0

It says VIRUS ALERT! in the taskbar and I cant see the C drive or the button that says run when I click start. I cant download hijack this because of the virus but I managed to go on the target of a program to get to the C drive and find hijack this so heres the log. Also it keeps popping up saying sytem alert and spyware alert and theres a white cross with red background flashing on and off in the taskbar.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30: VIRUS ALERT!, on 15/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SEf\CalCheck.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Program Files\Sheffield Wednesday - DNA\app.exe
C:\Program Files\Mozilla Firefox 3 Beta 1\firefox.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: rtsplgob - {CB25FC2F-305D-4538-9462-18A2CA4130D5} - C:\WINDOWS\rtsplgob.dll
O4 - HKLM\..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [d02c349c] rundll32.exe "C:\WINDOWS\system32\brhxuhem.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sheffield Wednesday - Desktop News Alerts] C:\Program Files\Sheffield Wednesday - DNA\launch.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [antivirus-2008pro.exe] C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SEf\CalCheck.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O21 - SSODL: rnopbfgt - {EB71E0B8-56D5-4D8C-8943-999FE5D870EE} - C:\WINDOWS\rnopbfgt.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 10462 bytes

9
Contributors
44
Replies
45
Views
9 Years
Discussion Span
Last Post by skkrman7482
0

Hi and welcome to the Daniweb forums :).

==========

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.

0

I couldnt download it on here because of the virus but I downloaded it on another computer and saved it to usb but when I put the usb into this computer the bar at the bottom of the computer has gone and so have all the desktop icons so I cant open the usb.

0

Managed to install it in a roundabout way and its just scanning now. Ill upload the results and a new HJT when its done.

0

If you press Ctrl+Alt+Delete together, can you bring up the Task Manager? If so, select 'New Task' under the 'Applications' Tab. Browse to the USB drive and install it that way.
Safe mode is another way you may be able to get there.

0

Malwarebytes' Anti-Malware 1.17
Database version: 857

15:01:38 15/06/2008
mbam-log-6-15-2008 (15-01-38).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|)
Objects scanned: 270288
Time elapsed: 1 hour(s), 28 minute(s), 7 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 5
Registry Keys Infected: 28
Registry Values Infected: 7
Registry Data Items Infected: 19
Folders Infected: 5
Files Infected: 27

Memory Processes Infected:
C:\Documents and Settings\Rob.ROBERT\Local Settings\Tempboome20.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\SYSTEM32\brhxuhem.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\SYSTEM32\ljJBtqqP.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\SYSTEM32\awtrSkjI.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\rtsplgob.dll (Trojan.FakeAlert) -> Unloaded module successfully.
C:\WINDOWS\kvsdpfeadgl.dll (Trojan.FakeAlert) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3ee84d3b-4b23-47a0-bee8-216febd2ba65} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{3ee84d3b-4b23-47a0-bee8-216febd2ba65} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\videoegg.activexloader.1 (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\AdvRemoteDbg (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\PlayMP3 (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\HID_Layer (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\NetProject (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ba44cbc8-e16a-4f36-b066-4d75699e171d} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ba44cbc8-e16a-4f36-b066-4d75699e171d} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\awtrskji (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cb25fc2f-305d-4538-9462-18a2ca4130d5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{eb71e0b8-56d5-4d8c-8943-999fe5d870ee} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d5c48234-382d-4895-a5c5-ffb23134b1c7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d5c48234-382d-4895-a5c5-ffb23134b1c7} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rtsplgob.bfoq (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\rtsplgob.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\multimediaControls.chl (Trojan.Zlob) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d02c349c (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{f06e2abe-3a50-4079-be25-fc100d9eaa25} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\antivirus-2008pro.exe (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{ba44cbc8-e16a-4f36-b066-4d75699e171d} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{cb25fc2f-305d-4538-9462-18a2ca4130d5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\rnopbfgt (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ljjbtqqp -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\ljjbtqqp -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76477-OEM-0011903-00102) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (HH:mm:ss) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowNetPlaces (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\ImagePath (Hijack.Service) -> Bad: (C:\WINDOWS\system32\drivers\spools.exe) Good: (%SystemRoot%\System32\svchost.exe -k netsvcs) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\Infected (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\Suspicious (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rob.ROBERT\Start Menu\Programs\Antivirus 2008 PRO (Rogue.Antivirus2008) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\SYSTEM32\brhxuhem.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\mehuxhrb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\ljJBtqqP.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\PqqtBJjl.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\PqqtBJjl.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\elfv.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\vscan.tsi (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Program Files\Antivirus 2008 PRO\zlib.dll (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users.WINDOWS\Application Data\VideoEgg\user.dat (Adware.VideoEgg) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rob.ROBERT\Start Menu\Programs\Antivirus 2008 PRO\antivirus-2008pro.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\awtrSkjI.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\SYSTEM32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\xkefqtgs.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\rtsplgob.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\rnopbfgt.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\pebgkxwq.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\kvsdpfeadgl.dll (Trojan.FakeAlert) -> Delete on reboot.
C:\Documents and Settings\Rob.ROBERT\Application Data\TmpRecentIcons\antivirus-2008pro.lnk (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rob.ROBERT\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus-2008pro.lnk (Rogue.Antivirus2008) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rob.ROBERT\Local Settings\Tempboome20.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rob.ROBERT\Desktop\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rob.ROBERT\Desktop\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rob.ROBERT\Desktop\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rob.ROBERT\Favorites\Error Cleaner.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rob.ROBERT\Favorites\Privacy Protector.url (Rogue.Link) -> Quarantined and deleted successfully.
C:\Documents and Settings\Rob.ROBERT\Favorites\Spyware&Malware Protection.url (Rogue.Link) -> Quarantined and deleted successfully.


and Ill restart the computer now and then do a HJT log

0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:10:05, on 15/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SEf\CalCheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sheffield Wednesday - DNA\app.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox 3 Beta 1\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sheffield Wednesday - Desktop News Alerts] C:\Program Files\Sheffield Wednesday - DNA\launch.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SEf\CalCheck.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 9827 bytes

0

Hello,

I have the exact sameproblemcoupled with an Adware.Agent.BN infection that won't go away.

I will follow the instructions in the second post and get back to you with the logfile.

0

By the looks of it it will take ages before I can get back to you.

I'm trying to run the mbam update but it just won't do anything. Is there any other way to update it than from within the software? Can I go somewhere and download a file?

I will run a full scan without the latest update and hopefully that will help.

0

Log looks ok, but can you rename hijackthis.exe to analysethis and rescan and post another log please.

========

kmf2008. Welcome to Daniweb, but please start your own thread instead of hijacking this one :).

0

just right click hijackthis and click rename and put analysethis? not sure if thats what you meant but I tried that and now it wont open because it says changing the file name made it unstable.

0

kmf2008. Welcome to Daniweb, but please start your own thread instead of hijacking this one :).

Oh I'm sorry. I'm used to people saying "Don't start your own thread use an existing one". I guess every infection is unique though...

0

just right click hijackthis and click rename and put analysethis? not sure if thats what you meant but I tried that and now it wont open because it says changing the file name made it unstable.

Not sure why. I have done this hundreds of times and never had a problem. Uninstall that version and redownload another. Right click on the hijackthis.exe file and select Rename and change the name to analysethis
Do not change the file extension, just the file name.

0

I did that but it keeps saying "if you change a file name extension, the file may become unstable" even though im doing what you said and not trying to change the extension.

0

Wierd. Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt in your reply.

0

Deckard's System Scanner v20071014.68
Run by Rob on 2008-06-17 08:57:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

-- Last 4 Restore Point(s) --
4: 2008-06-17 07:44:45 UTC - RP10 - Deckard's System Scanner Restore Point
3: 2008-06-16 18:11:32 UTC - RP9 - System Checkpoint
2: 2008-06-15 14:21:40 UTC - RP8 - Installed Folder Guard Professional Edition 7.91
1: 2008-06-11 02:00:38 UTC - RP7 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.

System Drive C: has 2.4 GiB (less than 15%) free.


-- HijackThis (run as Rob.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:59:04, on 17/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Folder Guard Pro\FGKey.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SEf\CalCheck.exe
C:\Program Files\Sheffield Wednesday - DNA\app.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\Documents and Settings\Rob.ROBERT\Local Settings\Temporary Internet Files\Content.IE5\35EWTHFC\dss[1].exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Rob.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [FG_Monitor] C:\Program Files\Folder Guard Pro\FGKey.exe /Start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sheffield Wednesday - Desktop News Alerts] C:\Program Files\Sheffield Wednesday - DNA\launch.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SEf\CalCheck.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 9923 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080427-215616-312 O4 - HKLM\..\Run: [BMd31f0700] Rundll32.exe "C:\WINDOWS\system32\limaqdtv.dll",s
backup-20080427-215616-801 O4 - HKLM\..\Run: [d02c349c] rundll32.exe "C:\WINDOWS\system32\vsxjfsya.dll",b
backup-20080430-233949-203 O2 - BHO: (no name) - {0BB6EF78-FFC8-4F7A-BD2C-09DA1169A4B5} - C:\WINDOWS\system32\qoMfeFus.dll (file missing)
backup-20080430-233949-296 O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
backup-20080430-233949-485 O16 - DPF: {46058878-5352-4550-8CD0-839BE09FAD8E} (PowerFootball1.PowerFootballLoader1) - http://adidas.powerchallenge.com/applet/PowerFootballLoader.CAB
backup-20080430-233949-621 O2 - BHO: (no name) - {DE941056-6FDB-4A2F-8830-A6522C79D0DB} - C:\WINDOWS\system32\nnnoLEXq.dll (file missing)
backup-20080430-233949-841 O2 - BHO: {4af55fbc-3bd3-79db-de94-0b2c00568da4} - {4ad86500-c2b0-49ed-bd97-3db3cbf55fa4} - C:\WINDOWS\system32\xwblcdiq.dll (file missing)
backup-20080430-233950-344 O20 - Winlogon Notify: qoMfeFus - qoMfeFus.dll (file missing)
backup-20080508-180600-181 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)
backup-20080508-180600-401 O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Rob.ROBERT\cftmon.exe
backup-20080508-180600-546 O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
backup-20080519-202508-243 O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe (file missing)

-- File Associations -----------------------------------------------------------

.chm - unable to read key
.chm - unable to read key
.js - unable to read key
.js - unable to read key
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R1 StarOpen - c:\windows\system32\drivers\staropen.sys
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

S3 catchme - c:\docume~1\rob~1.rob\locals~1\temp\catchme.sys (file missing)
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
S3 SABProcEnum - c:\program files\internet explorer\sabprocenum.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R3 ServiceLayer - "c:\program files\common files\pcsuite\services\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

S2 UleadBurningHelper (Ulead Burning Helper) - c:\program files\common files\ulead systems\dvd\ulcdrsvr.exe (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) PRO/100 VE Network Connection
Device ID: PCI\VEN_8086&DEV_1064&SUBSYS_01811028&REV_03\4&10416D21&0&40F0
Manufacturer: Intel
Name: Intel(R) PRO/100 VE Network Connection
PNP Device ID: PCI\VEN_8086&DEV_1064&SUBSYS_01811028&REV_03\4&10416D21&0&40F0
Service: E100B


-- Scheduled Tasks -------------------------------------------------------------

2008-06-17 08:41:03 256 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2008-05-01 00:02:36 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-05-17 and 2008-06-17 -----------------------------

2008-06-16 23:55:32 0 d-------- C:\Documents and Settings\Rob.ROBERT\Application Data\MailFrontier
2008-06-16 23:46:46 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2008-06-16 23:46:24 11264 --a------ C:\WINDOWS\system32\SpOrder.dll <Not Verified; Microsoft Corporation; Microsoft(R) Windows NT(TM) Operating System>
2008-06-16 17:25:16 0 d-------- C:\Program Files\uTorrent
2008-06-16 17:25:14 0 d-------- C:\Documents and Settings\Rob.ROBERT\Application Data\uTorrent
2008-06-15 15:23:07 0 d-------- C:\Documents and Settings\Rob.ROBERT\Application Data\Folder Guard
2008-06-15 15:21:42 0 d-------- C:\Program Files\Folder Guard Pro
2008-06-15 13:29:37 0 d-------- C:\Documents and Settings\Rob.ROBERT\Application Data\Malwarebytes
2008-06-15 13:29:27 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-06-15 13:29:26 0 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-15 10:06:53 0 d-------- C:\Documents and Settings\Rob.ROBERT\Application Data\TmpRecentIcons
2008-06-15 00:33:51 92544 -----n--- C:\WINDOWS\system32\brhxuhem.dll
2008-06-15 00:32:58 323456 -----n--- C:\WINDOWS\system32\ljJBtqqP.dll
2008-06-15 00:27:56 155648 -----n--- C:\WINDOWS\rtsplgob.dll
2008-06-15 00:27:55 29824 -----n--- C:\WINDOWS\system32\awtrSkjI.dll
2008-06-15 00:27:55 245760 -----n--- C:\WINDOWS\kvsdpfeadgl.dll
2008-06-02 23:48:24 0 d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2008-05-27 16:36:27 0 d--h----- C:\Documents and Settings\Rob.ROBERT\igLoader Files
2008-05-23 20:38:41 0 d-------- C:\Program Files\Alwil Software


-- Find3M Report ---------------------------------------------------------------

2008-06-17 08:53:42 0 d-------- C:\Program Files\Mozilla Firefox 3 Beta 1
2008-06-17 08:52:50 0 d-------- C:\Program Files\Sheffield Wednesday - DNA
2008-06-17 08:48:40 0 d-------- C:\Documents and Settings\Rob.ROBERT\Application Data\LimeWire
2008-06-17 08:03:21 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2008-06-16 17:29:03 0 d-------- C:\Program Files\LimeWire
2008-05-20 03:00:52 0 d-------- C:\Program Files\Microsoft Silverlight
2008-05-10 18:17:18 0 d-------- C:\Documents and Settings\Rob.ROBERT\Application Data\Adobe
2008-05-05 19:38:24 0 d-------- C:\Program Files\AviSynth 2.5
2008-05-01 00:26:04 0 d-------- C:\Program Files\Apple Software Update
2008-05-01 00:22:35 0 d-------- C:\Program Files\iTunes
2008-05-01 00:21:51 0 d-------- C:\Program Files\iPod
2008-05-01 00:17:37 0 d-------- C:\Program Files\QuickTime
2008-05-01 00:05:02 0 d-------- C:\Program Files\Safari
2008-04-30 18:54:36 0 d-------- C:\Documents and Settings\Rob.ROBERT\Application Data\AVGTOOLBAR
2008-04-27 22:06:00 374115 --ahs---- C:\WINDOWS\system32\qXELonnn.ini2
2008-04-27 12:57:09 0 d-------- C:\Program Files\AVG
2008-04-17 18:03:53 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-17 18:03:35 0 d-------- C:\Program Files\Memeo
2008-04-17 18:03:35 0 d-------- C:\Program Files\Common Files


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sclauncher"="C:\Program Files\SimpleCenter\bin\win\sclauncher.exe" [27/07/2006 16:19]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [18/11/2006 23:53]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [27/02/2008 17:56]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [07/08/2007 01:05]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [14/11/2007 16:05]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [09/03/2007 11:09]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [28/03/2008 23:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 10:25]
"FG_Monitor"="C:\Program Files\Folder Guard Pro\FGKey.exe" [25/02/2007 00:00]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [02/04/2008 21:07]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [12/08/2004 14:56]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 12:34]
"Sheffield Wednesday - Desktop News Alerts"="C:\Program Files\Sheffield Wednesday - DNA\launch.exe" [07/04/2006 18:04]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [25/06/2007 19:43]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [27/02/2008 17:56]

C:\Documents and Settings\Rob.ROBERT\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [16/03/2005 20:16:50]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [26/10/2006 20:24:54]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Ulead Photo Express 4.0 SE Calendar Checker .lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SEf\CalCheck.exe [24/08/2006 09:44:45]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)
"NoDispCPL"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoStartMenuMorePrograms"=0 (0x0)
"StartMenuLogOff"=0 (0x0)
"NoToolbarCustomize"=0 (0x0)
"NoSetFolders"=0 (0x0)

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,


-- End of Deckard's System Scanner: finished at 2008-06-17 09:01:31 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Home Edition (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Pentium(R) 4 CPU 2.80GHz
CPU 1: Intel(R) Pentium(R) 4 CPU 2.80GHz
Percentage of Memory in Use: 21%
Physical Memory (total/avail): 2558.07 MiB / 2000.62 MiB
Pagefile Memory (total/avail): 3173.29 MiB / 2659.39 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1935.16 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 70.93 GiB total, 2.4 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)
G: is Fixed (FAT32) - 465.65 GiB total, 463.12 GiB free.

\\.\PHYSICALDRIVE0 - Maxtor 6Y080M0 - 74.5 GiB - 3 partitions
\PARTITION0 - Unknown - 70.57 MiB
\PARTITION1 (bootable) - Installable File System - 70.93 GiB - C:
\PARTITION2 - Unknown - 3.5 GiB

\\.\PHYSICALDRIVE1 - WD 5000AAV External USB Device - 465.76 GiB - 1 partition
\PARTITION0 - Unknown - 465.76 GiB - G:

-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.
AntivirusOverride is set.

FW: ZoneAlarm Security Suite Firewall v7.0.473.000 (Check Point, LTD.)
AV: ZoneAlarm Security Suite Antivirus v7.0.473.000 (Check Point, LTD.)
AV: ESET NOD32 Antivirus 3.0 v3.0 (ESET, spol. s r. o.)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:ĀµTorrent"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\Rob.ROBERT\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
CLIENTNAME=Console
CM3_DATA=C:\Program Files\Championship Manager 01-02\data\
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ROBERT
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Rob.ROBERT
LOGONSERVER=\\ROBERT
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Ulead Systems\MPEG;C:\Program Files\Common Files\Adobe\AGL;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 4, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0304
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_05\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ROB~1.ROB\LOCALS~1\Temp
TMP=C:\DOCUME~1\ROB~1.ROB\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=ROBERT
USERNAME=Rob
USERPROFILE=C:\Documents and Settings\Rob.ROBERT
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Rob.ROBERT (admin)
Administrator.ROBERT (admin)


-- Add/Remove Programs ---------------------------------------------------------

ĀµTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
HijackThis 2.0.2 --> "C:\PROGRA~1\TRENDM~1\HIJACK~1\HijackThis.exe" /uninstall
Tapani Patch Addition --> rundll32.exe dfshim.dll,ShArpMaintain Tapani Patch Addition.application, Culture=neutral, PublicKeyToken=b9cb9cadbaafeb31, processorArchitecture=msil
ZoneAlarm Security Suite --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type19518 / Error
Event Submitted/Written: 06/17/2008 08:15:18 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application KService.exe, version 5.12.707.160, faulting module KService.exe, version 5.12.707.160, fault address 0x0021215a.
Processing media-specific event for [KService.exe!ws!]

Event Record #/Type19513 / Error
Event Submitted/Written: 06/17/2008 00:08:05 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application KService.exe, version 5.12.707.160, faulting module KService.exe, version 5.12.707.160, fault address 0x0021215a.
Processing media-specific event for [KService.exe!ws!]

Event Record #/Type19496 / Success
Event Submitted/Written: 06/16/2008 10:34:03 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

Event Record #/Type19485 / Error
Event Submitted/Written: 06/16/2008 10:00:38 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application services.exe, version 5.1.2600.2180, faulting module services.exe, version 5.1.2600.2180, fault address 0x000108a9.
Processing media-specific event for [services.exe!ws!]

Event Record #/Type19477 / Success
Event Submitted/Written: 06/16/2008 09:52:40 PM
Event ID/Source: 12001 / usnjsvc
Event Description:
The Messenger Sharing USN Journal Reader service started successfully.

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type2020747 / Error
Event Submitted/Written: 06/17/2008 08:51:56 AM
Event ID/Source: 7022 / Service Control Manager
Event Description:
The KService service hung on starting.

Event Record #/Type2020746 / Error
Event Submitted/Written: 06/17/2008 08:51:55 AM
Event ID/Source: 1003 / System Error
Event Description:
Error code 10000050, parameter1 bad0b148, parameter2 00000000, parameter3 8056c77b, parameter4 00000000.

Event Record #/Type2020744 / Error
Event Submitted/Written: 06/17/2008 08:49:20 AM / 06/17/2008 08:50:20 AM
Event ID/Source: 5003 / E100B
Event Description:
Intel(R) PRO/100 VE Network Connection : Could not find an adapter.

Event Record #/Type2020743 / Error
Event Submitted/Written: 06/17/2008 08:50:04 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Ulead Burning Helper service failed to start due to the following error:
%%2

Event Record #/Type2020739 / Warning
Event Submitted/Written: 06/17/2008 08:35:13 AM
Event ID/Source: 4226 / Tcpip
Event Description:
TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

-- End of Deckard's System Scanner: finished at 2008-06-17 09:01:31 ------------

0

Please go to Jotti's or to virustotal and have these files scanned. Post the results back here.

C:\WINDOWS\system32\brhxuhem.dll
C:\WINDOWS\system32\ljJBtqqP.dll
C:\WINDOWS\rtsplgob.dll
C:\WINDOWS\system32\awtrSkjI.dll
C:\WINDOWS\kvsdpfeadgl.dll

================

Please download DAFT and save it to your desktop:

  1. Double-click the daft.exe icon. Read the disclaimer and click OK.
  2. Click on the Scan button.
  3. Place a checkmark next to the following entries:

    .chm
    .js
    .reg
    .scr

  4. Click the Fix button.
  5. Re-scan and save a logfile. By default, it will save as daft.txt.

Post the contents of that logfile with your next post.

===============

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix..

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

0

File brhxuhem.dll received on 06.17.2008 22:52:58 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 2/33 (6.07%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.6.18.0 2008.06.17 -
AntiVir 7.8.0.55 2008.06.17 TR/Trash.Gen
Authentium 5.1.0.4 2008.06.17 -
Avast 4.8.1195.0 2008.06.17 -
AVG 7.5.0.516 2008.06.17 -
BitDefender 7.2 2008.06.17 -
CAT-QuickHeal 9.50 2008.06.17 -
ClamAV 0.93.1 2008.06.17 -
DrWeb 4.44.0.09170 2008.06.17 -
eSafe 7.0.15.0 2008.06.17 -
eTrust-Vet 31.6.5881 2008.06.17 -
Ewido 4.0 2008.06.17 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.17 -
Fortinet 3.14.0.0 2008.06.17 -
GData 2.0.7306.1023 2008.06.17 -
Ikarus T3.1.1.26.0 2008.06.17 -
Kaspersky 7.0.0.125 2008.06.17 -
McAfee 5319 2008.06.17 -
Microsoft 1.3604 2008.06.17 -
NOD32v2 3195 2008.06.17 -
Norman 5.80.02 2008.06.17 -
Panda 9.0.0.4 2008.06.17 -
Prevx1 V2 2008.06.17 -
Rising 20.49.11.00 2008.06.17 -
Sophos 4.30.0 2008.06.17 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.17 -
TheHacker 6.2.92.353 2008.06.17 -
TrendMicro 8.700.0.1004 2008.06.17 -
VBA32 3.12.6.7 2008.06.17 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.17 Trojan.Trash.Gen
Additional information
File size: 92544 bytes
MD5...: 4065dbe44a4ffc6ebb973a807200a22f
SHA1..: a5ef7e92f34bb61e8f10f97fb65f50fc9e997175
SHA256: 0206aea27fbd1ccc8e19e3543d0492ccd963817cf9c2c9c4e02e83b1389e91fc
SHA512: 59ef406fb9ed0f7e115bab3cda51002308202ebf7ec18f8dc6f7139518adb8c8
185093bf4b1cc58d24475719ddb8564ec722bc8811d2aa4d6af1ba0fd8c20660
PEiD..: -
PEInfo: -


File ljJBtqqP.dll received on 06.17.2008 22:54:34 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 4/33 (12.13%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.6.18.0 2008.06.17 -
AntiVir 7.8.0.55 2008.06.17 TR/Trash.Gen
Authentium 5.1.0.4 2008.06.17 -
Avast 4.8.1195.0 2008.06.17 Win32:Virtumonde-LB
AVG 7.5.0.516 2008.06.17 -
BitDefender 7.2 2008.06.17 -
CAT-QuickHeal 9.50 2008.06.17 -
ClamAV 0.93.1 2008.06.17 -
DrWeb 4.44.0.09170 2008.06.17 -
eSafe 7.0.15.0 2008.06.17 -
eTrust-Vet 31.6.5881 2008.06.17 -
Ewido 4.0 2008.06.17 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.17 -
Fortinet 3.14.0.0 2008.06.17 -
GData 2.0.7306.1023 2008.06.17 Win32:Virtumonde-LB
Ikarus T3.1.1.26.0 2008.06.17 -
Kaspersky 7.0.0.125 2008.06.17 -
McAfee 5319 2008.06.17 -
Microsoft 1.3604 2008.06.17 -
NOD32v2 3195 2008.06.17 -
Norman 5.80.02 2008.06.17 -
Panda 9.0.0.4 2008.06.17 -
Prevx1 V2 2008.06.17 -
Rising 20.49.11.00 2008.06.17 -
Sophos 4.30.0 2008.06.17 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.17 -
TheHacker 6.2.92.353 2008.06.17 -
TrendMicro 8.700.0.1004 2008.06.17 -
VBA32 3.12.6.7 2008.06.17 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.17 Trojan.Trash.Gen
Additional information
File size: 323456 bytes
MD5...: fa9cd054a6aeb5f8b5851bbdf1aa614d
SHA1..: 346ab1d966fdf70b10e48bfca07359390e8b3c45
SHA256: c083d348ea5b318e8715fd292c21e4bce8ecc7b3d1892a9a2d7a2068463e8181
SHA512: bc3dcdefb03c8a6db48309555163f593ff66e888ff92399c1ceee65051ddf084
abde14ceea05ba94acfe3dcf2e9c4a020c4f6933185f7a522ca6079d80e18bf6
PEiD..: -
PEInfo: -


File rtsplgob.dll received on 06.17.2008 22:56:17 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 3/33 (9.1%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.6.18.0 2008.06.17 -
AntiVir 7.8.0.55 2008.06.17 TR/Trash.Gen
Authentium 5.1.0.4 2008.06.17 -
Avast 4.8.1195.0 2008.06.17 -
AVG 7.5.0.516 2008.06.17 Downloader.Zlob.SE
BitDefender 7.2 2008.06.17 -
CAT-QuickHeal 9.50 2008.06.17 -
ClamAV 0.93.1 2008.06.17 -
DrWeb 4.44.0.09170 2008.06.17 -
eSafe 7.0.15.0 2008.06.17 -
eTrust-Vet 31.6.5881 2008.06.17 -
Ewido 4.0 2008.06.17 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.17 -
Fortinet 3.14.0.0 2008.06.17 -
GData 2.0.7306.1023 2008.06.17 -
Ikarus T3.1.1.26.0 2008.06.17 -
Kaspersky 7.0.0.125 2008.06.17 -
McAfee 5319 2008.06.17 -
Microsoft 1.3604 2008.06.17 -
NOD32v2 3195 2008.06.17 -
Norman 5.80.02 2008.06.17 -
Panda 9.0.0.4 2008.06.17 -
Prevx1 V2 2008.06.17 -
Rising 20.49.11.00 2008.06.17 -
Sophos 4.30.0 2008.06.17 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.17 -
TheHacker 6.2.92.353 2008.06.17 -
TrendMicro 8.700.0.1004 2008.06.17 -
VBA32 3.12.6.7 2008.06.17 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.17 Trojan.Trash.Gen
Additional information
File size: 155648 bytes
MD5...: 9a84d8cec19b53ee40b49e0ff515bcf6
SHA1..: 4fa8a66774f43eb0c2bf37bb1bae9ee379fcb700
SHA256: d74d967651d92cc8634e3f6b9c7ca52e46a2ee9787d5ed8bcc00a42f582b4287
SHA512: ea1311c0dd24c798c4dc585084ee2257a4ef66a8e416bb8a4215c0857cce80ef
9f4878646d8d80f97b214db74ab7447999043ac7dcf442df7841e9e81accdcba
PEiD..: -
PEInfo: -


File awtrSkjI.dll received on 06.17.2008 22:57:14 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 4/33 (12.13%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.6.18.0 2008.06.17 -
AntiVir 7.8.0.55 2008.06.17 TR/Trash.Gen
Authentium 5.1.0.4 2008.06.17 -
Avast 4.8.1195.0 2008.06.17 Win32:Agent-ZFK
AVG 7.5.0.516 2008.06.17 -
BitDefender 7.2 2008.06.17 -
CAT-QuickHeal 9.50 2008.06.17 -
ClamAV 0.93.1 2008.06.17 -
DrWeb 4.44.0.09170 2008.06.17 -
eSafe 7.0.15.0 2008.06.17 -
eTrust-Vet 31.6.5881 2008.06.17 -
Ewido 4.0 2008.06.17 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.17 -
Fortinet 3.14.0.0 2008.06.17 -
GData 2.0.7306.1023 2008.06.17 Win32:Agent-ZFK
Ikarus T3.1.1.26.0 2008.06.17 -
Kaspersky 7.0.0.125 2008.06.17 -
McAfee 5319 2008.06.17 -
Microsoft 1.3604 2008.06.17 -
NOD32v2 3195 2008.06.17 -
Norman 5.80.02 2008.06.17 -
Panda 9.0.0.4 2008.06.17 -
Prevx1 V2 2008.06.17 -
Rising 20.49.11.00 2008.06.17 -
Sophos 4.30.0 2008.06.17 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.17 -
TheHacker 6.2.92.353 2008.06.17 -
TrendMicro 8.700.0.1004 2008.06.17 -
VBA32 3.12.6.7 2008.06.17 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.17 Trojan.Trash.Gen
Additional information
File size: 29824 bytes
MD5...: 86366915413145c7e5ac463ab4830bf3
SHA1..: f116ea7d53aa2ae18ff8fa55bdde1d94a924d7cf
SHA256: e40d6ef09ccbbb1cca08bb1d63de9f5371fdd6582e1a9d5ea04822dbfeffbf17
SHA512: 8b7b61a1d83987e4b991dce6c6a1d87b35c594e5914af803c63e5dfd50541106
94dea39764bbc1bd695d6d1eb0ff9e06b3fecf7821fb4bb12dd97c6b698fee0c
PEiD..: -
PEInfo: -


File kvsdpfeadgl.dll received on 06.17.2008 22:58:40 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 5/33 (15.16%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.6.18.0 2008.06.17 -
AntiVir 7.8.0.55 2008.06.17 TR/Killav.28714
Authentium 5.1.0.4 2008.06.17 -
Avast 4.8.1195.0 2008.06.17 Win32:Vapsup-EB
AVG 7.5.0.516 2008.06.17 Downloader.Adload.MB
BitDefender 7.2 2008.06.17 -
CAT-QuickHeal 9.50 2008.06.17 -
ClamAV 0.93.1 2008.06.17 -
DrWeb 4.44.0.09170 2008.06.17 -
eSafe 7.0.15.0 2008.06.17 -
eTrust-Vet 31.6.5881 2008.06.17 -
Ewido 4.0 2008.06.17 -
F-Prot 4.4.4.56 2008.06.12 -
F-Secure 6.70.13260.0 2008.06.17 -
Fortinet 3.14.0.0 2008.06.17 -
GData 2.0.7306.1023 2008.06.17 Win32:Vapsup-EB
Ikarus T3.1.1.26.0 2008.06.17 -
Kaspersky 7.0.0.125 2008.06.17 -
McAfee 5319 2008.06.17 -
Microsoft 1.3604 2008.06.17 -
NOD32v2 3195 2008.06.17 -
Norman 5.80.02 2008.06.17 -
Panda 9.0.0.4 2008.06.17 -
Prevx1 V2 2008.06.17 -
Rising 20.49.11.00 2008.06.17 -
Sophos 4.30.0 2008.06.17 -
Sunbelt 3.0.1153.1 2008.06.15 -
Symantec 10 2008.06.17 -
TheHacker 6.2.92.353 2008.06.17 -
TrendMicro 8.700.0.1004 2008.06.17 -
VBA32 3.12.6.7 2008.06.17 -
VirusBuster 4.3.26:9 2008.06.12 -
Webwasher-Gateway 6.6.2 2008.06.17 Trojan.Killav.28714
Additional information
File size: 245760 bytes
MD5...: ccf56f2d68127889da0159be54b32824
SHA1..: 9f055ce846078fb0a299c3301906a311f679a4ba
SHA256: eeeb9c1858fc5c802f3985cd4e9fed3e92a2b745e1b643e173d96fcb0836caf6
SHA512: 5f3253b4bd487483e0cb613d02dc4d08b658d1daf93138f112b886bcdb2f075b
c387a5f45040d5c659157c41b2bdf5d95de034d1ce13585bc2d4ec11a64a53bd
PEiD..: -
PEInfo: -

0

DAFT Log saved on 2008-06-17 22:01:21
-----------------------------------------------------------------------
All associations okay!

0

combofix seems to have got stuck right at the and after the computer restarted as it just says "Preparing log report. Do not run any programs until ComboFix has finished" but it seems to be stuck there.

0

and now it has done :)

ComboFix 08-06-16.5 - Rob 2008-06-17 22:05:38.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2079 [GMT 1:00]
Running from: C:\Documents and Settings\Rob.ROBERT\Desktop\ComboFix.exe
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMd31f0700.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\rtsplgob.dll
C:\WINDOWS\system32\awtrSkjI.dll
C:\WINDOWS\system32\aysfjxsv.ini
C:\WINDOWS\system32\brhxuhem.dll
C:\WINDOWS\system32\ljJBtqqP.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qXELonnn.ini
C:\WINDOWS\SYSTEM32\qXELonnn.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-17 to 2008-06-17 )))))))))))))))))))))))))))))))
.

2008-06-17 08:44 . 2008-06-17 08:44 <DIR> d-------- C:\Deckard
2008-06-17 00:01 . 2008-06-17 22:02 1,267 --a------ C:\rollback.ini
2008-06-16 23:55 . 2008-06-16 23:55 <DIR> d-------- C:\Documents and Settings\Rob.ROBERT\Application Data\MailFrontier
2008-06-16 23:46 . 2008-06-17 08:26 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2008-06-16 23:46 . 2008-04-02 21:07 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-06-16 23:46 . 2004-04-27 05:40 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2008-06-16 23:44 . 2008-04-02 21:07 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2008-06-16 23:33 . 2008-06-16 23:33 <DIR> d-------- C:\Program Files\Zone Labs
2008-06-16 17:25 . 2008-06-16 17:25 <DIR> d-------- C:\Program Files\uTorrent
2008-06-16 17:25 . 2008-06-17 19:54 <DIR> d-------- C:\Documents and Settings\Rob.ROBERT\Application Data\uTorrent
2008-06-15 15:23 . 2008-06-15 15:35 <DIR> d-------- C:\Documents and Settings\Rob.ROBERT\Application Data\Folder Guard
2008-06-15 15:21 . 2008-06-15 15:35 <DIR> d-------- C:\Program Files\Folder Guard Pro
2008-06-15 13:29 . 2008-06-15 13:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-15 13:29 . 2008-06-15 13:29 <DIR> d-------- C:\Documents and Settings\Rob.ROBERT\Application Data\Malwarebytes
2008-06-15 13:29 . 2008-06-15 13:29 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-06-15 13:29 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-15 13:29 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-15 00:27 . 2008-06-15 15:01 245,760 --------- C:\WINDOWS\kvsdpfeadgl.dll
2008-06-11 01:32 . 2008-04-14 12:01 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2008-06-11 01:32 . 2008-04-14 12:01 272,128 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-02 23:48 . 2008-06-02 23:48 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2008-05-27 16:36 . 2008-05-27 16:36 <DIR> d--h----- C:\Documents and Settings\Rob.ROBERT\igLoader Files
2008-05-27 00:54 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-05-23 20:38 . 2008-05-23 20:38 <DIR> d-------- C:\Program Files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-17 21:18 15,074,336 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-17 21:18 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Kontiki
2008-06-17 21:16 --------- d-----w C:\Program Files\Sheffield Wednesday - DNA
2008-06-17 21:12 202,724 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-17 16:03 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 1
2008-06-17 15:59 31,232 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-06-17 11:10 --------- d-----w C:\Documents and Settings\Rob.ROBERT\Application Data\LimeWire
2008-06-17 07:48 97,792 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-06-17 07:48 1,791,488 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-06-16 16:29 --------- d-----w C:\Program Files\LimeWire
2008-05-20 02:00 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-14 11:33 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-05 18:38 --------- d-----w C:\Program Files\AviSynth 2.5
2008-05-02 17:21 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-04-30 23:26 --------- d-----w C:\Program Files\Apple Software Update
2008-04-30 23:22 --------- d-----w C:\Program Files\iTunes
2008-04-30 23:21 --------- d-----w C:\Program Files\iPod
2008-04-30 23:17 --------- d-----w C:\Program Files\QuickTime
2008-04-30 23:05 --------- d-----w C:\Program Files\Safari
2008-04-30 17:54 --------- d-----w C:\Documents and Settings\Rob.ROBERT\Application Data\AVGTOOLBAR
2008-04-27 11:57 --------- d-----w C:\Program Files\AVG
2008-04-27 09:27 115,871 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_04_27_05_46_41_small.dmp.zip
2008-04-27 09:27 114,731 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_04_27_08_32_14_small.dmp.zip
2008-04-17 17:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-17 17:03 --------- d-----w C:\Program Files\Memeo
2008-04-03 12:15 98,304 ----a-w C:\WINDOWS\DUMP8ec2.tmp
2007-12-08 18:45 0 -c--a-w C:\Documents and Settings\Rob.ROBERT\.exe
2007-04-19 18:29 1,040,832 -c--a-w C:\Documents and Settings\Rob.ROBERT\KHost.exe
2007-01-28 23:21 87,608 -c--a-w C:\Documents and Settings\Rob.ROBERT\Application Data\ezpinst.exe
2007-01-28 23:21 47,360 -c--a-w C:\Documents and Settings\Rob.ROBERT\Application Data\pcouffin.sys
2006-11-18 17:30 56 -csha-w C:\Documents and Settings\All Users.WINDOWS\Application Data\dc64vg9.sys
2002-04-03 14:01 286,720 ----a-w C:\Program Files\internet explorer\plugins\PanoViewer.dll
1999-04-30 15:00 98,304 ----a-w C:\Program Files\internet explorer\plugins\UPjpeg.dll
2007-12-09 00:08 36,896 --sha-w C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 14:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"Sheffield Wednesday - Desktop News Alerts"="C:\Program Files\Sheffield Wednesday - DNA\launch.exe" [2006-04-07 18:04 339968]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 19:43 68856]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 17:56 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sclauncher"="C:\Program Files\SimpleCenter\bin\win\sclauncher.exe" [2006-07-27 16:19 90112]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-18 23:53 185896]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 17:56 1032376]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 01:05 200704]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-14 16:05 1410304]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"FG_Monitor"="C:\Program Files\Folder Guard Pro\FGKey.exe" [2007-02-25 00:00 132680]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 14:56 15360]

C:\Documents and Settings\Rob.ROBERT\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Ulead Photo Express 4.0 SE Calendar Checker .lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SEf\CalCheck.exe [2006-08-24 09:44:45 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-14 16:06]
R2 FGUARD32;FGUARD32;C:\Program Files\Folder Guard Pro\FGUARD32.SYS [2007-02-25 00:00]
R3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2005-04-21 14:33]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-06-10 19:02]

.
Contents of the 'Scheduled Tasks' folder
"2008-04-30 23:02:36 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-17 18:41:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-17 22:17:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Kontiki\KService.exe
C:\PROGRA~1\FOLDER~1\FGKey.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sheffield Wednesday - DNA\app.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\SYSTEM32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-06-17 22:28:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-17 21:27:50
ComboFix2.txt 2007-12-08 18:54:43

Pre-Run: 2,526,371,840 bytes free
Post-Run: 2,733,867,008 bytes free

174 --- E O F --- 2008-06-11 02:03:38

0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:29:44, on 17/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Folder Guard Pro\FGKey.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SEf\CalCheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sheffield Wednesday - DNA\app.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [FG_Monitor] C:\Program Files\Folder Guard Pro\FGKey.exe /Start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sheffield Wednesday - Desktop News Alerts] C:\Program Files\Sheffield Wednesday - DNA\launch.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SEf\CalCheck.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 10073 bytes

0

Im not sure if this is related but it seems to have messed up add/remove programs because there is only an option to remove programs that have been installed in the last couple of days and theres no option for any of the others.

0

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\WINDOWS\kvsdpfeadgl.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[IMG]http://i5.photobucket.com/albums/y153/crunchie1/CFScript.gif[/IMG]


7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next replyafter you re-enable all the programs that were disabled during the running of ComboFix:

  • Combofix.txt
  • A new HijackThis log.

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

============

What seems to have messed up the add/remove entries?

0

I think when one of the things Ive been using during this to fix the virus it must have deleted a file thats needed for add/remove programs or something. Any idea what file it could be?

ComboFix 08-06-16.5 - Rob 2008-06-18 20:42:56.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.2147 [GMT 1:00]
Running from: C:\Documents and Settings\Rob.ROBERT\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rob.ROBERT\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\kvsdpfeadgl.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\kvsdpfeadgl.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-18 to 2008-06-18 )))))))))))))))))))))))))))))))
.

2008-06-17 08:44 . 2008-06-17 08:44 <DIR> d-------- C:\Deckard
2008-06-17 00:01 . 2008-06-18 18:03 1,113 --a------ C:\rollback.ini
2008-06-16 23:55 . 2008-06-16 23:55 <DIR> d-------- C:\Documents and Settings\Rob.ROBERT\Application Data\MailFrontier
2008-06-16 23:46 . 2008-06-17 08:26 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\MailFrontier
2008-06-16 23:46 . 2008-04-02 21:07 75,248 --a------ C:\WINDOWS\zllsputility.exe
2008-06-16 23:46 . 2004-04-27 05:40 11,264 --a------ C:\WINDOWS\SYSTEM32\SpOrder.dll
2008-06-16 23:44 . 2008-04-02 21:07 1,086,952 --a------ C:\WINDOWS\SYSTEM32\zpeng24.dll
2008-06-16 23:33 . 2008-06-16 23:33 <DIR> d-------- C:\Program Files\Zone Labs
2008-06-16 17:25 . 2008-06-16 17:25 <DIR> d-------- C:\Program Files\uTorrent
2008-06-16 17:25 . 2008-06-17 19:54 <DIR> d-------- C:\Documents and Settings\Rob.ROBERT\Application Data\uTorrent
2008-06-15 15:23 . 2008-06-15 15:35 <DIR> d-------- C:\Documents and Settings\Rob.ROBERT\Application Data\Folder Guard
2008-06-15 15:21 . 2008-06-15 15:35 <DIR> d-------- C:\Program Files\Folder Guard Pro
2008-06-15 13:29 . 2008-06-15 13:29 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-15 13:29 . 2008-06-15 13:29 <DIR> d-------- C:\Documents and Settings\Rob.ROBERT\Application Data\Malwarebytes
2008-06-15 13:29 . 2008-06-15 13:29 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Malwarebytes
2008-06-15 13:29 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbamcatchme.sys
2008-06-15 13:29 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\mbam.sys
2008-06-11 01:32 . 2008-04-14 12:01 272,128 --------- C:\WINDOWS\SYSTEM32\DRIVERS\bthport.sys
2008-06-11 01:32 . 2008-04-14 12:01 272,128 -----c--- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-02 23:48 . 2008-06-02 23:48 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Office Genuine Advantage
2008-05-27 16:36 . 2008-05-27 16:36 <DIR> d--h----- C:\Documents and Settings\Rob.ROBERT\igLoader Files
2008-05-27 00:54 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2008-05-23 20:38 . 2008-05-23 20:38 <DIR> d-------- C:\Program Files\Alwil Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-18 19:54 15,400,480 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-06-18 19:53 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Kontiki
2008-06-18 19:52 --------- d-----w C:\Program Files\Sheffield Wednesday - DNA
2008-06-18 19:47 207,236 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-06-18 19:36 --------- d-----w C:\Program Files\Mozilla Firefox 3 Beta 1
2008-06-17 15:59 31,232 ----a-w C:\WINDOWS\Internet Logs\xDB3.tmp
2008-06-17 11:10 --------- d-----w C:\Documents and Settings\Rob.ROBERT\Application Data\LimeWire
2008-06-17 07:48 97,792 ----a-w C:\WINDOWS\Internet Logs\xDB1.tmp
2008-06-17 07:48 1,791,488 ----a-w C:\WINDOWS\Internet Logs\xDB2.tmp
2008-06-16 16:29 --------- d-----w C:\Program Files\LimeWire
2008-05-20 02:00 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-05-14 11:33 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft Help
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-05 18:38 --------- d-----w C:\Program Files\AviSynth 2.5
2008-05-02 17:21 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-04-30 23:26 --------- d-----w C:\Program Files\Apple Software Update
2008-04-30 23:22 --------- d-----w C:\Program Files\iTunes
2008-04-30 23:21 --------- d-----w C:\Program Files\iPod
2008-04-30 23:17 --------- d-----w C:\Program Files\QuickTime
2008-04-30 23:05 --------- d-----w C:\Program Files\Safari
2008-04-30 17:54 --------- d-----w C:\Documents and Settings\Rob.ROBERT\Application Data\AVGTOOLBAR
2008-04-27 11:57 --------- d-----w C:\Program Files\AVG
2008-04-27 09:27 115,871 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_04_27_05_46_41_small.dmp.zip
2008-04-27 09:27 114,731 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_04_27_08_32_14_small.dmp.zip
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\SYSTEM32\wininet.dll
2008-04-03 12:15 98,304 ----a-w C:\WINDOWS\DUMP8ec2.tmp
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\SYSTEM32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\SYSTEM32\win32k.sys
2007-12-08 18:45 0 -c--a-w C:\Documents and Settings\Rob.ROBERT\.exe
2007-04-19 18:29 1,040,832 -c--a-w C:\Documents and Settings\Rob.ROBERT\KHost.exe
2007-01-28 23:21 87,608 -c--a-w C:\Documents and Settings\Rob.ROBERT\Application Data\ezpinst.exe
2007-01-28 23:21 47,360 -c--a-w C:\Documents and Settings\Rob.ROBERT\Application Data\pcouffin.sys
2006-11-18 17:30 56 -csha-w C:\Documents and Settings\All Users.WINDOWS\Application Data\dc64vg9.sys
2002-04-03 14:01 286,720 ----a-w C:\Program Files\internet explorer\plugins\PanoViewer.dll
1999-04-30 15:00 98,304 ----a-w C:\Program Files\internet explorer\plugins\UPjpeg.dll
2007-12-09 00:08 36,896 --sha-w C:\WINDOWS\SYSTEM32\DRIVERS\fidbox2.dat
.

((((((((((((((((((((((((((((( snapshot@2008-06-17_22.27.10.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-17 21:13:29 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-06-18 19:49:22 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
- 2008-06-17 21:13:50 450,896 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-06-18 19:49:40 456,020 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\bases\sfdb.dat
- 2008-06-17 21:03:16 9,557,296 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\spyware.dat
+ 2008-06-18 17:04:05 9,580,296 ----a-w C:\WINDOWS\SYSTEM32\ZoneLabs\spyware.dat
+ 2008-06-18 19:49:39 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_6d4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-12 14:56 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34 5724184]
"Sheffield Wednesday - Desktop News Alerts"="C:\Program Files\Sheffield Wednesday - DNA\launch.exe" [2006-04-07 18:04 339968]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-25 19:43 68856]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 17:56 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sclauncher"="C:\Program Files\SimpleCenter\bin\win\sclauncher.exe" [2006-07-27 16:19 90112]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-11-18 23:53 185896]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 17:56 1032376]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 01:05 200704]
"egui"="C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" [2007-11-14 16:05 1410304]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09 63712]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"FG_Monitor"="C:\Program Files\Folder Guard Pro\FGKey.exe" [2007-02-25 00:00 132680]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-04-02 21:07 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-12 14:56 15360]

C:\Documents and Settings\Rob.ROBERT\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 20:24:54 98632]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Ulead Photo Express 4.0 SE Calendar Checker .lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SEf\CalCheck.exe [2006-08-24 09:44:45 69632]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2007-11-14 16:06]
R2 FGUARD32;FGUARD32;C:\Program Files\Folder Guard Pro\FGUARD32.SYS [2007-02-25 00:00]
S3 MBAMCatchMe;MBAMCatchMe;C:\WINDOWS\system32\drivers\mbamcatchme.sys [2008-06-10 19:02]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2005-04-21 14:33]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-17 22:37:05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-18 19:41:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-18 20:50:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> ?:\WINDOWS\system32\urlmon.dll
-> ?:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1433_x-ww_5cf844d2\MSVCR80.dll
-> ?:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\avsys\ScanningProcess.exe
C:\PROGRA~1\FOLDER~1\FGKey.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sheffield Wednesday - DNA\app.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\SYSTEM32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-06-18 21:05:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-18 20:05:24
ComboFix2.txt 2008-06-17 21:29:02
ComboFix3.txt 2007-12-08 18:54:43

Pre-Run: 2,637,467,648 bytes free
Post-Run: 2,665,000,960 bytes free

191 --- E O F --- 2008-06-11 02:03:38

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:54:49, on 18/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Folder Guard Pro\FGKey.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SEf\CalCheck.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sheffield Wednesday - DNA\app.exe
C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [sclauncher] C:\Program Files\SimpleCenter\bin\win\sclauncher.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [FG_Monitor] C:\Program Files\Folder Guard Pro\FGKey.exe /Start
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Sheffield Wednesday - Desktop News Alerts] C:\Program Files\Sheffield Wednesday - DNA\launch.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SEf\CalCheck.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} (SABScanProcesses Class) - http://www.superadblocker.com/activex/sabspx.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Unknown owner - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

--
End of file - 10102 bytes

0

Do you have your XP installation CD? If so..............

Go to Start | Run and type in sfc /scannow and hit the Ok button. Insert your CD if/when requested.

See if that fixes it.

0

That hasnt fixed it but at least the virus' have gone. Thanks for the help.

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.