Virtumonde, Virtumonde.Generic & possible others



Cabanaramma
2007-11-20, 00:39
I need help! My PC has started displaying pop-ups which are posing as Windows informing me of security threats and prompting me to download supposed cures (I’ve never clicked ‘ok’ on any of these, as it’s evidently fake), and when I’m connected to the internet, both the PC and the internet connection are slowed down loads and I’m bombarded with pop-ups. The malware has also installed a security toolbar in Internet Explorer. I have Spybot S&D TeaTimer running, and there's a constant stream of notifications telling me that BHOs and Winlogon Notifiers are trying to install themselves.

I've tried to get rid of it on my own, but as I can't get rid of everything, as soon as I connect to the internet everything comes back. What I've tried so far:
* I’ve run Spybot S&D several times, and despite numerous attempts to fix them, Virtumonde or Virtumonde.Generic always turn up in the scan.
* I’ve run Trojan Remover, and it removes various .dll & .ini files (different, seemingly randomly named files every time). The 3 files that it has never been able to remove (they either don't get deleted, or if manually deleted they reappear of their own accord) are:
C:\WINDOWS\system32\mllmj.dll (Adware.Virtumonde)
C:\WINDOWS\system32\jmllm.ini (Adware.Virtumonde)
C:\WINDOWS\system32\jmllm.bak2 (Adware.Virtumonde)
* Ad-Aware 2007 spotted (and fixed) Win32.TrojanDownloader.Zlob, but it comes back when I connect to the internet
* I tried VundoFix to get rid of Virtumonde & it spotted nothing. VirtumundoBeGone deletes a randomly named .dll (a different one every time I connect to the internet), but can't get rid of:
C:\WINDOWS\system32\mllmj.dll


The Kaspersky scan log is too long to post here, so I've attached it.

The HJT log follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:09:13, on 19/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiSpyware\Adaware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AntiSpyware\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AntiSpyware\AnalyseTrendMicro\AnalyseTrendMicro.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {721A5026-C722-4E1D-8130-D31D4E9707A8} - C:\WINDOWS\system32\mllmj.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\yqmcdgkx.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\yqmcdgkx.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\AntiSpyware\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178794879781
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\AntiSpyware\Adaware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

random/random
2007-11-21, 00:23
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Please download show-vundo.vbs (http://linhadefensiva.uol.com.br/files/vbs/show-vundo.vbs) to your desktop
Double-click show-vundo.vbs to run it.
When completed, it will open a notepad window
Copy and paste the contents of that window as a reply to this topic

Cabanaramma
2007-11-21, 01:05
Thanks for your reply.

Vundofix log (I've ignored past entries and only copied & pasted today's):

VundoFix V6.6.1

Checking Java version...

Sun Java not detected
Scan started at 22:32:18 20/11/2007

Listing files found while scanning....

C:\WINDOWS\system32\yqmcdgkx.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\yqmcdgkx.dll
C:\WINDOWS\system32\yqmcdgkx.dll Has been deleted!

Performing Repairs to the registry.
Done!


HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:00:22, on 20/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiSpyware\Adaware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AntiSpyware\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AntiSpyware\AnalyseTrendMicro\AnalyseTrendMicro.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D6F075A9-C99B-4866-B469-9ABAB7739BD8} - C:\WINDOWS\system32\mllmj.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\AntiSpyware\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178794879781
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\AntiSpyware\Adaware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe


Show-vundo log:

=================================================
Report | BHOs, Winlogon Notify and AppInit_DLLs
=================================================
AppInit_DLLs
-------------------------------------------------

[Empty]


-------------------------------------------------
Authentication Packages
-------------------------------------------------

[1] msv1_0
[2] C:\WINDOWS\system32\mllmj.dll


-------------------------------------------------
Security Providers
-------------------------------------------------

msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


-------------------------------------------------
Explorer Execute Hooks
-------------------------------------------------

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="shell32.dll"


-------------------------------------------------
Browser Helper Objects
-------------------------------------------------

[HKLM\SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\]
AcroIEHlprObj Class | [Undefined]
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll


[HKLM\SOFTWARE\Classes\CLSID\{D6F075A9-C99B-4866-B469-9ABAB7739BD8}\]
[Undefined] | [Undefined]
C:\WINDOWS\system32\mllmj.dll



-------------------------------------------------
Winlogon Notify
-------------------------------------------------


[Default] crypt32chain : crypt32.dll

[Default] cryptnet : cryptnet.dll

[Default] cscdll : cscdll.dll

[Default] ScCertProp : wlnotify.dll

[Default] Schedule : wlnotify.dll

[Default] sclgntfy : sclgntfy.dll

[Default] SensLogn : WlNotify.dll

[Default] termsrv : wlnotify.dll

[Default] wlballoon : wlnotify.dll


This is NOT a list of malicious files!

random/random
2007-11-21, 16:40
Open a new notepad window
Paste the list of files from the quote box below into the notepad window.

C:\WINDOWS\system32\mllmj.dll
Save this as vundofix.vft, with "Save as type" set to "all files".
Double-click VundoFix.exe to run it.
Drag vundofix.vft onto the listbox (white box) of VundoFix.
Click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Double-click show-vundo.vbs to run it.
When completed, it will open a notepad window
Copy and paste the contents of that window as a reply to this topic

Cabanaramma
2007-11-21, 22:52
Vundofix log:
VundoFix V6.6.1

Checking Java version...

Sun Java not detected
Scan started at 20:36:00 21/11/2007

Listing files found while scanning....

C:\WINDOWS\system32\jmllm.bak2
C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\uxqpxzwe.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\jmllm.bak2
C:\WINDOWS\system32\jmllm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jmllm.ini
C:\WINDOWS\system32\jmllm.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mllmj.dll
C:\WINDOWS\system32\mllmj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uxqpxzwe.dll
C:\WINDOWS\system32\uxqpxzwe.dll Has been deleted!

Performing Repairs to the registry.
Done!

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:47:08, on 21/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiSpyware\Adaware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AntiSpyware\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AntiSpyware\AnalyseTrendMicro\AnalyseTrendMicro.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTISP~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AF027F9E-4188-4D38-AE78-4C6CAF0F1908} - C:\WINDOWS\system32\mllmj.dll (file missing)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\AntiSpyware\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178794879781
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\AntiSpyware\Adaware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Show-vundo log:
=================================================
Report | BHOs, Winlogon Notify and AppInit_DLLs
=================================================
AppInit_DLLs
-------------------------------------------------

[Empty]


-------------------------------------------------
Authentication Packages
-------------------------------------------------

[1] msv1_0
[2] C:\WINDOWS\system32\mllmj.dll


-------------------------------------------------
Security Providers
-------------------------------------------------

msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


-------------------------------------------------
Explorer Execute Hooks
-------------------------------------------------

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="shell32.dll"


-------------------------------------------------
Browser Helper Objects
-------------------------------------------------

[HKLM\SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\]
AcroIEHlprObj Class | [Undefined]
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll


[HKLM\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\]
[Undefined] | [Undefined]
C:\PROGRA~1\ANTISP~1\SPYBOT~1\SDHelper.dll


[HKLM\SOFTWARE\Classes\CLSID\{AF027F9E-4188-4D38-AE78-4C6CAF0F1908}\]
[Undefined] | [Undefined]
C:\WINDOWS\system32\mllmj.dll



-------------------------------------------------
Winlogon Notify
-------------------------------------------------


[Default] crypt32chain : crypt32.dll

[Default] cryptnet : cryptnet.dll

[Default] cscdll : cscdll.dll

[Default] ScCertProp : wlnotify.dll

[Default] Schedule : wlnotify.dll

[Default] sclgntfy : sclgntfy.dll

[Default] SensLogn : WlNotify.dll

[Default] termsrv : wlnotify.dll

[Default] wlballoon : wlnotify.dll

This is NOT a list of malicious files!

Is it just me or do mllmj.dll, jmllm.ini, and jmllm.bak2 finally seem to have been deleted...?
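An added example (written for this page; not part of the thread and not a Spybot, HijackThis or VundoFix tool): a Python script that runs over the O2/O3 lines from the three HijackThis logs posted so far, embedded below as a constructed subset copied from those logs. It flags browser add-ons that load straight out of system32, as every Virtumonde component in this thread did, and it tracks which CLSIDs each DLL was registered under across the scans: mllmj.dll shows up under three different CLSIDs in three logs, which is why fixing an O2 line by its CLSID in HijackThis does not stick while the DLL itself is still on disk. The system32 heuristic is this thread's pattern, not a general rule, and the SDHelper.dll line is included to show that "(no name)" on its own is not a useful signal.

```python
import re
from collections import OrderedDict

# O2 (BHO) and O3 (toolbar) lines copied from the three HijackThis logs in this
# thread, keyed by scan date. Constructed subset: only the lines the check uses.
SAMPLE_LOGS = {
    "2007-11-19": r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {721A5026-C722-4E1D-8130-D31D4E9707A8} - C:\WINDOWS\system32\mllmj.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\yqmcdgkx.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\yqmcdgkx.dll
""",
    "2007-11-20": r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {D6F075A9-C99B-4866-B469-9ABAB7739BD8} - C:\WINDOWS\system32\mllmj.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
""",
    "2007-11-21": r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTISP~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {AF027F9E-4188-4D38-AE78-4C6CAF0F1908} - C:\WINDOWS\system32\mllmj.dll (file missing)
""",
}

# HijackThis O2/O3 line layout: "<kind> - <BHO|Toolbar>: <name> - {<CLSID>} - <file>"
HJT_LINE = re.compile(
    r"^(?P<kind>O[23]) - (?:BHO|Toolbar): (?P<name>.+?) - "
    r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.+)$"
)


def parse_hjt_entries(log_text):
    """Parse O2/O3 lines into dicts: kind, name, clsid, path (None if no file), missing."""
    entries = []
    for line in log_text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        target = m.group("target").strip()
        missing = target == "(no file)" or target.endswith("(file missing)")
        path = None if target == "(no file)" else target.replace("(file missing)", "").strip()
        entries.append({
            "kind": m.group("kind"),
            "name": m.group("name"),
            "clsid": m.group("clsid").upper(),
            "path": path,
            "missing": missing,
        })
    return entries


def is_suspicious(entry):
    """Heuristic drawn from this thread: every Virtumonde component loaded straight
    out of %SystemRoot%\\system32 under a short random name, while the legitimate
    add-ons (Acrobat, Spybot's SDHelper) live under Program Files. A CLSID that
    points at no file at all is flagged too, so orphaned entries get cleaned up."""
    if entry["path"] is None:
        return True
    return "\\system32\\" in entry["path"].lower()


def clsid_history(logs):
    """Map (kind, lower-cased path) -> [(scan date, CLSID), ...] in date order."""
    history = OrderedDict()
    for date in sorted(logs):
        for e in parse_hjt_entries(logs[date]):
            if e["path"] is not None:
                history.setdefault((e["kind"], e["path"].lower()), []).append((date, e["clsid"]))
    return history


def churning_paths(logs):
    """Files registered under more than one CLSID across the logs; a component that
    re-registers itself under a fresh CLSID cannot be removed by CLSID alone."""
    result = {}
    for key, hist in clsid_history(logs).items():
        clsids = sorted({c for _, c in hist})
        if len(clsids) > 1:
            result[key] = clsids
    return result


if __name__ == "__main__":
    for date in sorted(SAMPLE_LOGS):
        for e in parse_hjt_entries(SAMPLE_LOGS[date]):
            if is_suspicious(e):
                print(f"{date} {e['kind']} {e['clsid']} {e['path'] or '(no file)'}")
    for (kind, path), clsids in churning_paths(SAMPLE_LOGS).items():
        print(f"{kind} {path}: {len(clsids)} different CLSIDs: {', '.join(clsids)}")
```

Running it prints the flagged entries per scan, then the CLSID churn summary; in this data only the O2 registration of mllmj.dll churns, while the O2 and O3 registrations of yqmcdgkx.dll are kept apart because one DLL may legitimately register both a BHO and a toolbar.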

random/random
2007-11-22, 01:34
Is it just me or do mllmj.dll, jmllm.ini, and jmllm.bak2 finally seem to have been deleted...?

Yes, they have been deleted

Backup Your Registry with ERUNT
Please use the following link and scroll down to ERUNT and download it.
http://aumha.org/freeware/freeware.php
For version with the Installer:
Use the setup program to install ERUNT on your computer
For the zipped version:
Unzip all the files into a folder of your choice.
Click Erunt.exe to backup your registry to the folder of your choice.

Note: to restore your registry, go to the folder and start ERDNT.exe

Copy the contents of the following codebox to a notepad window


REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save it to the desktop as fix.reg, making sure save as type is set to all files

Locate Fix.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the "merged successfully" prompt.

Run HijackThis
Click on do a system scan only
Place a checkmark next to these lines(if still present)

O2 - BHO: (no name) - {AF027F9E-4188-4D38-AE78-4C6CAF0F1908} - C:\WINDOWS\system32\mllmj.dll (file missing)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)

Then close all windows except HijackThis and click Fix Checked


Double-click show-vundo.vbs to run it.
When completed, it will open a notepad window
Copy and paste the contents of that window as a reply to this topic, along with a new HijackThis log
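As an added illustration of what the fix.reg above does (example code written for this page, not part of the thread and not from any of the tools mentioned): the hex(7) data in a REGEDIT4 file is a REG_MULTI_SZ, one byte per character, each string NUL-terminated with one extra NUL at the end, so 6d,73,76,31,5f,30,00,00 is exactly the single string "msv1_0". The show-vundo output had a second entry, C:\WINDOWS\system32\mllmj.dll, in Authentication Packages; a DLL listed there is loaded into lsass.exe at boot, so it is in use for the whole session and survives ordinary deletion attempts. The script decodes and encodes the value, reads it back out of the posted fix.reg (handling regedit's wrapped hex lines), flags non-default entries, and regenerates the fix. The assumption that msv1_0 is the only default entry is taken from the clean show-vundo output later in this thread (Windows XP); newer Windows versions may list more. The header matters: under "Windows Registry Editor Version 5.00" regedit would read the same byte list as UTF-16LE, not as ANSI.

```python
import re

# Registry key and the fix posted above, exactly as given (REGEDIT4 format).
LSA_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa"
FIX_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
'''

# Assumption taken from this thread: the only entry on a clean Windows XP box,
# matching the show-vundo output after the fix was merged.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def decode_multi_sz(hex_csv):
    """Turn the comma-separated bytes of a hex(7) value into the list of strings.
    REG_MULTI_SZ is a run of NUL-terminated strings ended by one extra NUL.
    REGEDIT4 files carry these bytes in the ANSI code page (one byte per character);
    the 'Windows Registry Editor Version 5.00' format uses UTF-16LE instead."""
    raw = bytes(int(tok, 16) for tok in hex_csv.split(",") if tok.strip())
    return [s.decode("latin-1") for s in raw.split(b"\x00") if s]


def encode_multi_sz(strings):
    """Inverse of decode_multi_sz: build the hex(7):... data for a REGEDIT4 file."""
    raw = b"".join(s.encode("latin-1") + b"\x00" for s in strings) + b"\x00"
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_reg_multi_sz(reg_text, key, value_name):
    """Read one hex(7) value out of a .reg file; returns None if it is not present."""
    # regedit wraps long hex data with a trailing backslash; join those lines first
    text = re.sub(r",\\\r?\n\s*", ",", reg_text)
    in_key = False
    for line in text.splitlines():
        if line.startswith("["):
            in_key = line.strip("[]").lower() == key.lower()
        elif in_key and line.startswith(f'"{value_name}"=hex(7):'):
            return decode_multi_sz(line.split("=hex(7):", 1)[1])
    return None


def audit_auth_packages(packages):
    """Entries that are not a known default. Anything listed here is loaded into
    lsass.exe at boot, which is how a planted DLL stays in use all session."""
    return [p for p in packages if p.lower() not in DEFAULT_AUTH_PACKAGES]


def build_fix_reg(packages):
    """Write a REGEDIT4 fragment that resets the value to exactly these packages."""
    return (
        "REGEDIT4\n\n"
        f"[{LSA_KEY}]\n"
        f'"Authentication Packages"={encode_multi_sz(packages)}\n'
    )


if __name__ == "__main__":
    # What show-vundo reported before the fix: a second entry naming the Vundo DLL
    infected = ["msv1_0", r"C:\WINDOWS\system32\mllmj.dll"]
    print("infected value as REGEDIT4 data:", encode_multi_sz(infected))
    print("non-default entries:", audit_auth_packages(infected))
    clean = [p for p in infected if p not in audit_auth_packages(infected)]
    print(build_fix_reg(clean), end="")
    assert build_fix_reg(clean) == FIX_REG
```

Merging a .reg file replaces the whole REG_MULTI_SZ, so the fix works by rewriting the list to the defaults rather than by deleting one entry; if a machine legitimately has extra authentication packages, regenerate the file from the audited list instead of pasting the one above.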

Cabanaramma
2007-11-23, 02:38
Show-vundo log:
=================================================
Report | BHOs, Winlogon Notify and AppInit_DLLs
=================================================
AppInit_DLLs
-------------------------------------------------

[Empty]


-------------------------------------------------
Authentication Packages
-------------------------------------------------

[1] msv1_0


-------------------------------------------------
Security Providers
-------------------------------------------------

msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


-------------------------------------------------
Explorer Execute Hooks
-------------------------------------------------

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"="shell32.dll"


-------------------------------------------------
Browser Helper Objects
-------------------------------------------------

[HKLM\SOFTWARE\Classes\CLSID\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\]
AcroIEHlprObj Class | [Undefined]
C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll


[HKLM\SOFTWARE\Classes\CLSID\{53707962-6F74-2D53-2644-206D7942484F}\]
[Undefined] | [Undefined]
C:\PROGRA~1\ANTISP~1\SPYBOT~1\SDHelper.dll



-------------------------------------------------
Winlogon Notify
-------------------------------------------------


[Default] crypt32chain : crypt32.dll

[Default] cryptnet : cryptnet.dll

[Default] cscdll : cscdll.dll

[Default] ScCertProp : wlnotify.dll

[Default] Schedule : wlnotify.dll

[Default] sclgntfy : sclgntfy.dll

[Default] SensLogn : WlNotify.dll

[Default] termsrv : wlnotify.dll

[Default] wlballoon : wlnotify.dll


This is NOT a list of malicious files!


HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:38:06, on 23/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiSpyware\Adaware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AntiSpyware\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AntiSpyware\AnalyseTrendMicro\AnalyseTrendMicro.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTISP~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\AntiSpyware\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178794879781
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\AntiSpyware\Adaware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

random/random
2007-11-23, 21:23
Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet Explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the ActiveX control to install
Click Start
Make sure that the option Remove found threats is unticked, and the option Scan unwanted applications is checked
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, along with a new HijackThis log and a description of any remaining problems

Cabanaramma
2007-11-24, 03:56
Online scan log:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2682 (20071123)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=61d481c885ca9d41bd835a2893012679
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2007-11-24 01:44:47
# local_time=2007-11-24 01:44:47 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=123979
# found=35
# scan_time=3070
C:\Program Files\AntiSpyware\AnalyseTrendMicro\backups\backup-20071119-180519-486.dll Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\Program Files\AntiSpyware\AnalyseTrendMicro\backups\backup-20071119-180519-694.dll Win32/Adware.Virtumonde application 0115EA648DD1EAC9EE1E7221D9F6A38F
C:\RECYCLER\S-1-5-21-1547161642-299502267-682003330-1003\Dc10\backups\backup-20071113-153333-494.dll Win32/Adware.Virtumonde application 0115EA648DD1EAC9EE1E7221D9F6A38F
C:\RECYCLER\S-1-5-21-1547161642-299502267-682003330-1003\Dc10\backups\backup-20071113-153333-901.dll Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\RECYCLER\S-1-5-21-1547161642-299502267-682003330-1003\Dc10\backups\backup-20071114-172834-436.dll Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\RECYCLER\S-1-5-21-1547161642-299502267-682003330-1003\Dc10\backups\backup-20071114-172834-510.dll Win32/Adware.Virtumonde application 0115EA648DD1EAC9EE1E7221D9F6A38F
C:\RECYCLER\S-1-5-21-1547161642-299502267-682003330-1003\Dc10\backups\backup-20071114-180801-230.dll Win32/Adware.Virtumonde application 0115EA648DD1EAC9EE1E7221D9F6A38F
C:\RECYCLER\S-1-5-21-1547161642-299502267-682003330-1003\Dc10\backups\backup-20071114-180801-774.dll Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\RECYCLER\S-1-5-21-1547161642-299502267-682003330-1003\Dc10\backups\backup-20071114-194731-269.dll Win32/Adware.Virtumonde application 0115EA648DD1EAC9EE1E7221D9F6A38F
C:\RECYCLER\S-1-5-21-1547161642-299502267-682003330-1003\Dc10\backups\backup-20071119-180355-716.dll Win32/Adware.Virtumonde application 0115EA648DD1EAC9EE1E7221D9F6A38F
C:\RECYCLER\S-1-5-21-1547161642-299502267-682003330-1003\Dc10\backups\backup-20071119-180355-841.dll Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\VundoFix Backups\mllmj.dll.bad Win32/Adware.Virtumonde application 0115EA648DD1EAC9EE1E7221D9F6A38F
C:\VundoFix Backups\omhqanwm.dll.bad Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\VundoFix Backups\uxqpxzwe.dll.bad Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\VundoFix Backups\yqmcdgkx.dll.bad Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\WINDOWS\system32\akfjqglo.dll.vir Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\WINDOWS\system32\bitsprx.dll probably a variant of Win32/Adware.BHO.NBI application 890B8D0F880C14DB98521B691C873E2D
C:\WINDOWS\system32\d3d.dll probably a variant of Win32/Adware.BHO.NBI application 890B8D0F880C14DB98521B691C873E2D
C:\WINDOWS\system32\grsgayuw.dll Win32/Adware.SecToolbar application EB231039C5027BE29FAAB15C80E25FB4
C:\WINDOWS\system32\iamwuxck.dll Win32/Adware.SecToolbar application EB231039C5027BE29FAAB15C80E25FB4
C:\WINDOWS\system32\juylnkhk.dll.ren Win32/Adware.Virtumonde application F813296BC2544BAA539683D509B7BFF3
C:\WINDOWS\system32\klpslxwy.dll Win32/BHO.G trojan 0A93E54EB34B5443D98B76EE8C26D7FF
C:\WINDOWS\system32\kqahcerr.dll Win32/Adware.Virtumonde application F813296BC2544BAA539683D509B7BFF3
C:\WINDOWS\system32\krvblvqd.dll Win32/BHO.G trojan 5CCFD60AE18A22A6D15197D519446123
C:\WINDOWS\system32\lxuqonob.dll.ren Win32/Adware.Virtumonde application F813296BC2544BAA539683D509B7BFF3
C:\WINDOWS\system32\mxebflmn.dll Win32/BHO.G trojan 0A93E54EB34B5443D98B76EE8C26D7FF
C:\WINDOWS\system32\omhqanwm.dll.vir Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\WINDOWS\system32\omtyuewt.dll Win32/Adware.Virtumonde application F813296BC2544BAA539683D509B7BFF3
C:\WINDOWS\system32\rjtvddma.dll.ren Win32/Adware.Virtumonde application F813296BC2544BAA539683D509B7BFF3
C:\WINDOWS\system32\sinngdqn.dll Win32/BHO.G trojan 5CCFD60AE18A22A6D15197D519446123
C:\WINDOWS\system32\wasurmfl.dll Win32/Adware.SecToolbar application EB231039C5027BE29FAAB15C80E25FB4
C:\WINDOWS\system32\xajurjpa.dll Win32/Adware.SecToolbar application EB231039C5027BE29FAAB15C80E25FB4
C:\WINDOWS\system32\xhhfrlhf.dll Win32/Adware.SecToolbar application EB231039C5027BE29FAAB15C80E25FB4
C:\WINDOWS\system32\xhjuusfx.dll Win32/Adware.SecToolbar application EB231039C5027BE29FAAB15C80E25FB4
C:\WINDOWS\system32\zzpdkrxg.dll.vir Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:52:48, on 24/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiSpyware\Adaware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AntiSpyware\AnalyseTrendMicro\AnalyseTrendMicro.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1BE35248-09A1-4E92-8A44-7A997A8418CA} - C:\WINDOWS\system32\d3d.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTISP~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: msn_0711_upd240014.exe
O4 - Global Startup: msn_0711_upd240014.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195778825593
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\AntiSpyware\Adaware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe



There aren't any problems left that I've noticed: PC is no longer slow, internet connection is OK now, no pop-ups, no fake anti-spyware, nothing trying to download itself; everything seems clear. That online scan doesn't look too good though...?
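
The two logs in this post can be checked mechanically. The script below is an added example, not part of the thread and not code from HijackThis or ESET: it parses the O2 BHO lines and the ESET detection lines, flags an unnamed BHO loading from system32 or a DLL the scanner named, and groups detections by MD5 to show the same binary recurring under random names (the sample lines are constructed from entries in the logs above).

```python
"""Triage helpers for the two log formats posted in this thread: HijackThis
(O2 BHO lines) and the ESET Online Scanner log.  Added example, not code from
the thread or from either tool; the sample lines below are constructed from
entries that appear in the posted logs."""
import re
from collections import defaultdict

# Constructed sample: a handful of HijackThis lines in the O2/O4 format used above.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1BE35248-09A1-4E92-8A44-7A997A8418CA} - C:\WINDOWS\system32\d3d.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTISP~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - Startup: msn_0711_upd240014.exe
"""

# Constructed sample: ESET Online Scanner lines (path, detection, kind, MD5).
ESET_SAMPLE = r"""
# found=5
C:\Program Files\AntiSpyware\AnalyseTrendMicro\backups\backup-20071119-180519-694.dll Win32/Adware.Virtumonde application 0115EA648DD1EAC9EE1E7221D9F6A38F
C:\WINDOWS\system32\d3d.dll probably a variant of Win32/Adware.BHO.NBI application 890B8D0F880C14DB98521B691C873E2D
C:\WINDOWS\system32\klpslxwy.dll Win32/BHO.G trojan 0A93E54EB34B5443D98B76EE8C26D7FF
C:\WINDOWS\system32\mxebflmn.dll Win32/BHO.G trojan 0A93E54EB34B5443D98B76EE8C26D7FF
C:\WINDOWS\system32\omtyuewt.dll Win32/Adware.Virtumonde application F813296BC2544BAA539683D509B7BFF3
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
MD5_RE = re.compile(r"^[0-9A-Fa-f]{32}$")


def parse_bhos(hjt_log):
    """Return (name, clsid, path) for every O2 line in a HijackThis log."""
    out = []
    for line in hjt_log.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            out.append((m["name"], m["clsid"], m["path"]))
    return out


def parse_eset(eset_log):
    """Return (path, detection, kind, md5) per detection line.

    Paths and detection names both contain spaces, so split from the right:
    the last token is the MD5, the one before it the kind, and the detection
    name is the first token containing a '/' (Windows paths never do),
    optionally preceded by ESET's 'probably a variant of' prefix."""
    out = []
    for line in eset_log.splitlines():
        tokens = line.split()
        if len(tokens) < 4 or tokens[0].startswith("#") or not MD5_RE.match(tokens[-1]):
            continue  # header lines such as '# found=35' carry no file entry
        md5, kind = tokens[-1].upper(), tokens[-2]
        first = next((i for i, t in enumerate(tokens) if "/" in t), None)
        if first is None:
            continue
        if first >= 4 and tokens[first - 4:first] == ["probably", "a", "variant", "of"]:
            first -= 4
        path = " ".join(tokens[:first])
        detection = " ".join(tokens[first:-2])
        out.append((path, detection, kind, md5))
    return out


def suspicious_bhos(bhos, detections):
    """Flag BHOs worth a second look and say why.

    Rule 1 (the Virtumonde pattern seen in this thread): an unnamed BHO whose
    DLL lives directly in system32.  Rule 2: the BHO's DLL was flagged by the
    scanner.  A '(no name)' BHO outside system32 (Spybot's SDHelper.dll) is
    deliberately not flagged by rule 1 alone."""
    flagged_paths = {p.lower(): d for p, d, _, _ in detections}
    findings = {}
    for name, clsid, path in bhos:
        reasons = []
        if name == "(no name)" and re.search(r"\\system32\\[^\\]+$", path, re.I):
            reasons.append("unnamed BHO loading straight from system32")
        if path.lower() in flagged_paths:
            reasons.append("scanner detection: " + flagged_paths[path.lower()])
        if reasons:
            findings[path] = reasons
    return findings


def hash_families(detections):
    """Group detected files by MD5: many random names, one hash, means the
    same binary being re-dropped under new names (what the poster saw)."""
    families = defaultdict(list)
    for path, _, _, md5 in detections:
        families[md5].append(path.rsplit("\\", 1)[-1])
    return {h: names for h, names in families.items() if len(names) > 1}


if __name__ == "__main__":
    dets = parse_eset(ESET_SAMPLE)
    for path, reasons in suspicious_bhos(parse_bhos(HJT_SAMPLE), dets).items():
        print(path, "->", "; ".join(reasons))
    for md5, names in hash_families(dets).items():
        print(md5, "seen as", ", ".join(names))
```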

random/random
2007-11-24, 14:02
You appear to have been reinfected, and it looks like you may have picked up a particularly nasty infection.


Download GMER by GMER from here (http://gmer.net/gmer.zip)
Unzip it to a folder on your desktop
Double click on gmer.exe to launch GMER
If asked, allow the gmer.sys driver load
If it warns you about rootkit activity and asks if you want to run scan, click OK
If you don't get a warning then

Click the rootkit tab
Click Scan

Once the scan has finished, click copy
Paste the log into notepad using Ctrl+V
Save it to your desktop as gmerrk.txt
Click on the >>> tab
This will open up the rest of the tabs for you
Click on the Autostart tab
Click on Scan
Once the scan has finished, click copy
Paste the log into notepad using Ctrl+V
Save it to your desktop as gmerautos.txt
Copy and paste the contents of gmerautos.txt and gmerrk.txt as a reply to this topic



Run HijackThis
Click on Open the Misc Tools section
Tick these two options:

List also minor sections (full)
List empty sections (complete)

Now click on Generate StartupList log
Click Yes to the prompt
A notepad window will open
Copy and paste the contents of that window as a reply to this topic

Cabanaramma
2007-11-27, 01:26
I tried running the rootkit scan 3 times, but either it made my pc crash halfway through the scan, or the programme froze when the scan had finished, so I couldn't copy the results.

GMER Autostart
GMER 1.0.13.12551 - http://www.gmer.net
Autostart scan 2007-11-26 23:25:31
Windows 5.1.2600 Service Pack 2


HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems@Windows = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@Userinit = C:\WINDOWS\system32\userinit.exe,

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
aawservice /*Ad-Aware 2007 Service*/@ = "C:\Program Files\AntiSpyware\Adaware\aawservice.exe"
Apple Mobile Device /*Apple Mobile Device*/@ = "C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe"
kavsvc /*kavsvc*/@ = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe"
MDM /*Machine Debug Manager*/@ = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
Pctspk /*PCTEL Speaker Phone*/@ = %SystemRoot%\system32\pctspk.exe
Spooler /*Print Spooler*/@ = %SystemRoot%\system32\spoolsv.exe
UMWdf /*Windows User Mode Driver Framework*/@ = C:\WINDOWS\system32\wdfmgr.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@VTTimerVTTimer.exe = VTTimer.exe
@KAVPersonal50"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
@SoundManSOUNDMAN.EXE = SOUNDMAN.EXE
@lxcrmon.exe"C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" = "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
@FaxCenterServer"C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s = "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
@iTunesHelper"C:\Program Files\iTunes\iTunesHelper.exe" = "C:\Program Files\iTunes\iTunesHelper.exe"
@QuickTime Task"C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime = "C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
@EzPrint"C:\Program Files\Lexmark 2400 Series\ezprint.exe" = "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
@LXCRCATSrundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16 = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@ctfmon.exeC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@MsnMsgr"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /*Display Panning CPL Extension*/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /*Previous Versions Property Page*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /*Previous Versions*/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) =
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{07C45BB1-4A8C-4642-A1F5-237E7215FF66} /*IE Microsoft BrowserBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{1C1EDB47-CE22-4bbb-B608-77B48F83C823} /*IE Fade Task*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{205D7A97-F16D-4691-86EF-F3075DCCA57D} /*IE Menu Desk Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{3028902F-6374-48b2-8DC6-9725E775B926} /*IE AutoComplete*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{43886CD5-6529-41c4-A707-7B3C92C05E68} /*IE Navigation Bar*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{44C76ECD-F7FA-411c-9929-1B77BA77F524} /*IE Menu Site*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{4B78D326-D922-44f9-AF2A-07805C2A3560} /*IE Menu Band*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6038EF75-ABFC-4e59-AB6F-12D397F6568D} /*IE Microsoft History AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6B4ECC4F-16D1-4474-94AB-5A763F2A54AE} /*IE Tracking Shell Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{6CF48EF8-44CD-45d2-8832-A16EA016311B} /*IE IShellFolderBand*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{73CFD649-CD48-4fd8-A272-2070EA56526B} /*IE BandProxy*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{98FF6D4B-6387-4b0a-8FBD-C5C4BB17B4F8} /*IE MRU AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9A096BB5-9DC3-4D1C-8526-C3CBF991EA4E} /*IE RSS Feeder Folder*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{9D958C62-3954-4b44-8FAB-C4670C1DB4C2} /*IE Microsoft Shell Folder AutoComplete List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B31C5FAE-961F-415b-BAF0-E697A5178B94} /*IE Microsoft Multiple AutoComplete List Container*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BC476F4C-D9D7-4100-8D4E-E043F6DEC409} /*Microsoft Browser Architecture*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{BFAD62EE-9D54-4b2a-BF3B-76F90697BD2A} /*IE Shell Rebar BandSite*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{E6EE9AAC-F76B-4947-8260-A9F136138E11} /*IE Shell Band Site Menu*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F2CF5485-4E02-4f68-819C-B92DE9277049} /*&Links*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{F83DAC1C-9BB9-4f2b-B619-09819DA81B0E} /*IE Registry Tree Options Utility*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{FDE7673D-2E19-4145-8376-BBD58C4BC7BA} /*IE Custom MRU AutoCompleted List*/C:\WINDOWS\system32\ieframe.dll = C:\WINDOWS\system32\ieframe.dll
@{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF} /*iTunes*/C:\Program Files\iTunes\iTunesMiniPlayer.dll = C:\Program Files\iTunes\iTunesMiniPlayer.dll
@{FC9FB64A-1EB2-4CCF-AF5E-1A497A9B5C2D} /*Messenger Sharing Folders*/C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll = C:\Program Files\MSN Messenger\fsshext.8.1.0178.00.dll
@{52B87208-9CCF-42C9-B88E-069281105805} /*Trojan Remover Shell Extension*/C:\PROGRA~1\ANTISP~1\TROJAN~1\Trshlex.dll = C:\PROGRA~1\ANTISP~1\TROJAN~1\Trshlex.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll
Trojan Remover@{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\ANTISP~1\TROJAN~1\Trshlex.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
Kaspersky Anti-Virus@{dd230880-495a-11d1-b064-008048ec2fc5} = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\shellex.dll
Trojan Remover@{52B87208-9CCF-42C9-B88E-069281105805} = C:\PROGRA~1\ANTISP~1\TROJAN~1\Trshlex.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{1BE35248-09A1-4E92-8A44-7A997A8418CA}C:\WINDOWS\system32\d3d.dll = C:\WINDOWS\system32\d3d.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\ANTISP~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\ANTISP~1\SPYBOT~1\SDHelper.dll

HKCU\Control Panel\Desktop@SCRNSAVE.EXE = C:\WINDOWS\system32\ssmypics.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pagehttp://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home = http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pagehttp://www.google.co.uk/ = http://www.google.co.uk/
@Local PageC:\WINDOWS\system32\blank.htm = C:\WINDOWS\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/xml@CLSID = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
dvd@CLSID = C:\WINDOWS\system32\msvidctl.dll
its@CLSID = C:\WINDOWS\system32\itss.dll
livecall@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mhtml@CLSID = %SystemRoot%\system32\inetcomm.dll
ms-its@CLSID = C:\WINDOWS\system32\itss.dll
ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
msnim@CLSID = C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
mso-offdap@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
mso-offdap11@CLSID = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
tv@CLSID = C:\WINDOWS\system32\msvidctl.dll

HKLM\Software\Classes\PROTOCOLS\Handler\wia@CLSID = C:\WINDOWS\system32\wiascr.dll



HJT Startup List
StartupList report, 26/11/2007, 22:13:39
StartupList version: 1.52.2
Started from : C:\Program Files\AntiSpyware\AnalyseTrendMicro\AnalyseTrendMicro.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiSpyware\Adaware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\AntiSpyware\AnalyseTrendMicro\AnalyseTrendMicro.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

VTTimer = VTTimer.exe
KAVPersonal50 = "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
SoundMan = SOUNDMAN.EXE
lxcrmon.exe = "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
FaxCenterServer = "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task = "C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
EzPrint = "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
LXCRCATS = rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
MsnMsgr = "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\system32\d3d.dll - {1BE35248-09A1-4E92-8A44-7A997A8418CA}
(no name) - C:\PROGRA~1\ANTISP~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Download Program Files:

[CKAVWebScan Object]
InProcServer32 = C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
CODEBASE = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[MySpace Uploader Control]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MySpaceUploader.ocx
CODEBASE = http://lads.myspace.com/upload/MySpaceUploader.cab

[MSN Photo Upload Tool]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\MsnPUpld.dll
CODEBASE = http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab

[OnlineScanner Control]
InProcServer32 = C:\WINDOWS\system32\ONLINE~1.OCX
CODEBASE = http://www.eset.eu/buxus/docs/OnlineScanner.cab

[Windows Live Safety Center Base Module]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\wlscBase.dll
CODEBASE = http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\wuweb.dll
CODEBASE = http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195778825593

[DivXBrowserPlugin Object]
InProcServer32 = C:\Program Files\DivX\DivX Web Player\npdivx32.dll
CODEBASE = http://go.divx.com/plugin/DivXBrowserPlugin.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9c.ocx
CODEBASE = https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
End of report, 6,038 bytes
Report generated in 0.094 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only


No idea if this is relevant, but I've got Kaspersky AntiVirus and I can't update it - tried several times this week but it won't download the update file, won't even connect to the server.

random/random
2007-11-27, 21:20
Download Autoruns from here (http://download.sysinternals.com/Files/Autoruns.zip)
Unzip/extract it to a folder on your desktop
Double click on autoruns.exe to start Autoruns
Wait for it to finish scanning
Under Options make sure the following options are selected

Verify Code Signatures
Hide Signed Microsoft Entries

Click File > Refresh
Click File > Save As
Save it to the desktop as autoruns.txt
Post the contents of autoruns.txt as a reply to this topic

Cabanaramma
2007-11-28, 13:06
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ EzPrint Lexmark Fast Pics Application (Not verified) Lexmark International Inc. c:\program files\lexmark 2400 series\ezprint.exe
+ FaxCenterServer Fax Man Server c:\program files\lexmark fax solutions\fm3032.exe
+ iTunesHelper iTunesHelper Module (Verified) Apple Computer, Inc. c:\program files\itunes\ituneshelper.exe
+ KAVPersonal50 Kaspersky Anti-Virus GUI Part (Not verified) Kaspersky Lab c:\program files\kaspersky lab\kaspersky anti-virus personal\kav.exe
+ lxcrmon.exe Device Monitor c:\program files\lexmark 2400 series\lxcrmon.exe
+ QuickTime Task QuickTime Task (Not verified) Apple Inc. c:\program files\quicktime\qttask.exe
HKLM\SOFTWARE\Classes\Protocols\Handler
+ ms-itss Microsoft® InfoTech Storage System Library (Not verified) Microsoft Corporation c:\program files\common files\microsoft shared\information retrieval\msitss.dll
HKCU\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components
+ 0 File not found: About:Home
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components
+ IE7 Uninstall Stub IE Per User Active Setup Uninstall Utility (Not verified) Microsoft Corporation c:\windows\system32\ieudinit.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved
+ &Links Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ Display Panning CPL Extension File not found: deskpan.dll
+ IE AutoComplete Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE BandProxy Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Custom MRU AutoCompleted List Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Fade Task Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE IShellFolderBand Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Menu Band Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Menu Desk Bar Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Menu Site Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Microsoft BrowserBand Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Microsoft History AutoComplete List Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Microsoft Multiple AutoComplete List Container Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Microsoft Shell Folder AutoComplete List Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE MRU AutoComplete List Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Navigation Bar Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Registry Tree Options Utility Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE RSS Feeder Folder Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Shell Band Site Menu Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Shell Rebar BandSite Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE Tracking Shell Menu Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ IE User Assist Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ iTunes iTunes Mini Player DLL (Verified) Apple Computer, Inc. c:\program files\itunes\itunesminiplayer.dll
+ Microsoft Browser Architecture Internet Explorer (Not verified) Microsoft Corporation c:\windows\system32\ieframe.dll
+ Trojan Remover Shell Extension Trojan Remover Shell Extension (Verified) Simply Super Software c:\program files\antispyware\trojan remover\trshlex.dll
HKLM\Software\Classes\Folder\Shellex\ColumnHandlers
+ PDF Shell Extension PDF Shell Extension (Not verified) Adobe Systems, Inc. c:\program files\adobe\acrobat 7.0\activex\pdfshell.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects
+ AcroIEHlprObj Class Adobe Acrobat IE Helper Version 7.0 for ActiveX (Verified) Adobe Systems, Incorporated c:\program files\adobe\acrobat 7.0\activex\acroiehelper.dll
+ {1BE35248-09A1-4E92-8A44-7A997A8418CA} c:\windows\system32\d3d.dll
+ {53707962-6F74-2D53-2644-206D7942484F} Bad download blocker (Verified) Safer Networking Ltd. c:\program files\antispyware\spybot - search & destroy\sdhelper.dll
HKLM\Software\Microsoft\Internet Explorer\Extensions
+ Windows Messenger Windows Messenger (Not verified) Microsoft Corporation c:\program files\messenger\msmsgs.exe
HKLM\System\CurrentControlSet\Services
+ aawservice Protects your computer from spyware (Verified) Lavasoft AB c:\program files\antispyware\adaware\aawservice.exe
+ Apple Mobile Device Provides the interface to Apple mobile devices. (Not verified) Apple, Inc. c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
+ kavsvc Kaspersky Anti-Virus Service (Not verified) Kaspersky Lab c:\program files\kaspersky lab\kaspersky anti-virus personal\kavsvc.exe
HKLM\System\CurrentControlSet\Services
+ bkn50USB Sample Driver for Ralink 802.11g Wireless USB Adapters (Not verified) Ralink Technology Inc. c:\windows\system32\drivers\rt2500usb.sys
+ Changer File not found: C:\WINDOWS\System32\Drivers\Changer.sys
+ GEARAspiWDM CD/DVD Class Filter Driver (Verified) GEAR Software Inc. c:\windows\system32\drivers\gearaspiwdm.sys
+ gmer GMER Driver http://www.gmer.net (Not verified) GMER c:\windows\system32\drivers\gmer.sys
+ GTNDIS5 File not found: C:\WINDOWS\System32\Drivers\GTNDIS5.sys
+ i2omgmt File not found: C:\WINDOWS\System32\Drivers\i2omgmt.sys
+ ids00026 File not found: C:\WINDOWS\System32\Drivers\ids00026.sys
+ ids0018a File not found: C:\WINDOWS\System32\Drivers\ids0018a.sys
+ ids00196 File not found: C:\WINDOWS\System32\Drivers\ids00196.sys
+ ids001b8 Kaspersky IDS Plugin (Not verified) Kaspersky Lab c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\bases\ids001b8.sys
+ irsir File not found: C:\WINDOWS\System32\Drivers\irsir.sys
+ Klick Kaspersky NDIS Interceptor (Not verified) Kaspersky Lab c:\windows\system32\drivers\klick.sys
+ Klif spuper-ptor (Not verified) Kaspersky Labs c:\windows\system32\drivers\klif.sys
+ Klin Kaspersky TDI Interceptor (Not verified) Kaspersky Lab c:\windows\system32\drivers\klin.sys
+ Klmc Kaspersky Anti-Virus Mail Checker Proxy (Not verified) Kaspersky Lab c:\windows\system32\drivers\klmc.sys
+ klstm Kaspersky Stealth Mode Plugin (Not verified) Kaspersky Lab c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\bases\klstm.sys
+ lbrtfdc File not found: C:\WINDOWS\System32\Drivers\lbrtfdc.sys
+ PCIDump File not found: C:\WINDOWS\System32\Drivers\PCIDump.sys
+ PDCOMP File not found: C:\WINDOWS\System32\Drivers\PDCOMP.sys
+ PDFRAME File not found: C:\WINDOWS\System32\Drivers\PDFRAME.sys
+ PDRELI File not found: C:\WINDOWS\System32\Drivers\PDRELI.sys
+ PDRFRAME File not found: C:\WINDOWS\System32\Drivers\PDRFRAME.sys
+ PxHelp20 Px Engine Device Driver for Windows 2000/XP (Verified) Sonic Solutions c:\windows\system32\drivers\pxhelp20.sys
+ SIS163u SiS163 USB Wireless LAN Adapter Driver (Not verified) Silicon Integrated Systems Corp. c:\windows\system32\drivers\sis163u.sys
+ TSP spuper-ptor (Not verified) Kaspersky Labs c:\windows\system32\drivers\klif.sys
+ WDICA File not found: C:\WINDOWS\System32\Drivers\WDICA.sys
HKLM\System\CurrentControlSet\Control\Session Manager\BootExecute
+ lsdelete c:\windows\system32\lsdelete.exe
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors
+ Lexmark Print-2-Fax Port Print Monitor (Win2k/WinXP) c:\windows\system32\lxprmon.dll
+ Microsoft Document Imaging Writer Monitor Microsoft® Document Imaging (Not verified) Microsoft Corporation c:\windows\system32\mdimon.dll

random/random
2007-11-28, 20:30
Download the latest version of ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Cabanaramma
2007-11-29, 01:11
Combofix Log:
ComboFix 07-11-19.4C - Home 2007-11-28 22:58:42.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.61 [GMT 0:00]
Running from: C:\Program Files\AntiSpyware\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\akfjqglo.dllbox
C:\WINDOWS\system32\birnnyfc.dllbox
C:\WINDOWS\system32\omhqanwm.dllbox
C:\WINDOWS\system32\uxqpxzwe.dllbox
C:\WINDOWS\system32\yqmcdgkx.dllbox
C:\WINDOWS\system32\zzpdkrxg.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-24 01:30 83,456 --a------ C:\WINDOWS\system32\d3d.dll
2007-11-24 00:52 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-11-23 00:50 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-11-23 00:50 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-11-23 00:50 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-11-23 00:50 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-11-20 23:15 689,163 ---hs---- C:\WINDOWS\system32\rrechaqk.ini
2007-11-20 23:15 85,056 --a------ C:\WINDOWS\system32\kqahcerr.dll
2007-11-20 23:12 144,480 --a------ C:\WINDOWS\system32\xhjuusfx.dll
2007-11-19 22:04 685,703 ---hs---- C:\WINDOWS\system32\tweuytmo.ini
2007-11-19 22:03 85,056 --a------ C:\WINDOWS\system32\omtyuewt.dll
2007-11-19 22:00 83,008 --a------ C:\WINDOWS\system32\mxebflmn.dll
2007-11-19 21:57 144,480 --a------ C:\WINDOWS\system32\iamwuxck.dll
2007-11-19 16:04 687,469 --a------ C:\WINDOWS\system32\bonoquxl.ini.ren
2007-11-19 16:04 85,056 --a------ C:\WINDOWS\system32\lxuqonob.dll.ren
2007-11-19 16:01 144,480 --a------ C:\WINDOWS\system32\xhhfrlhf.dll
2007-11-19 16:01 144,480 --a------ C:\WINDOWS\system32\omhqanwm.dll.vir
2007-11-19 15:58 83,008 --a------ C:\WINDOWS\system32\klpslxwy.dll
2007-11-19 15:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-19 15:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-14 22:37 144,480 --a------ C:\WINDOWS\system32\akfjqglo.dll.vir
2007-11-14 22:36 144,480 --a------ C:\WINDOWS\system32\xajurjpa.dll
2007-11-14 22:33 79,424 --a------ C:\WINDOWS\system32\sinngdqn.dll
2007-11-14 22:28 671,136 --a------ C:\WINDOWS\system32\khknlyuj.ini.ren
2007-11-14 22:27 85,056 --a------ C:\WINDOWS\system32\juylnkhk.dll.ren
2007-11-14 19:21 <DIR> d-------- C:\VundoFix Backups
2007-11-14 19:01 79,424 --a------ C:\WINDOWS\system32\krvblvqd.dll
2007-11-14 18:58 671,471 --a------ C:\WINDOWS\system32\amddvtjr.ini.ren
2007-11-14 18:58 85,056 --a------ C:\WINDOWS\system32\rjtvddma.dll.ren
2007-11-13 16:37 144,480 --a------ C:\WINDOWS\system32\zzpdkrxg.dll.vir
2007-11-13 16:37 144,480 --a------ C:\WINDOWS\system32\grsgayuw.dll
2007-11-13 16:34 668,993 ---hs---- C:\WINDOWS\system32\xqmxasba.ini
2007-11-13 16:34 88,128 --a------ C:\WINDOWS\system32\absaxmqx.dll.ren
2007-11-13 16:28 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-12 23:53 590,356 ---hs---- C:\WINDOWS\system32\lcsrxrdo.ini
2007-11-12 23:53 89,664 --a------ C:\WINDOWS\system32\odrxrscl.dll.ren
2007-11-12 23:50 144,480 --a------ C:\WINDOWS\system32\wasurmfl.dll
2007-11-12 23:50 81,472 --a------ C:\WINDOWS\system32\nexwqkpb.dll
2007-11-12 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-12 21:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-12 20:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-12 20:23 <DIR> d-------- C:\Documents and Settings\Home\Application Data\Simply Super Software
2007-11-12 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-11-12 20:23 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2007-11-12 20:23 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-11-12 20:23 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2007-11-12 20:23 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-11-12 20:23 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2007-11-12 16:52 <DIR> d-------- C:\Documents and Settings\Home\Application Data\WinPatrol
2007-11-12 15:06 81,472 --a------ C:\WINDOWS\system32\cxhdfcee.dll
2007-11-12 15:03 582,926 ---hs---- C:\WINDOWS\system32\twojjhxm.ini
2007-11-11 14:34 27,200 --a------ C:\WINDOWS\system32\8PO5bmr8.exe
2007-11-11 14:32 584,416 ---hs---- C:\WINDOWS\system32\oawqjjyr.ini
2007-11-11 14:30 79,936 --a------ C:\WINDOWS\system32\wxtgbuua.dll
2007-11-11 14:29 347,474 --a------ C:\WINDOWS\system32\jmllm.bak2.ren
2007-11-10 23:00 317,250 --a------ C:\WINDOWS\system32\jmllm.bak1.ren
2007-11-10 22:59 332,119 --ahs---- C:\WINDOWS\system32\jmllm.ini.ren
2007-11-10 22:54 36,352 --a------ C:\WINDOWS\system32\ssqrspq.dll.ren

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 22:50 --------- d-----w C:\Program Files\AntiSpyware
2007-11-28 22:46 --------- d-----w C:\Program Files\lx_cats
2007-11-28 14:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-09 21:31 --------- d-----w C:\Program Files\MSN Messenger
2007-06-25 14:02 6,221,304 ----a-w C:\Program Files\winamp535Setup.exe
2007-06-25 00:53 18,895,728 ----a-w C:\Program Files\MSNSetup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1BE35248-09A1-4E92-8A44-7A997A8418CA}]
2004-08-03 23:56 83456 --a------ C:\WINDOWS\system32\d3d.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-07 19:33 C:\WINDOWS\system32\VTTimer.exe]
"KAVPersonal50"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" [2004-11-26 12:32]
"SoundMan"="SOUNDMAN.EXE" [2002-11-19 21:01 C:\WINDOWS\SOUNDMAN.EXE]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [2006-01-22 17:45]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 08:11]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44]
"QuickTime Task"="C:\PROGRAM FILES\QUICKTIME\QTTASK.exe" [2007-06-29 05:24]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 05:10]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 18:38]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56]

R0 Klick;Klick;C:\WINDOWS\system32\drivers\klick.sys
R0 Klin;Klin;C:\WINDOWS\system32\drivers\klin.sys
R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
S3 ids001b8;ids001b8;\??\C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids001b8.sys
S3 klstm;klstm;\??\C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\klstm.sys
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\sis163u.sys

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 23:02:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-28 23:05:44 - machine was rebooted
.
--- E O F ---


I recognise the files deleted at the beginning of this as files that were installing themselves etc. earlier, when I first asked for help here.

HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:08:30, on 28/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiSpyware\Adaware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AntiSpyware\AnalyseTrendMicro\AnalyseTrendMicro.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {128D2B26-D085-4D3E-8B7E-C403428D75F9} - C:\WINDOWS\system32\d3d.dll
O2 - BHO: (no name) - {1BE35248-09A1-4E92-8A44-7A997A8418CA} - C:\WINDOWS\system32\d3d.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTISP~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CC367375-A3A6-4415-BCDE-A25D66C20CA9} - C:\WINDOWS\system32\d3d.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195778825593
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\AntiSpyware\Adaware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe


Something new: pop-ups etc. have come back after running ComboFix, as opposed to before, when there was an infection but no visible signs of it.

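As an added triage example (not part of this thread or of any tool named in it), the script below runs over lines copied from the ComboFix and HijackThis output above and flags two patterns visible there: a randomly named .dll in system32 whose hidden companion .ini carries the same name reversed, and one DLL registered as a BHO under several CLSIDs. The regexes and the handling of the .ren/.vir quarantine suffixes are assumptions about the log formats based only on the lines shown.

```python
"""Triage helpers for ComboFix 'Files Created' lines and HijackThis O2 lines."""
import re
from collections import defaultdict

# Lines copied from the ComboFix and HJT logs posted in this thread. A few
# clean entries (d3d.dll has no .ini partner, UNRAR3.dll, the Acrobat and
# Spybot BHOs) are included so the filters have something to leave alone.
COMBOFIX_SAMPLE = """\
2007-11-24 01:30 83,456 --a------ C:\\WINDOWS\\system32\\d3d.dll
2007-11-20 23:15 689,163 ---hs---- C:\\WINDOWS\\system32\\rrechaqk.ini
2007-11-20 23:15 85,056 --a------ C:\\WINDOWS\\system32\\kqahcerr.dll
2007-11-19 22:04 685,703 ---hs---- C:\\WINDOWS\\system32\\tweuytmo.ini
2007-11-19 22:03 85,056 --a------ C:\\WINDOWS\\system32\\omtyuewt.dll
2007-11-19 16:04 687,469 --a------ C:\\WINDOWS\\system32\\bonoquxl.ini.ren
2007-11-19 16:04 85,056 --a------ C:\\WINDOWS\\system32\\lxuqonob.dll.ren
2007-11-12 20:23 153,088 --a------ C:\\WINDOWS\\system32\\UNRAR3.dll
2007-11-10 22:59 332,119 --ahs---- C:\\WINDOWS\\system32\\jmllm.ini.ren
"""

HJT_SAMPLE = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {128D2B26-D085-4D3E-8B7E-C403428D75F9} - C:\\WINDOWS\\system32\\d3d.dll
O2 - BHO: (no name) - {1BE35248-09A1-4E92-8A44-7A997A8418CA} - C:\\WINDOWS\\system32\\d3d.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\ANTISP~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {CC367375-A3A6-4415-BCDE-A25D66C20CA9} - C:\\WINDOWS\\system32\\d3d.dll
"""

# Assumed shape of a ComboFix "Files Created" line: stamp, size or <DIR>,
# attribute string, full path.
CF_LINE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>)\s+(?P<attrs>\S+)\s+(?P<path>.+?)\s*$")
# Suffixes that VundoFix / Trojan Remover append to files they renamed
# instead of deleting (seen as .ren and .vir in the log above).
QUARANTINE_SUFFIXES = (".ren", ".vir")

# Assumed shape of an HJT O2 line: name, CLSID in braces, path.
O2_LINE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)\s*$")


def parse_combofix(text):
    """Parse 'Files Created' lines into dicts with the quarantine suffix removed."""
    entries = []
    for line in text.splitlines():
        m = CF_LINE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        for suffix in QUARANTINE_SUFFIXES:
            if path.lower().endswith(suffix):
                path = path[: -len(suffix)]
                break
        name = path.rsplit("\\", 1)[-1].lower()
        stem, _, ext = name.rpartition(".")
        entries.append({"stamp": m.group("stamp"), "attrs": m.group("attrs"),
                        "path": path, "stem": stem, "ext": ext})
    return entries


def find_vundo_pairs(entries):
    """Return (dll_path, ini_path) pairs where the .ini stem is the .dll stem reversed.

    Every infected pair in the log above follows this naming scheme and the
    .ini side additionally carries hidden+system attributes; the reversed
    name alone is enough to pair them here.
    """
    dlls = {e["stem"]: e for e in entries if e["ext"] == "dll"}
    pairs = []
    for e in entries:
        if e["ext"] != "ini":
            continue
        partner = dlls.get(e["stem"][::-1])
        if partner is not None:
            pairs.append((partner["path"], e["path"]))
    return pairs


def bho_multi_clsid(text):
    """Map lower-cased DLL path -> CLSIDs for DLLs registered as a BHO more than once.

    A single unsigned DLL under several BHO CLSIDs (d3d.dll above) is a stronger
    signal than '(no name)' alone, which legitimate BHOs such as SDHelper.dll
    also show.
    """
    by_dll = defaultdict(list)
    for line in text.splitlines():
        m = O2_LINE.match(line.strip())
        if m:
            by_dll[m.group("path").lower()].append(m.group("clsid"))
    return {path: clsids for path, clsids in by_dll.items() if len(clsids) > 1}


if __name__ == "__main__":
    for dll, ini in find_vundo_pairs(parse_combofix(COMBOFIX_SAMPLE)):
        print(f"reversed-name pair: {dll} <-> {ini}")
    for dll, clsids in bho_multi_clsid(HJT_SAMPLE).items():
        print(f"BHO registered {len(clsids)} times: {dll}")
```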
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\AntiSpyware\Adaware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe


Something new - pop-ups etc. have come back after running Combofix, as opposed to before, when there was an infection but no visible signs of it.

random/random
2007-11-29, 20:50
Open a new notepad window (Start>All programs>accessories>notepad)
Highlight the contents of the below codebox and then press ctrl+c to copy it to the clipboard

DirLook::
C:\Program Files\AntiSpyware
File::
C:\WINDOWS\system32\zzpdkrxg.dll.vir
C:\WINDOWS\system32\xqmxasba.ini
C:\WINDOWS\system32\xhjuusfx.dll
C:\WINDOWS\system32\xhhfrlhf.dll
C:\WINDOWS\system32\xajurjpa.dll
C:\WINDOWS\system32\wxtgbuua.dll
C:\WINDOWS\system32\wasurmfl.dll
C:\WINDOWS\system32\twojjhxm.ini
C:\WINDOWS\system32\tweuytmo.ini
C:\WINDOWS\system32\ssqrspq.dll.ren
C:\WINDOWS\system32\sinngdqn.dll
C:\WINDOWS\system32\rrechaqk.ini
C:\WINDOWS\system32\rjtvddma.dll.ren
C:\WINDOWS\system32\omtyuewt.dll
C:\WINDOWS\system32\omhqanwm.dll.vir
C:\WINDOWS\system32\odrxrscl.dll.ren
C:\WINDOWS\system32\oawqjjyr.ini
C:\WINDOWS\system32\nexwqkpb.dll
C:\WINDOWS\system32\mxebflmn.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\lxuqonob.dll.ren
C:\WINDOWS\system32\lcsrxrdo.ini
C:\WINDOWS\system32\krvblvqd.dll
C:\WINDOWS\system32\kqahcerr.dll
C:\WINDOWS\system32\klpslxwy.dll
C:\WINDOWS\system32\khknlyuj.ini.ren
C:\WINDOWS\system32\juylnkhk.dll.ren
C:\WINDOWS\system32\jmllm.ini.ren
C:\WINDOWS\system32\jmllm.bak2.ren
C:\WINDOWS\system32\jmllm.bak1.ren
C:\WINDOWS\system32\iamwuxck.dll
C:\WINDOWS\system32\grsgayuw.dll
C:\WINDOWS\system32\d3d.dll
C:\WINDOWS\system32\cxhdfcee.dll
C:\WINDOWS\system32\bonoquxl.ini.ren
C:\WINDOWS\system32\amddvtjr.ini.ren
C:\WINDOWS\system32\akfjqglo.dll.vir
C:\WINDOWS\system32\absaxmqx.dll.ren
C:\WINDOWS\system32\8PO5bmr8.exe
C:\Program Files\winamp535Setup.exe
C:\Program Files\MSNSetup.exe
Folder::
C:\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1BE35248-09A1-4E92-8A44-7A997A8418CA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{128D2B26-D085-4D3E-8B7E-C403428D75F9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CC367375-A3A6-4415-BCDE-A25D66C20CA9}]

Paste the contents of the clipboard into the notepad window by pressing ctrl+v or edit>paste
Save it to the desktop as CFscript.txt
Now drag and drop CFscript.txt onto combofix.exe as in the picture below and follow the prompts:
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
When finished, it shall produce a log for you. Post that log and a HiJackThis log in your next reply.
Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.
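As an added illustration of what the three nameless O2 entries and the mllmj.dll / jmllm.ini pair in the logs above look like to a triage script (example code written for this page, not part of HijackThis, ComboFix or Spybot; the O2 sample lines are copied from the log above and the file list is constructed from names that appear in it):

```python
"""Triage helpers for HijackThis-style log entries, written for this thread as
an illustration; not part of HijackThis, ComboFix or any tool named above.

Two heuristics that correspond to what the helper's CFScript targets:
  * O2 BHO lines reading "(no name)" whose DLL is registered under several
    CLSIDs (d3d.dll appears three times in the log above).
  * Vundo-style file pairs: a .dll and a .ini in the same directory whose
    base names are each other's reverse (mllmj.dll / jmllm.ini).
"""
import ntpath
import re
from collections import defaultdict

# Constructed sample: the five O2 lines copied from the HJT log above.
SAMPLE_HJT = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {128D2B26-D085-4D3E-8B7E-C403428D75F9} - C:\\WINDOWS\\system32\\d3d.dll
O2 - BHO: (no name) - {1BE35248-09A1-4E92-8A44-7A997A8418CA} - C:\\WINDOWS\\system32\\d3d.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\ANTISP~1\\SPYBOT~1\\SDHelper.dll
O2 - BHO: (no name) - {CC367375-A3A6-4415-BCDE-A25D66C20CA9} - C:\\WINDOWS\\system32\\d3d.dll
"""

# Constructed file listing reusing names that appear in the thread's logs.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\mllmj.dll",
    r"C:\WINDOWS\system32\jmllm.ini",
    r"C:\WINDOWS\system32\jmllm.bak2",
    r"C:\WINDOWS\system32\d3d.dll",
    r"C:\WINDOWS\system32\ctfmon.exe",
]

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$"
)


def parse_o2(log_text):
    """Return (name, clsid, path) for every O2 line in a HijackThis log."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line.strip())
        if m:
            entries.append((m["name"], m["clsid"], m["path"]))
    return entries


def nameless_multi_clsid_bhos(entries):
    """DLLs registered as a BHO under more than one CLSID with no display name.

    A legitimate BHO normally has one CLSID and a name.  Vundo registers the
    same DLL under several CLSIDs so that removing one leaves the others
    active.  A single nameless entry (SDHelper.dll above) is not flagged.
    Returns {dll_path_lowercase: sorted list of CLSIDs}.
    """
    by_path = defaultdict(list)
    for name, clsid, path in entries:
        if name.strip().lower() == "(no name)":
            by_path[path.lower()].append(clsid)
    return {p: sorted(c) for p, c in by_path.items() if len(c) > 1}


def reversed_name_pairs(paths):
    """Find .dll/.ini pairs in one directory whose stems are mutual reverses.

    Vundo keeps its configuration in a .ini (plus .bak1/.bak2 copies) whose
    name is the loader DLL's name spelled backwards; the pair is a stronger
    indicator than either randomly named file on its own.
    Returns a sorted list of (dll_path, ini_path).
    """
    dlls, inis = {}, {}
    for p in paths:
        directory, fname = ntpath.split(p)
        stem, ext = ntpath.splitext(fname)
        key = (directory.lower(), stem.lower())
        if ext.lower() == ".dll":
            dlls[key] = p
        elif ext.lower() == ".ini":
            inis[key] = p
    pairs = []
    for (directory, stem), dll_path in dlls.items():
        ini_path = inis.get((directory, stem[::-1]))
        if ini_path is not None:
            pairs.append((dll_path, ini_path))
    return sorted(pairs)


if __name__ == "__main__":
    for dll, clsids in nameless_multi_clsid_bhos(parse_o2(SAMPLE_HJT)).items():
        print("nameless BHO registered %d times: %s" % (len(clsids), dll))
    for dll, ini in reversed_name_pairs(SAMPLE_FILES):
        print("reversed-name pair: %s <-> %s" % (dll, ini))
```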

Cabanaramma
2007-11-30, 02:25
ComboFix Log attached as it's too long to post.

HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:20:04, on 30/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiSpyware\Adaware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AntiSpyware\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\AntiSpyware\AnalyseTrendMicro\AnalyseTrendMicro.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTISP~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\AntiSpyware\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195778825593
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\AntiSpyware\Adaware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

Cabanaramma
2007-11-30, 02:30
Attachment won't work for some reason, so I'll do it the long way...

ComboFix 07-11-19.4C - Home 2007-11-30 0:09:01.2 - NTFSx86
Running from: C:\Program Files\AntiSpyware\ComboFix.exe
Command switches used :: C:\Documents and Settings\Home\Desktop\CFscript.txt
* Created a new restore point

FILE
C:\Program Files\MSNSetup.exe
C:\Program Files\winamp535Setup.exe
C:\WINDOWS\system32\8PO5bmr8.exe
C:\WINDOWS\system32\absaxmqx.dll.ren
C:\WINDOWS\system32\akfjqglo.dll.vir
C:\WINDOWS\system32\amddvtjr.ini.ren
C:\WINDOWS\system32\bonoquxl.ini.ren
C:\WINDOWS\system32\cxhdfcee.dll
C:\WINDOWS\system32\d3d.dll
C:\WINDOWS\system32\grsgayuw.dll
C:\WINDOWS\system32\iamwuxck.dll
C:\WINDOWS\system32\jmllm.bak1.ren
C:\WINDOWS\system32\jmllm.bak2.ren
C:\WINDOWS\system32\jmllm.ini.ren
C:\WINDOWS\system32\juylnkhk.dll.ren
C:\WINDOWS\system32\khknlyuj.ini.ren
C:\WINDOWS\system32\klpslxwy.dll
C:\WINDOWS\system32\kqahcerr.dll
C:\WINDOWS\system32\krvblvqd.dll
C:\WINDOWS\system32\lcsrxrdo.ini
C:\WINDOWS\system32\lxuqonob.dll.ren
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mxebflmn.dll
C:\WINDOWS\system32\nexwqkpb.dll
C:\WINDOWS\system32\oawqjjyr.ini
C:\WINDOWS\system32\odrxrscl.dll.ren
C:\WINDOWS\system32\omhqanwm.dll.vir
C:\WINDOWS\system32\omtyuewt.dll
C:\WINDOWS\system32\rjtvddma.dll.ren
C:\WINDOWS\system32\rrechaqk.ini
C:\WINDOWS\system32\sinngdqn.dll
C:\WINDOWS\system32\ssqrspq.dll.ren
C:\WINDOWS\system32\tweuytmo.ini
C:\WINDOWS\system32\twojjhxm.ini
C:\WINDOWS\system32\wasurmfl.dll
C:\WINDOWS\system32\wxtgbuua.dll
C:\WINDOWS\system32\xajurjpa.dll
C:\WINDOWS\system32\xhhfrlhf.dll
C:\WINDOWS\system32\xhjuusfx.dll
C:\WINDOWS\system32\xqmxasba.ini
C:\WINDOWS\system32\zzpdkrxg.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MSNSetup.exe
C:\Program Files\winamp535Setup.exe
C:\VundoFix Backups
C:\VundoFix Backups\jmllm.bak2.bad
C:\VundoFix Backups\jmllm.ini.bad
C:\VundoFix Backups\mllmj.dll.bad
C:\VundoFix Backups\omhqanwm.dll.bad
C:\VundoFix Backups\uxqpxzwe.dll.bad
C:\VundoFix Backups\yqmcdgkx.dll.bad
C:\WINDOWS\system32\8PO5bmr8.exe
C:\WINDOWS\system32\absaxmqx.dll.ren
C:\WINDOWS\system32\akfjqglo.dll.vir
C:\WINDOWS\system32\amddvtjr.ini.ren
C:\WINDOWS\system32\bonoquxl.ini.ren
C:\WINDOWS\system32\cxhdfcee.dll
C:\WINDOWS\system32\d3d.dll
C:\WINDOWS\system32\drivers\bikwsmbb.dat
C:\WINDOWS\system32\grsgayuw.dll
C:\WINDOWS\system32\iamwuxck.dll
C:\WINDOWS\system32\jmllm.bak1.ren
C:\WINDOWS\system32\jmllm.bak2.ren
C:\WINDOWS\system32\jmllm.ini.ren
C:\WINDOWS\system32\juylnkhk.dll.ren
C:\WINDOWS\system32\khknlyuj.ini.ren
C:\WINDOWS\system32\klpslxwy.dll
C:\WINDOWS\system32\kqahcerr.dll
C:\WINDOWS\system32\krvblvqd.dll
C:\WINDOWS\system32\lcsrxrdo.ini
C:\WINDOWS\system32\lxuqonob.dll.ren
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mxebflmn.dll
C:\WINDOWS\system32\nexwqkpb.dll
C:\WINDOWS\system32\oawqjjyr.ini
C:\WINDOWS\system32\odrxrscl.dll.ren
C:\WINDOWS\system32\omhqanwm.dll.vir
C:\WINDOWS\system32\omtyuewt.dll
C:\WINDOWS\system32\rjtvddma.dll.ren
C:\WINDOWS\system32\rrechaqk.ini
C:\WINDOWS\system32\sinngdqn.dll
C:\WINDOWS\system32\ssqrspq.dll.ren
C:\WINDOWS\system32\tweuytmo.ini
C:\WINDOWS\system32\twojjhxm.ini
C:\WINDOWS\system32\wasurmfl.dll
C:\WINDOWS\system32\wxtgbuua.dll
C:\WINDOWS\system32\xajurjpa.dll
C:\WINDOWS\system32\xhhfrlhf.dll
C:\WINDOWS\system32\xhjuusfx.dll
C:\WINDOWS\system32\xqmxasba.ini
C:\WINDOWS\system32\zzpdkrxg.dll.vir

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_RXXPCNMK
-------\rxxpcnmk


((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.

2007-11-24 00:52 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-11-19 15:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-19 15:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-12 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-11-12 21:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-12 20:24 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-12 20:23 <DIR> d-------- C:\Documents and Settings\Home\Application Data\Simply Super Software
2007-11-12 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2007-11-12 16:52 <DIR> d-------- C:\Documents and Settings\Home\Application Data\WinPatrol
2007-10-09 21:31 <DIR> d-------- C:\Program Files\MSN Messenger
2007-10-04 19:53 69,632 --a------ C:\WINDOWS\system32\lfgif13n.dll
2007-10-02 16:15 462,848 --a------ C:\WINDOWS\system32\ltkrn13n.dll
2007-10-02 16:15 450,560 --a------ C:\WINDOWS\system32\ltimg13n.dll
2007-10-02 16:15 401,408 --a------ C:\WINDOWS\system32\lfcmp13n.dll
2007-10-02 16:15 299,008 --a------ C:\WINDOWS\system32\ltdis13n.dll
2007-10-02 16:15 206,336 --a------ C:\WINDOWS\system32\ltefx13n.dll
2007-10-02 16:15 163,840 --a------ C:\WINDOWS\system32\ltfil13n.dll
2007-10-02 16:15 57,344 --a------ C:\WINDOWS\system32\lfbmp13n.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 00:03 --------- d-----w C:\Program Files\lx_cats
2007-11-28 23:24 --------- d-----w C:\Program Files\AntiSpyware
2007-11-28 23:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\AntiSpyware ----

2007-11-29 12:08 735824 --a------ C:\Program Files\AntiSpyware\Trojan Remover\Trjscan.exe
2007-11-29 12:06 65959 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\online.ini
2007-11-28 23:23 2192 --a------ C:\Program Files\AntiSpyware\CCleaner\cc_20071128_2323.reg
2007-11-28 23:21 872985 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\includes.zip
2007-11-28 23:21 7596 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\downloaded.ini
2007-11-28 23:21 304574 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\includes.trojans.zip
2007-11-28 23:21 247524 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\desc.english.zip
2007-11-28 23:08 5639 --a------ C:\Program Files\AntiSpyware\AnalyseTrendMicro\hijackthis.log
2007-11-28 22:50 1560556 --a------ C:\Program Files\AntiSpyware\ComboFix.exe
2007-11-28 14:47 9842 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\KeyloggersC.sbi
2007-11-28 14:47 6376 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\PUPSC.sbi
2007-11-28 14:47 415 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Revision.sbi
2007-11-28 14:47 3894 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\DialerC.sbi
2007-11-28 14:47 304394 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Trojans.sbi
2007-11-28 14:47 2911 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\SecurityC.sbi
2007-11-28 14:47 2222 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\HijackersC.sbi
2007-11-28 14:47 170140 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\TrojansC.sbi
2007-11-28 14:47 168010 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\MalwareC.sbi
2007-11-28 14:47 1242 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Cookies.sbi
2007-11-28 14:47 10349 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\SpybotsC.sbi
2007-11-28 11:05 8322 --a------ C:\Program Files\AntiSpyware\Autoruns\AutoRuns.txt
2007-11-28 11:03 581632 --a------ C:\Program Files\AntiSpyware\GMER\gmer.exe
2007-11-28 11:01 7005 --a------ C:\Program Files\AntiSpyware\Autoruns\Eula.txt
2007-11-28 11:01 546176 --a------ C:\Program Files\AntiSpyware\Autoruns\autoruns.exe
2007-11-28 11:01 48090 --a------ C:\Program Files\AntiSpyware\Autoruns\autoruns.chm
2007-11-28 11:01 456064 --a------ C:\Program Files\AntiSpyware\Autoruns\autorunsc.exe
2007-11-28 10:43 1047356 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Targets.nfo
2007-11-27 17:49 583190 --a------ C:\Program Files\AntiSpyware\Trojan Remover\trjlist3.dta
2007-11-27 17:23 4094724 --a------ C:\Program Files\AntiSpyware\Trojan Remover\trjlist2.dta
2007-11-27 17:21 598641 --a------ C:\Program Files\AntiSpyware\Trojan Remover\reflist.dta
2007-11-27 17:04 1001426 --a------ C:\Program Files\AntiSpyware\Trojan Remover\trjlist4.dta
2007-11-27 16:37 9522 --a------ C:\Program Files\AntiSpyware\Trojan Remover\trjlist6.dta
2007-11-27 09:05 45251 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Services.sbs
2007-11-26 23:25 10467 --a------ C:\Program Files\AntiSpyware\GMER\gmerautos.txt
2007-11-26 22:13 5926 --a------ C:\Program Files\AntiSpyware\AnalyseTrendMicro\startuplist.txt
2007-11-26 19:25 41236 --a------ C:\Program Files\AntiSpyware\Trojan Remover\trj_list.dta
2007-11-26 13:14 313462 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Domains.sbs
2007-11-25 14:47 2273856 --a------ C:\Program Files\AntiSpyware\Trojan Remover\rmt.dta
2007-11-23 16:52 869 --a------ C:\Program Files\AntiSpyware\Trojan Remover\trjlist7.dta
2007-11-23 01:08 6006 --a------ C:\Program Files\AntiSpyware\CCleaner\cc_20071123_0108.reg
2007-11-23 00:35 127 --a------ C:\Program Files\AntiSpyware\fix.reg
2007-11-23 00:33 5417 --a------ C:\Program Files\AntiSpyware\Erunt\LOC_GER.ZIP
2007-11-23 00:33 4090 --a------ C:\Program Files\AntiSpyware\Erunt\ERUNT.LOC
2007-11-23 00:33 38994 --a------ C:\Program Files\AntiSpyware\Erunt\LIESMICH.TXT
2007-11-23 00:33 38912 --a------ C:\Program Files\AntiSpyware\Erunt\AUTOBACK.EXE
2007-11-23 00:33 3275 --a------ C:\Program Files\AntiSpyware\Erunt\ERDNTWIN.LOC
2007-11-23 00:33 31952 --a------ C:\Program Files\AntiSpyware\Erunt\README.TXT
2007-11-23 00:33 2815 --a------ C:\Program Files\AntiSpyware\Erunt\ERDNTDOS.LOC
2007-11-23 00:33 1960 --a------ C:\Program Files\AntiSpyware\Erunt\NTREGOPT.LOC
2007-11-23 00:33 163328 --a------ C:\Program Files\AntiSpyware\Erunt\ERDNT.E_E
2007-11-23 00:33 157696 --a------ C:\Program Files\AntiSpyware\Erunt\ERUNT.EXE
2007-11-23 00:33 140288 --a------ C:\Program Files\AntiSpyware\Erunt\NTREGOPT.EXE
2007-11-22 20:38 963136 --a------ C:\Program Files\AntiSpyware\Trojan Remover\Rmvtrjan.exe
2007-11-21 23:46 78 --a------ C:\Program Files\AntiSpyware\AnalyseTrendMicro\backups\backup-20071121-234641-600
2007-11-20 22:31 6862 --a------ C:\Program Files\AntiSpyware\show-vundo.vbs
2007-11-20 15:22 5407 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Cookies.sbs
2007-11-19 20:29 649378 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\unins000.exe
2007-11-19 20:29 23244 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\unins000.dat
2007-11-19 18:45 1618 --a------ C:\Program Files\AntiSpyware\CCleaner\cc_20071119_1845.reg
2007-11-19 18:05 97 --a------ C:\Program Files\AntiSpyware\AnalyseTrendMicro\backups\backup-20071119-180519-486
2007-11-19 18:05 94 --a------ C:\Program Files\AntiSpyware\AnalyseTrendMicro\backups\backup-20071119-180519-694
2007-11-19 18:05 372 --a------ C:\Program Files\AntiSpyware\AnalyseTrendMicro\backups\backup-20071119-180519-661
2007-11-19 18:05 108 --a------ C:\Program Files\AntiSpyware\AnalyseTrendMicro\backups\backup-20071119-180519-266
2007-11-19 18:03 108 --a------ C:\Program Files\AntiSpyware\AnalyseTrendMicro\backups\backup-20071119-180318-330
2007-11-19 18:02 396288 --a------ C:\Program Files\AntiSpyware\AnalyseTrendMicro\AnalyseTrendMicro.exe
2007-11-19 16:01 144480 --a------ C:\Program Files\AntiSpyware\AnalyseTrendMicro\backups\backup-20071119-180519-486.dll
2007-11-19 15:33 812344 --a------ C:\Program Files\AntiSpyware\HJTInstall.exe
2007-11-14 19:16 4996 --a------ C:\Program Files\AntiSpyware\CCleaner\cc_20071114_1915.reg
2007-11-14 19:00 111005 --a------ C:\Program Files\AntiSpyware\CCleaner\uninst.exe
2007-11-14 18:59 2725528 --a------ C:\Program Files\AntiSpyware\ccsetup202.exe
2007-11-14 18:43 117248 --a------ C:\Program Files\AntiSpyware\VundoFix.exe
2007-11-14 18:41 96978 --a------ C:\Program Files\AntiSpyware\VirtumundoBeGone.exe
2007-11-14 18:40 8646776 --a------ C:\Program Files\AntiSpyware\MalwareRemovalTool-KB890830-V1.35.exe
2007-11-13 16:35 3478 --a------ C:\Program Files\AntiSpyware\CCleaner\cc_20071113_1634.reg
2007-11-12 21:37 546 --a------ C:\Program Files\AntiSpyware\CCleaner\cc_20071112_2137.reg
2007-11-12 21:27 21216112 --a------ C:\Program Files\AntiSpyware\aaw2007.exe
2007-11-12 20:23 10562 --a------ C:\Program Files\AntiSpyware\Trojan Remover\unins000.msg
2007-11-12 20:23 10146 --a------ C:\Program Files\AntiSpyware\Trojan Remover\unins000.dat
2007-11-12 20:22 683080 --a------ C:\Program Files\AntiSpyware\Trojan Remover\unins000.exe
2007-11-12 20:22 6476976 --a------ C:\Program Files\AntiSpyware\TrojanRemoverSetup.exe
2007-11-12 18:06 803 --a------ C:\Program Files\AntiSpyware\CCleaner\cc_20071112_1806.reg
2007-11-12 15:05 671 --a------ C:\Program Files\AntiSpyware\CCleaner\cc_20071112_1505.reg
2007-11-10 22:59 319072 --a------ C:\Program Files\AntiSpyware\AnalyseTrendMicro\backups\backup-20071119-180519-694.dll
2007-11-07 12:14 327300 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\includes.malware.zip
2007-11-07 12:14 152758 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\includes.spybots.zip
2007-11-07 12:14 149060 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\includes.hijackers.zip
2007-11-07 11:50 327120 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Malware.sbi
2007-11-07 11:50 152603 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Spybots.sbi
2007-11-07 11:50 148901 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Hijackers.sbi
2007-11-06 09:08 34246 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Tracks.uti
2007-11-06 07:31 791792 --a------ C:\Program Files\AntiSpyware\CCleaner\ccleaner.exe
2007-11-05 10:51 988 --a------ C:\Program Files\AntiSpyware\CCleaner\history.txt
2007-11-03 21:15 606744 --a------ C:\Program Files\AntiSpyware\Trojan Remover\trjhelp.chm
2007-11-01 10:10 141952 --a------ C:\Program Files\AntiSpyware\Adaware\Lang\English.lslang
2007-10-31 15:32 2250104 --a------ C:\Program Files\AntiSpyware\Adaware\Ad-Watch2007.exe
2007-10-31 15:18 2336080 --a------ C:\Program Files\AntiSpyware\Adaware\Ad-Aware2007.exe
2007-10-31 12:14 118189 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\includes.dialer.zip
2007-10-31 11:44 118041 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Dialer.sbi
2007-10-29 13:58 1586528 --a------ C:\Program Files\AntiSpyware\Adaware\AAWLic.exe
2007-10-29 13:27 587096 --a------ C:\Program Files\AntiSpyware\Adaware\aawservice.exe
2007-10-29 12:21 2123128 --a------ C:\Program Files\AntiSpyware\Adaware\HostFileEditor.exe
2007-10-29 12:21 1914224 --a------ C:\Program Files\AntiSpyware\Adaware\ProcessWatch.exe
2007-10-24 12:14 102905 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\includes.pups.zip
2007-10-24 11:56 102761 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\PUPS.sbi
2007-10-22 19:58 6519 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\RegWatch.sbs
2007-10-19 17:34 202 --a------ C:\Program Files\AntiSpyware\Trojan Remover\trweb.dta
2007-10-18 17:23 39896 --a------ C:\Program Files\AntiSpyware\CCleaner\winapp.ini
2007-10-05 17:26 5609 --a------ C:\Program Files\AntiSpyware\Trojan Remover\trjlist5.dta
2007-10-04 12:14 49386 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\includes.keyloggers.zip
2007-10-04 11:33 49240 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Keyloggers.sbi
2007-09-26 12:16 683907 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\startup.zip
2007-09-26 12:15 471585 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\help.english.zip
2007-09-26 11:41 475638 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Help\English.chm

Cabanaramma
2007-11-30, 02:31
2007-09-25 08:00 726376 --a------ C:\Program Files\AntiSpyware\Adaware\CEAPI.dll
2007-09-25 08:00 255336 --a------ C:\Program Files\AntiSpyware\Adaware\AWCCommunicatorDLL.dll
2007-09-25 08:00 238944 --a------ C:\Program Files\AntiSpyware\Adaware\CookieBlocker.dll
2007-09-25 08:00 214352 --a------ C:\Program Files\AntiSpyware\Adaware\AWCoreComm.dll
2007-09-25 08:00 206160 --a------ C:\Program Files\AntiSpyware\Adaware\AWRegWatchDLL.dll
2007-09-19 14:15 3863401 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Startup.tnfo
2007-09-17 14:25 202080 --a------ C:\Program Files\AntiSpyware\Adaware\AWProcessWatch.dll
2007-09-06 13:47 15707 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\URL-Blacklist.sbs
2007-08-31 15:00 439888 --a------ C:\Program Files\AntiSpyware\Trojan Remover\trupd.exe
2007-08-31 10:19 1815912 --a------ C:\Program Files\AntiSpyware\Adaware\lsupdatemanager.exe
2007-08-31 09:48 5196 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Help\English.license.txt
2007-08-30 12:19 87392 --a------ C:\Program Files\AntiSpyware\Adaware\AAWTray.exe
2007-08-29 22:19 567 --a------ C:\Program Files\AntiSpyware\CCleaner\cc_20070829_2319.reg
2007-08-29 21:47 278 --a------ C:\Program Files\AntiSpyware\CCleaner\cc_20070829_2247.reg
2007-08-29 21:30 1646 --a------ C:\Program Files\AntiSpyware\CCleaner\cc_20070829_2230.reg
2007-08-27 09:41 525664 --a------ C:\Program Files\AntiSpyware\Adaware\Update.dll
2007-08-15 22:03 598 --a------ C:\Program Files\AntiSpyware\CCleaner\cc_20070815_2303.reg
2007-08-01 12:16 309244 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\tools212.zip
2007-08-01 12:15 24946 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\lang.english.zip
2007-07-31 13:06 622928 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Tools.dll
2007-07-31 10:06 83900 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Languages\English.sbl
2007-07-29 13:03 1334 --a------ C:\Program Files\AntiSpyware\Trojan Remover\tr.bmp
2007-07-25 12:15 559133 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\clsid.zip
2007-07-23 22:45 3320 --a------ C:\Program Files\AntiSpyware\CCleaner\cc_20070723_2345.reg
2007-07-23 22:28 5037072 --a------ C:\Program Files\AntiSpyware\spybotsd14.exe
2007-07-23 12:05 558915 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\CLSIDs.sbs
2007-07-11 13:37 636744 --a------ C:\Program Files\AntiSpyware\Adaware\PKArchive84cb.dll
2007-07-11 13:37 274432 --a------ C:\Program Files\AntiSpyware\Adaware\ProcessWatch.dll
2007-07-11 13:37 162304 --a------ C:\Program Files\AntiSpyware\Adaware\unrar.dll
2007-07-05 02:25 311 --a------ C:\Program Files\AntiSpyware\CCleaner\cc_20070705_0325.reg
2007-07-04 16:19 2001583 --a------ C:\Program Files\AntiSpyware\Adaware\Help\Ad-Aware2007manual.chm
2007-06-27 23:07 8357 --a------ C:\Program Files\AntiSpyware\CCleaner\cc_20070628_0006.reg
2007-06-21 08:58 44018 --a------ C:\Program Files\AntiSpyware\Adaware\Registration\plus_home_office.prg
2007-06-21 08:55 44018 --a------ C:\Program Files\AntiSpyware\Adaware\Registration\plus_corporate.prg
2007-06-21 08:51 44018 --a------ C:\Program Files\AntiSpyware\Adaware\Registration\professional_corporate.prg
2007-06-07 19:27 188416 --a------ C:\Program Files\AntiSpyware\Adaware\upmanager.dll
2007-06-07 09:18 656817 --a------ C:\Program Files\AntiSpyware\Adaware\Skin\Sedona.LGFF
2007-06-07 09:18 543020 --a------ C:\Program Files\AntiSpyware\Adaware\Skin\Ad-Aware 2007 Pro Default.LGFF
2007-06-06 12:41 126648 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Plugins\TCPIPAddress.dll
2007-06-06 12:15 67308 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\plugtcpip.zip
2007-06-01 16:52 581632 --a------ C:\Program Files\AntiSpyware\Adaware\Registration\registration_helper.prg
2007-06-01 16:49 44018 --a------ C:\Program Files\AntiSpyware\Adaware\Registration\professional_12_months.prg
2007-06-01 16:49 44018 --a------ C:\Program Files\AntiSpyware\Adaware\Registration\plus_24_months.prg
2007-06-01 16:48 44018 --a------ C:\Program Files\AntiSpyware\Adaware\Registration\plus_12_months.prg
2007-06-01 16:46 44018 --a------ C:\Program Files\AntiSpyware\Adaware\Registration\plus_36_months.prg
2007-06-01 16:44 44018 --a------ C:\Program Files\AntiSpyware\Adaware\Registration\professional_24_months.prg
2007-06-01 16:43 44018 --a------ C:\Program Files\AntiSpyware\Adaware\Registration\professional_36_months.prg
2007-06-01 16:41 44018 --a------ C:\Program Files\AntiSpyware\Adaware\Registration\professional_18_months.prg
2007-06-01 16:39 44018 --a------ C:\Program Files\AntiSpyware\Adaware\Registration\plus_18_months.prg
2007-05-30 12:15 8123 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Security.sbi
2007-05-30 12:14 8255 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\includes.security.zip
2007-05-23 13:13 693848 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\advcheck.dll
2007-05-23 12:13 693848 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\advcheck.dll.bak
2007-05-23 12:12 344546 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\advcheck153.zip
2007-05-07 16:30 97280 --a------ C:\Program Files\AntiSpyware\CCleaner\ccleaner.dll
2007-05-03 17:07 112 --a------ C:\Program Files\AntiSpyware\Trojan Remover\epack.dta
2007-04-12 14:13 20480 --a------ C:\Program Files\AntiSpyware\CCleaner\lang-1033.dll
2007-02-18 18:12 35440 --a------ C:\Program Files\AntiSpyware\Trojan Remover\Sschk.exe
2007-02-05 19:26 467552 --a------ C:\Program Files\AntiSpyware\Trojan Remover\Trshlex.dll
2007-01-24 14:45 5756 --a------ C:\Program Files\AntiSpyware\CCleaner\winsys.ini
2007-01-24 14:45 1564 --a------ C:\Program Files\AntiSpyware\CCleaner\winreg.ini
2007-01-05 22:33 271743 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\tools15.zip
2006-12-26 15:38 185432 --a------ C:\Program Files\AntiSpyware\Trojan Remover\trunins.exe
2006-12-05 12:44 3132 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Browserpages.sbs
2006-10-10 09:04 69456 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\ProcWatch.sbs
2006-03-19 11:51 77824 --a------ C:\Program Files\AntiSpyware\CCleaner\CCListBar.ocx
2005-11-16 10:01 65536 --a------ C:\Program Files\AntiSpyware\CCleaner\CCHelper.ocx
2005-09-27 11:10 57344 --a------ C:\Program Files\AntiSpyware\CCleaner\CCSystem.dll
2005-07-25 12:15 34970 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Updates\helpres.english.zip
2005-07-21 13:14 42564 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Help\English.Resident.chm
2005-05-31 10:31 40960 --a------ C:\Program Files\AntiSpyware\CCleaner\CCSubTimer.dll
2005-05-31 10:28 147456 --a------ C:\Program Files\AntiSpyware\CCleaner\CCTreeView.ocx
2005-05-31 10:25 61440 --a------ C:\Program Files\AntiSpyware\CCleaner\CCTab.ocx
2005-05-31 10:22 159744 --a------ C:\Program Files\AntiSpyware\CCleaner\CCListView.ocx
2005-05-31 01:04 95877 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Languages\Deutsch.sbl
2005-05-31 01:04 93352 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Languages\Francais.sbl
2005-05-31 01:04 91038 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Languages\Espanol.sbl
2005-05-31 01:04 89769 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Languages\Italiano.sbl
2005-05-31 01:04 853672 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\SDHelper.dll
2005-05-31 01:04 646 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Dummies\dummy.related.htm
2005-05-31 01:04 6066 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Help\Francais.license.txt
2005-05-31 01:04 5676 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Help\Italiano.license.txt
2005-05-31 01:04 536 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Skins\Colorblind.ini
2005-05-31 01:04 5289 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Help\Deutsch.license.txt
2005-05-31 01:04 4873 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\LSP.sbs
2005-05-31 01:04 47256 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\blindman.exe
2005-05-31 01:04 402 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Dummies\dummy.data.xml
2005-05-31 01:04 28672 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\aports.dll
2005-05-31 01:04 2683 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\OptOut.ini
2005-05-31 01:04 25726 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\messages.zres
2005-05-31 01:04 252 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Dummies\dummy.default.gif
2005-05-31 01:04 252 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Dummies\dummy.dap.gif
2005-05-31 01:04 22528 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\borlndmm.dll
2005-05-31 01:04 2161 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Default configuration.ini
2005-05-31 01:04 15872 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\delphimm.dll
2005-05-31 01:04 139776 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\ZipDll.dll
2005-05-31 01:04 122368 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\UnzDll.dll
2005-05-31 00:04 48640 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
2005-05-31 00:04 4393096 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\SpybotSD.exe
2005-05-31 00:04 417408 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Update.exe
2005-05-31 00:04 1415824 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\TeaTimer.exe
2005-04-29 11:29 167 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Revision.sbs
2005-04-27 14:25 214 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Searchpages.sbs
2005-04-26 18:41 1270 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\OperaPlugins.sbs
2004-10-12 11:14 26624 --a------ C:\Program Files\AntiSpyware\Adaware\alert.wav
2003-01-01 19:48 992 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Logs.uts
2003-01-01 19:48 51 --a------ C:\Program Files\AntiSpyware\Spybot - Search & Destroy\Includes\Dialer.sbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"SpybotSD TeaTimer"="C:\Program Files\AntiSpyware\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 00:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2005-03-07 19:33 C:\WINDOWS\system32\VTTimer.exe]
"KAVPersonal50"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" [2004-11-26 12:32]
"SoundMan"="SOUNDMAN.EXE" [2002-11-19 21:01 C:\WINDOWS\SOUNDMAN.EXE]
"lxcrmon.exe"="C:\Program Files\Lexmark 2400 Series\lxcrmon.exe" [2006-01-22 17:45]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2006-02-02 08:11]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-31 17:44]
"QuickTime Task"="C:\PROGRAM FILES\QUICKTIME\QTTASK.exe" [2007-06-29 05:24]
"EzPrint"="C:\Program Files\Lexmark 2400 Series\ezprint.exe" [2006-02-07 05:10]
"LXCRCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 18:38]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-03 23:56]

R0 Klick;Klick;C:\WINDOWS\system32\drivers\klick.sys
R0 Klin;Klin;C:\WINDOWS\system32\drivers\klin.sys
R0 viamraid;viamraid;C:\WINDOWS\system32\DRIVERS\viamraid.sys
R1 Klmc;Klmc;C:\WINDOWS\system32\drivers\klmc.sys
R2 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe
R3 bkn50USB;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\rt2500usb.sys
S3 ids001b8;ids001b8;\??\C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\ids001b8.sys
S3 klstm;klstm;\??\C:\Documents and Settings\All Users\Application Data\Kaspersky Anti-Virus Personal\5.0\bases\klstm.sys
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys
S3 SIS163u;SiS163 USB Wireless LAN Adapter Driver;C:\WINDOWS\system32\DRIVERS\sis163u.sys

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 00:14:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-30 0:17:31 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-28 23:05
.
--- E O F ---

random/random
2007-11-30, 21:26
Download and scan with SUPERAntiSpyware (http://www.superantispyware.com/) Free for Home Users. Double-click SUPERAntiSpyware.exe and use the default settings for installation.
An icon will be created on your desktop. Double-click that icon to launch the program.
If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here (http://www.superantispyware.com/definitions.html).)
Under "Configuration and Preferences", click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen.
Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
On the left, make sure you check C:\Fixed Drive.
On the right, under "Complete Scan", choose Perform Complete Scan.
Click "Next" to start the scan. Please be patient while it scans your computer.
After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
Make sure everything has a checkmark next to it and click "Next".
A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
If asked if you want to reboot, click "Yes".
To retrieve the removal information after reboot, launch SUPERAntispyware again. Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply, along with a new HijackThis log & a description of any remaining problems. Click Close to exit the program.

Cabanaramma
2007-12-01, 04:11
Scan Log:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/01/2007 at 01:53 AM

Application Version : 3.9.1008

Core Rules Database Version : 3353
Trace Rules Database Version: 1352

Scan type : Complete Scan
Total Scan Time : 01:03:37

Memory items scanned : 404
Memory threats detected : 0
Registry items scanned : 4364
Registry threats detected : 0
File items scanned : 32193
File threats detected : 18

Adware.Tracking Cookie
C:\Documents and Settings\Home\Cookies\home@pcprivacytool[1].txt
C:\Documents and Settings\Home\Cookies\home@protect.spyguardpro[1].txt
C:\Documents and Settings\Home\Cookies\home@shop.pcprivacytool[1].txt
C:\Documents and Settings\Home\Cookies\home@privacy.pcprivacytool[1].txt
C:\Documents and Settings\Home\Cookies\home@2440[3].txt
C:\Documents and Settings\Home\Cookies\home@spyguardpro[2].txt
C:\Documents and Settings\Home\Cookies\home@2440[2].txt

Adware.Vundo-Variant
C:\PROGRAM FILES\ANTISPYWARE\ANALYSETRENDMICRO\BACKUPS\BACKUP-20071119-180519-694.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222523.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222531.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222539.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP66\A0224286.DLL

Adware.Vundo-Variant/Small-A
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222526.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222527.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222528.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222530.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222533.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B8EE8118-149E-4481-8096-6D6FBFCC0E33}\RP64\A0222535.DLL


HJT Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:08:22, on 01/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiSpyware\Adaware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Lexmark 2400 Series\lxcrmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Lexmark 2400 Series\ezprint.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\AntiSpyware\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AntiSpyware\Super\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AntiSpyware\AnalyseTrendMicro\AnalyseTrendMicro.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTISP~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [lxcrmon.exe] "C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\PROGRAM FILES\QUICKTIME\QTTASK.EXE" -atboottime
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 2400 Series\ezprint.exe"
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\AntiSpyware\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\AntiSpyware\Super\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://download.windowsupdate.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1195778825593
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\AntiSpyware\Super\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\AntiSpyware\Adaware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe


No remaining problems that I can see; pop-ups have disappeared again.
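
The log above is the clean state; in the infected state described in the first post, TeaTimer kept reporting BHOs and Winlogon Notifiers trying to install, which show up in a HijackThis log as O2 and O20 lines pointing at randomly named DLLs dropped straight into system32. The script below is an added example (not from this thread, its participants or the HijackThis tool) that applies that triage rule to HijackThis-format lines. The sample log is constructed: the clean "(no name)" BHO and Winlogon Notify lines mirror the SDHelper.dll and SASWINLO.dll entries in the log above, the mllmj.dll line is modelled on the file named in the first post, and the all-zero CLSID and the qwmnbvcx.dll entry are placeholders, not identifiers from this thread.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis 2.0 line format (see lead-in for which
# entries mirror the thread's clean log and which are placeholders).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\ANTISP~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - C:\WINDOWS\system32\mllmj.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\AntiSpyware\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\AntiSpyware\Super\SASWINLO.dll
O20 - Winlogon Notify: qwmnbvcx - C:\WINDOWS\system32\qwmnbvcx.dll
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""


@dataclass
class Finding:
    section: str
    path: str
    reason: str


# Vundo/Virtumonde droppers in this thread were bare 5-8 letter lowercase names
# sitting directly in system32, not in a vendor subfolder. This is a heuristic:
# a legitimate DLL with such a name would be a false positive, so the output is
# a triage list for a human to check, not a verdict.
RANDOM_DLL = re.compile(r"^[a-z]{5,8}\.dll$")
SYSTEM32_ROOT = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+)$", re.IGNORECASE)

# The module path is everything from the first drive-letter prefix to the end of
# the line. Splitting on " - " would break on paths like "Spybot - Search & Destroy".
MODULE_PATH = re.compile(r"[A-Za-z]:\\.*$")


def module_path(line: str) -> str:
    """Return the file path at the end of a HijackThis line, or '' if none."""
    m = MODULE_PATH.search(line)
    return m.group(0).strip() if m else ""


def looks_like_dropper(path: str) -> bool:
    """True for a random-looking DLL name placed directly in system32."""
    m = SYSTEM32_ROOT.match(path)
    return bool(m) and bool(RANDOM_DLL.match(m.group(1).lower()))


def triage(log_text: str) -> list:
    """Flag O2 (BHO) and O20 (Winlogon Notify) entries that load such a DLL."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        section = line.split(" - ", 1)[0]
        path = module_path(line)
        # "(no name)" alone is not enough: Spybot's SDHelper.dll also has no
        # name, but it lives under Program Files, so it is not flagged.
        if section == "O2" and "(no name)" in line and looks_like_dropper(path):
            findings.append(Finding("O2", path,
                            "unnamed BHO loading a random-named DLL from system32"))
        elif section == "O20" and looks_like_dropper(path):
            findings.append(Finding("O20", path,
                            "Winlogon Notify DLL with a random name in system32"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.path}  <- {f.reason}")
```

Run against the sample it reports only the mllmj.dll BHO and the qwmnbvcx.dll Winlogon notifier; the two legitimate "(no name)" and Winlogon Notify entries pass because their DLLs are in vendor folders. Winlogon Notify DLLs are loaded into winlogon.exe at logon, which is why the file in the first post kept reappearing after deletion.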

random/random
2007-12-01, 12:24
You now appear to be clean. Congratulations!

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints, Malware Complaints (http://www.malwarecomplaints.info/index.php). You need to be registered to post, as unfortunately we were hit with too many spam postings to allow guest posting to continue. Just find your country room and register your complaint.

Below are some steps to follow in order to dramatically lower the chances of reinfection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
Turn System Restore off
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK. Restart.
Turn System Restore on
On the Desktop, right click on the My Computer icon.
Click Properties.
Click the System Restore tab.
Uncheck *Turn off System Restore*.
Click Apply, and then click OK.
Note: only do this once, and not on a regular basis
Make sure that you keep your antivirus updated
New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
Make sure you install all the security updates for Windows, Internet explorer & Microsoft Office
Whenever a security problem in its software is found, Microsoft will usually create a patch for it so that, after the patch is installed, attackers can't use the vulnerability to install malicious software on your PC. Keeping up with these patches will help to prevent malicious software being installed on your PC.
Go here (http://www.update.microsoft.com/microsoftupdate/v6/muoptdefault.aspx) to check for & install updates to Microsoft applications
Note: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control that it wants to install.
Keep your non-Microsoft applications updated as well
Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Software Inspector (http://secunia.com/software_inspector). I suggest that you run it at least once a month.
Make Internet Explorer more secure
Click Start > Run
Type Inetcpl.cpl & click OK
Click on the Security tab
Click Reset all zones to default level
Make sure the Internet Zone is selected & Click Custom level
In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and "Initialize and script ActiveX controls not marked as safe" to "Disable".
Next Click OK, then Apply button and then OK to exit the Internet Properties page.
Install SpywareBlaster & make sure to update it regularly
SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster from here (http://www.javacoolsoftware.com/sbdownload.html)
Install and use Spybot Search & Destroy
Instructions are located here (http://www.bleepingcomputer.com/tutorials/tutorial43.html)
Make sure you update, reimmunize & scan regularly
Make use of the HOSTS file included with Spybot Search & Destroy
Every version of Windows includes a hosts file. A hosts file is a bit like a phone book: it maps the human-friendly name of a website to its actual numeric address (i.e. the IP address). This feature can be used to block malicious websites.
Spybot Search & Destroy has a good HOSTS file built in. To enable the HOSTS file in Spybot Search & Destroy:
Run Spybot Search & Destroy
Click on Mode, and then place a tick next to Advanced mode
Click Yes
In the left hand pane of Spybot Search & Destroy, click on Tools, and then on Hosts File
Click on Add Spybot-S&D hosts list
Note: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
Click Start > Run, type services.msc & click OK
In the list, find the service called DNS Client & double click on it. On the dropdown box, change the setting from automatic to manual. Click OK & then close the Services window.
For a more detailed explanation of the HOSTS file, click here (http://forum.malwareremoval.com/viewtopic.php?t=22187)
Install a-squared Free & update and scan with it regularly
a-squared free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here (http://www.emsisoft.com/en/software/free/)
Note: If you have a dialup internet connection, you may also like to install a-squared Anti-Dialer (http://www.emsisoft.com/en/software/antidialer/) which provides some real time protection against premium rate dialers
Finally, I am trying to make one point very clear: it is absolutely essential to keep all of your security programs up to date.
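
The HOSTS-file advice in the post above works because the resolver consults the hosts file before DNS, so a name pinned to a loopback or unspecified address (127.0.0.1 or 0.0.0.0) never reaches the real site. The script below is an added example, not part of this thread or of Spybot S&D, that parses a hosts list in the same layout (comment lines, tabs, several names per line, inline comments) and answers two practitioner questions: is a given name blocked, and does the file contain any entry that redirects rather than blocks, which is the shape a hijacked hosts file takes. The sample hosts list is constructed: the blocked names are derived from the rogue-antispyware cookie names in the SUPERAntiSpyware log earlier in this thread with an assumed .com suffix, and the 10.0.0.5 line is a made-up redirect.

```python
import ipaddress

# Constructed sample in the layout Spybot S&D's hosts list uses. The 10.0.0.5
# entry is deliberately NOT a block: it sends a real name to another address.
SAMPLE_HOSTS = """\
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1\tlocalhost
127.0.0.1\twww.pcprivacytool.com pcprivacytool.com   # rogue antispyware vendor
127.0.0.1\tspyguardpro.com protect.spyguardpro.com
0.0.0.0\tads.tracker.test
10.0.0.5\tupdate.microsoft.com   # constructed: a redirect, not a block
# End of entries inserted by Spybot - Search & Destroy
"""

# Addresses that make a name unreachable: loopback and the unspecified address.
SINKHOLES = {ipaddress.ip_address(a) for a in ("127.0.0.1", "0.0.0.0", "::1")}
# Names that are supposed to map to loopback and are therefore not "blocked".
LOOPBACK_NAMES = {"localhost", "localhost.localdomain"}


def parse_hosts(text: str) -> dict:
    """Map each hostname (lower-cased) to the address it resolves to.

    The first mapping for a name wins, as it does for the resolver, and
    malformed lines are skipped rather than raising."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline and whole-line comments
        if not line:
            continue
        fields = line.split()                 # any run of spaces/tabs separates fields
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                          # not an address: ignore the line
        for name in fields[1:]:
            table.setdefault(name.lower(), addr)
    return table


def is_blocked(table: dict, hostname: str) -> bool:
    """True when the name is pinned to a sinkhole address."""
    name = hostname.lower().rstrip(".")
    return name not in LOOPBACK_NAMES and table.get(name) in SINKHOLES


def redirections(table: dict) -> list:
    """Names pointed at a real address. A blocking list should produce none;
    any entry here is a redirect and deserves a look, since malware also edits
    the hosts file to steer update and security sites elsewhere."""
    return sorted((name, str(addr)) for name, addr in table.items()
                  if addr not in SINKHOLES and name not in LOOPBACK_NAMES)


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("www.pcprivacytool.com", "www.google.co.uk", "update.microsoft.com"):
        print(f"{name}: {'blocked' if is_blocked(hosts, name) else 'not blocked'}")
    print("redirects:", redirections(hosts))
```

On Windows XP the file lives at C:\WINDOWS\system32\drivers\etc\hosts; a large list is exactly what makes the DNS Client service slow, which is why the post above suggests setting that service to manual. The lookup here is case-insensitive and tolerates a trailing dot, as the real resolver does.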

Cabanaramma
2007-12-04, 18:21
Thank you so much for your help, can't tell you how much I appreciate it!

One last question, I ran the Eset Online Scan again, just to be sure, and this came up:
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2701 (20071204)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=61d481c885ca9d41bd835a2893012679
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2007-12-04 04:14:20
# local_time=2007-12-04 04:14:20 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=124664
# found=22
# scan_time=2597
C:\qoobox\Quarantine\C\VundoFix Backups\mllmj.dll.bad.vir Win32/Adware.Virtumonde application 0115EA648DD1EAC9EE1E7221D9F6A38F
C:\qoobox\Quarantine\C\VundoFix Backups\omhqanwm.dll.bad.vir Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\qoobox\Quarantine\C\VundoFix Backups\uxqpxzwe.dll.bad.vir Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\qoobox\Quarantine\C\VundoFix Backups\yqmcdgkx.dll.bad.vir Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\qoobox\Quarantine\C\WINDOWS\system32\akfjqglo.dll.vir.vir Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\qoobox\Quarantine\C\WINDOWS\system32\grsgayuw.dll.vir Win32/Adware.SecToolbar application EB231039C5027BE29FAAB15C80E25FB4
C:\qoobox\Quarantine\C\WINDOWS\system32\iamwuxck.dll.vir Win32/Adware.SecToolbar application EB231039C5027BE29FAAB15C80E25FB4
C:\qoobox\Quarantine\C\WINDOWS\system32\juylnkhk.dll.ren.vir Win32/Adware.Virtumonde application F813296BC2544BAA539683D509B7BFF3
C:\qoobox\Quarantine\C\WINDOWS\system32\klpslxwy.dll.vir Win32/BHO.G trojan 0A93E54EB34B5443D98B76EE8C26D7FF
C:\qoobox\Quarantine\C\WINDOWS\system32\kqahcerr.dll.vir Win32/Adware.Virtumonde application F813296BC2544BAA539683D509B7BFF3
C:\qoobox\Quarantine\C\WINDOWS\system32\krvblvqd.dll.vir Win32/BHO.G trojan 5CCFD60AE18A22A6D15197D519446123
C:\qoobox\Quarantine\C\WINDOWS\system32\lxuqonob.dll.ren.vir Win32/Adware.Virtumonde application F813296BC2544BAA539683D509B7BFF3
C:\qoobox\Quarantine\C\WINDOWS\system32\mxebflmn.dll.vir Win32/BHO.G trojan 0A93E54EB34B5443D98B76EE8C26D7FF
C:\qoobox\Quarantine\C\WINDOWS\system32\omhqanwm.dll.vir.vir Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829
C:\qoobox\Quarantine\C\WINDOWS\system32\omtyuewt.dll.vir Win32/Adware.Virtumonde application F813296BC2544BAA539683D509B7BFF3
C:\qoobox\Quarantine\C\WINDOWS\system32\rjtvddma.dll.ren.vir Win32/Adware.Virtumonde application F813296BC2544BAA539683D509B7BFF3
C:\qoobox\Quarantine\C\WINDOWS\system32\sinngdqn.dll.vir Win32/BHO.G trojan 5CCFD60AE18A22A6D15197D519446123
C:\qoobox\Quarantine\C\WINDOWS\system32\wasurmfl.dll.vir Win32/Adware.SecToolbar application EB231039C5027BE29FAAB15C80E25FB4
C:\qoobox\Quarantine\C\WINDOWS\system32\xajurjpa.dll.vir Win32/Adware.SecToolbar application EB231039C5027BE29FAAB15C80E25FB4
C:\qoobox\Quarantine\C\WINDOWS\system32\xhhfrlhf.dll.vir Win32/Adware.SecToolbar application EB231039C5027BE29FAAB15C80E25FB4
C:\qoobox\Quarantine\C\WINDOWS\system32\xhjuusfx.dll.vir Win32/Adware.SecToolbar application EB231039C5027BE29FAAB15C80E25FB4
C:\qoobox\Quarantine\C\WINDOWS\system32\zzpdkrxg.dll.vir.vir Win32/Adware.SecToolbar application FE971D3C328F96C17C1C618AF2212829

Those files are safe now, aren't they? Not a threat?

random/random
2007-12-04, 19:18
All the files it found were in C:\qoobox\. That's the quarantine folder for combofix, and so you can delete it.