a682168f1ca7c038dfe0d_35.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashpoker.ladbrokes.com/Ladbrokes/FlashAX.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O20 - Winlogon Notify: SensLogon - helper.dll (file missing)
O20 - Winlogon Notify: xgpnneqx - xgpnneqx.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Windows Updater - {259BA022-2005-45E9-A965-10EDB9C00605} - (no file)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 9916 bytes

Newbie Poster

14 posts since Oct 2006

Reputation Points: 10

Solved Threads: 0

Hi pydfc

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System

Download the file & save it as its originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.Please do not reboot your machine until we have reviewed the log.

Attachments

Junior Poster

127 posts since Jul 2007

Reputation Points: 11

Solved Threads: 10

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows Whistler Personal" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Newbie Poster

14 posts since Oct 2006

Reputation Points: 10

Solved Threads: 0

Link 1
Link 2
Link 3

Hi pydfc

Sorry for the delay in getting back to you.

You will now see the option to boot to Recovery Console when you boot the PC. This would allow us to make repairs from the Recovery Console if we have to. Please choose to boot to Windows XP unless asked otherwise.

-------------------------

Delete your copy of ComboFix.exe and download an updated copy from any of the links below, and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

---------------------

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

AWF::
C:\hp\KBD\bak\KBD.EXE
C:\Program Files\Canon\Easy-PrintToolBox\bak\BJPSMAIN.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\bak\issch.exe
C:\Program Files\Common Files\InstallShield\UpdateService\bak\isuspm.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\bak\WkUFind.exe
C:\Program Files\DAEMON Tools\bak\daemon.exe
C:\Program Files\iTunes\bak\iTunesHelper.exe
C:\Program Files\Java\jre1.5.0_06\bin\bak\jusched.exe
C:\Program Files\LiveUpdate\bak\LiveUpdate.exe
C:\Program Files\Microsoft Works\bak\wkfud.exe
C:\Program Files\Microsoft Works\bak\WksSb.exe
C:\Program Files\QuickTime\bak\qttask.exe
C:\Program Files\Real\RealPlayer\bak\realplay.exe
C:\WINDOWS\bak\VM_STI.EXE
C:\WINDOWS\SMINST\bak\RECGUARD.EXE
C:\WINDOWS\SYSTEM\bak\hpsysdrv.exe
C:\WINDOWS\SYSTEM32\bak\hkcmd.exe
C:\WINDOWS\SYSTEM32\bak\igfxtray.exe
C:\WINDOWS\SYSTEM32\bak\NeroCheck.exe
C:\WINDOWS\SYSTEM32\bak\ps2.exe
C:\WINDOWS\SYSTEM32\bak\PSDrvCheck.exe
File::
C:\WINDOWS\SYSTEM32\stvwa.bak1
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogon]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A3948C4-B3F9-4625-815F-31DD87765572}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3170c686-bc1a-4a4a-a5b6-61e534c3c23a}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{850C7964-9320-4055-BE11-7D7B562A6417}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98663E21-9CCE-4CF6-863C-911A9523A66F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bc29f9cd"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xgpnneqx]

Save this asCFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at"C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

---------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component. The program will then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT
Locate the Scan Settings button & configure to: Scan using the following Anti-Virus database:Extended

Scan Options:Scan Archives
Scan Mail Bases

Click OK & have it scan My Computer
Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

---------------------
RequiredLogs

C:\ComboFix.txt
Kaspersky report
new HijackThis log

Please also provide an update on system behaviour

Attachments

Junior Poster

127 posts since Jul 2007

Reputation Points: 11

Solved Threads: 10

Saturday, March 15, 2008 4:19:59 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/03/2008
Kaspersky Anti-Virus database records: 631202

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics
Total number of scanned objects 97586
Number of viruses found 24
Number of infected objects 76
Number of suspicious objects 2
Duration of the scan process 03:51:03

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Kontiki\error.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip/install.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DyFuCAInternetOptimizer2.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\temp\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Desktop\Warhammer_40000_Dawn_of_War_1.0.rar/keygen.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.edv skipped

C:\Documents and Settings\Owner\Desktop\Warhammer_40000_Dawn_of_War_1.0.rar/crack.exe Infected: Trojan.Win32.Dialer.yz skipped

C:\Documents and Settings\Owner\Desktop\Warhammer_40000_Dawn_of_War_1.0.rar RAR: infected - 2 skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\PAulmyoung16@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\PAulmyoung16@hotmail.com\SharingMetadata\pending.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\PAulmyoung16@hotmail.com\SharingMetadata\Working\database_5CBC_2A24_BC29_F962\dfsr.db Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\PAulmyoung16@hotmail.com\SharingMetadata\Working\database_5CBC_2A24_BC29_F962\fsr.log Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\PAulmyoung16@hotmail.com\SharingMetadata\Working\database_5CBC_2A24_BC29_F962\fsrtmp.log Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Messenger\PAulmyoung16@hotmail.com\SharingMetadata\Working\database_5CBC_2A24_BC29_F962\tmp.edb Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Live Contacts\Paulmyoung16@hotmail.com\real\members.stg Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows Live Contacts\Paulmyoung16@hotmail.com\shadow\members.stg Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008031520080316\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\BCG8.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DF9863.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DF9870.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DFB728.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DFB8F7.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DFCA0C.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~DFCA5A.tmp Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\My Documents\keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\Owner\My Documents\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\Owner\My Documents\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped

C:\Documents and Settings\Owner\My Documents\keyfinder.exe RarSFX: infected - 3 skipped

C:\Documents and Settings\Owner\My Documents\My Received Files\photo album.zip/photo album2007.pif Infected: Backdoor.Win32.IRCBot.aaq skipped

C:\Documents and Settings\Owner\My Documents\My Received Files\photo album.zip ZIP: infected - 1 skipped

C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Program Files\ACE Mega CoDecS Pack\Anti-Virus\chpD.tmp Infected: Backdoor.Win32.IRCBot.gen skipped

C:\Program Files\SearchRelevant\SearchRelevant5.dll Infected: not-a-virus:AdWare.Win32.Relevance.c skipped

C:\QooBox\Quarantine\C\WINDOWS\Downloaded Program Files\UDC6_0001_D19M1908NetInstaller.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.ar skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\awtsr.exe.vir Infected: Trojan-Downloader.Win32.ConHook.ah skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cvvmwbpn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\helper.dll.vir Infected: Trojan-Spy.Win32.Banker.cji skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hgggedb.dll.vir Infected: Trojan.Win32.BHO.auf skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\idyohwtn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\khvubpuh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\knvkqmus.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\lpfkbogu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\txltoedd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vfwkaltd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vngmjxei.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.auj skipped

C:\QooBox\Quarantine\catchme2008-02-04_115416.18.zip/iifgdee.dll Infected: Trojan.Win32.BHO.auf skipped

C:\QooBox\Quarantine\catchme2008-02-04_115416.18.zip/vtsts.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\QooBox\Quarantine\catchme2008-02-04_115416.18.zip ZIP: infected - 2 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP351\A0039020.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP351\A0039023.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP351\A0039024.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP351\A0039025.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP351\A0039028.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP352\A0039074.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP352\A0039075.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP352\A0039078.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP354\A0040158.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP356\A0040234.exe Infected: not-a-virus:AdWare.Win32.PrintView.a skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP356\A0040235.dll Infected: not-a-virus:AdWare.Win32.PrintView.a skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP356\A0040237.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP356\A0040256.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gip skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP357\A0040278.dll Infected: Trojan-Spy.Win32.Banker.cji skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP357\A0040281.exe Infected: Trojan-Downloader.Win32.ConHook.ah skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP357\A0040282.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP357\A0040283.dll Infected: Trojan.Win32.BHO.auf skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP357\A0040284.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP357\A0040285.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP357\A0040286.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP357\A0040287.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP357\A0040288.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP357\A0040289.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP357\A0040290.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.auj skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP357\A0040299.dll Infected: Trojan.Win32.BHO.auf skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP357\A0040300.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP376\change.log Object is locked skipped

C:\Temp\Bargains.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped

C:\Temp\Bargains.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q skipped

C:\Temp\Bargains.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.q skipped

C:\Temp\Bargains.exe/stream/data0005 Infected: Trojan-Clicker.Win32.VB.ex skipped

C:\Temp\Bargains.exe/stream/data0006/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped

C:\Temp\Bargains.exe/stream/data0006/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped

C:\Temp\Bargains.exe/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped

C:\Temp\Bargains.exe/stream/data0007/stream/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.y skipped

C:\Temp\Bargains.exe/stream/data0007/stream/data0005 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped

C:\Temp\Bargains.exe/stream/data0007/stream/data0006 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped

C:\Temp\Bargains.exe/stream/data0007/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.n skipped

C:\Temp\Bargains.exe/stream/data0007/stream/data0008 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped

C:\Temp\Bargains.exe/stream/data0007/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped

C:\Temp\Bargains.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped

C:\Temp\Bargains.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.l skipped

C:\Temp\Bargains.exe NSIS: infected - 15 skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\FQTKHI.DAT Infected: Backdoor.Win32.Hupigon.cke skipped

C:\WINDOWS\photo album.zip/photo album2007.pif Infected: Backdoor.Win32.IRCBot.aaq skipped

C:\WINDOWS\photo album.zip ZIP: infected - 1 skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\ciadmon.dll Infected: Packed.Win32.Klone.k skipped

C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\default Object is locked skipped

C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\software Object is locked skipped

C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\config\system Object is locked skipped

C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\drivers\dtscsi.sys Object is locked skipped

C:\WINDOWS\SYSTEM32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\SYSTEM32\drivers\sptd8269.sys Object is locked skipped

C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\Temp\Perflib_Perfdata_1c8.dat Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

D:\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe RAR: infected - 1 skipped

D:\brutus-aet2.zip/BrutusA2.exe Infected: not-a-virus:PSWTool.Win32.Brutus skipped

D:\brutus-aet2.zip ZIP: infected - 1 skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

D:\System Volume Information\_restore{0AB78115-3F10-4D7F-ACE9-38BAFC97C2B9}\RP376\change.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:22:29, on 15/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\system32\BtUsrBdg.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\XTNDConnect Blue Manager\XCBluMgr.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\SUSHIM~1.EXE
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\btprot.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\BTUI_M~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dundeefc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://uk4.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Startup.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000000-0000-0000-0000-100000000003} - http://code.trasferimento.biz/l/36c55a9a450a682168f1ca7c038dfe0d_35.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashpoker.ladbrokes.com/Ladbrokes/FlashAX.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Windows Updater - {259BA022-2005-45E9-A965-10EDB9C00605} - (no file)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 9409 bytes

ComboFix 08-03-14.4 - Owner 2008-03-15 11:21:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.195 [GMT 0:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\cfscript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\SYSTEM32\stvwa.bak1
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMbf1aca51.xml
C:\WINDOWS\SYSTEM32\stvwa.bak1

.
((((((((((((((((((((((((( Files Created from 2008-02-15 to 2008-03-15 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 11:25 --------- d-----w C:\Program Files\Microsoft Works
2008-03-15 11:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-03-15 11:21 --------- d-----w C:\Program Files\QuickTime
2008-03-15 11:20 --------- d-----w C:\Program Files\LiveUpdate
2008-03-15 11:20 --------- d-----w C:\Program Files\iTunes
2008-03-15 11:20 --------- d-----w C:\Program Files\DAEMON Tools
2008-02-04 12:04 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-04 12:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-03 23:14 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd8269.sys
2008-02-03 18:41 --------- d-----w C:\Program Files\Alwil Software
2008-02-01 18:45 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-01-30 19:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-30 19:29 --------- d-----w C:\Program Files\Yahoo!
2008-01-28 00:15 --------- d-----w C:\Program Files\Kontiki
2004-11-02 12:30 57,728 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-06-18 09:05 45,056 -c--a-w C:\WINDOWS\INF\Slntinst.exe
2003-08-22 09:09 45,056 -c--a-w C:\WINDOWS\INF\slntinst_staticW2k.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3tray2.exe" [2001-12-18 03:09 69632 C:\WINDOWS\SYSTEM32\S3tray2.exe]
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [2001-12-20 08:20 299008 C:\WINDOWS\SYSTEM32\nwiz.exe]
"PCTVOICE"="pctspk.exe" [2001-08-02 08:37 155648 C:\WINDOWS\SYSTEM32\pctspk.exe]
"Dit"="Dit.exe" [2003-04-22 17:20 61440 C:\WINDOWS\Dit.exe]
"BTUSRBDG"="BtUsrBdg.exe" [2003-11-05 20:21 53248 C:\WINDOWS\SYSTEM32\BtUsrBdg.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 14:29 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 14:57 282624]
"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\WMCCFG.exe" [2006-10-18 20:58 8704]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 01:10 409600]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-10 00:04 118837]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01 110592]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"Spyware Doctor"="" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\BitTornado\\btdownloadgui.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71e9cf96-378e-11db-9e3d-0030cd0001e9}]
\Shell\AutoRun\command - I:\setupSNK.exe

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-15 11:26:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc29.tmp"
.
Completion time: 2008-03-15 11:28:21
ComboFix-quarantined-files.txt 2008-03-15 11:27:58
ComboFix2.txt 2008-02-04 12:02:25

Newbie Poster

14 posts since Oct 2006

Reputation Points: 10

Solved Threads: 0

Hi pydfc

Sorry for the delay in getting back to you, I've just become a Gran so have been at hospital the last few days :)

Open Spybot Search & Destroy and Click on Recovery from the menu on the left. Select all the items then click on Purge selected items to delete the quarantined items then close Spybot.

------------------------

Download MsnCleaner_eng.zip but don't use it yet.
(Copy/Paste the downloadlink in the url window or use "Save Target As")Now reboot into Safe Mode
Double-click MsnCleaner_eng.exe to run it.
Click the Analyze button.
A report will be created once after you finish scan.
If it finds an infection, click the Deleted button.
Now, please reboot back to normal mode.
Please post the contents of C:\MsnCleaner.txt in a reply to this post.

------------------------

Scan with HijackThis and check the following entries (If they still exist) (make sure not to miss any)

O16 - DPF: {00000000-0000-0000-0000-100000000003} - http://code.trasferimento.biz/l/36c5...38dfe0d_35.exe
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
O22 - SharedTaskScheduler: Windows Updater - {259BA022-2005-45E9-A965-10EDB9C00605} - (no file)

Remember to close all other windows and click Fix Checked

------------------------

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

http://www.daniweb.com/forums/thread107503.html

File::

C:\Documents and Settings\Owner\Desktop\Warhammer_40000_Dawn_of_War_1.0.rar

C:\WINDOWS\FQTKHI.DAT

C:\Temp\Bargains.exe

C:\Program Files\SearchRelevant\SearchRelevant5.dll

D:\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe C:\WINDOWS\SYSTEM32\ciadmon.dll

Collect::[33]

C:\WINDOWS\photo album.zip

C:\Program Files\ACE Mega CoDecS Pack\Anti-Virus\chpD.tmp

C:\Documents and Settings\Owner\My Documents\My Received Files\photo album.zip

Save this asCFScript.txt, in the same location as ComboFix.exe

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at"C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

------------------------
Required Logs

C:\MsnCleaner.txt
C:\ComboFix.txt
new HijackThis log taken after the ComboFix scan

Please also include an update on system behaviour

Attachments

Junior Poster

127 posts since Jul 2007

Reputation Points: 11

Solved Threads: 10

There is nothng found on MSNcleaner anymore, i did however delete one file on the first scan. butthe report comes back clean.

The system is running a little smoother now, do i still have a problem??

Thanks again for your help.

ComboFix 08-03-14.4 - Owner 2008-03-22 12:53:50.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.195 [GMT 0:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript
* Created a new restore point

FILE ::
C:\Documents and Settings\Owner\Desktop\Warhammer_40000_Dawn_of_War_1.0.rar
C:\Program Files\SearchRelevant\SearchRelevant5.dll
C:\Temp\Bargains.exe
C:\WINDOWS\FQTKHI.DAT
D:\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe C:\WINDOWS\SYSTEM32\ciadmon.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Desktop\Warhammer_40000_Dawn_of_War_1.0.rar
C:\Documents and Settings\Owner\My Documents\My Received Files\photo album.zip
C:\Program Files\ACE Mega CoDecS Pack\Anti-Virus\chpD.tmp
C:\Program Files\SearchRelevant\SearchRelevant5.dll
C:\Temp\Bargains.exe
C:\WINDOWS\FQTKHI.DAT

.
((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.

2008-03-22 12:34 . 2008-03-22 12:39 d-------- C:\MSNCleaner
2008-03-15 11:57 . 2008-03-15 11:57 d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-03-15 11:57 . 2008-03-15 11:57 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-22 12:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-03-22 12:54 --------- d-----w C:\Program Files\SearchRelevant
2008-03-22 12:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-22 11:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-15 11:25 --------- d-----w C:\Program Files\QuickTime
2008-03-15 11:25 --------- d-----w C:\Program Files\Microsoft Works
2008-03-15 11:25 --------- d-----w C:\Program Files\LiveUpdate
2008-03-15 11:25 --------- d-----w C:\Program Files\iTunes
2008-03-15 11:25 --------- d-----w C:\Program Files\DAEMON Tools
2008-02-03 23:14 96,256 ----a-w C:\WINDOWS\system32\drivers\sptd8269.sys
2008-02-03 18:41 --------- d-----w C:\Program Files\Alwil Software
2008-02-01 18:45 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-01-30 19:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-01-30 19:29 --------- d-----w C:\Program Files\Yahoo!
2008-01-28 00:15 --------- d-----w C:\Program Files\Kontiki
2004-11-02 12:30 57,728 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-06-18 09:05 45,056 -c--a-w C:\WINDOWS\INF\Slntinst.exe
2003-08-22 09:09 45,056 -c--a-w C:\WINDOWS\INF\slntinst_staticW2k.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"S3TRAY2"="S3tray2.exe" [2001-12-18 03:09 69632 C:\WINDOWS\SYSTEM32\S3tray2.exe]
"NvCplDaemon"="NvQTwk" []
"nwiz"="nwiz.exe" [2001-12-20 08:20 299008 C:\WINDOWS\SYSTEM32\nwiz.exe]
"PCTVOICE"="pctspk.exe" [2001-08-02 08:37 155648 C:\WINDOWS\SYSTEM32\pctspk.exe]
"Dit"="Dit.exe" [2003-04-22 17:20 61440 C:\WINDOWS\Dit.exe]
"BTUSRBDG"="BtUsrBdg.exe" [2003-11-05 20:21 53248 C:\WINDOWS\SYSTEM32\BtUsrBdg.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-03-09 14:29 86016]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 14:57 282624]
"Windows Media Connect 2"="C:\Program Files\Windows Media Connect 2\WMCCFG.exe" [2006-10-18 20:58 8704]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 01:10 409600]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-10 00:04 118837]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 00:01 110592]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23 1032640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]
"Spyware Doctor"="" []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"EditLevel"= 0 (0x0)
"NoCommonGroups"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{71e9cf96-378e-11db-9e3d-0030cd0001e9}]
\Shell\AutoRun\command - I:\setupSNK.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2007-01-03 07:19:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2002-01-01 00:22:30 C:\WINDOWS\Tasks\ISP signup reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2002-01-01 00:22:30 C:\WINDOWS\Tasks\ISP signup reminder 2.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2002-01-01 00:22:30 C:\WINDOWS\Tasks\ISP signup reminder 3.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
"2002-01-01 00:22:29 C:\WINDOWS\Tasks\Registration reminder 1.job"
- C:\WINDOWS\System32\OOBE\oobebaln.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 12:58:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\mchInjDrv]
"ImagePath"="\??\C:\WINDOWS\TEMP\mc29.tmp"
.
Completion time: 2008-03-22 13:00:35
ComboFix-quarantined-files.txt 2008-03-22 13:00:13
ComboFix2.txt 2008-03-15 11:28:23
ComboFix3.txt 2008-02-04 12:02:25

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13:02:51, on 22/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Dit.exe
C:\WINDOWS\system32\BtUsrBdg.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\XTNDConnect Blue Manager\XCBluMgr.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\DitExp.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\SUSHIM~1.EXE
C:\Program Files\Extended Systems\XTNDConnect Blue Manager\btprot.exe
C:\PROGRA~1\EXTEND~1\XTNDCO~1\XTNDCO~1\BTUI_M~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\MSN Messenger\livecall.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dundeefc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://uk4.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Dit] Dit.exe
O4 - HKLM\..\Run: [BTUSRBDG] BtUsrBdg.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: Startup.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\WINDOWS\System32\shdocvw.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://flashpoker.ladbrokes.com/Ladbrokes/FlashAX.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - Unknown owner - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 8969 bytes

Newbie Poster

14 posts since Oct 2006

Reputation Points: 10

Solved Threads: 0

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.Download the latest version of Java Runtime Environment (JRE) 6 Update 5 and save it to your desktop.
Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Read the License Agreement and then check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u5-windows-i586-p.exe to install the newest version.
After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)On the General tab, under Temporary Internet Files, click the Settings button.
Next, click on the Delete Files button
There are two options in the window to clear the cache - Leave BOTH CheckedApplications and Applets
Trace and Log Files

Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Temporary Files Window
Click OK to leave the Java Control Panel.

-----------------------------

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

--------------------------------
Required Logs

Kaspersky report
new HijackThis log

Please also provide an update on system behaviour