Hello again people.

**Dunc1988** · 2008-05-21, 13:08

Sorry for the lateness of this reply. I was only able to delete the folder C:\WINDOWS\system32\673351\

All others would not be deleted. I've followed all your other instructions however and here is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:17, on 21/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\INTEL\DSLSetup\ProDsl.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\belkin\Bluetooth Software\BTTray.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\belkin\Bluetooth Software\BTStackServer.exe
C:\Program Files\Trend Micro\HijackThis\Dunc1988.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer provided by BT Openworld
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {ACE9226B-8B9A-42E3-8327-4568730E7B8C} - C:\WINDOWS\system32\xxyxWOig.dll
O2 - BHO: (no name) - {BE0FF150-C7FC-4E37-8F92-4E9AF1389238} - C:\WINDOWS\system32\qoMdaArR.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [DSL Connection Manager] C:\Program Files\INTEL\DSLSetup\ProDsl.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BUFFALO NAS Navigator.lnk = C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1189076179156
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O20 - Winlogon Notify: qoMdaArR - C:\WINDOWS\SYSTEM32\qoMdaArR.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: MEMEOI~1|Memeo AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 9390 bytes

**pskelley** · 2008-05-21, 14:31

Thanks for returning your information and the feedback.

All others would not be deleted. I've followed all your other instructions however and here is my HJT log:

I understand, just hoping. This is another infection called http://en.wikipedia.org/wiki/Vundo_trojan here is a little more information about it when time permits:
http://www.networkworld.com/news/200...-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks...q=winfixer+msn

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingcomputer.com/comb...o-use-combofix

Thanks

**Dunc1988** · 2008-05-21, 15:06

ComboFix 08-05-20.5 - Compaq_Owner 2008-05-21 13:35:39.1 - NTFSx86
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\6SBXGHGZ\www.broadcaster.com
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\6SBXGHGZ\www.broadcaster.com\played_list.sol
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\#SharedObjects\6SBXGHGZ\www.broadcaster.com\video_queue.sol
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Compaq_Owner\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\resources\VolumeSys.dll
C:\WINDOWS\system32\beefOXyb.ini
C:\WINDOWS\system32\beefOXyb.ini2
C:\WINDOWS\system32\bnxgermy.ini
C:\WINDOWS\system32\deLklnmp.ini
C:\WINDOWS\system32\deLklnmp.ini2
C:\WINDOWS\system32\giOWxyxx.ini
C:\WINDOWS\system32\giOWxyxx.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qpbktyxa.ini
C:\WINDOWS\system32\ueucatkj.ini
C:\WINDOWS\system32\ymregxnb.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-20 15:51 . 2008-05-20 16:39 3,256 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-20 15:50 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-20 15:50 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-20 15:50 . 2008-05-15 23:22 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-20 15:50 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-20 15:50 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-20 15:50 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-20 15:50 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-20 15:50 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-20 15:45 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-20 15:42 . 2008-05-20 15:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-20 15:25 . 2008-05-20 15:25 0 --a------ C:\WINDOWS\system32\REN2B.tmp
2008-05-20 15:25 . 2008-05-20 15:25 0 --a------ C:\WINDOWS\system32\REN2A.tmp
2008-05-20 13:41 . 2008-05-20 13:41 319,360 --a------ C:\WINDOWS\system32\xxyxWOig.dll
2008-05-20 13:16 . 2008-05-20 13:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-20 12:14 . 2008-05-20 12:14 91,264 --a------ C:\WINDOWS\system32\axytkbpq.dll
2008-05-20 12:13 . 2008-05-20 12:13 319,360 --a------ C:\WINDOWS\system32\pmnlkLed.dll_old
2008-05-20 11:58 . 2008-05-20 11:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-20 10:44 . 2008-05-20 10:47 144 --a------ C:\WINDOWS\wininit.ini
2008-05-20 09:47 . 2008-05-20 09:47 91,264 --a------ C:\WINDOWS\system32\jktacueu.dll
2008-05-19 21:23 . 2008-05-19 21:23 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\TmpRecentIcons
2008-05-19 20:08 . 2008-05-19 20:08 <DIR> d-------- C:\Program Files\KvmSecure
2008-05-19 19:28 . 2008-05-19 19:28 29,824 --a------ C:\WINDOWS\system32\geBqNdAS.dll
2008-05-19 19:22 . 2008-05-19 16:48 176,128 --a------ C:\WINDOWS\gnowmebk.dll
2008-05-19 19:22 . 2008-05-19 16:48 155,648 --------- C:\WINDOWS\gktxaspm.dll_old
2008-05-19 19:22 . 2008-05-19 16:48 94,208 --a------ C:\WINDOWS\ednb.exe
2008-05-19 19:22 . 2008-05-19 16:48 81,920 --a------ C:\WINDOWS\mdtgkswr.exe
2008-05-19 19:22 . 2008-05-19 19:22 29,824 --a------ C:\WINDOWS\system32\qoMdaArR.dll
2008-05-15 15:49 . 2008-05-15 15:49 <DIR> d-------- C:\Program Files\Power Tab Software
2008-05-13 02:53 . 2008-05-13 02:53 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-05-13 02:53 . 2008-05-13 02:53 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-05-13 02:51 . 2008-05-13 02:51 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-05-13 02:51 . 2008-05-13 02:51 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-05-13 02:49 . 2008-05-13 02:49 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-13 02:49 . 2008-05-13 02:49 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-04-25 18:21 . 2008-05-16 12:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-25 18:21 . 2008-04-25 18:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-22 17:11 . 2008-04-22 17:45 <DIR> d-------- C:\Program Files\PKR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 12:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-20 15:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-20 14:45 --------- d-----w C:\Program Files\Java
2008-05-20 08:38 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\uTorrent
2008-05-19 17:53 --------- d-----w C:\Program Files\DivX
2008-05-17 17:32 --------- d-----w C:\Program Files\LimeWire
2008-05-15 11:12 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-15 11:12 --------- d-----w C:\Program Files\SpywareBlaster
2008-05-14 11:13 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-05-13 01:53 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-10 02:23 --------- d-----w C:\Program Files\uTorrent
2008-04-16 09:58 --------- d-----w C:\Program Files\SpywareGuard
2008-04-07 12:32 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\DVD Profiler
2008-04-07 12:28 --------- d-----w C:\Program Files\DVD Profiler
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\dllcache\win32k.sys
2008-03-09 01:55 827,392 ----a-w C:\WINDOWS\~DFDA34.tmp
2008-03-01 17:36 3,591,680 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-29 08:55 70,656 ----a-w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2008-02-29 08:55 625,664 ----a-w C:\WINDOWS\system32\dllcache\iexplore.exe
2008-02-22 10:00 13,824 ----a-w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-19 09:44 52,000 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-02-12 11:47 87,608 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\ezpinst.exe
2007-02-12 11:47 47,360 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\pcouffin.sys
2007-01-19 10:10 8,288 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\ViewerApp.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-25 04:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-31 07:51 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACE9226B-8B9A-42E3-8327-4568730E7B8C}]
2008-05-20 13:41 319360 --a------ C:\WINDOWS\system32\xxyxWOig.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE0FF150-C7FC-4E37-8F92-4E9AF1389238}]
2008-05-19 19:22 29824 --a------ C:\WINDOWS\system32\qoMdaArR.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA953D6C-40AD-44A6-A4BD-1DD68CB41151}]
2008-05-21 13:52 318848 --a------ C:\WINDOWS\system32\opnlJaxX.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll" [2007-08-25 04:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 04:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 00:04 52736]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-15 04:43 233472]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 05:54 253952]
"DSL Connection Manager"="C:\Program Files\INTEL\DSLSetup\ProDsl.exe" [2002-05-10 20:30 65536]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 15:43 57344]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 05:53 714608]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-07-15 18:31 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"2888bb35"="C:\WINDOWS\system32\sakruysg.dll" [2008-05-21 13:57 90240]

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-10 15:58:39 113664]
BUFFALO NAS Navigator.lnk - C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe [2007-05-11 15:49:20 1070648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-10 15:58:39 113664]
BTTray.lnk - C:\Program Files\belkin\Bluetooth Software\BTTray.exe [2002-04-22 13:26:50 254009]
ExifLauncher2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-08-02 11:56:08 303104]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2005-09-02 17:41:03 151552]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2005-09-02 17:40:59 106496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BE0FF150-C7FC-4E37-8F92-4E9AF1389238}"= C:\WINDOWS\system32\qoMdaArR.dll [2008-05-19 19:22 29824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMdaArR]
qoMdaArR.dll 2008-05-19 19:22 29824 C:\WINDOWS\system32\qoMdaArR.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\opnlJaxX

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 17:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\BUFFALO\\NASNAVI\\NasNavi.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9616:TCP"= 9616:TCP:BitComet 9616 TCP
"9616:UDP"= 9616:UDP:BitComet 9616 UDP

R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-12-15 17:31]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
S2 P32LOAD;Intel(R) AnyPoint(R) 3240 USB Modem Firmware Loader;C:\WINDOWS\system32\DRIVERS\p31usbld.sys [2002-04-24 00:15]
S3 606218df-91ce-4995-b7f3-d7aa2b75f7ad;606218df-91ce-4995-b7f3-d7aa2b75f7ad;E:\Player\cds300.dll []
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 22:32]
S3 PRO3200P;Intel(R) USB ADSL Modem;C:\WINDOWS\system32\DRIVERS\p32d2kP.sys [2002-04-27 05:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2b0590e-94b5-11d9-bdb5-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa1eaa6b-91cf-11dc-80be-0011d8d65484}]
\Shell\AutoRun\command - J:\InstallTomTomHOME.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-18 18:57:25 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Compaq_Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe
"2008-05-18 17:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy.job"
- C:\PROGRA~1\SPYBOT~1\SpybotSD.exe
"2008-05-21 12:57:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 13:47:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\XxaJlnpo.ini 344 bytes
C:\WINDOWS\system32\XxaJlnpo.ini2 344 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\qoMdaArR.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\sakruysg.dll
-> C:\WINDOWS\system32\opnlJaxX.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\belkin\Bluetooth Software\BTStackServer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-21 13:58:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-21 12:58:29

Pre-Run: 110,183,702,528 bytes free
Post-Run: 110,399,131,648 bytes free

237 --- E O F --- 2008-05-17 02:04:28

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:04:50, on 21/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\INTEL\DSLSetup\ProDsl.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\FinePixViewer\QuickDCF2.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Trend Micro\HijackThis\Dunc1988.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {ACE9226B-8B9A-42E3-8327-4568730E7B8C} - C:\WINDOWS\system32\xxyxWOig.dll
O2 - BHO: (no name) - {BE0FF150-C7FC-4E37-8F92-4E9AF1389238} - C:\WINDOWS\system32\qoMdaArR.dll
O2 - BHO: (no name) - {EA953D6C-40AD-44A6-A4BD-1DD68CB41151} - C:\WINDOWS\system32\opnlJaxX.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [DSL Connection Manager] C:\Program Files\INTEL\DSLSetup\ProDsl.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [2888bb35] rundll32.exe "C:\WINDOWS\system32\sakruysg.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BUFFALO NAS Navigator.lnk = C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1189076179156
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O20 - Winlogon Notify: qoMdaArR - C:\WINDOWS\SYSTEM32\qoMdaArR.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: MEMEOI~1|Memeo AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 10149 bytes

All instructions followed.

Thanks.

**Dunc1988** · 2008-05-21, 15:21

Just as a quick note. Something is now trying to open browser windows to a 'spyware master' which I'm obviously closing and disconnecting from the net while I wait for your reply. My PC is also now suffering some major slowdown and multiple processes I don't recognize are now running.

Thanks,

Dunc

**pskelley** · 2008-05-21, 15:32

Thanks for returning your information, proceed like this:

Can you assure me this is a valid program:
C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe

We have some tough files, follow the directions carefully. Everytime there is a problem with the CFScript it is because the member rushed and did not take the time to execute the steps properly, please do not make that mistake.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open notepad and copy/paste the text in the codebox below into it:

Code:

File::
C:\WINDOWS\system32\xxyxWOig.dll
C:\WINDOWS\system32\qoMdaArR.dll
C:\WINDOWS\system32\opnlJaxX.dll
C:\WINDOWS\system32\sakruysg.dll
C:\WINDOWS\system32\axytkbpq.dll
C:\WINDOWS\system32\pmnlkLed.dll_old
C:\WINDOWS\system32\jktacueu.dll
C:\WINDOWS\system32\geBqNdAS.dll
C:\WINDOWS\gnowmebk.dll
C:\WINDOWS\gktxaspm.dll_old
C:\WINDOWS\ednb.exe
C:\WINDOWS\mdtgkswr.exe

Save this as CFScript

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {ACE9226B-8B9A-42E3-8327-4568730E7B8C} - C:\WINDOWS\system32\xxyxWOig.dll
O2 - BHO: (no name) - {BE0FF150-C7FC-4E37-8F92-4E9AF1389238} - C:\WINDOWS\system32\qoMdaArR.dll
O2 - BHO: (no name) - {EA953D6C-40AD-44A6-A4BD-1DD68CB41151} - C:\WINDOWS\system32\opnlJaxX.dll
O4 - HKLM\..\Run: [2888bb35] rundll32.exe "C:\WINDOWS\system32\sakruysg.dll",b
O20 - Winlogon Notify: qoMdaArR - C:\WINDOWS\SYSTEM32\qoMdaArR.dll

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the combofix report, a new HJT log and your feedback.

Thanks

**Dunc1988** · 2008-05-21, 16:44

One combofix report sir:

ComboFix 08-05-20.5 - Compaq_Owner 2008-05-21 14:39:08.2 - NTFSx86
Running from: C:\Documents and Settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Compaq_Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\ednb.exe
C:\WINDOWS\gktxaspm.dll_old
C:\WINDOWS\gnowmebk.dll
C:\WINDOWS\mdtgkswr.exe
C:\WINDOWS\system32\axytkbpq.dll
C:\WINDOWS\system32\geBqNdAS.dll
C:\WINDOWS\system32\jktacueu.dll
C:\WINDOWS\system32\opnlJaxX.dll
C:\WINDOWS\system32\pmnlkLed.dll_old
C:\WINDOWS\system32\qoMdaArR.dll
C:\WINDOWS\system32\sakruysg.dll
C:\WINDOWS\system32\xxyxWOig.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\ednb.exe
C:\WINDOWS\gktxaspm.dll_old
C:\WINDOWS\gnowmebk.dll
C:\WINDOWS\mdtgkswr.exe
C:\WINDOWS\system32\axytkbpq.dll
C:\WINDOWS\system32\geBqNdAS.dll
C:\WINDOWS\system32\giOWxyxx.ini
C:\WINDOWS\system32\giOWxyxx.ini2
C:\WINDOWS\system32\gsyurkas.ini
C:\WINDOWS\system32\jktacueu.dll
C:\WINDOWS\system32\opnlJaxX.dll
C:\WINDOWS\system32\pmnlkLed.dll_old
C:\WINDOWS\system32\qoMdaArR.dll
C:\WINDOWS\system32\rbpfsgng.ini
C:\WINDOWS\system32\sakruysg.dll
C:\WINDOWS\system32\XxaJlnpo.ini
C:\WINDOWS\system32\xxyxWOig.dll
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-21 14:59 . 2008-05-21 14:59 294 ---hs---- C:\WINDOWS\system32\rbpfsgng.ini
2008-05-21 14:18 . 2008-05-21 14:18 90,240 --a------ C:\WINDOWS\system32\gngsfpbr.dll
2008-05-20 15:51 . 2008-05-20 16:39 3,256 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-20 15:50 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-05-20 15:50 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-05-20 15:50 . 2008-05-15 23:22 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-05-20 15:50 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-05-20 15:50 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\404Fix.exe
2008-05-20 15:50 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-05-20 15:50 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-05-20 15:50 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-05-20 15:45 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-20 15:42 . 2008-05-20 15:42 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-20 15:25 . 2008-05-20 15:25 0 --a------ C:\WINDOWS\system32\REN2B.tmp
2008-05-20 15:25 . 2008-05-20 15:25 0 --a------ C:\WINDOWS\system32\REN2A.tmp
2008-05-20 13:16 . 2008-05-20 13:16 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-20 11:58 . 2008-05-20 11:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-20 10:44 . 2008-05-20 10:47 144 --a------ C:\WINDOWS\wininit.ini
2008-05-19 21:23 . 2008-05-19 21:23 <DIR> d-------- C:\Documents and Settings\Compaq_Owner\Application Data\TmpRecentIcons
2008-05-19 20:08 . 2008-05-19 20:08 <DIR> d-------- C:\Program Files\KvmSecure
2008-05-15 15:49 . 2008-05-15 15:49 <DIR> d-------- C:\Program Files\Power Tab Software
2008-05-13 02:53 . 2008-05-13 02:53 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-05-13 02:53 . 2008-05-13 02:53 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-05-13 02:51 . 2008-05-13 02:51 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-05-13 02:51 . 2008-05-13 02:51 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-05-13 02:49 . 2008-05-13 02:49 161,096 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-05-13 02:49 . 2008-05-13 02:49 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-04-25 18:21 . 2008-05-16 12:05 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-25 18:21 . 2008-04-25 18:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-22 17:11 . 2008-04-22 17:45 <DIR> d-------- C:\Program Files\PKR

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-21 13:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-21 13:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-20 14:45 --------- d-----w C:\Program Files\Java
2008-05-20 08:38 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\uTorrent
2008-05-19 17:53 --------- d-----w C:\Program Files\DivX
2008-05-17 17:32 --------- d-----w C:\Program Files\LimeWire
2008-05-15 11:12 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-15 11:12 --------- d-----w C:\Program Files\SpywareBlaster
2008-05-14 11:13 --------- d-----w C:\Program Files\Lexmark X1100 Series
2008-05-13 01:53 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-05-10 02:23 --------- d-----w C:\Program Files\uTorrent
2008-04-16 09:58 --------- d-----w C:\Program Files\SpywareGuard
2008-04-07 12:32 --------- d-----w C:\Documents and Settings\Compaq_Owner\Application Data\DVD Profiler
2008-04-07 12:28 --------- d-----w C:\Program Files\DVD Profiler
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-09 01:55 827,392 ----a-w C:\WINDOWS\~DFDA34.tmp
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-11-19 09:44 52,000 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-02-12 11:47 87,608 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\ezpinst.exe
2007-02-12 11:47 47,360 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\pcouffin.sys
2007-01-19 10:10 8,288 ----a-w C:\Documents and Settings\Compaq_Owner\Application Data\ViewerApp.dat
.

((((((((((((((((((((((((((((( snapshot@2008-05-21_13.57.38.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-21 12:46:15 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-21 13:56:20 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-21 10:59:01 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-05-21 13:02:02 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-05-21 10:59:01 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-05-21 13:02:02 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2008-05-21 12:47:48 40,960 ----a-w C:\WINDOWS\Temp\rtdrvmon.exe
+ 2008-05-21 13:58:03 40,960 ----a-w C:\WINDOWS\Temp\rtdrvmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2007-08-25 04:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-01-31 07:51 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll" [2007-08-25 04:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [2007-08-25 04:51 316784]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-08 00:04 52736]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2004-04-15 04:43 233472]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2004-10-15 05:54 253952]
"DSL Connection Manager"="C:\Program Files\INTEL\DSLSetup\ProDsl.exe" [2002-05-10 20:30 65536]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 15:43 57344]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 05:53 714608]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-07-15 18:31 180269]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"2888bb35"="C:\WINDOWS\system32\gngsfpbr.dll" [2008-05-21 14:18 90240]

C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-10 15:58:39 113664]
BUFFALO NAS Navigator.lnk - C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe [2007-05-11 15:49:20 1070648]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-11-10 15:58:39 113664]
BTTray.lnk - C:\Program Files\belkin\Bluetooth Software\BTTray.exe [2002-04-22 13:26:50 254009]
ExifLauncher2.lnk - C:\Program Files\FinePixViewer\QuickDCF2.exe [2007-08-02 11:56:08 303104]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
Picture Package Menu.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe [2005-09-02 17:41:03 151552]
Picture Package VCD Maker.lnk - C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe [2005-09-02 17:40:59 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qoMdaArR]
qoMdaArR.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-06 23:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 17:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\BUFFALO\\NASNAVI\\NasNavi.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9616:TCP"= 9616:TCP:BitComet 9616 TCP
"9616:UDP"= 9616:UDP:BitComet 9616 UDP

R1 sdcplh;sdcplh;C:\WINDOWS\system32\drivers\sdcplh.sys [2005-12-15 17:31]
R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
S2 P32LOAD;Intel(R) AnyPoint(R) 3240 USB Modem Firmware Loader;C:\WINDOWS\system32\DRIVERS\p31usbld.sys [2002-04-24 00:15]
S3 606218df-91ce-4995-b7f3-d7aa2b75f7ad;606218df-91ce-4995-b7f3-d7aa2b75f7ad;E:\Player\cds300.dll []
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 22:32]
S3 PRO3200P;Intel(R) USB ADSL Modem;C:\WINDOWS\system32\DRIVERS\p32d2kP.sys [2002-04-27 05:23]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c2b0590e-94b5-11d9-bdb5-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe protect.ed 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fa1eaa6b-91cf-11dc-80be-0011d8d65484}]
\Shell\AutoRun\command - J:\InstallTomTomHOME.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-18 18:57:25 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Compaq_Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-05-18 17:00:00 C:\WINDOWS\Tasks\Spybot - Search & Destroy.job"
- C:\PROGRA~1\SPYBOT~1\SpybotSD.exe
"2008-05-21 14:12:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDetect.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 14:58:30
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\rbpfsgng.ini 294 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\gngsfpbr.dll
-> C:\PROGRA~1\Google\GOOGLE~1\GOOGLE~3.DLL
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-05-21 15:12:55 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-21 14:12:33
ComboFix2.txt 2008-05-21 12:59:04

Pre-Run: 110,358,237,184 bytes free
Post-Run: 110,342,983,680 bytes free

236 --- E O F --- 2008-05-17 02:04:28

One new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:36:28, on 21/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\INTEL\DSLSetup\ProDsl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\Dunc1988.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local.
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [DSL Connection Manager] C:\Program Files\INTEL\DSLSetup\ProDsl.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: BUFFALO NAS Navigator.lnk = C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary...r.cab31267.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10...y.cab32846.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1189076179156
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: MEMEOI~1|Memeo AutoBackup (BMUService) - Memeo - C:\Program Files\Memeo\AutoBackup\MemeoService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--
End of file - 9068 bytes

Problems seem to mostly have dissapeared. Just to keep you fully informed; after doing combofix I did the HJT scan only you asked me to do, and found only the o20 - Winlogon Notify: qoMdaArR - C:\WINDOWS\SYSTEM32\qoMdaArR.dll file(which I off course did the fix as per your instruction), all others were already gone. Hopefuly that's a good thing.

Thanks again as always.

**pskelley** · 2008-05-21, 17:17

You did not tell me what this was that I can see?

Can you assure me this is a valid program:
C:\Program Files\BUFFALO\NASNAVI\NasNavi.exe

The HJT log looks clean of malware, remove combofix and the c:\Qoobox\Quarantine\ folder from your computer.

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

**Dunc1988** · 2008-05-21, 17:23

Nasnavi is my External Hard Drive software...thing...it's cool as far as I know.

I can't do the Kaspersky scan currently via IE or Firefox. When attempting it via IE I'm told my 'Licence Has Expired' and that it 'Failed To Initialize'.

Cheers,

Dunc

**pskelley** · 2008-05-21, 17:25

Download Malwarebytes' Anti-Malware to your desktop.
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file in your next reply.

**Dunc1988** · 2008-05-22, 11:02

Another day, another log for your inspection sir,

Malwarebytes' Anti-Malware 1.12
Database version: 774

Scan type: Full Scan (C:\|)
Objects scanned: 119647
Time elapsed: 1 hour(s), 36 minute(s), 45 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 18
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\e405.e405mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\e405.e405mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\e405.e405mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\e405.e405mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\KvmSecure (Rogue.KVMSecure) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gktxaspm.bxsr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\gktxaspm.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\KvmSecure (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\Program Files\KvmSecure\Infected (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\Program Files\KvmSecure\Suspicious (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\KvmSecure (Rogue.KVMSecure) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\MSN Messenger\riched20.dll (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080520-173937-591.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1000\A0151984.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1000\A0151986.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP1000\A0151990.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP989\A0149998.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP996\A0151835.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP996\A0151836.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP996\A0151837.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{D8696F73-2D76-412A-A981-4300C43EF86F}\RP997\A0151909.dll (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Program Files\KvmSecure\vscan.tsi (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\Program Files\KvmSecure\zlib.dll (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Start Menu\Programs\KvmSecure\KvmSecure.lnk (Rogue.KVMSecure) -> Quarantined and deleted successfully.
C:\Documents and Settings\Compaq_Owner\Application Data\Microsoft\Internet Explorer\Quick Launch\KvmSecure.lnk (Rogue.KVMSecure) -> Quarantined and deleted successfully.

Cheers,

Dunc

Thread: Hello again people.

Thread Tools

Display

Posting Permissions