Lots of Bugs



gooner
2008-04-15, 15:29
Please help, my PC is infected with lots of problems.
I have run Spybot but they keep coming back.
Thanking you in advance.

Please find attached the hjt log and the kaspersky report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:23:14, on 15/04/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\BT\ISecP\App\syssvcnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\BT\ISecP\app\Console.exe
C:\WINDOWS\system32\mcntklwd.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\BT\ISecP\App\popupbho01.dll
O2 - BHO: (no name) - {40659EC0-507E-7DAD-5713-5800B8C281BC} - C:\WINDOWS\System32\rxbws.dll (file missing)
O2 - BHO: (no name) - {4D63CDCD-5174-78A8-0413-5800B8C28BB7} - C:\WINDOWS\System32\sun.dll (file missing)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {8FD2108D-6D0A-4D19-BF5F-E93480873774} - C:\WINDOWS\System32\awvtr.dll (file missing)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - C:\WINDOWS\System32\cbxuttq.dll (file missing)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: {c368bf3d-36bf-84ab-a494-608bcf4417ff} - {ff7144fc-b806-494a-ba48-fb63d3fb863c} - C:\WINDOWS\System32\onwugvyd.dll (file missing)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: BT Internet Security Pack Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\BT\ISecP\App\popupbho01.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ESP] C:\Program Files\BT\ISecP\app\start.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mcntklwd.exe DWram
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BM97687271] Rundll32.exe "C:\WINDOWS\System32\bymglxns.dll",s
O4 - HKLM\..\Run: [945b41ed] rundll32.exe "C:\WINDOWS\System32\wvitisnv.dll",b
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
O4 - HKCU\..\Run: [Swso] "C:\PROGRA~1\COMMON~1\WNSXS~1\arpa.exe" -vt ndrv
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Jcwkaqb] C:\WINDOWS\s?mbols\d?xplore.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\mcntklwd.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\kjwnw64j.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www.btsecurity.bt.com/bt/bin/wizard.exe
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: BT Internet Security Pack System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\BT\ISecP\App\syssvcnt.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Kerr\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: Remote Registry RemoteRegistryWZCSVC (RemoteRegistryWZCSVC) - Unknown owner - C:\WINDOWS\System32\actxprxyc.exe
O23 - Service: Smart Card SCardSvrVSS (SCardSvrVSS) - Unknown owner - C:\WINDOWS\System32\advapi32k.exe

--
End of file - 8669 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 15, 2008 1:14:42 PM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/04/2008
Kaspersky Anti-Virus database records: 706125
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 25640
Number of viruses found: 16
Number of infected objects: 40
Number of suspicious objects: 18
Duration of the scan process: 01:06:26

Infected Object Name / Virus Name / Last Action
C:\94.tmp Infected: Trojan-PSW.Win32.Agent.afg skipped
C:\Documents and Settings\All Users\Application Data\Authentium\ESPC\prf\imdb.bin Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Authentium\ESPC\prf\{D2F5620D-8DB3-427d-9356-04AB08B907CB} Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Bluebeam Software\Brewery\V4\Printer Support\BBPDFPortMon.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader7.zip/stcloader.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader7.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip/bokja.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC22.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC33.zip/bokja.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC33.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant12.zip/180ax.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant12.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant16.zip/180ax.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant16.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant22.zip/saap.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant22.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant9.zip/sais.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant9.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango14.zip/zango.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango14.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango8.zip/zango.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Zango8.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Kerr\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\Temp\.tt3.tmp/stream/data0007 Infected: not-a-virus:FraudTool.Win32.WinFixer.c skipped
C:\Documents and Settings\Kerr\Local Settings\Temp\.tt3.tmp/stream Infected: not-a-virus:FraudTool.Win32.WinFixer.c skipped
C:\Documents and Settings\Kerr\Local Settings\Temp\.tt3.tmp NSIS: infected - 2 skipped
C:\Documents and Settings\Kerr\Local Settings\Temp\.tt4.tmp/stream/data0007 Infected: not-a-virus:FraudTool.Win32.WinFixer.c skipped
C:\Documents and Settings\Kerr\Local Settings\Temp\.tt4.tmp/stream Infected: not-a-virus:FraudTool.Win32.WinFixer.c skipped
C:\Documents and Settings\Kerr\Local Settings\Temp\.tt4.tmp NSIS: infected - 2 skipped
C:\Documents and Settings\Kerr\Local Settings\Temp\.tt9D.tmp/stream/data0007 Infected: not-a-virus:FraudTool.Win32.WinFixer.c skipped
C:\Documents and Settings\Kerr\Local Settings\Temp\.tt9D.tmp/stream Infected: not-a-virus:FraudTool.Win32.WinFixer.c skipped
C:\Documents and Settings\Kerr\Local Settings\Temp\.tt9D.tmp NSIS: infected - 2 skipped
C:\Documents and Settings\Kerr\Local Settings\Temp\IjlVlclY.exe Infected: not-virus:Hoax.Win32.Renos.bhz skipped
C:\Documents and Settings\Kerr\Local Settings\Temp\~DF40A0.tmp Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\Temp\~DF7A44.tmp Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\Temporary Internet Files\Content.IE5\8RA3AT6X\file2[1].exe Infected: Trojan-PSW.Win32.Agent.afg skipped
C:\Documents and Settings\Kerr\Local Settings\Temporary Internet Files\Content.IE5\8RA3AT6X\file4[1].exe Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\Temporary Internet Files\Content.IE5\8RA3AT6X\mail[1] Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\Temporary Internet Files\Content.IE5\L4QUDBRA\index[1].html Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\Temporary Internet Files\Content.IE5\MQ07NFPQ\file1[1].exe Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\Temporary Internet Files\Content.IE5\QPEHKPCH\img[1] Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\Temporary Internet Files\Content.IE5\QPEHKPCH\index[2].html Infected: Trojan-Downloader.JS.Psyme.adn skipped
C:\Documents and Settings\Kerr\ntuser.dat Object is locked skipped
C:\Documents and Settings\Kerr\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\gobackio.bin Object is locked skipped
C:\Program Files\Outerinfo\OiUninstaller.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.hh skipped
C:\Program Files\Outerinfo\OiUninstaller.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP209\A0016124.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP209\A0016126.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP209\A0016148.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP209\A0016150.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP209\A0016177.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP209\A0016179.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP209\A0016188.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP209\A0016190.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP209\A0016191.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP209\A0016192.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP209\A0016193.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP238\A0020828.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP239\A0021909.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP239\A0021910.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP239\A0021911.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP239\A0021913.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP239\A0021919.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP239\A0021920.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP239\A0021923.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.hh skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP239\A0021923.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP239\A0021926.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.at skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP239\A0025930.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP240\A0028986.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP240\A0028988.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP240\A0028989.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP240\A0028991.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP240\A0028992.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.at skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP240\A0028996.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP240\A0028997.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.at skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP240\A0029001.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP240\A0029005.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP240\A0030071.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.hh skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP240\A0030071.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP241\A0032106.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP241\A0033159.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP241\A0033174.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP242\A0034174.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP243\A0036211.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP243\A0036212.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP243\A0036214.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP243\A0036215.exe Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP243\A0036216.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP243\A0036217.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP243\A0036218.dll Infected: not-a-virus:AdWare.Win32.Rabio.h skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP243\A0036219.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP243\A0036219.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP243\A0037284.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP243\A0037285.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP243\A0037287.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP243\A0037289.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP243\A0037291.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP245\A0037374.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP247\A0038418.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0039455.dll Infected: Backdoor.Win32.Agent.frr skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041465.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041485.ocx Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041486.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041487.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041488.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041489.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041490.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041491.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041492.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041493.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041494.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041495.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041496.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041497.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041498.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP250\A0043494.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP250\A0043495.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP250\A0043498.exe Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP250\A0043499.dll Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\default.htm Infected: not-virus:Hoax.HTML.Secureinvites.b skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\system32\3465282683.dat Object is locked skipped
C:\WINDOWS\system32\5FaNbu.syz Infected: Rootkit.Win32.Agent.ahs skipped
C:\WINDOWS\system32\9k72rW.syz Infected: Rootkit.Win32.Agent.ahs skipped
C:\WINDOWS\system32\actxprxyc.exe Object is locked skipped
C:\WINDOWS\system32\buRiCu.syz Infected: Rootkit.Win32.Agent.ahs skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\DaQs2X.syz Infected: Rootkit.Win32.Agent.ahs skipped
C:\WINDOWS\system32\GBh2KF.syz Infected: Rootkit.Win32.Agent.ahs skipped
C:\WINDOWS\system32\mcntklwb.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.aj skipped
C:\WINDOWS\system32\mcntklwd.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.at skipped
C:\WINDOWS\system32\nMBlAh.syz Infected: Rootkit.Win32.Agent.ahs skipped
C:\WINDOWS\system32\sncmpJ.syz Infected: Rootkit.Win32.Agent.ahs skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

Scan process completed.

pskelley
2008-04-16, 15:07
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are badly infected and this is the reason why:
http://forums.spybot.info/showthread.php?t=425

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451
When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Genuine Windows
http://www.microsoft.com/genuine/

Update Your Windows XP.
You are currently using an unpatched version of Windows XP.
Before attempting to remove malware, it is CRITICAL that you update to Service Pack 1a.
Get SP1a here : http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
You should also get SP2, but NOT NOW, rather only after your machine is clean.
After updating your Windows to SP1a, post a new HijackThis log using the Post Reply button.

Thanks
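The indicators pskelley's assessment rests on (the extra UserInit executable, orphaned BHOs, rundll32 loaders and random-named binaries in System32, the ms-its: ActiveX download, services with an unknown owner) can be checked mechanically. The following is an added example, not code from the thread, from HijackThis or from Spybot: a small Python triage pass over HJT log lines, with sample lines taken from the first post's log; the KNOWN_SYSTEM32_AUTOSTARTS allowlist is an assumption and deliberately minimal.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example, not code from the forum thread or from HijackThis itself.
It flags the entry types the helper's assessment turns on: the F2 UserInit
hijack, orphaned O2 BHOs, O4 autostarts with generated names or unfamiliar
System32 binaries, O16 downloads over a non-HTTP scheme, and O23 services
with an unknown owner. KNOWN_SYSTEM32_AUTOSTARTS is an assumed minimal
allowlist; extend it for a real environment.
"""
import re

# HJT entries look like "<section> - <rest>"; process-list lines do not match
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<rest>.*)$")
# Run value names that look machine-generated: 8 hex digits, or a short
# letter prefix followed by a long digit run (e.g. [945b41ed], [BM97687271])
RANDOM_NAME_RE = re.compile(r"^\[(?:[0-9a-f]{8}|[A-Za-z]{1,4}\d{6,})\]")
SYSTEM32_EXE_RE = re.compile(r"\\system32\\([^\\\s\"]+\.exe)", re.I)
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe"}  # assumption: minimal allowlist


def check_line(line):
    """Return a list of (severity, reason) findings for one HJT log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []  # headers, process list and blank lines carry no entry
    sec, rest = m.group("sec"), m.group("rest")
    low = rest.lower()
    findings = []
    if sec == "F2" and "UserInit=" in rest:
        # Everything after userinit.exe in the UserInit value runs at logon
        exes = [p for p in rest.split("UserInit=", 1)[1].split(",") if p]
        extra = [p for p in exes if not p.lower().endswith("\\userinit.exe")]
        if extra:
            findings.append(("high", "extra UserInit executable: " + ", ".join(extra)))
    elif sec == "O2" and ("(no file)" in rest or "(file missing)" in rest):
        findings.append(("low", "orphaned BHO registration"))
    elif sec == "O4":
        target = rest.split(": ", 1)[-1]  # drop the "HKLM\..\Run:" prefix
        if RANDOM_NAME_RE.search(target):
            findings.append(("medium", "machine-generated Run value name"))
        if "rundll32" in low and ".dll" in low and "\\system32\\" in low:
            findings.append(("high", "rundll32 loading a DLL from System32"))
        if "?" in target:
            findings.append(("high", "wildcard character in autostart path"))
        exe = SYSTEM32_EXE_RE.search(target)
        if exe and exe.group(1).lower() not in KNOWN_SYSTEM32_AUTOSTARTS:
            findings.append(("medium", "autostart of unfamiliar System32 binary: " + exe.group(1)))
    elif sec == "O6":
        findings.append(("medium", "IE policy restrictions set in HKCU"))
    elif sec == "O16":
        url = rest.rsplit(" - ", 1)[-1]
        if not url.lower().startswith(("http://", "https://")):
            findings.append(("high", "ActiveX download from non-HTTP URL scheme: " + url.split(":", 1)[0]))
    elif sec == "O23" and "unknown owner" in low:
        if "\\system32\\" in low or "(file missing)" in low:
            findings.append(("high", "service with unknown owner in System32 or with missing file"))
    return findings


def triage(log_text):
    """Run check_line over a whole log; returns [(line, severity, reason)]."""
    results = []
    for line in log_text.splitlines():
        for severity, reason in check_line(line):
            results.append((line.strip(), severity, reason))
    return results


def summary(results):
    """Count findings per severity, e.g. {'high': 5, 'medium': 3, 'low': 1}."""
    counts = {}
    for _, severity, _ in results:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


# Constructed subset of the first post's HJT log, used as sample input
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40659EC0-507E-7DAD-5713-5800B8C281BC} - C:\WINDOWS\System32\rxbws.dll (file missing)
O4 - HKLM\..\Run: [945b41ed] rundll32.exe "C:\WINDOWS\System32\wvitisnv.dll",b
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
O4 - HKCU\..\Run: [Jcwkaqb] C:\WINDOWS\s?mbols\d?xplore.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O23 - Service: Remote Registry RemoteRegistryWZCSVC (RemoteRegistryWZCSVC) - Unknown owner - C:\WINDOWS\System32\actxprxyc.exe
"""

if __name__ == "__main__":
    for entry, severity, reason in triage(SAMPLE_LOG):
        print(f"[{severity}] {reason}\n    {entry}")
    print(summary(triage(SAMPLE_LOG)))
```

The heuristics are deliberately coarse: an orphaned BHO on its own is harmless, so it is scored low, while a second UserInit executable or a non-HTTP ActiveX download is scored high regardless of context.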

gooner
2008-04-17, 10:49
Hi PSKelly, thanks for your help. I have done what you asked and here is the HJT log as requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:47:23, on 17/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\BT\ISecP\App\syssvcnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\system32\mcntklwd.exe
C:\Program Files\BT\ISecP\app\Console.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15651c7c-e812-44a2-a9ac-b467a2233e7d} - (no file)
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\BT\ISecP\App\popupbho01.dll
O2 - BHO: (no name) - {40659EC0-507E-7DAD-5713-5800B8C281BC} - C:\WINDOWS\System32\rxbws.dll (file missing)
O2 - BHO: (no name) - {4D63CDCD-5174-78A8-0413-5800B8C28BB7} - C:\WINDOWS\System32\sun.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8FD2108D-6D0A-4D19-BF5F-E93480873774} - C:\WINDOWS\System32\awvtr.dll (file missing)
O2 - BHO: (no name) - {9c5b2f29-1f46-4639-a6b4-828942301d3e} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - C:\WINDOWS\System32\cbxuttq.dll (file missing)
O2 - BHO: {c368bf3d-36bf-84ab-a494-608bcf4417ff} - {ff7144fc-b806-494a-ba48-fb63d3fb863c} - C:\WINDOWS\System32\onwugvyd.dll (file missing)
O2 - BHO: (no name) - {ffff0001-0002-101a-a3c9-08002b2f49fb} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: BT Internet Security Pack Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\BT\ISecP\App\popupbho01.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ESP] C:\Program Files\BT\ISecP\app\start.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\mcntklwd.exe DWram
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BM97687271] Rundll32.exe "C:\WINDOWS\System32\bymglxns.dll",s
O4 - HKLM\..\Run: [945b41ed] rundll32.exe "C:\WINDOWS\System32\wvitisnv.dll",b
O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
O4 - HKCU\..\Run: [Swso] "C:\PROGRA~1\COMMON~1\WNSXS~1\arpa.exe" -vt ndrv
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Jcwkaqb] C:\WINDOWS\s?mbols\d?xplore.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Deewoo.lnk = C:\WINDOWS\system32\mcntklwd.exe
O4 - Startup: DW_Start.lnk = C:\WINDOWS\system32\kjwnw64j.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www.btsecurity.bt.com/bt/bin/wizard.exe
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208416003828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208415966734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: BT Internet Security Pack System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\BT\ISecP\App\syssvcnt.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Kerr\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: Remote Registry RemoteRegistryWZCSVC (RemoteRegistryWZCSVC) - Unknown owner - C:\WINDOWS\System32\actxprxyc.exe
O23 - Service: Smart Card SCardSvrVSS (SCardSvrVSS) - Unknown owner - C:\WINDOWS\System32\advapi32k.exe

--
End of file - 8314 bytes
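
As an added illustration, not a tool from this thread or from the helpers posting in it: a small Python triage script that applies the red-flag heuristics a helper uses when reading a HijackThis log by eye (BHOs whose DLL is gone, rundll32 autostarts loading DLLs from System32, folder names HijackThis prints with "?", services with no vendor running from System32 under Windows-sounding names, and extra programs on the UserInit line). The sample lines are copied from the logs posted above, mixed with legitimate neighbours; the rules are heuristics that point a human at lines to look at, not a verdict.

```python
"""Heuristic triage of HijackThis (HJT) log lines (added example, not HJT code)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HJT logs posted in this thread,
# including legitimate entries (Adobe, AVG) so the rules have both kinds to separate.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sbwltbxa.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40659EC0-507E-7DAD-5713-5800B8C281BC} - C:\WINDOWS\System32\rxbws.dll (file missing)
O2 - BHO: (no name) - {622cc208-b014-4fe0-801b-874a5e5e403a} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BM97687271] Rundll32.exe "C:\WINDOWS\System32\bymglxns.dll",s
O4 - HKLM\..\Run: [945b41ed] rundll32.exe "C:\WINDOWS\System32\wvitisnv.dll",b
O4 - HKCU\..\Run: [Jcwkaqb] C:\WINDOWS\s?mbols\d?xplore.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Remote Registry RemoteRegistryWZCSVC (RemoteRegistryWZCSVC) - Unknown owner - C:\WINDOWS\System32\actxprxyc.exe
O23 - Service: Smart Card SCardSvrVSS (SCardSvrVSS) - Unknown owner - C:\WINDOWS\System32\advapi32k.exe
"""

# One regex per HJT section we know how to read.
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
USERINIT_RE = re.compile(r"^REG:system\.ini: UserInit=(?P<value>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK\S*?)\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.*?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.*?) - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.I)
SYSTEM32_RE = re.compile(r"\\system32\\", re.I)


@dataclass(frozen=True)
class Finding:
    kind: str    # HJT section, e.g. "O4"
    reason: str  # why a helper would look twice at this line
    line: str    # the original log line


def _check_userinit(body):
    """F2: anything besides userinit.exe on the UserInit line runs at every logon."""
    m = USERINIT_RE.match(body)
    if not m:
        return None
    programs = [p.strip() for p in m.group("value").split(",") if p.strip()]
    extra = [p for p in programs if not p.lower().endswith(r"\userinit.exe")]
    return "UserInit runs more than userinit.exe at logon: " + ", ".join(extra) if extra else None


def _check_bho(body):
    """O2: a BHO whose DLL no longer exists is a leftover registration worth clearing."""
    m = BHO_RE.match(body)
    if not m:
        return None
    path = m.group("path")
    if path == "(no file)" or path.endswith("(file missing)"):
        return "BHO %s (%s) registered but its DLL is absent" % (m.group("clsid"), m.group("name"))
    return None


def _check_run(body):
    """O4: look-alike folder names and rundll32-loaded DLLs from System32."""
    m = RUN_RE.match(body)
    if not m:
        return None
    cmd = m.group("cmd")
    if "?" in cmd:
        # HJT prints characters it cannot display as '?', typically a
        # non-ASCII look-alike in the folder name (compare ComboFix's smbols~1).
        return "autostart path contains a character HijackThis shows as '?' (look-alike folder name)"
    r = RUNDLL_RE.search(cmd)
    if r and SYSTEM32_RE.search(r.group("dll")):
        return "autostart loads a DLL from System32 via rundll32: " + r.group("dll")
    return None


def _check_service(body):
    """O23: no vendor string plus a System32 binary under a Windows-sounding name."""
    m = SERVICE_RE.match(body)
    if not m:
        return None
    if m.group("owner") == "Unknown owner" and SYSTEM32_RE.search(m.group("path")):
        return "service with no vendor runs from System32 as '%s': %s" % (m.group("display"), m.group("path"))
    return None


CHECKS = {"F2": _check_userinit, "O2": _check_bho, "O4": _check_run, "O23": _check_service}


def triage(log_text):
    """Return the log lines a helper should look at, in log order, with a reason each."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        check = CHECKS.get(m.group("kind"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append(Finding(m.group("kind"), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f.kind, f.reason, f.line))
```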

pskelley
2008-04-18, 02:56
Thanks for returning your information. You have several nasty infections and this will probably take a while. I suggest you read the links I posted if there is information on this computer that needs to be secure. Please also stay offline except when troubleshooting; the junk will download more.
If you have any tools I use, delete them and download them new from the links I provide. It is very important that you read and follow the directions carefully; the tools will not work unless you do.

1) C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< delete the contents of the folder in red
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1

2) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

3) Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally post the contents of the Report.txt back on the forum with a new HijackThis log

(wait until you finish to post reports and logs)

4) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the log from SDFix, the combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

gooner
2008-04-18, 10:59
Hi PSKelly
Please find attached the three logs. I hope I have done them all OK. You guys do a great job.


SDFix: Version 1.171
Run by Kerr on 18/04/2008 at 08:23

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default Desktop Wallpaper

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\SYSTEM32\CTFMONB.BMP - Deleted
C:\92.TMP - Deleted
C:\96.TMP - Deleted
C:\97.TMP - Deleted
C:\99.TMP - Deleted
C:\9C.TMP - Deleted
C:\Program Files\Sysmnt\Ssmgr.exe - Deleted
C:\Program Files\stc\csv5p070.exe - Deleted
C:\Documents and Settings\Kerr\Start Menu\Programs\Startup\Deewoo.lnk - Deleted
C:\Documents and Settings\Kerr\Start Menu\Programs\Startup\DW_Start.lnk - Deleted
C:\WINDOWS\123messenger.per - Deleted
C:\WINDOWS\180ax.exe - Deleted
C:\WINDOWS\apphelp32.dll - Deleted
C:\WINDOWS\asferror32.dll - Deleted
C:\WINDOWS\asycfilt32.dll - Deleted
C:\WINDOWS\athprxy32.dll - Deleted
C:\WINDOWS\ati2dvaa32.dll - Deleted
C:\WINDOWS\ati2dvag32.dll - Deleted
C:\WINDOWS\audiosrv32.dll - Deleted
C:\WINDOWS\autodisc32.dll - Deleted
C:\WINDOWS\avifile32.dll - Deleted
C:\WINDOWS\avisynthex32.dll - Deleted
C:\WINDOWS\aviwrap32.dll - Deleted
C:\WINDOWS\bjam.dll - Deleted
C:\WINDOWS\bokja.exe - Deleted
C:\WINDOWS\browserad.dll - Deleted
C:\WINDOWS\cdsm32.dll - Deleted
C:\WINDOWS\changeurl_30.dll - Deleted
C:\WINDOWS\didduid.ini - Deleted
C:\WINDOWS\Installer\id53.exe - Deleted
C:\WINDOWS\licencia.txt - Deleted
C:\WINDOWS\msa64chk.dll - Deleted
C:\WINDOWS\msapasrc.dll - Deleted
C:\WINDOWS\mspphe.dll - Deleted
C:\WINDOWS\mssvr.exe - Deleted
C:\WINDOWS\ntnut.exe - Deleted
C:\WINDOWS\saiemod.dll - Deleted
C:\WINDOWS\shdocpe.dll - Deleted
C:\WINDOWS\shdocpl.dll - Deleted
C:\WINDOWS\swin32.dll - Deleted
C:\WINDOWS\system32\MSNSA32.dll - Deleted
C:\WINDOWS\system32\ntnut32.exe - Deleted
C:\WINDOWS\system32\pac.txt - Deleted
C:\WINDOWS\system32\shdocpe.dll - Deleted
C:\WINDOWS\system32\SIPSPI32.dll - Deleted
C:\WINDOWS\system32\WER8274.DLL - Deleted
C:\WINDOWS\system32\winfrun32.bin - Deleted
C:\WINDOWS\system32\winpfz37.sys - Deleted
C:\WINDOWS\system32\zxdnt3d.cfg - Deleted
C:\WINDOWS\telefonos.txt - Deleted
C:\WINDOWS\Temp\SALM.EXE - Deleted
C:\WINDOWS\textos.txt - Deleted
C:\WINDOWS\voiceip.dll - Deleted
C:\WINDOWS\winsb.dll - Deleted



Folder C:\Program Files\stc - Removed
Folder C:\Program Files\Sysmnt - Removed
Folder C:\Program Files\Common Files\WinSecureAv - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 08:27:21
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

Remaining Files :


File Backups: - C:\SDFix\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 14 Apr 2008 41,984 ..SHR --- "C:\WINDOWS\system32\actxprxyc.exe"
Mon 7 Apr 2008 41,984 ..SHR --- "C:\WINDOWS\system32\advapi32k.exe"
Fri 18 Apr 2008 217,360 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\9407ff8f78ca16e2ac85358356496f17\BIT2.tmp"
Fri 18 Apr 2008 1,667,488 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fec3752563e444ecc6182e8b7e8bd110\BIT3.tmp"

Finished!
ComboFix 08-04-16.5 - Kerr 2008-04-18 8:37:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.33 [GMT 1:00]
Running from: C:\Documents and Settings\Kerr\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Kerr\Application Data\MBOLS~1
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\wnsxs~1\W?nSxS\
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\RABCO
C:\Program Files\RABCO\ExecutionDll.dll
C:\Program Files\RABCO\RABCO.dll.intermediate.manifest
C:\Program Files\RABCO\RABCOse.exe
C:\Program Files\RABCO\RABCOse.info
C:\Program Files\RABCO\RABCOse.original
C:\Program Files\RABCO\un_RABCOSetup_16230.exe
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\RABCO\X_RABCOse.log
C:\Program Files\SmartVideoCodec
C:\Program Files\SmartVideoCodec\install.ico
C:\Program Files\SmartVideoCodec\Uninstall.exe
C:\WINDOWS\BM97687271.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\smbols~1
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\mcntklwd.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\rtvwa.ini
C:\WINDOWS\system32\rtvwa.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-18 08:34 . 2008-04-18 08:34 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-04-18 08:34 . 2008-04-18 08:34 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-18 08:21 . 2008-04-18 08:21 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-18 08:17 . 2008-04-18 08:17 <DIR> d-------- C:\SDFix
2008-04-18 03:00 . 2008-04-18 03:00 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-17 08:28 . 2008-04-17 08:28 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-17 08:28 . 2008-04-17 08:28 <DIR> d-------- C:\WINDOWS\ehome
2008-04-17 08:21 . 2002-08-29 11:41 3,494,303 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-04-17 08:20 . 2002-08-29 11:41 1,128,960 --a------ C:\WINDOWS\system32\mmcndmgr.dll
2008-04-17 08:19 . 2002-08-29 11:40 1,180,672 --a------ C:\WINDOWS\system32\d3d8.dll
2008-04-17 08:10 . 2004-07-01 23:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-04-17 08:10 . 2004-07-01 00:59 158,720 --------- C:\WINDOWS\system32\xpob2res.dll
2008-04-17 08:10 . 2004-07-01 23:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-04-17 08:10 . 2004-07-01 23:08 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-04-17 08:10 . 2004-07-01 23:08 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-04-17 08:10 . 2004-07-01 23:08 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-04-17 08:10 . 2004-07-01 23:08 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-04-17 08:08 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-17 08:08 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-17 08:07 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-04-17 08:07 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-04-17 08:07 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-04-17 08:07 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-04-17 08:07 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-17 08:07 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-04-17 08:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-17 08:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-17 08:07 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-15 13:22 . 2008-04-15 13:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 11:55 . 2008-04-15 11:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-15 11:55 . 2008-04-15 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-14 14:27 . 2008-04-14 14:26 41,984 -r-hs---- C:\WINDOWS\system32\actxprxyc.exe
2008-04-14 12:24 . 2008-04-14 12:24 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-14 12:20 . 2008-04-14 12:20 4,672 --a------ C:\WINDOWS\system32\sncmpJ.syz
2008-04-08 08:08 . 2008-04-08 08:08 4,672 --a------ C:\WINDOWS\system32\GBh2KF.syz
2008-04-07 13:40 . 2008-04-07 13:40 4,672 --a------ C:\WINDOWS\system32\DaQs2X.syz
2008-04-07 12:39 . 2008-04-07 12:39 4,672 --a------ C:\WINDOWS\system32\9k72rW.syz
2008-04-07 12:36 . 2008-04-07 12:36 4,672 --a------ C:\WINDOWS\system32\nMBlAh.syz
2008-04-07 12:26 . 2008-04-07 12:26 4,672 --a------ C:\WINDOWS\system32\buRiCu.syz
2008-04-07 12:23 . 2008-04-07 12:23 229 --a------ C:\Documents and Settings\Kerr\iexpIore.exe
2008-04-07 12:21 . 2008-04-14 12:20 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-04-07 12:21 . 2008-04-07 12:21 77,008 --a------ C:\94.tmp
2008-04-07 12:21 . 2008-04-07 12:21 41,984 -r-hs---- C:\WINDOWS\system32\advapi32k.exe
2008-04-07 12:21 . 2008-04-07 12:21 215 --a------ C:\90.tmp
2008-04-07 12:21 . 2008-04-15 11:33 32 --a-s---- C:\WINDOWS\system32\3465282683.dat
2008-04-07 12:20 . 2008-04-07 12:20 4,672 --a------ C:\WINDOWS\system32\5FaNbu.syz
2008-03-27 09:25 . 2008-03-27 09:26 1,674 --ahs---- C:\WINDOWS\system32\vnsitivw.ini
2008-03-26 09:06 . 2008-03-27 09:24 1,614 --ahs---- C:\WINDOWS\system32\plpnyijn.ini
2008-03-25 12:53 . 2008-03-25 12:53 <DIR> d-------- C:\Documents and Settings\Kerr\Application Data\Grisoft
2008-03-25 12:52 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-25 12:47 . 2008-03-25 12:47 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-25 12:47 . 2008-04-15 15:36 <DIR> d-------- C:\Documents and Settings\Kerr\Application Data\AVG7
2008-03-25 12:46 . 2008-03-25 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-25 12:46 . 2008-04-07 12:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-25 08:55 . 2008-03-26 09:06 1,314 --ahs---- C:\WINDOWS\system32\dxhpjkdv.ini
2008-03-22 10:05 . 2008-03-25 08:52 1,074 --ahs---- C:\WINDOWS\system32\woohsdxu.ini
2008-03-20 09:06 . 2008-03-22 10:02 954 --ahs---- C:\WINDOWS\system32\halldckq.ini
2008-03-19 11:35 . 2008-03-19 11:35 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-19 11:30 . 2008-03-19 11:31 <DIR> d-------- C:\Program Files\CleanUp!
2008-03-19 11:28 . 2008-04-07 14:57 <DIR> d-------- C:\VundoFix Backups
2008-03-19 09:20 . 2008-03-20 09:01 834 --ahs---- C:\WINDOWS\system32\nrwfldbe.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 15:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-19 10:56 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-14 09:58 --------- d-----w C:\Program Files\RegCure
2008-03-14 09:58 --------- d-----w C:\Program Files\RABCO(2)
2008-03-14 09:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-03 10:25 --------- d-----w C:\Program Files\SolidWorks
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40659EC0-507E-7DAD-5713-5800B8C281BC}]
C:\WINDOWS\System32\rxbws.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D63CDCD-5174-78A8-0413-5800B8C28BB7}]
C:\WINDOWS\System32\sun.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FD2108D-6D0A-4D19-BF5F-E93480873774}]
C:\WINDOWS\System32\awvtr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff7144fc-b806-494a-ba48-fb63d3fb863c}]
C:\WINDOWS\System32\onwugvyd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Swso"="C:\PROGRA~1\COMMON~1\WNSXS~1\arpa.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 10:01 68856]
"Jcwkaqb"="C:\WINDOWS\s?mbols\d?xplore.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 11:41 1511453]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ESP"="C:\Program Files\BT\ISecP\app\start.exe" [2006-12-11 09:31 62952]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 08:14 188416]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 11:42 579584]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"BM97687271"="C:\WINDOWS\System32\bymglxns.dll" [ ]
"945b41ed"="C:\WINDOWS\System32\wvitisnv.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 11:41 13312]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-25 12:49 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Norton GoBack.lnk - C:\Program Files\Norton GoBack\GBTray.exe [2004-08-13 12:26:46 803976]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^Kerr^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Kerr\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kerr^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Kerr\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kerr^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\Kerr\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kerr^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\Kerr\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-10-23 20:51 233472 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-06-25 12:24 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2002-08-29 11:41 1511453 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-25 15:37 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-25 10:01 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R0 GRFILTER;Authentium NDIS Driver;C:\WINDOWS\System32\drivers\GRFILTER.sys [2006-05-31 11:51]
R2 GRTdiMon;Authentium TDI Mon;C:\WINDOWS\System32\Drivers\GRTdiMon.sys [2006-09-12 14:43]
S2 RemoteRegistryWZCSVC;Remote Registry RemoteRegistryWZCSVC;C:\WINDOWS\System32\actxprxyc.exe [2008-04-14 14:26]
S2 SCardSvrVSS;Smart Card SCardSvrVSS;C:\WINDOWS\System32\advapi32k.exe [2008-04-07 12:21]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 08:43:30
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\tsd32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\BT\ISecP\App\syssvcnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\BT\ISecP\App\console.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\WINDOWS\system32\wpabaln.exe
.
**************************************************************************
.
Completion time: 2008-04-18 8:52:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-18 07:51:38

Pre-Run: 99,976,994,816 bytes free
Post-Run: 99,896,905,728 bytes free
.
2008-04-18 02:00:57 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:55:52, on 18/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\BT\ISecP\App\syssvcnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\BT\ISecP\app\Console.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\WINDOWS\System32\wpabaln.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\BT\ISecP\App\popupbho01.dll
O2 - BHO: (no name) - {40659EC0-507E-7DAD-5713-5800B8C281BC} - C:\WINDOWS\System32\rxbws.dll (file missing)
O2 - BHO: (no name) - {4D63CDCD-5174-78A8-0413-5800B8C28BB7} - C:\WINDOWS\System32\sun.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8FD2108D-6D0A-4D19-BF5F-E93480873774} - C:\WINDOWS\System32\awvtr.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: {c368bf3d-36bf-84ab-a494-608bcf4417ff} - {ff7144fc-b806-494a-ba48-fb63d3fb863c} - C:\WINDOWS\System32\onwugvyd.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: BT Internet Security Pack Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\BT\ISecP\App\popupbho01.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ESP] C:\Program Files\BT\ISecP\app\start.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [BM97687271] Rundll32.exe "C:\WINDOWS\System32\bymglxns.dll",s
O4 - HKLM\..\Run: [945b41ed] rundll32.exe "C:\WINDOWS\System32\wvitisnv.dll",b
O4 - HKCU\..\Run: [Swso] "C:\PROGRA~1\COMMON~1\WNSXS~1\arpa.exe" -vt ndrv
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Jcwkaqb] C:\WINDOWS\s?mbols\d?xplore.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www.btsecurity.bt.com/bt/bin/wizard.exe
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208416003828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208415966734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: BT Internet Security Pack System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\BT\ISecP\App\syssvcnt.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Kerr\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: Remote Registry RemoteRegistryWZCSVC (RemoteRegistryWZCSVC) - Unknown owner - C:\WINDOWS\System32\actxprxyc.exe
O23 - Service: Smart Card SCardSvrVSS (SCardSvrVSS) - Unknown owner - C:\WINDOWS\System32\advapi32k.exe

--
End of file - 7799 bytes

pskelley
2008-04-19, 12:29
Thanks for returning your information and sorry about the last response. I did not get my notification when you posted as I should have.

Before we start, I am not familiar with this program:
http://www.btbroadbandoffice.com/internetapplications/security
It appears it offers an antivirus program and a firewall. You must be sure you are running only one antivirus program and one firewall, see this:
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

I also see Authentium\AntiVirus\ and C:\PROGRA~1\Grisoft\AVG7\. Before you post again, uninstall all but one.

I do not recognize this item, do you know what it is?
O23 - Service: Remote Registry RemoteRegistryWZCSVC (RemoteRegistryWZCSVC) - Unknown owner - C:\WINDOWS\System32\actxprxyc.exe
If you do not, use this free scanner http://virusscan.jotti.org/
to scan that file in red and post the results.

Do the same for this one if you don't know it:
O23 - Service: Smart Card SCardSvrVSS (SCardSvrVSS) - Unknown owner - C:\WINDOWS\System32\advapi32k.exe


1) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Open notepad and copy/paste the text in the codebox below into it:


File::
C:\WINDOWS\System32\bymglxns.dll
C:\WINDOWS\System32\wvitisnv.dll
C:\WINDOWS\system32\vnsitivw.ini
C:\WINDOWS\system32\plpnyijn.ini
C:\WINDOWS\system32\dxhpjkdv.ini
C:\WINDOWS\system32\woohsdxu.ini
C:\WINDOWS\system32\halldckq.ini
C:\WINDOWS\system32\nrwfldbe.ini

Folder::
C:\SDFix
C:\VundoFix Backups

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {40659EC0-507E-7DAD-5713-5800B8C281BC} - C:\WINDOWS\System32\rxbws.dll (file missing)
O2 - BHO: (no name) - {4D63CDCD-5174-78A8-0413-5800B8C28BB7} - C:\WINDOWS\System32\sun.dll (file missing)
O2 - BHO: (no name) - {8FD2108D-6D0A-4D19-BF5F-E93480873774} - C:\WINDOWS\System32\awvtr.dll (file missing)
O2 - BHO: {c368bf3d-36bf-84ab-a494-608bcf4417ff} - {ff7144fc-b806-494a-ba48-fb63d3fb863c} - C:\WINDOWS\System32\onwugvyd.dll (file missing)
O4 - HKLM\..\Run: [BM97687271] Rundll32.exe "C:\WINDOWS\System32\bymglxns.dll",s
O4 - HKLM\..\Run: [945b41ed] rundll32.exe "C:\WINDOWS\System32\wvitisnv.dll",b
O4 - HKCU\..\Run: [Swso] "C:\PROGRA~1\COMMON~1\WNSXS~1\arpa.exe" -vt ndrv
O4 - HKCU\..\Run: [Jcwkaqb] C:\WINDOWS\s?mbols\d?xplore.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxanet.net/code/chm/xpre.chm::/xpreload.ocx

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Right click Start > Explore and navigate to these files/folders and delete them if there.

(? marks are wild cards hackers use to confuse us, you should be able to tell which folder it is)

C:\PROGRAM FILES~1\COMMON FILES~1\WNSXS~1\ <<< delete that folder and contents

C:\WINDOWS\s?mbols\ <<< delete that folder and contents

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the combofix log, a new HJT log and tell me how the computer is running.

Thanks

gooner
2008-04-21, 12:18
Hi PSKelly
The program that you are not familiar with is the British Telecom Internet Security pack, which has its own anti-virus & anti-spyware in it. Here are the logs you requested; the computer seems to be running a little better, not so slow.

gooner
2008-04-21, 12:19
ComboFix 08-04-16.5 - Kerr 2008-04-18 8:37:43.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.33 [GMT 1:00]
Running from: C:\Documents and Settings\Kerr\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Kerr\Application Data\MBOLS~1
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\wnsxs~1\W?nSxS\
C:\Program Files\outerinfo
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\RABCO
C:\Program Files\RABCO\ExecutionDll.dll
C:\Program Files\RABCO\RABCO.dll.intermediate.manifest
C:\Program Files\RABCO\RABCOse.exe
C:\Program Files\RABCO\RABCOse.info
C:\Program Files\RABCO\RABCOse.original
C:\Program Files\RABCO\un_RABCOSetup_16230.exe
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\RABCO\X_RABCOse.log
C:\Program Files\SmartVideoCodec
C:\Program Files\SmartVideoCodec\install.ico
C:\Program Files\SmartVideoCodec\Uninstall.exe
C:\WINDOWS\BM97687271.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\smbols~1
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\mcntklwd.exe
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\rtvwa.ini
C:\WINDOWS\system32\rtvwa.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-18 to 2008-04-18 )))))))))))))))))))))))))))))))
.

2008-04-18 08:34 . 2008-04-18 08:34 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-04-18 08:34 . 2008-04-18 08:34 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-04-18 08:21 . 2008-04-18 08:21 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-18 08:17 . 2008-04-18 08:17 <DIR> d-------- C:\SDFix
2008-04-18 03:00 . 2008-04-18 03:00 <DIR> d-------- C:\WINDOWS\system32\bits
2008-04-17 08:28 . 2008-04-17 08:28 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-04-17 08:28 . 2008-04-17 08:28 <DIR> d-------- C:\WINDOWS\ehome
2008-04-17 08:21 . 2002-08-29 11:41 3,494,303 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-04-17 08:20 . 2002-08-29 11:41 1,128,960 --a------ C:\WINDOWS\system32\mmcndmgr.dll
2008-04-17 08:19 . 2002-08-29 11:40 1,180,672 --a------ C:\WINDOWS\system32\d3d8.dll
2008-04-17 08:10 . 2004-07-01 23:08 331,776 --a------ C:\WINDOWS\system32\winhttp.dll
2008-04-17 08:10 . 2004-07-01 00:59 158,720 --------- C:\WINDOWS\system32\xpob2res.dll
2008-04-17 08:10 . 2004-07-01 23:08 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-04-17 08:10 . 2004-07-01 23:08 7,680 -----c--- C:\WINDOWS\system32\dllcache\bitsprx2.dll
2008-04-17 08:10 . 2004-07-01 23:08 7,680 --------- C:\WINDOWS\system32\bitsprx2.dll
2008-04-17 08:10 . 2004-07-01 23:08 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx3.dll
2008-04-17 08:10 . 2004-07-01 23:08 7,168 --------- C:\WINDOWS\system32\bitsprx3.dll
2008-04-17 08:08 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-17 08:08 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-17 08:07 . 2007-07-30 19:19 549,720 --a------ C:\WINDOWS\system32\wuapi.dll
2008-04-17 08:07 . 2007-07-30 19:19 325,976 --a------ C:\WINDOWS\system32\wucltui.dll
2008-04-17 08:07 . 2007-07-30 19:19 216,408 --a------ C:\WINDOWS\system32\wuaucpl.cpl
2008-04-17 08:07 . 2007-07-30 19:19 43,352 --a------ C:\WINDOWS\system32\wups2.dll
2008-04-17 08:07 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2008-04-17 08:07 . 2007-07-30 19:18 33,624 --a------ C:\WINDOWS\system32\wups.dll
2008-04-17 08:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2008-04-17 08:07 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2008-04-17 08:07 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2008-04-15 13:22 . 2008-04-15 13:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 11:55 . 2008-04-15 11:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-04-15 11:55 . 2008-04-15 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-14 14:27 . 2008-04-14 14:26 41,984 -r-hs---- C:\WINDOWS\system32\actxprxyc.exe
2008-04-14 12:24 . 2008-04-14 12:24 <DIR> d--h----- C:\WINDOWS\PIF
2008-04-14 12:20 . 2008-04-14 12:20 4,672 --a------ C:\WINDOWS\system32\sncmpJ.syz
2008-04-08 08:08 . 2008-04-08 08:08 4,672 --a------ C:\WINDOWS\system32\GBh2KF.syz
2008-04-07 13:40 . 2008-04-07 13:40 4,672 --a------ C:\WINDOWS\system32\DaQs2X.syz
2008-04-07 12:39 . 2008-04-07 12:39 4,672 --a------ C:\WINDOWS\system32\9k72rW.syz
2008-04-07 12:36 . 2008-04-07 12:36 4,672 --a------ C:\WINDOWS\system32\nMBlAh.syz
2008-04-07 12:26 . 2008-04-07 12:26 4,672 --a------ C:\WINDOWS\system32\buRiCu.syz
2008-04-07 12:23 . 2008-04-07 12:23 229 --a------ C:\Documents and Settings\Kerr\iexpIore.exe
2008-04-07 12:21 . 2008-04-14 12:20 160,256 --a------ C:\WINDOWS\system32\blackster.scr
2008-04-07 12:21 . 2008-04-07 12:21 77,008 --a------ C:\94.tmp
2008-04-07 12:21 . 2008-04-07 12:21 41,984 -r-hs---- C:\WINDOWS\system32\advapi32k.exe
2008-04-07 12:21 . 2008-04-07 12:21 215 --a------ C:\90.tmp
2008-04-07 12:21 . 2008-04-15 11:33 32 --a-s---- C:\WINDOWS\system32\3465282683.dat
2008-04-07 12:20 . 2008-04-07 12:20 4,672 --a------ C:\WINDOWS\system32\5FaNbu.syz
2008-03-27 09:25 . 2008-03-27 09:26 1,674 --ahs---- C:\WINDOWS\system32\vnsitivw.ini
2008-03-26 09:06 . 2008-03-27 09:24 1,614 --ahs---- C:\WINDOWS\system32\plpnyijn.ini
2008-03-25 12:53 . 2008-03-25 12:53 <DIR> d-------- C:\Documents and Settings\Kerr\Application Data\Grisoft
2008-03-25 12:52 . 2007-05-30 13:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-03-25 12:47 . 2008-03-25 12:47 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2008-03-25 12:47 . 2008-04-15 15:36 <DIR> d-------- C:\Documents and Settings\Kerr\Application Data\AVG7
2008-03-25 12:46 . 2008-03-25 12:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-25 12:46 . 2008-04-07 12:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2008-03-25 08:55 . 2008-03-26 09:06 1,314 --ahs---- C:\WINDOWS\system32\dxhpjkdv.ini
2008-03-22 10:05 . 2008-03-25 08:52 1,074 --ahs---- C:\WINDOWS\system32\woohsdxu.ini
2008-03-20 09:06 . 2008-03-22 10:02 954 --ahs---- C:\WINDOWS\system32\halldckq.ini
2008-03-19 11:35 . 2008-03-19 11:35 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-19 11:30 . 2008-03-19 11:31 <DIR> d-------- C:\Program Files\CleanUp!
2008-03-19 11:28 . 2008-04-07 14:57 <DIR> d-------- C:\VundoFix Backups
2008-03-19 09:20 . 2008-03-20 09:01 834 --ahs---- C:\WINDOWS\system32\nrwfldbe.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-26 15:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-19 10:56 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-14 09:58 --------- d-----w C:\Program Files\RegCure
2008-03-14 09:58 --------- d-----w C:\Program Files\RABCO(2)
2008-03-14 09:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-03 10:25 --------- d-----w C:\Program Files\SolidWorks
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40659EC0-507E-7DAD-5713-5800B8C281BC}]
C:\WINDOWS\System32\rxbws.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4D63CDCD-5174-78A8-0413-5800B8C28BB7}]
C:\WINDOWS\System32\sun.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8FD2108D-6D0A-4D19-BF5F-E93480873774}]
C:\WINDOWS\System32\awvtr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ff7144fc-b806-494a-ba48-fb63d3fb863c}]
C:\WINDOWS\System32\onwugvyd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Swso"="C:\PROGRA~1\COMMON~1\WNSXS~1\arpa.exe" [ ]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 10:01 68856]
"Jcwkaqb"="C:\WINDOWS\s?mbols\d?xplore.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 11:41 1511453]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ESP"="C:\Program Files\BT\ISecP\app\start.exe" [2006-12-11 09:31 62952]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe" [2006-01-13 08:14 188416]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-04-15 11:42 579584]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25 6731312]
"BM97687271"="C:\WINDOWS\System32\bymglxns.dll" [ ]
"945b41ed"="C:\WINDOWS\System32\wvitisnv.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-08-29 11:41 13312]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-03-25 12:49 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Norton GoBack.lnk - C:\Program Files\Norton GoBack\GBTray.exe [2004-08-13 12:26:46 803976]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 0 (0x0)

[HKLM\~\startupfolder\C:^Documents and Settings^Kerr^Start Menu^Programs^Startup^Deewoo.lnk]
path=C:\Documents and Settings\Kerr\Start Menu\Programs\Startup\Deewoo.lnk
backup=C:\WINDOWS\pss\Deewoo.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kerr^Start Menu^Programs^Startup^DW_Start.lnk]
path=C:\Documents and Settings\Kerr\Start Menu\Programs\Startup\DW_Start.lnk
backup=C:\WINDOWS\pss\DW_Start.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kerr^Start Menu^Programs^Startup^Microsoft Find Fast.lnk]
path=C:\Documents and Settings\Kerr\Start Menu\Programs\Startup\Microsoft Find Fast.lnk
backup=C:\WINDOWS\pss\Microsoft Find Fast.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kerr^Start Menu^Programs^Startup^Office Startup.lnk]
path=C:\Documents and Settings\Kerr\Start Menu\Programs\Startup\Office Startup.lnk
backup=C:\WINDOWS\pss\Office Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2003-10-23 20:51 233472 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2003-06-25 12:24 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2002-08-29 11:41 1511453 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-04-25 15:37 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2007-07-25 10:01 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

R0 GRFILTER;Authentium NDIS Driver;C:\WINDOWS\System32\drivers\GRFILTER.sys [2006-05-31 11:51]
R2 GRTdiMon;Authentium TDI Mon;C:\WINDOWS\System32\Drivers\GRTdiMon.sys [2006-09-12 14:43]
S2 RemoteRegistryWZCSVC;Remote Registry RemoteRegistryWZCSVC;C:\WINDOWS\System32\actxprxyc.exe [2008-04-14 14:26]
S2 SCardSvrVSS;Smart Card SCardSvrVSS;C:\WINDOWS\System32\advapi32k.exe [2008-04-07 12:21]

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-18 08:43:30
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\System32\tsd32.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\BT\ISecP\App\syssvcnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\BT\ISecP\App\console.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\WINDOWS\system32\wpabaln.exe
.
**************************************************************************
.
Completion time: 2008-04-18 8:52:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-18 07:51:38

Pre-Run: 99,976,994,816 bytes free
Post-Run: 99,896,905,728 bytes free
.
2008-04-18 02:00:57 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:09:59, on 21/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
c:\Program Files\BT\ISecP\App\syssvcnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\Program Files\BT\ISecP\app\Console.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wpabaln.exe
c:\Program Files\BT\ISecP\App\splash.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\BT\ISecP\App\popupbho01.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: BT Internet Security Pack Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\BT\ISecP\App\popupbho01.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ESP] C:\Program Files\BT\ISecP\app\start.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www.btsecurity.bt.com/bt/bin/wizard.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208416003828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208415966734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: BT Internet Security Pack System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\BT\ISecP\App\syssvcnt.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server Avg7Alrtuploadmgr (Avg7Alrtuploadmgr) - Unknown owner - C:\WINDOWS\System32\1025k.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Kerr\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: Remote Registry RemoteRegistryWZCSVC (RemoteRegistryWZCSVC) - Unknown owner - C:\WINDOWS\System32\actxprxyc.exe
O23 - Service: Smart Card SCardSvrVSS (SCardSvrVSS) - Unknown owner - C:\WINDOWS\System32\advapi32k.exe

--
End of file - 6247 bytes

File: advapi32k.exe
Status: INFECTED/MALWARE
MD5: b54e513f42a0f92cf1ef1870177c3ec4
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 21 Apr 2008 08:40:19 (GMT)
A-Squared Found nothing
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found Backdoor.Win32.Bifrose.afc
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Sus/UnkPacker (probable variant)
VirusBuster Found nothing
VBA32 Found nothing

File: actxprxyc.exe
Status: INFECTED/MALWARE
MD5: 4650b0c24e16257d0ef8cdf6d41deef9
Packers detected: -
Bit9 reports: File not found

Scanner results
Scan taken on 21 Apr 2008 08:36:54 (GMT)
A-Squared Found nothing
AntiVir Found TR/Crypt.XPACK.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/Generic-A
VirusBuster Found nothing
VBA32 Found nothing

pskelley
2008-04-21, 15:33
Thanks for returning your information and the feedback, looks like we have two more nasties to remove. Neither Service shows as valid either when I check them here: http://www.castlecops.com/O23.html

1) Make sure files and folders are still visible.

2) Disable the Service
Click Start > Run and type services.msc
Scroll down to Remote Registry RemoteRegistryWZCSVC and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

Do the same with: Smart Card SCardSvrVSS

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O23 - Service: Remote Registry RemoteRegistryWZCSVC (RemoteRegistryWZCSVC) - Unknown owner - C:\WINDOWS\System32\actxprxyc.exe
O23 - Service: Smart Card SCardSvrVSS (SCardSvrVSS) - Unknown owner - C:\WINDOWS\System32\advapi32k.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\System32\actxprxyc.exe <<< delete that file

C:\WINDOWS\System32\advapi32k.exe <<< delete that file

Restart and post a new HJT log and tell me how the computer is running.

Thanks
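
As an added illustration (not the helper's tool and not anything posted in this thread): a small Python checker that applies, mechanically, the same tells pskelley is reading by eye in these HijackThis O4/O23 lines: a service whose short name is a legitimate Windows service name with extra characters glued on, an "Unknown owner" service whose binary sits in System32 under a name one edit away from a real system file, rundll32 loading a random-named DLL, and paths containing characters HJT renders as "?". The sample lines are copied from the logs above; the lists of legitimate service names and system file stems are deliberately short assumptions, so treat the output as a triage hint, not a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: O4/O23 lines taken from the HijackThis logs in this thread,
# with two known-good entries (avgcc.exe, Avg7UpdSvc) included for contrast.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BM97687271] Rundll32.exe "C:\WINDOWS\System32\bymglxns.dll",s
O4 - HKLM\..\Run: [945b41ed] rundll32.exe "C:\WINDOWS\System32\wvitisnv.dll",b
O4 - HKCU\..\Run: [Jcwkaqb] C:\WINDOWS\s?mbols\d?xplore.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Remote Registry RemoteRegistryWZCSVC (RemoteRegistryWZCSVC) - Unknown owner - C:\WINDOWS\System32\actxprxyc.exe
O23 - Service: Smart Card SCardSvrVSS (SCardSvrVSS) - Unknown owner - C:\WINDOWS\System32\advapi32k.exe
O23 - Service: AVG7 Alert Manager Server Avg7Alrtuploadmgr (Avg7Alrtuploadmgr) - Unknown owner - C:\WINDOWS\System32\1025k.exe
""".strip().splitlines()

# Assumed short reference lists (real XP service names / system file stems that
# appear in this thread); a real checker would carry a much longer table.
LEGIT_SERVICES = {"RemoteRegistry", "WZCSVC", "SCardSvr", "VSS", "Avg7Alrt"}
SYSTEM_FILE_STEMS = {"advapi32", "actxprxy", "svchost", "lsass", "winlogon"}

SYSTEM32 = re.compile(r"^c:\\windows\\system32\\[^\\]+$", re.I)
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 loading a System32 DLL whose stem is eight plain letters (heuristic)
RANDOM_DLL = re.compile(r'rundll32(?:\.exe)?\s+"?c:\\windows\\system32\\([a-z]{8})\.dll"?', re.I)


def levenshtein(a, b):
    """Plain edit distance; used to spot 'advapi32k' sitting next to 'advapi32'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_o23(line):
    """Split 'O23 - Service: Display (Short) - Owner - Path' from the right."""
    rest, owner, path = line[len("O23 - Service: "):].rsplit(" - ", 2)
    m = re.match(r"^(.*?)(?: \(([^()]+)\))?$", rest)
    return {"display": m.group(1), "short": m.group(2) or m.group(1),
            "owner": owner, "path": path}


def check_service(svc):
    reasons = []
    short = svc["short"]
    if short not in LEGIT_SERVICES:
        padded = sorted(s for s in LEGIT_SERVICES if s in short)
        if padded:
            reasons.append(f"service name {short!r} is a legitimate name "
                           f"({', '.join(padded)}) with extra characters")
    if svc["owner"] == "Unknown owner" and SYSTEM32.match(svc["path"]):
        reasons.append("no vendor/owner recorded, yet the binary lives in System32")
    stem = PureWindowsPath(svc["path"]).stem.lower()
    near = [s for s in sorted(SYSTEM_FILE_STEMS) if s != stem and levenshtein(s, stem) == 1]
    if near:
        reasons.append(f"binary name {stem!r} is one edit away from system file {near[0]!r}")
    return reasons


def check_run(entry):
    reasons = []
    if "?" in entry["cmd"]:
        reasons.append("path contains '?' (a character HJT could not render; "
                       "look-alike folder name)")
    m = RANDOM_DLL.search(entry["cmd"])
    if m:
        reasons.append(f"rundll32 loads a System32 DLL with random-looking name {m.group(1)!r}")
    if re.fullmatch(r"[0-9a-f]{8}|[A-Z]{2}\d{8}", entry["name"]):
        reasons.append(f"Run value name {entry['name']!r} looks machine-generated")
    return reasons


def analyse(lines):
    """Return [(line, [reason, ...])] for every O4/O23 line that trips a heuristic."""
    findings = []
    for line in lines:
        line = line.strip()
        if line.startswith("O23 - Service: "):
            reasons = check_service(parse_o23(line))
        else:
            m = O4_RE.match(line)
            reasons = check_run(m.groupdict()) if m else []
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for flagged, why in analyse(SAMPLE_LOG):
        print(flagged)
        for r in why:
            print("   ->", r)
```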

gooner
2008-04-21, 16:07
Hi PSKelly
I disabled the two services as you said, but when I ran HJT the O23 services did not show in the log file. I then deleted the two files that you noted. Here is a new HJT log as requested; the computer seems to be running better, at least we don't have the beetles crawling across the screen anymore :) Thanks for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:02:06, on 21/04/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton GoBack\GBTray.exe
C:\Program Files\BT\ISecP\app\Console.exe
c:\Program Files\BT\ISecP\App\syssvcnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton GoBack\GBPoll.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wpabaln.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AuthPopupBHO01.cBHO - {3C7195F6-D788-4D50-BA72-2EE212EDAC78} - C:\Program Files\BT\ISecP\App\popupbho01.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: BT Internet Security Pack Popup Blocker - {2C0A5F28-48D8-408B-9172-9C6121025BCE} - C:\Program Files\BT\ISecP\App\popupbho01.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ESP] C:\Program Files\BT\ISecP\app\start.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Norton GoBack.lnk = C:\Program Files\Norton GoBack\GBTray.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1B4F9DD7-2D7C-44B5-9126-73206DA0AE75} (CNavigationManager Object) - http://www.btsecurity.bt.com/bt/bin/wizard.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1208416003828
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1208415966734
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/cabs/flash/swflash.cab
O23 - Service: BT Internet Security Pack System Service (AuthSysSvc) - Authentium, Inc. - c:\Program Files\BT\ISecP\App\syssvcnt.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server Avg7Alrtuploadmgr (Avg7Alrtuploadmgr) - Unknown owner - C:\WINDOWS\System32\1025k.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton GoBack\GBPoll.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Kerr\LOCALS~1\Temp\hpdj.exe (file missing)

--
End of file - 5972 bytes

pskelley
2008-04-21, 16:54
Thanks for returning your HJT log; it looks good. I'll have a suggestion that might help your computer run better before we finish, but first we have this bridge to cross.

1) Remove SDFix from your computer; it does not update, so do not keep it.

2) I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand the Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\CF-RC.txt.

Since we do not need to scan with combofix, click NO

http://img.photobucket.com/albums/v666/sUBs/RC_whatnext.gif

http://img.photobucket.com/albums/v666/sUBs/RC_AllDone.gif

Thanks

gooner
2008-04-22, 11:15
Hi PSKelly
Thanks for all your help, glad to hear the bugs have gone. I have deleted sdfix.exe from the desktop and I have installed RC. Glad to hear that you may have something to make the computer run better; is there more cleaning up to do?
Here is the RC log:

winxpsp1_en_pro_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

pskelley
2008-04-22, 13:33
Thanks for the feedback, so I don't forget...as soon as you are clean, you need to get to Windows Updates and install all critical updates for your system (SP#2). I strongly suggest you update your browser to IE7 also. Once again, please DO NOT do this until we are sure you are clean.

Remove combofix and the C:\Qoobox\Quarantine\ folder from your computer and run a new Kaspersky Online Scan using these settings.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

gooner
2008-04-22, 16:10
Hi PSKelly
I'm really sorry, but Windows Update said updates were ready to install this morning so I installed them, one of which was SP2. SORRY :sad: Here is the scan log you requested.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 22, 2008 2:06:06 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/04/2008
Kaspersky Anti-Virus database records: 645024
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 67445
Number of viruses found: 9
Number of infected objects: 48
Number of suspicious objects: 1
Duration of the scan process: 01:50:20

Infected Object Name / Virus Name / Last Action
C:\94.tmp Infected: Trojan-PSW.Win32.Agent.afg skipped
C:\Documents and Settings\All Users\Application Data\Authentium\ESPC\prf\imdb.bin Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Authentium\ESPC\prf\{D2F5620D-8DB3-427d-9356-04AB08B907CB} Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Bluebeam Software\Brewery\V4\Printer Support\BBPDFPortMon.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Kerr\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\History\History.IE5\MSHist012008042220080423\index.dat Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\Temp\~DF45A7.tmp Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\Temp\~DFCB47.tmp Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kerr\Local Settings\Temporary Internet Files\Content.IE5\MQ07NFPQ\file1[1].exe Object is locked skipped
C:\Documents and Settings\Kerr\ntuser.dat Object is locked skipped
C:\Documents and Settings\Kerr\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\gobackio.bin Object is locked skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080421-095851-849 Suspicious: Exploit.HTML.Mht skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP209\A0016126.exe Infected: Trojan-Downloader.Win32.Zlob.gzc skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP209\A0016150.exe Infected: Trojan-Downloader.Win32.Zlob.gzc skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP209\A0016179.exe Infected: Trojan-Downloader.Win32.Zlob.gzc skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP209\A0016188.dll Object is locked skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP209\A0016192.exe Infected: Trojan-Downloader.Win32.Zlob.hdq skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP238\A0020828.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP239\A0021909.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP239\A0021910.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP239\A0021911.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP239\A0021913.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP239\A0021919.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP239\A0021920.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP239\A0025930.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP240\A0028988.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP240\A0028989.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP240\A0028991.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP240\A0029001.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP240\A0029005.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP241\A0032106.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP241\A0033159.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP241\A0033174.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP242\A0034174.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP243\A0037284.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP243\A0037285.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP243\A0037291.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP245\A0037374.exe Infected: Trojan-Downloader.Win32.Delf.fjs skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP247\A0038418.exe Infected: Trojan-Downloader.Win32.Delf.ezu skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041465.exe Infected: Trojan-Downloader.Win32.Delf.fjs skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041486.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041487.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041488.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041489.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041490.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041491.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041492.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041493.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041494.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041496.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP250\A0043494.exe Infected: Trojan.Win32.Agent.fbo skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP250\A0043495.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP250\A0043499.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP370\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{2C7451EB-B429-48A0-BC4B-8D854F5749D1}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\1025k.exe Object is locked skipped
C:\WINDOWS\system32\5FaNbu.syz Infected: Rootkit.Win32.Agent.ahs skipped
C:\WINDOWS\system32\769520041.dat Object is locked skipped
C:\WINDOWS\system32\9k72rW.syz Infected: Rootkit.Win32.Agent.ahs skipped
C:\WINDOWS\system32\buRiCu.syz Infected: Rootkit.Win32.Agent.ahs skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\DaQs2X.syz Infected: Rootkit.Win32.Agent.ahs skipped
C:\WINDOWS\system32\GBh2KF.syz Infected: Rootkit.Win32.Agent.ahs skipped
C:\WINDOWS\system32\nMBlAh.syz Infected: Rootkit.Win32.Agent.ahs skipped
C:\WINDOWS\system32\sncmpJ.syz Infected: Rootkit.Win32.Agent.ahs skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley
2008-04-22, 16:21
Let's hope it does not cause you problems; Microsoft specifies that SP#2 should only be installed on a clean computer.

Here is what we have to do yet.

1) Delete all files in red
C:\94.tmp
C:\WINDOWS\system32\5FaNbu.syz
C:\WINDOWS\system32\9k72rW.syz
C:\WINDOWS\system32\buRiCu.syz
C:\WINDOWS\system32\DaQs2X.syz
C:\WINDOWS\system32\GBh2KF.syz
C:\WINDOWS\system32\nMBlAh.syz
C:\WINDOWS\system32\sncmpJ.syz

2) Follow the instructions to delete this item in red
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080421-095851-849
http://www.bleepingcomputer.com/tutorials/tutorial42.html#HTRestore

3) Empty the Recycle Bin on the Desktop

4) Restart the computer

5) Follow these directions to clean infected System Restore files:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore.
Click Apply, and then click OK.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
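
The cleanup steps above sort the Kaspersky findings into three groups: live files to delete by hand, restore-point copies under System Volume Information that are cleared by turning System Restore off and back on, and the HijackThis backup that is removed through HJT itself, while "Object is locked" lines are files the scanner could not open, not detections. As an added example (not code from the thread, from pskelley, or from Kaspersky), this Python script parses the report layout shown above and performs that triage on a constructed excerpt whose paths are copied from the posted report.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt in the layout of the Kaspersky Online Scanner 5.x report
# posted above ("<path> <status> <action>"); the paths are taken from that report.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\94.tmp Infected: Trojan-PSW.Win32.Agent.afg skipped
C:\Documents and Settings\Kerr\ntuser.dat Object is locked skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080421-095851-849 Suspicious: Exploit.HTML.Mht skipped
C:\System Volume Information\_restore{7487559D-6B8D-43D3-BF31-93E843FD5092}\RP249\A0041486.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINDOWS\system32\5FaNbu.syz Infected: Rootkit.Win32.Agent.ahs skipped
C:\WINDOWS\system32\1025k.exe Object is locked skipped

Scan process completed.
"""

# One result line: the path may contain spaces, so it is matched non-greedily
# and the status/action tail is anchored at the end of the line.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:(?P<verdict>Infected|Suspicious): (?P<name>\S+)|Object is locked) skipped$"
)


@dataclass
class Finding:
    path: str
    verdict: Optional[str]  # "Infected", "Suspicious", or None for a locked object
    name: Optional[str]     # detection name; None for a locked object


def parse_report(text: str) -> list[Finding]:
    """Return one Finding per result line; header, blank and footer lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            findings.append(Finding(m["path"], m["verdict"], m["name"]))
    return findings


def triage(findings: list[Finding]) -> dict[str, list[str]]:
    """Sort detections into the buckets the cleanup steps treat differently."""
    buckets: dict[str, list[str]] = {"delete": [], "system_restore": [], "hjt_backup": []}
    for f in findings:
        if f.verdict is None:
            continue  # locked object: the scanner could not open it, so it is not a detection
        p = f.path.lower()
        if "\\system volume information\\_restore" in p:
            # Restore-point copy: removed by turning System Restore off and back on
            buckets["system_restore"].append(f.path)
        elif "\\hijackthis\\backups\\" in p:
            # HJT backup of a removed entry: delete it from HJT's own backup list
            buckets["hjt_backup"].append(f.path)
        else:
            # Live file on disk: delete it directly, then empty the Recycle Bin
            buckets["delete"].append(f.path)
    return buckets


if __name__ == "__main__":
    for bucket, paths in triage(parse_report(SAMPLE_REPORT)).items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
```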

gooner
2008-04-23, 10:34
Hi PSKelly
I have done the last set of instructions; does that mean my computer is clean now? I have been looking at the links you sent me, very interesting. Thanks :)

pskelley
2008-04-23, 12:36
Unless you have malware issues to report, you are good to go. Safe surfing:bigthumb: