Hello all, I'm hoping to get some help here. As the title states, I can't get to certain websites and it seems that it is being caused by some sort of virus. I've run numerous anti-spyware scans and HijackThis logs, and everything seems fine, but the problem persists.

Not sure how I can help you help me... Would you like a HijackThis log?

Thanks,
sawney


Are you behind a proxy or firewall of sorts?

Windows firewall is enabled (in security center) and I'm not sure about proxy... how would I go about checking that?

*edit: after doing some research on proxy, I would like to add that I'm not on a network and don't use a router to connect to the internet. I hope that answers your question.*

You say you have run numerous hijackthis logs. What did you do with them? Hijackthis does not fix anything without manual input.
Post the log here for review.

Windows firewall is enabled (in security center) and I'm not sure about proxy... how would I go about checking that?

*edit: after doing some research on proxy, I would like to add that I'm not on a network and don't use a router to connect to the internet. I hope that answers your question.*

Yes...this answers my question.

What DNS servers are you using? Go to a command prompt and type "ipconfig /all" without the quotes and post the DNS servers listed.

DHCP server 64.59.176.40
DNS Servers 64.59.176.13
            64.59.176.15


HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 8:51:36 AM, on 1/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programs\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Bakx\Desktop\HijackThis.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://winnipegweather.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229628070489
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229628686464
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programs\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programs\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programs\Spyware Doctor\pctsSvc.exe
O23 - Service: VMwareService - Unknown owner - C:\WINDOWS\system\VMwareService.exe (file missing)

Thanks!

Hijackthis log looks ok, but it is an ancient version. Uninstall it and download the latest (2.0.2).

Here is the 2.0.2 version's log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:45:50 PM, on 1/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programs\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://winnipegweather.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229628070489
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229628686464
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programs\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programs\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programs\Spyware Doctor\pctsSvc.exe
O23 - Service: VMwareService - Unknown owner - C:\WINDOWS\system\VMwareService.exe (file missing)

--
End of file - 3866 bytes


Also, I keep running into new websites that don't load... It seems random but there must be some connection. I know I'm running a fairly old version of most drivers/programs, but I can't get onto the proper websites to update. Could it be an IE security feature I'm missing, or some sort of certification? I'm obviously grasping at straws here, but I'm a small business owner and this is starting to seriously affect my business.

Thanks for the responses so far guys, I really appreciate you taking time to help me.

Even small business owners can afford a free anti-virus program :).

==

Not seeing anything in that log either. Couple of things you can try.

Download and run Winsockfix from here http://www.softpedia.com/get/Tweak/Network-Tweak/WinSockFix.shtml

Reboot and see how things are now.

==

If no better, run MBAM to see if it finds anything.

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.

Looks like we found some nasties... here is the MBAM log, and I'll restart the computer, run HJT and post that as well.

Malwarebytes' Anti-Malware 1.32
Database version: 1649
Windows 5.1.2600 Service Pack 3

1/14/2009 12:14:26 AM
mbam-log-2009-01-14 (00-14-26).txt

Scan type: Full Scan (C:\|)
Objects scanned: 71631
Time elapsed: 26 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 23

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VMwareService (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\baliteta.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\belunipa.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fewayuvi.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fezuwese.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fufepaha.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\fugobuba.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\gayamaha.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\govujena.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\hupiwaki.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\kabovebu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\muyerude.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\payulayo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pazabori.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\rawituzo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wekinimu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wepevimo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yekevume.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yidurufo.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\yorejego.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zedojoga.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zimimenu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zivosoze.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\zubokuhu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.

Well I'm still experiencing this DNS problem, but here is my HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:22:04 AM, on 1/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programs\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://winnipegweather.com/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229628070489
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229628686464
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programs\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programs\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programs\Spyware Doctor\pctsSvc.exe

--
End of file - 3778 bytes
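An added triage helper for the HijackThis logs posted in this thread (example code, not from HijackThis or from anyone in the thread): it parses the section-coded lines, lists the entries a reviewer checks first (anything marked "(file missing)", services with "Unknown owner", O10 Winsock LSP and O20 Winlogon Notify entries) and diffs two logs to show what changed between scans. The two sample logs are constructed excerpts modelled on the logs above, and a flagged entry means "look at this", not "this is malware".

```python
"""Triage and diff helper for HijackThis (HJT) logs.

Added example, not code from the thread or from HijackThis itself.
Only the section-coded lines ("O2 - ...", "O23 - ...") are parsed; the
process list and header are ignored.
"""
import re
from dataclasses import dataclass

# Section-coded lines: R0, F2, N1, O2 ... O23 followed by " - " and the entry.
HJT_LINE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")


@dataclass(frozen=True)
class HjtEntry:
    code: str   # section code such as O2, O4, O10, O23
    body: str   # everything after "Oxx - "

    @property
    def path(self) -> str:
        """Best-effort location field: last ' - ' part, then strip labels."""
        part = self.body.rsplit(" - ", 1)[-1]
        if ": " in part:                 # e.g. "Unknown file in Winsock LSP: c:\\..."
            part = part.split(": ", 1)[1]
        if part.startswith("["):         # O4 entries look like "[name] C:\\path\\prog.exe"
            part = part.split("] ", 1)[-1]
        return part.replace("(file missing)", "").strip()


def parse_hjt_log(text: str) -> list[HjtEntry]:
    """Return the section-coded entries of a HijackThis log, in log order."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            entries.append(HjtEntry(m["code"], m["body"]))
    return entries


def review_reasons(entry: HjtEntry) -> list[str]:
    """Why a reviewer would look at this entry first (empty = nothing unusual)."""
    reasons = []
    if "(file missing)" in entry.body:
        reasons.append("registration points at a file that no longer exists")
    if entry.code == "O23" and " - Unknown owner - " in entry.body:
        reasons.append("service has no recognised owner/company")
    if entry.code == "O10":
        reasons.append("Winsock LSP entry sits in the network stack; verify the DLL")
    if entry.code == "O20":
        reasons.append("Winlogon Notify DLL loads at every logon; verify the DLL")
    return reasons


def triage(text: str) -> list[tuple[str, str, list[str]]]:
    """(code, path, reasons) for every entry that has at least one review reason."""
    out = []
    for e in parse_hjt_log(text):
        reasons = review_reasons(e)
        if reasons:
            out.append((e.code, e.path, reasons))
    return out


def diff_logs(old_text: str, new_text: str) -> tuple[list[str], list[str]]:
    """Entry bodies added in the new log and bodies that disappeared since the old one."""
    old = {e.body for e in parse_hjt_log(old_text)}
    new = {e.body for e in parse_hjt_log(new_text)}
    added = [e.body for e in parse_hjt_log(new_text) if e.body not in old]
    removed = [e.body for e in parse_hjt_log(old_text) if e.body not in new]
    return added, removed


# Constructed excerpts modelled on the logs posted in this thread (not the full logs).
LOG_BEFORE = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: VMwareService - Unknown owner - C:\WINDOWS\system\VMwareService.exe (file missing)
"""

LOG_AFTER = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: Foxit Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll (file missing)
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
"""

if __name__ == "__main__":
    for code, path, reasons in triage(LOG_AFTER):
        print(f"{code:4} {path}\n       " + "\n       ".join(reasons))
    added, removed = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("added since last scan:", *added, sep="\n  ")
    print("gone since last scan:", *removed, sep="\n  ")
```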

Please download ComboFix by sUBs from HERE or HERE

  • You must download it to and run it from your Desktop
  • Physically disconnect from the internet.
  • Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log. Please save that log to post in your next reply along with a fresh HJT log
  • Re-enable all the programs that were disabled during the running of ComboFix.

Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Run Combofix ONCE only!!

Still getting the DNS error.

Combofix:

ComboFix 09-01-13.04 - Bakx 2009-01-14 10:09:53.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.96 [GMT -6:00]
Running from: c:\documents and settings\Bakx\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-12-14 to 2009-01-14 )))))))))))))))))))))))))))))))
.

2009-01-13 23:46 . 2009-01-13 23:46 <DIR> d-------- c:\documents and settings\Bakx\Application Data\Malwarebytes
2009-01-13 23:45 . 2009-01-13 23:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-13 23:45 . 2009-01-13 23:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-13 23:45 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-13 23:45 . 2009-01-04 18:39 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-13 16:42 . 2009-01-13 16:42 <DIR> d-------- c:\program files\Trend Micro
2009-01-11 09:31 . 2009-01-11 09:31 0 --a------ c:\windows\nsreg.dat
2009-01-07 16:30 . 2009-01-07 16:30 <DIR> d-------- c:\program files\Foxit Software
2009-01-07 16:30 . 2009-01-07 16:30 <DIR> d-------- c:\documents and settings\Bakx\Application Data\Foxit
2009-01-07 13:25 . 2009-01-07 13:33 <DIR> d-------- c:\documents and settings\Bakx\Application Data\vlc
2009-01-07 13:23 . 2009-01-07 13:23 <DIR> d-------- c:\program files\VideoLAN
2008-12-28 21:36 . 2008-04-13 18:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-28 21:36 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-28 11:10 . 2008-12-28 11:10 <DIR> d-------- c:\windows\system32\scripting
2008-12-28 11:10 . 2008-12-28 11:10 <DIR> d-------- c:\windows\system32\en
2008-12-28 11:10 . 2008-12-28 11:10 <DIR> d-------- c:\windows\l2schemas
2008-12-27 12:35 . 2003-02-28 18:26 46,352 --a------ c:\windows\setdebug.exe
2008-12-27 12:35 . 2003-02-28 16:54 7,315 --a------ c:\windows\system32\javasup.vxd
2008-12-27 12:34 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll
2008-12-27 12:34 . 2003-02-28 16:35 6,550 --a------ c:\windows\jautoexp.dat
2008-12-27 12:34 . 2003-02-28 16:38 113 --a------ c:\windows\system32\zonedon.reg
2008-12-27 12:34 . 2003-02-28 16:38 113 --a------ c:\windows\system32\zonedoff.reg
2008-12-27 04:12 . 2008-09-09 19:14 1,307,648 --------- c:\windows\system32\msxml6.dll
2008-12-27 04:11 . 2008-04-13 18:10 844,314 -----c--- c:\windows\system32\dllcache\msdxm.ocx
2008-12-27 04:10 . 2008-04-13 18:12 695,808 -----c--- c:\windows\system32\dllcache\drmv2clt.dll
2008-12-27 02:29 . 2008-06-13 05:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-27 02:29 . 2008-08-14 04:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-12-27 02:28 . 2008-09-15 06:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-12-27 02:28 . 2008-09-08 04:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-12-27 02:27 . 2008-08-14 04:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-27 02:27 . 2008-08-14 04:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-27 02:27 . 2008-08-14 03:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-27 02:27 . 2008-08-14 03:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-27 02:26 . 2008-05-08 08:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-12-27 02:25 . 2008-04-11 13:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-12-27 02:25 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-27 02:25 . 2008-05-01 08:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2008-12-27 02:24 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-12-27 02:22 . 2008-12-12 11:01 3,067,904 -----c--- c:\windows\system32\dllcache\mshtml.dll
2008-12-27 02:22 . 2008-10-15 19:00 1,499,136 -----c--- c:\windows\system32\dllcache\shdocvw.dll
2008-12-27 02:22 . 2008-10-15 19:00 666,112 -----c--- c:\windows\system32\dllcache\wininet.dll
2008-12-27 02:22 . 2008-10-15 19:00 619,520 -----c--- c:\windows\system32\dllcache\urlmon.dll
2008-12-27 02:21 . 2008-10-03 04:02 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll
2008-12-27 02:20 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-12-27 01:41 . 2008-12-27 01:41 <DIR> d-------- C:\fsaua.data
2008-12-27 01:37 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-27 01:37 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-26 09:15 . 2008-12-26 09:15 51,355 --a------ c:\windows\system32\muzika.xm
2008-12-26 09:09 . 2009-01-07 17:14 <DIR> d-------- c:\documents and settings\Bakx\Application Data\uTorrent
2008-12-26 08:48 . 2008-12-27 01:24 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-26 08:47 . 2008-12-26 08:47 <DIR> d-------- c:\documents and settings\Bakx\Application Data\PC Tools
2008-12-26 08:47 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-26 08:47 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-26 08:47 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-26 08:47 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-24 00:59 . 2008-12-24 01:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-24 00:58 . 2008-12-24 00:58 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-23 22:28 . 2008-12-26 23:33 326 --a------ c:\windows\wininit.ini
2008-12-23 15:50 . 2009-01-11 09:30 <DIR> d-------- C:\Programs
2008-12-23 15:50 . 2008-12-26 08:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-21 13:12 . 2008-12-28 15:29 <DIR> d-------- c:\documents and settings\Bakx\Application Data\Download Manager
2008-12-20 16:35 . 2008-12-20 16:35 <DIR> d--h----- c:\documents and settings\All Users\Application Data\CanonBJ
2008-12-20 16:35 . 2005-05-06 21:00 140,288 --a------ c:\windows\system32\CNMLM7M.DLL
2008-12-20 16:35 . 2005-05-06 21:00 8,704 --a------ c:\windows\system32\CNMVS7M.DLL
2008-12-20 16:34 . 2008-04-13 12:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-20 16:32 . 2008-12-20 16:32 <DIR> d--h----- c:\windows\system32\CanonMP Uninstaller Information
2008-12-20 16:32 . 2008-12-20 16:32 <DIR> d--h----- C:\CanonMP
2008-12-20 16:32 . 2005-08-04 03:37 221,184 --a------ c:\windows\system32\CNCC800.DLL
2008-12-20 16:32 . 2005-06-20 08:24 139,264 --a------ c:\windows\system32\CNCL800.DLL
2008-12-20 16:32 . 2005-06-14 01:19 77,824 --a------ c:\windows\system32\CNCA800.DLL
2008-12-20 16:32 . 2005-08-04 03:37 69,632 --a------ c:\windows\system32\CNCI800.DLL
2008-12-20 16:32 . 2005-08-04 03:38 49,152 --a------ c:\windows\system32\cncisco.dll
2008-12-20 16:08 . 2008-04-13 12:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-12-20 16:07 . 2008-04-13 12:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-12-20 15:06 . 2008-12-20 15:06 <DIR> d-------- c:\program files\Common Files\Adobe
2008-12-20 15:04 . 2007-04-09 13:23 28,040 --a------ c:\windows\system32\mdimon.dll
2008-12-20 15:04 . 2008-12-20 15:04 376 --a------ c:\windows\ODBC.INI
2008-12-20 14:46 . 2008-12-20 14:46 <DIR> d-------- c:\program files\Microsoft.NET
2008-12-20 14:45 . 2008-12-20 14:45 <DIR> d-------- c:\program files\Microsoft ActiveSync
2008-12-20 14:44 . 2008-12-20 15:03 <DIR> d-------- c:\windows\SHELLNEW
2008-12-20 14:39 . 2008-12-20 14:39 <DIR> dr-h----- C:\MSOCache
2008-12-18 14:28 . 2008-12-18 14:29 <DIR> d-------- c:\program files\Google
2008-12-18 14:17 . 2008-12-28 15:14 316,640 --a------ c:\windows\WMSysPr9.prx
2008-12-18 14:15 . 2008-12-18 14:15 <DIR> d-------- c:\windows\provisioning
2008-12-18 14:15 . 2008-12-28 11:10 <DIR> d-------- c:\windows\peernet
2008-12-18 14:11 . 2008-12-28 11:12 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-18 14:02 . 2008-12-28 10:31 <DIR> d-------- c:\windows\EHome
2008-12-18 13:56 . 2002-04-15 21:11 67,866 --------- c:\windows\system32\drivers\netwlan5.img
2008-12-18 13:56 . 2008-04-14 05:42 11,264 --------- c:\windows\system32\spnpinst.exe
2008-12-18 13:56 . 2004-08-02 14:20 7,208 --------- c:\windows\system32\secupd.sig
2008-12-18 13:56 . 2004-08-02 14:20 4,569 --------- c:\windows\system32\secupd.dat
2008-12-18 13:26 . 2008-12-28 21:21 <DIR> d--h----- c:\windows\$hf_mig$
2008-12-18 13:26 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe
2008-12-18 13:25 . 2008-12-28 11:10 <DIR> d-------- c:\windows\system32\bits
2008-12-18 13:25 . 2008-04-13 11:39 438,784 --------- c:\windows\system32\xpob2res.dll
2008-12-18 13:25 . 2008-04-13 18:12 354,304 --a------ c:\windows\system32\winhttp.dll
2008-12-18 13:25 . 2008-04-13 18:12 18,944 --a------ c:\windows\system32\qmgrprxy.dll
2008-12-18 13:25 . 2008-04-13 18:11 8,192 --------- c:\windows\system32\bitsprx2.dll
2008-12-18 13:25 . 2008-04-13 18:11 7,168 --------- c:\windows\system32\bitsprx3.dll
2008-12-18 13:22 . 2008-10-16 14:12 561,688 --a------ c:\windows\system32\wuapi.dll
2008-12-18 13:22 . 2008-10-16 14:12 323,608 --a------ c:\windows\system32\wucltui.dll
2008-12-18 13:22 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl
2008-12-18 13:22 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2008-12-18 13:22 . 2008-10-16 14:08 34,328 --a------ c:\windows\system32\wups.dll
2008-12-18 13:22 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-12-18 13:22 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-12-18 13:22 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-18 13:22 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2008-12-18 13:21 . 2008-12-18 13:21 <DIR> d---s---- c:\documents and settings\Bakx\UserData
2008-12-18 13:09 . 2008-12-18 13:09 <DIR> d---s---- c:\windows\system32\Microsoft
2008-12-18 13:05 . 2008-12-18 13:05 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-12-18 13:05 . 2008-12-18 13:05 <DIR> d-------- c:\program files\Common Files\InstallShield
2008-12-18 13:05 . 1999-05-07 13:24 645,616 --a------ c:\windows\system32\MSCOMCT2.OCX
2008-12-18 13:05 . 2000-03-23 12:50 446,464 -ra------ c:\windows\system32\hhactivex.dll
2008-12-18 13:05 . 1999-05-07 13:24 414,944 --a------ c:\windows\system32\COMCT332.OCX
2008-12-18 13:05 . 1998-11-10 10:46 328,480 --a------ c:\windows\system32\ssa3d30.ocx
2008-12-18 13:05 . 2002-01-08 17:00 176,128 --a------ c:\windows\system32\RcdScan.dll
2008-12-18 13:05 . 1998-09-24 12:03 171,967 --a------ c:\windows\system32\Odbcjet.hlp
2008-12-18 13:05 . 1998-06-17 23:00 89,360 --a------ c:\windows\system32\VB5DB.DLL
2008-12-18 13:05 . 2001-08-22 08:42 13,632 --------- c:\windows\system32\drivers\omci.sys
2008-12-18 13:05 . 1998-09-24 12:03 7,348 --a------ c:\windows\system32\Odbcjet.cnt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 18:21 --------- d-----w c:\program files\microsoft frontpage
2008-12-18 18:20 558,142 ----a-w c:\windows\java\Packages\EIS8JRBJ.ZIP
2008-12-18 18:20 155,995 ----a-w c:\windows\java\Packages\Y1RRD77J.ZIP
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:07 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2007-10-18 17:09 733,517,824 ----a-w c:\program files\Common Files\Realplayer.avi
2008-04-14 00:11 171,376 --sha-r c:\windows\system32\kxqbqycr.dll
.

((((((((((((((((((((((((((((( snapshot_2009-01-08_ 0.33.28.19 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 14:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 14:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2008-12-28 21:12:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-08 20:41:36 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-28 21:12:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-08 20:41:36 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-28 21:12:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-08 20:41:36 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-28 21:11:40 189,792 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-01-12 22:40:32 196,160 ----a-w c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-18 39408]
"SpybotSD TeaTimer"="c:\programs\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programs\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7515:TCP"= 7515:TCP:oghndane

S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Bakx\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\Bakx\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\programs\Spyware Doctor\pctsAuxs.exe [2008-12-26 356920]
S4 odwqd;Support Time;c:\windows\system32\svchost.exe -k netsvcs [2002-09-03 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
odwqd
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - c:\program files\AskBarDis\bar\bin\askBar.dll
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://winnipegweather.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\Manager.exe - c:\windows\Downloaded Program Files\DownloadManagerV2.ocx
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}
hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
c:\windows\Downloaded Program Files\DownloadManagerV2.inf
FF - ProfilePath - c:\documents and settings\Bakx\Application Data\Mozilla\Firefox\Profiles\7vi4wx06.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-14 10:17:47
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\odwqd]
"ServiceDll"="c:\windows\system32\kxqbqycr.dll"
.
Completion time: 2009-01-14 10:25:10
ComboFix-quarantined-files.txt 2009-01-14 16:25:05
ComboFix2.txt 2009-01-11 16:02:30
ComboFix3.txt 2009-01-08 06:36:13
ComboFix4.txt 2008-12-27 07:35:04
ComboFix5.txt 2009-01-14 16:06:42

Pre-Run: 19,519,397,888 bytes free
Post-Run: 19,595,956,224 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
225 --- E O F --- 2008-12-29 09:01:22


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:52 AM, on 1/14/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://winnipegweather.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229628070489
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229628686464
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programs\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programs\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programs\Spyware Doctor\pctsSvc.exe

--
End of file - 3941 bytes

Any reason why combofix was run 6 times? I need to see the log from the first run but I reckon because it's run 6 times, the first log has now been overwritten :(

I've run combofix a few times prior to this as well as spybot and adaware scans. I know I should go about fixing my computer with a trained professional like yourself, but I've always been a DIY guy. Like you said, the logs have all been overwritten.

I'm only doing as you say since my first post, before that I was reading posts from people having similar problems as mine and trying to follow the advice that they got.

Is there anything else I can do to help?

Have a look in C:\qoobox and find all the logs there (combofix2.txt, combofix3.txt, etc.) and attach them to your post.
Ordinarily they should be pasted, but because there are a few of them, just attach them this time.

Attachments: Add-Remove Programs.txt, ComboFix2.txt, ComboFix3.txt, ComboFix4.txt, ComboFix5.txt, ComboFix-quarantined-files.txt

Here are the other 4 logs, add/remove programs txt file, and quarantine txt file

Ok. Looks like your pc was severely compromised.
Try the following;

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program

==

Download Dial-a-Fix and run it. Select the 'Check all' (green arrow) and then hit 'GO.'
Reboot when done and see how things are now.

==

Reboot and see how it is.

Still can't get onto those websites. Although I have Firefox installed, it wasn't available on the ATF-Cleaner menu. I have both Firefox and IE installed and I think I set Firefox as the default browser.

Anything else I can try?

Does Firefox show up on the menu?

Please go to Jotti's or to virustotal and have this file scanned. Post the results back here.

c:\windows\system32\kxqbqycr.dll

"The Page Cannot Be Displayed"

Can't get to either of those websites. Would you like me to email you the file or attach it here?

And no, Firefox did not show up on the ATF menu.

Check your HOSTS file

It should only contain some comments and 127.0.0.1 and localhost
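The HOSTS check suggested above, written out as an added example for this thread (it is not the poster's or the helper's code, and the poster reports their file is clean): it parses the file the way the resolver reads it and reports every mapping other than the stock localhost line. The sample content is constructed; the redirected names are only the kind of entry a hijacker adds to keep a victim off scanner and update sites, either via loopback or via an address of the attacker's choosing. The function names and the HOSTS_PATH constant are this example's own.

```python
"""Report HOSTS-file mappings beyond the stock localhost line.

Added example for this thread, not code from the original post. The sample
text below is constructed: the first lines are what Windows ships, the rest
are the kind of entries a hijacker adds to keep a victim off AV sites.
"""
import ipaddress

# Where Windows keeps the file (no extension; a hosts.txt next to it is ignored).
HOSTS_PATH = r"C:\WINDOWS\system32\drivers\etc\hosts"

# Mappings Windows itself installs. XP ships only the IPv4 line; later
# versions add the IPv6 one. Anything else is reported.
ALLOWED = {("127.0.0.1", "localhost"), ("::1", "localhost")}

# Constructed sample, not the poster's real file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       virusscan.jotti.org
127.0.0.1       www.virustotal.com        # trailing comment is ignored
10.0.0.1        update.microsoft.com  www.update.microsoft.com
"""


def parse_hosts(text):
    """Yield (lineno, ip, hostname) for every mapping in HOSTS-file text.

    '#' starts a comment, blank lines are skipped, and one address may be
    followed by several host names on the same line, as the resolver allows.
    """
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            # First field is not an address: report the line rather than drop it.
            yield lineno, ip, " ".join(names) or "<malformed>"
            continue
        for name in names:
            yield lineno, ip, name


def suspicious_entries(text):
    """Return [(lineno, ip, hostname)] for every mapping not in ALLOWED.

    A real hostname pointed at 127.0.0.1 gives 'page cannot be displayed' for
    only certain sites; one pointed at another address sends the browser
    wherever the attacker chose.
    """
    return [(lineno, ip, name) for lineno, ip, name in parse_hosts(text)
            if (ip, name.lower()) not in ALLOWED]


def check_file(path=HOSTS_PATH):
    """Run the check against the live file (Windows only; not used by the demo)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return suspicious_entries(fh.read())


if __name__ == "__main__":
    for lineno, ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {name} -> {ip}")
```

Run against the constructed sample it lists the three redirected hostnames (four mappings, since one line carries two names); against a stock file it returns nothing.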

That is all my Hosts file contains, the comments, 127.0.0.1 and localhost.

Rename the file to oldkxqbqycr.dll and reboot your pc. Try to upload it now.

Cannot find that file. Enabled hidden files via tools menu, looked in system32 menu, did Ctrl+F search in system32 menu for it. Did I get rid of it with a previous scan or combofix?

It shows up in combofix, but not as being deleted.

==

1. Please open Notepad Click Start , then Run
Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:



FileLook::
c:\windows\system32\kxqbqycr.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the Internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:
Combofix.txt
A new HijackThis log.
Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Here is the Combofix log:

ComboFix 09-01-13.04 - Bakx 2009-01-17 14:37:32.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.255.102 [GMT -6:00]
Running from: c:\documents and settings\Bakx\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Bakx\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-12-17 to 2009-01-17 )))))))))))))))))))))))))))))))
.

2009-01-17 14:31 . 2009-01-17 14:32 <DIR> d-------- C:\32788R22FWJFW
2009-01-15 14:19 . 2009-01-15 14:19 <DIR> d-------- c:\windows\system32\CatRoot2
2009-01-13 23:46 . 2009-01-13 23:46 <DIR> d-------- c:\documents and settings\Bakx\Application Data\Malwarebytes
2009-01-13 23:45 . 2009-01-13 23:46 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-13 23:45 . 2009-01-13 23:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-13 23:45 . 2009-01-04 18:39 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-13 23:45 . 2009-01-04 18:39 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-13 16:42 . 2009-01-13 16:42 <DIR> d-------- c:\program files\Trend Micro
2009-01-11 09:31 . 2009-01-11 09:31 0 --a------ c:\windows\nsreg.dat
2009-01-07 16:30 . 2009-01-07 16:30 <DIR> d-------- c:\program files\Foxit Software
2009-01-07 16:30 . 2009-01-07 16:30 <DIR> d-------- c:\documents and settings\Bakx\Application Data\Foxit
2009-01-07 13:25 . 2009-01-07 13:33 <DIR> d-------- c:\documents and settings\Bakx\Application Data\vlc
2009-01-07 13:23 . 2009-01-07 13:23 <DIR> d-------- c:\program files\VideoLAN
2008-12-28 21:36 . 2008-04-13 18:12 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-12-28 21:36 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-12-28 11:10 . 2008-12-28 11:10 <DIR> d-------- c:\windows\system32\scripting
2008-12-28 11:10 . 2008-12-28 11:10 <DIR> d-------- c:\windows\system32\en
2008-12-28 11:10 . 2008-12-28 11:10 <DIR> d-------- c:\windows\l2schemas
2008-12-27 12:35 . 2003-02-28 18:26 46,352 --a------ c:\windows\setdebug.exe
2008-12-27 12:35 . 2003-02-28 16:54 7,315 --a------ c:\windows\system32\javasup.vxd
2008-12-27 12:34 . 2003-02-28 18:26 139,536 --a------ c:\windows\system32\javaee.dll
2008-12-27 12:34 . 2003-02-28 16:35 6,550 --a------ c:\windows\jautoexp.dat
2008-12-27 12:34 . 2003-02-28 16:38 113 --a------ c:\windows\system32\zonedon.reg
2008-12-27 12:34 . 2003-02-28 16:38 113 --a------ c:\windows\system32\zonedoff.reg
2008-12-27 04:12 . 2008-09-09 19:14 1,307,648 --------- c:\windows\system32\msxml6.dll
2008-12-27 04:11 . 2008-04-13 18:10 844,314 -----c--- c:\windows\system32\dllcache\msdxm.ocx
2008-12-27 04:10 . 2008-04-13 18:12 695,808 -----c--- c:\windows\system32\dllcache\drmv2clt.dll
2008-12-27 02:29 . 2008-06-13 05:05 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2008-12-27 02:29 . 2008-08-14 04:04 138,496 -----c--- c:\windows\system32\dllcache\afd.sys
2008-12-27 02:28 . 2008-09-15 06:12 1,846,400 -----c--- c:\windows\system32\dllcache\win32k.sys
2008-12-27 02:28 . 2008-09-08 04:41 333,824 -----c--- c:\windows\system32\dllcache\srv.sys
2008-12-27 02:27 . 2008-08-14 04:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-12-27 02:27 . 2008-08-14 04:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-12-27 02:27 . 2008-08-14 03:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-12-27 02:27 . 2008-08-14 03:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-12-27 02:26 . 2008-05-08 08:02 203,136 -----c--- c:\windows\system32\dllcache\rmcast.sys
2008-12-27 02:25 . 2008-04-11 13:04 691,712 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2008-12-27 02:25 . 2008-10-24 05:21 455,296 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2008-12-27 02:25 . 2008-05-01 08:33 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2008-12-27 02:24 . 2008-09-04 11:15 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2008-12-27 02:22 . 2008-12-12 11:01 3,067,904 -----c--- c:\windows\system32\dllcache\mshtml.dll
2008-12-27 02:22 . 2008-10-15 19:00 1,499,136 -----c--- c:\windows\system32\dllcache\shdocvw.dll
2008-12-27 02:22 . 2008-10-15 19:00 666,112 -----c--- c:\windows\system32\dllcache\wininet.dll
2008-12-27 02:22 . 2008-10-15 19:00 619,520 -----c--- c:\windows\system32\dllcache\urlmon.dll
2008-12-27 02:21 . 2008-10-03 04:02 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll
2008-12-27 02:20 . 2008-10-15 10:34 337,408 -----c--- c:\windows\system32\dllcache\netapi32.dll
2008-12-27 01:41 . 2008-12-27 01:41 <DIR> d-------- C:\fsaua.data
2008-12-27 01:37 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2008-12-27 01:37 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2008-12-26 09:15 . 2008-12-26 09:15 51,355 --a------ c:\windows\system32\muzika.xm
2008-12-26 09:09 . 2009-01-15 08:25 <DIR> d-------- c:\documents and settings\Bakx\Application Data\uTorrent
2008-12-26 08:48 . 2008-12-27 01:24 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-26 08:47 . 2008-12-26 08:47 <DIR> d-------- c:\documents and settings\Bakx\Application Data\PC Tools
2008-12-26 08:47 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2008-12-26 08:47 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2008-12-26 08:47 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2008-12-26 08:47 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-24 00:59 . 2008-12-24 01:14 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-12-24 00:58 . 2008-12-24 00:58 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-12-23 22:28 . 2008-12-26 23:33 326 --a------ c:\windows\wininit.ini
2008-12-23 15:50 . 2009-01-11 09:30 <DIR> d-------- C:\Programs
2008-12-23 15:50 . 2008-12-26 08:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-12-21 13:12 . 2008-12-28 15:29 <DIR> d-------- c:\documents and settings\Bakx\Application Data\Download Manager
2008-12-20 16:35 . 2008-12-20 16:35 <DIR> d--h----- c:\documents and settings\All Users\Application Data\CanonBJ
2008-12-20 16:35 . 2005-05-06 21:00 140,288 --a------ c:\windows\system32\CNMLM7M.DLL
2008-12-20 16:35 . 2005-05-06 21:00 8,704 --a------ c:\windows\system32\CNMVS7M.DLL
2008-12-20 16:34 . 2008-04-13 12:45 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-12-20 16:32 . 2008-12-20 16:32 <DIR> d--h----- c:\windows\system32\CanonMP Uninstaller Information
2008-12-20 16:32 . 2008-12-20 16:32 <DIR> d--h----- C:\CanonMP
2008-12-20 16:32 . 2005-08-04 03:37 221,184 --a------ c:\windows\system32\CNCC800.DLL
2008-12-20 16:32 . 2005-06-20 08:24 139,264 --a------ c:\windows\system32\CNCL800.DLL
2008-12-20 16:32 . 2005-06-14 01:19 77,824 --a------ c:\windows\system32\CNCA800.DLL
2008-12-20 16:32 . 2005-08-04 03:37 69,632 --a------ c:\windows\system32\CNCI800.DLL
2008-12-20 16:32 . 2005-08-04 03:38 49,152 --a------ c:\windows\system32\cncisco.dll
2008-12-20 16:08 . 2008-04-13 12:47 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-12-20 16:07 . 2008-04-13 12:45 32,128 --a------ c:\windows\system32\drivers\usbccgp.sys
2008-12-20 15:06 . 2008-12-20 15:06 <DIR> d-------- c:\program files\Common Files\Adobe
2008-12-20 15:04 . 2007-04-09 13:23 28,040 --a------ c:\windows\system32\mdimon.dll
2008-12-20 15:04 . 2008-12-20 15:04 376 --a------ c:\windows\ODBC.INI
2008-12-20 14:46 . 2008-12-20 14:46 <DIR> d-------- c:\program files\Microsoft.NET
2008-12-20 14:45 . 2008-12-20 14:45 <DIR> d-------- c:\program files\Microsoft ActiveSync
2008-12-20 14:44 . 2008-12-20 15:03 <DIR> d-------- c:\windows\SHELLNEW
2008-12-20 14:39 . 2008-12-20 14:39 <DIR> dr-h----- C:\MSOCache
2008-12-18 14:28 . 2008-12-18 14:29 <DIR> d-------- c:\program files\Google
2008-12-18 14:17 . 2008-12-28 15:14 316,640 --a------ c:\windows\WMSysPr9.prx
2008-12-18 14:15 . 2008-12-18 14:15 <DIR> d-------- c:\windows\provisioning
2008-12-18 14:15 . 2008-12-28 11:10 <DIR> d-------- c:\windows\peernet
2008-12-18 14:11 . 2008-12-28 11:12 <DIR> d-------- c:\windows\ServicePackFiles
2008-12-18 14:02 . 2008-12-28 10:31 <DIR> d-------- c:\windows\EHome
2008-12-18 13:56 . 2002-04-15 21:11 67,866 --------- c:\windows\system32\drivers\netwlan5.img
2008-12-18 13:56 . 2008-04-14 05:42 11,264 --------- c:\windows\system32\spnpinst.exe
2008-12-18 13:56 . 2004-08-02 14:20 7,208 --------- c:\windows\system32\secupd.sig
2008-12-18 13:56 . 2004-08-02 14:20 4,569 --------- c:\windows\system32\secupd.dat
2008-12-18 13:26 . 2008-12-28 21:21 <DIR> d--h----- c:\windows\$hf_mig$
2008-12-18 13:26 . 2007-08-10 20:46 26,488 --a------ c:\windows\system32\spupdsvc.exe
2008-12-18 13:25 . 2008-12-28 11:10 <DIR> d-------- c:\windows\system32\bits
2008-12-18 13:25 . 2008-04-13 11:39 438,784 --------- c:\windows\system32\xpob2res.dll
2008-12-18 13:25 . 2008-04-13 18:12 354,304 --a------ c:\windows\system32\winhttp.dll
2008-12-18 13:25 . 2008-04-13 18:12 18,944 --a------ c:\windows\system32\qmgrprxy.dll
2008-12-18 13:25 . 2008-04-13 18:11 8,192 --------- c:\windows\system32\bitsprx2.dll
2008-12-18 13:25 . 2008-04-13 18:11 7,168 --------- c:\windows\system32\bitsprx3.dll
2008-12-18 13:22 . 2008-10-16 14:12 561,688 --a------ c:\windows\system32\wuapi.dll
2008-12-18 13:22 . 2008-10-16 14:12 323,608 --a------ c:\windows\system32\wucltui.dll
2008-12-18 13:22 . 2008-10-16 14:12 213,528 --a------ c:\windows\system32\wuaucpl.cpl
2008-12-18 13:22 . 2008-10-16 14:09 43,544 --a------ c:\windows\system32\wups2.dll
2008-12-18 13:22 . 2008-10-16 14:08 34,328 --a------ c:\windows\system32\wups.dll
2008-12-18 13:22 . 2008-10-16 14:09 31,768 --a------ c:\windows\system32\wucltui.dll.mui
2008-12-18 13:22 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuaucpl.cpl.mui
2008-12-18 13:22 . 2008-10-16 14:07 23,576 --a------ c:\windows\system32\wuapi.dll.mui
2008-12-18 13:22 . 2008-10-16 14:07 18,456 --a------ c:\windows\system32\wuaueng.dll.mui
2008-12-18 13:21 . 2008-12-18 13:21 <DIR> d---s---- c:\documents and settings\Bakx\UserData
2008-12-18 13:09 . 2008-12-18 13:09 <DIR> d---s---- c:\windows\system32\Microsoft
2008-12-18 13:05 . 2008-12-18 13:05 <DIR> d--h----- c:\program files\InstallShield Installation Information
2008-12-18 13:05 . 2008-12-18 13:05 <DIR> d-------- c:\program files\Common Files\InstallShield
2008-12-18 13:05 . 1999-05-07 13:24 645,616 --a------ c:\windows\system32\MSCOMCT2.OCX
2008-12-18 13:05 . 2000-03-23 12:50 446,464 -ra------ c:\windows\system32\hhactivex.dll
2008-12-18 13:05 . 1999-05-07 13:24 414,944 --a------ c:\windows\system32\COMCT332.OCX
2008-12-18 13:05 . 1998-11-10 10:46 328,480 --a------ c:\windows\system32\ssa3d30.ocx
2008-12-18 13:05 . 2002-01-08 17:00 176,128 --a------ c:\windows\system32\RcdScan.dll
2008-12-18 13:05 . 1998-09-24 12:03 171,967 --a------ c:\windows\system32\Odbcjet.hlp
2008-12-18 13:05 . 1998-06-17 23:00 89,360 --a------ c:\windows\system32\VB5DB.DLL
2008-12-18 13:05 . 2001-08-22 08:42 13,632 --------- c:\windows\system32\drivers\omci.sys
2008-12-18 13:05 . 1998-09-24 12:03 7,348 --a------ c:\windows\system32\Odbcjet.cnt

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-18 18:21 --------- d-----w c:\program files\microsoft frontpage
2008-12-18 18:20 558,142 ----a-w c:\windows\java\Packages\EIS8JRBJ.ZIP
2008-12-18 18:20 155,995 ----a-w c:\windows\java\Packages\Y1RRD77J.ZIP
2007-10-18 17:09 733,517,824 ----a-w c:\program files\Common Files\Realplayer.avi
2008-04-14 00:11 171,376 --sha-r c:\windows\system32\kxqbqycr.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\kxqbqycr.dll -- Not a PE file.


((((((((((((((((((((((((((((( snapshot_2009-01-08_ 0.33.28.19 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 14:00:00 28,672 ----a-w c:\windows\NIRCMD.exe
+ 2000-08-31 14:00:00 29,696 ----a-w c:\windows\NIRCMD.exe
- 2008-12-28 21:12:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2009-01-08 20:41:36 32,768 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2008-12-28 21:12:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2009-01-08 20:41:36 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-12-28 21:12:18 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2009-01-08 20:41:36 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-12-28 21:11:40 189,792 ----a-w c:\windows\system32\FNTCACHE.DAT
+ 2009-01-12 22:40:32 196,160 ----a-w c:\windows\system32\FNTCACHE.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-12-18 39408]
"SpybotSD TeaTimer"="c:\programs\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Programs\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"7515:TCP"= 7515:TCP:oghndane

S3 F-Secure Standalone Minifilter;F-Secure Standalone Minifilter;\??\c:\docume~1\Bakx\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys --> c:\docume~1\Bakx\LOCALS~1\Temp\OnlineScanner\Anti-Virus\fsgk.sys [?]
S3 sdAuxService;PC Tools Auxiliary Service;c:\programs\Spyware Doctor\pctsAuxs.exe [2008-12-26 356920]
S4 odwqd;Support Time;c:\windows\system32\svchost.exe -k netsvcs [2002-09-03 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
odwqd
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://winnipegweather.com/
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
c:\windows\Downloaded Program Files\DirectAnimation Java Classes.osd

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

c:\windows\Downloaded Program Files\Manager.exe - c:\windows\Downloaded Program Files\DownloadManagerV2.ocx
O16 -: {4871A87A-BFDD-4106-8153-FFDE2BAC2967}
hxxp://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
c:\windows\Downloaded Program Files\DownloadManagerV2.inf
FF - ProfilePath - c:\documents and settings\Bakx\Application Data\Mozilla\Firefox\Profiles\7vi4wx06.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.google.ca/
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-17 14:48:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\odwqd]
"ServiceDll"="c:\windows\system32\kxqbqycr.dll"
.
------------------------ Other Running Processes ------------------------
.
c:\programs\Lavasoft\Ad-Aware\aawservice.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-01-17 14:53:36 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-17 20:53:31
ComboFix2.txt 2009-01-14 16:25:13
ComboFix3.txt 2009-01-11 16:02:30
ComboFix4.txt 2009-01-08 06:36:13
ComboFix5.txt 2009-01-17 20:32:15

Pre-Run: 18,757,664,768 bytes free
Post-Run: 18,786,103,296 bytes free

Current=1 Default=1 Failed=0 LastKnownGood=4 Sets=1,2,3,4
235 --- E O F --- 2008-12-29 09:01:22


And Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:43 PM, on 1/17/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Programs\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://winnipegweather.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Programs\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.0.926.3450\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: (no name) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Programs\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Programs\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {4871A87A-BFDD-4106-8153-FFDE2BAC2967} (DLM Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.4.1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1229628070489
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1229628686464
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programs\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Programs\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Programs\Spyware Doctor\pctsSvc.exe

--
End of file - 3872 bytes
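As an added example (not code from the thread or from HijackThis), here is a small Python triage helper that parses HijackThis-style entries like the ones in the log above and flags the lines a helper usually asks about first: toolbar/BHO entries pointing at "(no file)", unidentified Winsock LSP DLLs, and filenames that look machine-generated (the way the kxqbqycr.dll mentioned later in the thread does). The sample entries are copied from the log above; the path regex and the "random-looking name" heuristic are assumptions made for this example, not HijackThis rules.

```python
import re

# Constructed sample: entries copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O3 - Toolbar: (no name) - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - (no file)
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Programs\Lavasoft\Ad-Aware\aawservice.exe
"""

# "O2 - ..." / "R0 - ..." entry prefix, then the rest of the line.
ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
# First Windows path ending in a binary extension (assumed shape, handles spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:dll|exe|sys)\b", re.I)

RARE = set("jkqxz")
VOWELS = set("aeiou")


def looks_random_name(path):
    """Heuristic (an assumption for this example, not a HijackThis rule):
    an 8-letter lowercase stem with at most one vowel and two or more rare
    letters, e.g. kxqbqycr.dll, reads like a generated filename."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if len(stem) != 8 or not stem.isalpha() or not stem.islower():
        return False
    vowels = sum(c in VOWELS for c in stem)
    rare = sum(c in RARE for c in stem)
    return vowels <= 1 and rare >= 2


def triage(log_text):
    """Return (section, reason, line) for entries worth a closer look."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        path_m = PATH_RE.search(body)
        path = path_m.group(0) if path_m else None
        if "(no file)" in body:
            findings.append((sec, "orphaned entry: registry points at a missing file", line))
        elif sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append((sec, "unidentified LSP DLL: identify it before removing", line))
        elif path and looks_random_name(path):
            findings.append((sec, "random-looking filename, submit for scanning", line))
    return findings
```

Running `triage(SAMPLE_LOG)` flags only the O3 "(no file)" toolbar and the O10 LSP line; `looks_random_name` answers True for the kxqbqycr.dll path and False for nwprovau.dll, which has a normal vowel mix.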

That didn't help either :(. Combofix is picking that file up, so it must be there.

Whether or not it is bad remains to be seen though. We need to locate it and get it scanned.

Go back to Jotti and try just pasting the line in.

c:\windows\system32\kxqbqycr.dll

I can't get to Jotti: "Website cannot be displayed". Same goes for any anti-virus website I've tried. Is there another way to rename it?

Scan for rootkits?

