Help please - Browser going to wied search engines

D

dockerit

New member
I seem to have an intermittent problem with my browser - every now and again it goes to a wierd search engine ( different ones ) rather than to the site i selected from google.

Ive run both spybot and adaware

I use avast home edition and it has picked up 2 viruses - both locked safetly away in the secure chest - but it continues to happen - any one help ( please )

here is the logfile

thanks

Tony


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:16:02, on 15/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Auto Backup\VaultClientTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\2kgnxk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Auto Backup\VaultClientTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\2kgnxk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Common Files\Ahead\Lib\NeroScoutOptions.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Program Files\Common Files\Ahead\lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.meshcomputers.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4DFB9BE4-DE27-4E6E-A451-D4C83068757B} - c:\windows\system32\dmconfigc.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E1A55360-1A90-480D-B93B-E317830F1D41} - C:\WINDOWS\system32\cdralv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] C:\Program Files\CyberLink\PowerBackup\PBKScheduler.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TrayStartup] C:\Program Files\BT Auto Backup\VaultClientTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [2kgnxk] C:\WINDOWS\system32\2kgnxk.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKCU\..\Run: [2kgnxk] C:\WINDOWS\system32\2kgnxk.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-3538119436-1032828688-3854300513-1008\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Andrea')
O4 - HKUS\S-1-5-21-3538119436-1032828688-3854300513-1008\..\Run: [2kgnxk] C:\WINDOWS\system32\2kgnxk.exe (User 'Andrea')
O4 - HKUS\S-1-5-21-3538119436-1032828688-3854300513-1008\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" (User 'Andrea')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (first direct internet banking plus digital safe) - https://internetbankingplus1.firstdirect.co...frontdoorFD.cab
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://tonydockerill.spaces.msn.com//Photo...ad/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: xqdiiebh - C:\WINDOWS\SYSTEM32\dmconfigc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: BT Auto Backup Upgrade Service (VaultClientUpgrade) - BT - C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe

--
End of file - 14578 bytes
 
Hi dockerit

Please click this link-->Jotti

Copy/paste the first file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

C:\WINDOWS\system32\2kgnxk.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
 
Ok - as requested .....an thanks

Hi Shaba - hmmm this looks a bit rubbish doesnt it !!

Scan taken on 19 Apr 2008 11:12:47 (GMT)
A-Squared Found nothing
AntiVir Found TR/Crypt.Morphine.Gen
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found Packed.Morphine.C
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found a variant of Win32/Small.BB
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found Mal/TibsPak
VirusBuster Found nothing
VBA32 Found nothing

Help ???
 
missed a bit i think...

This was the top of the file...

Service load: 0% 100%

File: 2kgnxk.exe
Status: INFECTED/MALWARE
MD5: 97da01d02b8b44dff6353c2617886617
Packers detected: -
Bit9 reports: File not found
 
Hi

Yes, it surely does.

Download suspicious file packer from here

Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop

C:\WINDOWS\system32\2kgnxk.exe

Go to spykiller

Press new topic, make threads title "Files for Shaba"
Include to your message a link to here, then attach the cab/zip file to your message and post the topic
If you cant locate it through the browse button just copy/paste the filename and path.

After that, please reply here and we'll continue.
 
Files for Shaba

Hi Shaba - ive been to spykiller and have posted the files as requested, hopefully it worked ( i cant see the uploaded files ?)

Thanks

Tony
 
Hi

That's OK, I can see them :)

1. Download combofix from any of these links and save it to Desktop:
Link 1
Link 2
Link 3

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here

Post:

- a fresh HijackThis log
- combofix report
 
hmmmm - not working im afraid

Hi Shaba....i have some problems with Combofix im afraid. I dio as advised but it starts and then my whole machine keels over.

It reboots and i get the 'serious problem' dialog box....windows took me to the MSN support page with the log below-


Corrupted error report

Unfortunately, the error report you submitted is corrupted and cannot be analyzed. Corrupted error reports are rare. They can be caused by hardware or software problems, and they usually indicate a serious problem with your computer.

Troubleshooting

--------------------------------------------------------------------------------


Scenario 1: Click here if this is the first corrupted error report for this computer

Note any programs you have recently added your computer.
To check for recently added programs:

1. Click Start, click Control Panel, and then click Add or Remove Programs.

2. In the Sort by drop-down box, select Date Last Used, and then select Show updates.

3. The Last Used On date typically shows when you installed a program. If you installed an update to a program, you will see an Installed on date.

Note any hardware you have recently added to your computer, including random access memory (RAM), video cards, sound cards, or hard drives.

Make sure that you have a good backup copy of your files. To make a backup of your files, you can use the Backup or Restore Wizard.
To start the Backup or Restore Wizard:



have tried combo fix 3 times and get the same thing , it only gets as far as telling me its changing my clock settings ? then reboots ?:


What next ?

Tony
 
oh dear

The macine wont go in to safe mode now ??!! i hit F8 , choose safe mode and it just keels over when i get to the log on screen ??? never had that before ??

??
 
Hi

Try to choose from that menu first Last Known Good Configuration.

And let me know if it works now.
 
ok - it worked

got combofix going - here is the log -
ComboFix 08-04-18.3 - Tony 2008-04-22 19:37:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1044 [GMT 1:00]
Running from: C:\Documents and Settings\Tony\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\system32\appcert
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\dmconfigc.dll . . . . failed to delete

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_fqqozoku
-------\fqqozoku


((((((((((((((((((((((((( Files Created from 2008-03-22 to 2008-04-22 )))))))))))))))))))))))))))))))
.

2008-04-22 16:09 . 2008-04-22 16:09 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\pnbfihzq
2008-04-16 20:49 . 2008-04-16 20:49 244 --ah----- C:\sqmnoopt15.sqm
2008-04-16 20:49 . 2008-04-16 20:49 232 --ah----- C:\sqmdata15.sqm
2008-04-15 11:56 . 2008-04-15 11:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 08:28 . 2008-04-15 08:22 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-15 08:28 . 2008-04-15 08:28 2,546 --a------ C:\WINDOWS\unins000.dat
2008-04-14 19:31 . 2008-04-22 16:09 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-04-14 19:31 . 2008-04-14 19:31 6,490,880 --a------ C:\WINDOWS\system32\upsrynoe.dat
2008-04-14 19:31 . 2008-04-14 19:31 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
2008-04-14 19:31 . 2008-04-14 19:31 638,208 --a------ C:\WINDOWS\system32\egoqjvjs.dat
2008-04-14 19:31 . 2008-04-14 19:31 196,608 --a------ C:\WINDOWS\system32\libssl32.dll
2008-04-14 19:31 . 2008-04-14 19:31 35,584 --a------ C:\WINDOWS\system32\bmaskxxw.dat
2008-04-14 19:30 . 2008-04-22 11:10 43,264 --a------ C:\WINDOWS\system32\midoicjs.dat
2008-04-14 19:30 . 2008-04-14 19:30 36,608 --a------ C:\WINDOWS\system32\ufqouilh.dat
2008-04-14 19:30 . 20,608 C:\WINDOWS\system32\drivers\pnaazkne.dat
2008-04-13 19:21 . 2008-04-22 11:10 190,720 --a------ C:\WINDOWS\system32\sbyfrnmh.dat
2008-04-13 19:13 . 2004-05-10 03:35 88,064 --a------ C:\WINDOWS\system32\cdralv.dll
2008-04-13 19:13 . 2008-04-18 20:05 82,944 --a------ C:\WINDOWS\system32\dmconfigc.dll
2008-04-13 19:13 . 2008-03-26 21:53 16,896 --a------ C:\WINDOWS\system32\2kgnxk.exe
2008-04-11 15:14 . 2008-04-11 15:14 97,728 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2008-04-08 13:44 . 2008-04-08 13:44 <DIR> d-------- C:\Program Files\Research In Motion
2008-04-06 15:59 . 2008-04-06 15:59 244 --ah----- C:\sqmnoopt14.sqm
2008-04-06 15:59 . 2008-04-06 15:59 232 --ah----- C:\sqmdata14.sqm
2008-04-01 13:49 . 2008-04-01 13:49 244 --ah----- C:\sqmnoopt13.sqm
2008-04-01 13:49 . 2008-04-01 13:49 232 --ah----- C:\sqmdata13.sqm
2008-03-30 19:54 . 2008-03-30 19:54 244 --ah----- C:\sqmnoopt12.sqm
2008-03-30 19:54 . 2008-03-30 19:54 232 --ah----- C:\sqmdata12.sqm
2008-03-29 23:02 . 2008-03-29 23:02 244 --ah----- C:\sqmnoopt11.sqm
2008-03-29 23:02 . 2008-03-29 23:02 232 --ah----- C:\sqmdata11.sqm
2008-03-29 12:19 . 2008-03-29 12:19 244 --ah----- C:\sqmnoopt10.sqm
2008-03-29 12:19 . 2008-03-29 12:19 232 --ah----- C:\sqmdata10.sqm
2008-03-28 18:30 . 2008-03-28 18:30 244 --ah----- C:\sqmnoopt09.sqm
2008-03-28 18:30 . 2008-03-28 18:30 232 --ah----- C:\sqmdata09.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-15 07:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-15 07:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-27 08:16 --------- d-----w C:\Program Files\BT Auto Backup
2008-03-24 17:27 --------- d-----w C:\Program Files\exPressit S.E. 3.0
2008-03-03 18:22 81 ----a-w C:\CTX.DAT
2008-02-29 19:04 --------- d-----w C:\Documents and Settings\Tony\Application Data\ArcSoft
2008-02-29 18:42 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-29 18:41 --------- d-----w C:\Program Files\Western Digital Technologies
2008-02-27 18:56 --------- d-----w C:\Program Files\Windows Live
2008-02-01 11:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-05-08 07:16 81 ----a-w C:\Documents and Settings\Andrea\CTX.DAT
2005-07-18 14:00 224 ----a-w C:\Documents and Settings\Tony\Application Data\wklnhst.dat
2005-07-06 14:02 16,291,424 ----a-w C:\Program Files\jre-1_5_0_04-windows-i586-p.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4DFB9BE4-DE27-4E6E-A451-D4C83068757B}]
2008-04-18 20:05 82944 --a------ c:\windows\system32\dmconfigc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1A55360-1A90-480D-B93B-E317830F1D41}]
2004-05-10 03:35 88064 --a------ C:\WINDOWS\system32\cdralv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-25 18:27 1591808]
"PowerBar"="" []
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-04-11 15:42 2075584]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]
"BTAgile"="C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe" [2007-06-18 09:39 61440]
"2kgnxk"="C:\WINDOWS\system32\2kgnxk.exe" [2008-03-26 21:53 16896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 15:06 118784 C:\WINDOWS\system32\ptipbmf.dll]
"CARPService"="carpserv.exe" [2003-01-08 21:42 4608 C:\WINDOWS\system32\carpserv.exe]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 10:03 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
"AsioReg"="REGSVR32.exe" [2004-08-04 13:00 11776 C:\WINDOWS\system32\regsvr32.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2005-01-14 18:21 110744]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="C:\Program Files\CyberLink\PowerBackup\PBKScheduler.EXE" [2004-06-08 18:33 69721]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26 406016]
"NWEReboot"="" []
"CTHelper"="CTHELPER.EXE" [2003-06-20 04:55 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06 45056]
"VirtualCloneDrive"="C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2005-04-12 16:27 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56 36975]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58 856064]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2003-06-30 20:56 188416]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2003-06-30 21:00 65536]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 21:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-08-11 21:43 86016 C:\WINDOWS\system32\nvmctray.dll]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 02:10 409600]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-17 13:31 155648]
"TrayStartup"="C:\Program Files\BT Auto Backup\VaultClientTray.exe" [2008-01-30 17:18 1246552]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-06 00:52 849280]
"WD Button Manager"="WDBtnMgr.exe" [2008-02-29 19:41 364544 C:\WINDOWS\system32\WDBtnMgr.exe]
"2kgnxk"="C:\WINDOWS\system32\2kgnxk.exe" [2008-03-26 21:53 16896]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xqdiiebh]
dmconfigc.dll 2008-04-18 20:05 82944 C:\WINDOWS\system32\dmconfigc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"C:\\Program Files\\Creative\\SBAudigy2ZS\\WaveStudio\\CTWave32.exe"=
"C:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"=
"C:\\Program Files\\EA Games\\Command and Conquer Generals\\patchget.dat"=
"C:\\Program Files\\Infogrames\\Monopoly\\Monopoly.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"C:\\Program Files\\LEGO Media\\Constructive\\LEGO LOCO\\Exe\\Loco.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\BT Broadband Talk Softphone\\BTSoftphone.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\2kgnxk.exe"=

R0 lnuunrrt;lnuunrrt;C:\WINDOWS\system32\drivers\pnaazkne.dat []
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 18:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 13:00]
R2 VaultClientSRV;BT Auto Backup Service;C:\Program Files\BT Auto Backup\VaultClientSRV.exe [2008-01-30 17:18]
R2 VaultClientUpgrade;BT Auto Backup Upgrade Service;C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe [2008-01-30 17:18]
R3 Bonifay;Bonifay;C:\WINDOWS\system32\DRIVERS\Bonifay.sys [2005-01-13 16:22]
R3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2003-06-27 04:08]
S2 Hauppauge;Hauppauge WinTV PVR - USB Service;C:\WINDOWS\system32\DRIVERS\hcwncusb.sys []
S3 CW100;CW100 Device;C:\WINDOWS\system32\DRIVERS\CW100.sys [2002-05-24 14:50]
S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);C:\WINDOWS\system32\Drivers\hpzs2k12.sys [2002-06-20 10:51]
S3 NUVision;NUVision II Video Service;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-10-28 22:34]
S3 PIXMCV;JVC Communication PIX-MCV Driver;C:\WINDOWS\system32\Drivers\pixmcvc.sys [2003-12-05 14:39]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;C:\WINDOWS\system32\Drivers\pixmcva.sys [2003-12-05 14:39]
S3 PIXMCVV;JVC PIX-MCV Video Capture;C:\WINDOWS\system32\Drivers\pixmcvv.sys [2003-12-05 14:39]
S4 SI3112r;Silicon Image SiI 3512 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2003-05-09 16:55]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fqqozoku

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0c13b66-e6f5-11dc-bdc4-101111111111}]
\Shell\AutoRun\command - F:\WD_Windows_Tools\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 18:35:09 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\rundll32.exe
"2008-04-16 13:54:00 C:\WINDOWS\Tasks\RoxioUpdator.job"
- C:\Program Files\Common Files\Roxio Shared\Autoupdater\autoupdater.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-22 19:50:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet004\Services\lnuunrrt]
"ImagePath"="system32\drivers\pnaazkne.dat"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
.
**************************************************************************
.
Completion time: 2008-04-22 19:55:57 - machine was rebooted [Tony]
ComboFix-quarantined-files.txt 2008-04-22 18:55:49

Pre-Run: 27,376,472,064 bytes free
Post-Run: 30,160,445,440 bytes free

200 --- E O F --- 2008-04-14 07:22:44


will also post the text file on spykiller under 'files for shaba'

here is the hijack log -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:19:15, on 22/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\BT Auto Backup\VaultClientTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\2kgnxk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4DFB9BE4-DE27-4E6E-A451-D4C83068757B} - c:\windows\system32\dmconfigc.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E1A55360-1A90-480D-B93B-E317830F1D41} - C:\WINDOWS\system32\cdralv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] C:\Program Files\CyberLink\PowerBackup\PBKScheduler.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TrayStartup] C:\Program Files\BT Auto Backup\VaultClientTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [2kgnxk] C:\WINDOWS\system32\2kgnxk.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKCU\..\Run: [2kgnxk] C:\WINDOWS\system32\2kgnxk.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (first direct internet banking plus digital safe) - https://internetbankingplus1.firstdirect.com/ibplus/frontdoorFD.cab
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://tonydockerill.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: xqdiiebh - C:\WINDOWS\SYSTEM32\dmconfigc.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: BT Auto Backup Upgrade Service (VaultClientUpgrade) - BT - C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe

--
End of file - 12484 bytes


thanks Shaba....maybe things are looking better ???
 
Hi

A bit, yes.

* Download GMER from
here:
Unzip it and start GMER.exe
Click the rootkit-tab and click scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply.
 
ok - next step done

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-04-23 22:20:29
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAAD12D98]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAAD12CB8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAAD1312A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAAD128AA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAAD12D2E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAAD127C8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAAD1283C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAAD12E42]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAAD12E02]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAAD12F84]

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!ObReferenceObjectByHandle + 4BF 805AFCFB 7 Bytes JMP BA329346 pnaazkne.dat
? pnaazkne.dat The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2464] kernel32.dll!SetUnhandledExceptionFilter 7C84467D 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\msnmsgr.exe (Windows Live Messenger/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[964] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
IAT C:\WINDOWS\system32\services.exe[964] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000
IAT C:\Program Files\Internet Explorer\iexplore.exe[4284] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [028F2070] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[4284] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [028F20B0] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[4284] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [028F2030] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[4284] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [028F2000] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\iexplore.exe[4284] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [028F4C50] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[5076] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [02772070] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[5076] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [027720B0] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[5076] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [02772030] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[5076] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [02772000] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[5076] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [02774C50] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\nvata \Device\0000008f AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\USBSTOR \Device\000000a3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\000000a4 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\000000a5 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\000000a6 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\000000a7 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\nvata \Device\NvAta0 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\nvata \Device\NvAta1 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\nvata \Device\NvAta2 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\nvata \Device\0000008c AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\VClone \Device\Scsi\VClone1 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\VClone \Device\Scsi\VClone1Port0Path0Target0Lun0 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\nvata \Device\0000008d AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \FileSystem\Fastfat \Fat 95231C8A

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Services - GMER 1.0.14 ----

Service system32\drivers\pnaazkne.dat (*** hidden *** ) [BOOT] lnuunrrt <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\.eta@ Google Earth.etafile
Reg HKLM\SOFTWARE\Classes\.eta@Content Type application/earthviewer
Reg HKLM\SOFTWARE\Classes\.kml@ Google Earth.kmlfile
Reg HKLM\SOFTWARE\Classes\.kml@Content Type application/vnd.google-earth.kml+xml
Reg HKLM\SOFTWARE\Classes\.kmz@ Google Earth.kmzfile
Reg HKLM\SOFTWARE\Classes\.kmz@Content Type application/vnd.google-earth.kmz
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0x50 0x93 0xE5 0xAB ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...
Reg HKLM\SOFTWARE\Classes\data-file\Shell
Reg HKLM\SOFTWARE\Classes\data-file\Shell\open
Reg HKLM\SOFTWARE\Classes\data-file\Shell\open\command
Reg HKLM\SOFTWARE\Classes\data-file\Shell\open\command@ C:\WINDOWS\notepad.exe "%1"
Reg HKLM\SOFTWARE\Classes\Google Earth.etafile@ Google Earth ETA
Reg HKLM\SOFTWARE\Classes\Google Earth.etafile\shell
Reg HKLM\SOFTWARE\Classes\Google Earth.etafile\shell\open
Reg HKLM\SOFTWARE\Classes\Google Earth.etafile\shell\open\command
Reg HKLM\SOFTWARE\Classes\Google Earth.etafile\shell\open\command@ C:\Documents and Settings\Andrea\Application Data\Google\Google Earth\googleearth.exe "%1"
Reg HKLM\SOFTWARE\Classes\Google Earth.kmlfile@ Google Earth KML
Reg HKLM\SOFTWARE\Classes\Google Earth.kmlfile\DefaultIcon
Reg HKLM\SOFTWARE\Classes\Google Earth.kmlfile\DefaultIcon@ C:\Documents and Settings\Andrea\Application Data\Google\Google Earth\kml_file.ico
Reg HKLM\SOFTWARE\Classes\Google Earth.kmlfile\shell
Reg HKLM\SOFTWARE\Classes\Google Earth.kmlfile\shell\open
Reg HKLM\SOFTWARE\Classes\Google Earth.kmlfile\shell\open\command
Reg HKLM\SOFTWARE\Classes\Google Earth.kmlfile\shell\open\command@ C:\Documents and Settings\Andrea\Application Data\Google\Google Earth\googleearth.exe "%1"
Reg HKLM\SOFTWARE\Classes\Google Earth.kmlfile\shell\open\command@OldValue
Reg HKLM\SOFTWARE\Classes\Google Earth.kmzfile@ Google Earth KMZ
Reg HKLM\SOFTWARE\Classes\Google Earth.kmzfile\DefaultIcon
Reg HKLM\SOFTWARE\Classes\Google Earth.kmzfile\DefaultIcon@ C:\Documents and Settings\Andrea\Application Data\Google\Google Earth\kmz_file.ico
Reg HKLM\SOFTWARE\Classes\Google Earth.kmzfile\shell
Reg HKLM\SOFTWARE\Classes\Google Earth.kmzfile\shell\open
Reg HKLM\SOFTWARE\Classes\Google Earth.kmzfile\shell\open\command
Reg HKLM\SOFTWARE\Classes\Google Earth.kmzfile\shell\open\command@ C:\Documents and Settings\Andrea\Application Data\Google\Google Earth\googleearth.exe "%1"
Reg HKLM\SOFTWARE\Classes\Google Earth.kmzfile\shell\open\command@OldValue
Reg HKLM\SOFTWARE\Classes\MSIDXS@ Microsoft OLE DB Provider for Indexing Service
Reg HKLM\SOFTWARE\Classes\MSIDXS\Clsid
Reg HKLM\SOFTWARE\Classes\MSIDXS\Clsid@ {F9AE8980-7E52-11d0-8964-00C04FD611D7}
Reg HKLM\SOFTWARE\Classes\MSIDXS ErrorLookup@ Microsoft OLE DB Error Lookup for Indexing Service
Reg HKLM\SOFTWARE\Classes\MSIDXS ErrorLookup\Clsid
Reg HKLM\SOFTWARE\Classes\MSIDXS ErrorLookup\Clsid@ {F9AE8981-7E52-11d0-8964-00C04FD611D7}

---- EOF - GMER 1.0.14 ----


some weird warning messages popped about rootkit activity but i just proceeded - hope this was right

tony
 
Hi

Yes, there is rootkit activity so that is normal.

Run gmer.exe
Click the tab called Processes and click the Safe... button. The computer will reboot and the Gmer screen will open.
Click Files... and browse to the following file:
C:\windows\system32\drivers\pnaazkne.dat
Now click Delete

Now click the Services tab. Click the entries in red one by one with your right mouse button and click Delete... Answer Yes to all the warning windows.
When you've removed all the Service entries in red, reboot your computer.

Re-run gmer

Post a fresh gmer log.
 
ok - all done

no red files though ?? that good ?

GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-04-25 20:13:39
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAC5DED98]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAC5DECB8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAC5DF12A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAC5DE8AA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAC5DED2E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAC5DE7C8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAC5DE83C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAC5DEE42]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAC5DEE02]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAC5DEF84]

---- User IAT/EAT - GMER 1.0.14 ----

IAT C:\WINDOWS\system32\services.exe[968] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00370002
IAT C:\WINDOWS\system32\services.exe[968] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00370000
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExA] [02952070] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryExW] [029520B0] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] [02952030] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] [02952000] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll
IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3564] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [02954C50] C:\Program Files\Canon\Easy-WebPrint\EWPCore.dll

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\nvata \Device\0000008e AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\USBSTOR \Device\000000a4 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\000000a5 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\000000a6 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\000000a7 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\000000a8 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\nvata \Device\00000090 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)

AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \Driver\nvata \Device\NvAta0 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\nvata \Device\NvAta1 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\nvata \Device\NvAta2 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\VClone \Device\Scsi\VClone1 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\VClone \Device\Scsi\VClone1Port0Path0Target0Lun0 AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \Driver\nvata \Device\0000008d AnyDVD.sys (AnyDVD Filter Driver/SlySoft, Inc.)
Device \FileSystem\Fastfat \Fat 9F0D8C8A

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\.eta@ Google Earth.etafile
Reg HKLM\SOFTWARE\Classes\.eta@Content Type application/earthviewer
Reg HKLM\SOFTWARE\Classes\.kml@ Google Earth.kmlfile
Reg HKLM\SOFTWARE\Classes\.kml@Content Type application/vnd.google-earth.kml+xml
Reg HKLM\SOFTWARE\Classes\.kmz@ Google Earth.kmzfile
Reg HKLM\SOFTWARE\Classes\.kmz@Content Type application/vnd.google-earth.kmz
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0x50 0x93 0xE5 0xAB ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...
Reg HKLM\SOFTWARE\Classes\data-file\Shell
Reg HKLM\SOFTWARE\Classes\data-file\Shell\open
Reg HKLM\SOFTWARE\Classes\data-file\Shell\open\command
Reg HKLM\SOFTWARE\Classes\data-file\Shell\open\command@ C:\WINDOWS\notepad.exe "%1"
Reg HKLM\SOFTWARE\Classes\Google Earth.etafile@ Google Earth ETA
Reg HKLM\SOFTWARE\Classes\Google Earth.etafile\shell
Reg HKLM\SOFTWARE\Classes\Google Earth.etafile\shell\open
Reg HKLM\SOFTWARE\Classes\Google Earth.etafile\shell\open\command
Reg HKLM\SOFTWARE\Classes\Google Earth.etafile\shell\open\command@ C:\Documents and Settings\Andrea\Application Data\Google\Google Earth\googleearth.exe "%1"
Reg HKLM\SOFTWARE\Classes\Google Earth.kmlfile@ Google Earth KML
Reg HKLM\SOFTWARE\Classes\Google Earth.kmlfile\DefaultIcon
Reg HKLM\SOFTWARE\Classes\Google Earth.kmlfile\DefaultIcon@ C:\Documents and Settings\Andrea\Application Data\Google\Google Earth\kml_file.ico
Reg HKLM\SOFTWARE\Classes\Google Earth.kmlfile\shell
Reg HKLM\SOFTWARE\Classes\Google Earth.kmlfile\shell\open
Reg HKLM\SOFTWARE\Classes\Google Earth.kmlfile\shell\open\command
Reg HKLM\SOFTWARE\Classes\Google Earth.kmlfile\shell\open\command@ C:\Documents and Settings\Andrea\Application Data\Google\Google Earth\googleearth.exe "%1"
Reg HKLM\SOFTWARE\Classes\Google Earth.kmlfile\shell\open\command@OldValue
Reg HKLM\SOFTWARE\Classes\Google Earth.kmzfile@ Google Earth KMZ
Reg HKLM\SOFTWARE\Classes\Google Earth.kmzfile\DefaultIcon
Reg HKLM\SOFTWARE\Classes\Google Earth.kmzfile\DefaultIcon@ C:\Documents and Settings\Andrea\Application Data\Google\Google Earth\kmz_file.ico
Reg HKLM\SOFTWARE\Classes\Google Earth.kmzfile\shell
Reg HKLM\SOFTWARE\Classes\Google Earth.kmzfile\shell\open
Reg HKLM\SOFTWARE\Classes\Google Earth.kmzfile\shell\open\command
Reg HKLM\SOFTWARE\Classes\Google Earth.kmzfile\shell\open\command@ C:\Documents and Settings\Andrea\Application Data\Google\Google Earth\googleearth.exe "%1"
Reg HKLM\SOFTWARE\Classes\Google Earth.kmzfile\shell\open\command@OldValue
Reg HKLM\SOFTWARE\Classes\MSIDXS@ Microsoft OLE DB Provider for Indexing Service
Reg HKLM\SOFTWARE\Classes\MSIDXS\Clsid
Reg HKLM\SOFTWARE\Classes\MSIDXS\Clsid@ {F9AE8980-7E52-11d0-8964-00C04FD611D7}
Reg HKLM\SOFTWARE\Classes\MSIDXS ErrorLookup@ Microsoft OLE DB Error Lookup for Indexing Service
Reg HKLM\SOFTWARE\Classes\MSIDXS ErrorLookup\Clsid
Reg HKLM\SOFTWARE\Classes\MSIDXS ErrorLookup\Clsid@ {F9AE8981-7E52-11d0-8964-00C04FD611D7}

---- Files - GMER 1.0.14 ----

File C:\Documents and Settings\Tony\Cookies\tony@bbc.co[2].txt 656 bytes
File C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\MDMT6HSZ\GlobalNavVjo23_SignInEbay_e561i6485855_en_GB_s[1].css 0 bytes
File C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\MDMT6HSZ\eBayISAPI[2].htm 190456 bytes
File C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\MDMT6HSZ\eBayISAPI[4].htm 0 bytes
File C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\QT47WNA3\imgCrnrO4[3].gif 0 bytes
File C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\QT47WNA3\7364786[1].htm 0 bytes
File C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\SJS3AJKV\areaTitleDeployment_SSL_e5611uk[1].css 0 bytes
File C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\SJS3AJKV\imgCrnrO3[1].gif 0 bytes

---- EOF - GMER 1.0.14 ----
 
Hi

Yes, that is good.

Re-run combofix.

Post:

- a fresh HijackThis log
- combofix report
 
ok - done.....

ComboFix 08-04-18.3 - Tony 2008-04-27 17:41:18.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1045 [GMT 1:00]
Running from: C:\Documents and Settings\Tony\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-26 14:52 . 2008-04-26 14:53 <DIR> d-------- C:\Program Files\Juice
2008-04-26 14:52 . 2008-04-26 14:52 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\iPodder
2008-04-26 13:54 . 2008-04-26 13:54 <DIR> d-------- C:\Documents and Settings\All Users\SonicStage
2008-04-26 13:23 . 2008-04-26 13:23 <DIR> d-------- C:\Program Files\Bonjour
2008-04-26 13:20 . 2008-04-26 13:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-26 12:36 . 2008-04-26 12:36 <DIR> d-------- C:\Program Files\Sony Corporation
2008-04-26 12:36 . 2001-09-13 02:15 90,112 --------- C:\WINDOWS\snymsico.dll
2008-04-26 12:36 . 2002-08-08 15:51 38,951 --------- C:\WINDOWS\system32\drivers\NETMDUSB.sys
2008-04-26 12:36 . 2005-10-31 10:46 36,679 --------- C:\WINDOWS\system32\drivers\NETMD052.sys
2008-04-26 12:36 . 2003-11-10 12:31 36,232 --------- C:\WINDOWS\system32\drivers\NETMD033.sys
2008-04-26 12:36 . 2003-04-01 18:55 35,319 --------- C:\WINDOWS\system32\drivers\NETMD031.sys
2008-04-26 12:36 . 2001-08-31 15:07 27,255 --------- C:\WINDOWS\system32\drivers\NWWMUSB.sys
2008-04-26 12:36 . 2002-09-11 10:20 11,510 --------- C:\WINDOWS\system32\drivers\VMCUSB.sys
2008-04-26 12:35 . 2008-04-26 12:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Corporation
2008-04-26 12:35 . 2006-05-11 12:05 770,048 --a------ C:\WINDOWS\system32\CDDBUISony.dll
2008-04-26 12:35 . 2006-05-11 12:02 643,072 --a------ C:\WINDOWS\system32\CDDBControlSony.dll
2008-04-26 12:35 . 2006-05-11 12:03 585,728 --a------ C:\WINDOWS\system32\CddbMusicIDSony.dll
2008-04-26 12:35 . 2006-05-11 12:05 73,728 --a------ C:\WINDOWS\system32\CddbLinkSony.dll
2008-04-26 12:34 . 2008-04-26 12:36 <DIR> d-------- C:\Program Files\Sony
2008-04-26 12:34 . 2008-04-26 12:36 <DIR> d-------- C:\Program Files\Common Files\Sony Shared
2008-04-26 12:34 . 2008-04-26 13:54 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\Sony Corporation
2008-04-23 21:35 . 2008-04-25 19:10 250 --a------ C:\WINDOWS\gmer.ini
2008-04-23 16:59 . 2008-04-23 16:59 <DIR> d-------- C:\Documents and Settings\Jade\Application Data\NCH Swift Sound
2008-04-22 16:09 . 2008-04-22 16:09 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\pnbfihzq
2008-04-16 20:49 . 2008-04-16 20:49 244 --ah----- C:\sqmnoopt15.sqm
2008-04-16 20:49 . 2008-04-16 20:49 232 --ah----- C:\sqmdata15.sqm
2008-04-15 11:56 . 2008-04-15 11:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 08:28 . 2008-04-15 08:22 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-15 08:28 . 2008-04-15 08:28 2,546 --a------ C:\WINDOWS\unins000.dat
2008-04-14 19:31 . 2008-04-22 16:09 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-04-14 19:31 . 2008-04-14 19:31 6,490,880 --a------ C:\WINDOWS\system32\upsrynoe.dat
2008-04-14 19:31 . 2008-04-14 19:31 1,015,808 --a------ C:\WINDOWS\system32\libeay32.dll
2008-04-14 19:31 . 2008-04-14 19:31 638,208 --a------ C:\WINDOWS\system32\egoqjvjs.dat
2008-04-14 19:31 . 2008-04-14 19:31 196,608 --a------ C:\WINDOWS\system32\libssl32.dll
2008-04-14 19:31 . 2008-04-14 19:31 35,584 --a------ C:\WINDOWS\system32\bmaskxxw.dat
2008-04-14 19:30 . 2008-04-22 11:10 43,264 --a------ C:\WINDOWS\system32\midoicjs.dat
2008-04-14 19:30 . 2008-04-14 19:30 36,608 --a------ C:\WINDOWS\system32\ufqouilh.dat
2008-04-13 19:21 . 2008-04-22 11:10 190,720 --a------ C:\WINDOWS\system32\sbyfrnmh.dat
2008-04-13 19:13 . 2004-05-10 03:35 88,064 --a------ C:\WINDOWS\system32\cdralv.dll
2008-04-13 19:13 . 2008-03-26 21:53 16,896 --a------ C:\WINDOWS\system32\2kgnxk.exe
2008-04-11 15:14 . 2008-04-11 15:14 97,728 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2008-04-08 13:44 . 2008-04-08 13:44 <DIR> d-------- C:\Program Files\Research In Motion
2008-04-06 15:59 . 2008-04-06 15:59 244 --ah----- C:\sqmnoopt14.sqm
2008-04-06 15:59 . 2008-04-06 15:59 232 --ah----- C:\sqmdata14.sqm
2008-04-01 13:49 . 2008-04-01 13:49 244 --ah----- C:\sqmnoopt13.sqm
2008-04-01 13:49 . 2008-04-01 13:49 232 --ah----- C:\sqmdata13.sqm
2008-03-30 19:54 . 2008-03-30 19:54 244 --ah----- C:\sqmnoopt12.sqm
2008-03-30 19:54 . 2008-03-30 19:54 232 --ah----- C:\sqmdata12.sqm
2008-03-29 23:02 . 2008-03-29 23:02 244 --ah----- C:\sqmnoopt11.sqm
2008-03-29 23:02 . 2008-03-29 23:02 232 --ah----- C:\sqmdata11.sqm
2008-03-29 12:19 . 2008-03-29 12:19 244 --ah----- C:\sqmnoopt10.sqm
2008-03-29 12:19 . 2008-03-29 12:19 232 --ah----- C:\sqmdata10.sqm
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-28 18:30 . 2008-03-28 18:30 244 --ah----- C:\sqmnoopt09.sqm
2008-03-28 18:30 . 2008-03-28 18:30 232 --ah----- C:\sqmdata09.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 12:23 --------- d-----w C:\Documents and Settings\Tony\Application Data\Apple Computer
2008-04-26 12:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-26 12:22 --------- d-----w C:\Program Files\QuickTime
2008-04-26 11:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-15 07:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-15 07:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-27 08:16 --------- d-----w C:\Program Files\BT Auto Backup
2008-03-24 17:27 --------- d-----w C:\Program Files\exPressit S.E. 3.0
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-14 22:24 93,128 ----a-w C:\WINDOWS\system32\ElbyCDIO.dll
2008-03-03 18:22 81 ----a-w C:\CTX.DAT
2008-02-29 19:04 --------- d-----w C:\Documents and Settings\Tony\Application Data\ArcSoft
2008-02-29 18:41 364,544 ----a-w C:\WINDOWS\system32\WDBtnMgr.exe
2008-02-29 18:41 --------- d-----w C:\Program Files\Western Digital Technologies
2008-02-27 18:56 --------- d-----w C:\Program Files\Windows Live
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-16 08:59 659,456 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-01 11:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-05-08 07:16 81 ----a-w C:\Documents and Settings\Andrea\CTX.DAT
2005-07-18 14:00 224 ----a-w C:\Documents and Settings\Tony\Application Data\wklnhst.dat
2005-07-06 14:02 16,291,424 ----a-w C:\Program Files\jre-1_5_0_04-windows-i586-p.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-22_19.55.29.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-22 18:47:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-27 14:08:57 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-23 20:35:06 819,200 ----a-w C:\WINDOWS\gmer.dll
+ 2008-03-03 19:29:06 761,856 ----a-r C:\WINDOWS\gmer.exe
+ 2008-04-26 12:23:08 86,016 ----a-r C:\WINDOWS\Installer\{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}\PrntWzrdIco.exe
+ 2007-07-24 14:17:08 81,920 ----a-w C:\WINDOWS\system32\dns-sd.exe
+ 2007-07-24 14:17:08 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
+ 2008-04-23 20:35:06 86,097 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2008-04-22 18:51:24 222,729 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-04-27 14:13:09 222,733 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2008-04-22 18:51:40 83,292 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-27 15:33:42 83,292 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-22 18:51:40 464,348 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-27 15:33:42 464,348 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-27 11:44:35 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_74c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1A55360-1A90-480D-B93B-E317830F1D41}]
2004-05-10 03:35 88064 --a------ C:\WINDOWS\system32\cdralv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-25 18:27 1591808]
"PowerBar"="" []
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-04-11 15:42 2075584]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]
"BTAgile"="C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe" [2007-06-18 09:39 61440]
"2kgnxk"="C:\WINDOWS\system32\2kgnxk.exe" [2008-03-26 21:53 16896]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 15:06 118784 C:\WINDOWS\system32\ptipbmf.dll]
"CARPService"="carpserv.exe" [2003-01-08 21:42 4608 C:\WINDOWS\system32\carpserv.exe]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 10:03 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
"AsioReg"="REGSVR32.exe" [2004-08-04 13:00 11776 C:\WINDOWS\system32\regsvr32.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2005-01-14 18:21 110744]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="C:\Program Files\CyberLink\PowerBackup\PBKScheduler.EXE" [2004-06-08 18:33 69721]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26 406016]
"NWEReboot"="" []
"CTHelper"="CTHELPER.EXE" [2003-06-20 04:55 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06 45056]
"VirtualCloneDrive"="C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2005-04-12 16:27 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56 36975]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58 856064]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2003-06-30 20:56 188416]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2003-06-30 21:00 65536]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 21:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-08-11 21:43 86016 C:\WINDOWS\system32\nvmctray.dll]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 02:10 409600]
"TrayStartup"="C:\Program Files\BT Auto Backup\VaultClientTray.exe" [2008-01-30 17:18 1246552]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-06 00:52 849280]
"WD Button Manager"="WDBtnMgr.exe" [2008-02-29 19:41 364544 C:\WINDOWS\system32\WDBtnMgr.exe]
"2kgnxk"="C:\WINDOWS\system32\2kgnxk.exe" [2008-03-26 21:53 16896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 02:36 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"C:\\Program Files\\Creative\\SBAudigy2ZS\\WaveStudio\\CTWave32.exe"=
"C:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"=
"C:\\Program Files\\EA Games\\Command and Conquer Generals\\patchget.dat"=
"C:\\Program Files\\Infogrames\\Monopoly\\Monopoly.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"C:\\Program Files\\LEGO Media\\Constructive\\LEGO LOCO\\Exe\\Loco.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\BT Broadband Talk Softphone\\BTSoftphone.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\WINDOWS\\system32\\2kgnxk.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 18:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 13:00]
R2 VaultClientSRV;BT Auto Backup Service;C:\Program Files\BT Auto Backup\VaultClientSRV.exe [2008-01-30 17:18]
R2 VaultClientUpgrade;BT Auto Backup Upgrade Service;C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe [2008-01-30 17:18]
R3 Bonifay;Bonifay;C:\WINDOWS\system32\DRIVERS\Bonifay.sys [2005-01-13 16:22]
R3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2003-06-27 04:08]
S0 lnuunrrt;lnuunrrt;C:\WINDOWS\system32\drivers\pnaazkne.dat []
S2 Hauppauge;Hauppauge WinTV PVR - USB Service;C:\WINDOWS\system32\DRIVERS\hcwncusb.sys []
S3 CW100;CW100 Device;C:\WINDOWS\system32\DRIVERS\CW100.sys [2002-05-24 14:50]
S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);C:\WINDOWS\system32\Drivers\hpzs2k12.sys [2002-06-20 10:51]
S3 NUVision;NUVision II Video Service;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-10-28 22:34]
S3 PIXMCV;JVC Communication PIX-MCV Driver;C:\WINDOWS\system32\Drivers\pixmcvc.sys [2003-12-05 14:39]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;C:\WINDOWS\system32\Drivers\pixmcva.sys [2003-12-05 14:39]
S3 PIXMCVV;JVC PIX-MCV Video Capture;C:\WINDOWS\system32\Drivers\pixmcvv.sys [2003-12-05 14:39]
S4 SI3112r;Silicon Image SiI 3512 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2003-05-09 16:55]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fqqozoku

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0c13b66-e6f5-11dc-bdc4-101111111111}]
\Shell\AutoRun\command - F:\WD_Windows_Tools\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 11:58:41 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\rundll32.exe
"2008-04-16 13:54:00 C:\WINDOWS\Tasks\RoxioUpdator.job"
- C:\Program Files\Common Files\Roxio Shared\Autoupdater\autoupdater.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 17:44:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet004\Services\lnuunrrt]
"ImagePath"="system32\drivers\pnaazkne.dat"
.
Completion time: 2008-04-27 17:48:20
ComboFix-quarantined-files.txt 2008-04-27 16:48:15
ComboFix2.txt 2008-04-27 14:07:48
ComboFix3.txt 2008-04-22 18:55:58

Pre-Run: 32,566,525,952 bytes free
Post-Run: 32,541,196,288 bytes free

221 --- E O F --- 2008-04-14 07:22:44



hijack this log -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:51:16, on 27/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\BT Auto Backup\VaultClientTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\2kgnxk.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {791C9162-A53E-43B8-831D-0167E2B3D037} - C:\WINDOWS\system32\cdralv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {E1A55360-1A90-480D-B93B-E317830F1D41} - C:\WINDOWS\system32\cdralv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] C:\Program Files\CyberLink\PowerBackup\PBKScheduler.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [TrayStartup] C:\Program Files\BT Auto Backup\VaultClientTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [2kgnxk] C:\WINDOWS\system32\2kgnxk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKCU\..\Run: [2kgnxk] C:\WINDOWS\system32\2kgnxk.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (first direct internet banking plus digital safe) - https://internetbankingplus1.firstdirect.com/ibplus/frontdoorFD.cab
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://tonydockerill.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: BT Auto Backup Upgrade Service (VaultClientUpgrade) - BT - C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe

--
End of file - 13221 bytes

my browser still redirects im afraid....guess we arent done huh ?
 
Hi

No, we are not done.

Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
C:\WINDOWS\system32\upsrynoe.dat
C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\egoqjvjs.dat
C:\WINDOWS\system32\libssl32.dll
C:\WINDOWS\system32\bmaskxxw.dat
C:\WINDOWS\system32\midoicjs.dat
C:\WINDOWS\system32\ufqouilh.dat
C:\WINDOWS\system32\sbyfrnmh.dat
C:\WINDOWS\system32\cdralv.dll
C:\WINDOWS\system32\2kgnxk.exe

Driver::
lnuunrrt

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1A55360-1A90-480D-B93B-E317830F1D41}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"2kgnxk"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
ok - combo run again.....

it ran ok....here is the log shaba

ComboFix 08-04-18.3 - Tony 2008-04-27 19:22:11.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.948 [GMT 1:00]
Running from: C:\Documents and Settings\Tony\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tony\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\2kgnxk.exe
C:\WINDOWS\system32\bmaskxxw.dat
C:\WINDOWS\system32\cdralv.dll
C:\WINDOWS\system32\egoqjvjs.dat
C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\libssl32.dll
C:\WINDOWS\system32\midoicjs.dat
C:\WINDOWS\system32\sbyfrnmh.dat
C:\WINDOWS\system32\ufqouilh.dat
C:\WINDOWS\system32\upsrynoe.dat
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\2kgnxk.exe
C:\WINDOWS\system32\bmaskxxw.dat
C:\WINDOWS\system32\cdralv.dll
C:\WINDOWS\system32\egoqjvjs.dat
C:\WINDOWS\system32\libeay32.dll
C:\WINDOWS\system32\libssl32.dll
C:\WINDOWS\system32\midoicjs.dat
C:\WINDOWS\system32\sbyfrnmh.dat
C:\WINDOWS\system32\ufqouilh.dat
C:\WINDOWS\system32\upsrynoe.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_LNUUNRRT
-------\Service_lnuunrrt


((((((((((((((((((((((((( Files Created from 2008-03-27 to 2008-04-27 )))))))))))))))))))))))))))))))
.

2008-04-26 14:52 . 2008-04-26 14:53 <DIR> d-------- C:\Program Files\Juice
2008-04-26 14:52 . 2008-04-26 14:52 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\iPodder
2008-04-26 13:54 . 2008-04-26 13:54 <DIR> d-------- C:\Documents and Settings\All Users\SonicStage
2008-04-26 13:23 . 2008-04-26 13:23 <DIR> d-------- C:\Program Files\Bonjour
2008-04-26 13:20 . 2008-04-26 13:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-26 12:36 . 2008-04-26 12:36 <DIR> d-------- C:\Program Files\Sony Corporation
2008-04-26 12:36 . 2001-09-13 02:15 90,112 --------- C:\WINDOWS\snymsico.dll
2008-04-26 12:36 . 2002-08-08 15:51 38,951 --------- C:\WINDOWS\system32\drivers\NETMDUSB.sys
2008-04-26 12:36 . 2005-10-31 10:46 36,679 --------- C:\WINDOWS\system32\drivers\NETMD052.sys
2008-04-26 12:36 . 2003-11-10 12:31 36,232 --------- C:\WINDOWS\system32\drivers\NETMD033.sys
2008-04-26 12:36 . 2003-04-01 18:55 35,319 --------- C:\WINDOWS\system32\drivers\NETMD031.sys
2008-04-26 12:36 . 2001-08-31 15:07 27,255 --------- C:\WINDOWS\system32\drivers\NWWMUSB.sys
2008-04-26 12:36 . 2002-09-11 10:20 11,510 --------- C:\WINDOWS\system32\drivers\VMCUSB.sys
2008-04-26 12:35 . 2008-04-26 12:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sony Corporation
2008-04-26 12:35 . 2006-05-11 12:05 770,048 --a------ C:\WINDOWS\system32\CDDBUISony.dll
2008-04-26 12:35 . 2006-05-11 12:02 643,072 --a------ C:\WINDOWS\system32\CDDBControlSony.dll
2008-04-26 12:35 . 2006-05-11 12:03 585,728 --a------ C:\WINDOWS\system32\CddbMusicIDSony.dll
2008-04-26 12:35 . 2006-05-11 12:05 73,728 --a------ C:\WINDOWS\system32\CddbLinkSony.dll
2008-04-26 12:34 . 2008-04-26 12:36 <DIR> d-------- C:\Program Files\Sony
2008-04-26 12:34 . 2008-04-26 12:36 <DIR> d-------- C:\Program Files\Common Files\Sony Shared
2008-04-26 12:34 . 2008-04-26 13:54 <DIR> d-------- C:\Documents and Settings\Tony\Application Data\Sony Corporation
2008-04-23 21:35 . 2008-04-25 19:10 250 --a------ C:\WINDOWS\gmer.ini
2008-04-23 16:59 . 2008-04-23 16:59 <DIR> d-------- C:\Documents and Settings\Jade\Application Data\NCH Swift Sound
2008-04-22 16:09 . 2008-04-22 16:09 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\pnbfihzq
2008-04-16 20:49 . 2008-04-16 20:49 244 --ah----- C:\sqmnoopt15.sqm
2008-04-16 20:49 . 2008-04-16 20:49 232 --ah----- C:\sqmdata15.sqm
2008-04-15 11:56 . 2008-04-15 11:56 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 08:28 . 2008-04-15 08:22 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-15 08:28 . 2008-04-15 08:28 2,546 --a------ C:\WINDOWS\unins000.dat
2008-04-14 19:31 . 2008-04-22 16:09 <DIR> d-------- C:\Program Files\Common Files\Mozilla Shared
2008-04-11 15:14 . 2008-04-11 15:14 97,728 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2008-04-08 13:44 . 2008-04-08 13:44 <DIR> d-------- C:\Program Files\Research In Motion
2008-04-06 15:59 . 2008-04-06 15:59 244 --ah----- C:\sqmnoopt14.sqm
2008-04-06 15:59 . 2008-04-06 15:59 232 --ah----- C:\sqmdata14.sqm
2008-04-01 13:49 . 2008-04-01 13:49 244 --ah----- C:\sqmnoopt13.sqm
2008-04-01 13:49 . 2008-04-01 13:49 232 --ah----- C:\sqmdata13.sqm
2008-03-30 19:54 . 2008-03-30 19:54 244 --ah----- C:\sqmnoopt12.sqm
2008-03-30 19:54 . 2008-03-30 19:54 232 --ah----- C:\sqmdata12.sqm
2008-03-29 23:02 . 2008-03-29 23:02 244 --ah----- C:\sqmnoopt11.sqm
2008-03-29 23:02 . 2008-03-29 23:02 232 --ah----- C:\sqmdata11.sqm
2008-03-29 12:19 . 2008-03-29 12:19 244 --ah----- C:\sqmnoopt10.sqm
2008-03-29 12:19 . 2008-03-29 12:19 232 --ah----- C:\sqmdata10.sqm
2008-03-28 23:37 . 2008-03-28 23:37 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-03-28 23:37 . 2008-03-28 23:37 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-03-28 18:30 . 2008-03-28 18:30 244 --ah----- C:\sqmnoopt09.sqm
2008-03-28 18:30 . 2008-03-28 18:30 232 --ah----- C:\sqmdata09.sqm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-26 12:23 --------- d-----w C:\Documents and Settings\Tony\Application Data\Apple Computer
2008-04-26 12:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-26 12:22 --------- d-----w C:\Program Files\QuickTime
2008-04-26 11:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-15 07:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-15 07:29 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-27 08:16 --------- d-----w C:\Program Files\BT Auto Backup
2008-03-24 17:27 --------- d-----w C:\Program Files\exPressit S.E. 3.0
2008-03-03 18:22 81 ----a-w C:\CTX.DAT
2008-02-29 19:04 --------- d-----w C:\Documents and Settings\Tony\Application Data\ArcSoft
2008-02-29 18:41 --------- d-----w C:\Program Files\Western Digital Technologies
2008-02-27 18:56 --------- d-----w C:\Program Files\Windows Live
2008-02-01 11:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
2007-05-08 07:16 81 ----a-w C:\Documents and Settings\Andrea\CTX.DAT
2005-07-18 14:00 224 ----a-w C:\Documents and Settings\Tony\Application Data\wklnhst.dat
2005-07-06 14:02 16,291,424 ----a-w C:\Program Files\jre-1_5_0_04-windows-i586-p.exe
.

((((((((((((((((((((((((((((( snapshot@2008-04-22_19.55.29.14 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-22 18:47:07 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-27 18:24:41 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-04-23 20:35:06 819,200 ----a-w C:\WINDOWS\gmer.dll
+ 2008-03-03 19:29:06 761,856 ----a-r C:\WINDOWS\gmer.exe
+ 2008-04-26 12:23:08 86,016 ----a-r C:\WINDOWS\Installer\{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}\PrntWzrdIco.exe
+ 2007-07-24 14:17:08 81,920 ----a-w C:\WINDOWS\system32\dns-sd.exe
+ 2007-07-24 14:17:08 61,440 ----a-w C:\WINDOWS\system32\dnssd.dll
+ 2008-04-23 20:35:06 86,097 ----a-w C:\WINDOWS\system32\drivers\gmer.sys
- 2008-04-22 18:51:24 222,729 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2008-04-27 18:24:59 222,734 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
- 2008-04-22 18:51:40 83,292 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-04-27 15:33:42 83,292 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-04-22 18:51:40 464,348 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-27 15:33:42 464,348 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-04-27 18:24:46 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_72c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"FreeRAM XP"="C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" [2006-03-25 18:27 1591808]
"PowerBar"="" []
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe" [2008-04-11 15:42 2075584]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [ ]
"BTAgile"="C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe" [2007-06-18 09:39 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 15:06 118784 C:\WINDOWS\system32\ptipbmf.dll]
"CARPService"="carpserv.exe" [2003-01-08 21:42 4608 C:\WINDOWS\system32\carpserv.exe]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-07-02 10:03 57344]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE" [2003-06-18 01:00 45056]
"AsioReg"="REGSVR32.exe" [2004-08-04 13:00 11776 C:\WINDOWS\system32\regsvr32.exe]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2005-01-14 18:21 110744]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 32768]
"{1290A33C-85F5-4164-A1BE-7DD299D4986A}"="C:\Program Files\CyberLink\PowerBackup\PBKScheduler.EXE" [2004-06-08 18:33 69721]
"PinnacleDriverCheck"="C:\WINDOWS\system32\PSDrvCheck.exe" [2004-03-10 16:26 406016]
"NWEReboot"="" []
"CTHelper"="CTHELPER.EXE" [2003-06-20 04:55 24576 C:\WINDOWS\system32\CTHELPER.EXE]
"SBDrvDet"="C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe" [2002-12-03 18:06 45056]
"VirtualCloneDrive"="C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" [2005-04-12 16:27 45056]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56 36975]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58 856064]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2003-06-30 20:56 188416]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2003-06-30 21:00 65536]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-08-11 21:43 7630848]
"nwiz"="nwiz.exe" [2006-08-11 21:43 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-08-11 21:43 86016 C:\WINDOWS\system32\nvmctray.dll]
"Easy-PrintToolBox"="C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.exe" [2004-01-14 02:10 409600]
"TrayStartup"="C:\Program Files\BT Auto Backup\VaultClientTray.exe" [2008-01-30 17:18 1246552]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe" [2007-02-06 00:52 849280]
"WD Button Manager"="WDBtnMgr.exe" [2008-02-29 19:41 364544 C:\WINDOWS\system32\WDBtnMgr.exe]
"2kgnxk"="C:\WINDOWS\system32\2kgnxk.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-03-28 23:37 413696]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2006-01-07 02:36 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\CyberLink\\PowerCinema\\PowerCinema.exe"=
"C:\\Program Files\\Creative\\SBAudigy2ZS\\WaveStudio\\CTWave32.exe"=
"C:\\Program Files\\EA Games\\Command and Conquer Generals\\game.dat"=
"C:\\Program Files\\EA Games\\Command and Conquer Generals\\patchget.dat"=
"C:\\Program Files\\Infogrames\\Monopoly\\Monopoly.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero ShowTime\\ShowTime.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\WINDOWS\\system32\\ftp.exe"=
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"=
"C:\\Program Files\\LEGO Media\\Constructive\\LEGO LOCO\\Exe\\Loco.exe"=
"C:\\WINDOWS\\system32\\fxsclnt.exe"=
"C:\\Program Files\\BT Broadband Talk Softphone\\BTSoftphone.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 18:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe [2004-08-04 13:00]
R2 VaultClientSRV;BT Auto Backup Service;C:\Program Files\BT Auto Backup\VaultClientSRV.exe [2008-01-30 17:18]
R2 VaultClientUpgrade;BT Auto Backup Upgrade Service;C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe [2008-01-30 17:18]
R3 Bonifay;Bonifay;C:\WINDOWS\system32\DRIVERS\Bonifay.sys [2005-01-13 16:22]
R3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\system32\DRIVERS\CamDrL21.sys [2003-06-27 04:08]
S2 Hauppauge;Hauppauge WinTV PVR - USB Service;C:\WINDOWS\system32\DRIVERS\hcwncusb.sys []
S3 CW100;CW100 Device;C:\WINDOWS\system32\DRIVERS\CW100.sys [2002-05-24 14:50]
S3 HPZs2k12;Storage Class Driver for IEEE-1284.4 (HPZ12);C:\WINDOWS\system32\Drivers\hpzs2k12.sys [2002-06-20 10:51]
S3 NUVision;NUVision II Video Service;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys [2001-10-28 22:34]
S3 PIXMCV;JVC Communication PIX-MCV Driver;C:\WINDOWS\system32\Drivers\pixmcvc.sys [2003-12-05 14:39]
S3 PIXMCVA;JVC PIX-MCV Audio Capture;C:\WINDOWS\system32\Drivers\pixmcva.sys [2003-12-05 14:39]
S3 PIXMCVV;JVC PIX-MCV Video Capture;C:\WINDOWS\system32\Drivers\pixmcvv.sys [2003-12-05 14:39]
S4 SI3112r;Silicon Image SiI 3512 SATARaid Controller;C:\WINDOWS\system32\DRIVERS\SI3112r.sys [2003-05-09 16:55]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
fqqozoku

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f0c13b66-e6f5-11dc-bdc4-101111111111}]
\Shell\AutoRun\command - F:\WD_Windows_Tools\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-04-26 11:58:41 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\rundll32.exe
"2008-04-16 13:54:00 C:\WINDOWS\Tasks\RoxioUpdator.job"
- C:\Program Files\Common Files\Roxio Shared\Autoupdater\autoupdater.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-27 19:25:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2008-04-27 19:33:07 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-27 18:33:02
ComboFix2.txt 2008-04-27 16:48:21
ComboFix3.txt 2008-04-27 14:07:48
ComboFix4.txt 2008-04-22 18:55:58

Pre-Run: 32,496,312,320 bytes free
Post-Run: 32,491,040,768 bytes free

249 --- E O F --- 2008-04-14 07:22:44


and the hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:58:20, on 27/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\BT Auto Backup\VaultClientTray.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Logitech\Video\LowLight.exe
C:\Program Files\Java\jre1.5.0_07\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Canon Easy Web Print Helper - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [{1290A33C-85F5-4164-A1BE-7DD299D4986A}] C:\Program Files\CyberLink\PowerBackup\PBKScheduler.EXE
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [TrayStartup] C:\Program Files\BT Auto Backup\VaultClientTray.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [2kgnxk] C:\WINDOWS\system32\2kgnxk.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [FreeRAM XP] "C:\Program Files\YourWare Solutions\FreeRAM XP Pro\FreeRAM XP Pro.exe" -win
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVDtray.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O14 - IERESET.INF: START_PAGE_URL=http://www.meshcomputers.com
O16 - DPF: {0A43D7AC-D6C1-4622-B309-BF975F427C0E} (first direct internet banking plus digital safe) - https://internetbankingplus1.firstdirect.com/ibplus/frontdoorFD.cab
O16 - DPF: {2A493D5F-8914-4D3E-8BF3-767F281862F4} (TraderMediaImgX Control) - http://sell.autotrader.co.uk/uk-ola/common/TraderMediaX.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.truprint.co.uk/TruprintActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://tonydockerill.spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/51/install/gtdownls.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: BT Auto Backup Upgrade Service (VaultClientUpgrade) - BT - C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe

--
End of file - 12940 bytes



have i done this correct - i got a bit confused ?

tony
 
You must log in or register to reply here.
Back
Top