probable Virtuamonde infection

G

greenfingers1

New member
Looks like my lad has been accessing things he should have and we have picked up this monster.
Per the instructions I have run Kaspersky which found 16 infections, run Spybot in safe mode which removed all those found by it, then on reboot Teatimer has gone mad as this thing tries to re-infect. I have run HJT BUT it crashed with an error modMain_StartScan() Error #5 but did produce the log. Whether it is complete I can't tell. Both logs below.

Any help given will be greatly appreciate and a donation is guaranteed!
Andrew

Kaspersky log
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 23, 2008 6:50:08 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/04/2008
Kaspersky Anti-Virus database records: 723063
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
T:\
X:\

Scan Statistics:
Total number of scanned objects: 107919
Number of viruses found: 16
Number of infected objects: 41
Number of suspicious objects: 0
Duration of the scan process: 03:32:31

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\All Users\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temp\snapsnet.exe/data0006 Infected: Trojan-Downloader.Win32.VB.dza skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temp\snapsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temp\Temporary Internet Files\Content.IE5\05KGAHFR\rld[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temp\Temporary Internet Files\Content.IE5\05KGAHFR\xpre[1].exe Infected: Trojan-Downloader.Win32.VB.dzb skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temp\Temporary Internet Files\Content.IE5\AV9QIF0N\rasesnet[1].exe Infected: Trojan.Win32.Agent.eek skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temp\Temporary Internet Files\Content.IE5\BYVDNRVZ\snapsnet[1].exe/data0006 Infected: Trojan-Downloader.Win32.VB.dza skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temp\Temporary Internet Files\Content.IE5\BYVDNRVZ\snapsnet[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temp\Temporary Internet Files\Content.IE5\NQ8Z71KT\wavvsnet[1].exe Infected: Trojan-Downloader.Win32.Small.upn skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temp\Temporary Internet Files\Content.IE5\SB5JY6FX\kriv[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.pmw skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temp\~DF136E.tmp Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temp\~DF1392.tmp Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temp\~DF472B.tmp Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temp\~DFF8F8.tmp Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\ntuser.dat Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\toshiba\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\toshiba\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\LOG\ERRORLOG Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010003.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.001 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1512\A0222655.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pjx skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1512\A0222656.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmw skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1512\A0223655.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmw skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226816.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226817.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226819.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226821.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226823.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmx skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226824.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pik skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226826.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226827.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226828.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226829.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pon skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226831.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226834.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qgr skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226835.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmx skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226837.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226838.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226839.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1517\change.log Object is locked skipped
C:\WINDOWS\apoxqwfv.exe Infected: not-a-virus:AdWare.Win32.Vapsup.dvb skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.a skipped
C:\WINDOWS\qdnkewfa.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dvb skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\atgban.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\mrcpypeh.exe Infected: Trojan-Downloader.Win32.Obfuscated.tm skipped
C:\WINDOWS\SYSTEM32\ocnhnrxa.dll_old Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\WINDOWS\SYSTEM32\pmnkhedd.dll Infected: Trojan.Win32.Agent.eek skipped
C:\WINDOWS\SYSTEM32\uid\HTgn1dll.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\WINDOWS\SYSTEM32\uid\HTgn1dll.exe/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\WINDOWS\SYSTEM32\uid\HTgn1dll.exe NSIS: infected - 2 skipped
C:\WINDOWS\SYSTEM32\vtutssqo.dll Infected: Trojan.Win32.Agent.eek skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\xcsDd01\xcsDd011065.exe Infected: Trojan-Downloader.Win32.VB.dza skipped
C:\WINDOWS\Temp\Perflib_Perfdata_1d8.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6cc.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\vnbptxlf.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dud skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:03:18, on 24/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\vpop3\vpop3svc.exe
C:\PROGRA~1\vpop3\VPOP3.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\bytcdsfq\zqbuhone.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\ilozyzgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interlinkexpress.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Top Print
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [PDFCreatorClient] C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [OLP-Tray] C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\atgban.dll" DllStart
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKLM\..\Run: [e03e7cd3] rundll32.exe "C:\WINDOWS\system32\qpgjbnni.dll",b
O4 - HKLM\..\Run: [BMe30d4f4f] Rundll32.exe "C:\WINDOWS\system32\ebrcmjyj.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [7p5j4x2YYa] C:\Documents and Settings\All Users\Application Data\bytcdsfq\zqbuhone.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36D77840-9846-4610-AF48-CDD11A399296}: NameServer = 194.106.56.6,194.106.33.42
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd. - C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe

--
End of file - 6861 bytes
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy. It looks like you have multiple infections, we will need to check for that first.

1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< rename HJT.exe, call it greenfingers1.exe that will work. Hackers hide their junk from HJT and we may see more of the infection in the next log.

3) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Post only the C:\rapport.txt

Thanks
 
Rapport log as request

Teatimer now disbaled, HJT renamed to greensfingers1,exe and Smitfruadfix run - log below.

SmitFraudFix v2.318

Scan done at 13:03:28.73, 24/04/2008
Run from C:\Documents and Settings\DIGITAL COPY\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\vpop3\vpop3svc.exe
C:\PROGRA~1\vpop3\VPOP3.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\bytcdsfq\zqbuhone.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\DIGITAL COPY


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\DIGITAL COPY\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\DIGITA~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Intel(R) PRO/1000 MT Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 194.106.56.6
DNS Server Search Order: 194.106.33.42

HKLM\SYSTEM\CCS\Services\Tcpip\..\{36D77840-9846-4610-AF48-CDD11A399296}: NameServer=194.106.56.6,194.106.33.42
HKLM\SYSTEM\CS2\Services\Tcpip\..\{36D77840-9846-4610-AF48-CDD11A399296}: NameServer=194.106.56.6,194.106.33.42
HKLM\SYSTEM\CS3\Services\Tcpip\..\{36D77840-9846-4610-AF48-CDD11A399296}: NameServer=194.106.56.6,194.106.33.42


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
 
Thanks for returning your information, Smitfraudfix found the infection and it also found this:
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
After we clean, in the next C:\rapport.txt, there may be a very large hosts file (items starting with 127.0.0.1) and I do not need to see it. Edit (remove) it from the C:\rapport.txt before you post it.

Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

Post the C:\rapport.txt and a new HJT log.

Thanks
 
Thanks for this.

A couple of points:

I dont' know if it helps but I have Spywareblaster 4 installed with a Hosts backup done 5 weeks ago prior to the infection and also a System Snapshot restore point done by the same programme then as well.

When I reboot in Normal mode, a Rundll box appears saying Error loading C: \Windows\System32\qpgbnni.dll the specified file could not be found.


Kind regards Andrew

Rapport log having removed 127.0.0.1 entries

SmitFraudFix v2.318

Scan done at 13:54:18.76, 24/04/2008
Run from C:\Documents and Settings\DIGITAL COPY\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts




»»»»»»»»»»»»»»»»»»»»»»»» VACFix

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{36D77840-9846-4610-AF48-CDD11A399296}: NameServer=194.106.56.6,194.106.33.42
HKLM\SYSTEM\CS2\Services\Tcpip\..\{36D77840-9846-4610-AF48-CDD11A399296}: NameServer=194.106.56.6,194.106.33.42
HKLM\SYSTEM\CS3\Services\Tcpip\..\{36D77840-9846-4610-AF48-CDD11A399296}: NameServer=194.106.56.6,194.106.33.42


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End


HTJ log - run from Greenfingers1.exe

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:08:37, on 24/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\vpop3\vpop3svc.exe
C:\PROGRA~1\vpop3\VPOP3.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\All Users\Application Data\bytcdsfq\zqbuhone.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\greenfingers1.exe.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Top Print
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F05438B-6B59-42D9-9CB7-4B3AC02F5E19} - (no file)
O2 - BHO: targettedbanner.biz browser enhancer - {16B435F6-B6CE-4F24-A568-944B27ED919C} - C:\WINDOWS\system32\atgban.dll
O2 - BHO: (no name) - {207A4206-0323-4473-A911-81D9D91936ED} - (no file)
O2 - BHO: (no name) - {24E9519B-3F70-429B-99BC-4B2B49B96F66} - C:\WINDOWS\system32\iifcCtSK.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A54BE1B-B01C-40E5-9170-80A984E9BB89} - C:\WINDOWS\system32\wvUnmjgf.dll (file missing)
O2 - BHO: (no name) - {5fce9b86-7a94-46bd-be94-e37bf344ebbb} - (no file)
O2 - BHO: (no name) - {9B9538D6-51E3-4F97-BDC2-2DF533C7787A} - (no file)
O2 - BHO: (no name) - {B720F184-F573-4712-9743-A5FA7301C416} - C:\WINDOWS\system32\jkkhfddc.dll (file missing)
O2 - BHO: (no name) - {CCB23850-4703-473E-BA67-F26466A5CC09} - C:\WINDOWS\system32\efcdbBsP.dll (file missing)
O2 - BHO: (no name) - {F28C9717-B94C-42DF-ABB2-ABEFE0E069E7} - C:\WINDOWS\system32\qomnlige.dll
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - C:\WINDOWS\system32\pmnkhedd.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [PDFCreatorClient] C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [OLP-Tray] C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
O4 - HKLM\..\Run: [PostSetupCheck] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\atgban.dll" DllStart
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKLM\..\Run: [e03e7cd3] rundll32.exe "C:\WINDOWS\system32\qpgjbnni.dll",b
O4 - HKLM\..\Run: [BMe30d4f4f] Rundll32.exe "C:\WINDOWS\system32\bpfgwfxu.dll",s
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [7p5j4x2YYa] C:\Documents and Settings\All Users\Application Data\bytcdsfq\zqbuhone.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36D77840-9846-4610-AF48-CDD11A399296}: NameServer = 194.106.56.6,194.106.33.42
O20 - Winlogon Notify: iifcCtSK - iifcCtSK.dll (file missing)
O20 - Winlogon Notify: pmnkhedd - C:\WINDOWS\SYSTEM32\pmnkhedd.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd. - C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe

--
End of file - 7743 bytes
 
Thanks for returning your information and the feedback. I am running version 4.0 also, just make sure your protection is enabled and the database is at 10114.

Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks
 
As requesred

Combofix log

ComboFix 08-04-22.5 - DIGITAL COPY 2008-04-24 16:40:20.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.547 [GMT 1:00]
Running from: C:\Documents and Settings\DIGITAL COPY\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AntiSpywareMaster
C:\Program Files\AntiSpywareMaster\asm.exe
C:\Program Files\PC-Cleaner
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\WINDOWS\apoxqwfv.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\qdnkewfa.dll
C:\WINDOWS\system32\aqlpydnp.dll
C:\WINDOWS\system32\atgban.dll
C:\WINDOWS\system32\bpfgwfxu.dll
C:\WINDOWS\SYSTEM32\cddfhkkj.ini
C:\WINDOWS\SYSTEM32\cddfhkkj.ini2
C:\WINDOWS\system32\crjiakth.dll
C:\WINDOWS\SYSTEM32\egilnmoq.ini
C:\WINDOWS\SYSTEM32\egilnmoq.ini2
C:\WINDOWS\SYSTEM32\fgjmnUvw.ini
C:\WINDOWS\SYSTEM32\fgjmnUvw.ini2
C:\WINDOWS\SYSTEM32\htkaijrc.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmnkhedd.dll
C:\WINDOWS\SYSTEM32\PsBbdcfe.ini
C:\WINDOWS\SYSTEM32\PsBbdcfe.ini2
C:\WINDOWS\system32\qomnlige.dll
C:\WINDOWS\system32\vtutssqo.dll
C:\WINDOWS\system32bdn.com
C:\WINDOWS\system32hxiwlgpm.dat
C:\WINDOWS\system32ssvchost.com
C:\WINDOWS\system32taack.dat
C:\WINDOWS\system32VBIEWER.OCX
C:\WINDOWS\vnbptxlf.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-24 to 2008-04-24 )))))))))))))))))))))))))))))))
.

2008-04-24 17:01 . 2008-04-24 17:01 <DIR> d-------- C:\Documents and Settings\TEMP
2008-04-24 13:54 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-04-24 13:54 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-04-24 13:54 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-04-24 13:54 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-04-24 13:54 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\SYSTEM32\404Fix.exe
2008-04-24 13:54 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-04-24 13:54 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-04-24 13:54 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-04-24 13:03 . 2008-04-24 13:54 3,428 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-24 10:01 . 2008-04-24 10:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-24 09:59 . 2008-04-24 09:59 53,312 --a------ C:\WINDOWS\SYSTEM32\jjqjsiob.dll
2008-04-24 09:54 . 2008-04-24 09:54 106,496 --a------ C:\WINDOWS\SYSTEM32\ilozyzgr.exe
2008-04-23 20:44 . 2008-04-23 20:44 98,304 --a------ C:\WINDOWS\SYSTEM32\kfetglax.exe
2008-04-23 14:24 . 2008-04-23 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-23 14:24 . 2008-04-23 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-23 10:09 . 2008-04-23 14:01 493 --a------ C:\WINDOWS\wininit.ini
2008-04-23 09:02 . 2008-04-23 15:29 1,540,768 --ahs---- C:\WINDOWS\SYSTEM32\innbjgpq.ini
2008-04-22 09:05 . 2008-04-23 08:44 1,542,840 --ahs---- C:\WINDOWS\SYSTEM32\utlrbmps.ini
2008-04-21 09:07 . 2008-04-22 08:50 2,138 --ahs---- C:\WINDOWS\SYSTEM32\tdfpnlgq.ini
2008-04-20 08:59 . 2008-04-21 08:59 1,434 --ahs---- C:\WINDOWS\SYSTEM32\mquhfdlu.ini
2008-04-20 08:56 . 2008-04-20 08:56 1,254 --ahs---- C:\WINDOWS\SYSTEM32\lfnoujye.ini
2008-04-18 08:57 . 2008-04-19 08:57 1,194 --ahs---- C:\WINDOWS\SYSTEM32\elrjqgar.ini
2008-04-17 17:16 . 2008-04-17 17:16 <DIR> d-------- C:\WINDOWS\SYSTEM32\xcsDd01
2008-04-17 17:16 . 2008-04-17 17:16 <DIR> d-------- C:\Temp\berDrv11
2008-04-17 11:10 . 2008-04-17 11:10 98,304 --a------ C:\WINDOWS\SYSTEM32\mrcpypeh.exe
2008-04-17 08:39 . 2008-04-17 08:39 294 --ahs---- C:\WINDOWS\SYSTEM32\saabrnsm.ini
2008-04-16 08:39 . 2008-04-16 18:33 1,426 --ahs---- C:\WINDOWS\SYSTEM32\axlnpdhf.ini
2008-04-15 08:40 . 2008-04-15 11:34 1,186 --ahs---- C:\WINDOWS\SYSTEM32\sdhbgblw.ini
2008-04-14 08:40 . 2008-04-14 13:52 766 --ahs---- C:\WINDOWS\SYSTEM32\acmtryfd.ini
2008-04-11 22:19 . 2008-04-13 22:20 294 --ahs---- C:\WINDOWS\SYSTEM32\swyyxnbj.ini
2008-04-11 22:08 . 2008-04-11 22:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\bytcdsfq
2008-04-11 22:08 . 2008-04-11 22:08 94,208 --a------ C:\WINDOWS\SYSTEM32\fujyvwjs.exe
2008-04-09 13:26 . 2008-04-09 13:26 127 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-04-09 10:23 . 2008-04-09 11:59 354 --ahs---- C:\WINDOWS\SYSTEM32\ikqcgirt.ini
2008-04-09 10:20 . 2008-04-24 10:35 109,777 --a------ C:\WINDOWS\BMe30d4f4f.xml
2008-04-08 21:13 . 2008-04-08 21:13 39,883 --a------ C:\WINDOWS\SYSTEM32\targetedbanner-uninst.exe
2008-04-08 21:12 . 2008-04-08 21:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\uid
2008-04-08 21:12 . 2008-04-23 06:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\gui4
2008-04-08 21:12 . 2008-04-08 21:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\ginp
2008-04-08 21:12 . 2008-04-15 08:38 <DIR> d-------- C:\WINDOWS\SYSTEM32\bharebio01
2008-04-08 21:12 . 2008-04-08 21:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\ace2
2008-04-08 21:12 . 2008-04-08 21:12 <DIR> d-------- C:\Temp\wdlw14
2008-04-04 14:13 . 2008-04-04 14:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-24 15:56 --------- d-----w C:\Program Files\vpop3
2008-04-24 13:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-24 13:31 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-23 13:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-23 13:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-08 08:45 691,545 ----a-w C:\WINDOWS\unins000.exe
2007-03-26 16:56 0 -c--a-w C:\Documents and Settings\DIGITAL COPY\us14info.exe
2004-09-01 15:11 98 -c-h--w C:\Documents and Settings\DIGITAL COPY\Application Data\srfvdo.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A54BE1B-B01C-40E5-9170-80A984E9BB89}]
C:\WINDOWS\system32\wvUnmjgf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B720F184-F573-4712-9743-A5FA7301C416}]
C:\WINDOWS\system32\jkkhfddc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCB23850-4703-473E-BA67-F26466A5CC09}]
C:\WINDOWS\system32\efcdbBsP.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"oenwzcwl"="C:\WINDOWS\system32\napexipq.exe" [2008-04-24 17:03 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 19:22 28672]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2004-06-23 13:24 684032]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-04-06 09:28 499712]
"PDFCreatorClient"="C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe" [2005-03-21 09:19 450560]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"pdfFactory Dispatcher v2"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2006-04-06 09:40 499712]
"RegistryMechanic"="" []
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2006-02-14 10:32 507904]
"OLP-Tray"="C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE" [2006-07-17 17:45 40960]
"MRT"="C:\WINDOWS\system32\MRT.exe" [ ]
"e03e7cd3"="C:\WINDOWS\system32\qpgjbnni.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-01-10 18:02:00 122880]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"7p5j4x2YYa"= C:\Documents and Settings\All Users\Application Data\bytcdsfq\zqbuhone.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcCtSK]
iifcCtSK.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\vpop3\\vpop3status.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\vpop3\\vpop3.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 MrFilter;EasyWrite Driver;C:\WINDOWS\system32\drivers\MrFilter.sys [2002-12-17 20:30]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 18:31]
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2003-02-10 05:52]
R2 AsfAlrt;AsfAlrt;C:\WINDOWS\System32\drivers\AsfAlrt.sys [2002-12-18 05:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]
R2 VPOP3;VPOP3 Email Server;C:\PROGRA~1\vpop3\vpop3svc.exe [2004-06-21 17:09]
S3 SM_sugo2_FUService;sugo2 Status Monitor Service;"C:\Program Files\Samsung\Samsung ML-2570 Series\SPanel\ssmsrvc /Service []

.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-24 17:01:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\regm64.dll 4096 bytes
C:\WINDOWS\system32\ssurf022.dll 4096 bytes
C:\WINDOWS\system32\ssvchost.com 4096 bytes
C:\WINDOWS\system32\ssvchost.exe 4096 bytes
C:\WINDOWS\system32\winlogonpc.exe 4096 bytes
C:\WINDOWS\system32\msvchost.exe 4096 bytes
C:\WINDOWS\system32\ps1.exe 4096 bytes
C:\WINDOWS\system32\hxiwlgpm.dat 4096 bytes
C:\WINDOWS\system32\hxiwlgpm.exe 4096 bytes
C:\WINDOWS\system32\akttzn.exe 4096 bytes
C:\WINDOWS\system32\anticipator.dll 4096 bytes
C:\WINDOWS\system32\msgp.exe 4096 bytes
C:\WINDOWS\system32\winsystem.exe 4096 bytes
C:\WINDOWS\system32\WINWGPX.EXE 4096 bytes
C:\WINDOWS\system32\temp#01.exe 4096 bytes
C:\WINDOWS\system32\thun.dll 4096 bytes
C:\WINDOWS\system32\thun32.dll 4096 bytes
C:\WINDOWS\system32\awtoolb.dll 4096 bytes
C:\WINDOWS\system32\bdn.com 4096 bytes
C:\WINDOWS\system32\mssecu.exe 4096 bytes
C:\WINDOWS\system32\h@tkeysh@@k.dll 4096 bytes
C:\WINDOWS\system32\hoproxy.dll 4096 bytes
C:\WINDOWS\system32\newsd32.exe 4096 bytes
C:\WINDOWS\system32\psof1.exe 4096 bytes
C:\WINDOWS\system32\psoft1.exe 4096 bytes
C:\WINDOWS\system32\regc64.dll 4096 bytes
C:\WINDOWS\system32\Rundl1.exe 4096 bytes

scan completed successfully
hidden files: 27

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SM_sugo2_FUService]
"ImagePath"="\"C:\Program Files\Samsung\Samsung ML-2570 Series\SPanel\ssmsrvc /Service"
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\SYSTEM32\logonui.exe
C:\WINDOWS\SYSTEM32\cisvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe
C:\PROGRA~1\vpop3\vpop3.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SYSTEM32\rdpclip.exe
C:\WINDOWS\SYSTEM32\msiexec.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\WINDOWS\SYSTEM32\CIDAEMON.EXE
.
**************************************************************************
.
Completion time: 2008-04-24 17:06:15 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-24 16:06:09

Pre-Run: 54,366,310,400 bytes free
Post-Run: 70,170,587,136 bytes free

219 --- E O F --- 2008-04-09 12:26:40

HJH - log having run Combofix

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:09, on 2008-04-24
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\vpop3\vpop3svc.exe
C:\PROGRA~1\vpop3\VPOP3.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\All Users\Application Data\bytcdsfq\zqbuhone.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\napexipq.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\logon.scr
C:\Program Files\Trend Micro\HijackThis\greenfingers1.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A54BE1B-B01C-40E5-9170-80A984E9BB89} - C:\WINDOWS\system32\wvUnmjgf.dll (file missing)
O2 - BHO: (no name) - {B720F184-F573-4712-9743-A5FA7301C416} - C:\WINDOWS\system32\jkkhfddc.dll (file missing)
O2 - BHO: (no name) - {CCB23850-4703-473E-BA67-F26466A5CC09} - C:\WINDOWS\system32\efcdbBsP.dll (file missing)
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [PDFCreatorClient] C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [OLP-Tray] C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKLM\..\Run: [e03e7cd3] rundll32.exe "C:\WINDOWS\system32\qpgjbnni.dll",b
O4 - HKCU\..\Run: [oenwzcwl] C:\WINDOWS\system32\napexipq.exe
O4 - HKLM\..\Policies\Explorer\Run: [7p5j4x2YYa] C:\Documents and Settings\All Users\Application Data\bytcdsfq\zqbuhone.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36D77840-9846-4610-AF48-CDD11A399296}: NameServer = 194.106.56.6,194.106.33.42
O20 - Winlogon Notify: iifcCtSK - iifcCtSK.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd. - C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe

--
End of file - 6780 bytes
 
Sorry for the delay, notifications seems to have stopped working?

Please remove Smitfraudfix from your computer.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
C:\WINDOWS\system32\qpgjbnni.dll
C:\WINDOWS\SYSTEM32\jjqjsiob.dll
C:\WINDOWS\system32\napexipq.exe
C:\WINDOWS\SYSTEM32\ilozyzgr.exe
C:\WINDOWS\SYSTEM32\kfetglax.exe
C:\WINDOWS\SYSTEM32\fujyvwjs.exe
C:\WINDOWS\SYSTEM32\mrcpypeh.exe
C:\WINDOWS\SYSTEM32\innbjgpq.ini
C:\WINDOWS\SYSTEM32\utlrbmps.ini
C:\WINDOWS\SYSTEM32\tdfpnlgq.ini
C:\WINDOWS\SYSTEM32\mquhfdlu.ini
C:\WINDOWS\SYSTEM32\lfnoujye.ini
C:\WINDOWS\SYSTEM32\elrjqgar.ini
C:\WINDOWS\SYSTEM32\saabrnsm.ini
C:\WINDOWS\SYSTEM32\axlnpdhf.ini
C:\WINDOWS\SYSTEM32\sdhbgblw.ini
C:\WINDOWS\SYSTEM32\acmtryfd.ini
C:\WINDOWS\SYSTEM32\swyyxnbj.ini

Folder::
C:\WINDOWS\SYSTEM32\bharebio01
C:\Documents and Settings\All Users\Application Data\bytcdsfq

Save this as CFScript

CFScript.gif


Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {5A54BE1B-B01C-40E5-9170-80A984E9BB89} - C:\WINDOWS\system32\wvUnmjgf.dll (file missing)
O2 - BHO: (no name) - {B720F184-F573-4712-9743-A5FA7301C416} - C:\WINDOWS\system32\jkkhfddc.dll (file missing)
O2 - BHO: (no name) - {CCB23850-4703-473E-BA67-F26466A5CC09} - C:\WINDOWS\system32\efcdbBsP.dll (file missing)
O4 - HKLM\..\Run: [e03e7cd3] rundll32.exe "C:\WINDOWS\system32\qpgjbnni.dll",b
O4 - HKCU\..\Run: [oenwzcwl] C:\WINDOWS\system32\napexipq.exe
O4 - HKLM\..\Policies\Explorer\Run: [7p5j4x2YYa] C:\Documents and Settings\All Users\Application Data\bytcdsfq\zqbuhone.exe
O20 - Winlogon Notify: iifcCtSK - iifcCtSK.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the combofix report and a new HJT log. How is the computer running?

Thanks
 
Log having run CFSCRIPT - HJT log below

ComboFix 08-04-22.5 - DIGITAL COPY 2008-04-25 8:51:28.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.600 [GMT 1:00]
Running from: C:\Documents and Settings\DIGITAL COPY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\DIGITAL COPY\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\SYSTEM32\acmtryfd.ini
C:\WINDOWS\SYSTEM32\axlnpdhf.ini
C:\WINDOWS\SYSTEM32\elrjqgar.ini
C:\WINDOWS\SYSTEM32\fujyvwjs.exe
C:\WINDOWS\SYSTEM32\ilozyzgr.exe
C:\WINDOWS\SYSTEM32\innbjgpq.ini
C:\WINDOWS\SYSTEM32\jjqjsiob.dll
C:\WINDOWS\SYSTEM32\kfetglax.exe
C:\WINDOWS\SYSTEM32\lfnoujye.ini
C:\WINDOWS\SYSTEM32\mquhfdlu.ini
C:\WINDOWS\SYSTEM32\mrcpypeh.exe
C:\WINDOWS\system32\napexipq.exe
C:\WINDOWS\system32\qpgjbnni.dll
C:\WINDOWS\SYSTEM32\saabrnsm.ini
C:\WINDOWS\SYSTEM32\sdhbgblw.ini
C:\WINDOWS\SYSTEM32\swyyxnbj.ini
C:\WINDOWS\SYSTEM32\tdfpnlgq.ini
C:\WINDOWS\SYSTEM32\utlrbmps.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\bytcdsfq
C:\Documents and Settings\All Users\Application Data\bytcdsfq\zqbuhone.exe
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.exe
C:\Program Files\Inet Delivery
C:\Program Files\Inet Delivery\inetdl.exe
C:\Program Files\Inet Delivery\intdel.exe
C:\WINDOWS\a.bat
C:\WINDOWS\base64.tmp
C:\WINDOWS\bdn.com
C:\WINDOWS\FVProtect.exe
C:\WINDOWS\iTunesMusic.exe
C:\WINDOWS\mslagent
C:\WINDOWS\mslagent\2_mslagent.dll
C:\WINDOWS\mslagent\mslagent.exe
C:\WINDOWS\mslagent\uninstall.exe
C:\WINDOWS\mssecu.exe
C:\WINDOWS\SYSTEM32\acmtryfd.ini
C:\WINDOWS\SYSTEM32\axlnpdhf.ini
C:\WINDOWS\SYSTEM32\bharebio01
C:\WINDOWS\system32\bsva-egihsg52.exe
C:\WINDOWS\SYSTEM32\elrjqgar.ini
C:\WINDOWS\system32\emesx.dll
C:\WINDOWS\SYSTEM32\fujyvwjs.exe
C:\WINDOWS\SYSTEM32\ilozyzgr.exe
C:\WINDOWS\SYSTEM32\innbjgpq.ini
C:\WINDOWS\SYSTEM32\jjqjsiob.dll
C:\WINDOWS\SYSTEM32\kfetglax.exe
C:\WINDOWS\SYSTEM32\lfnoujye.ini
C:\WINDOWS\SYSTEM32\mquhfdlu.ini
C:\WINDOWS\SYSTEM32\mrcpypeh.exe
C:\WINDOWS\system32\napexipq.exe
C:\WINDOWS\SYSTEM32\saabrnsm.ini
C:\WINDOWS\SYSTEM32\sdhbgblw.ini
C:\WINDOWS\SYSTEM32\swyyxnbj.ini
C:\WINDOWS\SYSTEM32\tdfpnlgq.ini
C:\WINDOWS\SYSTEM32\utlrbmps.ini
C:\WINDOWS\userconfig9x.dll
C:\WINDOWS\Web\def.htm
C:\WINDOWS\winsystem.exe
C:\WINDOWS\zip1.tmp
C:\WINDOWS\zip2.tmp
C:\WINDOWS\zip3.tmp
C:\WINDOWS\zipped.tmp

.
((((((((((((((((((((((((( Files Created from 2008-03-25 to 2008-04-25 )))))))))))))))))))))))))))))))
.

2008-04-25 08:47 . 2008-04-25 08:47 102,400 --a------ C:\WINDOWS\SYSTEM32\xsxqxojg.exe
2008-04-24 13:54 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-04-24 13:54 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-04-24 13:54 . 2008-04-24 08:10 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-04-24 13:54 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-04-24 13:54 . 2008-04-23 22:14 82,944 --a------ C:\WINDOWS\SYSTEM32\404Fix.exe
2008-04-24 13:54 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-04-24 13:54 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-04-24 13:54 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-04-24 13:03 . 2008-04-24 13:54 3,428 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2008-04-24 10:01 . 2008-04-24 10:01 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-23 14:24 . 2008-04-23 14:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-04-23 14:24 . 2008-04-23 14:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-04-23 10:09 . 2008-04-23 14:01 493 --a------ C:\WINDOWS\wininit.ini
2008-04-17 17:16 . 2008-04-17 17:16 <DIR> d-------- C:\WINDOWS\SYSTEM32\xcsDd01
2008-04-17 17:16 . 2008-04-17 17:16 <DIR> d-------- C:\Temp\berDrv11
2008-04-09 13:26 . 2008-04-09 13:26 127 --a------ C:\WINDOWS\SYSTEM32\MRT.INI
2008-04-09 10:23 . 2008-04-09 11:59 354 --ahs---- C:\WINDOWS\SYSTEM32\ikqcgirt.ini
2008-04-09 10:20 . 2008-04-24 10:35 109,777 --a------ C:\WINDOWS\BMe30d4f4f.xml
2008-04-08 21:13 . 2008-04-08 21:13 39,883 --a------ C:\WINDOWS\SYSTEM32\targetedbanner-uninst.exe
2008-04-08 21:12 . 2008-04-08 21:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\uid
2008-04-08 21:12 . 2008-04-23 06:26 <DIR> d-------- C:\WINDOWS\SYSTEM32\gui4
2008-04-08 21:12 . 2008-04-08 21:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\ginp
2008-04-08 21:12 . 2008-04-08 21:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\ace2
2008-04-08 21:12 . 2008-04-08 21:12 <DIR> d-------- C:\Temp\wdlw14
2008-04-04 14:13 . 2008-04-04 14:14 <DIR> d-------- C:\WINDOWS\SYSTEM32\NtmsData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-25 07:43 --------- d-----w C:\Program Files\vpop3
2008-04-24 13:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-24 13:31 --------- d-----w C:\Program Files\SpywareBlaster
2008-04-23 13:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-23 13:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\win32k.sys
2008-03-08 08:45 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\SYSTEM32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\SYSTEM32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\iedw.exe
2007-03-26 16:56 0 -c--a-w C:\Documents and Settings\DIGITAL COPY\us14info.exe
2004-09-01 15:11 98 -c-h--w C:\Documents and Settings\DIGITAL COPY\Application Data\srfvdo.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-24_17.05.31.96 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-24 15:56:12 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-25 07:43:15 2,048 --s-a-w C:\WINDOWS\BOOTSTAT.DAT
+ 2008-04-24 16:03:17 4,096 ----a-w C:\WINDOWS\SYSTEM32\akttzn.exe
+ 2008-04-24 16:03:17 4,096 ----a-w C:\WINDOWS\SYSTEM32\anticipator.dll
+ 2008-04-24 16:03:16 4,096 ----a-w C:\WINDOWS\SYSTEM32\awtoolb.dll
+ 2008-04-24 16:03:16 4,096 ----a-w C:\WINDOWS\SYSTEM32\bdn.com
+ 2008-04-24 16:03:19 4,096 ----a-w C:\WINDOWS\SYSTEM32\dpcproxy.exe
+ 2008-04-24 16:03:19 4,096 ----a-w C:\WINDOWS\SYSTEM32\h@tkeysh@@k.dll
+ 2008-04-24 16:03:20 4,096 ----a-w C:\WINDOWS\SYSTEM32\hoproxy.dll
+ 2008-04-24 16:03:20 4,096 ----a-w C:\WINDOWS\SYSTEM32\hxiwlgpm.dat
+ 2008-04-24 16:03:20 4,096 ----a-w C:\WINDOWS\SYSTEM32\hxiwlgpm.exe
+ 2008-04-24 16:03:19 4,096 ----a-w C:\WINDOWS\SYSTEM32\medup012.dll
+ 2008-04-24 16:03:19 4,096 ----a-w C:\WINDOWS\SYSTEM32\medup020.dll
+ 2008-04-24 16:03:19 4,096 ----a-w C:\WINDOWS\SYSTEM32\msgp.exe
+ 2008-04-24 16:03:19 4,096 ----a-w C:\WINDOWS\SYSTEM32\msnbho.dll
+ 2008-04-24 16:03:16 4,096 ----a-w C:\WINDOWS\SYSTEM32\mssecu.exe
+ 2008-04-24 16:03:18 4,096 ----a-w C:\WINDOWS\SYSTEM32\msvchost.exe
+ 2008-04-24 16:03:19 4,096 ----a-w C:\WINDOWS\SYSTEM32\mtr2.exe
+ 2008-04-24 16:03:20 4,096 ----a-w C:\WINDOWS\SYSTEM32\mwin32.exe
+ 2008-04-24 16:03:19 4,096 ----a-w C:\WINDOWS\SYSTEM32\netode.exe
+ 2008-04-24 16:03:17 4,096 ----a-w C:\WINDOWS\SYSTEM32\newsd32.exe
+ 2008-04-24 16:03:19 4,096 ----a-w C:\WINDOWS\SYSTEM32\ps1.exe
+ 2008-04-24 16:03:19 4,096 ----a-w C:\WINDOWS\SYSTEM32\psof1.exe
+ 2008-04-24 16:03:19 4,096 ----a-w C:\WINDOWS\SYSTEM32\psoft1.exe
+ 2008-04-24 16:03:18 4,096 ----a-w C:\WINDOWS\SYSTEM32\regc64.dll
+ 2008-04-24 16:03:18 4,096 ----a-w C:\WINDOWS\SYSTEM32\regm64.dll
+ 2008-04-24 16:03:17 4,096 ----a-w C:\WINDOWS\SYSTEM32\Rundl1.exe
+ 2008-04-24 16:03:19 4,096 ----a-w C:\WINDOWS\SYSTEM32\smp\msrc.exe
+ 2008-04-24 16:03:20 4,096 ----a-w C:\WINDOWS\SYSTEM32\sncntr.exe
+ 2008-04-24 16:03:19 4,096 ----a-w C:\WINDOWS\SYSTEM32\ssurf022.dll
+ 2008-04-24 16:03:19 4,096 ----a-w C:\WINDOWS\SYSTEM32\ssvchost.com
+ 2008-04-24 16:03:19 4,096 ----a-w C:\WINDOWS\SYSTEM32\ssvchost.exe
+ 2008-04-24 16:03:16 4,096 ----a-w C:\WINDOWS\SYSTEM32\sysreq.exe
+ 2008-04-24 16:03:20 4,096 ----a-w C:\WINDOWS\SYSTEM32\taack.dat
+ 2008-04-24 16:03:20 4,096 ----a-w C:\WINDOWS\SYSTEM32\taack.exe
+ 2008-04-24 16:03:19 4,096 ----a-w C:\WINDOWS\SYSTEM32\temp#01.exe
+ 2008-04-24 16:03:17 4,096 ----a-w C:\WINDOWS\SYSTEM32\thun.dll
+ 2008-04-24 16:03:17 4,096 ----a-w C:\WINDOWS\SYSTEM32\thun32.dll
+ 2008-04-24 16:03:16 4,096 ----a-w C:\WINDOWS\SYSTEM32\vbsys2.dll
+ 2008-04-24 16:03:17 4,096 ----a-w C:\WINDOWS\SYSTEM32\vcatchpi.dll
+ 2008-04-24 16:03:20 4,096 ----a-w C:\WINDOWS\SYSTEM32\winlogonpc.exe
+ 2008-04-24 16:03:17 4,096 ----a-w C:\WINDOWS\SYSTEM32\winsystem.exe
+ 2008-04-24 16:03:16 4,096 ----a-w C:\WINDOWS\SYSTEM32\WINWGPX.EXE
+ 2008-04-25 07:43:31 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1b4.dat
+ 2008-04-25 07:43:21 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_654.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5A54BE1B-B01C-40E5-9170-80A984E9BB89}]
C:\WINDOWS\system32\wvUnmjgf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B720F184-F573-4712-9743-A5FA7301C416}]
C:\WINDOWS\system32\jkkhfddc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CCB23850-4703-473E-BA67-F26466A5CC09}]
C:\WINDOWS\system32\efcdbBsP.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"yinnwirn"="C:\WINDOWS\system32\xsxqxojg.exe" [2008-04-25 08:47 102400]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-08-14 19:22 28672]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2004-06-23 13:24 684032]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"FinePrint Dispatcher v5"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" [2006-04-06 09:28 499712]
"PDFCreatorClient"="C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe" [2005-03-21 09:19 450560]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 09:35 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 09:32 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 09:36 114688]
"pdfFactory Dispatcher v2"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" [2006-04-06 09:40 499712]
"RegistryMechanic"="" []
"Samsung PanelMgr"="C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe" [2006-02-14 10:32 507904]
"OLP-Tray"="C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE" [2006-07-17 17:45 40960]
"MRT"="C:\WINDOWS\system32\MRT.exe" [ ]
"e03e7cd3"="C:\WINDOWS\system32\qpgjbnni.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-01-10 18:02:00 122880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"7p5j4x2YYa"= C:\Documents and Settings\All Users\Application Data\bytcdsfq\zqbuhone.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcCtSK]
iifcCtSK.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\vpop3\\vpop3status.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\vpop3\\vpop3.exe"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\WINWORD.EXE"=
"C:\\Program Files\\Microsoft Office\\OFFICE11\\POWERPNT.EXE"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009

R0 MrFilter;EasyWrite Driver;C:\WINDOWS\system32\drivers\MrFilter.sys [2002-12-17 20:30]
R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-03-29 18:31]
R2 ASFAgent;ASF Agent;C:\Program Files\Intel\ASF Agent\ASFAgent.exe [2003-02-10 05:52]
R2 AsfAlrt;AsfAlrt;C:\WINDOWS\System32\drivers\AsfAlrt.sys [2002-12-18 05:31]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-03-29 18:35]
R2 VPOP3;VPOP3 Email Server;C:\PROGRA~1\vpop3\vpop3svc.exe [2004-06-21 17:09]
S3 SM_sugo2_FUService;sugo2 Status Monitor Service;"C:\Program Files\Samsung\Samsung ML-2570 Series\SPanel\ssmsrvc /Service []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d006f9c3-aea5-11da-871b-000d56c082b9}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5067887-bb50-11da-871e-000d56c082b9}]
\Shell\AutoRun\command - E:\setupSNK.exe

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-25 08:53:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\SM_sugo2_FUService]
"ImagePath"="\"C:\Program Files\Samsung\Samsung ML-2570 Series\SPanel\ssmsrvc /Service"
.
Completion time: 2008-04-25 8:54:44
ComboFix-quarantined-files.txt 2008-04-25 07:54:41
ComboFix2.txt 2008-04-24 16:06:16

Pre-Run: 68,453,933,056 bytes free
Post-Run: 70,123,917,312 bytes free

254 --- E O F --- 2008-04-09 12:26:40

HJT log having run CFSCript inb Combofix BUT BEFORE running 'Fix Checked'
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:02:10, on 25/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\vpop3\vpop3svc.exe
C:\PROGRA~1\vpop3\VPOP3.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\xsxqxojg.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\greenfingers1.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A54BE1B-B01C-40E5-9170-80A984E9BB89} - C:\WINDOWS\system32\wvUnmjgf.dll (file missing)
O2 - BHO: (no name) - {B720F184-F573-4712-9743-A5FA7301C416} - C:\WINDOWS\system32\jkkhfddc.dll (file missing)
O2 - BHO: (no name) - {CCB23850-4703-473E-BA67-F26466A5CC09} - C:\WINDOWS\system32\efcdbBsP.dll (file missing)
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [PDFCreatorClient] C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [OLP-Tray] C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKLM\..\Run: [e03e7cd3] rundll32.exe "C:\WINDOWS\system32\qpgjbnni.dll",b
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [yinnwirn] C:\WINDOWS\system32\xsxqxojg.exe
O4 - HKLM\..\Policies\Explorer\Run: [7p5j4x2YYa] C:\Documents and Settings\All Users\Application Data\bytcdsfq\zqbuhone.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36D77840-9846-4610-AF48-CDD11A399296}: NameServer = 194.106.56.6,194.106.33.42
O20 - Winlogon Notify: iifcCtSK - iifcCtSK.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd. - C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe

--
End of file - 6655 bytes
 
HJT log having 'Fix Checked' and run ATF Cleaner. Point 5 )Wasn't sure whether you wanted me to run Combofix again to obtain the combofix report.

Computer seems to be back to normal :-) Perhaps you can confirm logs look OK now.
Thanks Andrew


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:27:36, on 25/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\vpop3\vpop3svc.exe
C:\PROGRA~1\vpop3\VPOP3.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\HijackThis\greenfingers1.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [PDFCreatorClient] C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [OLP-Tray] C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36D77840-9846-4610-AF48-CDD11A399296}: NameServer = 194.106.56.6,194.106.33.42
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd. - C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe

--
End of file - 6009 bytes
 
Stick with me Andrew, just a few more steps to be sure your computer is clean and safe. This HJT log:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 09:27:36, on 25/04/2008 Looks clean of malware, this is the next step we must complete one way or another.

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.
If you install RC, post the C:\*CF-RC.txt*.

Since we do not need to scan with combofix, click NO

RC_whatnext.gif


RC_AllDone.gif


Thanks..Phil
 
Hi Phil

Recovery Console installed - log produced by Combofix below:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
 
Bingo:bigthumb: Let's have Kaspersky Online Scan do a check to make sure we missed nothing. You will have infected files because System Restore still needs to be reset so expect some. Please use these settings:

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks...Phil
 
Kaspersky Scan having run HJT Fix Checked and installed Recovery Console
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 25, 2008 5:19:17 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/04/2008
Kaspersky Anti-Virus database records: 725458
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
T:\
X:\

Scan Statistics:
Total number of scanned objects: 81777
Number of viruses found: 27
Number of infected objects: 68
Number of suspicious objects: 0
Duration of the scan process: 01:19:18

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\DIGITAL COPY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\ntuser.dat Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\LOG\ERRORLOG Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\apoxqwfv.exe.vir Infected: not-a-virus:AdWare.Win32.Vapsup.dvb skipped
C:\QooBox\Quarantine\C\WINDOWS\qdnkewfa.dll.vir Infected: not-a-virus:AdWare.Win32.Vapsup.dvb skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\aqlpydnp.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\atgban.dll.vir Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bpfgwfxu.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\crjiakth.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ilozyzgr.exe.vir Infected: Trojan-Downloader.Win32.Obfuscated.un skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jjqjsiob.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kfetglax.exe.vir Infected: Trojan-Downloader.Win32.Obfuscated.uj skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mrcpypeh.exe.vir Infected: Trojan-Downloader.Win32.Obfuscated.tm skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\pmnkhedd.dll.vir Infected: Trojan.Win32.Agent.eek skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vtutssqo.dll.vir Infected: Trojan.Win32.Agent.eek skipped
C:\QooBox\Quarantine\C\WINDOWS\vnbptxlf.dll.vir Infected: not-a-virus:AdWare.Win32.Vapsup.dud skipped
C:\QooBox\Quarantine\C\WINDOWS\Web\def.htm.vir Infected: not-virus:Hoax.HTML.Secureinvites.c skipped
C:\QooBox\Quarantine\catchme2008-04-24_165242.17.zip/qomnlige.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qni skipped
C:\QooBox\Quarantine\catchme2008-04-24_165242.17.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1512\A0222655.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pjx skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1512\A0222656.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmw skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1512\A0223655.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmw skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1513\A0225713.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226815.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226816.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226817.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226818.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qoy skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226819.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226820.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qpi skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226821.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226822.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qol skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226823.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmx skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226824.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pik skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226825.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qok skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226826.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226827.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226828.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226829.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pon skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226830.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qor skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226831.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226832.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qpb skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226833.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qov skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226834.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qgr skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226835.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.pmx skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226836.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226837.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226838.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226839.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1515\A0226840.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.qok skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1519\A0228815.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1519\A0228819.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dvb skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1519\A0228820.dll Infected: not-a-virus:AdWare.Win32.Vapsup.dud skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1519\A0228821.exe Infected: not-a-virus:AdWare.Win32.Vapsup.dvb skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1519\A0228822.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1519\A0228823.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1519\A0228824.dll Infected: Packed.Win32.Monder.gen skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1519\A0228825.dll Infected: Trojan.Win32.Agent.eek skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1519\A0228826.dll Infected: Trojan.Win32.Agent.eek skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1520\A0233098.exe Infected: Trojan-Downloader.Win32.Obfuscated.un skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1520\A0233100.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1520\A0233101.exe Infected: Trojan-Downloader.Win32.Obfuscated.uj skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1520\A0233104.exe Infected: Trojan-Downloader.Win32.Obfuscated.tm skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1520\A0233113.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1520\A0233113.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1520\A0233113.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1520\A0233153.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1521\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.a skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{13AFA9DF-74C5-4983-9F73-25857BB89B6C}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\uid\HTgn1dll.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\WINDOWS\SYSTEM32\uid\HTgn1dll.exe/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.ai skipped
C:\WINDOWS\SYSTEM32\uid\HTgn1dll.exe NSIS: infected - 2 skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\xcsDd01\xcsDd011065.exe Infected: Trojan-Downloader.Win32.VB.dza skipped
C:\WINDOWS\Temp\Perflib_Perfdata_1b0.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6c4.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
I apologize:sad: I should have told you to remove combofix and the C:\Qoobox\Quarantine\ folder before scanning.

C:\QooBox\Quarantine\ <<< delete that folder and contents

C:\WINDOWS\Downloaded Program Files\popcaploader.dll <<< delete that file

C:\WINDOWS\SYSTEM32\uid\ <<< delete that folder and contents

C:\WINDOWS\SYSTEM32\xcsDd01\ <<< delete that folder and contents

Empty the Recycle Bin on the Desktop and restart the computer

Clean infected System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Safe surfing:clown:

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
 
dear Phil

I have done the deletions as requested, reinstated restore and done another Kaspersky scan which has come up clean. However, I have also started Spybot to update it and so i did Spybot scan which came up with Hoykeys and MediaUpdate so I selected 'Fix' for them and got congratulations. As an afterthought I also ran a HJT log which is attached after the Kaspersky and am concerned by the number of 02 BHO entries showing as I thought it was those we were getting rid of. I wonder if you could take a look at it just to make sure.

Many Thanks

Andrew

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 25, 2008 7:40:47 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/04/2008
Kaspersky Anti-Virus database records: 725500
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
T:\
X:\

Scan Statistics:
Total number of scanned objects: 68067
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:13:09

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\DIGITAL COPY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\History\History.IE5\MSHist012008042520080426\index.dat Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\ntuser.dat Object is locked skipped
C:\Documents and Settings\DIGITAL COPY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\LOG\ERRORLOG Object is locked skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{D9EBAC49-9999-4356-93A0-3BF040A2D29E}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_1bc.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_65c.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


HJT log after clearup
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:54:40, on 25/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\logonui.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\vpop3\vpop3svc.exe
C:\PROGRA~1\vpop3\VPOP3.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe
C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\HijackThis\greenfingers1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.interlinkexpress.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02ABD393-4DE9-4977-84F2-BF18C45A03F4} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F05438B-6B59-42D9-9CB7-4B3AC02F5E19} - (no file)
O2 - BHO: (no name) - {16B435F6-B6CE-4F24-A568-944B27ED919C} - (no file)
O2 - BHO: (no name) - {207A4206-0323-4473-A911-81D9D91936ED} - (no file)
O2 - BHO: (no name) - {24E9519B-3F70-429B-99BC-4B2B49B96F66} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A54BE1B-B01C-40E5-9170-80A984E9BB89} - (no file)
O2 - BHO: (no name) - {5fce9b86-7a94-46bd-be94-e37bf344ebbb} - (no file)
O2 - BHO: (no name) - {9B9538D6-51E3-4F97-BDC2-2DF533C7787A} - (no file)
O2 - BHO: (no name) - {B720F184-F573-4712-9743-A5FA7301C416} - (no file)
O2 - BHO: (no name) - {CCB23850-4703-473E-BA67-F26466A5CC09} - (no file)
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - (no file)
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [PDFCreatorClient] C:\Program Files\JawsSystems\Jaws PDF Creator\PDFClient.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe" /source=HKLM
O4 - HKLM\..\Run: [Samsung PanelMgr] C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun
O4 - HKLM\..\Run: [OLP-Tray] C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - blank (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{36D77840-9846-4610-AF48-CDD11A399296}: NameServer = 194.106.56.6,194.106.33.42
O20 - Winlogon Notify: iifcCtSK - C:\WINDOWS\
O20 - Winlogon Notify: pmnkhedd - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: PDFCreatorMessages - Global Graphics Software Ltd. - C:\WINDOWS\SYSTEM32\PDFCreatorMessages.exe

--
End of file - 7016 bytes
 
Thanks for calling this to my attention, the memory in TeaTimer causes this and be assured, the stuff is not malware, just debris that we can not get out of the log because of TeaTimer. Every so often we have to remove TT from the computer (and Spybot) to clear the stuff, let's do this.

1) Make sure TeaTimer is Disabled

2) Download ResetTeaTimer.bat to the Desktop
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {02ABD393-4DE9-4977-84F2-BF18C45A03F4} - (no file)
O2 - BHO: (no name) - {02ABD393-4DE9-4977-84F2-BF18C45A03F4} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F05438B-6B59-42D9-9CB7-4B3AC02F5E19} - (no file)
O2 - BHO: (no name) - {16B435F6-B6CE-4F24-A568-944B27ED919C} - (no file)
O2 - BHO: (no name) - {5A54BE1B-B01C-40E5-9170-80A984E9BB89} - (no file)
O2 - BHO: (no name) - {5fce9b86-7a94-46bd-be94-e37bf344ebbb} - (no file)
O2 - BHO: (no name) - {9B9538D6-51E3-4F97-BDC2-2DF533C7787A} - (no file)
O2 - BHO: (no name) - {B720F184-F573-4712-9743-A5FA7301C416} - (no file)
O2 - BHO: (no name) - {CCB23850-4703-473E-BA67-F26466A5CC09} - (no file)
O2 - BHO: (no name) - {FB422E7B-3D5E-4D9B-84C2-91B6C888CDE2} - (no file)
O20 - Winlogon Notify: iifcCtSK - C:\WINDOWS\
O20 - Winlogon Notify: pmnkhedd - C:\WINDOWS\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

That should do it, but give yourself a couple of days, if all is well there is no need to post and I will close the topic at that point.

Thanks...Phil
 
You must log in or register to reply here.
Back
Top