BullGuard Antivirus Forum - Virus Removal - Removal Help
Help - contents of HijackThis log, SuperAntiSpyware log & ComboFix.txt
Titchymichy
Posted 3-29-2008 6:04 (GMT +1)
Trying to sanitise a friend's infected PC and have the contents of HijackThis log, SuperAntiSpyware log & ComboFix.txt below - any help appreciated:
 
HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:33, on 2008-03-29
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
G:\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F47B2E1-3C71-49FF-A853-D9637C7DDC3B} - C:\WINDOWS\jkkjghgd.dll (file missing)
O2 - BHO: Google Module - {4C579E8B-92F1-44d1-9444-66A4355E9386} - bagetionwll.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [gebyxyaxur] Rundll32.exe "C:\WINDOWS\system32\pmnlllkh.dll",s
O4 - HKLM\..\Run: [50de3a25] rundll32.exe "C:\WINDOWS\system32\mkdapyto.dll",b
O4 - HKLM\..\Run: [awvvwwxuro] Rundll32.exe "=5%ì•"°ìy%040XœY<%K{xxxŠZü9xx",s
O4 - HKLM\..\Run: [oppqqpmnli] Rundll32.exe "=5%ì•"°ìy%AŠŠA Z 9ü9xx",s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm027YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O10 - Unknown file in Winsock LSP: wsock3.dll
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/ZwinkyInitialSetup1.0.0.15-3.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174690111187
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: BGRaSvc - BullGuard - C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
--
End of file - 8690 bytes
SuperAntiSpyware Log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 03/29/2008 at 03:40 PM
Application Version : 4.0.1154
Core Rules Database Version : 3412
Trace Rules Database Version: 1404
Scan type       : Complete Scan
Total Scan Time : 00:28:00
Memory items scanned      : 369
Memory threats detected   : 5
Registry items scanned    : 5660
Registry threats detected : 63
File items scanned        : 14689
File threats detected     : 90
Adware.Vundo-Variant
 C:\WINDOWS\SYSTEM32\UVPEQULC.DLL
 C:\WINDOWS\SYSTEM32\UVPEQULC.DLL
 Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\uvpequlc
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144675.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144681.DLL
 C:\WINDOWS\SYSTEM32\PQJYULUD.DLL
Adware.Vundo-Variant/Small
 C:\WINDOWS\SYSTEM32\OPNNMLM.DLL
 C:\WINDOWS\SYSTEM32\OPNNMLM.DLL
 Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\opnnmlm
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144668.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144669.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144674.DLL
Adware.Vundo Variant/Resident
 C:\WINDOWS\SYSTEM32\JKHHE.DLL
 C:\WINDOWS\SYSTEM32\JKHHE.DLL
Adware.Vundo-Variant/Small-A
 C:\WINDOWS\SYSTEM32\MKDAPYTO.DLL
 C:\WINDOWS\SYSTEM32\MKDAPYTO.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144654.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144655.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144656.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144657.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144658.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144659.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144660.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144661.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144662.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144663.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144664.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144665.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144666.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144667.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144670.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144671.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144672.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144673.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144676.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144679.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144680.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144685.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144690.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144691.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144692.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144696.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144701.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP299\A0146762.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP303\A0148799.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP305\A0154831.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP306\A0156840.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP308\A0161074.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP311\A0162109.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP313\A0162143.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP314\A0162162.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP315\A0165173.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP316\A0165205.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP319\A0166253.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP319\A0166256.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP319\A0166257.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP319\A0166258.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP319\A0166261.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP319\A0166265.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP319\A0167252.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP319\A0188261.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP319\A0188264.DLL
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP319\A0188265.DLL
Adware.eZula
 C:\WINDOWS\SYSTEM32\BKVQNNTE.EXE
 C:\WINDOWS\SYSTEM32\BKVQNNTE.EXE
 C:\WINDOWS\Prefetch\BKVQNNTE.EXE-13071EE3.pf
Adware.MyWebSearch
 HKLM\Software\Classes\CLSID\{00A6FAF1-072E-44cf-8957-5838F569A31D}
 HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}
 HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}
 HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\InprocServer32
 HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\InprocServer32#ThreadingModel
 HKCR\CLSID\{00A6FAF1-072E-44CF-8957-5838F569A31D}\Programmable
 C:\PROGRAM FILES\MYWEBSEARCH\SRCHASTT\1.BIN\MWSSRCAS.DLL
 HKLM\Software\Classes\CLSID\{00A6FAF6-072E-44cf-8957-5838F569A31D}
 HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
 HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}
 HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32
 HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\InprocServer32#ThreadingModel
 HKCR\CLSID\{00A6FAF6-072E-44CF-8957-5838F569A31D}\Programmable
 HKLM\Software\Classes\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
 HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
 HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
 HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\InprocServer32
 HKCR\CLSID\{07B18EA1-A523-4961-B6BB-170DE4475CCA}\InprocServer32#ThreadingModel
 C:\PROGRAM FILES\MYWEBSEARCH\BAR\1.BIN\MWSBAR.DLL
 HKLM\Software\Classes\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
 HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
 HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}
 HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\InprocServer32
 HKCR\CLSID\{07B18EA9-A523-4961-B6BB-170DE4475CCA}\InprocServer32#ThreadingModel
 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00A6FAF1-072E-44cf-8957-5838F569A31D}
 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{07B18EA1-A523-4961-B6BB-170DE4475CCA}
 HKU\S-1-5-21-2000478354-1677128483-682003330-1003\Software\Microsoft\Internet Explorer\URLSearchHooks#{00A6FAF6-072E-44cf-8957-5838F569A31D}
Unclassified.Unknown Origin
 HKLM\Software\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
 HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
 HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
 HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32
 HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32#ThreadingModel
 HKLM\Software\Microsoft\Internet Explorer\Toolbar#{11A69AE4-FBED-4832-A2BF-45AF82825583}
 HKU\S-1-5-21-2000478354-1677128483-682003330-1003\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser#{11A69AE4-FBED-4832-A2BF-45AF82825583}
Adware.Vundo Variant
 HKLM\Software\Classes\CLSID\{2ABAAC42-84DF-4C00-89DA-BC7EB2B0E70B}
 HKCR\CLSID\{2ABAAC42-84DF-4C00-89DA-BC7EB2B0E70B}
 HKCR\CLSID\{2ABAAC42-84DF-4C00-89DA-BC7EB2B0E70B}\InprocServer32
 HKCR\CLSID\{2ABAAC42-84DF-4C00-89DA-BC7EB2B0E70B}\InprocServer32#ThreadingModel
 HKLM\Software\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
 HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
 HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32
 HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32#ThreadingModel
 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2ABAAC42-84DF-4C00-89DA-BC7EB2B0E70B}
 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{2ABAAC42-84DF-4C00-89DA-BC7EB2B0E70B}
 HKCR\CLSID\{2ABAAC42-84DF-4C00-89DA-BC7EB2B0E70B}
 HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
Trojan.WinFixer
 HKLM\Software\Classes\CLSID\{2C7DEDFC-0C0D-4099-8334-AC765C268CDB}
 HKCR\CLSID\{2C7DEDFC-0C0D-4099-8334-AC765C268CDB}
 HKCR\CLSID\{2C7DEDFC-0C0D-4099-8334-AC765C268CDB}\InprocServer32
 HKCR\CLSID\{2C7DEDFC-0C0D-4099-8334-AC765C268CDB}\InprocServer32#ThreadingModel
 HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2C7DEDFC-0C0D-4099-8334-AC765C268CDB}
Adware.Adservs
 C:\WINDOWS\system32\atmtd.dll._
Trojan.Unknown Origin
 HKLM\Software\xpre
 HKLM\Software\xpre#execount
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP281\A0131916.EXE
Adware.ClickSpring/Outer Info Network
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
 HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion
Adware.WinTouch/XInside
 C:\Program Files\InetGet2
 C:\Program Files\Router\UnInstall.exe
 C:\Program Files\Router
Adware.ClickSpring/Yazzle
 C:\PROGRAM FILES\COMMON FILES\YAZZLE1281OINUNINSTALLER.EXE
Trojan.Downloader-Gen/MROFIN
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP223\A0077298.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP258\A0115083.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP281\A0131313.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP281\A0131432.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP281\A0131477.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP281\A0131542.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP281\A0132085.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP281\A0132243.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP281\A0132300.EXE
Trojan.Downloader-Gen/DDC
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144693.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144694.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144695.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144697.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144698.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144699.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144700.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144702.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144705.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144706.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP293\A0144708.EXE
Trojan.Unclassified/17PHolmes-A
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP281\A0131205.EXE
 C:\SYSTEM VOLUME INFORMATION\_RESTORE{41DA2A03-B6C8-4501-A166-FE91B83B5DD4}(2)\RP281\A0131445.EXE
Adware.Vundo Variant/Rel
 C:\WINDOWS\SYSTEM32\EHHKJ.INI
and finally ComboFix.txt:
 
ComboFix 08-03-25.4 - Bilal 2008-03-29 15:52:36.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.358 [GMT 0:00]
Running from: G:\ComboFix.exe
 * Created a new restore point
 * Resident AV is active

[color=red][b]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/b][/color]
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Bilal\Application Data\FunWebProducts
C:\Documents and Settings\Bilal\Application Data\FunWebProducts\Data\Bilal\avatar.dat
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common-x.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\include.js
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\index.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loader.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loading.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\logo.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\window.ico
C:\Program Files\MyWebSearch\bar\Cache\000210BF
C:\Program Files\MyWebSearch\bar\Cache\000403D5
C:\Program Files\MyWebSearch\bar\Cache\00040636
C:\Program Files\MyWebSearch\bar\Cache\000EF374
C:\Program Files\MyWebSearch\bar\Cache\00143BBF.bin
C:\Program Files\MyWebSearch\bar\Cache\00143FF5
C:\Program Files\MyWebSearch\bar\Cache\001C9D03.bin
C:\Program Files\MyWebSearch\bar\Cache\001CACC2.bin
C:\Program Files\MyWebSearch\bar\Cache\001CAF14.bin
C:\Program Files\MyWebSearch\bar\Cache\001CB07B.bin
C:\Program Files\MyWebSearch\bar\Cache\001CB1E2.bin
C:\Program Files\MyWebSearch\bar\Cache\002CCE75
C:\Program Files\MyWebSearch\bar\Cache\0067F680.bin
C:\Program Files\MyWebSearch\bar\Cache\00681294.bin
C:\Program Files\MyWebSearch\bar\Cache\0068138E.bin
C:\Program Files\MyWebSearch\bar\Cache\006814D6.bin
C:\Program Files\MyWebSearch\bar\Cache\00F40BB5.bin
C:\Program Files\MyWebSearch\bar\Cache\00F40D0D.bin
C:\Program Files\MyWebSearch\bar\Cache\00F40ED2.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\Words
C:\Program Files\Words\list.txt
C:\Program Files\Words\script.txt
C:\WINDOWS\BM53ed09b9.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aisojrbe.ini
C:\WINDOWS\system32\alog.txt
C:\WINDOWS\system32\cmds.txt
C:\WINDOWS\system32\conf.dat
C:\WINDOWS\system32\eavjfkhf.ini
C:\WINDOWS\system32\ehhkj.ini2
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\fhvjuxef.ini
C:\WINDOWS\system32\file.exe
C:\WINDOWS\system32\gjbdwfot.ini
C:\WINDOWS\system32\jqrjnlfy.ini
C:\WINDOWS\system32\lywrvtkk.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msvcrtd.exe
C:\WINDOWS\system32\ndudvnbk.ini
C:\WINDOWS\system32\otypadkm.ini
C:\WINDOWS\system32\pagxddbh.ini
C:\WINDOWS\system32\qckefnga.ini
C:\WINDOWS\system32\rnidwvpe.ini
C:\WINDOWS\system32\xdbepana.ini
D:\Autorun.inf
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_DOMAINSERVICE
-------\Service_DomainService

(((((((((((((((((((((((((   Files Created from 2008-02-28 to 2008-03-29  )))))))))))))))))))))))))))))))
.
2008-03-29 15:10 . 2008-03-29 15:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-29 15:10 . 2008-03-29 15:10 <DIR> d-------- C:\Documents and Settings\Bilal\Application Data\SUPERAntiSpyware.com
2008-03-29 15:10 . 2008-03-29 15:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-29 15:09 . 2008-03-29 15:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-29 15:01 . 2008-03-29 15:01 <DIR> d-------- C:\Program Files\CCleaner
2008-03-20 23:35 . 2004-08-04 12:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-03-20 23:34 . 2004-08-04 12:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-03-20 23:33 . 2004-08-04 12:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-03-20 23:32 . 2004-08-04 12:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-03-20 23:31 . 2004-05-13 00:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-03-20 23:26 . 2008-03-20 23:26 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-03-20 23:25 . 2008-03-20 23:25 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-03-20 23:25 . 2008-03-20 23:25 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-03-20 23:25 . 2008-03-20 23:25 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-03-20 23:25 . 2008-03-20 23:25 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-03-20 23:25 . 2008-03-20 23:25 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-03-20 23:14 . 2004-08-03 22:31 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2008-03-20 19:58 . 2008-03-20 19:58 0 --a------ C:\WINDOWS\system32\geedeefcyvspmjg
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 15:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\BullGuard
2008-03-29 14:57 --------- d-----w C:\Documents and Settings\Bilal\Application Data\AppDate
2008-02-18 17:47 --------- d-----w C:\Documents and Settings\Bilal\Application Data\Talkback
2008-02-18 17:46 51,152 ----a-w C:\WINDOWS\system32\drivers\BdFileSpy.sys
2008-02-15 16:34 22,016 ----a-w C:\Documents and Settings\Bilal\Application Data\ssqrpqpm.dll
2008-02-15 16:34 22,016 ----a-w C:\Documents and Settings\Bilal\~tmp1147.exe
2008-02-11 23:16 --------- d-----w C:\Documents and Settings\Bilal\Application Data\Azureus
2008-02-11 22:50 --------- d-----w C:\Program Files\SopCast
2008-02-11 14:28 --------- d-----w C:\Documents and Settings\Bilal\Application Data\BullGuard
2008-02-07 02:03 --------- d-----w C:\Program Files\BullGuard Ltd
2008-02-07 01:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-07 01:26 --------- d-----w C:\Program Files\RAR Password Cracker
2008-02-07 01:25 --------- d-----w C:\Program Files\Virgin Broadband
2008-02-07 01:25 --------- d-----w C:\Program Files\MacroVirus
2008-02-07 01:25 --------- d-----w C:\Documents and Settings\Bilal\Application Data\MacroVirus
2008-02-07 01:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Virgin Broadband
2008-02-04 03:05 --------- d-----w C:\Program Files\Symantec
2008-02-04 02:48 --------- d-----w C:\Program Files\InstallShield Installation Information
2008-02-04 02:45 --------- d-----w C:\Documents and Settings\Bilal\Application Data\Virgin Broadband
2008-02-04 01:41 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-04 01:41 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-04 01:39 --------- d-----w C:\Program Files\FLV Player
2008-02-04 01:39 --------- d-----w C:\Documents and Settings\Bilal\Application Data\AVG7
2008-02-04 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7(2)
2008-02-04 01:27 --------- d-----w C:\Program Files\Common Files\Real
2008-02-02 18:35 --------- d-----w C:\Documents and Settings\Bilal\Application Data\U3
2008-02-01 21:07 --------- d-----w C:\Program Files\DivX
2008-01-27 22:33 10 ----a-w C:\Program Files\.autoreg
2007-07-03 13:54 23,402,288 ----a-w C:\Program Files\AdbeRdr810_en_US.exe
.
 
 
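Added example, not part of this thread and not ComboFix code: a Python triage script that applies to ComboFix-style log lines the checks a log helper makes by eye on output like the post above. It flags Run values that are not a program path at all (which is what makes rundll32 complain that a module could not be found), Run entries that launch a DLL or for which ComboFix recorded no file details, LSA "Notification Packages" beyond the stock scecli (every DLL listed there is loaded into lsass.exe), Security Center monitoring and the Windows Firewall switched off, and files of identical size written in the same minute to different directories. The sample lines are constructed from entries in this thread's logs (the non-ASCII Run value is reduced to ASCII and ~tmp1147.exe is rewritten in "Files Created" form); the finding labels are the script's own.

```python
"""Triage helper for ComboFix-style log lines (added example, not ComboFix code)."""
import re
from collections import defaultdict

# "Files Created" lines: <created> . <modified> <size or <DIR>> <attrs> <path>
FILE_LINE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2} "
    r"(?:(?P<size>[\d,]+)|<DIR>) (?P<attrs>[\w-]{9}) (?P<path>.+)$"
)
# REGEDIT4-style Run values: "name"="value" [file details, empty when none were found]
RUN_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)" \[(?P<info>[^\]]*)\]$')
WIN_PATH = re.compile(r"^[A-Za-z]:\\")
BARE_EXE = re.compile(r"^[\w.-]+\.exe$", re.IGNORECASE)
DLL_PATH = re.compile(r"[A-Za-z]:\\.*?\.dll", re.IGNORECASE)
DEFAULT_LSA_PACKAGES = {"scecli"}  # the only notification package on a stock XP client
SAME_DROP = "same size written in the same minute to different directories"


def triage(lines):
    """Return (finding, detail) tuples for the entries a helper would look at first."""
    findings = []
    by_time_and_size = defaultdict(set)  # (created minute, size) -> paths
    for raw in lines:
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            size, path = m.group("size"), m.group("path")
            if size is None:  # directory entry
                continue
            if size == "0" and "." not in path.rsplit("\\", 1)[-1]:
                findings.append(("zero-byte extensionless file", path))
            elif size != "0":
                by_time_and_size[(m.group("created"), size)].add(path)
            continue
        m = RUN_LINE.match(line)
        if m:
            name, value, info = m.group("name"), m.group("value"), m.group("info")
            what = f"{name} -> {value}"
            if not WIN_PATH.match(value) and not BARE_EXE.match(value):
                # rundll32 is handed binary junk instead of a path
                findings.append(("Run value is not a program path", what))
            else:
                if value.lower().endswith(".dll"):
                    findings.append(("Run entry loads a DLL", what))
                if not info.strip():
                    findings.append(("Run entry without file details (target missing?)", what))
            continue
        if line.startswith("Notification Packages") and "REG_MULTI_SZ" in line:
            rest = line.split("REG_MULTI_SZ", 1)[1]
            # paths contain spaces, so pull them out with the regex, then split what is left
            packages = set(DLL_PATH.findall(rest)) | set(DLL_PATH.sub(" ", rest).split())
            for pkg in sorted(packages - DEFAULT_LSA_PACKAGES):
                findings.append(("non-default LSA notification package (loads into lsass.exe)", pkg))
            continue
        if line.startswith('"DisableMonitoring"=dword:') and not line.endswith("00000000"):
            findings.append(("Security Center monitoring disabled", line))
        elif line.startswith('"EnableFirewall"=') and line.split("=", 1)[1].strip().startswith("0"):
            findings.append(("Windows Firewall disabled", line))
    for (created, size), paths in by_time_and_size.items():
        if len({p.rsplit("\\", 1)[0].lower() for p in paths}) >= 2:
            findings.append((SAME_DROP, f"{size} bytes at {created}: " + "; ".join(sorted(paths))))
    return findings


# Constructed sample, adapted from the ComboFix logs in this thread; the non-ASCII
# Run value is reduced to ASCII and ~tmp1147.exe is written in "Files Created" form.
SAMPLE_LOG = r"""
2008-02-15 17:34 . 2008-02-15 17:34 22,016 --a------ C:\WINDOWS\system32\pmnlllkh.dll
2008-02-15 17:34 . 2008-02-15 17:34 22,016 --a------ C:\Documents and Settings\Bilal\Application Data\ssqrpqpm.dll
2008-02-15 17:34 . 2008-02-15 17:34 22,016 --a------ C:\Documents and Settings\Bilal\~tmp1147.exe
2008-03-20 20:58 . 2008-03-20 20:58 0 --a------ C:\WINDOWS\system32\geedeefcyvspmjg
2008-03-30 15:32 . 2008-03-30 16:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"gebyxyaxur"="C:\WINDOWS\system32\pmnlllkh.dll" [2008-02-15 17:34 22016]
"50de3a25"="C:\WINDOWS\system32\mkdapyto.dll" [ ]
"awvvwwxuro"="=5%i*%040XY<%K{xxxZ9xx" []
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 19:54 65536 C:\WINDOWS\SOUNDMAN.EXE]
Notification Packages REG_MULTI_SZ scecli C:\Documents and Settings\Bilal\Application Data\ssqrpqpm.dll C:\Documents and Settings\Bilal\Application Data\ssqrpqpm.dll
"DisableMonitoring"=dword:00000001
"EnableFirewall"= 0 (0x0)
"""
SAMPLE_LINES = [l for l in SAMPLE_LOG.splitlines() if l.strip()]

if __name__ == "__main__":
    for finding, detail in triage(SAMPLE_LINES):
        print(f"{finding}: {detail}")
```

Every hit is a lead, not a verdict: the five 749-byte *.manifest files written at 23:25 in the log above satisfy the same-size rule just as well, and empty brackets next to a Run entry can simply mean uninstalled software left its autostart behind. What the script buys is an order in which to read a 700-line log, with the entries that load code into lsass.exe or explorer.exe at the top.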
 

Touch
Forum Moderator




Date Joined Jun 2004
Total Posts : 14307
 
   Posted 3-29-2008 7:45 (GMT +1)
Hello cool
 
 
 
Download LSPFix from:
 http://cexx.org/lspfix.zip
Once LSP-Fix is downloaded, extract it to your desktop.
Close all windows on your computer.
Launch/start lspfix.
Put a checkmark in the 'I know what I'm doing' checkbox.
Now move any instances of "wsock3.dll" into the remove box using the >> button.
Press the finish button.

Then reboot.
 
 
Go to Start  - Control Panel  -  Add-Remove Programs
Remove the following if found or any variation:

One of your antivirus programs.

"Having more than one antivirus program active in memory uses additional resources, can result in program conflicts, will typically cause your computer to crash, and will provide less protection, not more."
 
 
 
Download DrWebCureit:
 
to your desktop.
 
 
Plug ALL your external drives/sticks in.
 
Double-click "drweb-cureit.exe" and click "Start" in the prompt window that opens, asking "start the express scan now".
It will first make a quick scan of your system; let it clean what it finds, and when it says "done",
click on Options -> Change settings.
 
Actions tab - Adware, Dialers, Riskware, Hacktools: use the dropdown menu and select Rename.
Click Apply - OK.
Click on the Scan tab. Move the dot from Express scan to Complete Scan. Click on the green arrow to the right. It will now scan your drive(s); say yes to all.
 
After the scan, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
 
Reboot your computer!! Files in use may be moved/deleted during the reboot.
 
 
 
Please download Malwarebytes' Anti-Malware to your desktop.
 
Double-click mbam-setup.exe and follow the prompts to install the program.
 
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
 
If an update is found, it will download and install the latest version.
 
Once the program has loaded, select Perform full scan, then click Scan.
 
When the scan is complete, click OK, then Show Results to view the results.
 
Be sure that everything is checked, and click Remove Selected.
 
When completed, a log will open in Notepad. Please save it to a convenient location.
 
 
Copy and paste that log into your next reply, along with the DrWeb log, a new ComboFix log and a HijackThis log.
 
 
 



Do NOT post your problem in someone else's thread.

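The LSPFix step in the reply above works on the Winsock 2 provider catalog, which Windows keeps under HKLM\SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries, one subkey per provider with a binary PackedCatalogItem value. Added example, not LSPFix's code and not part of this thread: a Python script that decodes those blobs (assuming the layout where the first 260 bytes hold the provider DLL path as a NUL-terminated ANSI string, with the protocol info structure after it), lists every provider, and marks anything that is not a stock XP provider living under system32 for review. The sample catalog is constructed: mswsock.dll and rsvpsp.dll are the providers a stock XP install registers, and the wsock3.dll entry mirrors the DLL the reply says to remove. On Windows the script reads the live catalog; elsewhere it runs against the sample.

```python
"""Audit Winsock LSP catalog entries (added example; not LSPFix's own code)."""
import ntpath
import sys

MAX_PATH = 260
# Assumption used here: a PackedCatalogItem blob starts with the provider DLL path as a
# NUL-terminated ANSI string in a MAX_PATH-byte field; the WSAPROTOCOL_INFO data follows.
# Providers a stock Windows XP machine lists in Protocol_Catalog9.
KNOWN_GOOD = {"mswsock.dll", "rsvpsp.dll"}


def pack_catalog_item(dll_path, protocol_info=b"\x00" * 16):
    """Build a PackedCatalogItem-style blob (protocol info stubbed; only the path is parsed back)."""
    raw = dll_path.encode("latin-1")
    if len(raw) >= MAX_PATH:
        raise ValueError("provider path does not fit in the MAX_PATH field")
    return raw.ljust(MAX_PATH, b"\x00") + protocol_info


def unpack_dll_path(blob):
    """Recover the provider DLL path from the first MAX_PATH bytes of the blob."""
    if len(blob) < MAX_PATH:
        raise ValueError("blob shorter than the MAX_PATH path field")
    return blob[:MAX_PATH].split(b"\x00", 1)[0].decode("latin-1")


def audit_catalog(entries, system_root=r"C:\WINDOWS"):
    """entries: {catalog entry key name: PackedCatalogItem bytes}.
    Returns [(entry, dll path, verdict)] in catalog order; verdict is "ok" only for
    a known Windows provider living under system32, otherwise "REVIEW"."""
    system32 = ntpath.join(system_root, "system32").lower() + "\\"
    results = []
    for entry in sorted(entries):
        path = unpack_dll_path(entries[entry])
        expanded = path.replace("%SystemRoot%", system_root)  # the catalog stores the variable form
        base = ntpath.basename(expanded).lower()
        ok = base in KNOWN_GOOD and expanded.lower().startswith(system32)
        results.append((entry, path, "ok" if ok else "REVIEW"))
    return results


def read_live_catalog():
    """Windows only: read Protocol_Catalog9 from the registry."""
    import winreg
    key = r"SYSTEM\CurrentControlSet\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries"
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as cat:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(cat, index)
            except OSError:  # no more subkeys
                break
            with winreg.OpenKey(cat, name) as sub:
                entries[name] = winreg.QueryValueEx(sub, "PackedCatalogItem")[0]
            index += 1
    return entries


# Constructed catalog: three stock providers plus the wsock3.dll entry the reply above
# tells the poster to remove. Entry names follow the 12-digit form the registry uses.
SAMPLE_CATALOG = {
    "000000000001": pack_catalog_item(r"%SystemRoot%\system32\mswsock.dll"),
    "000000000002": pack_catalog_item(r"%SystemRoot%\system32\mswsock.dll"),
    "000000000003": pack_catalog_item(r"%SystemRoot%\system32\rsvpsp.dll"),
    "000000000004": pack_catalog_item(r"C:\WINDOWS\system32\wsock3.dll"),
}

if __name__ == "__main__":
    catalog = read_live_catalog() if sys.platform == "win32" else SAMPLE_CATALOG
    for entry, path, verdict in audit_catalog(catalog):
        print(f"{entry}  {verdict:6}  {path}")
```

REVIEW means look it up, not delete it: third-party firewalls and some security products register LSPs legitimately, and a known name outside system32 is also flagged because a DLL only has to share the name. Do not remove an entry by hand in the registry, since the remaining chain then no longer matches the catalog's counters; use LSPFix as the reply says, or on XP SP2 and later `netsh winsock reset`, which rebuilds the catalog to defaults.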
 

Titchymichy
New Member


Date Joined Mar 2008
Total Posts : 6
 
   Posted 3-29-2008 8:11 (GMT +1)
Thanks Touch!  I will give this a go in the morning & post results.  Fingers crossed :-)
 

Titchymichy
New Member


Date Joined Mar 2008
Total Posts : 6
 
   Posted 3-30-2008 6:13 (GMT +1)
Hi

On start-up I'm still getting the following rundll errors:
error loading=5%i* the specified module could not be found
error loading c:\programs\system32\mkdapyto.dll

I can't find mkdapyto.dll anywhere.

Haven't been able to run DrWebCureit. Here are my other new logs if that helps.

Malwarebytes' Anti-Malware 1.09
Database version: 507

Scan type: Quick Scan
Objects scanned: 1
Time elapsed: 3 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


ComboFix 08-03-25.4 - Bilal 2008-03-30 17:06:25.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.353 [GMT 1:00]
Running from: G:\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\Bilal\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Bilal\Favorites\Online Security Guide.lnk
.
---- Previous Run -------
.
C:\Documents and Settings\Bilal\Application Data\FunWebProducts
C:\Documents and Settings\Bilal\Application Data\FunWebProducts\Data\Bilal\avatar.dat
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common-x.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\include.js
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\index.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loader.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loading.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\logo.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\window.ico
C:\Program Files\MyWebSearch\bar\Cache\000210BF
C:\Program Files\MyWebSearch\bar\Cache\000403D5
C:\Program Files\MyWebSearch\bar\Cache\00040636
C:\Program Files\MyWebSearch\bar\Cache\000EF374
C:\Program Files\MyWebSearch\bar\Cache\00143BBF.bin
C:\Program Files\MyWebSearch\bar\Cache\00143FF5
C:\Program Files\MyWebSearch\bar\Cache\001C9D03.bin
C:\Program Files\MyWebSearch\bar\Cache\001CACC2.bin
C:\Program Files\MyWebSearch\bar\Cache\001CAF14.bin
C:\Program Files\MyWebSearch\bar\Cache\001CB07B.bin
C:\Program Files\MyWebSearch\bar\Cache\001CB1E2.bin
C:\Program Files\MyWebSearch\bar\Cache\002CCE75
C:\Program Files\MyWebSearch\bar\Cache\0067F680.bin
C:\Program Files\MyWebSearch\bar\Cache\00681294.bin
C:\Program Files\MyWebSearch\bar\Cache\0068138E.bin
C:\Program Files\MyWebSearch\bar\Cache\006814D6.bin
C:\Program Files\MyWebSearch\bar\Cache\00F40BB5.bin
C:\Program Files\MyWebSearch\bar\Cache\00F40D0D.bin
C:\Program Files\MyWebSearch\bar\Cache\00F40ED2.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\Words
C:\Program Files\Words\list.txt
C:\Program Files\Words\script.txt
C:\WINDOWS\BM53ed09b9.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aisojrbe.ini
C:\WINDOWS\system32\alog.txt
C:\WINDOWS\system32\cmds.txt
C:\WINDOWS\system32\conf.dat
C:\WINDOWS\system32\eavjfkhf.ini
C:\WINDOWS\system32\ehhkj.ini2
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\fhvjuxef.ini
C:\WINDOWS\system32\file.exe
C:\WINDOWS\system32\gjbdwfot.ini
C:\WINDOWS\system32\jqrjnlfy.ini
C:\WINDOWS\system32\lywrvtkk.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msvcrtd.exe
C:\WINDOWS\system32\ndudvnbk.ini
C:\WINDOWS\system32\otypadkm.ini
C:\WINDOWS\system32\pagxddbh.ini
C:\WINDOWS\system32\qckefnga.ini
C:\WINDOWS\system32\rnidwvpe.ini
C:\WINDOWS\system32\xdbepana.ini
D:\Autorun.inf

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DOMAINSERVICE
-------\Service_DomainService


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-30 15:32 . 2008-03-30 16:06 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-30 15:32 . 2008-03-30 15:32 <DIR> d-------- C:\Documents and Settings\Bilal\Application Data\Malwarebytes
2008-03-30 15:32 . 2008-03-30 15:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-29 17:32 . 2008-03-29 17:32 <DIR> d-------- C:\HJT
2008-03-29 16:10 . 2008-03-29 16:10 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-29 16:10 . 2008-03-29 16:10 <DIR> d-------- C:\Documents and Settings\Bilal\Application Data\SUPERAntiSpyware.com
2008-03-29 16:10 . 2008-03-29 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-29 16:09 . 2008-03-29 16:09 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-29 16:01 . 2008-03-29 16:01 <DIR> d-------- C:\Program Files\CCleaner
2008-03-21 00:35 . 2004-08-04 13:00 482,304 --a--c--- C:\WINDOWS\system32\dllcache\pintlgnt.ime
2008-03-21 00:34 . 2004-08-04 13:00 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-03-21 00:33 . 2004-08-04 13:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll
2008-03-21 00:32 . 2004-08-04 13:00 2,134,528 --a--c--- C:\WINDOWS\system32\dllcache\smtpsnap.dll
2008-03-21 00:31 . 2004-05-13 01:39 876,653 --a--c--- C:\WINDOWS\system32\dllcache\fp4awel.dll
2008-03-21 00:26 . 2008-03-21 00:26 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest
2008-03-21 00:25 . 2008-03-21 00:25 749 -rah----- C:\WINDOWS\WindowsShell.Manifest
2008-03-21 00:25 . 2008-03-21 00:25 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest
2008-03-21 00:25 . 2008-03-21 00:25 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest
2008-03-21 00:25 . 2008-03-21 00:25 749 -rah----- C:\WINDOWS\system32\nwc.cpl.manifest
2008-03-21 00:25 . 2008-03-21 00:25 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest
2008-03-21 00:14 . 2004-08-03 23:31 20,992 --a------ C:\WINDOWS\system32\drivers\RTL8139.sys
2008-03-20 20:58 . 2008-03-20 20:58 0 --a------ C:\WINDOWS\system32\geedeefcyvspmjg
2008-02-22 23:04 . 2008-02-22 23:04 268 --ah----- C:\sqmdata14.sqm
2008-02-22 23:04 . 2008-02-22 23:04 244 --ah----- C:\sqmnoopt14.sqm
2008-02-22 18:20 . 2008-02-22 18:20 268 --ah----- C:\sqmdata13.sqm
2008-02-22 18:20 . 2008-02-22 18:20 244 --ah----- C:\sqmnoopt13.sqm
2008-02-18 18:47 . 2008-02-18 18:47 <DIR> d-------- C:\Documents and Settings\Bilal\Application Data\Talkback
2008-02-15 17:34 . 2008-03-30 16:35 <DIR> d-------- C:\Documents and Settings\Bilal\Application Data\AppDate
2008-02-15 17:34 . 2008-02-15 17:34 22,016 --a------ C:\WINDOWS\system32\pmnlllkh.dll
2008-02-15 17:34 . 2008-02-15 17:34 22,016 --a------ C:\Documents and Settings\Bilal\Application Data\ssqrpqpm.dll
2008-02-15 17:34 . 2008-03-30 17:14 341 --a------ C:\WINDOWS\system32\awvtrrqo
2008-02-11 23:49 . 2008-02-11 23:50 <DIR> d-------- C:\Program Files\SopCast
2008-02-07 19:53 . 2008-02-07 19:53 268 --ah----- C:\sqmdata12.sqm
2008-02-07 19:53 . 2008-02-07 19:53 244 --ah----- C:\sqmnoopt12.sqm
2008-02-07 04:44 . 2008-02-07 04:44 268 --ah----- C:\sqmdata11.sqm
2008-02-07 04:44 . 2008-02-07 04:44 244 --ah----- C:\sqmnoopt11.sqm
2008-02-07 03:10 . 2008-02-07 03:10 268 --ah----- C:\sqmdata10.sqm
2008-02-07 03:10 . 2008-02-07 03:10 244 --ah----- C:\sqmnoopt10.sqm
2008-02-07 03:05 . 2008-03-30 16:03 <DIR> d-------- C:\Documents and Settings\Bilal\Application Data\BullGuard
2008-02-07 03:03 . 2008-02-07 03:03 <DIR> d-------- C:\Program Files\BullGuard Ltd
2008-02-07 03:03 . 2008-03-30 16:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BullGuard
2008-02-07 03:03 . 2008-02-18 18:46 51,152 --a------ C:\WINDOWS\system32\drivers\BdFileSpy.sys
2008-02-07 02:25 . 2008-02-07 02:25 <DIR> d-------- C:\WINDOWS\system32\Resource
2008-02-06 18:57 . 2008-02-06 18:57 1 --a------ C:\WINDOWS\system32\cookie1.dat
2008-02-04 19:34 . 2008-02-04 19:34 268 --ah----- C:\sqmdata09.sqm
2008-02-04 19:34 . 2008-02-04 19:34 244 --ah----- C:\sqmnoopt09.sqm
2008-02-04 19:02 . 2008-02-04 19:02 268 --ah----- C:\sqmdata08.sqm
2008-02-04 19:02 . 2008-02-04 19:02 244 --ah----- C:\sqmnoopt08.sqm
2008-02-04 05:54 . 2008-02-04 05:54 268 --ah----- C:\sqmdata07.sqm
2008-02-04 05:54 . 2008-02-04 05:54 244 --ah----- C:\sqmnoopt07.sqm
2008-02-04 05:10 . 2008-02-04 05:10 268 --ah----- C:\sqmdata06.sqm
2008-02-04 05:10 . 2008-02-04 05:10 244 --ah----- C:\sqmnoopt06.sqm
2008-02-04 03:45 . 2008-02-04 03:45 <DIR> d-------- C:\Documents and Settings\Bilal\Application Data\Virgin Broadband
2008-02-04 03:44 . 2008-02-07 02:25 <DIR> d-------- C:\Program Files\Virgin Broadband
2008-02-04 03:44 . 2008-02-07 02:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Virgin Broadband
2008-02-04 03:28 . 2008-02-07 02:25 <DIR> d-------- C:\Program Files\MacroVirus
2008-02-04 03:28 . 2008-02-07 02:25 <DIR> d-------- C:\Documents and Settings\Bilal\Application Data\MacroVirus
2008-02-04 02:29 . 2008-02-04 02:29 <DIR> d-------- C:\WINDOWS\LastGood(2)
2008-02-02 19:41 . 2008-02-25 19:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-02 19:41 . 2008-02-02 19:41 1,409 --a------ C:\WINDOWS\QTFont.for

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-11 23:16 --------- d-----w C:\Documents and Settings\Bilal\Application Data\Azureus
2008-02-07 01:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-02-07 01:26 --------- d-----w C:\Program Files\RAR Password Cracker
2008-02-04 03:05 --------- d-----w C:\Program Files\Symantec
2008-02-04 02:48 --------- d-----w C:\Program Files\InstallShield Installation Information
2008-02-04 01:41 --------- d-----w C:\Program Files\Norton AntiVirus
2008-02-04 01:41 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-02-04 01:39 --------- d-----w C:\Program Files\FLV Player
2008-02-04 01:39 --------- d-----w C:\Documents and Settings\Bilal\Application Data\AVG7
2008-02-04 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7(2)
2008-02-04 01:27 --------- d-----w C:\Program Files\Common Files\Real
2008-02-02 18:35 --------- d-----w C:\Documents and Settings\Bilal\Application Data\U3
2008-02-01 21:07 --------- d-----w C:\Program Files\DivX
2008-01-27 22:33 10 ----a-w C:\Program Files\.autoreg
2007-07-03 13:54 23,402,288 ----a-w C:\Program Files\AdbeRdr810_en_US.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F47B2E1-3C71-49FF-A853-D9637C7DDC3B}]
C:\WINDOWS\jkkjghgd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-10-28 17:25 94208]
"PcSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [ ]
"Router"="C:\Program Files\Router\Router.exe" [ ]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-02-29 17:03 1481968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-09-03 08:04 84640]
"osCheck"="C:\Program Files\Norton AntiVirus\osCheck.exe" [2006-09-06 02:22 26248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41 282624]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-04-27 11:25 257088]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 20:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 19:30 517768]
"BullGuard"="C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" [2008-02-18 18:46 304456]
"gebyxyaxur"="C:\WINDOWS\system32\pmnlllkh.dll" [2008-02-15 17:34 22016]
"50de3a25"="C:\WINDOWS\system32\mkdapyto.dll" [ ]
"awvvwwxuro"="=5%ì•°ìy%040XœY<%K{xxxŠZü9xx" []
"oppqqpmnli"="=5%ì•°ìy%AŠŠA Z 9ü9xx" []
"SoundMan"="SOUNDMAN.EXE" [2004-01-08 19:54 65536 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli C:\Documents and Settings\Bilal\Application Data\ssqrpqpm.dll C:\Documents and Settings\Bilal\Application Data\ssqrpqpm.dll C:\Documents and Settings\Bilal\Application Data\ssqrpqpm.dll C:\Documents and Settings\Bilal\Application Data\ssqrpqpm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=

R2 BdFileSpy;BullGuard File Monitor Driver;C:\WINDOWS\system32\drivers\BdFileSpy.sys [2008-02-18 18:46]
R2 BsFileScan;BullGuard File Scan Service;C:\WINDOWS\System32\svchost.exe [2004-08-04 13:00]
R2 BsFire;BullGuard Firewall Service;C:\WINDOWS\System32\svchost.exe [2004-08-04 13:00]
R3 afw;Agnitum firewall driver;C:\WINDOWS\system32\DRIVERS\afw.sys [2007-11-28 11:42]
S3 AutorunDirectIO;AutorunDirectIO;F:\AUTORUN\DIODrvr.sys []
S3 BGRaSvc;BGRaSvc;"C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe" [2007-12-20 10:48]
S3 Reconn;BullGuard Email Monitor;C:\Program Files\BullGuard Ltd\BullGuard\Reconn.sys [2007-10-29 09:08]
S3 W700bus;Sony Ericsson W700 Driver driver (WDM);C:\WINDOWS\system32\DRIVERS\W700bus.sys [2005-12-23 15:12]
S3 W700mdfl;Sony Ericsson W700 USB WMC Modem Filter;C:\WINDOWS\system32\DRIVERS\W700mdfl.sys [2005-12-23 15:13]
S3 W700mdm;Sony Ericsson W700 USB WMC Modem Driver;C:\WINDOWS\system32\DRIVERS\W700mdm.sys [2005-12-23 15:13]
S3 W700mgmt;Sony Ericsson W700 USB WMC Device Management Drivers (WDM);C:\WINDOWS\system32\DRIVERS\W700mgmt.sys [2005-12-23 15:14]
S3 W700obex;Sony Ericsson W700 USB WMC OBEX Interface;C:\WINDOWS\system32\DRIVERS\W700obex.sys [2005-12-23 15:15]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
BullGuard REG_MULTI_SZ BgMainSvc BsFileScan BsMailProxy BsFire

.
Contents of the 'Scheduled Tasks' folder
"2007-10-28 12:56:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-02-18 03:00:00 C:\WINDOWS\Tasks\MacroVirus Scheduled Scan.job"
- C:\Program Files\MacroVirus\MacroVirus.ex
- C:\Program Files\MacroVirus
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 17:13:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\Documents and Settings\Bilal\Application Data\ssqrpqpm.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\pmnlllkh.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-30 17:17:32 - machine was rebooted [Bilal]
ComboFix-quarantined-files.txt 2008-03-30 16:17:25
.
2008-02-26 00:44:36 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:20:53, on 30/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\HJT\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2F47B2E1-3C71-49FF-A853-D9637C7DDC3B} - C:\WINDOWS\jkkjghgd.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton AntiVirus\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [BullGuard] "C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe" -boot
O4 - HKLM\..\Run: [gebyxyaxur] Rundll32.exe "C:\WINDOWS\system32\pmnlllkh.dll",s
O4 - HKLM\..\Run: [50de3a25] rundll32.exe "C:\WINDOWS\system32\mkdapyto.dll",b
O4 - HKLM\..\Run: [awvvwwxuro] Rundll32.exe "=5%ì•"°ìy%040XœY<%K{xxxŠZü9xx",s
O4 - HKLM\..\Run: [oppqqpmnli] Rundll32.exe "=5%ì•"°ìy%AŠŠA Z 9ü9xx",s
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZJxdm027YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174690111187
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BullGuard LiveUpdate (BgLiveSvc) - BullGuard Ltd. - C:\Program Files\BullGuard Ltd\BullGuard\BullGuardUpdate.exe
O23 - Service: BGRaSvc - BullGuard - C:\Program Files\BullGuard Ltd\BullGuard\support\bgrasvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8119 bytes

Touch
Forum Moderator
Date Joined Jun 2004
Total Posts : 14307

Posted 4-1-2008 2:50 (GMT +1)
Go to Start - Control Panel - Add or Remove Programs
Remove:

One of your antivirus programs

 
"Having more than one antivirus program active in memory uses additional resources and can result in program conflicts, will typically cause your computer to crash, and will provide less protection, not more."
 
Run Malwarebytes' Anti-Malware again, with the settings ->
 
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
 
Be sure that everything is checked, and click Remove Selected.
 
 
 
Open notepad and copy/paste the text in the quote box below into it:
Quote:
-----------------------------------------------------
KILLALL::
 
Snapshot::
 
File::
C:\WINDOWS\system32\geedeefcyvspmjg
C:\WINDOWS\system32\pmnlllkh.dll
C:\Documents and Settings\Bilal\Application Data\ssqrpqpm.dll
C:\WINDOWS\system32\awvtrrqo
C:\Program Files\RAR Password Cracker
C:\WINDOWS\jkkjghgd.dll
 
Folder::
C:\Documents and Settings\Bilal\Application Data\Azureus
C:\Program Files\RAR Password Cracker
 
 
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gebyxyaxur"=-
"50de3a25"=-
"awvvwwxuro"=-
"oppqqpmnli"=-
----------------------------------------------
 
Save this as CFScript.txt
 
 
At this point, You MUST EXIT ALL BROWSERS NOW before continuing!
Referring to the picture above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system.
It may reboot your system when it finishes. This is normal.
 
 
 
Post a new HijackThis log along with a fresh ComboFix log and the Malwarebytes' Anti-Malware log.

Do NOT post your problem in someone else's thread.

Post Edited (Touch) : 01-04-2008 01:53:00 GMT
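An added triage script for the log in this thread. It is not part of either post and not a HijackThis or ComboFix tool: it reads the O2 and O4 lines the way the moderator did, flags the four rundll32 Run entries and the orphan BHO, and emits File:: and Registry:: sections in the CFScript format shown in the reply above. Assumptions not stated on the page: the HijackThis v2 line layout for O2/O4 entries, and that CFScript's Registry:: section deletes a value with the "name"=- syntax visible above. The "random name" heuristic is my own, and the two garbled Run values are reconstructed with escape sequences because the original bytes did not survive the page.

```python
"""Triage a pasted HijackThis log and emit a CFScript section for what it flags.

Example code for this thread, not a tool from HijackThis or ComboFix.
Sample lines are copied from the log above; the two garbled Run values are
constructed stand-ins for the ones on the page."""
import re

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*?)( \(file missing\))?$")
DLL_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.dll)', re.IGNORECASE)
RUNDLL_RE = re.compile(r"rundll32(\.exe)?\b", re.IGNORECASE)
RUN_KEY = {  # HijackThis hive abbreviation -> full key for the Registry:: section
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
}

# Constructed sample: real lines from the log above plus two garbled values.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {2F47B2E1-3C71-49FF-A853-D9637C7DDC3B} - C:\WINDOWS\jkkjghgd.dll (file missing)",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll",
    r"O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe",
    r'O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"',
    r'O4 - HKLM\..\Run: [gebyxyaxur] Rundll32.exe "C:\WINDOWS\system32\pmnlllkh.dll",s',
    r'O4 - HKLM\..\Run: [50de3a25] rundll32.exe "C:\WINDOWS\system32\mkdapyto.dll",b',
    'O4 - HKLM\\..\\Run: [awvvwwxuro] Rundll32.exe "=5%\x95\xb0\x05y%040X\x9cY<%K",s',  # garbled (constructed)
    'O4 - HKLM\\..\\Run: [oppqqpmnli] Rundll32.exe "=5%\x95\xb0\x05y%A\x8a\x8aA Z",s',   # garbled (constructed)
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r"O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog",
])


def looks_random(token):
    """Heuristic (my own) for machine-generated names such as pmnlllkh or 50de3a25:
    a bare alphanumeric token of 7+ chars that is hex-like, nearly vowel-free, or
    holds a run of 4+ consonants. Real names (NeroFilterCheck, iTunesHelper) have
    more vowels and shorter consonant runs, so they pass."""
    t = token.lower()
    if len(t) < 7 or not t.isalnum():
        return False
    if re.fullmatch(r"[0-9a-f]+", t) and any(c.isdigit() for c in t):
        return True
    letters = [c for c in t if c.isalpha()]
    vowel_ratio = sum(c in "aeiouy" for c in letters) / max(len(letters), 1)
    return vowel_ratio < 0.2 or re.search(r"[^aeiouy\d]{4}", t) is not None


def garbled(data):
    """Control or non-ASCII bytes where a command line should be: the value was
    overwritten with binary junk and cannot be a legitimate Run entry."""
    return any(ord(c) < 32 or ord(c) > 126 for c in data)


def basename_stem(path):
    """'C:\\WINDOWS\\system32\\pmnlllkh.dll' -> 'pmnlllkh'"""
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]


def triage(log_text):
    """Return (findings, cfscript). findings is a list of (log line, reasons).
    Only HKLM/HKCU Run entries and BHOs are parsed; HKUS and Global Startup
    lines are left for manual review."""
    findings, run_values, files = [], {}, []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, name, data = m.groups()
            dll = DLL_RE.search(data)
            reasons = []
            if garbled(data):
                reasons.append("binary junk where a command line should be")
            if looks_random(name):
                reasons.append("machine-generated value name")
            if RUNDLL_RE.match(data) and dll and looks_random(basename_stem(dll.group(1))):
                reasons.append("rundll32 loading a random-named DLL")
            if reasons:
                findings.append((line, reasons))
                run_values.setdefault(RUN_KEY[hive], []).append(name)
                if dll:
                    files.append(dll.group(1))
            continue
        m = O2_RE.match(line)
        if m:
            _name, _clsid, path, missing = m.groups()
            if missing or looks_random(basename_stem(path)):
                findings.append((line, ["BHO whose DLL is missing" if missing else "random-named BHO DLL"]))
                files.append(path)
    # Mirror the moderator's layout: File:: for the DLL paths, Registry:: to
    # delete the Run values that load them ("name"=- deletes a value).
    script = ["KILLALL::", "", "File::", *files, "", "Registry::"]
    for key, names in run_values.items():
        script.append(f"[{key}]")
        script.extend(f'"{n}"=-' for n in names)
    return findings, "\n".join(script)


if __name__ == "__main__":
    found, cfscript = triage(SAMPLE_LOG)
    for entry, why in found:
        print(f"{entry}\n    -> {', '.join(why)}")
    print("\n" + cfscript)
```

Run against the sample it flags exactly the four HKLM entries the moderator removed (gebyxyaxur, 50de3a25, awvvwwxuro, oppqqpmnli) plus the orphan jkkjghgd.dll BHO, and leaves NeroFilterCheck, SunJavaUpdateSched, SoundMan and PcSync alone. The generated block is a starting point to review by hand, not something to feed to ComboFix blind: the heuristic says nothing about entries that use ordinary-looking names, and the O2 entry itself still needs HijackThis' "Fix checked" or a manual key deletion.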


Titchymichy
New Member
Date Joined Mar 2008
Total Posts : 6

Posted 4-1-2008 8:43 (GMT +1)
Cheers! Done all that, and now all the DLL errors have disappeared; below are my new logs:
 
Hijackthis:
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:28:16, on 01/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program F