# HijackThis problem I have, please



## texaspete

I have that devil virus zlob.pornadvertiser.ba and I don't know how to get rid of it. Could someone help me out? But I don't know a lot of tech stuff about PCs.

Please help, because it's causing hell for me.

I get messages saying I have zlob.pornadvertiser.ba. Also my background is blue with a yellow box saying install antivirus, and I also have these porn video boxes saying explicit porn, and if I delete it another one pops up.

help help

texaspete


----------



## G25r8cer

Are you on Vista? You should first try doing a System Restore, but that probably won't help. Download, install and run HijackThis and post the log it creates.

http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis


----------



## Punk

Hello,

*Click here* to download *HJTsetup.exe*
Save HJTsetup.exe to your desktop.
Double click on the HJTsetup.exe icon on your desktop.
By default it will install to C:\Program Files\Hijack This.
Continue to click *Next* in the setup dialogue boxes until you get to the *Select Additional Tasks* dialogue.
Put a check by *Create a desktop icon* then click *Next* again.
Continue to follow the rest of the prompts from there.
At the final dialogue box click *Finish* and it will launch Hijack This.
Click on the *Do a system scan and save a log file* button. It will scan and then ask you to save the log.
Click *Save* to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
*DO NOT* have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Then please do this:

Please download *SmitfraudFix* (by *S!Ri*)

    Double-click *SmitfraudFix.exe*.
    Select option #1 - *Search* by typing *1* and press "*Enter*"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

If the tool fails to launch from the Desktop, please move *SmitfraudFix.exe* directly to the root of the system drive (usually *C:*), and launch from there.

*Note* : *process.exe* is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm

To sum up, in your next reply I'll need the:

Hijackthis log
SmitFraudFix log


----------



## texaspete

*Hello Punk, these are the logs*

Thanks for helping

Logfile of HijackThis v1.99.1
Scan saved at 18:30:09, on 04/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q304&bd=pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O1 - Hosts: 207.7.142.44 iwalton.com
O1 - Hosts: 207.7.142.44 www.iwalton.com
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &WinSec Toolbar - {3F5A62E2-51F2-11D3-A075-CC7364CAE42A} - C:\WINDOWS\system32\wscmp.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Lorna Hubbard\Local Settings\Temporary Internet Files\Content.IE5\T3ZB5TSE\setup_sbd_en[1].exe
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKLM\..\Run: [BM428dfb51] Rundll32.exe "C:\WINDOWS\System32\mgqfpmpy.dll",s
O4 - HKLM\..\Run: [41bec8cd] rundll32.exe "C:\WINDOWS\System32\jbclavhv.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\YSTEM~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [Gxyb] "C:\Program Files\S?mantec\t?skmgr.exe"
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [NoDNS] C:\Program Files\\NoDNS\\NoDNS.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ieupdate] "C:\WINDOWS\system32\ieupdates.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm011YYGB
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q304&bd=pavilion&pf=laptop
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TG9ybmEgSHViYmFyZA\command.exe (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

SmitFraudFix v2.309

Scan done at 18:34:43.53, 04/04/2008
Run from C:\Program Files\Mozilla Firefox\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Peter D Martin


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Peter D Martin\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\PETERD~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files 


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL"
"LoadAppInit_DLLs"=dword:00000001


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 194.168.4.100
DNS Server Search Order: 194.168.8.100

HKLM\SYSTEM\CCS\Services\Tcpip\..\{2CD15553-59BF-4BE7-B269-E96CBA23C351}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\..\{2CD15553-59BF-4BE7-B269-E96CBA23C351}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\..\{2CD15553-59BF-4BE7-B269-E96CBA23C351}: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=194.168.4.100 194.168.8.100


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


----------
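The log above already contains the patterns an experienced reader scans for by eye: Run values with machine-generated names that load random DLLs through rundll32 and a one-letter export, a winlogon.exe copy under a look-alike folder, paths with characters HijackThis prints as `?`, a legacy win.ini `run=` entry, a hosts-file redirect to a remote IP, rogue-AV domains added to the IE Trusted Zone, and an orphaned service whose folder name is base64. The script below is an added example, not part of the thread and not HijackThis's own code; it encodes those checks as heuristics and runs them over a constructed excerpt modelled on the posted log (the profile name in the [SBI] path is replaced by `User`). The rule names, regexes and thresholds are this example's own assumptions.

```python
"""Heuristic triage of HijackThis log lines (added example, not the thread's own tooling)."""
import base64
import re
from typing import List, Optional, Set, Tuple

# Constructed excerpt modelled on the log posted above (profile name replaced by "User").
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [My Web Search Bar] rundll32 C:\PROGRA~1\MYWEBS~1\bar\1.bin\MWSBAR.DLL,S
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\T3ZB5TSE\setup_sbd_en[1].exe
O4 - HKLM\..\Run: [BM428dfb51] Rundll32.exe "C:\WINDOWS\System32\mgqfpmpy.dll",s
O4 - HKLM\..\Run: [41bec8cd] rundll32.exe "C:\WINDOWS\System32\jbclavhv.dll",b
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\YSTEM~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [Gxyb] "C:\Program Files\S?mantec\t?skmgr.exe"
F3 - REG:win.ini: run="C:\WINDOWS\system32\winupdate.exe"
O1 - Hosts: 207.7.142.44 iwalton.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TG9ybmEgSHViYmFyZA\command.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

SYSTEM_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "smss.exe", "explorer.exe", "userinit.exe"}
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
TEMP_MARKERS = ("temporary internet files", "\\temp\\", "\\local settings\\temp")
RUN_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<value>.+)$")
F3_RE = re.compile(r"^F3 - REG:win\.ini: run=(?P<value>.+)$")
HOSTS_RE = re.compile(r"^O1 - Hosts: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<host>\S+)")
TZ_RE = re.compile(r"^O15 - Trusted Zone: (?P<domain>\S+)")
SVC_RE = re.compile(r"^O23 - Service: (?P<desc>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.(?:exe|dll|scr|cpl|com|bat|cmd)\b', re.I)
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<entry>\S+)$', re.I)
HEXNAME_RE = re.compile(r"^[A-Za-z]{0,2}[0-9a-fA-F]{8,}$")  # machine-generated names such as 41bec8cd, BM428dfb51
B64_RE = re.compile(r"^[A-Za-z0-9+/]{12,}$")
UPDATE_LOOKALIKE_RE = re.compile(r"^(?:win|ie|windows)update", re.I)  # XP's real update client is wuauclt.exe

def decode_b64_component(component: str) -> Optional[str]:
    """Plaintext if a path component is base64 of printable ASCII (e.g. an encoded user name), else None."""
    if not B64_RE.match(component):
        return None
    try:
        raw = base64.b64decode(component + "=" * (-len(component) % 4), validate=True)
    except ValueError:  # binascii.Error is a ValueError: bad padding or impossible length
        return None
    return raw.decode("ascii") if raw and all(32 <= b < 127 for b in raw) else None

def check_path(path: str) -> List[Tuple[str, str]]:
    """Rules that look only at the executable path taken from an autorun or service entry."""
    hits, low = [], path.lower()
    directory, _, basename = low.rpartition("\\")
    if "?" in path:  # HijackThis prints non-ASCII look-alike characters as '?'
        hits.append(("homoglyph", "path contains look-alike characters (shown as '?')"))
    if basename in SYSTEM_BINARIES and directory not in SYSTEM_DIRS:
        hits.append(("sysname", f"{basename} is a Windows system binary name but runs from {directory}"))
    if UPDATE_LOOKALIKE_RE.match(basename):
        hits.append(("lookalike", f"{basename} impersonates an update component"))
    if any(marker in low for marker in TEMP_MARKERS):
        hits.append(("tempdir", "autorun points into a temp or browser-cache directory"))
    for component in path.split("\\"):
        decoded = decode_b64_component(component)
        if decoded is not None:
            hits.append(("b64dir", f"path component {component} is base64 for {decoded!r}"))
    return hits

def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (rule, reason, line) findings; a benign line yields none."""
    findings: List[Tuple[str, str, str]] = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        path: Optional[str] = None
        if m := RUN_RE.match(line):
            name, value = m.group("name"), m.group("value")
            if HEXNAME_RE.match(name):
                findings.append(("hexname", f"Run value name {name!r} looks machine-generated", line))
            if (r := RUNDLL_RE.match(value)) and len(r.group("entry")) == 1:
                findings.append(("rundll", f"rundll32 loads {r.group('dll')} through a one-letter export", line))
            path = (p := PATH_RE.search(value)) and p.group(0)
        elif m := F3_RE.match(line):
            findings.append(("winini", "legacy win.ini run= entry, rarely used by legitimate software", line))
            path = (p := PATH_RE.search(m.group("value"))) and p.group(0)
        elif m := HOSTS_RE.match(line):
            if m.group("ip") not in ("127.0.0.1", "0.0.0.0"):
                findings.append(("hosts", f"hosts file sends {m.group('host')} to {m.group('ip')}", line))
        elif m := TZ_RE.match(line):
            findings.append(("trustedzone", f"{m.group('domain')} added to the IE Trusted Zone", line))
        elif m := SVC_RE.match(line):
            path = m.group("path")
            if m.group("missing"):
                findings.append(("service", f"service binary missing (owner: {m.group('owner')})", line))
        if path:
            findings.extend((rule, reason, line) for rule, reason in check_path(path))
    return findings

def rules_for(findings: List[Tuple[str, str, str]], fragment: str) -> Set[str]:
    """Rule ids raised on the lines that contain `fragment`."""
    return {rule for rule, _, line in findings if fragment in line}

if __name__ == "__main__":
    print(*(f"[{rule}] {reason}\n    {line}" for rule, reason, line in triage(SAMPLE_LOG)), sep="\n")
```

These are heuristics, not verdicts. An entry that trips no rule is not thereby clean: the JavaCore and NoDNS Run entries in the posted log trip none of them, yet both directories appear in ComboFix's deletion list further down. Conversely, the Trusted Zone rule will also flag domains an administrator added on purpose, and the base64 check decodes the cmdService folder name to the machine's user profile name, which is the kind of detail to note in the write-up rather than act on by itself.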



## G25r8cer

Looks like you're running two antiviruses! Bad thing to do! Uninstall one.


----------



## texaspete

Uninstalled one. Now what do I do, Punk?


----------



## texaspete

I meant Punk the user. I did what you said; is it bad?

Cheers


----------



## G25r8cer

texaspete said:


> I meant Punk the user. I did what you said; is it bad?
> 
> Cheers



LOL, yeah, I didn't get that at first until I saw the other user's name. Anyway, he is probably much better at this than me.


----------



## Punk

I'd like to see a combofix log please:

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply.
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

ComboFix should never take more than 20 minutes, including the reboot if malware is detected.
If it does, open *Task Manager* (press Ctrl, Alt and Del at the same time), go to the *Processes* tab and end any processes named *findstr, find, sed or swreg*; then ComboFix should continue.
If that happens we want to know, and also which process you had to end.


----------



## texaspete

*Thanks for getting back to me, Punk*

This is the log from ComboFix

ComboFix 08-04-03.5 - Peter D Martin 2008-04-04 22:51:03.1 - NTFSx86
Running from: C:\Documents and Settings\Peter D Martin\Desktop\ComboFix.exe
 * Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Peter D Martin\Application Data\FunWebProducts
C:\Documents and Settings\Peter D Martin\Application Data\macromedia\Flash Player\#SharedObjects\BY6KGHKJ\iforex.com
C:\Documents and Settings\Peter D Martin\Application Data\macromedia\Flash Player\#SharedObjects\BY6KGHKJ\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Peter D Martin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Peter D Martin\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\Peter D Martin\My Documents\FNTS~1
C:\Documents and Settings\Peter D Martin\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Peter D Martin\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Peter D Martin\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\asembl~1
C:\Program Files\Common Files\ppatch~1
C:\Program Files\Common Files\pppatc~1
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\PopSwatr\History\allowed
C:\Program Files\FunWebProducts\PopSwatr\History\notallow
C:\Program Files\FunWebProducts\Shared\Cache\AvatarSmallBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn-new.html
C:\Program Files\FunWebProducts\Shared\Cache\FunBuddyIconBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MailStampBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyFunCardsIMBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\MyStationeryBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\WebfettiBtn.html
C:\Program Files\Hewlett-Packard\xubaci89104.dll
C:\Program Files\inetget2
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\1.bin\F3BKGERR.JPG
C:\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3CJPEG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR
C:\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL
C:\Program Files\MyWebSearch\bar\1.bin\F3SPACER.WMV
C:\Program Files\MyWebSearch\bar\1.bin\F3WALLPP.DAT
C:\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3FFXTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3IMPIPE.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.JAR
C:\Program Files\MyWebSearch\bar\1.bin\M3NTSTBR.MANIFEST
C:\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL
C:\Program Files\MyWebSearch\bar\1.bin\M3SKPLAY.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE
C:\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
C:\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL
C:\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL
C:\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL
C:\Program Files\MyWebSearch\bar\Avatar\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Cache\000502F5
C:\Program Files\MyWebSearch\bar\Cache\0017FE36
C:\Program Files\MyWebSearch\bar\Cache\002456DB
C:\Program Files\MyWebSearch\bar\Cache\003E4095
C:\Program Files\MyWebSearch\bar\Cache\005AB187.bin
C:\Program Files\MyWebSearch\bar\Cache\005AB3AA.bin
C:\Program Files\MyWebSearch\bar\Cache\005AB511.bin
C:\Program Files\MyWebSearch\bar\Cache\006BAC83.bin
C:\Program Files\MyWebSearch\bar\Cache\007F0390.bin
C:\Program Files\MyWebSearch\bar\Cache\007F05D2.bin
C:\Program Files\MyWebSearch\bar\Cache\007F0891.bin
C:\Program Files\MyWebSearch\bar\Cache\007F1543.bin
C:\Program Files\MyWebSearch\bar\Cache\007F164D
C:\Program Files\MyWebSearch\bar\Cache\00A983B0.bin
C:\Program Files\MyWebSearch\bar\Cache\00A985A4.bin
C:\Program Files\MyWebSearch\bar\Cache\00A99341.bin
C:\Program Files\MyWebSearch\bar\Cache\00A994C7.bin
C:\Program Files\MyWebSearch\bar\Cache\00A9A254.bin
C:\Program Files\MyWebSearch\bar\Cache\files.ini
C:\Program Files\MyWebSearch\bar\Game\CHECKERS.F3S
C:\Program Files\MyWebSearch\bar\Game\CHESS.F3S
C:\Program Files\MyWebSearch\bar\Game\REVERSI.F3S
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\icons\CM.ICO
C:\Program Files\MyWebSearch\bar\icons\MFC.ICO
C:\Program Files\MyWebSearch\bar\icons\PSS.ICO
C:\Program Files\MyWebSearch\bar\icons\SMILEY.ICO
C:\Program Files\MyWebSearch\bar\icons\WB.ICO
C:\Program Files\MyWebSearch\bar\icons\ZWINKY.ICO
C:\Program Files\MyWebSearch\bar\Message\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\COMMON.F3S
C:\Program Files\MyWebSearch\bar\Notifier\DOG.F3S
C:\Program Files\MyWebSearch\bar\Notifier\FISH.F3S
C:\Program Files\MyWebSearch\bar\Notifier\KUNGFU.F3S
C:\Program Files\MyWebSearch\bar\Notifier\LIFEGARD.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAID.F3S
C:\Program Files\MyWebSearch\bar\Notifier\MAILBOX.F3S
C:\Program Files\MyWebSearch\bar\Notifier\OPERA.F3S
C:\Program Files\MyWebSearch\bar\Notifier\ROBOT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SEDUCT.F3S
C:\Program Files\MyWebSearch\bar\Notifier\SURFER.F3S
C:\Program Files\MyWebSearch\bar\Settings\prevcfg2.htm
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL
C:\Program Files\network monitor
C:\Program Files\NoDNS
C:\Program Files\NoDNS\UnInstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\smante~1
C:\Program Files\Temporary
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\sanR24
C:\Temp\sanR24\lDii.log
C:\WINDOWS\BM428dfb51.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\System32\awvvu.dll
C:\WINDOWS\system32\bjbcqufv.dll
C:\WINDOWS\system32\buvigkhr.dll
C:\WINDOWS\system32\chcngsah.dll
C:\WINDOWS\system32\diyjepwa.dll
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\fcsgovrt.dll
C:\WINDOWS\system32\fujrdftv.dll
C:\WINDOWS\system32\gueyaoye.dll
C:\WINDOWS\system32\hmwxxnei.dll
C:\WINDOWS\system32\hoxrulwt.dll
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\jbclavhv.dll
C:\WINDOWS\system32\kfquoiyb.dll
C:\WINDOWS\system32\lgkxmnlt.ini
C:\WINDOWS\system32\lktakvyg.dll
C:\WINDOWS\system32\lutcgcba.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mgqfpmpy.dll
C:\WINDOWS\system32\mkwmciyg.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qcceipys.ini
C:\WINDOWS\system32\shdohvuv.dll
C:\WINDOWS\system32\srqffjjc.dll
C:\WINDOWS\system32\sypieccq.dll
C:\WINDOWS\system32\tbkrsbsp.dll
C:\WINDOWS\system32\tlnmxkgl.dll
C:\WINDOWS\system32\tswqmjrm.dll
C:\WINDOWS\system32\tuvvwwu.dll
C:\WINDOWS\system32\twlurxoh.ini
C:\WINDOWS\system32\uovsxpbx.dll
C:\WINDOWS\system32\upjoxenc.dll
C:\WINDOWS\system32\uvvwa.ini
C:\WINDOWS\system32\uvvwa.ini2
C:\WINDOWS\system32\vhvalcbj.ini
C:\WINDOWS\system32\vpioktre.dll
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\wqkimido.dll
C:\WINDOWS\system32\wscmp.dll
C:\WINDOWS\system32\xuykdcfq.dll
C:\WINDOWS\system32\xwyvpdtj.dll
C:\WINDOWS\system32\ydagxkgh.dll
C:\WINDOWS\system32\yeihpnsv.dll
C:\WINDOWS\system32\yfhbyanl.dll
C:\WINDOWS\system32\yhenxmhf.dll
C:\WINDOWS\system32\ystem~1
C:\WINDOWS\system32\ystem~1\?ystem\
C:\WINDOWS\TG9ybmEgSHViYmFyZA\

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Legacy_NTLOAD
-------\Service_cmdService
-------\Service_Network Monitor
-------\Service_ntload


(((((((((((((((((((((((((   Files Created from 2008-03-04 to 2008-04-04  )))))))))))))))))))))))))))))))
.

2008-04-04 21:52 . 2008-04-04 21:52	269,334	--a------	C:\WINDOWS\system32\sjadgjmlsjml.bmp
2008-04-04 19:30 . 2008-04-04 19:30	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-04-04 19:30 . 2008-04-04 19:30	1,409	--a------	C:\WINDOWS\QTFont.for
2008-04-04 18:34 . 2007-09-05 23:22	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2008-04-04 18:34 . 2006-04-27 16:49	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2008-04-04 18:34 . 2008-03-28 23:19	86,528	--a------	C:\WINDOWS\system32\VACFix.exe
2008-04-04 18:34 . 2008-03-26 08:50	82,432	--a------	C:\WINDOWS\system32\IEDFix.exe
2008-04-04 18:34 . 2003-06-05 20:13	53,248	--a------	C:\WINDOWS\system32\Process.exe
2008-04-04 18:34 . 2004-07-31 17:50	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2008-04-04 18:34 . 2007-10-03 23:36	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe
2008-04-04 18:34 . 2008-04-04 18:34	6,328	--a------	C:\WINDOWS\system32\tmp.reg
2008-04-04 18:28 . 2008-04-04 18:30	<DIR>	d--------	C:\Hijackthis
2008-04-04 18:19 . 2008-04-04 18:19	53,312	--a------	C:\WINDOWS\system32\kcfaxaqk.dll
2008-04-04 16:02 . 2008-04-04 16:02	269,334	--a------	C:\WINDOWS\system32\nmtcn.bmp
2008-04-03 22:19 . 2008-04-03 22:19	269,334	--a------	C:\WINDOWS\system32\tobeh.bmp
2008-04-03 22:09 . 2008-04-03 22:09	269,334	--a------	C:\WINDOWS\system32\atojqtsb.bmp
2008-04-03 19:44 . 2008-04-03 19:44	269,334	--a------	C:\WINDOWS\system32\nepgf.bmp
2008-04-03 17:50 . 2008-04-03 17:50	<DIR>	d--------	C:\Program Files\Enigma Software Group
2008-04-03 17:24 . 2008-04-03 17:24	0	--a------	C:\WINDOWS\system32\sex2.ico.tmp
2008-04-03 16:57 . 2008-04-03 16:57	0	--a------	C:\WINDOWS\system32\sex1.ico.tmp
2008-04-03 16:50 . 2008-04-03 16:50	269,334	--a------	C:\WINDOWS\system32\retgr.bmp
2008-04-02 19:05 . 2008-04-02 19:05	269,334	--a------	C:\WINDOWS\system32\obitkjmpcj.bmp
2008-04-02 18:41 . 2008-04-02 18:41	269,334	--a------	C:\WINDOWS\system32\grihsfalkjqd.bmp
2008-04-02 16:37 . 2008-04-02 16:37	269,334	--a------	C:\WINDOWS\system32\dgrmtojipsn.bmp
2008-04-02 16:24 . 2008-04-02 16:24	269,334	--a------	C:\WINDOWS\system32\filcb.bmp
2008-04-02 16:15 . 2008-04-02 16:15	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 16:02 . 2008-04-02 19:08	3,262	--a------	C:\WINDOWS\system32\sex5.ico
2008-04-02 16:02 . 2008-04-02 19:07	3,262	--a------	C:\WINDOWS\system32\sex4.ico
2008-04-02 16:01 . 2008-04-02 19:07	3,262	--a------	C:\WINDOWS\system32\sex3.ico
2008-04-02 16:01 . 2008-04-02 19:06	3,262	--a------	C:\WINDOWS\system32\sex2.ico
2008-04-02 16:00 . 2008-04-04 18:18	2,114,456	---hs----	C:\WINDOWS\system32\gntaukud.ini
2008-04-02 15:59 . 2008-04-02 19:09	3,262	--a------	C:\WINDOWS\system32\sex1.ico
2008-04-02 15:56 . 2008-04-02 15:56	269,334	--a------	C:\WINDOWS\system32\dgril.bmp
2008-04-01 20:36 . 2008-04-01 20:36	37,376	-ra------	C:\WINDOWS\mrofinu1000106.exe
2008-04-01 15:57 . 2008-04-01 15:57	269,334	--a------	C:\WINDOWS\system32\atsnehsfatkf.bmp
2008-03-31 22:19 . 2008-04-02 15:59	1,602,328	---hs----	C:\WINDOWS\system32\auujtkso.ini
2008-03-31 22:12 . 2008-03-31 22:12	269,334	--a------	C:\WINDOWS\system32\rqtsnidofil.bmp
2008-03-31 17:07 . 2008-03-31 17:07	269,334	--a------	C:\WINDOWS\system32\ilcbahsrap.bmp
2008-03-30 21:59 . 2008-03-30 21:59	269,334	--a------	C:\WINDOWS\system32\sjqlknepgbqp.bmp
2008-03-30 19:23 . 2008-03-31 22:14	1,597,592	---hs----	C:\WINDOWS\system32\mjillbmv.ini
2008-03-30 19:20 . 2008-03-30 19:20	269,334	--a------	C:\WINDOWS\system32\pkrqpcf.bmp
2008-03-28 17:55 . 2008-03-28 17:55	269,334	--a------	C:\WINDOWS\system32\bidcjadsnmtgb.bmp
2008-03-27 18:49 . 2008-03-28 18:07	1,444,668	---hs----	C:\WINDOWS\system32\ysdhmfef.ini
2008-03-27 18:48 . 2008-03-27 18:48	269,334	--a------	C:\WINDOWS\system32\behob.bmp
2008-03-27 13:15 . 2008-03-27 13:15	269,334	--a------	C:\WINDOWS\system32\jelcrqt.bmp
2008-03-27 13:04 . 2008-03-27 18:49	1,389,477	---hs----	C:\WINDOWS\system32\iiiubefs.ini
2008-03-27 13:04 . 2008-03-27 13:04	269,334	--a------	C:\WINDOWS\system32\hkjmhofqdsr.bmp
2008-03-27 13:01 . 2005-03-10 13:06	88,064	--a------	C:\WINDOWS\system32\CddbLangE.dll
2008-03-27 12:58 . 2008-03-27 12:58	269,334	--a------	C:\WINDOWS\system32\lgratsbat.bmp
2008-03-25 22:59 . 2008-03-25 22:59	269,334	--a------	C:\WINDOWS\system32\hcnedsrmt.bmp
2008-03-25 22:59 . 2008-03-25 22:59	18,432	--a------	C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
2008-03-25 22:22 . 2008-03-27 13:00	1,493,721	---hs----	C:\WINDOWS\system32\hvhrpelt.ini
2008-03-25 21:52 . 2008-03-25 22:20	1,472,400	---hs----	C:\WINDOWS\system32\yjgqcmdp.ini
2008-03-25 18:23 . 2008-04-02 16:27	<DIR>	d--------	C:\Program Files\CPV
2008-03-24 23:37 . 2008-03-24 23:37	53,312	--a------	C:\WINDOWS\system32\aehpnphm.dll
2008-03-24 23:31 . 2008-03-25 21:52	1,472,220	---hs----	C:\WINDOWS\system32\gfylausq.ini
2008-03-24 18:03 . 2008-03-24 23:31	1,579,008	---hs----	C:\WINDOWS\system32\psvhfusx.ini
2008-03-24 18:03 . 2008-03-24 18:03	53,312	--a------	C:\WINDOWS\system32\osghwfve.dll
2008-03-23 15:51 . 2008-03-24 18:02	1,543,771	---hs----	C:\WINDOWS\system32\rkwvoywa.ini
2008-03-22 15:59 . 2008-03-23 10:34	1,430,692	---hs----	C:\WINDOWS\system32\rpeiolea.ini
2008-03-20 23:56 . 2008-03-28 17:56	<DIR>	d--------	C:\Program Files\nvcoi
2008-03-20 23:56 . 2008-03-22 15:58	1,468,006	---hs----	C:\WINDOWS\system32\hfddtbbr.ini
2008-03-19 22:42 . 2008-03-19 22:42	<DIR>	d--------	C:\Program Files\Panicware
2008-03-19 22:36 . 2008-03-20 23:55	1,538,904	---hs----	C:\WINDOWS\system32\drromsvp.ini
2008-03-18 22:27 . 2008-03-19 22:27	1,526,137	---hs----	C:\WINDOWS\system32\ascjqioi.ini
2008-03-18 21:32 . 2008-03-19 22:42	9,662	--a------	C:\WINDOWS\system32\ZoneAlarmIconUK.ico
2008-03-17 18:39 . 2008-03-17 16:39	66,560	--a------	C:\WINDOWS\b155.exe
2008-03-16 22:17 . 2008-03-16 22:17	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-16 22:09 . 2008-03-18 21:23	1,526,135	---hs----	C:\WINDOWS\system32\xeoqocqx.ini
2008-03-16 22:01 . 2008-03-16 22:01	63	--a------	C:\WINDOWS\system32\41beda43
2008-03-16 21:56 . 2008-04-02 21:16	<DIR>	d--------	C:\WINDOWS\system32\hz7
2008-03-16 21:56 . 2008-04-02 18:34	<DIR>	d--------	C:\WINDOWS\system32\cam2
2008-03-16 21:56 . 2008-03-16 21:56	<DIR>	d--------	C:\WINDOWS\system32\bx21
2008-03-14 18:26 . 2008-03-14 18:26	<DIR>	d--------	C:\WINDOWS\provisioning
2008-03-14 18:26 . 2008-03-14 18:37	<DIR>	d--------	C:\WINDOWS\peernet
2008-03-14 17:55 . 2008-03-14 17:55	<DIR>	d--------	C:\WINDOWS\ServicePackFiles
2008-03-14 17:46 . 2004-08-03 23:42	20,480	--a------	C:\WINDOWS\system32\sprecovr.exe
2008-03-14 17:43 . 2004-07-17 12:40	19,528	--a------	C:\WINDOWS\002333_.tmp
2008-03-14 17:34 . 2002-12-11 17:34	997,888	--a------	C:\WINDOWS\system32\wmvdmoe2.dll
2008-03-14 17:33 . 2006-02-27 13:32	2,479,616	--a------	C:\WINDOWS\system32\dllcache\msoeres.dll
2008-03-14 17:30 . 2008-03-14 17:30	<DIR>	d--------	C:\WINDOWS\EHome
2008-03-14 17:07 . 2007-06-13 20:07	16,896	--a------	C:\WINDOWS\system32\grwinsthlp.exe
2008-03-14 17:07 . 2008-03-14 17:07	248	--a------	C:\UnInstall.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 22:00	---------	d-----w	C:\Program Files\Hewlett-Packard
2008-04-01 16:38	---------	d-----w	C:\Documents and Settings\Peter D Martin\Application Data\Audacity
2008-03-23 19:28	---------	d-----w	C:\Program Files\MSN Messenger
2008-03-19 22:44	---------	d-----w	C:\Program Files\Google
2008-03-19 21:25	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-03-19 21:25	---------	d-----w	C:\Program Files\EPSON
2008-03-19 21:23	---------	d-----w	C:\Program Files\IKEA HomePlanner
2008-03-18 20:33	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-03-14 16:09	---------	d-----w	C:\Program Files\Canon
2008-03-14 16:05	---------	d-----w	C:\Program Files\DivX
2006-11-19 20:50	78,424	----a-w	C:\Documents and Settings\Lorna Hubbard\Application Data\GDIPFONTCACHEV1.DAT
2005-03-15 17:44	0	----a-w	C:\Documents and Settings\Peter D Martin\Application Data\wklnhst.dat
2005-12-06 19:31	56	--sh--r	C:\WINDOWS\system32\1607371D5C.sys
2006-01-16 17:58	1,994	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2004-02-06 18:05  588288  4f64d1df989e3aa2fad91a2f1167b9c7	C:\WINDOWS\$NtUninstallKB918899-IE6SP1-20060725.123917$\wininet.dll
2004-08-04 08:56  656384  c0823fc5469663ba63e7db88f9919d70	C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wininet.dll
2006-04-28 10:58  575488  3d5062a7667913b9b515cc5769e9fb31	C:\WINDOWS\SoftwareDistribution\Download\49afa2a0b3ea87b912cc10130c63a60f\rtmgdr\wininet.dll
2006-04-28 18:48  587264  5f4e89c8b4903acbba2f4b32cf1ed3ad	C:\WINDOWS\SoftwareDistribution\Download\49afa2a0b3ea87b912cc10130c63a60f\RTMQFE\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\SoftwareDistribution\Download\cb88c3740b7bdbe6238a3381da220dae\rtmgdr\wininet.dll
2006-06-23 19:29  587776  40f777875dfa05cd61fd1e8a593be8e9	C:\WINDOWS\SoftwareDistribution\Download\cb88c3740b7bdbe6238a3381da220dae\RTMQFE\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\SoftwareDistribution\Download\cfab6bea01ff38473d99ea9faefb37c0\rtmgdr\wininet.dll
2006-06-23 19:29  587776  40f777875dfa05cd61fd1e8a593be8e9	C:\WINDOWS\SoftwareDistribution\Download\cfab6bea01ff38473d99ea9faefb37c0\RTMQFE\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\system32\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\system32\dllcache\wininet.dll

2003-03-06 10:30  162432  09b38768036508b51564201afb000950	C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2003-03-31 03:00  167552  3b350e5a2a5e951453f3993275a4523a	C:\WINDOWS\$NtUninstallQ815485$\ndis.sys
2003-03-06 10:30  162432  09b38768036508b51564201afb000950	C:\WINDOWS\Driver Cache\i386\ndis.sys
2004-08-04 07:14  182912  558635d3af1c7546d26067d5d9b6959e	C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ndis.sys
2003-03-06 10:30  162432  09b38768036508b51564201afb000950	C:\WINDOWS\system32\drivers\ndis.sys
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}]
2008-04-02 16:27	51200	--a------	C:\Program Files\CPV\CPV7.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B0B59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-03-24 23:37	53312	--a------	C:\WINDOWS\System32\aehpnphm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
2008-04-04 18:19	53312	--a------	C:\WINDOWS\System32\kcfaxaqk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4015CEC3-5A06-788E-0460-5200B9C88BC5}]
			C:\WINDOWS\System32\hmmudlk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{711ECE46-C7E0-422C-A9E0-BCBC634E06E7}]
2005-03-10 13:06	88064	--a------	C:\WINDOWS\System32\CddbLangE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8E241359-F85C-48B6-859A-86C0F9A52C4C}]
			C:\Program Files\Hewlett-Packard\qubaki.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [ ]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 22:22 3739648]
"Aaou"="C:\WINDOWS\System32\YSTEM~1\winlogon.exe" [ ]
"Gxyb"="C:\Program Files\S?mantec\t?skmgr.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-29 18:02 68856]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [2008-03-20 23:56 57344]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 12:10 536576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-06-17 21:48 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-06-17 21:43 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-26 18:15 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-26 18:15 536576]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-22 19:55 483328]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-04-30 10:32 208958]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-05-27 20:28 278528]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-10 00:11 50688]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-03-22 23:15 26112]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 02:10 409600]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-12-24 03:33 188416]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58 229952]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-12-14 02:06 495616]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-15 17:05 1838592]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 17:16 376912]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"SBI"="C:\Documents and Settings\Lorna Hubbard\Local Settings\Temporary Internet Files\Content.IE5\T3ZB5TSE\setup_sbd_en[1].exe" [ ]
"BluetoothAuthorizationAgent"="C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe" [2008-03-25 22:59 18432]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [2008-01-23 14:47 847872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-03-31 03:00 13312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-29 18:02 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\System32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2007-06-11 21:34 190696]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-8796-100000000002}\SC_Acrobat.exe [2005-11-30 21:22:58 25214]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.LEAD"= LCODCCMP.DLL
"MSVideo8"= VfWWDM32.dll


.
Contents of the 'Scheduled Tasks' folder
"2008-03-24 23:18:36 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 23:09:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????????A?p?????????? ???B???????????????B? ?????? 

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
.
**************************************************************************
.
Completion time: 2008-04-04 23:18:23 - machine was rebooted [Peter D Martin]
ComboFix-quarantined-files.txt  2008-04-04 22:18:12
Pre-Run: 6,874,923,008 bytes free
Post-Run: 12,382,310,400 bytes free
.
2008-03-16 11:13:52	--- E O F ---


----------



## Punk

Hey,
Can you please post a *new* Hijackthis log? How is your computer running now?


----------



## texaspete

*new log*

It's running good at the mo, I think you've done it! Thank you so much. How can I stop this for the future?

Logfile of HijackThis v1.99.1
Scan saved at 09:19:28, on 05/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\System32\aehpnphm.dll
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\System32\kcfaxaqk.dll
O2 - BHO: (no name) - {4015CEC3-5A06-788E-0460-5200B9C88BC5} - C:\WINDOWS\System32\hmmudlk.dll (file missing)
O2 - BHO: (no name) - {711ECE46-C7E0-422C-A9E0-BCBC634E06E7} - C:\WINDOWS\System32\CddbLangE.dll
O2 - BHO: 0 - {8E241359-F85C-48B6-859A-86C0F9A52C4C} - C:\Program Files\Hewlett-Packard\qubaki.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Lorna Hubbard\Local Settings\Temporary Internet Files\Content.IE5\T3ZB5TSE\setup_sbd_en[1].exe
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\YSTEM~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [Gxyb] "C:\Program Files\S?mantec\t?skmgr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm011YYGB
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q304&bd=pavilion&pf=laptop
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## Punk

We are not done yet, still some malicious files.

*Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).*

Note: This program is for use on Windows XP *32 bit* systems only, and must be run from an Administrator account.


Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, click *OK*.
Click *Format*, and ensure *Word Wrap* is unchecked.
Copy and Paste the text in the box below into *Notepad*.
Now save the file as *RemoveFiles.txt* in a location where you can find it.



> Files to delete:
> C:\WINDOWS\System32\aehpnphm.dll
> C:\WINDOWS\System32\kcfaxaqk.dll



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system.

Start *Avenger* by double clicking on *Avenger.exe*.

Check *Load script from file:*
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*.
Double click it to enter it into Avenger.
Click the *green traffic light symbol*.
You will be asked if you want to execute the script, answer *Yes*.
At this point you may get prompts from your protection systems, allow them please.
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
Answer *Yes*, and allow your computer to re-boot.
Upon re-boot a command window will briefly appear on screen (this is normal).
A Notepad text file will be created *C:\avenger.txt*.
*Copy and Paste it into your next post please.*

Please post a new Hijackthis log along with the Avenger log


----------



## texaspete

*avenger log*

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\System32\aehpnphm.dll" deleted successfully.
File "C:\WINDOWS\System32\kcfaxaqk.dll" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.


----------



## Punk

Hello, can you please post a new Hijackthis log?


----------



## texaspete

*hijack log*

Logfile of HijackThis v1.99.1
Scan saved at 18:56:27, on 05/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\System32\aehpnphm.dll (file missing)
O2 - BHO: (no name) - {2F7A19F5-40B9-41B5-990A-B0363E14E1CD} - C:\WINDOWS\System32\CddbLangE.dll
O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\System32\kcfaxaqk.dll (file missing)
O2 - BHO: (no name) - {4015CEC3-5A06-788E-0460-5200B9C88BC5} - C:\WINDOWS\System32\hmmudlk.dll (file missing)
O2 - BHO: (no name) - {711ECE46-C7E0-422C-A9E0-BCBC634E06E7} - C:\WINDOWS\System32\CddbLangE.dll
O2 - BHO: 0 - {8E241359-F85C-48B6-859A-86C0F9A52C4C} - C:\Program Files\Hewlett-Packard\qubaki.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Lorna Hubbard\Local Settings\Temporary Internet Files\Content.IE5\T3ZB5TSE\setup_sbd_en[1].exe
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\YSTEM~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [Gxyb] "C:\Program Files\S?mantec\t?skmgr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm011YYGB
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q304&bd=pavilion&pf=laptop
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## Punk

Ok we're doing better right now, let's fix some Hijackthis lines:

Open Hijackthis, this time click on Do a Scan.
Place a checkmark next to those lines:


> O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\System32\aehpnphm.dll (file missing)
> O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\System32\kcfaxaqk.dll (file missing)
> O2 - BHO: (no name) - {4015CEC3-5A06-788E-0460-5200B9C88BC5} - C:\WINDOWS\System32\hmmudlk.dll (file missing)
> O2 - BHO: 0 - {8E241359-F85C-48B6-859A-86C0F9A52C4C} - C:\Program Files\Hewlett-Packard\qubaki.dll (file missing)
> O15 - Trusted Zone: *.amaena.com
> O15 - Trusted Zone: *.avsystemcare.com
> O15 - Trusted Zone: *.gomyhit.com
> O15 - Trusted Zone: *.imageservr.com
> O15 - Trusted Zone: *.imagesrvr.com
> O15 - Trusted Zone: *.onerateld.com
> O15 - Trusted Zone: *.safetydownload.com
> O15 - Trusted Zone: *.storageguardsoft.com
> O15 - Trusted Zone: *.trustedantivirus.com
> O15 - Trusted Zone: *.virusschlacht.com
> O15 - Trusted Zone: *.amaena.com (HKLM)
> O15 - Trusted Zone: *.avsystemcare.com (HKLM)
> O15 - Trusted Zone: *.gomyhit.com (HKLM)
> O15 - Trusted Zone: *.imageservr.com (HKLM)
> O15 - Trusted Zone: *.imagesrvr.com (HKLM)
> O15 - Trusted Zone: *.onerateld.com (HKLM)
> O15 - Trusted Zone: *.safetydownload.com (HKLM)
> O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
> O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
> O15 - Trusted Zone: *.virusschlacht.com (HKLM)



Click on *Fix checked*. Once it has been done, please do the following:

Download *SDFix* and save it to your Desktop.

Double click *SDFix.exe* and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in *Safe Mode* by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press *Enter*.
Choose your usual account.
 Open the extracted SDFix folder and double click *RunThis.bat* to start the script.
 Type *Y* to begin the cleanup process.
 It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
 Press any Key and it will restart the PC.
 When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
 Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
 Finally paste the contents of the Report.txt back on the forum with a new HijackThis log



To sum up, in your next reply I'll need:

 The SDFix log
A new Hijackthis log
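
The lines Punk picks out above fall into three classes a responder checks by hand in every HijackThis log: O2 BHOs that are registered but whose DLL is gone ("file missing"), O15 Trusted Zone additions that relax Internet Explorer's security for a domain, and O4 Run entries that imitate Windows binaries (the `YSTEM~1\winlogon.exe` and `S?mantec\t?skmgr.exe` lines in the log above). The following Python script is an added example, not code from this thread and not part of HijackThis; its rules are my own triage heuristics, and its sample log is constructed from lines seen in the thread with the Windows account name replaced by `user`.

```python
"""Mechanical triage of a HijackThis v1.99 log (added example, not HijackThis code).

The rules are the hand checks a helper applies to O2/O4/O15 lines; SAMPLE_LOG
is constructed from lines seen in the thread, account name replaced by "user".
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B0B59B4-55A3-4737-9FD5-B93C6430BF75} - C:\WINDOWS\System32\aehpnphm.dll (file missing)
O2 - BHO: (no name) - {2F7A19F5-40B9-41B5-990A-B0363E14E1CD} - C:\WINDOWS\System32\CddbLangE.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\T3ZB5TSE\setup_sbd_en[1].exe
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\YSTEM~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [Gxyb] "C:\Program Files\S?mantec\t?skmgr.exe"
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<value>[^\]]*)\] (?P<command>.*)$")

# Where Windows XP keeps these binaries; an autorun of the same name from any
# other folder is a look-alike (the thread's YSTEM~1\winlogon.exe case).
EXPECTED_DIR = {
    "winlogon.exe": r"c:\windows\system32",
    "taskmgr.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Folders nothing legitimate should autorun from.
TEMP_MARKERS = ("temporary internet files", "\\local settings\\temp\\", "\\windows\\temp\\")


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" or "review"
    reason: str
    line: str


def run_target(command: str) -> str:
    """Executable path of an O4 command (heuristic: quoted path wins, else up to first '.exe')."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r".*?\.exe", command, re.IGNORECASE)
    return m.group(0) if m else command.split(" ", 1)[0]


def check_bho(body: str, raw: str) -> List[Finding]:
    m = O2_RE.match(body)
    if not m:
        return []
    if m.group("missing"):
        return [Finding("high", "BHO registered but its DLL is gone: orphaned entry, remove it", raw)]
    if m.group("name") == "(no name)":
        return [Finding("review", "BHO without a display name: verify the DLL's publisher", raw)]
    return []


def check_run(body: str, raw: str) -> List[Finding]:
    m = O4_RE.match(body)
    if not m:
        return []
    target = run_target(m.group("command"))
    norm = ntpath.normcase(target)  # lower-case with backslashes; ntpath works off-Windows too
    name, folder = ntpath.basename(norm), ntpath.dirname(norm)
    out = []
    if "?" in target:
        out.append(Finding("high", "path contains a character the log shows as '?': look-alike name", raw))
    if name in EXPECTED_DIR and folder != EXPECTED_DIR[name]:
        out.append(Finding("high", f"{name} started from {folder}, expected {EXPECTED_DIR[name]}", raw))
    if any(marker in norm for marker in TEMP_MARKERS):
        out.append(Finding("high", "autorun from a temp or browser-cache folder", raw))
    return out


def triage(log_text: str) -> List[Finding]:
    """Suspicious O2/O4/O15 entries of a HijackThis log, in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O2":
            findings.extend(check_bho(body, raw))
        elif kind == "O4":
            findings.extend(check_run(body, raw))
        elif kind == "O15":
            findings.append(Finding("review", "Trusted Zone entry relaxes IE security for this domain; rarely legitimate on a home PC", raw))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

On the constructed sample this flags the orphaned `aehpnphm.dll` BHO, the autorun from the browser cache, the `winlogon.exe` started from a folder under System32 rather than System32 itself, the path with a `?` in it, and both Trusted Zone lines, while the Intel tray utility and the Adobe helper pass. The O2 and O15 checks are the ones whose matches Punk asks to have fixed above; the O4 checks catch the two remaining Run entries a helper would normally go after next.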


----------



## texaspete

when i restart and press f8 and then put it into safe mode i get this

multi(0)disk(0)rdisk(0)partition(1)\windows1system321\ntoskrnl.exe
windows could not start because the following file is missing or corrupt:
(windowsroot)1system321\ntoskrnl.exe
please re-install a copy of above file


----------



## G25r8cer

That's not good


----------



## texaspete

oh... what should i do


----------



## texaspete

punk help me!!!!! is my computer dying!!!


----------



## Punk

Oh wow, this is worse than I thought.

Ok let's get the file back:

1. Insert the Microsoft Windows XP CD. Note: If you have a recovery CD or a restore CD and not a Microsoft Windows XP CD it is likely the below steps will not resolve your issue.
2. Reboot the computer; as the computer is starting you should see a message to press any key to boot from the CD. When you see this message press any key.
3. In the Microsoft Windows XP setup menu press the R key to enter the recovery console.
4. Select the operating system you wish to fix, and then enter the administrator password.
5. Type expand d:\i386\ntoskrnl.ex_ c:\windows\system32
6. You will then be prompted whether you wish to overwrite the file; type Y and press Enter to overwrite the file.
7. Type exit to reboot the computer.

When you've done it, try SDFix.


----------



## texaspete

cool gonna try this now, but where would i find my administrator password in my pc. coz i dont remember setting one


----------



## Punk

I guess you don't need it then


----------



## texaspete

hey punk i done what you said and this what came up

the system cannot find the file or directory specified


----------



## Punk

Ok this is a problem I've never encountered before, I'll ask for help from other members.
Ceewi1, Buzz1927 or Gamemaster will reply to you ASAP, then once we're done with that problem, we'll continue on cleaning your computer.


----------



## texaspete

thanx man


----------



## GameMaster

Could you try and rename SDFix?

When you install it (and you did, I reckon), go to the SDFix folder in C:/. Right click on the folder and rename it to some neutral name (e.g. school). That's just in case the problem is really big.
Now the most important thing is to rename SDFix.exe to e.g. school.exe.

Now try to start the program!


----------



## texaspete

i think i've done what you asked, when you say start the program again do you mean do what punk said and reboot


----------



## thermophilis

Edit: Wrong thread! sorry


----------



## GameMaster

In fact when I say start the program, I mean rename ( as I said ) and then just double click on the SDFix icon.


----------



## ceewi1

GameMaster, if I'm reading this thread correctly, texaspete is receiving the error when he attempts to follow Punk's instructions in restoring ntoskrnl.exe via the Recovery Console.

texaspete, could you please clarify your current situation.  Am I correct in the above assumption?  Are you currently unable to boot into either Normal Mode or Safe Mode?  What is the drive letter of your CD-ROM drive?


----------



## texaspete

i'm on a laptop so i only have a cd drive but dont know wot letter, i guess its my c drive i think. and yes i'm following Punk's instructions in restoring ntoskrnl.exe


----------



## GameMaster

Oh sorry then... Uh I didn't understand that's the problem...


----------



## Punk

Yes the problem is coming from ntoskrnl.exe because he can't boot in safe mode because of that file being corrupted/missing. The instructions I gave him to restore it didn't work, so that's the problem.

Any ideas?


----------



## GameMaster

Chkdsk /r option, with Windows cd in drive.

Your option looked nice, though it didn't work... any other option includes Windows reinstalling...

We should see what ceewi1 suggests.


----------



## texaspete

i really appreciate your time guys for helping me out, i hope this can get sorted coz i'm going mad!! 

cheers


----------



## GameMaster

OK, let's kill some time before ceewi1 answers, and you're online.

*Insert the Microsoft Windows XP CD*. Note: If you have a recovery CD or a restore CD and not a Microsoft Windows XP CD it is likely the below steps will not resolve your issue.
Reboot the computer; as the computer is starting you should see a message to press any key to boot from the CD. When you see this message *press any key.*
In the Microsoft Windows XP setup menu press the *R* key to enter the recovery console.
Select the operating system you wish to fix, and then enter the administrator password (which you don't have, so just enter your administrator account).
Once at the recovery console type *chkdsk /r*
Once completed type exit and see if the issue is resolved.
This is my best attempt to help.


----------



## texaspete

hi done what you said and it said this

38853168 kilobytes total disk space
12974552 kilobytes are available
4096 bytes in each allocation unit
9713292 total allocation units on disk
3243638 allocation units availble on disk


----------



## GameMaster

OK, it's all fine, but do you still get the *ntoskrnl.exe* error?


----------



## ceewi1

If that hasn't helped, please try the following:

Use the Windows CD to boot into the recovery console as before.  Type the following command and press ENTER:
*bootcfg /rebuild*

When the Windows installation is located, the following instructions are displayed:
*Add installation to boot list? (Yes/No/All)*
[Type *Y* in response to this message.]

*Enter Load Identifier:*
Type *Windows XP*

Enter OS Load options:
[Leave this field blank, and then press ENTER].

Please also type the following commands, pressing ENTER after each one.  I do not need to see the results, but tell me which of them, if any, give a "No matching files were found" error:
*dir c:\Windows\System32\ntoskrnl.exe*
*dir d:*
*dir d:\i386*
*dir d:\i386\ntoskrnl.ex_*

Please reboot your system.  If you are presented with a boot menu, select the first option (which should simply say *Windows XP*) from the list.


----------



## texaspete

hi i rebooted it and done the expand d:\i386\ntoskrnl.ex_ c:\windows\system32 thing and something worked then went back and done the sdfix and that all worked. so what do i do next, do i get a report from that

cheers


----------



## GameMaster

Yes, get a report.

Ceewi1, I congratulate you!


----------



## Punk

Thanks a lot Ceewi1 and GameMaster for your help.

Now Texaspete, please post the log.


----------



## texaspete

sorry how do i get the log from sdfix


----------



## texaspete

sorry how do i do a log for what you want punk is it sdfix log u want

cheers


----------



## texaspete

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-08 23:17:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


----------



## Punk

hmm ok.
Since SDFix hasn't found the trojan let's locate it manually.
I'd like to see a brand new Hijackthis log please but this time let's rename Hijackthis with something else:

*RENAME HIJACKTHIS*

Using *Windows Explorer* by right-clicking the *Start* button and left clicking *Explore*, navigate to: C:\Program Files\HijackThis\*HijackThis.exe*

Right-click on HijackThis.exe & select Rename to *scanner.exe* and post back a new Hijackthis log.


----------



## texaspete

Logfile of HijackThis v1.99.1
Scan saved at 18:30:37, on 09/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\scanner.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
O2 - BHO: (no name) - {2F7A19F5-40B9-41B5-990A-B0363E14E1CD} - C:\WINDOWS\System32\CddbLangE.dll
O2 - BHO: (no name) - {711ECE46-C7E0-422C-A9E0-BCBC634E06E7} - C:\WINDOWS\System32\CddbLangE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Lorna Hubbard\Local Settings\Temporary Internet Files\Content.IE5\T3ZB5TSE\setup_sbd_en[1].exe
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\YSTEM~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [Gxyb] "C:\Program Files\S?mantec\t?skmgr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm011YYGB
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q304&bd=pavilion&pf=laptop
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## Punk

Your computer has a backdoor. A backdoor gives intruders complete control of your computer, logs your keystrokes, steals personal information, etc.

This allows hackers to remotely control your computer, *steal critical system information* and *download and execute files*.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided.

If you want to continue please do the following:

*Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).*

Note: This program is for use on Windows XP *32 bit* systems only, and must be run from an Administrator account.


Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, click *OK*.
Click *Format*, and ensure *Word Wrap* is unchecked.
Copy and Paste the text in the box below into *Notepad*.
Now save the file as *RemoveFiles.txt* in a location where you can find it.



> Files to delete:
> C:\Program Files\nvcoi\nvcoi.exe



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system.

Start *Avenger* by double clicking on *Avenger.exe*.

Check *Load script from file:*
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*.
Double click it to enter it into Avenger.
Click the *green traffic light symbol*.
You will be asked if you want to execute the script, answer *Yes*.
At this point you may get prompts from your protection systems, allow them please.
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
Answer *Yes*, and allow your computer to re-boot.
Upon re-boot a command window will briefly appear on screen (this is normal).
A Notepad text file will be created *C:\avenger.txt*.
*Copy and Paste it into your next post please.*


----------



## texaspete

Thanks Punk, I wanna go ahead and carry on.

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\System32\aehpnphm.dll" deleted successfully.
File "C:\WINDOWS\System32\kcfaxaqk.dll" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.



//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Wed Apr 09 19:23:40 2008

19:23:40: Error: Invalid script.  A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


//////////////////////////////////////////
  Avenger Pre-Processor log
//////////////////////////////////////////

Platform: Windows XP (build 2600, Service Pack 2)
Wed Apr 09 19:23:50 2008

19:23:50: Error: Invalid script.  A valid script must begin with a command directive.
Aborting execution!


//////////////////////////////////////////


Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\Program Files\nvcoi\nvcoi.exe" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.


----------



## Punk

Can you please post a fresh Hijackthis log?

Avenger has deleted the Backdoor trojan I had found, let's see if there is something else. Is your computer running better? Do you have any more infection symptoms?


----------



## texaspete

It seems to be running well.

Logfile of HijackThis v1.99.1
Scan saved at 19:46:51, on 09/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\scanner.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
O2 - BHO: (no name) - {2F7A19F5-40B9-41B5-990A-B0363E14E1CD} - C:\WINDOWS\System32\CddbLangE.dll
O2 - BHO: (no name) - {711ECE46-C7E0-422C-A9E0-BCBC634E06E7} - C:\WINDOWS\System32\CddbLangE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Lorna Hubbard\Local Settings\Temporary Internet Files\Content.IE5\T3ZB5TSE\setup_sbd_en[1].exe
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\YSTEM~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [Gxyb] "C:\Program Files\S?mantec\t?skmgr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm011YYGB
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q304&bd=pavilion&pf=laptop
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## texaspete

Punk, ever since this virus started this background came up:

http://i79.photobucket.com/albums/j121/myechomusic/back.jpg

and I change it, but every time I go to use my PC another day it comes back up straight after start-up.


----------



## Crimsonite

Punk has been assisting and no one should interfere unless requested.  However, I wanted to point out that this entry is not legit:

*O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\YSTEM~1\winlogon.exe" -vt yazb*

Note the end file location, *YSTEM~1*.  Winlogon.exe controls your logging into Windows and it should only exist in:

*C:\WINDOWS\System32\
C:\WINDOWS\SYSTEM32\DLLCACHE\
C:\WINDOWS\ServicePackFiles\i386\
C:\WINDOWS\$NtServicePackUninstall$\*


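As an added example (not code from this thread, from HijackThis or from any of the posters), here is a small Python checker that applies Crimsonite's rule above to the O4 autostart lines of a HijackThis log: a `winlogon.exe` launched from anywhere other than the four directories he lists is flagged. It goes a little beyond that single rule with two further heuristics that the same log illustrates: a `?` inside a path (in a HijackThis log a `?` stands for a character the tool could not print, so the name was built from look-alike characters; treating it as a red flag is an assumption made here) and an autostart entry pointing into the browser cache. The sample lines are constructed for the example, with the `[Aaou]`, `[Gxyb]` and `[SBI]` entries copied from the log above and one harmless entry for contrast.

```python
import re
from typing import Dict, List

# Constructed sample input: a few O4 lines in the shape of the HijackThis log
# posted above. [Aaou], [Gxyb] and [SBI] are taken from that log; [IgfxTray]
# is a harmless entry included for contrast.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe',
    r'O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\YSTEM~1\winlogon.exe" -vt yazb',
    r'O4 - HKCU\..\Run: [Gxyb] "C:\Program Files\S?mantec\t?skmgr.exe"',
    r'O4 - HKLM\..\Run: [SBI] C:\Documents and Settings\Lorna Hubbard\Local Settings'
    r'\Temporary Internet Files\Content.IE5\T3ZB5TSE\setup_sbd_en[1].exe',
]

# The only directories where the OS copy of winlogon.exe should exist
# (the four locations Crimsonite lists), compared case-insensitively.
LEGIT_WINLOGON_DIRS = {
    r'c:\windows\system32',
    r'c:\windows\system32\dllcache',
    r'c:\windows\servicepackfiles\i386',
    r'c:\windows\$ntservicepackuninstall$',
}

# Shape of a Run-key line: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')


def split_image_path(cmd: str) -> str:
    """Return the executable path from a Run value, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: take what is inside the quotes
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r'\.exe', cmd, re.IGNORECASE)  # unquoted: cut after the first ".exe"
    return cmd[:m.end()] if m else cmd.split(' ')[0]


def analyse_o4(line: str) -> List[str]:
    """Return the reasons an O4 entry looks suspicious (empty list if none)."""
    m = O4_RE.match(line)
    if not m:
        return []                                # Global Startup and other O4 forms are skipped
    path = split_image_path(m.group('cmd'))
    directory, _, filename = path.rpartition('\\')
    reasons = []
    # Crimsonite's rule: winlogon.exe outside its legitimate directories.
    if filename.lower() == 'winlogon.exe' and directory.lower() not in LEGIT_WINLOGON_DIRS:
        reasons.append('winlogon.exe outside its legitimate directories')
    # Assumption: "?" marks a character HijackThis could not print (look-alike name).
    if '?' in path:
        reasons.append('unprintable character in path (look-alike name)')
    # An autostart that runs straight out of the browser cache.
    if 'temporary internet files' in path.lower():
        reasons.append('autostart from browser cache')
    return reasons


def suspicious_entries(lines: List[str]) -> Dict[str, List[str]]:
    """Map each flagged Run value name to its list of reasons."""
    found = {}
    for line in lines:
        reasons = analyse_o4(line)
        if reasons:
            found[O4_RE.match(line).group('name')] = reasons
    return found


if __name__ == '__main__':
    for name, reasons in suspicious_entries(SAMPLE_O4_LINES).items():
        print(f'[{name}]: ' + '; '.join(reasons))
```

These heuristics only catch what they are written for: the `[nvcoi]` entry that Punk identified from experience passes all three checks, so a script like this narrows the list to look at, it does not replace reading the log.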
----------



## ceewi1

The system is still badly infected.  texaspete, the log you have provided is from catchme, and not SDFix.  Please follow the instructions below to post an SDFix log.  *Be sure to boot into Safe Mode before running SDFix*.

Please print out these instructions or copy them to a notepad document since you will be unable to access the Internet while in Safe Mode to read from this site.

Please reboot your computer in *Safe Mode* (tap F8 just before Windows starts to load and select Safe Mode from the list).
 Open *C:\SDFix* and double click *RunThis.bat* to start the script.
 Type *Y* to begin the cleanup process.
 It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
 Press any Key and it will restart the PC.
 When the PC restarts the Fixtool will run again and complete the removal process then display *Finished*, press any key to end the script and load your desktop icons.
 Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as *Report.txt*
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
 Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


----------



## texaspete

*SDFix: Version 1.166 *

Run by Peter D Martin on 10/04/2008 at 16:34

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

*Checking Services *:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper  

Rebooting


*Checking Files *: 

Trojan Files Found:

C:\WINDOWS\SYSTEM32\AHKNQD~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\ALOJAL~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\APGRIH~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\APKJAH~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\ATOJQTSB.BMP - Deleted
C:\WINDOWS\SYSTEM32\ATSNEH~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\BEHOB.BMP - Deleted
C:\WINDOWS\SYSTEM32\BIDCJA~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\BMLOJM~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\BMLSBQ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\CBALON~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\DGRIL.BMP - Deleted
C:\WINDOWS\SYSTEM32\DGRMTO~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\EDKNIH~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\EHSNEPSR.BMP - Deleted
C:\WINDOWS\SYSTEM32\FILCB.BMP - Deleted
C:\WINDOWS\SYSTEM32\GRIHSF~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\HCNEDS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\HKJMHO~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\HKNAH.BMP - Deleted
C:\WINDOWS\SYSTEM32\IDONEP~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\ILCBAH~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\JELCRQT.BMP - Deleted
C:\WINDOWS\SYSTEM32\JITSFID.BMP - Deleted
C:\WINDOWS\SYSTEM32\KJEPGN.BMP - Deleted
C:\WINDOWS\SYSTEM32\LGBIHKB.BMP - Deleted
C:\WINDOWS\SYSTEM32\LGRATS~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\NEPGF.BMP - Deleted
C:\WINDOWS\SYSTEM32\NMTCN.BMP - Deleted
C:\WINDOWS\SYSTEM32\OBITKJ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\OFIHOB~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\PCNQDOJ.BMP - Deleted
C:\WINDOWS\SYSTEM32\PKRQPCF.BMP - Deleted
C:\WINDOWS\SYSTEM32\QDKRMP~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\REHKJM~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\REPCRIL.BMP - Deleted
C:\WINDOWS\SYSTEM32\RETGR.BMP - Deleted
C:\WINDOWS\SYSTEM32\RETSBE~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\RQTSNI~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\SFALCR.BMP - Deleted
C:\WINDOWS\SYSTEM32\SJADGJ~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\SJQLKN~1.BMP - Deleted
C:\WINDOWS\SYSTEM32\TGNAD.BMP - Deleted
C:\WINDOWS\SYSTEM32\TOBEH.BMP - Deleted
C:\PROGRA~1\HEWLET~1\QUBAKI - Deleted
C:\Program Files\nvcoi\mst.stt - Deleted
C:\Program Files\nvcoi\nvcoi.exe.lzma - Deleted
C:\WINDOWS\b155.exe - Deleted
C:\WINDOWS\Downloaded Program Files\UGES_0001_N122M2602NetInstaller.exe - Deleted
C:\WINDOWS\mrofinu1000106.exe - Deleted
C:\WINDOWS\system32\sex1.ico - Deleted
C:\WINDOWS\system32\sex2.ico - Deleted
C:\WINDOWS\system32\sex3.ico - Deleted
C:\WINDOWS\system32\sex4.ico - Deleted
C:\WINDOWS\system32\sex5.ico - Deleted
C:\WINDOWS\system32\sex1.ico.tmp - Deleted
C:\WINDOWS\system32\sex2.ico.tmp - Deleted



Folder C:\Program Files\nvcoi - Removed


Removing Temp Files

*ADS Check *:



*Final Check *:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 16:49:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


*Remaining Services *:



Authorized Application Key Export:

*Remaining Files *:


File Backups: - C:\SDFix\backups\backups.zip

*Files with Hidden Attributes *:

Thu  5 Feb 2004        49,152 A..H. --- "C:\Program Files\AOL 9.0\aolphx.exe"
Thu  5 Feb 2004       151,552 A..H. --- "C:\Program Files\AOL 9.0\aoltray.exe"
Thu  5 Feb 2004        31,344 A..H. --- "C:\Program Files\AOL 9.0\RBM.exe"
Thu  5 Feb 2004       253,952 A..H. --- "C:\Program Files\AOL 9.0\waol.exe"
Tue  6 Dec 2005            56 ..SHR --- "C:\WINDOWS\system32\1607371D5C.sys"
Mon 16 Jan 2006         1,994 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Mon 10 Apr 2006         4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 10 Apr 2006           401 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv13.bak"
Sat 16 Sep 2006     2,535,424 ...H. --- "C:\Documents and Settings\Lorna Hubbard\My Documents\~WRL3895.tmp"
Sat 16 Sep 2006       811,520 ...H. --- "C:\Documents and Settings\Lorna Hubbard\My Documents\~WRL4061.tmp"
Tue 11 Apr 2006           784 A..H. --- "C:\Program Files\InterActual\InterActual Player\itiD.tmp"
Thu 20 Sep 2007             0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\1db9e52f9e862450a2af87f2f5a16dbc\BIT3A.tmp"
Sun 16 Jan 2005        49,152 ...H. --- "C:\Documents and Settings\Peter D Martin\Application Data\Microsoft\Word\~WRL0004.tmp"
Sun 16 Jan 2005        49,152 ...H. --- "C:\Documents and Settings\Peter D Martin\Application Data\Microsoft\Word\~WRL0459.tmp"
Tue 24 May 2005        25,088 ...H. --- "C:\Documents and Settings\Peter D Martin\Application Data\Microsoft\Word\~WRL1890.tmp"
Tue 24 May 2005        29,696 ...H. --- "C:\Documents and Settings\Peter D Martin\Application Data\Microsoft\Word\~WRL2575.tmp"
Mon 10 Apr 2006         4,348 ...H. --- "C:\Documents and Settings\Peter D Martin\My Documents\My Music\License Backup\drmv1key.bak"
Sat 21 Oct 2006           401 A..H. --- "C:\Documents and Settings\Peter D Martin\My Documents\My Music\License Backup\drmv1lic.bak"
Sat  5 Aug 2006           400 ...H. --- "C:\Documents and Settings\Peter D Martin\My Documents\My Music\License Backup\drmv2key.bak"
Sat 21 Oct 2006         1,536 A..H. --- "C:\Documents and Settings\Peter D Martin\My Documents\My Music\License Backup\drmv2lic.bak"

*Finished!*


----------



## texaspete

Logfile of HijackThis v1.99.1
Scan saved at 17:02:06, on 10/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\scanner.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
O2 - BHO: (no name) - {2F7A19F5-40B9-41B5-990A-B0363E14E1CD} - C:\WINDOWS\System32\CddbLangE.dll
O2 - BHO: (no name) - {711ECE46-C7E0-422C-A9E0-BCBC634E06E7} - C:\WINDOWS\System32\CddbLangE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {D8E17E98-EE21-4DF5-A0C8-FF8EF43AA938} - C:\WINDOWS\System32\CddbLangE.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\YSTEM~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [Gxyb] "C:\Program Files\S?mantec\t?skmgr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm011YYGB
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q304&bd=pavilion&pf=laptop
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## Punk

*COMBOFIX-Script*


Please open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present *inside* the code box below:

Code:

```
File::
C:\WINDOWS\System32\YSTEM~1\winlogon.exe
C:\Program Files\S?mantec\t?skmgr.exe

Folder::
C:\WINDOWS\System32\YSTEM~1
C:\Program Files\S?mantec
```


Save this as *CFScript.txt* and change the "*Save as type*" to "*All Files*" and place it on your desktop.

Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe.*
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

After that please post:

The combofix log
a new hijackthis log
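A small triage script, added here as an example (it is not part of the thread, of HijackThis or of ComboFix), showing why the two HKCU Run entries that the CFScript above targets stand out in the log: HijackThis prints `?` for characters it cannot display, and a core Windows binary such as winlogon.exe is never started from a Run key. The sample lines are copied from the posted log; the rules are the example's own heuristics.

```python
"""Triage HijackThis O4 (autostart) entries for the look-alike pattern in this thread."""
import re

# Sample constructed from O4 lines in the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\YSTEM~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [Gxyb] "C:\Program Files\S?mantec\t?skmgr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Run-key line shape: O4 - HKLM\..\Run: [Name] "C:\path\file.exe" /args
# (Global Startup lines have a different shape and are skipped here.)
O4_RUN_RE = re.compile(
    r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$'
)

# Binaries the OS starts itself; none of them belongs in a Run key.
CORE_WINDOWS_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "taskmgr.exe",
}


def extract_path(cmd: str) -> str:
    """Return the executable path from a Run command line, quoted or not."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end != -1 else cmd[1:]
    # Unquoted: the path runs up to the first .exe token; anything after is arguments.
    m = re.match(r'(.+?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def assess(path: str) -> list:
    """Return the reasons an autostart path looks suspicious (empty list if none)."""
    reasons = []
    parent, _, base = path.rpartition("\\")
    parts = parent.lower().split("\\")
    if "?" in path:
        reasons.append("path contains '?': HijackThis shows '?' for characters it cannot "
                       "display, typical of look-alike folder or file names")
    if base.lower() in CORE_WINDOWS_BINARIES:
        reasons.append(f"{base.lower()} is a core Windows binary the OS starts itself; "
                       f"a copy launched from a Run key (here in {parent}) is not legitimate")
    # Heuristic: an 8.3 short-name folder directly under System32 is not a normal layout.
    if len(parts) >= 2 and parts[-2] == "system32" and "~" in parts[-1]:
        reasons.append(f"8.3 short-name folder '{parts[-1]}' directly under System32")
    return reasons


def find_suspicious(log_text: str) -> list:
    """Parse O4 Run-key lines and return dicts for the entries that trip a rule."""
    hits = []
    for line in log_text.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if not m:
            continue
        path = extract_path(m.group("cmd"))
        reasons = assess(path)
        if reasons:
            hits.append({"hive": m.group("hive"), "name": m.group("name"),
                         "path": path, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"[{hit['name']}] {hit['path']}")
        for r in hit["reasons"]:
            print("   -", r)
```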


----------



## mustang2000

Does this actually work? Is this safe to do? Does this guy actually help? I think I need someone to help me.


----------



## texaspete

Logfile of HijackThis v1.99.1
Scan saved at 23:07:59, on 10/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\scanner.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: testCPV6 - {15421B84-3488-49A7-AD18-CBF84A3EFAF6} - C:\Program Files\CPV\CPV7.dll
O2 - BHO: (no name) - {2F7A19F5-40B9-41B5-990A-B0363E14E1CD} - C:\WINDOWS\System32\CddbLangE.dll
O2 - BHO: (no name) - {69273382-B2A6-45D9-A8EF-C83227724C4A} - C:\WINDOWS\System32\CddbLangE.dll
O2 - BHO: (no name) - {711ECE46-C7E0-422C-A9E0-BCBC634E06E7} - C:\WINDOWS\System32\CddbLangE.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {D8E17E98-EE21-4DF5-A0C8-FF8EF43AA938} - C:\WINDOWS\System32\CddbLangE.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [Aaou] "C:\WINDOWS\System32\YSTEM~1\winlogon.exe" -vt yazb
O4 - HKCU\..\Run: [Gxyb] "C:\Program Files\S?mantec\t?skmgr.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm011YYGB
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q304&bd=pavilion&pf=laptop
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## texaspete

ComboFix 08-04-03.5 - Peter D Martin 2008-04-10 22:55:52.2 - NTFSx86
Running from: C:\Documents and Settings\Peter D Martin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Peter D Martin\Desktop\CFscript.txt
 * Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*

FILE ::
C:\WINDOWS\System32\YSTEM~1\winlogon.exe
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Lorna Hubbard\Local Settings\Temporary Internet Files\CPV.stt
C:\Documents and Settings\Peter D Martin\Local Settings\Temporary Internet Files\CPV.stt

.
(((((((((((((((((((((((((   Files Created from 2008-03-10 to 2008-04-10  )))))))))))))))))))))))))))))))
.

2008-04-10 22:51 . 2008-04-10 22:51	269,334	--a------	C:\WINDOWS\system32\idgbqtcn.bmp
2008-04-10 17:55 . 2008-04-10 17:55	269,334	--a------	C:\WINDOWS\system32\toned.bmp
2008-04-10 16:56 . 2008-04-10 16:56	269,334	--a------	C:\WINDOWS\system32\sbelgjad.bmp
2008-04-10 16:29 . 2008-04-10 16:30	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-04-08 20:43 . 2002-08-29 03:03	2,042,240	--a------	C:\WINDOWS\system32\ntoskrnl.exe
2008-04-06 20:51 . 2008-04-06 20:51	<DIR>	d--------	C:\school.exe
2008-04-05 22:36 . 2008-04-10 16:55	<DIR>	d--------	C:\SDFix
2008-04-04 19:30 . 2008-04-07 18:00	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-04-04 19:30 . 2008-04-04 19:30	1,409	--a------	C:\WINDOWS\QTFont.for
2008-04-04 18:34 . 2007-09-05 23:22	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2008-04-04 18:34 . 2006-04-27 16:49	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2008-04-04 18:34 . 2008-03-28 23:19	86,528	--a------	C:\WINDOWS\system32\VACFix.exe
2008-04-04 18:34 . 2008-03-26 08:50	82,432	--a------	C:\WINDOWS\system32\IEDFix.exe
2008-04-04 18:34 . 2003-06-05 20:13	53,248	--a------	C:\WINDOWS\system32\Process.exe
2008-04-04 18:34 . 2004-07-31 17:50	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2008-04-04 18:34 . 2007-10-03 23:36	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe
2008-04-04 18:34 . 2008-04-04 18:34	6,328	--a------	C:\WINDOWS\system32\tmp.reg
2008-04-04 18:28 . 2008-04-10 17:01	<DIR>	d--------	C:\scanner.exe
2008-04-03 17:50 . 2008-04-03 17:50	<DIR>	d--------	C:\Program Files\Enigma Software Group
2008-04-02 16:15 . 2008-04-02 16:15	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-02 16:00 . 2008-04-04 18:18	2,114,456	---hs----	C:\WINDOWS\system32\gntaukud.ini
2008-03-31 22:19 . 2008-04-02 15:59	1,602,328	---hs----	C:\WINDOWS\system32\auujtkso.ini
2008-03-30 19:23 . 2008-03-31 22:14	1,597,592	---hs----	C:\WINDOWS\system32\mjillbmv.ini
2008-03-27 18:49 . 2008-03-28 18:07	1,444,668	---hs----	C:\WINDOWS\system32\ysdhmfef.ini
2008-03-27 13:04 . 2008-03-27 18:49	1,389,477	---hs----	C:\WINDOWS\system32\iiiubefs.ini
2008-03-27 13:01 . 2005-03-10 13:06	88,064	--a------	C:\WINDOWS\system32\CddbLangE.dll
2008-03-25 22:59 . 2008-03-25 22:59	18,432	--a------	C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
2008-03-25 22:22 . 2008-03-27 13:00	1,493,721	---hs----	C:\WINDOWS\system32\hvhrpelt.ini
2008-03-25 21:52 . 2008-03-25 22:20	1,472,400	---hs----	C:\WINDOWS\system32\yjgqcmdp.ini
2008-03-25 18:23 . 2008-04-02 16:27	<DIR>	d--------	C:\Program Files\CPV
2008-03-24 23:31 . 2008-03-25 21:52	1,472,220	---hs----	C:\WINDOWS\system32\gfylausq.ini
2008-03-24 18:03 . 2008-03-24 23:31	1,579,008	---hs----	C:\WINDOWS\system32\psvhfusx.ini
2008-03-24 18:03 . 2008-03-24 18:03	53,312	--a------	C:\WINDOWS\system32\osghwfve.dll
2008-03-23 15:51 . 2008-03-24 18:02	1,543,771	---hs----	C:\WINDOWS\system32\rkwvoywa.ini
2008-03-22 15:59 . 2008-03-23 10:34	1,430,692	---hs----	C:\WINDOWS\system32\rpeiolea.ini
2008-03-20 23:56 . 2008-03-22 15:58	1,468,006	---hs----	C:\WINDOWS\system32\hfddtbbr.ini
2008-03-19 22:42 . 2008-03-19 22:42	<DIR>	d--------	C:\Program Files\Panicware
2008-03-19 22:36 . 2008-03-20 23:55	1,538,904	---hs----	C:\WINDOWS\system32\drromsvp.ini
2008-03-18 22:27 . 2008-03-19 22:27	1,526,137	---hs----	C:\WINDOWS\system32\ascjqioi.ini
2008-03-18 21:32 . 2008-03-19 22:42	9,662	--a------	C:\WINDOWS\system32\ZoneAlarmIconUK.ico
2008-03-16 22:17 . 2008-03-16 22:17	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-16 22:09 . 2008-03-18 21:23	1,526,135	---hs----	C:\WINDOWS\system32\xeoqocqx.ini
2008-03-16 22:01 . 2008-03-16 22:01	63	--a------	C:\WINDOWS\system32\41beda43
2008-03-16 21:56 . 2008-04-02 21:16	<DIR>	d--------	C:\WINDOWS\system32\hz7
2008-03-16 21:56 . 2008-04-02 18:34	<DIR>	d--------	C:\WINDOWS\system32\cam2
2008-03-16 21:56 . 2008-03-16 21:56	<DIR>	d--------	C:\WINDOWS\system32\bx21
2008-03-14 18:26 . 2008-03-14 18:26	<DIR>	d--------	C:\WINDOWS\provisioning
2008-03-14 18:26 . 2008-03-14 18:37	<DIR>	d--------	C:\WINDOWS\peernet
2008-03-14 17:55 . 2008-03-14 17:55	<DIR>	d--------	C:\WINDOWS\ServicePackFiles
2008-03-14 17:46 . 2004-08-03 23:42	20,480	--a------	C:\WINDOWS\system32\sprecovr.exe
2008-03-14 17:43 . 2004-07-17 12:40	19,528	--a------	C:\WINDOWS\002333_.tmp
2008-03-14 17:34 . 2002-12-11 17:34	997,888	--a------	C:\WINDOWS\system32\wmvdmoe2.dll
2008-03-14 17:33 . 2006-02-27 13:32	2,479,616	--a------	C:\WINDOWS\system32\dllcache\msoeres.dll
2008-03-14 17:30 . 2008-03-14 17:30	<DIR>	d--------	C:\WINDOWS\EHome
2008-03-14 17:07 . 2007-06-13 20:07	16,896	--a------	C:\WINDOWS\system32\grwinsthlp.exe
2008-03-14 17:07 . 2008-03-14 17:07	248	--a------	C:\UnInstall.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 15:39	---------	d-----w	C:\Program Files\Hewlett-Packard
2008-04-01 16:38	---------	d-----w	C:\Documents and Settings\Peter D Martin\Application Data\Audacity
2008-03-23 19:28	---------	d-----w	C:\Program Files\MSN Messenger
2008-03-19 22:44	---------	d-----w	C:\Program Files\Google
2008-03-19 21:25	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-03-19 21:25	---------	d-----w	C:\Program Files\EPSON
2008-03-19 21:23	---------	d-----w	C:\Program Files\IKEA HomePlanner
2008-03-18 20:33	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-03-14 16:31	24,064	----a-w	C:\WINDOWS\system32\ntload.dll
2008-03-14 16:09	---------	d-----w	C:\Program Files\Canon
2008-03-14 16:05	---------	d-----w	C:\Program Files\DivX
2006-11-19 20:50	78,424	----a-w	C:\Documents and Settings\Lorna Hubbard\Application Data\GDIPFONTCACHEV1.DAT
2005-03-15 17:44	0	----a-w	C:\Documents and Settings\Peter D Martin\Application Data\wklnhst.dat
2005-12-06 19:31	56	--sh--r	C:\WINDOWS\system32\1607371D5C.sys
2006-01-16 17:58	1,994	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2004-02-06 18:05  588288  4f64d1df989e3aa2fad91a2f1167b9c7	C:\WINDOWS\$NtUninstallKB918899-IE6SP1-20060725.123917$\wininet.dll
2004-08-04 08:56  656384  c0823fc5469663ba63e7db88f9919d70	C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wininet.dll
2006-04-28 10:58  575488  3d5062a7667913b9b515cc5769e9fb31	C:\WINDOWS\SoftwareDistribution\Download\49afa2a0b3ea87b912cc10130c63a60f\rtmgdr\wininet.dll
2006-04-28 18:48  587264  5f4e89c8b4903acbba2f4b32cf1ed3ad	C:\WINDOWS\SoftwareDistribution\Download\49afa2a0b3ea87b912cc10130c63a60f\RTMQFE\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\SoftwareDistribution\Download\cb88c3740b7bdbe6238a3381da220dae\rtmgdr\wininet.dll
2006-06-23 19:29  587776  40f777875dfa05cd61fd1e8a593be8e9	C:\WINDOWS\SoftwareDistribution\Download\cb88c3740b7bdbe6238a3381da220dae\RTMQFE\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\SoftwareDistribution\Download\cfab6bea01ff38473d99ea9faefb37c0\rtmgdr\wininet.dll
2006-06-23 19:29  587776  40f777875dfa05cd61fd1e8a593be8e9	C:\WINDOWS\SoftwareDistribution\Download\cfab6bea01ff38473d99ea9faefb37c0\RTMQFE\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\system32\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\system32\dllcache\wininet.dll

2003-03-06 10:30  162432  09b38768036508b51564201afb000950	C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2003-03-31 03:00  167552  3b350e5a2a5e951453f3993275a4523a	C:\WINDOWS\$NtUninstallQ815485$\ndis.sys
2003-03-06 10:30  162432  09b38768036508b51564201afb000950	C:\WINDOWS\Driver Cache\i386\ndis.sys
2004-08-04 07:14  182912  558635d3af1c7546d26067d5d9b6959e	C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ndis.sys
2003-03-06 10:30  162432  09b38768036508b51564201afb000950	C:\WINDOWS\system32\drivers\ndis.sys
.
(((((((((((((((((((((((((((((   [email protected]_23.17.51.03   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-05 01:58:29	163,328	----a-w	C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-10 15:30:22	4,857,856	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-10 15:30:22	36,864	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-05 01:58:29	163,328	----a-w	C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-10 15:30:07	4,857,856	----a-w	C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-04-10 15:30:08	36,864	----a-w	C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}]
2008-04-02 16:27	51200	--a------	C:\Program Files\CPV\CPV7.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F7A19F5-40B9-41B5-990A-B0363E14E1CD}]
2005-03-10 13:06	88064	--a------	C:\WINDOWS\System32\CddbLangE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{711ECE46-C7E0-422C-A9E0-BCBC634E06E7}]
2005-03-10 13:06	88064	--a------	C:\WINDOWS\System32\CddbLangE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D8E17E98-EE21-4DF5-A0C8-FF8EF43AA938}]
2005-03-10 13:06	88064	--a------	C:\WINDOWS\System32\CddbLangE.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [ ]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 22:22 3739648]
"Aaou"="C:\WINDOWS\System32\YSTEM~1\winlogon.exe" [ ]
"Gxyb"="C:\Program Files\S?mantec\t?skmgr.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-29 18:02 68856]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 12:10 536576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-06-17 21:48 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-06-17 21:43 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-26 18:15 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-26 18:15 536576]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-22 19:55 483328]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-04-30 10:32 208958]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-05-27 20:28 278528]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-10 00:11 50688]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-03-22 23:15 26112]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 02:10 409600]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-12-24 03:33 188416]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58 229952]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-12-14 02:06 495616]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-15 17:05 1838592]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 17:16 376912]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"BluetoothAuthorizationAgent"="C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe" [2008-03-25 22:59 18432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-03-31 03:00 13312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-29 18:02 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\System32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2007-06-11 21:34 190696]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-8796-100000000002}\SC_Acrobat.exe [2005-11-30 21:22:58 25214]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.LEAD"= LCODCCMP.DLL
"MSVideo8"= VfWWDM32.dll


.
Contents of the 'Scheduled Tasks' folder
"2008-03-24 23:18:36 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-10 23:01:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????????A?p?????????? ???B???????????????B? ?????? 

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2008-04-10 23:03:13
ComboFix-quarantined-files.txt  2008-04-10 22:02:41
ComboFix2.txt  2008-04-04 22:18:23
Pre-Run: 12,314,230,784 bytes free
Post-Run: 12,300,550,144 bytes free
.
2008-03-16 11:13:52	--- E O F ---


----------



## ceewi1

Open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present *inside* the code box below:



Code:
File::
C:\WINDOWS\system32\idgbqtcn.bmp
C:\WINDOWS\system32\toned.bmp
C:\WINDOWS\system32\sbelgjad.bmp
C:\school.exe
C:\WINDOWS\system32\gntaukud.ini
C:\WINDOWS\system32\auujtkso.ini
C:\WINDOWS\system32\mjillbmv.ini
C:\WINDOWS\system32\ysdhmfef.ini
C:\WINDOWS\system32\iiiubefs.ini
C:\WINDOWS\system32\CddbLangE.dll
C:\WINDOWS\system32\hvhrpelt.ini
C:\WINDOWS\system32\yjgqcmdp.ini
C:\WINDOWS\system32\gfylausq.ini
C:\WINDOWS\system32\psvhfusx.ini
C:\WINDOWS\system32\osghwfve.dll
C:\WINDOWS\system32\rkwvoywa.ini
C:\WINDOWS\system32\rpeiolea.ini
C:\WINDOWS\system32\hfddtbbr.ini
C:\WINDOWS\system32\drromsvp.ini
C:\WINDOWS\system32\ascjqioi.ini
C:\WINDOWS\system32\xeoqocqx.ini
C:\WINDOWS\system32\41beda43
C:\WINDOWS\system32\grwinsthlp.exe

Folder::
C:\WINDOWS\system32\hz7
C:\WINDOWS\system32\cam2
C:\WINDOWS\system32\bx21
C:\Program Files\CPV

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{15421B84-3488-49A7-AD18-CBF84A3EFAF6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F7A19F5-40B9-41B5-990A-B0363E14E1CD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{711ECE46-C7E0-422C-A9E0-BCBC634E06E7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D8E17E98-EE21-4DF5-A0C8-FF8EF43AA938}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aaou"=-
"Gxyb"=-


Save this as *CFScript.txt* and change the *Save as type* to *All Files* and place it on your *desktop*.

[Screenshot not included: CFScript.txt being dragged onto ComboFix.exe]

Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe*.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
*CAUTION*:
Do *NOT* mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do *NOT* adjust your time format while ComboFix is running.

Please *download* the *OTMoveIt2 by OldTimer*.

*Save* it to your *desktop*.
Please double-click *OTMoveIt2.exe* to run it.
*Copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):

Code:

C:\Program Files\S?mantec /u

Return to OTMoveIt2, right click in the *Paste List of Files/Folders to be Moved* window (under the light blue bar) and choose *Paste*.

Click the red *Moveit!* button.
*Copy everything in the Results window (under the green bar) to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.  These results are also located at *C:\_OTMoveIt\MovedFiles\Date_Time.log*, where Date_Time is the date and time you ran OTMoveIt.
Close *OTMoveIt2*
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

Please post
The ComboFix log
The OTMoveIt2 log
A new HijackThis log
An update on how your system is running


----------



## Punk

mustang2000 said:

> Does this actually work? Is this safe to do, does this guy actually help. I think I need someone to help me.

What are you talking about?

I'm helping Texaspete...


----------



## texaspete

ComboFix 08-04-03.5 - Peter D Martin 2008-04-11 17:24:04.3 - NTFSx86
Running from: C:\Documents and Settings\Peter D Martin\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Peter D Martin\Desktop\CFscript.txt
 * Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*

FILE ::
C:\school.exe
C:\WINDOWS\system32\41beda43
C:\WINDOWS\system32\ascjqioi.ini
C:\WINDOWS\system32\auujtkso.ini
C:\WINDOWS\system32\CddbLangE.dll
C:\WINDOWS\system32\drromsvp.ini
C:\WINDOWS\system32\gfylausq.ini
C:\WINDOWS\system32\gntaukud.ini
C:\WINDOWS\system32\grwinsthlp.exe
C:\WINDOWS\system32\hfddtbbr.ini
C:\WINDOWS\system32\hvhrpelt.ini
C:\WINDOWS\system32\idgbqtcn.bmp
C:\WINDOWS\system32\iiiubefs.ini
C:\WINDOWS\system32\mjillbmv.ini
C:\WINDOWS\system32\osghwfve.dll
C:\WINDOWS\system32\psvhfusx.ini
C:\WINDOWS\system32\rkwvoywa.ini
C:\WINDOWS\system32\rpeiolea.ini
C:\WINDOWS\system32\sbelgjad.bmp
C:\WINDOWS\system32\toned.bmp
C:\WINDOWS\system32\xeoqocqx.ini
C:\WINDOWS\system32\yjgqcmdp.ini
C:\WINDOWS\system32\ysdhmfef.ini
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\CPV
C:\Program Files\CPV\CPV7.dll
C:\WINDOWS\system32\41beda43
C:\WINDOWS\system32\ascjqioi.ini
C:\WINDOWS\system32\auujtkso.ini
C:\WINDOWS\system32\bx21
C:\WINDOWS\system32\bx21\thudll5502.exe
C:\WINDOWS\system32\cam2
C:\WINDOWS\system32\CddbLangE.dll
C:\WINDOWS\system32\drromsvp.ini
C:\WINDOWS\system32\gfylausq.ini
C:\WINDOWS\system32\gntaukud.ini
C:\WINDOWS\system32\grwinsthlp.exe
C:\WINDOWS\system32\hfddtbbr.ini
C:\WINDOWS\system32\hvhrpelt.ini
C:\WINDOWS\system32\hz7
C:\WINDOWS\system32\idgbqtcn.bmp
C:\WINDOWS\system32\iiiubefs.ini
C:\WINDOWS\system32\mjillbmv.ini
C:\WINDOWS\system32\osghwfve.dll
C:\WINDOWS\system32\psvhfusx.ini
C:\WINDOWS\system32\rkwvoywa.ini
C:\WINDOWS\system32\rpeiolea.ini
C:\WINDOWS\system32\sbelgjad.bmp
C:\WINDOWS\system32\toned.bmp
C:\WINDOWS\system32\xeoqocqx.ini
C:\WINDOWS\system32\yjgqcmdp.ini
C:\WINDOWS\system32\ysdhmfef.ini

.
(((((((((((((((((((((((((   Files Created from 2008-03-11 to 2008-04-11  )))))))))))))))))))))))))))))))
.

2008-04-11 17:13 . 2008-04-11 17:13	269,334	--a------	C:\WINDOWS\system32\krqtcjah.bmp
2008-04-10 16:29 . 2008-04-10 16:30	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-04-08 20:43 . 2002-08-29 03:03	2,042,240	--a------	C:\WINDOWS\system32\ntoskrnl.exe
2008-04-06 20:51 . 2008-04-06 20:51	<DIR>	d--------	C:\school.exe
2008-04-05 22:36 . 2008-04-10 16:55	<DIR>	d--------	C:\SDFix
2008-04-04 19:30 . 2008-04-07 18:00	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-04-04 19:30 . 2008-04-04 19:30	1,409	--a------	C:\WINDOWS\QTFont.for
2008-04-04 18:34 . 2007-09-05 23:22	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2008-04-04 18:34 . 2006-04-27 16:49	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2008-04-04 18:34 . 2008-03-28 23:19	86,528	--a------	C:\WINDOWS\system32\VACFix.exe
2008-04-04 18:34 . 2008-03-26 08:50	82,432	--a------	C:\WINDOWS\system32\IEDFix.exe
2008-04-04 18:34 . 2003-06-05 20:13	53,248	--a------	C:\WINDOWS\system32\Process.exe
2008-04-04 18:34 . 2004-07-31 17:50	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2008-04-04 18:34 . 2007-10-03 23:36	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe
2008-04-04 18:34 . 2008-04-04 18:34	6,328	--a------	C:\WINDOWS\system32\tmp.reg
2008-04-04 18:28 . 2008-04-10 23:07	<DIR>	d--------	C:\scanner.exe
2008-04-03 17:50 . 2008-04-03 17:50	<DIR>	d--------	C:\Program Files\Enigma Software Group
2008-04-02 16:15 . 2008-04-02 16:15	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-25 22:59 . 2008-03-25 22:59	18,432	--a------	C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
2008-03-19 22:42 . 2008-03-19 22:42	<DIR>	d--------	C:\Program Files\Panicware
2008-03-18 21:32 . 2008-03-19 22:42	9,662	--a------	C:\WINDOWS\system32\ZoneAlarmIconUK.ico
2008-03-16 22:17 . 2008-03-16 22:17	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-14 18:26 . 2008-03-14 18:26	<DIR>	d--------	C:\WINDOWS\provisioning
2008-03-14 18:26 . 2008-03-14 18:37	<DIR>	d--------	C:\WINDOWS\peernet
2008-03-14 17:55 . 2008-03-14 17:55	<DIR>	d--------	C:\WINDOWS\ServicePackFiles
2008-03-14 17:46 . 2004-08-03 23:42	20,480	--a------	C:\WINDOWS\system32\sprecovr.exe
2008-03-14 17:43 . 2004-07-17 12:40	19,528	--a------	C:\WINDOWS\002333_.tmp
2008-03-14 17:34 . 2002-12-11 17:34	997,888	--a------	C:\WINDOWS\system32\wmvdmoe2.dll
2008-03-14 17:33 . 2006-02-27 13:32	2,479,616	--a------	C:\WINDOWS\system32\dllcache\msoeres.dll
2008-03-14 17:30 . 2008-03-14 17:30	<DIR>	d--------	C:\WINDOWS\EHome
2008-03-14 17:07 . 2008-03-14 17:07	248	--a------	C:\UnInstall.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 15:39	---------	d-----w	C:\Program Files\Hewlett-Packard
2008-04-01 16:38	---------	d-----w	C:\Documents and Settings\Peter D Martin\Application Data\Audacity
2008-03-23 19:28	---------	d-----w	C:\Program Files\MSN Messenger
2008-03-19 22:44	---------	d-----w	C:\Program Files\Google
2008-03-19 21:25	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-03-19 21:25	---------	d-----w	C:\Program Files\EPSON
2008-03-19 21:23	---------	d-----w	C:\Program Files\IKEA HomePlanner
2008-03-18 20:33	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-03-14 16:31	24,064	----a-w	C:\WINDOWS\system32\ntload.dll
2008-03-14 16:09	---------	d-----w	C:\Program Files\Canon
2008-03-14 16:05	---------	d-----w	C:\Program Files\DivX
2006-11-19 20:50	78,424	----a-w	C:\Documents and Settings\Lorna Hubbard\Application Data\GDIPFONTCACHEV1.DAT
2005-03-15 17:44	0	----a-w	C:\Documents and Settings\Peter D Martin\Application Data\wklnhst.dat
2005-12-06 19:31	56	--sh--r	C:\WINDOWS\system32\1607371D5C.sys
2006-01-16 17:58	1,994	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2004-02-06 18:05  588288  4f64d1df989e3aa2fad91a2f1167b9c7	C:\WINDOWS\$NtUninstallKB918899-IE6SP1-20060725.123917$\wininet.dll
2004-08-04 08:56  656384  c0823fc5469663ba63e7db88f9919d70	C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wininet.dll
2006-04-28 10:58  575488  3d5062a7667913b9b515cc5769e9fb31	C:\WINDOWS\SoftwareDistribution\Download\49afa2a0b3ea87b912cc10130c63a60f\rtmgdr\wininet.dll
2006-04-28 18:48  587264  5f4e89c8b4903acbba2f4b32cf1ed3ad	C:\WINDOWS\SoftwareDistribution\Download\49afa2a0b3ea87b912cc10130c63a60f\RTMQFE\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\SoftwareDistribution\Download\cb88c3740b7bdbe6238a3381da220dae\rtmgdr\wininet.dll
2006-06-23 19:29  587776  40f777875dfa05cd61fd1e8a593be8e9	C:\WINDOWS\SoftwareDistribution\Download\cb88c3740b7bdbe6238a3381da220dae\RTMQFE\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\SoftwareDistribution\Download\cfab6bea01ff38473d99ea9faefb37c0\rtmgdr\wininet.dll
2006-06-23 19:29  587776  40f777875dfa05cd61fd1e8a593be8e9	C:\WINDOWS\SoftwareDistribution\Download\cfab6bea01ff38473d99ea9faefb37c0\RTMQFE\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\system32\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\system32\dllcache\wininet.dll

2003-03-06 10:30  162432  09b38768036508b51564201afb000950	C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2003-03-31 03:00  167552  3b350e5a2a5e951453f3993275a4523a	C:\WINDOWS\$NtUninstallQ815485$\ndis.sys
2003-03-06 10:30  162432  09b38768036508b51564201afb000950	C:\WINDOWS\Driver Cache\i386\ndis.sys
2004-08-04 07:14  182912  558635d3af1c7546d26067d5d9b6959e	C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ndis.sys
2003-03-06 10:30  162432  09b38768036508b51564201afb000950	C:\WINDOWS\system32\drivers\ndis.sys
.
(((((((((((((((((((((((((((((   [email protected]_23.17.51.03   )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-05 01:58:29	163,328	----a-w	C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-10 15:30:22	4,857,856	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-10 15:30:22	36,864	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-05 01:58:29	163,328	----a-w	C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-10 15:30:07	4,857,856	----a-w	C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-04-10 15:30:08	36,864	----a-w	C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [ ]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 22:22 3739648]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-29 18:02 68856]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 12:10 536576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-06-17 21:48 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-06-17 21:43 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-26 18:15 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-26 18:15 536576]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-22 19:55 483328]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-04-30 10:32 208958]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-05-27 20:28 278528]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-10 00:11 50688]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-03-22 23:15 26112]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 02:10 409600]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-12-24 03:33 188416]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58 229952]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-12-14 02:06 495616]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-15 17:05 1838592]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 17:16 376912]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"BluetoothAuthorizationAgent"="C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe" [2008-03-25 22:59 18432]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-03-31 03:00 13312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-29 18:02 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\System32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2007-06-11 21:34 190696]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-8796-100000000002}\SC_Acrobat.exe [2005-11-30 21:22:58 25214]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.LEAD"= LCODCCMP.DLL
"MSVideo8"= VfWWDM32.dll


.
Contents of the 'Scheduled Tasks' folder
"2008-03-24 23:18:36 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-11 17:30:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????????A?p?????????? ???B???????????????B? ?????? 

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2008-04-11 17:32:29
ComboFix-quarantined-files.txt  2008-04-11 16:31:59
ComboFix2.txt  2008-04-10 22:03:14
ComboFix3.txt  2008-04-04 22:18:23
Pre-Run: 12,251,066,368 bytes free
Post-Run: 12,213,600,256 bytes free
.
2008-03-16 11:13:52	--- E O F ---


----------



## texaspete

Logfile of HijackThis v1.99.1
Scan saved at 17:40:03, on 11/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\notepad.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\scanner.exe\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BluetoothAuthorizationAgent] C:\WINDOWS\System32\BluetoothAuthorizationAgent.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm011YYGB
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q304&bd=pavilion&pf=laptop
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------



## texaspete

When I did the OTMoveIt, it said this:

< C:\Program Files\S?mantec /u >
File/Folder C:\Program Files\S?mantec not found.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 04112008_174627


----------



## ceewi1

Please run HijackThis and choose *Do a system scan only*.

Place a check next to the following entries:
*O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZKxdm011YYGB*
Please close all open windows except for HijackThis and choose *Fix checked*

Please run OTMoveIt2 again:
*Copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):

Code:

    C:\WINDOWS\system32\krqtcjah.bmp
    C:\school.exe

Return to OTMoveIt2, right click in the *Paste List of Files/Folders to be Moved* window (under the light blue bar) and choose *Paste*.

Click the red *Moveit!* button.
*Copy everything in the Results window (under the green bar) to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose copy), and paste it in your next reply.  These results are also located at *C:\_OTMoveIt\MovedFiles\Date_Time.log*, where Date_Time is the date and time you ran OTMoveIt.
Close *OTMoveIt2*
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

Please use the *Internet Explorer* browser (or FireFox with IETab), and do an online scan with *Kaspersky Online Scanner*

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add Or Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.
(*Note*.. _for Internet *Explorer 7* users: If at any time you have trouble with the *Accept* button of the license, click on the *Zoom* tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%_.)
The program launches and downloads the latest definition files. 
Once the files are downloaded click on *Next*
Click on *Scan Settings* and configure as follows:
    Scan using the following Anti-Virus database: *Extended*
    Scan Options: *Scan Archives*, *Scan Mail Bases*
Click *OK* and, under select a target to scan, select *My Computer*
When the scan is done, in the _Scan is completed_ window (below), any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: *Save Report As* (above - red blinking arrow)
Next, in the _Save as_ prompt, _Save in_ area, select: *Desktop*
In the _File name_ area, use KScan, or something similar
In _Save as type_, click the drop arrow and select: *Text file [*.txt]*
Then, click: *Save*
Please post the *Kaspersky Online Scanner Report* in your reply.

Please post
The OTMoveIt2 report
The Kaspersky Online Scanner Report


----------



## texaspete

Hi, I go to press Accept on Kaspersky Online Scanner but nothing is happening.
I'm using Firefox, and I have that option to zoom in!


----------



## Punk

texaspete said:

> Hi, I go to press Accept on Kaspersky Online Scanner but nothing is happening.
> I'm using Firefox, and I have that option to zoom in!

Use Internet Explorer.


----------



## texaspete

Just tried, and that zlob virus is back. It says this in the address bar http://iednserror.info/ie6/en.php?id=880058 and all these dodgy porn things have come up on my desktop!!! aghhhhhhhhhh


----------



## Punk

Ok

Let's see a Combofix log:

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* from one of the three below listed places :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open *Task Manager* then *Processes* tab (press ctrl, alt and del at the same time) and end any processes of *findstr, find, sed or swreg*, then combofix should continue.
If that happened we want to know, and also what process you had to end.


----------



## texaspete

hey punk
ComboFix 08-04-12.10 - Peter D Martin 2008-04-13 17:55:13.4 - NTFSx86
Running from: C:\Documents and Settings\Peter D Martin\Desktop\ComboFix.exe
 * Created a new restore point

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\BluetoothAuthorizationAgent.exe
C:\WINDOWS\system32\ieupdates.exe
C:\WINDOWS\system32\update32.exe
C:\WINDOWS\system32\winsrc.dll
C:\WINDOWS\system32\winupdate.exe
C:\WINDOWS\system32\wscmp.dll

.
(((((((((((((((((((((((((   Files Created from 2008-03-13 to 2008-04-13  )))))))))))))))))))))))))))))))
.

2008-04-13 17:39 . 2008-04-13 17:39	0	--a------	C:\WINDOWS\system32\sex3.ico.tmp
2008-04-13 17:38 . 2008-04-13 17:38	0	--a------	C:\WINDOWS\system32\sex2.ico.tmp
2008-04-13 17:38 . 2008-04-13 17:38	0	--a------	C:\WINDOWS\system32\sex1.ico.tmp
2008-04-13 17:27 . 2008-04-13 17:27	269,334	--a------	C:\WINDOWS\system32\dojmhkbqdsn.bmp
2008-04-13 17:22 . 2008-04-13 17:40	3,262	--a------	C:\WINDOWS\system32\sex5.ico
2008-04-13 17:22 . 2008-04-13 17:39	3,262	--a------	C:\WINDOWS\system32\sex4.ico
2008-04-13 17:21 . 2008-04-13 17:31	3,262	--a------	C:\WINDOWS\system32\sex3.ico
2008-04-13 17:21 . 2008-04-13 17:30	3,262	--a------	C:\WINDOWS\system32\sex2.ico
2008-04-13 17:20 . 2008-04-13 17:30	3,262	--a------	C:\WINDOWS\system32\sex1.ico
2008-04-13 17:13 . 2008-04-13 17:13	269,334	--a------	C:\WINDOWS\system32\lgnetkrqhgfap.bmp
2008-04-13 10:56 . 2008-04-13 10:56	<DIR>	d--------	C:\b5972bbf697fdead40e53f083c0a
2008-04-13 00:25 . 2008-04-13 00:25	269,334	--a------	C:\WINDOWS\system32\cradonidcr.bmp
2008-04-12 19:04 . 2008-04-12 19:04	269,334	--a------	C:\WINDOWS\system32\apknihgb.bmp
2008-04-12 10:17 . 2008-04-12 10:17	269,334	--a------	C:\WINDOWS\system32\felsnilcfatsf.bmp
2008-04-11 22:09 . 2008-04-11 22:09	269,334	--a------	C:\WINDOWS\system32\lcbitojml.bmp
2008-04-11 19:29 . 2008-04-11 19:29	269,334	--a------	C:\WINDOWS\system32\nepgjeh.bmp
2008-04-11 17:42 . 2008-04-11 17:42	<DIR>	d--------	C:\_OTMoveIt
2008-04-11 17:13 . 2008-04-11 17:13	269,334	--a------	C:\WINDOWS\system32\krqtcjah.bmp
2008-04-10 16:29 . 2008-04-10 16:30	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-04-08 20:43 . 2002-08-29 03:03	2,042,240	--a------	C:\WINDOWS\system32\ntoskrnl.exe
2008-04-06 20:51 . 2008-04-06 20:51	<DIR>	d--------	C:\school.exe
2008-04-05 22:36 . 2008-04-10 16:55	<DIR>	d--------	C:\SDFix
2008-04-04 19:30 . 2008-04-07 18:00	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-04-04 19:30 . 2008-04-04 19:30	1,409	--a------	C:\WINDOWS\QTFont.for
2008-04-04 18:34 . 2007-09-05 23:22	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2008-04-04 18:34 . 2006-04-27 16:49	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2008-04-04 18:34 . 2008-03-28 23:19	86,528	--a------	C:\WINDOWS\system32\VACFix.exe
2008-04-04 18:34 . 2008-03-26 08:50	82,432	--a------	C:\WINDOWS\system32\IEDFix.exe
2008-04-04 18:34 . 2003-06-05 20:13	53,248	--a------	C:\WINDOWS\system32\Process.exe
2008-04-04 18:34 . 2004-07-31 17:50	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2008-04-04 18:34 . 2007-10-03 23:36	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe
2008-04-04 18:34 . 2008-04-04 18:34	6,328	--a------	C:\WINDOWS\system32\tmp.reg
2008-04-04 18:28 . 2008-04-12 10:32	<DIR>	d--------	C:\scanner.exe
2008-04-03 17:50 . 2008-04-03 17:50	<DIR>	d--------	C:\Program Files\Enigma Software Group
2008-04-02 16:15 . 2008-04-02 16:15	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-19 22:42 . 2008-03-19 22:42	<DIR>	d--------	C:\Program Files\Panicware
2008-03-18 21:32 . 2008-03-19 22:42	9,662	--a------	C:\WINDOWS\system32\ZoneAlarmIconUK.ico
2008-03-16 22:17 . 2008-03-16 22:17	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-14 18:26 . 2008-03-14 18:26	<DIR>	d--------	C:\WINDOWS\provisioning
2008-03-14 18:26 . 2008-03-14 18:37	<DIR>	d--------	C:\WINDOWS\peernet
2008-03-14 17:55 . 2008-03-14 17:55	<DIR>	d--------	C:\WINDOWS\ServicePackFiles
2008-03-14 17:46 . 2004-08-03 23:42	20,480	--a------	C:\WINDOWS\system32\sprecovr.exe
2008-03-14 17:43 . 2004-07-17 12:40	19,528	--a------	C:\WINDOWS\002333_.tmp
2008-03-14 17:34 . 2002-12-11 17:34	997,888	--a------	C:\WINDOWS\system32\wmvdmoe2.dll
2008-03-14 17:33 . 2006-02-27 13:32	2,479,616	--a------	C:\WINDOWS\system32\dllcache\msoeres.dll
2008-03-14 17:30 . 2008-03-14 17:30	<DIR>	d--------	C:\WINDOWS\EHome
2008-03-14 17:07 . 2008-03-14 17:07	248	--a------	C:\UnInstall.dat

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-10 15:39	---------	d-----w	C:\Program Files\Hewlett-Packard
2008-04-01 16:38	---------	d-----w	C:\Documents and Settings\Peter D Martin\Application Data\Audacity
2008-03-23 19:28	---------	d-----w	C:\Program Files\MSN Messenger
2008-03-19 22:44	---------	d-----w	C:\Program Files\Google
2008-03-19 21:25	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-03-19 21:25	---------	d-----w	C:\Program Files\EPSON
2008-03-19 21:23	---------	d-----w	C:\Program Files\IKEA HomePlanner
2008-03-18 20:33	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-03-14 16:31	24,064	----a-w	C:\WINDOWS\system32\ntload.dll
2008-03-14 16:09	---------	d-----w	C:\Program Files\Canon
2008-03-14 16:05	---------	d-----w	C:\Program Files\DivX
2006-11-19 20:50	78,424	----a-w	C:\Documents and Settings\Lorna Hubbard\Application Data\GDIPFONTCACHEV1.DAT
2005-03-15 17:44	0	----a-w	C:\Documents and Settings\Peter D Martin\Application Data\wklnhst.dat
2005-12-06 19:31	56	--sh--r	C:\WINDOWS\system32\1607371D5C.sys
2006-01-16 17:58	1,994	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2004-02-06 18:05  588288  4f64d1df989e3aa2fad91a2f1167b9c7	C:\WINDOWS\$NtUninstallKB918899-IE6SP1-20060725.123917$\wininet.dll
2004-08-04 08:56  656384  c0823fc5469663ba63e7db88f9919d70	C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wininet.dll
2006-04-28 10:58  575488  3d5062a7667913b9b515cc5769e9fb31	C:\WINDOWS\SoftwareDistribution\Download\49afa2a0b3ea87b912cc10130c63a60f\rtmgdr\wininet.dll
2006-04-28 18:48  587264  5f4e89c8b4903acbba2f4b32cf1ed3ad	C:\WINDOWS\SoftwareDistribution\Download\49afa2a0b3ea87b912cc10130c63a60f\RTMQFE\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\SoftwareDistribution\Download\cb88c3740b7bdbe6238a3381da220dae\rtmgdr\wininet.dll
2006-06-23 19:29  587776  40f777875dfa05cd61fd1e8a593be8e9	C:\WINDOWS\SoftwareDistribution\Download\cb88c3740b7bdbe6238a3381da220dae\RTMQFE\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\SoftwareDistribution\Download\cfab6bea01ff38473d99ea9faefb37c0\rtmgdr\wininet.dll
2006-06-23 19:29  587776  40f777875dfa05cd61fd1e8a593be8e9	C:\WINDOWS\SoftwareDistribution\Download\cfab6bea01ff38473d99ea9faefb37c0\RTMQFE\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\system32\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\system32\dllcache\wininet.dll

2003-03-06 10:30  162432  09b38768036508b51564201afb000950	C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2003-03-31 03:00  167552  3b350e5a2a5e951453f3993275a4523a	C:\WINDOWS\$NtUninstallQ815485$\ndis.sys
2003-03-06 10:30  162432  09b38768036508b51564201afb000950	C:\WINDOWS\Driver Cache\i386\ndis.sys
2004-08-04 07:14  182912  558635d3af1c7546d26067d5d9b6959e	C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ndis.sys
2003-03-06 10:30  162432  09b38768036508b51564201afb000950	C:\WINDOWS\system32\drivers\ndis.sys
.
(((((((((((((((((((((((((((((   [email protected]_23.17.51.03   )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-04-27 20:10:38	2,569	-c--a-w	C:\WINDOWS\$NtUninstallKB810217$\spuninst\spuninst.bat
+ 2008-04-13 16:26:04	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-04-05 01:58:29	163,328	----a-w	C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-04-10 15:30:22	4,857,856	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-04-10 15:30:22	36,864	----a-w	C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-04-05 01:58:29	163,328	----a-w	C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-04-10 15:30:07	4,857,856	----a-w	C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-04-10 15:30:08	36,864	----a-w	C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2003-10-22 02:28:34	2,673	----a-w	C:\WINDOWS\hpimdl01.dat
+ 2006-07-23 20:46:04	2,560	----a-r	C:\WINDOWS\Installer\{40280409-6000-11D3-8CFE-0050048383C9}\cagicon.exe
+ 2003-03-31 02:00:00	2,000	----a-w	C:\WINDOWS\system\KEYBOARD.DRV
+ 2003-03-31 02:00:00	2,032	----a-w	C:\WINDOWS\system\MOUSE.DRV
+ 2003-03-31 02:00:00	1,744	----a-w	C:\WINDOWS\system\SOUND.DRV
+ 2003-03-31 02:00:00	2,176	----a-w	C:\WINDOWS\system\VGA.DRV
+ 2003-05-03 12:10:24	1,727	----a-w	C:\WINDOWS\system32\config\systemprofile\Application Data\Sonic\Update Manager\sumdb.dat
- 2006-10-12 10:50:39	262,144	----a-w	C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
+ 2008-04-13 16:55:06	262,144	----a-w	C:\WINDOWS\system32\config\systemprofile\NTUSER.DAT
+ 2003-03-31 02:00:00	1,740	----a-w	C:\WINDOWS\system32\dcache.bin
+ 2002-08-29 08:32:34	2,816	----a-w	C:\WINDOWS\system32\drivers\drmkaud.sys
+ 2003-03-31 02:00:00	2,944	----a-w	C:\WINDOWS\system32\drivers\null.sys
+ 2003-03-31 02:00:00	2,000	----a-w	C:\WINDOWS\system32\keyboard.drv
+ 2003-03-31 02:00:00	2,560	----a-w	C:\WINDOWS\system32\lz32.dll
+ 2003-03-31 02:00:00	2,032	----a-w	C:\WINDOWS\system32\mouse.drv
- 2008-03-05 16:30:54	19,148,408	----a-w	C:\WINDOWS\system32\MRT.exe
+ 2008-04-06 05:56:20	19,836,024	----a-w	C:\WINDOWS\system32\MRT.exe
+ 2003-03-31 02:00:00	1,744	----a-w	C:\WINDOWS\system32\sound.drv
+ 2003-03-31 02:00:00	2,176	----a-w	C:\WINDOWS\system32\vga.drv
+ 2003-03-31 02:00:00	2,864	----a-w	C:\WINDOWS\system32\winsock.dll
+ 2003-03-31 02:00:00	2,112	----a-w	C:\WINDOWS\system32\winspool.exe
+ 2003-03-31 02:00:00	2,736	----a-w	C:\WINDOWS\system32\wowdeb.exe
.
-- Snapshot reset to current date --
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [ ]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 22:22 3739648]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-29 18:02 68856]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 12:10 536576]
"AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-07-18 22:47 2321600]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-06-17 21:48 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-06-17 21:43 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-26 18:15 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-26 18:15 536576]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-22 19:55 483328]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-04-30 10:32 208958]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-05-27 20:28 278528]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-10 00:11 50688]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-03-22 23:15 26112]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 02:10 409600]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-12-24 03:33 188416]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58 229952]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-12-14 02:06 495616]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-15 17:05 1838592]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 17:16 376912]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-03-31 03:00 13312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-29 18:02 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\System32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2007-06-11 21:34 190696]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-8796-100000000002}\SC_Acrobat.exe [2005-11-30 21:22:58 25214]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL


.
Contents of the 'Scheduled Tasks' folder
"2008-03-24 23:18:36 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-13 18:00:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????????A?p?????????? ???B???????????????B? ?????? 

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2008-04-13 18:02:37
ComboFix-quarantined-files.txt  2008-04-13 17:02:13
ComboFix2.txt  2008-04-11 16:32:29
ComboFix3.txt  2008-04-10 22:03:14
ComboFix4.txt  2008-04-04 22:18:23
Pre-Run: 12,172,034,048 bytes free
Post-Run: 12,162,920,448 bytes free
.
2008-03-16 11:13:52	--- E O F ---


----------



## Punk

Ok we have new files, let's delete them:

*Download Avenger, and unzip it to your desktop or somewhere you can find it. (Do not run it yet).*

Note: This program is for use on Windows XP *32 bit* systems only, and must be run from an Administrator account.


Open a *Notepad* file by clicking *Start > Run* and typing *Notepad.exe* in the box, click *OK*.
Click *Format*, and ensure *Word Wrap* is unchecked.
Copy and Paste the text in the box below into *Notepad*.
Now save the file as *RemoveFiles.txt* in a location where you can find it.



> Files to delete:
> C:\WINDOWS\system32\sex3.ico.tmp C:\WINDOWS\system32\sex2.ico.tmp
> C:\WINDOWS\system32\sex1.ico.tmp
> C:\WINDOWS\system32\dojmhkbqdsn.bmp
> C:\WINDOWS\system32\sex5.ico
> C:\WINDOWS\system32\sex4.ico
> C:\WINDOWS\system32\sex3.ico
> C:\WINDOWS\system32\sex2.ico
> C:\WINDOWS\system32\sex1.ico
> C:\WINDOWS\system32\lgnetkrqhgfap.bmp
> C:\WINDOWS\system32\cradonidcr.bmp
> C:\WINDOWS\system32\ntload.dll



Note: the above code was created specifically for this user. If you are not this user, do *NOT* follow these directions as they could damage the workings of your system.

Start *Avenger* by double clicking on *Avenger.exe*.

Check *Load script from file:*
Click on the *folder symbol* below and to the right, and browse to *RemoveFiles.txt*.
Double click it to enter it into Avenger.
Click the *green traffic light symbol*.
You will be asked if you want to execute the script, answer *Yes*.
At this point you may get prompts from your protection systems, allow them please.
Avenger will set itself up to run the next time you re-boot, and will prompt you to re-start immediately.
Answer *Yes*, and allow your computer to re-boot.
Upon re-boot a command window will briefly appear on screen (this is normal).
A Notepad text file will be created *C:\avenger.txt*.
*Copy and Paste it into your next post please.*
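Most of the list above consists of the recently created, randomly named .bmp files in system32 that all share one size, the sex*.ico icons (again all one size) and their zero-byte .tmp leftovers. As an added example that is not part of this thread (and not ComboFix's own code), here is a Python parser for the ComboFix "Files Created" section that applies that same selection to sample lines constructed from the log above; the same-size heuristic is an assumption drawn from this log, not a general rule.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample in the ComboFix "Files Created" line format, copied from
# the log above plus two benign entries (ntoskrnl.exe, a ZoneAlarm icon) for contrast.
SAMPLE_LOG = """\
2008-04-13 17:39 . 2008-04-13 17:39\t0\t--a------\tC:\\WINDOWS\\system32\\sex3.ico.tmp
2008-04-13 17:27 . 2008-04-13 17:27\t269,334\t--a------\tC:\\WINDOWS\\system32\\dojmhkbqdsn.bmp
2008-04-13 17:22 . 2008-04-13 17:40\t3,262\t--a------\tC:\\WINDOWS\\system32\\sex5.ico
2008-04-13 17:21 . 2008-04-13 17:31\t3,262\t--a------\tC:\\WINDOWS\\system32\\sex3.ico
2008-04-13 17:13 . 2008-04-13 17:13\t269,334\t--a------\tC:\\WINDOWS\\system32\\lgnetkrqhgfap.bmp
2008-04-13 10:56 . 2008-04-13 10:56\t<DIR>\td--------\tC:\\b5972bbf697fdead40e53f083c0a
2008-04-13 00:25 . 2008-04-13 00:25\t269,334\t--a------\tC:\\WINDOWS\\system32\\cradonidcr.bmp
2008-04-08 20:43 . 2002-08-29 03:03\t2,042,240\t--a------\tC:\\WINDOWS\\system32\\ntoskrnl.exe
2008-03-18 21:32 . 2008-03-19 22:42\t9,662\t--a------\tC:\\WINDOWS\\system32\\ZoneAlarmIconUK.ico
"""

# One entry: "<created> . <modified>" TAB size-or-<DIR> TAB attrs TAB path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\t"
    r"(?P<size><DIR>|[\d,]+)\t(?P<attrs>\S+)\t(?P<path>.+)$"
)

SYSTEM32 = "c:\\windows\\system32\\"


def parse_files_created(text: str) -> List[dict]:
    """Parse the lines of a ComboFix 'Files Created from ... to ...' section."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip("\r"))
        if not m:
            continue  # banners, blank lines and the lone '.' markers
        size = m.group("size")
        entries.append({
            "created": m.group("created"),
            "modified": m.group("modified"),
            "is_dir": size == "<DIR>",
            "size": None if size == "<DIR>" else int(size.replace(",", "")),
            "attrs": m.group("attrs"),
            "path": m.group("path"),
        })
    return entries


def _loose_in_system32(path: str) -> bool:
    """True for a file sitting directly in system32 (not in a subfolder)."""
    low = path.lower()
    return low.startswith(SYSTEM32) and "\\" not in low[len(SYSTEM32):]


def flag_wallpaper_droppings(entries: List[dict]) -> List[str]:
    """Heuristic (an assumption taken from this log, not a general rule):
    image files written straight into system32 in a burst, several of them
    byte-identical in size, are the fake-alert wallpaper/icon droppings.
    A zero-byte .tmp whose stem is one of those icons is flagged with it."""
    by_size: Dict[int, List[str]] = defaultdict(list)
    for e in entries:
        if e["is_dir"] or not _loose_in_system32(e["path"]):
            continue
        if e["path"].lower().endswith((".bmp", ".ico")):
            by_size[e["size"]].append(e["path"])
    flagged = {p for paths in by_size.values() if len(paths) >= 2 for p in paths}
    for e in entries:
        p = e["path"]
        if p.lower().endswith(".tmp") and e["size"] == 0 and p[:-4] in flagged:
            flagged.add(p)
    return sorted(flagged)


if __name__ == "__main__":
    for path in flag_wallpaper_droppings(parse_files_created(SAMPLE_LOG)):
        print(path)
```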


----------



## texaspete

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform:  Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!


Error:  could not open file "C:\WINDOWS\system32\sex3.ico.tmp C:\WINDOWS\system32\sex2.ico.tmp"
Deletion of file "C:\WINDOWS\system32\sex3.ico.tmp C:\WINDOWS\system32\sex2.ico.tmp" failed!
Status: 0xc0000033 (STATUS_OBJECT_NAME_INVALID)
  --> an object cannot have this name

File "C:\WINDOWS\system32\sex1.ico.tmp" deleted successfully.
File "C:\WINDOWS\system32\dojmhkbqdsn.bmp" deleted successfully.
File "C:\WINDOWS\system32\sex5.ico" deleted successfully.
File "C:\WINDOWS\system32\sex4.ico" deleted successfully.
File "C:\WINDOWS\system32\sex3.ico" deleted successfully.
File "C:\WINDOWS\system32\sex2.ico" deleted successfully.
File "C:\WINDOWS\system32\sex1.ico" deleted successfully.
File "C:\WINDOWS\system32\lgnetkrqhgfap.bmp" deleted successfully.
File "C:\WINDOWS\system32\cradonidcr.bmp" deleted successfully.
File "C:\WINDOWS\system32\ntload.dll" deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.
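The STATUS_OBJECT_NAME_INVALID error in this log comes from two paths having landed on one line of the script, so Avenger treated the whole line as a single file name and neither of those two files was deleted. As an added example that is not part of this thread (and not Avenger's own code), here is a Python check that parses a "Files to delete:" script and reports such lines before the script is run at reboot; the constructed sample reproduces the posted script.

```python
import re
from typing import List, Tuple

# Constructed copy of the script posted above, including the line on which two
# paths were pasted together (the cause of the error in the Avenger log).
SAMPLE_SCRIPT = """\
Files to delete:
C:\\WINDOWS\\system32\\sex3.ico.tmp C:\\WINDOWS\\system32\\sex2.ico.tmp
C:\\WINDOWS\\system32\\sex1.ico.tmp
C:\\WINDOWS\\system32\\dojmhkbqdsn.bmp
C:\\WINDOWS\\system32\\ntload.dll
"""

# Split only where whitespace is followed by another drive-letter path, so a
# path that legitimately contains spaces (C:\Program Files\...) stays intact.
GLUED_RE = re.compile(r"\s+(?=[A-Za-z]:\\)")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")
# Characters NTFS never allows in a path component (the drive colon aside).
BAD_CHARS = set('<>"|?*')


def check_avenger_script(text: str) -> Tuple[List[str], List[str]]:
    """Return (clean_lines, problems) for a script of section headers such as
    'Files to delete:' followed by one absolute path per line. Lines carrying
    two paths are split into two entries and reported; entries with no drive
    prefix or with NTFS-illegal characters are reported and dropped."""
    clean: List[str] = []
    problems: List[str] = []
    section = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":"):  # section header
            section = line
            clean.append(line)
            continue
        if section is None:
            problems.append(f"line {lineno}: entry before any section header")
            continue
        parts = GLUED_RE.split(line)
        if len(parts) > 1:
            problems.append(f"line {lineno}: {len(parts)} paths on one line, split them")
        for p in parts:
            if not DRIVE_RE.match(p):
                problems.append(f"line {lineno}: not an absolute path: {p!r}")
            elif BAD_CHARS & set(p[2:]):
                problems.append(f"line {lineno}: illegal characters in {p!r}")
            else:
                clean.append(p)
    return clean, problems


if __name__ == "__main__":
    lines, issues = check_avenger_script(SAMPLE_SCRIPT)
    for issue in issues:
        print("PROBLEM:", issue)
    print("\n".join(lines))
```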


----------



## Punk

Do you still have the symptoms of the virus?


----------



## texaspete

Great, Internet Explorer is working now, that's great. Shall I go back and do Kaspersky Online Scanner and follow ceewi1's instructions?


----------



## Punk

Yes, follow the Kaspersky instructions and post the log here.


----------



## texaspete

*have to post log in 2 parts*

-------------------------------------------------------------------------------
 KASPERSKY ONLINE SCANNER REPORT
 Sunday, April 13, 2008 8:58:39 PM
 Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
 Kaspersky Online Scanner version: 5.0.98.0
 Kaspersky Anti-Virus database last update: 13/04/2008
 Kaspersky Anti-Virus database records: 702086
-------------------------------------------------------------------------------

Scan Settings:
	Scan using the following antivirus database: extended
	Scan Archives: true
	Scan Mail Bases: true

Scan Target - My Computer:
	C:\
	D:\

Scan Statistics:
	Total number of scanned objects: 75775
	Number of viruses found: 39
	Number of infected objects: 213
	Number of suspicious objects: 3
	Duration of the scan process: 01:51:21

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat	Object is locked	skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\LocalService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Lorna Hubbard\Local Settings\Application Data\Mozilla\Firefox\Profiles\gzrsd51l.default\Cache\2AB8EE1Bd01	Infected: not-virus:Hoax.Win32.Renos.bej	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Application Data\Mozilla\Firefox\Profiles\49ghvfjr.default\cert8.db	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Application Data\Mozilla\Firefox\Profiles\49ghvfjr.default\history.dat	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Application Data\Mozilla\Firefox\Profiles\49ghvfjr.default\key3.db	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Application Data\Mozilla\Firefox\Profiles\49ghvfjr.default\parent.lock	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Application Data\Mozilla\Firefox\Profiles\49ghvfjr.default\search.sqlite	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Application Data\Mozilla\Firefox\Profiles\49ghvfjr.default\urlclassifier2.sqlite	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\appLauncher_all_log.txt	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\DM_log.txt	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\HookStarter_log.txt	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Application Data\Sony Ericsson\Teleca\Telecalib\Logging\Application logs\TlibCmnDlgs_log.txt	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Cookies\index.dat	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\Documents and Settings\Peter D Martin\Desktop\SmitfraudFix.exe/data.rar	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\Documents and Settings\Peter D Martin\Desktop\SmitfraudFix.exe	RarSFX: infected - 2	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\dbc2e.ht1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\dbdam	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\dbdao	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\dbeam	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\dbeao	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\dbm	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\dbu2d.ht1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\dbvm.cf1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\dbvmh.ht1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\fii.cf1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\fiih.ht1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\hp	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\hpt2i.ht1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\rpm.cf1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\rpm1n.cf1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\rpm1n1m.cf1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\rpm1n1mh.ht1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\rpm1nh.ht1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\rpmh.ht1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-black-enchashm.cf1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-black-enchashmh.ht1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-black-urlm.cf1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-black-urlmh.ht1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-malware-domainm.cf1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-malware-domainmh.ht1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-white-domainm.cf1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Google\Google Desktop Search\safeweb\goog-white-domainmh.ht1	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Identities\{74CA3E49-695D-4219-A72E-0166E72358C2}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From EBAY <[email protected]>][Date 7 Nov 2006 05:56:37 -0800]/html	Suspicious: Trojan-Spy.HTML.Fraud.gen	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Identities\{74CA3E49-695D-4219-A72E-0166E72358C2}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx/[From paypal.com <[email protected]>][Date Tue, 17 Oct 2006 05:01:27 +0300]/html	Suspicious: Trojan-Spy.HTML.Fraud.gen	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Identities\{74CA3E49-695D-4219-A72E-0166E72358C2}\Microsoft\Outlook Express\Hotmail - Deleted Items.dbx	Mail MS Outlook 5: suspicious - 2	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Mozilla\Firefox\Profiles\49ghvfjr.default\Cache\_CACHE_001_	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Mozilla\Firefox\Profiles\49ghvfjr.default\Cache\_CACHE_002_	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Mozilla\Firefox\Profiles\49ghvfjr.default\Cache\_CACHE_003_	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Application Data\Mozilla\Firefox\Profiles\49ghvfjr.default\Cache\_CACHE_MAP_	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\History\History.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Temp\Perflib_Perfdata_1e0.dat	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Temp\~DF6FB0.tmp	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Local Settings\Temporary Internet Files\Content.IE5\index.dat	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\NTUSER.DAT	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\ntuser.dat.LOG	Object is locked	skipped
C:\Documents and Settings\Peter D Martin\Shared\# bj bridges bj bridges 59.wma	Infected: Trojan-Downloader.WMA.Wimad.d	skipped
C:\Documents and Settings\Peter D Martin\Shared\(Crack) im feeling nothing dada 16.wma	Infected: Trojan-Downloader.WMA.Wimad.d	skipped
C:\Documents and Settings\Peter D Martin\Shared\02 Track 2 (army).wma	Infected: Trojan-Downloader.WMA.Wimad.d	skipped
C:\Documents and Settings\Peter D Martin\Shared\[Full Version] alf garnett 18.wma	Infected: Trojan-Downloader.WMA.Wimad.d	skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log	Object is locked	skipped
C:\Program Files\Mozilla Firefox\SmitfraudFix\Reboot.exe	Infected: not-a-virus:RiskTool.Win32.Reboot.f	skipped
C:\Program Files\MSN Messenger\msimg32.dll	Infected: not-a-virus:AdTool.Win32.MyWebSearch.au	skipped
C:\Program Files\MSN Messenger\riched20.dll	Infected: not-a-virus:AdTool.Win32.MyWebSearch	skipped
C:\QooBox\Quarantine\C\Program Files\Hewlett-Packard\xubaci89104.dll.vir	Infected: not-a-virus:AdWare.Win32.TTC.d	skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\msimg32.dll.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.au	skipped
C:\QooBox\Quarantine\C\Program Files\JavaCore\JavaCore.exe.vir	Infected: not-a-virus:AdWare.Win32.Insider.c	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3BROVLY.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.at	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3DTACTL.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HISTSW.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTMLMU.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.l	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3HTTPCT.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.af	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3IMSTUB.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.au	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3POPSWT.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.au	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3PSSAVR.SCR.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3REPROX.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.au	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3RESTUB.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCHMON.EXE.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.a	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SCRCTR.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.an	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3SHLLVW.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\F3WPHOOK.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3HTML.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3IDLE.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3MSG.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3OUTLCN.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3PLUGIN.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.as	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SKIN.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SLSRCH.EXE.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.au	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\M3SRCHMN.EXE.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.au	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSBAR.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOEPLG.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.au	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\MWSOESTB.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\bar\1.bin\NPMYWEBS.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.i	skipped
C:\QooBox\Quarantine\C\Program Files\MyWebSearch\SrchAstt\1.bin\MWSSRCAS.DLL.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch.as	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bjbcqufv.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\buvigkhr.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\chcngsah.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\diyjepwa.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir	Infected: not-a-virus:AdTool.Win32.MyWebSearch	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fcsgovrt.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fujrdftv.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gueyaoye.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hmwxxnei.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hoxrulwt.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ieupdates.exe.vir	Infected: not-virus:Hoax.Win32.Renos.bnl	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jbclavhv.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kfquoiyb.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lktakvyg.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lutcgcba.dll.vir	Infected: not-a-virus:AdWare.Win32.Virtumonde.lub	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mgqfpmpy.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mkwmciyg.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\shdohvuv.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\srqffjjc.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sypieccq.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tbkrsbsp.dll.vir	Infected: not-a-virus:AdWare.Win32.Virtumonde.lwv	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tlnmxkgl.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tswqmjrm.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\uovsxpbx.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\update32.exe.vir	Infected: not-virus:Hoax.Win32.Renos.bnl	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\upjoxenc.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vpioktre.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winupdate.exe.vir	Infected: not-virus:Hoax.Win32.Renos.bja	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wqkimido.dll.vir	Infected: not-a-virus:AdWare.Win32.Virtumonde.lxl	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wscmp.dll.vir	Infected: not-a-virus:AdWare.Win32.BHO.aph	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xuykdcfq.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xwyvpdtj.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ydagxkgh.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yeihpnsv.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yfhbyanl.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yhenxmhf.dll.vir	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\catchme2008-04-04_230859.71.zip/Documents and Settings/Peter D Martin/Desktop/catchme.zip/awvvu.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\catchme2008-04-04_230859.71.zip/Documents and Settings/Peter D Martin/Desktop/catchme.zip/tuvvwwu.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\catchme2008-04-04_230859.71.zip/Documents and Settings/Peter D Martin/Desktop/catchme.zip	Infected: Packed.Win32.Monder.gen	skipped
C:\QooBox\Quarantine\catchme2008-04-04_230859.71.zip	ZIP: infected - 3	skipped
C:\SDFix\backups\backups.zip/backups/b155.exe	Infected: Trojan.Win32.BHO.bfl	skipped
C:\SDFix\backups\backups.zip/backups/mrofinu1000106.exe	Infected: Trojan-Downloader.Win32.Homles.au	skipped
C:\SDFix\backups\backups.zip/backups/UGES_0001_N122M2602NetInstaller.exe	Infected: not-a-virus:Downloader.Win32.WinFixer.ee	skipped
C:\SDFix\backups\backups.zip	ZIP: infected - 3	skipped


----------
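A reader working through a report like the one above has to separate the hits that still need action from the ones that only sit in ComboFix's QooBox quarantine, SDFix's backups or XP restore points, and from the scanner's own bookkeeping lines ("Object is locked", "ZIP: infected - 3"). The following Python script is an added example, not part of the thread and not a tool any of the helpers posted; it parses the tab-separated result rows of a Kaspersky Online Scanner 5 report, buckets them, and counts live hits per malware family. The stale-path prefixes are an assumed rule set, and the sample report is a short excerpt of the rows posted above.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Added triage example for the Kaspersky Online Scanner report format shown
# in the thread; not part of the original posts. Result rows are:
#   <object path> TAB <verdict> TAB <last action>
# Objects inside archives, installers or mail stores are written as
#   <container path on disk>/<member path inside it>


@dataclass(frozen=True)
class Finding:
    path: str
    verdict: str
    action: str


# Assumed rule set: hits under these prefixes are copies already taken out of
# service by an earlier cleanup tool or by System Restore, not live files.
STALE_PREFIXES = (
    r"c:\qoobox\quarantine",                    # ComboFix quarantine
    r"c:\sdfix\backups",                        # SDFix backups
    r"c:\system volume information\_restore",   # XP restore points
)

# Container rows only summarise members that are listed on their own rows.
SUMMARY_RE = re.compile(r"^(ZIP|RarSFX|NSIS|Mail [^:]+): (infected|suspicious) - \d+$")


def parse_report(text):
    """Return the three-column result rows of a report as Finding objects."""
    findings = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) == 3:
            findings.append(Finding(*cols))
    return findings


def family(verdict):
    """'Infected: not-a-virus:AdTool.Win32.MyWebSearch.au' -> 'AdTool.Win32.MyWebSearch'."""
    name = verdict.split(": ", 1)[-1]          # drop 'Infected: ' / 'Suspicious: '
    name = name.split(":")[-1]                 # drop 'not-a-virus:' / 'not-virus:'
    return ".".join(name.split(".")[:3])       # behaviour.platform.family, no variant letter


def container(path):
    """The on-disk file holding the object (the object itself when not nested)."""
    return path.split("/", 1)[0]


def triage(findings):
    """Bucket findings into live hits, stale copies, locked objects and
    container summaries, and count the live hits per family."""
    result = {"live": [], "stale": [], "locked": [], "summary": []}
    for f in findings:
        if f.verdict == "Object is locked":
            result["locked"].append(f)
        elif SUMMARY_RE.match(f.verdict):
            result["summary"].append(f)
        elif container(f.path).lower().startswith(STALE_PREFIXES):
            result["stale"].append(f)
        else:
            result["live"].append(f)
    result["live_families"] = Counter(family(f.verdict) for f in result["live"])
    return result


# Sample input: an excerpt of the rows from the report posted in the thread.
SAMPLE_REPORT = "\n".join("\t".join(cols) for cols in [
    ("Infected Object Name / Virus Name / Last Action",),   # header row, ignored
    (r"C:\Documents and Settings\LocalService\NTUSER.DAT", "Object is locked", "skipped"),
    (r"C:\Documents and Settings\Lorna Hubbard\Local Settings\Application Data\Mozilla\Firefox\Profiles\gzrsd51l.default\Cache\2AB8EE1Bd01",
     "Infected: not-virus:Hoax.Win32.Renos.bej", "skipped"),
    (r"C:\Documents and Settings\Peter D Martin\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe",
     "Infected: not-a-virus:RiskTool.Win32.Reboot.f", "skipped"),
    (r"C:\Documents and Settings\Peter D Martin\Desktop\SmitfraudFix.exe", "RarSFX: infected - 2", "skipped"),
    (r"C:\Documents and Settings\Peter D Martin\Shared\02 Track 2 (army).wma",
     "Infected: Trojan-Downloader.WMA.Wimad.d", "skipped"),
    (r"C:\Program Files\MSN Messenger\msimg32.dll", "Infected: not-a-virus:AdTool.Win32.MyWebSearch.au", "skipped"),
    (r"C:\QooBox\Quarantine\C\WINDOWS\system32\bjbcqufv.dll.vir", "Infected: Packed.Win32.Monder.gen", "skipped"),
    (r"C:\SDFix\backups\backups.zip/backups/b155.exe", "Infected: Trojan.Win32.BHO.bfl", "skipped"),
    (r"C:\SDFix\backups\backups.zip", "ZIP: infected - 3", "skipped"),
    (r"C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP493\A0215565.dll",
     "Infected: Packed.Win32.Monder.gen", "skipped"),
])

if __name__ == "__main__":
    r = triage(parse_report(SAMPLE_REPORT))
    for bucket in ("live", "stale", "locked", "summary"):
        print(f"{bucket:8} {len(r[bucket])}")
    for fam, n in r["live_families"].most_common():
        print(f"  live: {fam} x{n}")
    for f in r["live"]:
        print("  ", f.path)
```

On the excerpt, the four live hits are the MyWebSearch DLL dropped into the MSN Messenger folder, the Renos hoax file in a Firefox cache, a Wimad-infected .wma in a shared-downloads folder, and the "not-a-virus:RiskTool" hit on the Reboot.exe bundled inside SmitfraudFix, which is the tool's own reboot helper rather than an infection. The Monder and BHO hits in QooBox, SDFix backups and restore points are stale copies: they stop appearing once those quarantine folders are removed and System Restore is cleared, which is the usual final step of a thread like this.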



## texaspete

C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP493\A0215565.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP493\A0215566.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP493\A0216565.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP494\A0218565.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP495\A0221650.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP496\A0222705.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP496\A0222758.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP497\A0223822.exe	Infected: Trojan-Downloader.Win32.Agent.lqu	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP497\A0223827.exe	Infected: not-a-virus:AdWare.Win32.Insider.c	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP497\A0224813.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP497\A0224829.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP497\A0224830.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0226861.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0226862.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0226863.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0226873.exe	Infected: Trojan-Downloader.Win32.Homles.as	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0227861.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0228876.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0228948.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0229992.exe	Infected: not-a-virus:AdWare.Win32.Insider.c	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0230003.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0231007.dll	Infected: not-virus:Hoax.Win32.Renos.bja	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0231013.exe	Infected: Trojan-Downloader.Win32.Homles.at	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0231020.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0231027.dll	Infected: not-virus:Hoax.Win32.Renos.bja	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0231034.exe	Infected: Trojan.Win32.BHO.bfl	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0231048.dll	Infected: not-virus:Hoax.Win32.Renos.bja	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0231095.dll	Infected: not-virus:Hoax.Win32.Renos.bja	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0232090.dll	Infected: not-virus:Hoax.Win32.Renos.bja	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0232108.exe	Infected: not-a-virus:AdWare.Win32.Insider.c	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0232109.exe	Infected: not-a-virus:AdWare.Win32.Insider.d	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0232110.exe/data0001	Infected: not-a-virus:AdWare.Win32.PurityScan.gp	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0232110.exe	NSIS: infected - 1	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0232111.dll	Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0232112.dll	Infected: not-a-virus:AdWare.Win32.BHO.sr	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0232114.exe/data0002	Infected: not-a-virus:AdWare.Win32.TTC.d	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0232114.exe	NSIS: infected - 1	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0232123.dll	Infected: not-virus:Hoax.Win32.Renos.bja	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0232197.dll	Infected: not-virus:Hoax.Win32.Renos.bja	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0232210.dll	Infected: not-virus:Hoax.Win32.Renos.bja	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0232222.dll	Infected: not-virus:Hoax.Win32.Renos.bja	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0232242.dll	Infected: not-virus:Hoax.Win32.Renos.bja	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0233238.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP498\A0233247.dll	Infected: not-virus:Hoax.Win32.Renos.bja	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233289.exe	Infected: not-a-virus:AdWare.Win32.Insider.c	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233292.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.at	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233294.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233295.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233296.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.l	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233297.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.af	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233298.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.au	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233299.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.au	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233300.SCR	Infected: not-a-virus:AdTool.Win32.MyWebSearch	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233301.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.au	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233302.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233303.EXE	Infected: not-a-virus:AdTool.Win32.MyWebSearch.a	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233304.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.an	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233305.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233306.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233308.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233309.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233311.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233313.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233314.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.as	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233315.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233317.EXE	Infected: not-a-virus:AdTool.Win32.MyWebSearch.au	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233318.EXE	Infected: not-a-virus:AdTool.Win32.MyWebSearch.au	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233319.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233320.EXE	Infected: not-a-virus:AdTool.Win32.MyWebSearch	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233321.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.au	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233322.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233323.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.i	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233331.DLL	Infected: not-a-virus:AdTool.Win32.MyWebSearch.as	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233333.dll	Infected: not-a-virus:AdTool.Win32.MyWebSearch.au	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233334.scr	Infected: not-a-virus:AdTool.Win32.MyWebSearch	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233335.exe	Infected: not-virus:Hoax.Win32.Renos.bja	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233338.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233339.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233340.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233341.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233342.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233343.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233344.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233345.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233346.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233347.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233348.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233349.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233350.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.lub	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233351.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233352.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233353.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233354.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233355.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233356.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.lwv	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233357.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233358.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233359.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233360.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233361.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233362.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.lxl	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233363.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233364.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233365.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233366.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233367.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233368.dll	Infected: Packed.Win32.Monder.gen	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233373.dll	Infected: not-a-virus:AdWare.Win32.TTC.d	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP499\A0233459.dll	Infected: not-a-virus:AdWare.Win32.Virtumonde.mju	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP500\A0233820.exe	Infected: Trojan-Downloader.Win32.Agent.ltf	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP500\A0233849.exe	Infected: Trojan.Win32.BHO.bfl	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP500\A0233850.exe	Infected: Trojan-Downloader.Win32.Homles.au	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP500\A0233859.exe	Infected: Trojan.Win32.BHO.bfl	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP500\A0233860.exe	Infected: Trojan-Downloader.Win32.Homles.au	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP500\A0233866.exe	Infected: not-a-virus:Downloader.Win32.WinFixer.ee	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP502\A0234100.dll	Infected: not-virus:Hoax.Win32.Renos.bja	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP502\A0234110.dll	Infected: not-virus:Hoax.Win32.Renos.bja	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP502\A0235106.dll	Infected: not-virus:Hoax.Win32.Renos.bja	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP502\A0235118.dll	Infected: not-a-virus:AdWare.Win32.BHO.aph	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP503\A0235128.exe	Infected: not-virus:Hoax.Win32.Renos.bja	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP503\A0235129.dll	Infected: not-a-virus:AdWare.Win32.BHO.aph	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP503\A0235130.exe	Infected: not-virus:Hoax.Win32.Renos.bnl	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP503\A0235131.exe	Infected: not-virus:Hoax.Win32.Renos.bnl	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP503\A0235178.dll	Infected: not-virus:Hoax.Win32.Renos.bja	skipped
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP503\change.log	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll	Object is locked	skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll	Object is locked	skipped
C:\WINDOWS\Debug\PASSWD.LOG	Object is locked	skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UGES_0001_N122M2602NetInstaller.exe	Infected: not-a-virus:Downloader.Win32.WinFixer.ee	skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UGES_0001_N122M2602NetInstaller.exe	Infected: not-a-virus:Downloader.Win32.WinFixer.ee	skipped
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UGES_0001_N122M2602NetInstaller.exe	Infected: not-a-virus:Downloader.Win32.WinFixer.ee	skipped
C:\WINDOWS\SchedLgU.Txt	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{B57ED9A0-D8D3-4E0A-BAA7-CA9973BEAA41}.bin	Object is locked	skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log	Object is locked	skipped
C:\WINDOWS\Sti_Trace.log	Object is locked	skipped
C:\WINDOWS\system32\config\AppEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\default	Object is locked	skipped
C:\WINDOWS\system32\config\default.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SAM	Object is locked	skipped
C:\WINDOWS\system32\config\SAM.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SecEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY	Object is locked	skipped
C:\WINDOWS\system32\config\SECURITY.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\software	Object is locked	skipped
C:\WINDOWS\system32\config\software.LOG	Object is locked	skipped
C:\WINDOWS\system32\config\SysEvent.Evt	Object is locked	skipped
C:\WINDOWS\system32\config\system	Object is locked	skipped
C:\WINDOWS\system32\config\system.LOG	Object is locked	skipped
C:\WINDOWS\system32\h323log.txt	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR	Object is locked	skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA	Object is locked	skipped
C:\WINDOWS\wiadebug.log	Object is locked	skipped
C:\WINDOWS\wiaservc.log	Object is locked	skipped
C:\WINDOWS\WindowsUpdate.log	Object is locked	skipped

Scan process completed.


----------



## texaspete

Is this log ok?


----------



## Punk

texaspete said:

> Is this log ok?



Yes, we're waiting for Ceewi1 to answer. If he doesn't answer by tomorrow, I'll try and solve this log.


----------



## ceewi1

Sorry about the delay, there's still a bit more to do.

Please download *ATF Cleaner* by Atribune.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser

Click *Firefox* at the top and choose: *Select All*
Click the *Empty Selected* button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click *Opera* at the top and choose: *Select All*
Click the *Empty Selected* button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.


Open *Notepad* (Start -> Run -> type *notepad* in the Open field -> OK) and copy and paste the text present *inside* the code box below:



```
File::
C:\Documents and Settings\Peter D Martin\Shared\# bj bridges bj bridges 59.wma
C:\Documents and Settings\Peter D Martin\Shared\(Crack) im feeling nothing dada 16.wma
C:\Documents and Settings\Peter D Martin\Shared\02 Track 2 (army).wma
C:\Documents and Settings\Peter D Martin\Shared\[Full Version] alf garnett 18.wma
C:\Program Files\MSN Messenger\msimg32.dll
C:\Program Files\MSN Messenger\riched20.dll
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UGES_0001_N122M2602NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UGES_0001_N122M2602NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UGES_0001_N122M2602NetInstaller.exe
C:\WINDOWS\system32\sex3.ico.tmp
C:\WINDOWS\system32\sex2.ico.tmp

Folder::
C:\school.exe
```


Save this as *CFScript.txt* and change the *Save as type* to *All Files* and place it on your *desktop*.

Referring to the screenshot above, *drag CFScript.txt into ComboFix.exe*.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply, along with a new HijackThis log.
*CAUTION*:
Do *NOT* mouse-click ComboFix's window while it is running. That may cause it to stall.
Also, please do *NOT* adjust your time format while ComboFix is running.

Please post:

- The ComboFix log
- A new HijackThis log
- An update on how your system is running now


----------



## texaspete

ComboFix 08-04-12.10 - Peter D Martin 2008-04-15 17:52:04.7 - NTFSx86
Running from: C:\Documents and Settings\Peter D Martin\Desktop\ComboFix.exe

*WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!*
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Peter D Martin\Shared\# bj bridges bj bridges 59.wma
C:\Documents and Settings\Peter D Martin\Shared\(Crack) im feeling nothing dada 16.wma
C:\Documents and Settings\Peter D Martin\Shared\[Full Version] alf garnett 18.wma
C:\Documents and Settings\Peter D Martin\Shared\02 Track 2 (army).wma
C:\Program Files\MSN Messenger\msimg32.dll
C:\Program Files\MSN Messenger\riched20.dll
C:\school.exe
C:\school.exe\SDFix\apps\assosfix.reg
C:\school.exe\SDFix\apps\cliptext.exe
C:\school.exe\SDFix\apps\download.exe
C:\school.exe\SDFix\apps\dummy.sys
C:\school.exe\SDFix\apps\Enable_Command_Prompt.reg
C:\school.exe\SDFix\apps\ERDNT.E_E
C:\school.exe\SDFix\apps\ERDNTDOS.LOC
C:\school.exe\SDFix\apps\ERDNTWIN.LOC
C:\school.exe\SDFix\apps\ERUNT.EXE
C:\school.exe\SDFix\apps\ERUNT.LOC
C:\school.exe\SDFix\apps\fix.reg
C:\school.exe\SDFix\apps\FixBH.reg
C:\school.exe\SDFix\apps\FixComponents.reg
C:\school.exe\SDFix\apps\FIXCU.reg
C:\school.exe\SDFix\apps\FIXLM.reg
C:\school.exe\SDFix\apps\FixPath.exe
C:\school.exe\SDFix\apps\FixRedir.reg
C:\school.exe\SDFix\apps\FixSchedule.reg
C:\school.exe\SDFix\apps\FixWebCheck.reg
C:\school.exe\SDFix\apps\fixXP.reg
C:\school.exe\SDFix\apps\FixXPsp2.reg
C:\school.exe\SDFix\apps\grep.exe
C:\school.exe\SDFix\apps\HPFix.reg
C:\school.exe\SDFix\apps\HPFix2.reg
C:\school.exe\SDFix\apps\HPFix3.reg
C:\school.exe\SDFix\apps\HPFix4.reg
C:\school.exe\SDFix\apps\HPFix5.reg
C:\school.exe\SDFix\apps\HPFix6.reg
C:\school.exe\SDFix\apps\HPFix7.reg
C:\school.exe\SDFix\apps\isadmin.exe
C:\school.exe\SDFix\apps\leg2.txt
C:\school.exe\SDFix\apps\legacy.txt
C:\school.exe\SDFix\apps\legacybk.txt
C:\school.exe\SDFix\apps\locate.com
C:\school.exe\SDFix\apps\LS.exe
C:\school.exe\SDFix\apps\MD5File.exe
C:\school.exe\SDFix\apps\MyGcpvFix.reg
C:\school.exe\SDFix\apps\MyGkFix2.reg
C:\school.exe\SDFix\apps\Process.exe
C:\school.exe\SDFix\apps\procs.exe
C:\school.exe\SDFix\apps\psservice.exe
C:\school.exe\SDFix\apps\Rem.txt
C:\school.exe\SDFix\apps\Rem2.txt
C:\school.exe\SDFix\apps\Replace\regedit.exe
C:\school.exe\SDFix\apps\Replace\W2K.exe
C:\school.exe\SDFix\apps\Replace\w2k\beep.sys
C:\school.exe\SDFix\apps\Replace\w2k\null.sys
C:\school.exe\SDFix\apps\Replace\XP.exe
C:\school.exe\SDFix\apps\Replace\xp\beep.sys
C:\school.exe\SDFix\apps\Replace\xp\null.sys
C:\school.exe\SDFix\apps\Reset_AppInit_DLLs.reg
C:\school.exe\SDFix\apps\RestartIt!.exe
C:\school.exe\SDFix\apps\Restore_SecurityCenter.reg
C:\school.exe\SDFix\apps\Restore_SharedAccess.reg
C:\school.exe\SDFix\apps\sc.exe
C:\school.exe\SDFix\apps\sed.exe
C:\school.exe\SDFix\apps\SF.exe
C:\school.exe\SDFix\apps\shutdown.exe
C:\school.exe\SDFix\apps\srv2.txt
C:\school.exe\SDFix\apps\srv2bk.txt
C:\school.exe\SDFix\apps\svc.txt
C:\school.exe\SDFix\apps\svcbk.txt
C:\school.exe\SDFix\apps\swreg.exe
C:\school.exe\SDFix\apps\swsc.exe
C:\school.exe\SDFix\apps\unzip.exe
C:\school.exe\SDFix\apps\vfind.exe
C:\school.exe\SDFix\apps\WINMSG.EXE
C:\school.exe\SDFix\apps\winsec.reg
C:\school.exe\SDFix\apps\zip.exe
C:\school.exe\SDFix\catchme.exe
C:\school.exe\SDFix\dummy.sys
C:\school.exe\SDFix\RunThis.bat
C:\school.exe\SDFix\SDFIX_ReadMe_Online.url
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\UGES_0001_N122M2602NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\UGES_0001_N122M2602NetInstaller.exe
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\UGES_0001_N122M2602NetInstaller.exe
C:\WINDOWS\system32\sex2.ico.tmp
C:\WINDOWS\system32\sex3.ico.tmp

.
(((((((((((((((((((((((((   Files Created from 2008-03-15 to 2008-04-15  )))))))))))))))))))))))))))))))
.

2008-04-13 18:52 . 2008-04-13 18:52	<DIR>	d--------	C:\WINDOWS\system32\Kaspersky Lab
2008-04-13 18:52 . 2008-04-13 18:52	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-12 19:04 . 2008-04-12 19:04	269,334	--a------	C:\WINDOWS\system32\apknihgb.bmp
2008-04-12 10:17 . 2008-04-12 10:17	269,334	--a------	C:\WINDOWS\system32\felsnilcfatsf.bmp
2008-04-11 22:09 . 2008-04-11 22:09	269,334	--a------	C:\WINDOWS\system32\lcbitojml.bmp
2008-04-11 19:29 . 2008-04-11 19:29	269,334	--a------	C:\WINDOWS\system32\nepgjeh.bmp
2008-04-11 17:42 . 2008-04-11 17:42	<DIR>	d--------	C:\_OTMoveIt
2008-04-11 17:13 . 2008-04-11 17:13	269,334	--a------	C:\WINDOWS\system32\krqtcjah.bmp
2008-04-10 16:29 . 2008-04-10 16:30	<DIR>	d--------	C:\WINDOWS\ERUNT
2008-04-08 20:43 . 2002-08-29 03:03	2,042,240	--a------	C:\WINDOWS\system32\ntoskrnl.exe
2008-04-05 22:36 . 2008-04-10 16:55	<DIR>	d--------	C:\SDFix
2008-04-04 19:30 . 2008-04-07 18:00	54,156	--ah-----	C:\WINDOWS\QTFont.qfn
2008-04-04 19:30 . 2008-04-04 19:30	1,409	--a------	C:\WINDOWS\QTFont.for
2008-04-04 18:34 . 2007-09-05 23:22	289,144	--a------	C:\WINDOWS\system32\VCCLSID.exe
2008-04-04 18:34 . 2006-04-27 16:49	288,417	--a------	C:\WINDOWS\system32\SrchSTS.exe
2008-04-04 18:34 . 2008-03-28 23:19	86,528	--a------	C:\WINDOWS\system32\VACFix.exe
2008-04-04 18:34 . 2008-03-26 08:50	82,432	--a------	C:\WINDOWS\system32\IEDFix.exe
2008-04-04 18:34 . 2003-06-05 20:13	53,248	--a------	C:\WINDOWS\system32\Process.exe
2008-04-04 18:34 . 2004-07-31 17:50	51,200	--a------	C:\WINDOWS\system32\dumphive.exe
2008-04-04 18:34 . 2007-10-03 23:36	25,600	--a------	C:\WINDOWS\system32\WS2Fix.exe
2008-04-04 18:34 . 2008-04-04 18:34	6,328	--a------	C:\WINDOWS\system32\tmp.reg
2008-04-04 18:28 . 2008-04-12 10:32	<DIR>	d--------	C:\scanner.exe
2008-04-03 17:50 . 2008-04-03 17:50	<DIR>	d--------	C:\Program Files\Enigma Software Group
2008-04-02 16:15 . 2008-04-02 16:15	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-19 22:42 . 2008-03-19 22:42	<DIR>	d--------	C:\Program Files\Panicware
2008-03-18 21:32 . 2008-03-19 22:42	9,662	--a------	C:\WINDOWS\system32\ZoneAlarmIconUK.ico
2008-03-16 22:17 . 2008-03-16 22:17	<DIR>	d--------	C:\Documents and Settings\All Users\Application Data\Rabio

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 16:36	---------	d-----w	C:\Program Files\MSN Messenger
2008-04-10 15:39	---------	d-----w	C:\Program Files\Hewlett-Packard
2008-04-01 16:38	---------	d-----w	C:\Documents and Settings\Peter D Martin\Application Data\Audacity
2008-03-19 22:44	---------	d-----w	C:\Program Files\Google
2008-03-19 21:25	---------	d--h--w	C:\Program Files\InstallShield Installation Information
2008-03-19 21:25	---------	d-----w	C:\Program Files\EPSON
2008-03-19 21:23	---------	d-----w	C:\Program Files\IKEA HomePlanner
2008-03-18 20:33	---------	d-----w	C:\Program Files\Common Files\Adobe
2008-03-14 16:09	---------	d-----w	C:\Program Files\Canon
2008-03-14 16:07	248	----a-w	C:\UnInstall.dat
2008-03-14 16:05	---------	d-----w	C:\Program Files\DivX
2006-11-19 20:50	78,424	----a-w	C:\Documents and Settings\Lorna Hubbard\Application Data\GDIPFONTCACHEV1.DAT
2005-03-15 17:44	0	----a-w	C:\Documents and Settings\Peter D Martin\Application Data\wklnhst.dat
2005-12-06 19:31	56	--sh--r	C:\WINDOWS\system32\1607371D5C.sys
2006-01-16 17:58	1,994	--sha-w	C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
2004-02-06 18:05  588288  4f64d1df989e3aa2fad91a2f1167b9c7	C:\WINDOWS\$NtUninstallKB918899-IE6SP1-20060725.123917$\wininet.dll
2004-08-04 08:56  656384  c0823fc5469663ba63e7db88f9919d70	C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wininet.dll
2006-04-28 10:58  575488  3d5062a7667913b9b515cc5769e9fb31	C:\WINDOWS\SoftwareDistribution\Download\49afa2a0b3ea87b912cc10130c63a60f\rtmgdr\wininet.dll
2006-04-28 18:48  587264  5f4e89c8b4903acbba2f4b32cf1ed3ad	C:\WINDOWS\SoftwareDistribution\Download\49afa2a0b3ea87b912cc10130c63a60f\RTMQFE\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\SoftwareDistribution\Download\cb88c3740b7bdbe6238a3381da220dae\rtmgdr\wininet.dll
2006-06-23 19:29  587776  40f777875dfa05cd61fd1e8a593be8e9	C:\WINDOWS\SoftwareDistribution\Download\cb88c3740b7bdbe6238a3381da220dae\RTMQFE\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\SoftwareDistribution\Download\cfab6bea01ff38473d99ea9faefb37c0\rtmgdr\wininet.dll
2006-06-23 19:29  587776  40f777875dfa05cd61fd1e8a593be8e9	C:\WINDOWS\SoftwareDistribution\Download\cfab6bea01ff38473d99ea9faefb37c0\RTMQFE\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\system32\wininet.dll
2006-06-23 11:33  575488  7e7760c7f263ec7a740ee265b263f770	C:\WINDOWS\system32\dllcache\wininet.dll

2003-03-06 10:30  162432  09b38768036508b51564201afb000950	C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
2003-03-31 03:00  167552  3b350e5a2a5e951453f3993275a4523a	C:\WINDOWS\$NtUninstallQ815485$\ndis.sys
2003-03-06 10:30  162432  09b38768036508b51564201afb000950	C:\WINDOWS\Driver Cache\i386\ndis.sys
2004-08-04 07:14  182912  558635d3af1c7546d26067d5d9b6959e	C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ndis.sys
2003-03-06 10:30  162432  09b38768036508b51564201afb000950	C:\WINDOWS\system32\drivers\ndis.sys
.
(((((((((((((((((((((((((((((   snapshot_2008-04-13_18.01.47.28   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-13 16:26:04	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2008-04-15 16:41:34	2,048	--s-a-w	C:\WINDOWS\bootstat.dat
+ 2005-05-24 11:27:16	213,048	----a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 14:47:20	94,208	----a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 14:49:54	950,272	----a-w	C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54 5674352]
"MSKAGENTEXE"="C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe" [ ]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 22:22 3739648]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-29 18:02 68856]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 12:10 536576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-06-17 21:48 155648]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-06-17 21:43 118784]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48 36975]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-05-26 18:15 98304]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-05-26 18:15 536576]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 17:28 49152]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 08:38 241664]
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" [ ]
"HPHmon05"="C:\WINDOWS\System32\hphmon05.exe" [2003-05-22 19:55 483328]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-04-30 10:32 208958]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-05-27 20:28 278528]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2003-06-10 00:11 50688]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-03-22 23:15 26112]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 03:12 483328]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 02:10 409600]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe" [2002-12-24 03:33 188416]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-09-12 01:58 229952]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2006-12-14 02:06 495616]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-08-15 17:05 1838592]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 17:16 376912]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2003-03-31 03:00 13312]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-29 18:02 68856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\System32\Macromed\Flash\NPSWF32_FlashUtil.exe" [2007-06-11 21:34 190696]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-F400-8796-100000000002}\SC_Acrobat.exe [2005-11-30 21:22:58 25214]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe [2006-10-23 01:48:20 40048]
Adobe Reader Synchronizer.lnk - C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe [2006-10-23 00:01:50 734872]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 05:19:24 237568]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL


.
Contents of the 'Scheduled Tasks' folder
"2008-03-24 23:18:36 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-15 17:56:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
  Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????????A?p?????????? ???B???????????????B? ?????? 

scanning hidden files ... 

scan completed successfully 
hidden files: 0 

**************************************************************************
.
Completion time: 2008-04-15 17:58:14
ComboFix-quarantined-files.txt  2008-04-15 16:57:28
ComboFix2.txt  2008-04-13 20:54:50
ComboFix3.txt  2008-04-13 17:02:39
ComboFix4.txt  2008-04-11 16:32:29
ComboFix5.txt  2008-04-10 22:03:14
Pre-Run: 12,228,841,472 bytes free
Post-Run: 12,215,992,320 bytes free
.
2008-03-16 11:13:52	--- E O F ---


----------



## texaspete

Logfile of HijackThis v1.99.1
Scan saved at 17:59:51, on 15/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\Google Talk\googletalk.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\scanner.exe\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSKAGENTEXE] C:\PROGRA~1\McAfee\SPAMKI~1\MSKAgent.exe
O4 - HKCU\..\Run: [googletalk] "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_GB&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett Packard Company - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe


----------
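A helper reads a HijackThis log like the one above by type code: O2/O3 are IE browser helper objects and toolbars, O4 the Run keys and Startup folders, O20 the AppInit_DLLs injection point, O23 the installed services. The script below is an added example, not a tool used in this thread, that parses those line types and flags the entries a helper looks at first: a service whose binary is gone ("(file missing)", as with the AOLService entry), a service with no recognised publisher ("Unknown owner"), anything registered in AppInit_DLLs (it is loaded into every process that links user32.dll, so it deserves a look even when it turns out to be Google Desktop), and auto-start entries launched from a user-writable temp or profile folder. The "(no file)" marker for a BHO whose DLL is gone and the drop-location list are general heuristics added here, not taken from the post; the sample lines are copied from the log above.

```python
"""Triage a HijackThis (HJT) log: parse O2/O3/O4/O20/O23 lines and flag entries.
Added example for this thread, not HijackThis code.  Sample lines are copied
from the log posted above; the heuristics are general ones, not from the post."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

_CLSID = r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}"
_RE_BHO_TB = re.compile(
    r"^(?P<code>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - (?P<clsid>" + _CLSID + r") - (?P<path>.*)$", re.I)
_RE_RUN = re.compile(r"^(?P<code>O4) - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$")
_RE_STARTUP = re.compile(r"^(?P<code>O4) - (?:Global )?Startup: (?P<name>.*?) = (?P<path>.*)$")
_RE_APPINIT = re.compile(r"^(?P<code>O20) - AppInit_DLLs: (?P<path>.*)$")
_RE_SERVICE = re.compile(r"^(?P<code>O23) - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Common drop locations for auto-start malware (general heuristic, assumption).
_DROP_DIRS = ("\\temp\\", "\\local settings\\", "\\application data\\")

# Lines copied verbatim from the HijackThis log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
"""


@dataclass
class Entry:
    code: str
    name: str
    path: str
    owner: str = ""
    reasons: List[str] = field(default_factory=list)


def exe_from_command(cmd: str) -> str:
    """Strip arguments from an O4 command: take the quoted path, else cut after the first .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.search(r"\.exe\b", cmd, re.I)
    return cmd[:m.end()] if m else cmd


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a supported HJT line type, None for anything else."""
    line = line.strip()
    for rx in (_RE_BHO_TB, _RE_RUN, _RE_STARTUP, _RE_APPINIT, _RE_SERVICE):
        m = rx.match(line)
        if m:
            g = m.groupdict()
            path = exe_from_command(g["path"]) if g["code"] == "O4" else g["path"]
            return Entry(code=g["code"], name=g.get("name", "AppInit_DLLs"),
                         path=path, owner=g.get("owner", ""))
    return None


def assess(e: Entry) -> Entry:
    """Attach the reasons a helper would want to look at this entry."""
    low = e.path.lower()
    # HJT appends "(file missing)" to O23 and "(no file)" to O2 entries whose binary is gone.
    if "(file missing)" in low or "(no file)" in low:
        e.reasons.append("registered binary no longer exists: orphaned entry or removed payload")
    if e.code == "O23" and e.owner.lower() == "unknown owner":
        e.reasons.append("service binary has no recognised publisher: verify before trusting")
    if e.code == "O20" and e.path.strip():
        e.reasons.append("AppInit_DLLs is loaded into every process that links user32.dll: verify the DLL")
    if e.code in ("O2", "O3", "O4") and any(d in low for d in _DROP_DIRS):
        e.reasons.append("auto-start from a user-writable drop location")
    return e


def triage(log_text: str) -> List[Entry]:
    """Parse every line and return only the entries with at least one reason."""
    flagged = []
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and assess(e).reasons:
            flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.code} {e.name}\n    {e.path}")
        for r in e.reasons:
            print(f"    -> {r}")
```

Run against the sample it flags three entries: the AppInit_DLLs entry, the AOL service (missing binary and unknown owner) and the Epson service (unknown owner only); everything else in the sample, including the HP Run entries and the Google toolbar, parses cleanly and is left alone. A flag is a prompt to verify the file, not a verdict: two of the three here are legitimate software.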



## texaspete

Running well; whatever you did, it got rid of my background that wouldn't go!!


----------



## ceewi1

Great!  We need to delete a few last files that were created by the infection before it was removed, and the backups that the tools we've used have created.

Please click on *Start* -> *Run*.  Type *ComboFix /u* and click *OK*.
Note the space between the ComboFix and the /u
This will remove the backups that ComboFix has created as well as the program itself.

Please run OTMoveIt2 again.
*Copy the file paths below to the clipboard* by highlighting *ALL* of them and *pressing CTRL + C* (or, after highlighting, right-click and choose *Copy*):

		Code:
	

C:\WINDOWS\system32\apknihgb.bmp
C:\WINDOWS\system32\felsnilcfatsf.bmp
C:\WINDOWS\system32\lcbitojml.bmp
C:\WINDOWS\system32\nepgjeh.bmp
C:\WINDOWS\system32\krqtcjah.bmp

 Return to OTMoveIt2, right click in the *Paste List of Files/Folders to be Moved* window (under the light blue bar) and choose *Paste*.

Click the red *Moveit!* button.
Close *OTMoveIt2*
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose *Yes.*

Please run OTMoveIt2 one more time and click on the CleanUp! button.

I notice that you do not seem to be running antivirus software.  This is somewhat suicidal in today's digital world.  Now that the active infection has been removed, please download and install one of the following *free* antivirus clients.  Allow it to do a full scan and remove anything that it finds: AVG, AntiVir or avast!.

Please tell me how your system is running after this, as there are a couple of final steps to take.


----------
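The step above moves the leftover files rather than deleting them, and keeps a backup that a later CleanUp! pass removes once the machine is known to be stable. The script below is an added example of that pattern, written for this thread and not OTMoveIt2's own code: it moves each listed file into a per-run quarantine folder, renames it so it cannot be opened by double-clicking, records the original path, size and SHA-256 in a manifest, and reports files that are missing or locked separately (a locked file is what the "you may be asked to reboot" note refers to; finishing a move at reboot is Windows-specific and is not implemented here). The file list is the one posted above; the test runs against temporary files it creates itself.

```python
"""Quarantine suspect files with a restore manifest instead of deleting them.
Added example for this thread, modelled on the OTMoveIt2 step above; it is not
that tool's code.  SUSPECT_FILES is the list posted in the thread."""
import hashlib
import json
import shutil
import tempfile
import time
from pathlib import Path
from typing import Dict, List, Tuple

# Paths copied from the post above (fake-alert background images dropped in system32).
SUSPECT_FILES = [
    r"C:\WINDOWS\system32\apknihgb.bmp",
    r"C:\WINDOWS\system32\felsnilcfatsf.bmp",
    r"C:\WINDOWS\system32\lcbitojml.bmp",
    r"C:\WINDOWS\system32\nepgjeh.bmp",
    r"C:\WINDOWS\system32\krqtcjah.bmp",
]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(paths: List[str], quarantine_root: str) -> Tuple[Path, Dict[str, List[str]]]:
    """Move each existing file into a fresh run folder and write manifest.json there.

    Returns the run folder and a report with 'moved', 'missing' and 'locked' lists.
    """
    root = Path(quarantine_root)
    root.mkdir(parents=True, exist_ok=True)
    run_dir = Path(tempfile.mkdtemp(prefix=time.strftime("%Y%m%d-%H%M%S-"), dir=root))
    report: Dict[str, List[str]] = {"moved": [], "missing": [], "locked": []}
    manifest = []
    for i, p in enumerate(paths):
        src = Path(p)
        if not src.is_file():
            report["missing"].append(str(src))
            continue
        # Index avoids name collisions; the extra extension keeps the copy inert.
        dest = run_dir / f"{i:03d}_{src.name}.quarantined"
        try:
            digest = sha256_of(src)
            size = src.stat().st_size
            shutil.move(str(src), str(dest))
        except OSError:
            # Typically the file is held open by a running process.  On Windows a
            # removal tool would schedule the move for the next reboot instead.
            report["locked"].append(str(src))
            continue
        manifest.append({"original": str(src), "quarantined": str(dest),
                         "sha256": digest, "size": size})
        report["moved"].append(str(src))
    (run_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return run_dir, report


def restore(run_dir) -> List[str]:
    """Put quarantined files back where they came from, verifying the recorded hash first."""
    manifest = json.loads((Path(run_dir) / "manifest.json").read_text())
    restored = []
    for item in manifest:
        q = Path(item["quarantined"])
        if q.is_file() and sha256_of(q) == item["sha256"]:
            Path(item["original"]).parent.mkdir(parents=True, exist_ok=True)
            shutil.move(str(q), item["original"])
            restored.append(item["original"])
    return restored


if __name__ == "__main__":
    # Assumes it is run on the affected machine with rights to write under C:\Quarantine.
    run_dir, report = quarantine(SUSPECT_FILES, r"C:\Quarantine")
    print(f"quarantined into {run_dir}")
    for key, items in report.items():
        print(f"{key}: {len(items)}")
        for item in items:
            print(f"    {item}")
```

Keeping the manifest is what makes the "run CleanUp! later" step safe: if a moved file turns out to be needed, restore() puts it back only when its hash still matches, and once the system has behaved for a while the run folder can be deleted outright.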



## texaspete

*Avira AntiVir log*

System still running well.

Avira AntiVir Personal
Report file date: 16 April 2008  17:47

Scanning for 1165085 virus strains and unwanted programs.

Licensed to:      Avira AntiVir PersonalEdition Classic
Serial number:    0000149996-ADJIE-0001
Platform:         Windows XP
Windows version:  (Service Pack 2)  [5.1.2600]
Boot mode:        Normally booted
Username:         SYSTEM
Computer name:    PC610911773264

Version information:
BUILD.DAT     : 8.1.00.295      16479 Bytes  09/04/2008 16:24:00
AVSCAN.EXE    : 8.1.2.12       311553 Bytes  18/03/2008 10:02:56
AVSCAN.DLL    : 8.1.1.0         53505 Bytes  07/02/2008 09:43:37
LUKE.DLL      : 8.1.2.9        151809 Bytes  28/02/2008 09:41:23
LUKERES.DLL   : 8.1.2.1         12033 Bytes  21/02/2008 09:28:40
ANTIVIR0.VDF  : 6.40.0.0     11030528 Bytes  18/07/2007 11:33:34
ANTIVIR1.VDF  : 7.0.3.2       5447168 Bytes  07/03/2008 14:08:58
ANTIVIR2.VDF  : 7.0.3.62       337408 Bytes  21/03/2008 20:12:34
ANTIVIR3.VDF  : 7.0.3.68        57856 Bytes  25/03/2008 09:27:50
Engineversion : 8.1.0.28  
AEVDF.DLL     : 8.1.0.5        102772 Bytes  25/02/2008 10:58:21
AESCRIPT.DLL  : 8.1.0.19       229754 Bytes  07/04/2008 16:34:44
AESCN.DLL     : 8.1.0.12       115060 Bytes  07/04/2008 16:34:44
AERDL.DLL     : 8.1.0.19       418164 Bytes  07/04/2008 16:34:44
AEPACK.DLL    : 8.1.1.0        364918 Bytes  18/03/2008 12:20:42
AEOFFICE.DLL  : 8.1.0.15       192889 Bytes  07/04/2008 16:34:44
AEHEUR.DLL    : 8.1.0.15      1147253 Bytes  07/04/2008 16:34:44
AEHELP.DLL    : 8.1.0.11       115061 Bytes  07/04/2008 16:34:43
AEGEN.DLL     : 8.1.0.15       299379 Bytes  07/04/2008 16:34:43
AEEMU.DLL     : 8.1.0.5        430450 Bytes  07/04/2008 16:34:43
AECORE.DLL    : 8.1.0.25       168309 Bytes  08/04/2008 10:58:32
AVWINLL.DLL   : 1.0.0.7         14593 Bytes  23/01/2008 18:07:53
AVPREF.DLL    : 8.0.0.1         25857 Bytes  18/02/2008 11:37:50
AVREP.DLL     : 7.0.0.1        155688 Bytes  16/04/2007 14:26:47
AVREG.DLL     : 8.0.0.0         30977 Bytes  23/01/2008 18:07:49
AVARKT.DLL    : 1.0.0.23       307457 Bytes  12/02/2008 09:29:23
AVEVTLOG.DLL  : 8.0.0.11       114945 Bytes  28/02/2008 09:31:31
SQLITE3.DLL   : 3.3.17.1       339968 Bytes  22/01/2008 18:28:02
SMTPLIB.DLL   : 1.2.0.19        28929 Bytes  23/01/2008 18:08:39
NETNT.DLL     : 8.0.0.1          7937 Bytes  25/01/2008 13:05:10
RCIMAGE.DLL   : 8.0.0.35      2371841 Bytes  10/03/2008 15:37:25
RCTEXT.DLL    : 8.0.32.0        86273 Bytes  06/03/2008 13:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:, 
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 16 April 2008  17:47

The scan of running processes will be started
Scan process 'CapabilityManager.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'Generic.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'hpqtra08.exe' - '1' Module(s) have been scanned
Scan process 'reader_sl.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktop.exe' - '1' Module(s) have been scanned
Scan process 'PSFree.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'googletalk.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'CFD.exe' - '1' Module(s) have been scanned
Scan process 'GoogleDesktop.exe' - '1' Module(s) have been scanned
Scan process 'iPodService.exe' - '1' Module(s) have been scanned
Scan process 'Application Launcher.exe' - '1' Module(s) have been scanned
Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
Scan process 'hpztsb05.exe' - '1' Module(s) have been scanned
Scan process 'hpqwmi.exe' - '1' Module(s) have been scanned
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Scan process 'acrotray.exe' - '1' Module(s) have been scanned
Scan process 'realplay.exe' - '1' Module(s) have been scanned
Scan process 'WkUFind.exe' - '1' Module(s) have been scanned
Scan process 'eabservr.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'hphmon05.exe' - '1' Module(s) have been scanned
Scan process 'hpcmpmgr.exe' - '1' Module(s) have been scanned
Scan process 'hpwuSchd.exe' - '1' Module(s) have been scanned
Scan process 'SynTPEnh.exe' - '1' Module(s) have been scanned
Scan process 'SynTPLpr.exe' - '1' Module(s) have been scanned
Scan process 'sgtray.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SAgent2.exe' - '1' Module(s) have been scanned
Scan process 'eEBSvc.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
52 processes with 52 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
      [INFO]      No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
      [INFO]      No virus was found!

Starting to scan the registry.
The registry was scanned ( '39' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
      [WARNING]   The file could not be opened!
C:\pagefile.sys
      [WARNING]   The file could not be opened!
C:\Documents and Settings\Lorna Hubbard\Local Settings\Application Data\Mozilla\Firefox\Profiles\gzrsd51l.default\Cache\2AB8EE1Bd01
      [DETECTION] Is the Trojan horse TR/Renos.22984.1
      [NOTE]      The file was deleted!
C:\Program Files\Online Services\BTYahoo\Broadband\YSignup\DialBBSignup.exe
      [DETECTION] Contains detection pattern of the dial-up program DIAL/270336
      [NOTE]      The file was moved to '48673772.qua'!
C:\System Volume Information\_restore{4722BA04-B784-4C7D-8C34-06E379EFA6F0}\RP506\A0236600.exe
      [DETECTION] Contains detection pattern of the dial-up program DIAL/270336
      [NOTE]      The file was moved to '4838389c.qua'!


End of the scan: 16 April 2008  18:48
Used time:  1:00:52 min

The scan has been done completely.

   7983 Scanning directories
 430831 Files were scanned
      3 viruses and/or unwanted programs were found
      0 Files were classified as suspicious:
      1 files were deleted
      0 files were repaired
      2 files were moved to quarantine
      0 files were renamed
      2 Files cannot be scanned
 430828 Files not concerned
  10657 Archives were scanned
      2 Warnings
      3 Notes


----------



## texaspete

hows this!


----------



## ceewi1

Great.  Please turn off System Restore, and turn it back on again.  This will clean out your infected Restore Points.  To do so:

To turn off System Restore, follow these steps:
1. Click Start, right-click My Computer, and then click Properties.
2. Click the System Restore tab.
3. Select the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.
4. Click Yes when you receive the prompt to turn off System Restore.

Then to turn it back on again:
1. Wait for Windows to finish clearing Restore Points.
2. Clear the Turn off System Restore check box (or the Turn off System Restore on all drives check box), and then click OK.

Below I have included some ideas on how to prevent future infections.

Please consider using these ideas to help secure your computer.  While there is no way to guarantee safety when you use a computer, these steps will make it much less likely that you will need to endure another infection.  While we really like to help people, we would rather help you protect yourself so that you won't need that help in the future.

Please navigate to http://windowsupdate.microsoft.com and download all the Critical Updates for Windows. These will patch many of the security holes through which attackers can gain access to your computer. 

Please either enable *Automatic Updates* under Start -> Control Panel -> Automatic Updates or get into the habit of checking Windows Update regularly.  They usually have security updates every month.  You can set Windows to notify you of Updates so that you can choose, but only do this if you believe you are able to understand which ones are needed.   *This is a crucial security measure.*

As a minimum, you need at least an antivirus, firewall and some type of anti-spyware program.

Some good free firewalls are ZoneAlarm, Kerio, or Outpost.  All of these will provide a far greater level of protection than the firewall built into Windows.
A tutorial on understanding and using firewalls may be found here.

Please consider installing and running some of the following programs; they are either free or have free versions of commercial programs:

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here.  Please also remember to enable Spybot's Immunize and TeaTimer features if you don't have the resident part of another anti-spyware program running.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent malware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for real-time protection against spyware and hijackers may be found here.

If you use Internet Explorer, it is a good idea to use IE-Spyad which provides protections against malicious websites.  

Please *keep these programs up-to-date* and run them whenever you suspect a problem to prevent malware problems.  A number of programs have resident protection and it is a good idea to run the resident protection of one of each type of program to maintain protection.  However, it is important to run only one resident program of each type since they can conflict and become less effective.  That means only one antivirus, firewall and scanning anti-spyware program at a time.  Passive protectors, like SpywareBlaster and IE-Spyad can be run with any of them.  

Note that there are a lot of rogue programs out there that want to scare you into giving them your money, and some malware actually claims to be a security program.  If you get a popup for a security program that you did not install yourself, do NOT click on it and ask for help immediately.  It is very important to run an antivirus and firewall, but you can't always rely on reviews and ads for information.  Ask in a security forum that you trust if you are not sure.  If you are unsure about an anti-spyware program you are looking at, you can find out whether it is a rogue here:

http://www.spywarewarrior.com/rogue_anti-spyware.htm

Please consider using an *alternate browser*. Mozilla's Firefox browser is a very good alternative.  In addition to being generally more secure than Internet Explorer, it has a very good built-in popup blocker, and add-ons like NoScript can make it even more secure.  Opera is another good option.
If you are interested, Firefox may be downloaded from here
Opera is available here:  http://www.opera.com/download/

Hopefully these steps will help to keep you error free.  If you run into more difficulty, we will certainly do what we can to help.


----------



## texaspete

Hey, I turned it off then back on like you said, then I downloaded Internet Explorer 7. It needed to restart, so it did, but now I log in and I have nothing on my desktop, not even a toolbar, just my arrow and my desktop background, no icons!!!!!! It has restored it to nothing. I'm using an internet cafe to type this.


help!!!!


----------



## ceewi1

Try pressing Ctrl+Alt+Del; this should bring up the Task Manager.  Click on *File* -> *New Task*.  Type *explorer* and click *OK*.  That should bring your Desktop icons and Start Menu back up.  If it doesn't, try rebooting into Safe Mode (tap F8 just before Windows starts to load and select Safe Mode from the list).

If that allows you to access your desktop, try uninstalling Internet Explorer 7 from Add or Remove Programs.

Also click on *Start -> Run*.  Type in the following command and click *OK*:
*sfc /scannow*
You may be prompted to insert your Windows CD, please do so if asked.


----------

