
Thread: Infected PC won't even boot

    #1 - Junior Member (Join Date: Jan 2009, Posts: 19)

    Infected PC won't even boot

    Hi,
    I'm posting on behalf of a friend whose PC has become infected to the extent that he can no longer log in - once he clicks on his login on the welcome screen, the PC just hangs.

    I booted into safe mode with networking and ran HJT (log below).

    Any help with disinfecting the system would be very much appreciated.

    Thanks
    Simon


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 23:07:52, on 10/03/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Safe mode with network support

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Simon Anti-malware\HiJackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=2057
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: (no name) - {3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - (no file)
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {77AB5974-55A3-4737-9FD5-B93C64307F78} - C:\WINDOWS\system32\yyihtmhx.dll
    O2 - BHO: (no name) - {8A488754-CD06-44B9-84E6-092AC9AD02EC} - C:\WINDOWS\system32\fcccyVlJ.dll (file missing)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: (no name) - {D2E3CF9F-9F8B-407A-BD09-46E9722D1707} - (no file)
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Jjatagesagu] rundll32.exe "C:\WINDOWS\Lgoxiw.dll",e
    O4 - HKLM\..\Run: [Xjevo] rundll32.exe "C:\WINDOWS\ucopemiyuvacas.dll",e
    O4 - HKLM\..\Run: [9831bb0a] rundll32.exe "C:\WINDOWS\system32\lcvewrsc.dll",b
    O4 - HKLM\..\Run: [SDActiveMonitor] C:\Program Files\SpywareDetector\SDActiveMonitor.exe -AUTO
    O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\msrstart.exe
    O4 - HKLM\..\RunOnce: [ScanNClnPostRbt] C:\NSS\Nss.exe /OnReboot
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\WINDOWS\system32\inf\rundll33.exe C:\WINDOWS\xccdf16_090305a.dll xccd16
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
    O4 - Global Startup: FreeventsSchedule.lnk = C:\Freevents\FreeventsSchedule.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
    O15 - Trusted Zone: *.antimalwareguard.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Symantec Eraser Service (EraserSvc10910) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe (file missing)
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SDMainSvc - Max Secure Software - C:\Program Files\SpywareDetector\SDMainService.exe
    O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    --
    End of file - 13665 bytes
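    The HijackThis log above is read by eye in this thread; as an added example (my own code, not part of the thread and not Trend Micro's HijackThis), the Python below runs a first triage pass over HJT-style lines so a reviewer can see at a glance which O2/O4/O15 entries deserve attention. The sample input is a constructed subset of lines copied from the log in post #1; the heuristics (unnamed or orphaned BHOs, rundll32 loading a DLL dropped straight into the Windows directory, autoruns under Policies\Explorer\Run, anything in the IE Trusted Zone) are my own choices and are deliberately narrow.

```python
"""Triage helper for HijackThis-style log lines.

Added example: the parsing and the heuristics are mine, not HijackThis
output logic.  Every hit is a lead for a human reviewer, not a verdict.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of O2/O4/O15 lines taken from the log in post #1.
SAMPLE_LOG = r"""O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {77AB5974-55A3-4737-9FD5-B93C64307F78} - C:\WINDOWS\system32\yyihtmhx.dll
O2 - BHO: (no name) - {8A488754-CD06-44B9-84E6-092AC9AD02EC} - C:\WINDOWS\system32\fcccyVlJ.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Jjatagesagu] rundll32.exe "C:\WINDOWS\Lgoxiw.dll",e
O4 - HKLM\..\Run: [Explorer] C:\WINDOWS\system32\msrstart.exe
O4 - HKLM\..\Policies\Explorer\Run: [xccinit] C:\WINDOWS\system32\inf\rundll33.exe C:\WINDOWS\xccdf16_090305a.dll xccd16
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.antimalwareguard.com
"""


@dataclass
class Finding:
    section: str        # HJT section code, e.g. "O4"
    reasons: list       # why the line was flagged (one or more heuristics)
    line: str           # the original log line


# "O4 - <body>" : section code, then the section-specific body.
HEADER_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O2 body: "BHO: <name> - {CLSID} - <target path or (no file)>"
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
# O4 body: "<registry key>: [<value name>] <command line>"
O4_RE = re.compile(r"^(?P<key>.*?): \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# rundll32 invocation: optional quotes around the DLL path, then ",<export>"
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)', re.I)
# A file sitting directly in the Windows directory (no subfolder).
WINDOWS_ROOT_RE = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+$", re.I)


def triage(log_text: str) -> list:
    """Return one Finding per log line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons = []

        if section == "O2":
            o2 = O2_RE.match(body)
            if o2:
                if o2.group("name") == "(no name)":
                    reasons.append("BHO registered without a display name")
                target = o2.group("target")
                if "(file missing)" in target or target == "(no file)":
                    reasons.append("BHO CLSID points at a file that no longer exists")

        elif section == "O4":
            o4 = O4_RE.match(body)
            if o4:
                if "policies\\explorer\\run" in o4.group("key").lower():
                    reasons.append("autorun via Policies\\Explorer\\Run, rarely used by legitimate software")
                rd = RUNDLL_RE.search(o4.group("cmd"))
                if rd and WINDOWS_ROOT_RE.match(rd.group("dll")):
                    reasons.append("rundll32 loading a DLL placed directly in the Windows directory")

        elif section == "O15":
            # Trusted Zone entries relax IE's zone restrictions for the listed site.
            reasons.append("site added to the IE Trusted Zone")

        if reasons:
            findings.append(Finding(section, reasons, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

    Note what this pass does not catch: the `[Explorer] C:\WINDOWS\system32\msrstart.exe` entry passes every heuristic because nothing about its shape is unusual; only knowledge that no such Windows binary exists, or a hash check of the file, separates it from ctfmon.exe. Scripted triage narrows the list; it does not replace the reviewer.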

    #2 - Blade81, Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 25,288)

    Hi


    Please visit this webpage for download links, and instructions for running ComboFix tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

    Once installed, you should see a blue screen prompt that says:

    The Recovery Console was successfully installed.

    Please continue as follows:

    1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link
      Remember to re-enable them afterwards.

    2. Click Yes to allow ComboFix to continue scanning for malware.


    When the tool is finished, it will produce a report for you.

    Please include the following reports for further review, and so we may continue cleansing the system:

    C:\ComboFix.txt
    New HijackThis log.


    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.

    #3 - Junior Member (Join Date: Jan 2009, Posts: 19)

    ComboFix ran ok

    Hi Blade81,

    Thanks for your response. I ran ComboFix from safe mode and the PC will now boot cleanly into normal mode. It reported Norton 360 running at the time though - I was unable to disable it because there was no system tray icon in safe mode and when I opened it through the start menu I got a window saying that it did not run in safe mode and thus there were no controls available to switch it off. The ComboFix run didn't appear to report any errors due to this so I hope it ran successfully.

    The ComboFix log file was 718KB so I have removed a large chunk of similar entries from the text below (they are all deleted files from various folders under C:\Documents and Settings\<username>\Application Data\SpamBlockerUtility). I've also replaced the actual usernames in these paths with <USER1> and <USER2> as this is a public forum and I am posting on behalf of my friends who own the machine. If you want the full unedited file then let me know and I'll PM or e-mail it to you.

    I ran HJT immediately after ComboFix and attach the log file below. As soon as ComboFix had done its job, the PC suddenly realised it was about a year out of date (and a whole service pack!) with regards to MS patches and started installing them. It is now up to SP3 and so I ran a final HJT afterwards and the log for this is in the following post (due to size restrictions).

    Please let me know if there appears to be anything else wrong with the machine. There are only two things that currently concern me:

    1. Something called Max Secure Spyware Detector is still installed and shows a splash screen when a user logs in and a system tray popup prompting the user to purchase a full version for real-time monitoring. I thought this was malware initially but googling it looks like it might be real (free) anti-spyware. Are you able to confirm this? Do you recommend leaving it in place or uninstalling it?

    2. The Norton 360 icon is not showing in the system tray and I am unable to get a window for it up using any of the Start menu entries. Security Centre does report that the 360 firewall is running though so something might be preventing it from displaying the window. I'm not sure if the SP3 upgrade had anything to do with this or not. Perhaps it just needs re-installing?

    Thanks again for all your help. I know I need to check for the latest versions of Flash, Acrobat Reader, Java etc and ensure that Windows Update runs automatically and I will do all those once we are happy the machine is no longer infected.

    Cheers
    Simon


    Edited ComboFix log:
    ***************************************************

    ComboFix 09-03-18.01 - <USER1> 2009-03-19 19:59:03.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.228 [GMT 0:00]
    Running from: c:\documents and settings\<USER1>\Desktop\ComboFxx.exe
    AV: Norton 360 *On-access scanning enabled* (Updated)
    FW: Norton 360 *enabled*
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\<USER2>\Application Data\SpamBlocker
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\eskin\empty_bg_st.htm
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\eskin\FileManager.txt
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1159100558.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1160169674.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1160936845.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1161981290.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1163534820.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1164150835.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1165532625.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1168193611.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1174346232.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1178994973.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\v3.0\HostOI\static\1\030104_emte10_prv.gif
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\v3.0\HostOI\static\1\030104_emte11_prv.gif
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\v3.0\HostOI\static\1\030104_emte12_prv.gif
    .
    .
    . Lots and lots of these removed
    .
    .
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\t2_bg.xip
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\top7.xip
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\tsd_bg.xip
    c:\documents and settings\<USER1>\Application Data\SpamBlocker
    c:\documents and settings\<USER1>\Application Data\SpamBlockerUtility
    c:\documents and settings\<USER1>\Application Data\SpamBlockerUtility\eskin\empty_bg_st.htm
    c:\documents and settings\<USER1>\Application Data\SpamBlockerUtility\eskin\FileManager.txt
    c:\documents and settings\<USER1>\Application Data\SpamBlockerUtility\SpamBlockerUtility.log
    c:\documents and settings\<USER1>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1164308358.log
    c:\documents and settings\<USER1>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1164643400.log.
    .
    .
    . Lots of these removed too
    .
    .
    c:\documents and settings\<USER1>\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\t2_bg.xip
    c:\documents and settings\<USER1>\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\top7.xip
    c:\documents and settings\<USER1>\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\tsd_bg.xip
    c:\program files\Common Files\{9831B~1
    c:\program files\Common Files\{9831B~2
    c:\program files\newdotnet
    c:\program files\newdotnet\uninstall.exe
    c:\windows\b.exe
    c:\windows\BM9b028896.txt
    c:\windows\BM9b028896.xml
    c:\windows\cookies.ini
    c:\windows\IE4 Error Log.txt
    c:\windows\Install.txt
    c:\windows\Lgoxiw.dll
    c:\windows\system\xccef090305.exe
    c:\windows\system32\998.exe
    c:\windows\system32\afisicx.exe
    c:\windows\system32\ahtn.htm
    c:\windows\system32\aityroll.ini
    c:\windows\system32\alnoyrjx.ini
    c:\windows\system32\atrxpgqt.ini
    c:\windows\system32\ayJQBKkj.ini
    c:\windows\system32\ayJQBKkj.ini2
    c:\windows\system32\bayaKnmp.ini
    c:\windows\system32\bayaKnmp.ini2
    c:\windows\system32\bercscgq.ini
    c:\windows\system32\bfoogcna.ini
    c:\windows\system32\bhpxucyy.ini
    c:\windows\system32\bhvvhfao.ini
    c:\windows\system32\bszip.dll
    c:\windows\system32\bund1
    c:\windows\system32\bund1\temp.txt
    c:\windows\system32\bwcjiehv.ini
    c:\windows\system32\bxtcaajy.ini
    c:\windows\system32\cdjwmtde.ini
    c:\windows\system32\cdLSvvut.ini
    c:\windows\system32\cdLSvvut.ini2
    c:\windows\system32\chert5-998.exe
    c:\windows\system32\ciekyphx.ini
    c:\windows\system32\cisscsjh.ini
    c:\windows\system32\cjcmueon.ini
    c:\windows\system32\CJijlnnn.ini
    c:\windows\system32\CJijlnnn.ini2
    c:\windows\system32\cnhppvya.ini
    c:\windows\system32\comsa32.sys
    c:\windows\system32\csrwevcl.ini
    c:\windows\system32\daqvcrsn.ini
    c:\windows\system32\DgfffMoq.ini
    c:\windows\system32\DgfffMoq.ini2
    c:\windows\system32\dkbhcmxe.ini
    c:\windows\system32\drivers\core.cache.dsk
    c:\windows\system32\drivers\seneka.sys
    c:\windows\system32\drivers\senekafdomlquq.sys
    c:\windows\system32\edaodcdw.ini
    c:\windows\system32\eshxcvnv.ini
    c:\windows\system32\evcjnvxx.ini
    c:\windows\system32\fcccyVlJ.dll.vir
    c:\windows\system32\flsycqwx.ini
    c:\windows\system32\fqepnqev.ini
    c:\windows\system32\fsdswwox.ini
    c:\windows\system32\ggQrCKkj.ini
    c:\windows\system32\ggQrCKkj.ini2
    c:\windows\system32\gmsiyrhb.ini
    c:\windows\system32\GPWvyccf.ini
    c:\windows\system32\GPWvyccf.ini2
    c:\windows\system32\gQssvGgh.ini
    c:\windows\system32\gQssvGgh.ini2
    c:\windows\system32\hgcheck.exe
    c:\windows\system32\hklVDJjl.ini
    c:\windows\system32\hklVDJjl.ini2
    c:\windows\system32\hlesyrxi.ini
    c:\windows\system32\hNXGPXyb.ini
    c:\windows\system32\hNXGPXyb.ini2
    c:\windows\system32\hpwonjyc.ini
    c:\windows\system32\hxhyjecx.ini
    c:\windows\system32\hyknjsou.ini
    c:\windows\system32\ibayrtlg.ini
    c:\windows\system32\inf\rundll33.exe
    c:\windows\system32\inf\xccdfb16_090305.dll
    c:\windows\system32\inf\xccefb090305.scr
    c:\windows\system32\init32.exe
    c:\windows\system32\Install.txt
    c:\windows\system32\ipfsalwj.ini
    c:\windows\system32\ivsnyhoy.ini
    c:\windows\system32\ivwrkvex.ini
    c:\windows\system32\jacqohaw.ini
    c:\windows\system32\JlVycccf.ini
    c:\windows\system32\JlVycccf.ini2
    c:\windows\system32\jogqlioy.ini
    c:\windows\system32\jqjgkqny.ini
    c:\windows\system32\juwrjcnf.ini
    c:\windows\system32\kktejunk.ini
    c:\windows\system32\kRttAcdd.ini
    c:\windows\system32\kRttAcdd.ini2
    c:\windows\system32\ktynqbdi.ini
    c:\windows\system32\lceullmt.ini
    c:\windows\system32\llmgwxvs.ini
    c:\windows\system32\llpmhnjs.ini
    c:\windows\system32\LVFedfhk.ini
    c:\windows\system32\LVFedfhk.ini2
    c:\windows\system32\mabidwe.exe
    c:\windows\system32\mamhthli.ini
    c:\windows\system32\mcrh.tmp
    c:\windows\system32\micro1
    c:\windows\system32\mlltwali.ini
    c:\windows\system32\mojwrtmc.ini
    c:\windows\system32\mwwdxniw.ini
    c:\windows\system32\naqjywbj.ini
    c:\windows\system32\nbniwlkp.ini
    c:\windows\system32\nhiwfrtj.ini
    c:\windows\system32\njtjpxuc.ini
    c:\windows\system32\nmrnowsm.ini
    c:\windows\system32\nnnxydlr.ini
    c:\windows\system32\nswmacxl.ini
    c:\windows\system32\ntdll64.exe
    c:\windows\system32\nxqvmnvf.ini
    c:\windows\system32\omarqngt.ini
    c:\windows\system32\oprYFfii.ini
    c:\windows\system32\oprYFfii.ini2
    c:\windows\system32\OqqXIkkj.ini
    c:\windows\system32\OqqXIkkj.ini2
    c:\windows\system32\petvxyyu.ini
    c:\windows\system32\phnsvpjh.ini
    c:\windows\system32\phsjuxfg.ini
    c:\windows\system32\pofqomil.ini
    c:\windows\system32\prhxavrp.ini
    c:\windows\system32\qAIPAJjl.ini
    c:\windows\system32\qAIPAJjl.ini2
    c:\windows\system32\qdshgmbk.ini
    c:\windows\system32\qttvDfhk.ini
    c:\windows\system32\qttvDfhk.ini2
    c:\windows\system32\relkauer.ini
    c:\windows\system32\rinppyti.ini
    c:\windows\system32\ryshycrp.ini
    c:\windows\system32\sckgoxap.ini
    c:\windows\system32\scmjcqtd.ini
    c:\windows\system32\senekadf.dat
    c:\windows\system32\senekagomylyab.dll
    c:\windows\system32\senekalog.dat
    c:\windows\system32\senekarnlnfutd.dll
    c:\windows\system32\senekawqjesiym.dat
    c:\windows\system32\senekaxfuwprmj.dll
    c:\windows\system32\sficnrmc.ini
    c:\windows\system32\sguoqhuc.ini
    c:\windows\system32\sguoqhuc.ini2
    c:\windows\system32\sguoqhuc.tmp
    c:\windows\system32\smyrymwj.ini
    c:\windows\system32\sopidkc.exe
    c:\windows\system32\sovyrgif.ini
    c:\windows\system32\suBLoUvw.ini
    c:\windows\system32\suBLoUvw.ini2
    c:\windows\system32\suluqicf.ini
    c:\windows\system32\suwwyGgh.ini
    c:\windows\system32\suwwyGgh.ini2
    c:\windows\system32\svyGQXyb.ini
    c:\windows\system32\svyGQXyb.ini2
    c:\windows\system32\sYFLknmp.ini
    c:\windows\system32\sYFLknmp.ini2
    c:\windows\system32\tAyccccf.ini
    c:\windows\system32\tAyccccf.ini2
    c:\windows\system32\TAyIlnpo.ini
    c:\windows\system32\TAyIlnpo.ini2
    c:\windows\system32\tbbkfpue.ini
    c:\windows\system32\tkrayagj.ini
    c:\windows\system32\tkseqnte.ini
    c:\windows\system32\tmpxccacj2.exe
    c:\windows\system32\tofsehbk.ini
    c:\windows\system32\tpszxyd.sys
    c:\windows\system32\txiexbdh.ini
    c:\windows\system32\uBJjPqru.ini
    c:\windows\system32\uBJjPqru.ini2
    c:\windows\system32\ubwvlxnx.ini
    c:\windows\system32\uniq.tll
    c:\windows\system32\usliwlvn.ini
    c:\windows\system32\uvoxbvhq.ini
    c:\windows\system32\uyevqhyh.ini
    c:\windows\system32\uyvxilij.ini
    c:\windows\system32\VEghgMoq.ini
    c:\windows\system32\VEghgMoq.ini2
    c:\windows\system32\vgqrabay.ini
    c:\windows\system32\vsnqppyt.ini
    c:\windows\system32\w.exe
    c:\windows\system32\warning.gif
    c:\windows\system32\win32hlp.cnf
    c:\windows\system32\wioyndel.ini
    c:\windows\system32\wvbnialp.ini
    c:\windows\system32\WyHNonmp.ini
    c:\windows\system32\WyHNonmp.ini2
    c:\windows\system32\xcchit32.ini
    c:\windows\system32\xevbjoga.ini
    c:\windows\system32\xGMUDJlm.ini
    c:\windows\system32\xGMUDJlm.ini2
    c:\windows\system32\xxnlgsnn.ini
    c:\windows\system32\yaHklUvw.ini
    c:\windows\system32\yaHklUvw.ini2
    c:\windows\system32\YGfLlnmp.ini
    c:\windows\system32\YGfLlnmp.ini2
    c:\windows\system32\YGjkmUvw.ini
    c:\windows\system32\YGjkmUvw.ini2
    c:\windows\system32\yhommkys.ini
    c:\windows\system32\yhvldekt.ini
    c:\windows\system32\yiagogpp.ini
    c:\windows\system32\yktiiiwd.ini
    c:\windows\system32\ynmhipyn.ini
    c:\windows\Tasks.\AntiSpywareBot Scheduled Scan.job
    c:\windows\xccdf16_090305a.dll
    c:\windows\xccdf32_090305a.dll
    c:\windows\xccwinsys.ini

    c:\windows\system32\userinit.exe . . . is infected!!

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_SENEKA
    -------\Legacy_AFISICX
    -------\Legacy_CLIENT_IP-IPX
    -------\Legacy_IAS
    -------\Legacy_MABIDWE
    -------\Legacy_NNSERV
    -------\Legacy_SOPIDKC
    -------\Service_afisicx
    -------\Service_Ias
    -------\Service_mabidwe
    -------\Service_NNServ
    -------\Service_sopidkc


    ((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 )))))))))))))))))))))))))))))))
    .

    2009-03-19 19:42 . 2009-03-19 19:42 134,656 --a------ c:\windows\oretibux.dll
    2009-03-19 19:30 . 2009-03-19 19:30 42,496 --a------ c:\windows\system32\kuzSniper.exe
    2009-03-10 23:07 . 2009-03-10 23:07 <DIR> d-------- C:\Simon Anti-malware
    2009-03-10 22:55 . 2009-03-10 22:55 54,968 --ah----- c:\windows\system32\mlfcache.dat
    2009-03-10 22:53 . 2009-03-10 22:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-03-10 22:53 . 2009-03-10 22:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-10 19:07 . 2009-03-11 08:29 <DIR> d-------- C:\NSS
    2009-03-01 18:37 . 2009-03-10 19:32 <DIR> d-------- c:\windows\system32\3361
    2009-03-01 18:37 . 2009-03-01 18:37 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
    2009-03-01 18:37 . 2009-03-01 18:37 30 --a------ c:\windows\system32\hgset.ini
    2009-03-01 18:36 . 2002-02-15 14:02 676,352 --a------ c:\windows\system32\rtl60.bpl
    2009-02-28 20:25 . 2009-03-19 20:10 <DIR> d-------- c:\windows\system32\inf
    2009-02-28 20:25 . 2009-02-28 20:25 155,175 --a------ c:\windows\system32\icv.exe
    2009-02-22 23:15 . 2009-02-22 23:15 <DIR> d-------- c:\program files\SpywareDetector
    2009-02-22 23:15 . 2009-01-22 10:29 1,060,864 --a------ c:\windows\system32\CheckDll.dll
    2009-02-22 23:15 . 2009-01-07 17:20 13,776 --a------ c:\windows\system32\SDEarlyDelete.exe
    2009-02-22 23:15 . 2009-02-22 23:15 110 --a------ c:\windows\system32\SDEarlyDelete.ini
    2009-02-22 23:15 . 2005-02-06 09:02 104 --a------ c:\windows\system32\ProxySettings.ini
    2009-02-22 23:15 . 2009-03-19 20:15 63 --a------ c:\windows\system\SysSD.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-19 20:16 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
    2009-03-12 11:36 34,008 ----a-w c:\documents and settings\<USER1>\Application Data\wklnhst.dat
    2009-03-10 19:03 --------- d-----w c:\documents and settings\<USER1>\Application Data\Apple Computer
    2009-02-27 21:09 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-02-11 18:45 --------- d-----w c:\documents and settings\<USER1>\Application Data\Canon
    2006-12-03 19:48 1,188 ----a-w c:\documents and settings\<USER2>\Application Data\wklnhst.dat
    2008-06-30 12:44 324,976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
    .

    ------- Sigcheck -------

    2008-04-14 00:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
    2009-02-13 18:37 104960 c204f3fc26dae0efcf91b8ed9fa50220 c:\windows\system32\userinit.exe
    2009-02-13 18:37 104960 c204f3fc26dae0efcf91b8ed9fa50220 c:\windows\system32\dllcache\userinit.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-10-07 66912]

    [HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
    2008-10-07 20:09 66912 --a------ c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77AB5974-55A3-4737-9FD5-B93C64307F78}]
    2009-01-28 21:26 104960 --a------ c:\windows\system32\yyihtmhx.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
    "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
    "SiSRaid"="c:\program files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" [2004-12-22 892928]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-21 185872]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-10 689488]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-17 1848648]
    "TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "Xjevo"="c:\windows\oretibux.dll" [2009-03-19 134656]
    "SDActiveMonitor"="c:\program files\SpywareDetector\SDActiveMonitor.exe" [2009-01-31 1366528]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]
    "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    FreeventsSchedule.lnk - c:\freevents\FreeventsSchedule.exe [2005-11-05 16384]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)
    "NoActiveDesktopChanges"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\explorer.exe,"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
    2008-12-01 11:15 475136 c:\program files\SpywareDetector\SDNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdss.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xcommsvr.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ SDEarlyDelete\0autocheck autochk *

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
    backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
    backup=c:\windows\pss\BT Broadband Desktop Help.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^FreeventsSchedule.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\FreeventsSchedule.lnk
    backup=c:\windows\pss\FreeventsSchedule.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
    backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
    backup=c:\windows\pss\Ralink Wireless Utility.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
    --a------ 2007-04-23 11:23 1032640 c:\program files\Kontiki\KHost.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    --a------ 2004-03-19 14:17 78960 c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
    -ra------ 2007-01-10 11:06 71216 c:\program files\Common Files\AOL\ACS\AOLDial.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
    --a------ 2005-12-29 10:22 543232 c:\program files\btbb_wcm\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-10 19:00 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    --a------ 2005-08-05 20:56 64512 c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    --a------ 2006-11-17 13:21 50736 c:\program files\Common Files\AOL\1170888625\ee\aolsoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2005-05-11 23:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
    --a------ 2007-04-23 11:23 1032640 c:\program files\Kontiki\KHost.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-13 16:24 1694208 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    --a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    --a------ 2007-06-18 15:10 271360 c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    --a------ 2002-09-13 21:42 212992 c:\windows\SMINST\Recguard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
    --a------ 2004-11-15 15:04 135168 c:\program files\Digital Media Reader\shwiconEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-10-21 19:04 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    --a------ 2006-07-21 16:19 129536 c:\progra~1\Yahoo!\browser\ybrwicon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
    --a------ 2006-08-31 16:01 448040 c:\progra~1\Yahoo!\YOP\yop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    --a------ 2004-10-07 19:50 88363 c:\windows\AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    --a------ 2005-03-24 06:20 77824 c:\windows\SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Philips\\Media Manager\\Philips Media Manager.exe"=
    "c:\\Program Files\\AOL 9.0\\waol.exe"=
    "c:\\Program Files\\AOL 9.0a\\waol.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\AOL 9.0b\\waol.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
    "c:\\StubInstaller.exe"=
    "c:\\WINDOWS\\system32\\rtcshare.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
    "c:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe"=
    "c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
    "c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;c:\windows\system32\drivers\hcw88aud.sys [2005-11-05 11970]
    R1 SDManager;SDManager;c:\program files\SpywareDetector\SDManager.sys [2009-02-22 13696]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-26 101936]
    R3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [2005-11-05 130112]
    R3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;c:\windows\system32\drivers\hcw88tse.sys [2005-11-05 296259]
    R3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\hcw88tun.sys [2005-11-05 137793]
    R3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [2005-11-05 611444]
    R3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\hcw88bar.sys [2005-11-05 27984]
    S0 phkwnqcg;phkwnqcg;c:\windows\system32\drivers\foubfhsx.sys []
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-13 23888]
    S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2005-10-15 2304]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - COMHOST
    *Deregistered* - ALG
    *Deregistered* - AOL ACS
    *Deregistered* - Apple Mobile Device
    *Deregistered* - Ati HotKey Poller
    *Deregistered* - ATI Smart
    *Deregistered* - AudioSrv
    *Deregistered* - Automatic LiveUpdate Scheduler
    *Deregistered* - Bonjour Service
    *Deregistered* - Browser
    *Deregistered* - ccSetMgr
    *Deregistered* - CLTNetCnService
    *Deregistered* - comHost
    *Deregistered* - COMSysApp
    *Deregistered* - CryptSvc
    *Deregistered* - DcomLaunch
    *Deregistered* - Dhcp
    *Deregistered* - dmserver
    *Deregistered* - ehRecvr
    *Deregistered* - ehSched
    *Deregistered* - ERSvc
    *Deregistered* - EventSystem
    *Deregistered* - FastUserSwitchingCompatibility
    *Deregistered* - helpsvc
    *Deregistered* - HidServ
    *Deregistered* - ImapiService
    *Deregistered* - iPod Service
    *Deregistered* - KService
    *Deregistered* - lanmanserver
    *Deregistered* - lanmanworkstation
    *Deregistered* - LiveUpdate Notice
    *Deregistered* - LmHosts
    *Deregistered* - McrdSvc
    *Deregistered* - MDM
    *Deregistered* - Netman
    *Deregistered* - Nla
    *Deregistered* - Pml Driver HPZ12
    *Deregistered* - PolicyAgent
    *Deregistered* - ProtectedStorage
    *Deregistered* - RasMan
    *Deregistered* - RemoteRegistry
    *Deregistered* - RpcSs
    *Deregistered* - SamSs
    *Deregistered* - Schedule
    *Deregistered* - SDMainSvc
    *Deregistered* - SDService
    *Deregistered* - seclogon
    *Deregistered* - SENS
    *Deregistered* - SharedAccess
    *Deregistered* - ShellHWDetection
    *Deregistered* - Spooler
    *Deregistered* - sprtsvc_TalkTalk
    *Deregistered* - srservice
    *Deregistered* - SSDPSRV
    *Deregistered* - stisvc
    *Deregistered* - Symantec Core LC
    *Deregistered* - TapiSrv
    *Deregistered* - TermService
    *Deregistered* - tgsrvc_TalkTalk
    *Deregistered* - Themes
    *Deregistered* - TrkWks
    *Deregistered* - W32Time
    *Deregistered* - WANMiniportService
    *Deregistered* - WebClient
    *Deregistered* - winmgmt
    *Deregistered* - wscsvc
    *Deregistered* - wuauserv
    *Deregistered* - WudfSvc
    *Deregistered* - WZCSVC

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b07a7fbc-a1ea-11dd-88db-00142a6a9209}]
    \Shell\AutoRun\command - J:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-27 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2009-03-12 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - (no file)
    BHO-{8A488754-CD06-44B9-84E6-092AC9AD02EC} - c:\windows\system32\fcccyVlJ.dll
    BHO-{D2E3CF9F-9F8B-407A-BD09-46E9722D1707} - (no file)
    HKLM-Run-9831bb0a - c:\windows\system32\lcvewrsc.dll
    HKLM-Explorer_Run-xccinit - c:\windows\system32\inf\rundll33.exe
    MSConfigStartUp-abqviwza - c:\windows\system32\ieiuuhwr.exe
    MSConfigStartUp-Motive SmartBridge - c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
    mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=2057
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: antimalwareguard.com
    Trusted Zone: gomyhit.com
    Trusted Zone: antimalwareguard.com
    Trusted Zone: gomyhit.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-19 20:15:55
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\system32\drivers\foubfhsx.sys 25088 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(988)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\SpywareDetector\SDNotify.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE
    c:\windows\system32\ati2evxx.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\program files\Common Files\AOL\ACS\AOLacsd.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Kontiki\KService.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\HPZipm12.exe
    c:\program files\SpywareDetector\SDMainService.exe
    c:\program files\SpywareDetector\SDService.exe
    c:\program files\TalkTalk\bin\sprtsvc.exe
    c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe
    c:\windows\wanmpsvc.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-19 20:24:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-19 20:24:24

    Pre-Run: 108,846,133,248 bytes free
    Post-Run: 108,647,653,376 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    6058 --- E O F --- 2008-12-18 23:35:53

    *****************************************************

    HJT log from immediately after ComboFix ran:

    *******************************************

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:29, on 2009-03-19
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\TalkTalk\bin\sprtcmd.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Kontiki\KService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\SpywareDetector\SDMainService.exe
    C:\Program Files\SpywareDetector\SDService.exe
    C:\Program Files\TalkTalk\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Simon Anti-malware\HiJackThis.exe
    C:\WINDOWS\SoftwareDistribution\Download\2342e087142544189c3e4dbf170c3418\update\update.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=2057
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {77AB5974-55A3-4737-9FD5-B93C64307F78} - C:\WINDOWS\system32\yyihtmhx.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Xjevo] rundll32.exe "C:\WINDOWS\oretibux.dll",e
    O4 - HKLM\..\Run: [SDActiveMonitor] C:\Program Files\SpywareDetector\SDActiveMonitor.exe -AUTO
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
    O4 - Global Startup: FreeventsSchedule.lnk = C:\Freevents\FreeventsSchedule.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
    O15 - Trusted Zone: *.antimalwareguard.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SDMainSvc - Max Secure Software - C:\Program Files\SpywareDetector\SDMainService.exe
    O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    --
    End of file - 14156 bytes

    *************************************

  4. #4
    Junior Member
    Join Date
    Jan 2009
    Posts
    19

    Default HJT log after XP SP3 upgrade

    Here is the HJT log that I ran after the machine had been upgraded to XP SP3:

    Hi Blade81,

    Thanks for your response. I ran ComboFix successfully from safe mode and the PC will now boot cleanly into normal mode. It reported Norton 360 running at the time though - I was unable to disable it because there was no system tray icon in safe mode, and when I opened it through the Start menu I got a window saying that it did not run in safe mode, so there were no controls available to switch it off.

    The ComboFix log file was 718KB so I have removed a large chunk of similar entries from the text below (they are all deleted files from various folders under C:\Documents and Settings\<username>\Application Data\SpamBlockerUtility). I've also replaced the actual usernames in these paths with <USER1> and <USER2> as this is a public forum and I am posting on behalf of my friends who own the machine. If you want the full unedited file then let me know and I'll PM or e-mail it to you.

    I ran HJT immediately after ComboFix and attach the log file below. As soon as ComboFix had done its job, the PC suddenly realised it was about a year out of date (and a whole service pack!) with regards to MS patches and started installing them. It is now up to SP3 and so I ran a final HJT afterwards and the log for this is in the following post (due to size restrictions).

    Please let me know if there appears to be anything else wrong with the machine. There are only two things that currently concern me:

    1. Something called Max Secure Spyware Detector is still installed and shows a splash screen when a user logs in and a system tray popup prompting the user to purchase a full version for real-time monitoring. I thought this was malware initially but, from googling it, it looks like it might be real (free) anti-spyware. Are you able to confirm this? Do you recommend leaving it in place or uninstalling it?

    2. The Norton 360 icon is not showing in the system tray and I am unable to get a window for it up using any of the Start menu entries. Security Centre does report that the 360 firewall is running though, so something might be preventing it from displaying the window. I'm not sure if the SP3 upgrade had anything to do with this or not. Perhaps it just needs re-installing?

    Thanks again for all your help. I know I need to check for the latest versions of Flash, Acrobat Reader, Java etc. and ensure that Windows Update runs automatically, and I will do all those once we are happy the machine is no longer infected.

    Cheers
    Simon


    Edited ComboFix log:
    ***************************************************

    ComboFix 09-03-18.01 - <USER1> 2009-03-19 19:59:03.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.510.228 [GMT 0:00]
    Running from: c:\documents and settings\<USER1>\Desktop\ComboFxx.exe
    AV: Norton 360 *On-access scanning enabled* (Updated)
    FW: Norton 360 *enabled*
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\<USER2>\Application Data\SpamBlocker
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\eskin\empty_bg_st.htm
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\eskin\FileManager.txt
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1159100558.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1160169674.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1160936845.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1161981290.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1163534820.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1164150835.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1165532625.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1168193611.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1174346232.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1178994973.log
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\v3.0\HostOI\static\1\030104_emte10_prv.gif
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\v3.0\HostOI\static\1\030104_emte11_prv.gif
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\v3.0\HostOI\static\1\030104_emte12_prv.gif
    .
    .
    . Lots and lots of these removed
    .
    .
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\t2_bg.xip
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\top7.xip
    c:\documents and settings\<USER2>\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\tsd_bg.xip
    c:\documents and settings\<USER1>\Application Data\SpamBlocker
    c:\documents and settings\<USER1>\Application Data\SpamBlockerUtility
    c:\documents and settings\<USER1>\Application Data\SpamBlockerUtility\eskin\empty_bg_st.htm
    c:\documents and settings\<USER1>\Application Data\SpamBlockerUtility\eskin\FileManager.txt
    c:\documents and settings\<USER1>\Application Data\SpamBlockerUtility\SpamBlockerUtility.log
    c:\documents and settings\<USER1>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1164308358.log
    c:\documents and settings\<USER1>\Application Data\SpamBlockerUtility\SpamBlockerUtility_1164643400.log.
    .
    .
    . Lots of these removed too
    .
    .
    c:\documents and settings\<USER1>\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\t2_bg.xip
    c:\documents and settings\<USER1>\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\top7.xip
    c:\documents and settings\<USER1>\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\DownLoad\tsd_bg.xip
    c:\program files\Common Files\{9831B~1
    c:\program files\Common Files\{9831B~2
    c:\program files\newdotnet
    c:\program files\newdotnet\uninstall.exe
    c:\windows\b.exe
    c:\windows\BM9b028896.txt
    c:\windows\BM9b028896.xml
    c:\windows\cookies.ini
    c:\windows\IE4 Error Log.txt
    c:\windows\Install.txt
    c:\windows\Lgoxiw.dll
    c:\windows\system\xccef090305.exe
    c:\windows\system32\998.exe
    c:\windows\system32\afisicx.exe
    c:\windows\system32\ahtn.htm
    c:\windows\system32\aityroll.ini
    c:\windows\system32\alnoyrjx.ini
    c:\windows\system32\atrxpgqt.ini
    c:\windows\system32\ayJQBKkj.ini
    c:\windows\system32\ayJQBKkj.ini2
    c:\windows\system32\bayaKnmp.ini
    c:\windows\system32\bayaKnmp.ini2
    c:\windows\system32\bercscgq.ini
    c:\windows\system32\bfoogcna.ini
    c:\windows\system32\bhpxucyy.ini
    c:\windows\system32\bhvvhfao.ini
    c:\windows\system32\bszip.dll
    c:\windows\system32\bund1
    c:\windows\system32\bund1\temp.txt
    c:\windows\system32\bwcjiehv.ini
    c:\windows\system32\bxtcaajy.ini
    c:\windows\system32\cdjwmtde.ini
    c:\windows\system32\cdLSvvut.ini
    c:\windows\system32\cdLSvvut.ini2
    c:\windows\system32\chert5-998.exe
    c:\windows\system32\ciekyphx.ini
    c:\windows\system32\cisscsjh.ini
    c:\windows\system32\cjcmueon.ini
    c:\windows\system32\CJijlnnn.ini
    c:\windows\system32\CJijlnnn.ini2
    c:\windows\system32\cnhppvya.ini
    c:\windows\system32\comsa32.sys
    c:\windows\system32\csrwevcl.ini
    c:\windows\system32\daqvcrsn.ini
    c:\windows\system32\DgfffMoq.ini
    c:\windows\system32\DgfffMoq.ini2
    c:\windows\system32\dkbhcmxe.ini
    c:\windows\system32\drivers\core.cache.dsk
    c:\windows\system32\drivers\seneka.sys
    c:\windows\system32\drivers\senekafdomlquq.sys
    c:\windows\system32\edaodcdw.ini
    c:\windows\system32\eshxcvnv.ini
    c:\windows\system32\evcjnvxx.ini
    c:\windows\system32\fcccyVlJ.dll.vir
    c:\windows\system32\flsycqwx.ini
    c:\windows\system32\fqepnqev.ini
    c:\windows\system32\fsdswwox.ini
    c:\windows\system32\ggQrCKkj.ini
    c:\windows\system32\ggQrCKkj.ini2
    c:\windows\system32\gmsiyrhb.ini
    c:\windows\system32\GPWvyccf.ini
    c:\windows\system32\GPWvyccf.ini2
    c:\windows\system32\gQssvGgh.ini
    c:\windows\system32\gQssvGgh.ini2
    c:\windows\system32\hgcheck.exe
    c:\windows\system32\hklVDJjl.ini
    c:\windows\system32\hklVDJjl.ini2
    c:\windows\system32\hlesyrxi.ini
    c:\windows\system32\hNXGPXyb.ini
    c:\windows\system32\hNXGPXyb.ini2
    c:\windows\system32\hpwonjyc.ini
    c:\windows\system32\hxhyjecx.ini
    c:\windows\system32\hyknjsou.ini
    c:\windows\system32\ibayrtlg.ini
    c:\windows\system32\inf\rundll33.exe
    c:\windows\system32\inf\xccdfb16_090305.dll
    c:\windows\system32\inf\xccefb090305.scr
    c:\windows\system32\init32.exe
    c:\windows\system32\Install.txt
    c:\windows\system32\ipfsalwj.ini
    c:\windows\system32\ivsnyhoy.ini
    c:\windows\system32\ivwrkvex.ini
    c:\windows\system32\jacqohaw.ini
    c:\windows\system32\JlVycccf.ini
    c:\windows\system32\JlVycccf.ini2
    c:\windows\system32\jogqlioy.ini
    c:\windows\system32\jqjgkqny.ini
    c:\windows\system32\juwrjcnf.ini
    c:\windows\system32\kktejunk.ini
    c:\windows\system32\kRttAcdd.ini
    c:\windows\system32\kRttAcdd.ini2
    c:\windows\system32\ktynqbdi.ini
    c:\windows\system32\lceullmt.ini
    c:\windows\system32\llmgwxvs.ini
    c:\windows\system32\llpmhnjs.ini
    c:\windows\system32\LVFedfhk.ini
    c:\windows\system32\LVFedfhk.ini2
    c:\windows\system32\mabidwe.exe
    c:\windows\system32\mamhthli.ini
    c:\windows\system32\mcrh.tmp
    c:\windows\system32\micro1
    c:\windows\system32\mlltwali.ini
    c:\windows\system32\mojwrtmc.ini
    c:\windows\system32\mwwdxniw.ini
    c:\windows\system32\naqjywbj.ini
    c:\windows\system32\nbniwlkp.ini
    c:\windows\system32\nhiwfrtj.ini
    c:\windows\system32\njtjpxuc.ini
    c:\windows\system32\nmrnowsm.ini
    c:\windows\system32\nnnxydlr.ini
    c:\windows\system32\nswmacxl.ini
    c:\windows\system32\ntdll64.exe
    c:\windows\system32\nxqvmnvf.ini
    c:\windows\system32\omarqngt.ini
    c:\windows\system32\oprYFfii.ini
    c:\windows\system32\oprYFfii.ini2
    c:\windows\system32\OqqXIkkj.ini
    c:\windows\system32\OqqXIkkj.ini2
    c:\windows\system32\petvxyyu.ini
    c:\windows\system32\phnsvpjh.ini
    c:\windows\system32\phsjuxfg.ini
    c:\windows\system32\pofqomil.ini
    c:\windows\system32\prhxavrp.ini
    c:\windows\system32\qAIPAJjl.ini
    c:\windows\system32\qAIPAJjl.ini2
    c:\windows\system32\qdshgmbk.ini
    c:\windows\system32\qttvDfhk.ini
    c:\windows\system32\qttvDfhk.ini2
    c:\windows\system32\relkauer.ini
    c:\windows\system32\rinppyti.ini
    c:\windows\system32\ryshycrp.ini
    c:\windows\system32\sckgoxap.ini
    c:\windows\system32\scmjcqtd.ini
    c:\windows\system32\senekadf.dat
    c:\windows\system32\senekagomylyab.dll
    c:\windows\system32\senekalog.dat
    c:\windows\system32\senekarnlnfutd.dll
    c:\windows\system32\senekawqjesiym.dat
    c:\windows\system32\senekaxfuwprmj.dll
    c:\windows\system32\sficnrmc.ini
    c:\windows\system32\sguoqhuc.ini
    c:\windows\system32\sguoqhuc.ini2
    c:\windows\system32\sguoqhuc.tmp
    c:\windows\system32\smyrymwj.ini
    c:\windows\system32\sopidkc.exe
    c:\windows\system32\sovyrgif.ini
    c:\windows\system32\suBLoUvw.ini
    c:\windows\system32\suBLoUvw.ini2
    c:\windows\system32\suluqicf.ini
    c:\windows\system32\suwwyGgh.ini
    c:\windows\system32\suwwyGgh.ini2
    c:\windows\system32\svyGQXyb.ini
    c:\windows\system32\svyGQXyb.ini2
    c:\windows\system32\sYFLknmp.ini
    c:\windows\system32\sYFLknmp.ini2
    c:\windows\system32\tAyccccf.ini
    c:\windows\system32\tAyccccf.ini2
    c:\windows\system32\TAyIlnpo.ini
    c:\windows\system32\TAyIlnpo.ini2
    c:\windows\system32\tbbkfpue.ini
    c:\windows\system32\tkrayagj.ini
    c:\windows\system32\tkseqnte.ini
    c:\windows\system32\tmpxccacj2.exe
    c:\windows\system32\tofsehbk.ini
    c:\windows\system32\tpszxyd.sys
    c:\windows\system32\txiexbdh.ini
    c:\windows\system32\uBJjPqru.ini
    c:\windows\system32\uBJjPqru.ini2
    c:\windows\system32\ubwvlxnx.ini
    c:\windows\system32\uniq.tll
    c:\windows\system32\usliwlvn.ini
    c:\windows\system32\uvoxbvhq.ini
    c:\windows\system32\uyevqhyh.ini
    c:\windows\system32\uyvxilij.ini
    c:\windows\system32\VEghgMoq.ini
    c:\windows\system32\VEghgMoq.ini2
    c:\windows\system32\vgqrabay.ini
    c:\windows\system32\vsnqppyt.ini
    c:\windows\system32\w.exe
    c:\windows\system32\warning.gif
    c:\windows\system32\win32hlp.cnf
    c:\windows\system32\wioyndel.ini
    c:\windows\system32\wvbnialp.ini
    c:\windows\system32\WyHNonmp.ini
    c:\windows\system32\WyHNonmp.ini2
    c:\windows\system32\xcchit32.ini
    c:\windows\system32\xevbjoga.ini
    c:\windows\system32\xGMUDJlm.ini
    c:\windows\system32\xGMUDJlm.ini2
    c:\windows\system32\xxnlgsnn.ini
    c:\windows\system32\yaHklUvw.ini
    c:\windows\system32\yaHklUvw.ini2
    c:\windows\system32\YGfLlnmp.ini
    c:\windows\system32\YGfLlnmp.ini2
    c:\windows\system32\YGjkmUvw.ini
    c:\windows\system32\YGjkmUvw.ini2
    c:\windows\system32\yhommkys.ini
    c:\windows\system32\yhvldekt.ini
    c:\windows\system32\yiagogpp.ini
    c:\windows\system32\yktiiiwd.ini
    c:\windows\system32\ynmhipyn.ini
    c:\windows\Tasks.\AntiSpywareBot Scheduled Scan.job
    c:\windows\xccdf16_090305a.dll
    c:\windows\xccdf32_090305a.dll
    c:\windows\xccwinsys.ini

    c:\windows\system32\userinit.exe . . . is infected!!

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_SENEKA
    -------\Legacy_AFISICX
    -------\Legacy_CLIENT_IP-IPX
    -------\Legacy_IAS
    -------\Legacy_MABIDWE
    -------\Legacy_NNSERV
    -------\Legacy_SOPIDKC
    -------\Service_afisicx
    -------\Service_Ias
    -------\Service_mabidwe
    -------\Service_NNServ
    -------\Service_sopidkc


    ((((((((((((((((((((((((( Files Created from 2009-02-19 to 2009-03-19 )))))))))))))))))))))))))))))))
    .

    2009-03-19 19:42 . 2009-03-19 19:42 134,656 --a------ c:\windows\oretibux.dll
    2009-03-19 19:30 . 2009-03-19 19:30 42,496 --a------ c:\windows\system32\kuzSniper.exe
    2009-03-10 23:07 . 2009-03-10 23:07 <DIR> d-------- C:\Simon Anti-malware
    2009-03-10 22:55 . 2009-03-10 22:55 54,968 --ah----- c:\windows\system32\mlfcache.dat
    2009-03-10 22:53 . 2009-03-10 22:53 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2009-03-10 22:53 . 2009-03-10 22:55 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-10 19:07 . 2009-03-11 08:29 <DIR> d-------- C:\NSS
    2009-03-01 18:37 . 2009-03-10 19:32 <DIR> d-------- c:\windows\system32\3361
    2009-03-01 18:37 . 2009-03-01 18:37 108,336 --a------ c:\windows\system32\MSWINSCK.OCX
    2009-03-01 18:37 . 2009-03-01 18:37 30 --a------ c:\windows\system32\hgset.ini
    2009-03-01 18:36 . 2002-02-15 14:02 676,352 --a------ c:\windows\system32\rtl60.bpl
    2009-02-28 20:25 . 2009-03-19 20:10 <DIR> d-------- c:\windows\system32\inf
    2009-02-28 20:25 . 2009-02-28 20:25 155,175 --a------ c:\windows\system32\icv.exe
    2009-02-22 23:15 . 2009-02-22 23:15 <DIR> d-------- c:\program files\SpywareDetector
    2009-02-22 23:15 . 2009-01-22 10:29 1,060,864 --a------ c:\windows\system32\CheckDll.dll
    2009-02-22 23:15 . 2009-01-07 17:20 13,776 --a------ c:\windows\system32\SDEarlyDelete.exe
    2009-02-22 23:15 . 2009-02-22 23:15 110 --a------ c:\windows\system32\SDEarlyDelete.ini
    2009-02-22 23:15 . 2005-02-06 09:02 104 --a------ c:\windows\system32\ProxySettings.ini
    2009-02-22 23:15 . 2009-03-19 20:15 63 --a------ c:\windows\system\SysSD.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-19 20:16 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
    2009-03-12 11:36 34,008 ----a-w c:\documents and settings\<USER1>\Application Data\wklnhst.dat
    2009-03-10 19:03 --------- d-----w c:\documents and settings\<USER1>\Application Data\Apple Computer
    2009-02-27 21:09 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-02-11 18:45 --------- d-----w c:\documents and settings\<USER1>\Application Data\Canon
    2006-12-03 19:48 1,188 ----a-w c:\documents and settings\<USER2>\Application Data\wklnhst.dat
    2008-06-30 12:44 324,976 ----a-w c:\program files\mozilla firefox\components\coFFPlgn.dll
    .

    ------- Sigcheck -------

    2008-04-14 00:12 26112 a93aee1928a9d7ce3e16d24ec7380f89 c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
    2009-02-13 18:37 104960 c204f3fc26dae0efcf91b8ed9fa50220 c:\windows\system32\userinit.exe
    2009-02-13 18:37 104960 c204f3fc26dae0efcf91b8ed9fa50220 c:\windows\system32\dllcache\userinit.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
    "{0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2}"= "c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL" [2008-10-07 66912]

    [HKEY_CLASSES_ROOT\clsid\{0579b4b6-0293-4d73-b02d-5ebb0ba0f0a2}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2}]
    2008-10-07 20:09 66912 --a------ c:\program files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77AB5974-55A3-4737-9FD5-B93C64307F78}]
    2009-01-28 21:26 104960 --a------ c:\windows\system32\yyihtmhx.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
    "msnmsgr"="c:\program files\MSN Messenger\msnmsgr.exe" [2007-01-19 5674352]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 339968]
    "SiSRaid"="c:\program files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" [2004-12-22 892928]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-17 51048]
    "osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]
    "TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-10-21 185872]
    "CanonSolutionMenu"="c:\program files\Canon\SolutionMenu\CNSLMAIN.exe" [2008-03-10 689488]
    "CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2008-03-17 1848648]
    "TalkTalk"="c:\program files\TalkTalk\bin\sprtcmd.exe" [2007-10-12 202016]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "Xjevo"="c:\windows\oretibux.dll" [2009-03-19 134656]
    "SDActiveMonitor"="c:\program files\SpywareDetector\SDActiveMonitor.exe" [2009-01-31 1366528]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-10 15360]
    "Nokia.PCSync"="c:\program files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-06-19 1241088]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    FreeventsSchedule.lnk - c:\freevents\FreeventsSchedule.exe [2005-11-05 16384]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"= 1 (0x1)
    "NoActiveDesktopChanges"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "Userinit"="c:\windows\explorer.exe,"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SDNotify]
    2008-12-01 11:15 475136 c:\program files\SpywareDetector\SDNotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.clmp3enc"= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdss.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xcommsvr.exe]
    "Debugger"=c:\windows\system32\alg.exe

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
    BootExecute REG_MULTI_SZ SDEarlyDelete\0autocheck autochk *

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
    backup=c:\windows\pss\AOL 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
    backup=c:\windows\pss\BT Broadband Desktop Help.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^FreeventsSchedule.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\FreeventsSchedule.lnk
    backup=c:\windows\pss\FreeventsSchedule.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
    backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
    backup=c:\windows\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Ralink Wireless Utility.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Ralink Wireless Utility.lnk
    backup=c:\windows\pss\Ralink Wireless Utility.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
    --a------ 2007-04-23 11:23 1032640 c:\program files\Kontiki\KHost.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    --a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
    --a------ 2004-03-19 14:17 78960 c:\progra~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
    -ra------ 2007-01-10 11:06 71216 c:\program files\Common Files\AOL\ACS\AOLDial.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
    --a------ 2005-12-29 10:22 543232 c:\program files\btbb_wcm\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-10 19:00 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    --a------ 2005-08-05 20:56 64512 c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    --a------ 2006-11-17 13:21 50736 c:\program files\Common Files\AOL\1170888625\ee\aolsoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
    --a------ 2005-05-11 23:12 49152 c:\program files\HP\HP Software Update\hpwuSchd2.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
    --a------ 2007-04-23 11:23 1032640 c:\program files\Kontiki\KHost.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --------- 2004-10-13 16:24 1694208 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
    --a------ 2007-01-19 11:54 5674352 c:\program files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    --a------ 2007-06-18 15:10 271360 c:\program files\Nokia\Nokia PC Suite 6\LaunchApplication.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
    --a------ 2002-09-13 21:42 212992 c:\windows\SMINST\Recguard.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-09-25 01:11 132496 c:\program files\Java\jre1.6.0_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunKistEM]
    --a------ 2004-11-15 15:04 135168 c:\program files\Digital Media Reader\shwiconEM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-10-21 19:04 185872 c:\program files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    --a------ 2006-07-21 16:19 129536 c:\progra~1\Yahoo!\browser\ybrwicon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
    --a------ 2006-08-31 16:01 448040 c:\progra~1\Yahoo!\YOP\yop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
    --a------ 2004-10-07 19:50 88363 c:\windows\AGRSMMSG.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
    --a------ 2005-03-24 06:20 77824 c:\windows\SOUNDMAN.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Philips\\Media Manager\\Philips Media Manager.exe"=
    "c:\\Program Files\\AOL 9.0\\waol.exe"=
    "c:\\Program Files\\AOL 9.0a\\waol.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
    "c:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
    "c:\\Program Files\\AOL 9.0b\\waol.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\Program Files\\Yahoo!\\browser\\ybrowser.exe"=
    "c:\\StubInstaller.exe"=
    "c:\\WINDOWS\\system32\\rtcshare.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\MSN Messenger\\livecall.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\TalkTalk\\agent\\bin\\bcont.exe"=
    "c:\\Program Files\\Common Files\\SupportSoft\\bin\\tgsrvc.exe"=
    "c:\\Program Files\\TalkTalk\\agent\\bin\\bcont_nm.exe"=
    "c:\\Program Files\\TalkTalk\\bin\\sprtcmd.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=

    R1 HCW88AUD;Hauppauge WinTV 88x Audio Capture;c:\windows\system32\drivers\hcw88aud.sys [2005-11-05 11970]
    R1 SDManager;SDManager;c:\program files\SpywareDetector\SDManager.sys [2009-02-22 13696]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-26 101936]
    R3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;c:\windows\system32\drivers\hcw88bda.sys [2005-11-05 130112]
    R3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;c:\windows\system32\drivers\hcw88tse.sys [2005-11-05 296259]
    R3 HCW88TUNE;Hauppauge WinTV 88x Tuner;c:\windows\system32\drivers\hcw88tun.sys [2005-11-05 137793]
    R3 hcw88vid;Hauppauge WinTV 88x Video;c:\windows\system32\drivers\hcw88vid.sys [2005-11-05 611444]
    R3 HCW88XBAR;Hauppauge WinTV 88x Crossbar;c:\windows\system32\drivers\hcw88bar.sys [2005-11-05 27984]
    S0 phkwnqcg;phkwnqcg;c:\windows\system32\drivers\foubfhsx.sys []
    S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-13 23888]
    S3 pcistub;pcistub;c:\windows\system32\pcistub.sys [2005-10-15 2304]

    --- Other Services/Drivers In Memory ---

    *NewlyCreated* - COMHOST
    *Deregistered* - ALG
    *Deregistered* - AOL ACS
    *Deregistered* - Apple Mobile Device
    *Deregistered* - Ati HotKey Poller
    *Deregistered* - ATI Smart
    *Deregistered* - AudioSrv
    *Deregistered* - Automatic LiveUpdate Scheduler
    *Deregistered* - Bonjour Service
    *Deregistered* - Browser
    *Deregistered* - ccSetMgr
    *Deregistered* - CLTNetCnService
    *Deregistered* - comHost
    *Deregistered* - COMSysApp
    *Deregistered* - CryptSvc
    *Deregistered* - DcomLaunch
    *Deregistered* - Dhcp
    *Deregistered* - dmserver
    *Deregistered* - ehRecvr
    *Deregistered* - ehSched
    *Deregistered* - ERSvc
    *Deregistered* - EventSystem
    *Deregistered* - FastUserSwitchingCompatibility
    *Deregistered* - helpsvc
    *Deregistered* - HidServ
    *Deregistered* - ImapiService
    *Deregistered* - iPod Service
    *Deregistered* - KService
    *Deregistered* - lanmanserver
    *Deregistered* - lanmanworkstation
    *Deregistered* - LiveUpdate Notice
    *Deregistered* - LmHosts
    *Deregistered* - McrdSvc
    *Deregistered* - MDM
    *Deregistered* - Netman
    *Deregistered* - Nla
    *Deregistered* - Pml Driver HPZ12
    *Deregistered* - PolicyAgent
    *Deregistered* - ProtectedStorage
    *Deregistered* - RasMan
    *Deregistered* - RemoteRegistry
    *Deregistered* - RpcSs
    *Deregistered* - SamSs
    *Deregistered* - Schedule
    *Deregistered* - SDMainSvc
    *Deregistered* - SDService
    *Deregistered* - seclogon
    *Deregistered* - SENS
    *Deregistered* - SharedAccess
    *Deregistered* - ShellHWDetection
    *Deregistered* - Spooler
    *Deregistered* - sprtsvc_TalkTalk
    *Deregistered* - srservice
    *Deregistered* - SSDPSRV
    *Deregistered* - stisvc
    *Deregistered* - Symantec Core LC
    *Deregistered* - TapiSrv
    *Deregistered* - TermService
    *Deregistered* - tgsrvc_TalkTalk
    *Deregistered* - Themes
    *Deregistered* - TrkWks
    *Deregistered* - W32Time
    *Deregistered* - WANMiniportService
    *Deregistered* - WebClient
    *Deregistered* - winmgmt
    *Deregistered* - wscsvc
    *Deregistered* - wuauserv
    *Deregistered* - WudfSvc
    *Deregistered* - WZCSVC

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b07a7fbc-a1ea-11dd-88db-00142a6a9209}]
    \Shell\AutoRun\command - J:\LaunchU3.exe -a
    .
    Contents of the 'Scheduled Tasks' folder

    2009-02-27 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2009-03-12 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
    - c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{3CAB59B4-55A3-4737-9FD5-B93C6430BF75} - (no file)
    BHO-{8A488754-CD06-44B9-84E6-092AC9AD02EC} - c:\windows\system32\fcccyVlJ.dll
    BHO-{D2E3CF9F-9F8B-407A-BD09-46E9722D1707} - (no file)
    HKLM-Run-9831bb0a - c:\windows\system32\lcvewrsc.dll
    HKLM-Explorer_Run-xccinit - c:\windows\system32\inf\rundll33.exe
    MSConfigStartUp-abqviwza - c:\windows\system32\ieiuuhwr.exe
    MSConfigStartUp-Motive SmartBridge - c:\progra~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://securityresponse.symantec.com/avcenter/fix_homepage/
    mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
    uInternet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=2057
    IE: &Windows Live Search - c:\program files\Windows Live Toolbar\msntb.dll/search.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    Trusted Zone: antimalwareguard.com
    Trusted Zone: gomyhit.com
    Trusted Zone: antimalwareguard.com
    Trusted Zone: gomyhit.com
    DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-19 20:15:55
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    c:\windows\system32\drivers\foubfhsx.sys 25088 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(988)
    c:\windows\system32\Ati2evxx.dll
    c:\program files\SpywareDetector\SDNotify.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE
    c:\windows\system32\ati2evxx.exe
    c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    c:\program files\Common Files\AOL\ACS\AOLacsd.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE
    c:\windows\ehome\ehrecvr.exe
    c:\windows\ehome\ehSched.exe
    c:\program files\Kontiki\KService.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\windows\system32\HPZipm12.exe
    c:\program files\SpywareDetector\SDMainService.exe
    c:\program files\SpywareDetector\SDService.exe
    c:\program files\TalkTalk\bin\sprtsvc.exe
    c:\program files\Common Files\SupportSoft\bin\tgsrvc.exe
    c:\windows\wanmpsvc.exe
    c:\windows\ehome\mcrdsvc.exe
    c:\windows\system32\dllhost.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-19 20:24:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-19 20:24:24

    Pre-Run: 108,846,133,248 bytes free
    Post-Run: 108,647,653,376 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

    6058 --- E O F --- 2008-12-18 23:35:53


    *****************************************************

    HJT log from immediately after ComboFix ran:

    *******************************************

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:29, on 2009-03-19
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16762)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\TalkTalk\bin\sprtcmd.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Kontiki\KService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\SpywareDetector\SDMainService.exe
    C:\Program Files\SpywareDetector\SDService.exe
    C:\Program Files\TalkTalk\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Simon Anti-malware\HiJackThis.exe
    C:\WINDOWS\SoftwareDistribution\Download\2342e087142544189c3e4dbf170c3418\update\update.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=2057
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {77AB5974-55A3-4737-9FD5-B93C64307F78} - C:\WINDOWS\system32\yyihtmhx.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Xjevo] rundll32.exe "C:\WINDOWS\oretibux.dll",e
    O4 - HKLM\..\Run: [SDActiveMonitor] C:\Program Files\SpywareDetector\SDActiveMonitor.exe -AUTO
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
    O4 - Global Startup: FreeventsSchedule.lnk = C:\Freevents\FreeventsSchedule.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
    O15 - Trusted Zone: *.antimalwareguard.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SDMainSvc - Max Secure Software - C:\Program Files\SpywareDetector\SDMainService.exe
    O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    --
    End of file - 14156 bytes

    *************************************

  5. #5
    Junior Member, Join Date Jan 2009, Posts 19

    Sorry, just realised I posted the same thing twice. Here is the real HJT log after the machine was upgraded to SP3:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:04, on 2009-03-19
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\SpywareDetector\SDMainService.exe
    C:\Program Files\SpywareDetector\SDService.exe
    C:\Program Files\TalkTalk\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\TalkTalk\bin\sprtcmd.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\SpywareDetector\SDActiveMonitor.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\PROGRA~1\Yahoo!\browser\ycommon.exe
    C:\Simon Anti-malware\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=2057
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {77AB5974-55A3-4737-9FD5-B93C64307F78} - C:\WINDOWS\system32\yyihtmhx.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: Ask Toolbar BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
    O3 - Toolbar: Ask Toolbar - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Xjevo] rundll32.exe "C:\WINDOWS\oretibux.dll",e
    O4 - HKLM\..\Run: [SDActiveMonitor] C:\Program Files\SpywareDetector\SDActiveMonitor.exe -AUTO
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
    O4 - Global Startup: FreeventsSchedule.lnk = C:\Freevents\FreeventsSchedule.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
    O15 - Trusted Zone: *.antimalwareguard.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SDMainSvc - Max Secure Software - C:\Program Files\SpywareDetector\SDMainService.exe
    O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    --
    End of file - 14262 bytes

  6. #6
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Hi again,


    1. I'm not familiar with that program and would uninstall it.

    2. Yes, a reinstall may be needed. However, don't do this until the system is all clean.



    Upload following files to http://www.virustotal.com and post back the results:
    c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe
    c:\windows\system32\userinit.exe

    Uninstall AskBar if not installed on purpose.



    Please download Malwarebytes' Anti-Malware to your desktop.

    • Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Be sure that everything is checked, and click Remove Selected.
    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
    • Please post contents of that file in your next reply.



    After that start hjt, do a system scan, check (if found):
    F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
    O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
    O15 - Trusted Zone: *.antimalwareguard.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)

    Close browsers and fix checked.



    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Driver::
    phkwnqcg
    
    File::
    c:\windows\system32\yyihtmhx.dll
    c:\windows\oretibux.dll
    c:\windows\system32\kuzSniper.exe
    c:\windows\system32\hgset.ini
    c:\windows\system32\rtl60.bpl
    c:\windows\system32\icv.exe
    c:\StubInstaller.exe
    c:\windows\system32\drivers\foubfhsx.sys
    
    Folder::
    c:\windows\system32\3361
    C:\Program Files\Rapid Antivirus
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77AB5974-55A3-4737-9FD5-B93C64307F78}]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Xjevo"=-
    
    [HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
    "NoSetActiveDesktop"=-
    "NoActiveDesktopChanges"=-
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashDisp.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashserv.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\Antivirus-ashSimpl.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\avesvc.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdmcon.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdnagent.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdss.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\bdswitch.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\DefWatch.exe]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\xcommsvr.exe]
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=-
    
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\StubInstaller.exe"=-

    Save this as
    CFScript

    A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.



    Referring to the picture above, drag CFScript into ComboFix.exe
    Then post the resultant log.


    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
    If that happened we want to know, and also what process you had to end.



    Uninstall old Adobe Reader versions and get the latest one here or get Foxit Reader here. Make sure you don't install the toolbar if you choose Foxit Reader!


    Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older-version Java components and update to the latest version...

    Updating Java:
    • Download the latest version of Java Runtime Environment (JRE) 6 Update 12.
    • Click the Download button to the right.
    • Select Windows in the platform combobox and check the box that says: Accept License Agreement. Click continue.
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on jre-6u12-windows-i586-p.exe to install the newest version. Uncheck MSN toolbar if it's offered there.




    Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

    Double-click ATF Cleaner.exe to open it

    Under Main choose:
    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache

    *The other boxes are optional*
    Then click the Empty Selected button.

    If you use Firefox:
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    If you use Opera:
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

    Click Exit on the Main menu to close the program.


    Please run an online scan with Kaspersky Online Scanner as instructed in the screenshot here. If you get a message that latest Java must be installed "enable" the Java add-ons in IE7. Do that using "manage add-ons" from the IE7 toolbar.


    Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.
    Microsoft Windows Insider MVP 2016-2020
    Microsoft MVP Consumer Security 2008-2015
    UNITE member since 2006

    If you have problems create a thread in the forum, please.

    Malware removal instructions are for the correspondent user's case only.
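A triage pass over the kind of HijackThis lines the post above singles out, written as an added example; it is not code from this thread or from HijackThis. It encodes the reasons a helper picks those lines: a Winlogon UserInit value that is anything other than the stock XP `C:\WINDOWS\system32\userinit.exe,`; BHOs with no name, or whose DLL is a random letters-only name dropped straight into C:\WINDOWS or system32; rundll32.exe autoruns loading such a DLL; Startup-folder links planted in the SYSTEM or Default User profile; and any O15 Trusted Zone entry. The sample log is constructed from lines posted earlier in the thread, and the allowlist of system file names and the length bounds in the name pattern are this example's assumptions, not HijackThis rules.

```python
"""Triage heuristics over HijackThis log lines (added example; not forum or HJT code)."""
import re
import sys

# Stock Windows XP Winlogon Userinit value (trailing comma included).
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe,"
# Directories where a random letters-only file name is suspicious.
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}
# Letters-only names of 6..10 characters: the pattern of yyihtmhx.dll / oretibux.dll.
# The length bounds are an assumption for this example, not an HJT rule.
RANDOM_NAME = re.compile(r"^[a-z]{6,10}\.(dll|exe)$", re.IGNORECASE)
# Legitimate system files that would otherwise match RANDOM_NAME (constructed allowlist).
KNOWN_SYSTEM_FILES = {"ctfmon.exe", "explorer.exe", "userinit.exe",
                      "rundll32.exe", "shdocvw.dll", "winlogon.exe"}
RUNDLL_TARGET = re.compile(r'rundll32\.exe\s+"?([^",]+)', re.IGNORECASE)
PROFILE_STARTUP = re.compile(r"^O4 - (S-1-5-18|\.DEFAULT) Startup:")

# Constructed sample: lines copied from the log posted earlier in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\explorer.exe,
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {77AB5974-55A3-4737-9FD5-B93C64307F78} - C:\WINDOWS\system32\yyihtmhx.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Xjevo] rundll32.exe "C:\WINDOWS\oretibux.dll",e
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O15 - Trusted Zone: *.antimalwareguard.com
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""


def looks_random(path):
    """True for an unknown letters-only file name sitting directly in
    C:\\WINDOWS or C:\\WINDOWS\\system32, the drop location used here."""
    p = path.strip().strip('"').lower()
    directory, _, name = p.rpartition("\\")
    if name in KNOWN_SYSTEM_FILES or not RANDOM_NAME.match(name):
        return False
    return directory in SYSTEM_DIRS


def triage(log_text):
    """Return (line, reason) pairs for entries a helper would want explained."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        tag = line.split(" - ", 1)[0]
        if tag == "F2" and "UserInit=" in line:
            value = line.split("UserInit=", 1)[1].strip().lower()
            if value != EXPECTED_USERINIT:
                findings.append((line, "Userinit hijacked; stock value is " + EXPECTED_USERINIT))
        elif tag == "O2":
            dll = line.rsplit(" - ", 1)[-1]
            if dll == "(no file)":
                findings.append((line, "orphaned BHO registration; DLL no longer on disk"))
            elif "(no name)" in line or looks_random(dll):
                findings.append((line, "unnamed BHO or random-named DLL in a system directory"))
        elif tag == "O4":
            m = RUNDLL_TARGET.search(line)
            if m and looks_random(m.group(1)):
                findings.append((line, "rundll32 autorun loading a random-named DLL"))
            elif PROFILE_STARTUP.match(line):
                findings.append((line, "Startup link planted in the SYSTEM or Default User profile"))
        elif tag == "O15":
            findings.append((line, "site granted Trusted Zone privileges"))
    return findings


if __name__ == "__main__":
    # Pass a saved hijackthis.log path, or run without arguments on the sample.
    text = (open(sys.argv[1], encoding="utf-8", errors="replace").read()
            if len(sys.argv) > 1 else SAMPLE_LOG)
    for entry, reason in triage(text):
        print(f"[{reason}]\n    {entry}")
```

Everything it flags still needs a human decision, which is why the helper asks for VirusTotal results on userinit.exe before anything is fixed; the Userinit check in particular explains the symptom in the first post, since Winlogon runs whatever that value names after the password is accepted.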

  7. #7
    Junior Member
    Join Date
    Jan 2009
    Posts
    19

    Default Some results

    Hi Blade81,
    I've got some results for the virustotal scans.

    For c:\windows\system32\userinit.exe:

    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.03.23 -
    AhnLab-V3 5.0.0.2 2009.03.23 -
    AntiVir 7.9.0.120 2009.03.23 -
    Authentium 5.1.2.4 2009.03.23 -
    Avast 4.8.1335.0 2009.03.23 -
    AVG 8.5.0.283 2009.03.23 -
    BitDefender 7.2 2009.03.23 -
    CAT-QuickHeal 10.00 2009.03.23 -
    ClamAV 0.94.1 2009.03.23 -
    Comodo 1082 2009.03.23 -
    DrWeb 4.44.0.09170 2009.03.23 -
    eSafe 7.0.17.0 2009.03.23 -
    eTrust-Vet 31.6.6412 2009.03.23 -
    F-Prot 4.4.4.56 2009.03.23 -
    F-Secure 8.0.14470.0 2009.03.23 -
    Fortinet 3.117.0.0 2009.03.23 -
    GData 19 2009.03.23 -
    Ikarus T3.1.1.48.0 2009.03.23 -
    K7AntiVirus 7.10.678 2009.03.21 -
    Kaspersky 7.0.0.125 2009.03.23 -
    McAfee 5561 2009.03.22 -
    McAfee+Artemis 5561 2009.03.22 -
    McAfee-GW-Edition 6.7.6 2009.03.23 -
    Microsoft 1.4502 2009.03.23 -
    NOD32 3953 2009.03.21 -
    Norman 6.00.06 2009.03.23 -
    nProtect 2009.1.8.0 2009.03.23 -
    Panda 10.0.0.10 2009.03.22 -
    PCTools 4.4.2.0 2009.03.23 -
    Prevx1 V2 2009.03.23 -
    Rising 21.22.02.00 2009.03.23 -
    Sophos 4.39.0 2009.03.23 -
    Sunbelt 3.2.1858.2 2009.03.22 -
    Symantec 1.4.4.12 2009.03.23 -
    TheHacker 6.3.3.4.287 2009.03.23 -
    TrendMicro 8.700.0.1004 2009.03.23 -
    ViRobot 2009.3.23.1660 2009.03.23 -
    VirusBuster 4.6.5.0 2009.03.22 -
    Additional information
    File size: 26112 bytes
    MD5...: a93aee1928a9d7ce3e16d24ec7380f89
    SHA1..: 513f8bdf67a5a9e09803cfb61f590b39f2683853
    SHA256: 944cd2135e171af338352568aa7fe1b8004733a4281395ad6723e0cf43d5f53f
    SHA512: b4df088a96dda785b1a2edb32ef72554fb8000d01a29668f0da0614f6100c8ea
    59c31790d5248e551543efd36684b12b687df55cbeaa36b8c31decf686980f42
    ssdeep: 768:0RMJi8jDLIDSAaQFxfftjaLacmkLGKOq:0RMJbDMDSA7FxffJaLaSLG9q

    PEiD..: -
    TrID..: File type identification
    Win32 Executable MS Visual C++ (generic) (65.2%)
    Win32 Executable Generic (14.7%)
    Win32 Dynamic Link Library (generic) (13.1%)
    Generic Win/DOS Executable (3.4%)
    DOS Executable Generic (3.4%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x54ad
    timedatestamp.....: 0x480251a8 (Sun Apr 13 18:32:08 2008)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x520e 0x5400 5.95 099b53205ad3f1c3b853a5310d08a9b1
    .data 0x7000 0x14c 0x200 1.86 0bb948f267e82975313a03d8c0e8a1cf
    .rsrc 0x8000 0xb50 0xc00 3.27 bac832e39f87c4f5f640e5d5c6a1c2fc

    ( 9 imports )
    > USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
    > ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
    > CRYPT32.dll: CryptProtectData
    > WINSPOOL.DRV: SpoolerInit
    > ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, RtlConvertSidToUnicodeString, NtQueryInformationToken
    > NETAPI32.dll: DsGetDcNameW, NetApiBufferFree
    > WLDAP32.dll: -, -, -, -, -, -
    > msvcrt.dll: __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _XcptFilter, _exit, _c_exit, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _cexit, exit
    > KERNEL32.dll: CompareFileTime, LoadLibraryW, GetProcAddress, FreeLibrary, lstrcpyW, CreateProcessW, lstrlenW, GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, ExpandEnvironmentStringsW, SearchPathW, GetLastError, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, SetEvent, OpenEventW, Sleep, SetEnvironmentVariableW

    ( 0 exports )

    ThreatExpert info: http://www.threatexpert.com/report.a...16d24ec7380f89


    For c:\windows\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\userinit.exe:

    Antivirus Version Last Update Result
    a-squared 4.0.0.101 2009.03.23 -
    AhnLab-V3 5.0.0.2 2009.03.23 -
    AntiVir 7.9.0.120 2009.03.23 -
    Authentium 5.1.2.4 2009.03.23 -
    Avast 4.8.1335.0 2009.03.23 -
    AVG 8.5.0.283 2009.03.23 -
    BitDefender 7.2 2009.03.23 -
    CAT-QuickHeal 10.00 2009.03.23 -
    ClamAV 0.94.1 2009.03.23 -
    Comodo 1082 2009.03.23 -
    DrWeb 4.44.0.09170 2009.03.23 -
    eSafe 7.0.17.0 2009.03.23 -
    eTrust-Vet 31.6.6412 2009.03.23 -
    F-Prot 4.4.4.56 2009.03.23 -
    F-Secure 8.0.14470.0 2009.03.23 -
    Fortinet 3.117.0.0 2009.03.23 -
    GData 19 2009.03.23 -
    Ikarus T3.1.1.48.0 2009.03.23 -
    K7AntiVirus 7.10.678 2009.03.21 -
    Kaspersky 7.0.0.125 2009.03.23 -
    McAfee 5561 2009.03.22 -
    McAfee+Artemis 5561 2009.03.22 -
    McAfee-GW-Edition 6.7.6 2009.03.23 -
    Microsoft 1.4502 2009.03.23 -
    NOD32 3953 2009.03.21 -
    Norman 6.00.06 2009.03.23 -
    nProtect 2009.1.8.0 2009.03.23 -
    Panda 10.0.0.10 2009.03.22 -
    PCTools 4.4.2.0 2009.03.23 -
    Prevx1 V2 2009.03.23 -
    Rising 21.22.02.00 2009.03.23 -
    Sophos 4.39.0 2009.03.23 -
    Sunbelt 3.2.1858.2 2009.03.22 -
    Symantec 1.4.4.12 2009.03.23 -
    TheHacker 6.3.3.4.287 2009.03.23 -
    TrendMicro 8.700.0.1004 2009.03.23 -
    ViRobot 2009.3.23.1660 2009.03.23 -
    VirusBuster 4.6.5.0 2009.03.22 -
    Additional information
    File size: 26112 bytes
    MD5...: a93aee1928a9d7ce3e16d24ec7380f89
    SHA1..: 513f8bdf67a5a9e09803cfb61f590b39f2683853
    SHA256: 944cd2135e171af338352568aa7fe1b8004733a4281395ad6723e0cf43d5f53f
    SHA512: b4df088a96dda785b1a2edb32ef72554fb8000d01a29668f0da0614f6100c8ea
    59c31790d5248e551543efd36684b12b687df55cbeaa36b8c31decf686980f42
    ssdeep: 768:0RMJi8jDLIDSAaQFxfftjaLacmkLGKOq:0RMJbDMDSA7FxffJaLaSLG9q

    PEiD..: -
    TrID..: File type identification
    Win32 Executable MS Visual C++ (generic) (65.2%)
    Win32 Executable Generic (14.7%)
    Win32 Dynamic Link Library (generic) (13.1%)
    Generic Win/DOS Executable (3.4%)
    DOS Executable Generic (3.4%)
    PEInfo: PE Structure information

    ( base data )
    entrypointaddress.: 0x54ad
    timedatestamp.....: 0x480251a8 (Sun Apr 13 18:32:08 2008)
    machinetype.......: 0x14c (I386)

    ( 3 sections )
    name viradd virsiz rawdsiz ntrpy md5
    .text 0x1000 0x520e 0x5400 5.95 099b53205ad3f1c3b853a5310d08a9b1
    .data 0x7000 0x14c 0x200 1.86 0bb948f267e82975313a03d8c0e8a1cf
    .rsrc 0x8000 0xb50 0xc00 3.27 bac832e39f87c4f5f640e5d5c6a1c2fc

    ( 9 imports )
    > USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW, LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout, SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx, CharNextW
    > ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW, DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW, GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey, RegQueryValueExA
    > CRYPT32.dll: CryptProtectData
    > WINSPOOL.DRV: SpoolerInit
    > ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint, wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp, memmove, RtlConvertSidToUnicodeString, NtQueryInformationToken
    > NETAPI32.dll: DsGetDcNameW, NetApiBufferFree
    > WLDAP32.dll: -, -, -, -, -, -
    > msvcrt.dll: __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv, _XcptFilter, _exit, _c_exit, __p__commode, __p__fmode, __set_app_type, _except_handler3, _controlfp, _cexit, exit
    > KERNEL32.dll: CompareFileTime, LoadLibraryW, GetProcAddress, FreeLibrary, lstrcpyW, CreateProcessW, lstrlenW, GetVersionExW, LocalFree, LocalAlloc, GetEnvironmentVariableW, CloseHandle, lstrcatW, WaitForSingleObject, DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA, SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess, GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc, GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority, ExpandEnvironmentStringsW, SearchPathW, GetLastError, CreateThread, GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW, lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId, SetEvent, OpenEventW, Sleep, SetEnvironmentVariableW

    ( 0 exports )

    ThreatExpert info: http://www.threatexpert.com/report.aspx?md5=a93aee1928a9d7ce3e16d24ec7380f89



    Re: malwarebytes, the update function won't work - it fails to connect to the site, so I am running it without update. I'm not sure if there is any way round this.

    I'll post the rest of the info when I get it (scan running now).

    regds
    Simon
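To reproduce the parts of a VirusTotal report that matter for the comparison in the post above (size, MD5/SHA-1/SHA-256, and the per-section entropy in the ntrpy column) without uploading anything, here is an added example in Python; it is not code from this thread or from VirusTotal. It parses only the PE section table, the two-section PE it builds for itself is a constructed test input rather than a real binary, and KNOWN_USERINIT_MD5 is the value the report above shows. Pass a file path to hash a real binary.

```python
"""Hashes and per-section entropy of a PE file, offline, plus comparison of two
copies (added example; not forum code or VirusTotal's implementation)."""
import hashlib
import math
import struct
import sys

# MD5 that VirusTotal reported for both userinit.exe copies in this thread.
KNOWN_USERINIT_MD5 = "a93aee1928a9d7ce3e16d24ec7380f89"


def digests(data):
    """MD5/SHA-1/SHA-256 of a byte string: the first three hashes a VT report lists."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def shannon_entropy(data):
    """Bits per byte, 0.0 (constant) to 8.0 (uniform); VT's 'ntrpy' column.
    Packed or encrypted sections sit near 8, plain compiled code around 6."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(data):
    """(name, virtual address, raw size, entropy) for each section header.
    Minimal PE/COFF parsing: enough to reach the section table, nothing else."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    n_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]  # SizeOfOptionalHeader
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(n_sections):
        hdr = table + 40 * i
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append((name, vaddr, raw_size, round(shannon_entropy(raw), 2)))
    return sections


def same_file(a, b):
    """True when two copies are byte-identical; all three digests must agree."""
    return len(a) == len(b) and digests(a) == digests(b)


def build_sample_pe():
    """Constructed two-section PE image used as test input (not a real binary)."""
    text = bytes(range(256)) * 2          # uniform bytes: entropy 8.0
    data = b"\0" * 512                    # zero-filled: entropy 0.0
    pe_off = 0x40
    table = pe_off + 24                   # SizeOfOptionalHeader is 0 in this sample
    raw0 = table + 40 * 2
    raw1 = raw0 + len(text)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", pe_off)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 0, 0)

    def section(name, vaddr, raw, ptr):
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, ... , Characteristics
        return name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", len(raw), vaddr, len(raw), ptr, 0, 0, 0, 0, 0x60000020)

    return (dos + coff + section(b".text", 0x1000, text, raw0)
            + section(b".data", 0x2000, data, raw1) + text + data)


if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    print("size:", len(blob), digests(blob))
    print("matches VT userinit.exe MD5:", digests(blob)["md5"] == KNOWN_USERINIT_MD5)
    for name, vaddr, size, ent in pe_sections(blob):
        print(f"{name:8} va=0x{vaddr:x} raw=0x{size:x} entropy={ent}")
```

Identical digests across both copies, as in the two reports, mean the SoftwareDistribution\Download copy is the same binary Windows Update staged rather than a replacement, and a .text entropy of 5.95 is in the normal range for unpacked compiler output. When checking against a published hash, compare SHA-256 rather than MD5, since MD5 collisions are practical to construct.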

  8. #8
    Security Expert: Emeritus Blade81
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    25,288

    Default

    Ok. I'll get back to this when you have other reports ready

  9. #9
    Junior Member
    Join Date
    Jan 2009
    Posts
    19

    Default More reports

    Hi Blade81,

    Here are some more reports. I haven't been able to run the final Kaspersky scan yet due to Java install issues on the PC. I am sorting these out and will post it shortly.

    Malwarebytes log:
    (I have changed the actual username to {USER1} to protect my friend's privacy)

    Malwarebytes' Anti-Malware 1.34
    Database version: 1749
    Windows 5.1.2600 Service Pack 3

    2009-03-26 17:28:54
    mbam-log-2009-03-26 (17-28-53).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 266452
    Time elapsed: 6 hour(s), 7 minute(s), 36 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 49
    Registry Values Infected: 1
    Registry Data Items Infected: 0
    Folders Infected: 26
    Files Infected: 603

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Delete on reboot.

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\CLSID\{168dc258-1455-4e61-8590-9dac2f27b675} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{1a8642f1-dc80-4edc-a39d-0fb62a58b455} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{3f91eb90-ef62-44ee-a685-fac29af111cd} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{5c29c7e4-5321-4cad-be2e-877666bed5df} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{77ab5974-55a3-4737-9fd5-b93c64307f78} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{83dfb6ee-ab18-41b5-86d4-b544a141d67e} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{88d6cf0e-cf70-4c24-bf6e-e4e414bc649c} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{8f6a82a2-d7b1-443e-bb9f-f7dc887dd618} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9856e2d8-ffb2-4fe5-8cad-d5ad6a35a804} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a3d06987-c35e-49e4-8fe2-ac67b9fbfb4c} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a58c497b-3ee2-45e7-9594-daca6be2a0d0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ad0a3058-fd49-4f98-a514-fd055201835e} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{ad5915ea-b61a-4dba-b5c8-ef4b2df0a3c7} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{b15fd82e-85bc-430d-90cb-65db1b030510} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{bb187c0d-6f53-4f3e-9590-98fd3a7364a2} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{c5041fd9-4819-4dc4-b20e-c950b5b03d2a} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{d17726cc-d4dd-4c4a-9671-471d56e413b5} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{db8cce99-59c6-4552-8bfc-058feb38d6ce} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{dc3a04ee-cdd7-4407-915c-a5502f97eecd} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{e1a63484-a022-4d42-830a-fbd411514440} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{e282c728-189d-419e-8ee2-1601f4b39ba5} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{f0d4b23a-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{f0d4b23c-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{f0d4b230-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\videoegg.activexloader (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\videoegg.activexloader.1 (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77ab5974-55a3-4737-9fd5-b93c64307f78} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{af2e62b6-f9e1-4d4f-a10a-9dc8e6dcbcc0} (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdss.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xcommsvr.exe (Security.Hijack) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77ab5974-55a3-4737-9fd5-b93c64307f78} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f0d4b231-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{f0d4b23b-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@videoegg.com/publisher,version=0.2.0 (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\MozillaPlugins\@videoegg.com/updater,version=0.2.0 (Adware.VideoEgg) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\phkwnqcg (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\phkwnqcg (Rootkit.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\phkwnqcg (Rootkit.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa} (Adware.AskSBAR) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    C:\Documents and Settings\All Users\Application Data\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Data (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Data\Resources (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Data\Resources\gid329 (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Data\Resources\gid329\cid1124 (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Data\Resources\gid329\cid1124\bebo03 (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Data\Resources\gid329\cid1124\bebo03\images (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\4152 (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\4152\resources (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\4152\resources\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\4152\resources\VideoEgg\images (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\4152\resources\VideoEgg\messages (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\4152\resources\gid329 (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\4152\resources\gid329\cid1124 (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\4152\resources\gid329\cid1124\bebo03 (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\4152\resources\gid329\cid1124\bebo03\images (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\4520 (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\4520\resources (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\messages (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Updater (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Updater\2663 (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Updater\4458 (Adware.VideoEgg) -> Quarantined and deleted successfully.

    Files Infected:
    C:\Documents and Settings\All Users\Application Data\VideoEgg\user.dat (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Data\Resources\gid329\cid1124\bebo03\images\aol_watermark.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Data\Resources\gid329\cid1124\bebo03\images\audio_combo.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Data\Resources\gid329\cid1124\bebo03\images\audio_source.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
    .
    .
    .

    loads of these removed to save space

    .
    .
    .
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\webcam_slide.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\images\webcams_title.png (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\4520\resources\VideoEgg\messages\messages.en-US.bundle (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\4520\zlib.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Publisher\publisher.ver (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Updater\2663\libcurlve.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Updater\2663\updater.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Updater\4458\libcurlve.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Updater\4458\updater.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Updater\VideoEggBroker.exe (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Documents and Settings\{USER1}\Application Data\VideoEgg\Updater\updater.ver (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Program Files\AskSBar\bar\1.bin\A2HIGHIN.EXE (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\AskSBar\bar\1.bin\A2PLUGIN.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\AskSBar\bar\1.bin\ASKSBAR.DLL (Adware.AskSBAR) -> Delete on reboot.
    C:\Program Files\AskSBar\bar\1.bin\NPASKSBR.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\Mozilla Firefox\plugins\NPAskSBr.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Program Files\VideoEgg\Loader\2663\npvideoegg-loader.dll (Adware.VideoEgg) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\chert5-998.exe.vir (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\seneka.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\senekafdomlquq.sys.vir (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\fcccyVlJ.dll.vir.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\senekagomylyab.dll.vir (Trojan.Seneka) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\senekarnlnfutd.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\Qoobox\Quarantine\C\WINDOWS\system32\senekaxfuwprmj.dll.vir (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{4BF2C15B-24E1-4387-A592-E87432727BAE}\RP871\A0505022.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{4BF2C15B-24E1-4387-A592-E87432727BAE}\RP871\A0505023.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{4BF2C15B-24E1-4387-A592-E87432727BAE}\RP871\A0505024.dll (Trojan.Seneka) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{4BF2C15B-24E1-4387-A592-E87432727BAE}\RP871\A0505025.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{4BF2C15B-24E1-4387-A592-E87432727BAE}\RP871\A0505060.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{4BF2C15B-24E1-4387-A592-E87432727BAE}\RP871\A0505062.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{4BF2C15B-24E1-4387-A592-E87432727BAE}\RP871\A0505279.exe (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{4BF2C15B-24E1-4387-A592-E87432727BAE}\RP871\A0505280.exe (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{4BF2C15B-24E1-4387-A592-E87432727BAE}\RP871\A0505281.exe (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\System Volume Information\_restore{4BF2C15B-24E1-4387-A592-E87432727BAE}\RP871\A0505282.exe (Rogue.Installer) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\bhryismg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\bkasoemj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ccqcnksw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\chscncws.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\drivers\foubfhsx.sys (Rootkit.Agent) -> Delete on reboot.
    C:\WINDOWS\system32\dtqcjmcs.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\dwiiitky.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\eiwbewdi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\eqgbcvhh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ffkuz.dll (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\fhblnsgk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\haonyg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hpgtcwmo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\iiexlymh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ijwoaimb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\itspsn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jilixvyu.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jwlasfpi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\jxhqholo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\khfhhd.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lbywnoii.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lcwoiuyj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lrbvlylb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mlpkfn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\mswonrmn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\murvpk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\nflafj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\oafhvvhb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ollfflya.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\oxvvroiv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\qoMfcBTn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\quxhvngh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\rwktcf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\urglkxwb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wapjlr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wdcdoade.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wifateit.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wpalkidj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\wpwdht.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xcejyhxh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xhpykeic.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\xxvnjcve.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ytfkpkok.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\ywnqdhvv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\yyihtmhx.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    HJT log run after Malwarebytes run:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:35, on 2009-03-26
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\TalkTalk\bin\sprtcmd.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\SpywareDetector\SDActiveMonitor.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\SpywareDetector\SDMainService.exe
    C:\Program Files\SpywareDetector\SDService.exe
    C:\Program Files\TalkTalk\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Simon Anti-malware\HiJackThis.exe
    C:\WINDOWS\system32\wuauclt.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=2057
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [Xjevo] rundll32.exe "C:\WINDOWS\oretibux.dll",e
    O4 - HKLM\..\Run: [SDActiveMonitor] C:\Program Files\SpywareDetector\SDActiveMonitor.exe -AUTO
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
    O4 - Global Startup: FreeventsSchedule.lnk = C:\Freevents\FreeventsSchedule.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
    O15 - Trusted Zone: *.antimalwareguard.com
    O15 - Trusted Zone: *.gomyhit.com
    O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
    O15 - Trusted Zone: *.gomyhit.com (HKLM)
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SDMainSvc - Max Secure Software - C:\Program Files\SpywareDetector\SDMainService.exe
    O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    --
    End of file - 13834 bytes

    HJT log run after I checked and removed the entries you suggested:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:38, on 2009-03-26
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16791)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe
    C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
    C:\Program Files\TalkTalk\bin\sprtcmd.exe
    C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    C:\Program Files\SpywareDetector\SDActiveMonitor.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\SpywareDetector\SDMainService.exe
    C:\Program Files\SpywareDetector\SDService.exe
    C:\Program Files\TalkTalk\bin\sprtsvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Simon Anti-malware\HiJackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://securityresponse.symantec.com.../fix_homepage/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=2057
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    R3 - URLSearchHook: (no name) - {0579B4B6-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: Ask Search Assistant BHO - {0579B4B1-0293-4d73-B02D-5EBB0BA0F0A2} - C:\Program Files\AskSBar\SrchAstt\1.bin\A2SRCHAS.DLL
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
    O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
    O4 - HKLM\..\Run: [TalkTalk] "C:\Program Files\TalkTalk\bin\sprtcmd.exe" /P TalkTalk
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [Xjevo] rundll32.exe "C:\WINDOWS\oretibux.dll",e
    O4 - HKLM\..\Run: [SDActiveMonitor] C:\Program Files\SpywareDetector\SDActiveMonitor.exe -AUTO
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: FreeventsSchedule.lnk = C:\Freevents\FreeventsSchedule.exe
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
    O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab56986.cab
    O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
    O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: SDMainSvc - Max Secure Software - C:\Program Files\SpywareDetector\SDMainService.exe
    O23 - Service: SDService - Max Secure Software - C:\Program Files\SpywareDetector\SDService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SupportSoft Sprocket Service (TalkTalk) (sprtsvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\TalkTalk\bin\sprtsvc.exe
    O23 - Service: SupportSoft RemoteAssist - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\ssrc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SupportSoft Repair Service (TalkTalk) (tgsrvc_TalkTalk) - SupportSoft, Inc. - C:\Program Files\Common Files\Supportsoft\bin\tgsrvc.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    --
    End of file - 13426 bytes

    More to follow

  10. #10
    Junior Member
    Join Date
    Jan 2009
    Posts
    19

    Default Yet more reports

    Hi Blade81,

    I have the log from running CFScript against ComboFix but it is 440KB in size and won't fit into a post. Do you want me to split it and submit it across several posts or is there some other way of getting it to you?

    regds
    Simon
