Virtumone/winlogon.exe

Hello

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------​
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------​
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------​
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
 
ComboFix 08-04-03.2 - micky 2008-04-03 19:47:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.679 [GMT 1:00]
Running from: C:\Documents and Settings\micky\Local Settings\Temporary Internet Files\Content.IE5\43YWU2YE\ComboFix[1].exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\lehglter.ini
C:\WINDOWS\system32\OYceOqss.ini
C:\WINDOWS\system32\OYceOqss.ini2
C:\WINDOWS\system32\retlghel.dll
C:\WINDOWS\system32\ssqOecYO.dll
C:\WINDOWS\system32\yjfymicq.dll
C:\WINDOWS\system32\yteaqkqe.dll

.
((((((((((((((((((((((((( Files Created from 2008-03-03 to 2008-04-03 )))))))))))))))))))))))))))))))
.

2008-04-03 19:01 . 2008-04-03 19:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-03 18:50 . 2008-04-03 18:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-03 18:27 . 2008-04-03 18:42 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-04-03 18:20 . 2008-04-03 18:20 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-03 14:39 . 2008-04-03 16:11 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-03 14:36 . 2008-04-03 16:12 <DIR> d-------- C:\Documents and Settings\micky\.housecall6.6
2008-04-03 12:30 . 2008-04-03 12:31 132,785,556 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-04-03 00:34 . 2008-04-03 00:34 <DIR> d-------- C:\Program Files\ffdshow
2008-04-03 00:33 . 2008-04-03 00:33 <DIR> d-------- C:\Program Files\x264
2008-04-03 00:33 . 2008-04-03 00:33 580,114 --a------ C:\WINDOWS\system32\x264vfw.dll
2008-04-02 22:50 . 2008-04-02 22:50 <DIR> d-------- C:\ie-spyad_zo
2008-04-01 13:44 . 2008-04-02 13:45 1,581,392 --ahs---- C:\WINDOWS\system32\rhuvgpxn.ini
2008-03-31 13:47 . 2008-04-01 10:31 1,597,323 --ahs---- C:\WINDOWS\system32\ykspkmfn.ini
2008-03-31 02:06 . 2008-04-03 00:32 <DIR> d-------- C:\Program Files\Winamp
2008-03-31 01:35 . 2008-03-31 01:35 36,352 --a------ C:\WINDOWS\system32\hgGxXqRi.dll
2008-03-30 18:52 . 2008-03-30 18:59 <DIR> d-------- C:\Program Files\AMD
2008-03-30 18:41 . 2008-03-30 18:41 <DIR> d-------- C:\Program Files\NVIDIA nTune Performance Application
2008-03-24 01:23 . 2008-03-24 01:23 284 --a------ C:\Documents and Settings\micky\Application Data\ViewerApp.dat
2008-03-24 00:24 . 2003-12-03 18:44 13,566 --a------ C:\WINDOWS\system32\drivers\cdrbsvsd.sys
2008-03-24 00:05 . 2004-08-04 00:10 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2008-03-24 00:05 . 2004-08-04 00:10 10,880 --a--c--- C:\WINDOWS\system32\dllcache\ndisip.sys
2008-03-24 00:05 . 2004-08-03 23:58 5,376 --a------ C:\WINDOWS\system32\MSPCLOCK.sys
2008-03-23 23:53 . 2001-11-05 10:23 299,923 --a------ C:\WINDOWS\system32\drivers\sonyhcs.sys
2008-03-23 23:53 . 2002-10-15 23:41 102,220 --a------ C:\WINDOWS\system32\drivers\sonypvs1.sys
2008-03-23 23:53 . 2001-07-03 21:33 53,248 --a------ C:\WINDOWS\system32\SONYHCY.DLL
2008-03-23 23:53 . 2001-11-05 10:23 38,739 --a------ C:\WINDOWS\system32\drivers\sonyhcc.sys
2008-03-23 23:53 . 2001-11-05 10:23 6,097 --a------ C:\WINDOWS\system32\drivers\sonyhcb.sys
2008-03-23 23:53 . 2001-07-03 21:39 3,654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2008-03-12 02:11 . 2008-03-12 02:18 <DIR> d-------- C:\Program Files\Absolute MP3 Splitter
2008-03-05 01:57 . 2008-03-05 01:57 <DIR> d-------- C:\Documents and Settings\micky\dwhelper
2008-03-04 20:45 . 2008-03-04 20:45 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-03-04 20:44 . 2008-03-04 20:45 <DIR> d-------- C:\Documents and Settings\micky\Application Data\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-03 18:41 --------- d-----w C:\Documents and Settings\micky\Application Data\Azureus
2008-04-03 13:21 --------- d-----w C:\Documents and Settings\micky\Application Data\NewsBin
2008-04-02 13:25 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-01 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-26 20:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-25 21:38 --------- d-----w C:\Documents and Settings\micky\Application Data\LimeWire
2008-03-24 14:28 --------- d-----w C:\Program Files\WinAVIVideoConverter
2008-03-24 14:28 --------- d-----w C:\Program Files\WinAVI Video Converter
2008-03-24 10:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-03-20 09:22 --------- d-----w C:\Program Files\NetProject
2008-03-12 07:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-11 22:04 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-03-08 21:26 --------- d-----w C:\Program Files\TVUPlayer
2008-03-08 10:38 --------- d-----w C:\Program Files\Soulseek-Test
2008-03-08 00:55 --------- d-----w C:\Program Files\Azureus
2008-03-03 08:20 --------- d-----w C:\Program Files\SWAT 4
2008-02-26 20:42 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-26 20:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-02-26 20:36 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-02-26 13:03 --------- d-----w C:\Program Files\iTunes
2008-02-26 13:03 --------- d-----w C:\Program Files\iPod
2008-02-26 13:01 --------- d-----w C:\Program Files\QuickTime
2008-02-22 16:33 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-22 16:33 --------- d-----w C:\Program Files\AntiSpyKit 5.3
2008-02-22 09:43 --------- d-----w C:\Program Files\Sotfone
2008-02-07 21:57 --------- d-----w C:\Program Files\ESET
.

((((((((((((((((((((((((((((( snapshot@2008-04-03_11.39.37.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-09-03 08:14:10 578,848 ----a-w C:\WINDOWS\Downloaded Program Files\tgctlsr.dll
- 2000-08-31 07:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2000-08-31 07:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-31 07:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 07:00:00 80,412 ----a-w C:\WINDOWS\grep.exe
+ 2000-08-31 07:00:00 98,816 ----a-w C:\WINDOWS\sed.exe
+ 2000-08-31 07:00:00 161,792 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 07:00:00 136,704 ----a-w C:\WINDOWS\swsc.exe
+ 2000-08-31 07:00:00 212,480 ----a-w C:\WINDOWS\swxcacls.exe
+ 2008-04-03 19:04:40 40,960 ----a-w C:\WINDOWS\TEMP\rtdrvmon.exe
+ 2000-08-31 07:00:00 49,152 ----a-w C:\WINDOWS\VFind.exe
+ 2000-08-31 07:00:00 68,096 ----a-w C:\WINDOWS\zip.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4F31A60-D2C7-4B22-ACE9-AE33C94D7316}]
2008-03-31 01:35 36352 --a------ C:\WINDOWS\system32\hgGxXqRi.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 14:39 1289000]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-14 18:54 53248 C:\WINDOWS\system32\VTTimer.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 20:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-27 17:18 949376]
"lxbkbmgr.exe"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2007-04-26 13:02 74672]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"AODAssist.exe"="C:\Program Files\AMD\AMD OverDrive\AODAssist.exe" [2007-10-23 17:50 42496]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2004-10-11 15:54 589824]
"lxbymon.exe"="C:\Program Files\Lexmark P910 Series\lxbymon.exe" [ ]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2007-04-26 13:02 74672]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"EzPrint"="C:\Program Files\Lexmark P910 Series\ezprint.exe" [ ]
"C-Media Mixer"="Mixer.exe" [2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2004-11-06 09:38 1359967]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C4F31A60-D2C7-4B22-ACE9-AE33C94D7316}"= C:\WINDOWS\system32\hgGxXqRi.dll [2008-03-31 01:35 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGxXqRi]
hgGxXqRi.dll 2008-03-31 01:35 36352 C:\WINDOWS\system32\hgGxXqRi.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" /background
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe
"Google Update"="C:\Documents and Settings\micky\Local Settings\Application Data\Google\Update\1.1.17.0\GoogleUpdate.exe" /lang en

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCEyeLic"=C:\Program Files\PCEye2000\pceye2000.exe
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
"TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
"LVCOMSX"=C:\WINDOWS\system32\LVCOMSX.EXE
"SoftickPPP"="C:\Program Files\Softick\PPP\Bin\PPPGate.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"AudioDeck"=C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE
"VTTrayp"=VTtrayp.exe
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\WINDOWS\\system32\\lxbkcoms.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12513:TCP"= 12513:TCP:BitComet 12513 TCP
"12513:UDP"= 12513:UDP:BitComet 12513 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 viaide1;viaide1;C:\WINDOWS\system32\DRIVERS\VIAIDEXP.SYS [2001-10-18 12:00]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-09-21 18:49]
R2 lxbk_device;lxbk_device;C:\WINDOWS\system32\lxbkcoms.exe [2007-04-26 13:01]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 20:00]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 23:41]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2007-12-22 02:09]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a187a587-efa4-11dc-a1bd-0013d3ab235b}]
\Shell\AutoRun\command - E:\InstallTomTomHOME.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-03-28 17:19:59 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-04-01 08:01:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-03 20:05:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\hgGxXqRi.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-03 20:13:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-03 19:12:42
ComboFix2.txt 2008-04-03 10:43:14
Pre-Run: 19,760,779,264 bytes free
Post-Run: 19,804,028,928 bytes free
.
2008-03-12 07:46:33 --- E O F ---
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:52:54, on 03/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\Mixer.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lxbkcoms.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {81705D67-3F73-4983-859B-97D0922E5ABE} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [lxbkbmgr.exe] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AODAssist.exe] C:\Program Files\AMD\AMD OverDrive\AODAssist.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [lxbymon.exe] "C:\Program Files\Lexmark P910 Series\lxbymon.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark P910 Series\ezprint.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [a0623e9e] rundll32.exe "C:\WINDOWS\system32\retlghel.dll",b
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BMa3510d02] Rundll32.exe "C:\WINDOWS\system32\yteaqkqe.dll",s
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.profileheaven.com/images/multi-upload/ImageUploader4.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopcast.cn/download/SOPCORE.CAB
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://80.38.215.67:81/activex/AxisCamControl.ocx
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://www.profileheaven.com/images/multi-upload/ImageUploader2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbk_device - - C:\WINDOWS\system32\lxbkcoms.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 10846 bytes
 
Hello

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\rhuvgpxn.ini
C:\WINDOWS\system32\ykspkmfn.ini
C:\WINDOWS\system32\hgGxXqRi.dll
E:\InstallTomTomHOME.exe

Folder::
C:\Documents and Settings\All Users\Application Data\TEMP
C:\Program Files\AntiSpyKit 5.3

Registry::
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a187a587-efa4-11dc-a1bd-0013d3ab235b}]
Click to expand...

Save this as CFScript.txt, in the same location as ComboFix.exe


Combo-Do.gif


Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall



Then rename HijackThis.exe to blosh.exe and post a new HijackThis log from it
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:55:05, on 03/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lxbkcoms.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {81705D67-3F73-4983-859B-97D0922E5ABE} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [lxbkbmgr.exe] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AODAssist.exe] C:\Program Files\AMD\AMD OverDrive\AODAssist.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [lxbymon.exe] "C:\Program Files\Lexmark P910 Series\lxbymon.exe"
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark P910 Series\ezprint.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.profileheaven.com/images/multi-upload/ImageUploader4.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopcast.cn/download/SOPCORE.CAB
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://80.38.215.67:81/activex/AxisCamControl.ocx
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://www.profileheaven.com/images/multi-upload/ImageUploader2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O20 - Winlogon Notify: hgGxXqRi - hgGxXqRi.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbk_device - - C:\WINDOWS\system32\lxbkcoms.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 11433 bytes
 
Can you post the ComboFix log


1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

O3 - Toolbar: (no name) - {81705D67-3F73-4983-859B-97D0922E5ABE} - (no file)
O8 - Extra context menu item: &Search - ?p=ZKxdm021YYGB
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.explorertool.net/redirect.php (file missing)
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O20 - Winlogon Notify: hgGxXqRi - hgGxXqRi.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.


Then reboot and post a new HijackThis log
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:17:41, on 04/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lxbkcoms.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [lxbkbmgr.exe] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AODAssist.exe] C:\Program Files\AMD\AMD OverDrive\AODAssist.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.profileheaven.com/images/multi-upload/ImageUploader4.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopcast.cn/download/SOPCORE.CAB
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://80.38.215.67:81/activex/AxisCamControl.ocx
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://www.profileheaven.com/images/multi-upload/ImageUploader2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbk_device - - C:\WINDOWS\system32\lxbkcoms.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 10607 bytes
 
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:17:41, on 04/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\lxbkcoms.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Azureus\Azureus.exe
C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\PROGRA~1\MSNMES~1\msnmsgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [lxbkbmgr.exe] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AODAssist.exe] C:\Program Files\AMD\AMD OverDrive\AODAssist.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Outpost Firewall] C:\Program Files\Agnitum\Outpost Firewall\outpost.exe /waitservice
O4 - HKLM\..\Run: [OutpostFeedBack] C:\Program Files\Agnitum\Outpost Firewall\feedback.exe /dump:os_startup
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Program Files\Agnitum\Outpost Firewall\Plugins\BrowserBar\ie_bar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.iqon.ie
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.profileheaven.com/images/multi-upload/ImageUploader4.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6.0/jinstall-6u2-windows-i586-jc.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} - http://download.sopcast.cn/download/SOPCORE.CAB
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://80.38.215.67:81/activex/AxisCamControl.ocx
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {BA162249-F2C5-4851-8ADC-FC58CB424243} (Image Uploader Control) - http://www.profileheaven.com/images/multi-upload/ImageUploader2.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: lxbk_device - - C:\WINDOWS\system32\lxbkcoms.exe
O23 - Service: Nero BackItUp Scheduler 3 - Nero AG - C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Outpost Firewall Service (OutpostFirewall) - Agnitum Ltd. - C:\Program Files\Agnitum\Outpost Firewall\outpost.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 10607 bytes
 
ComboFix 08-04-03.2 - micky 2008-04-04 14:38:20.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.683 [GMT 1:00]
Running from: C:\Documents and Settings\micky\Desktop\ComboFix.exe
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-03-04 to 2008-04-04 )))))))))))))))))))))))))))))))
.

2008-04-04 00:04 . 2008-04-04 10:05 49 --a------ C:\WINDOWS\transp.gif
2008-04-04 00:00 . 2008-04-04 00:00 <DIR> d-------- C:\Program Files\Common Files\Agnitum Shared
2008-04-04 00:00 . 2008-04-04 00:00 <DIR> d-------- C:\Program Files\Agnitum
2008-04-03 18:50 . 2008-04-03 18:50 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-03 18:27 . 2008-04-03 18:42 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-04-03 18:20 . 2008-04-04 00:29 <DIR> d-------- C:\Program Files\Yahoo!
2008-04-03 14:39 . 2008-04-03 16:11 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-04-03 14:36 . 2008-04-03 16:12 <DIR> d-------- C:\Documents and Settings\micky\.housecall6.6
2008-04-03 12:30 . 2008-04-03 12:31 132,785,556 --a------ C:\SYM_REGISTRY_BACKUP.reg
2008-04-03 00:34 . 2008-04-03 00:34 <DIR> d-------- C:\Program Files\ffdshow
2008-04-03 00:33 . 2008-04-03 00:33 <DIR> d-------- C:\Program Files\x264
2008-04-03 00:33 . 2008-04-03 00:33 580,114 --a------ C:\WINDOWS\system32\x264vfw.dll
2008-04-02 22:50 . 2008-04-02 22:50 <DIR> d-------- C:\ie-spyad_zo
2008-03-31 02:06 . 2008-04-03 00:32 <DIR> d-------- C:\Program Files\Winamp
2008-03-30 18:52 . 2008-03-30 18:59 <DIR> d-------- C:\Program Files\AMD
2008-03-30 18:41 . 2008-03-30 18:41 <DIR> d-------- C:\Program Files\NVIDIA nTune Performance Application
2008-03-24 01:23 . 2008-03-24 01:23 284 --a------ C:\Documents and Settings\micky\Application Data\ViewerApp.dat
2008-03-24 00:24 . 2003-12-03 18:44 13,566 --a------ C:\WINDOWS\system32\drivers\cdrbsvsd.sys
2008-03-24 00:05 . 2004-08-04 00:10 10,880 --a------ C:\WINDOWS\system32\drivers\NdisIP.sys
2008-03-24 00:05 . 2004-08-04 00:10 10,880 --a--c--- C:\WINDOWS\system32\dllcache\ndisip.sys
2008-03-24 00:05 . 2004-08-03 23:58 5,376 --a------ C:\WINDOWS\system32\MSPCLOCK.sys
2008-03-23 23:53 . 2001-11-05 10:23 299,923 --a------ C:\WINDOWS\system32\drivers\sonyhcs.sys
2008-03-23 23:53 . 2002-10-15 23:41 102,220 --a------ C:\WINDOWS\system32\drivers\sonypvs1.sys
2008-03-23 23:53 . 2001-07-03 21:33 53,248 --a------ C:\WINDOWS\system32\SONYHCY.DLL
2008-03-23 23:53 . 2001-11-05 10:23 38,739 --a------ C:\WINDOWS\system32\drivers\sonyhcc.sys
2008-03-23 23:53 . 2001-11-05 10:23 6,097 --a------ C:\WINDOWS\system32\drivers\sonyhcb.sys
2008-03-23 23:53 . 2001-07-03 21:39 3,654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2008-03-12 02:11 . 2008-03-12 02:18 <DIR> d-------- C:\Program Files\Absolute MP3 Splitter
2008-03-05 01:57 . 2008-03-05 01:57 <DIR> d-------- C:\Documents and Settings\micky\dwhelper
2008-03-04 20:45 . 2008-03-04 20:45 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-03-04 20:44 . 2008-03-04 20:45 <DIR> d-------- C:\Documents and Settings\micky\Application Data\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-04 13:42 --------- d-----w C:\Documents and Settings\micky\Application Data\Azureus
2008-04-04 09:41 --------- d-----w C:\Documents and Settings\micky\Application Data\NewsBin
2008-04-02 13:25 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-01 14:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-26 20:13 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-25 21:38 --------- d-----w C:\Documents and Settings\micky\Application Data\LimeWire
2008-03-24 14:28 --------- d-----w C:\Program Files\WinAVIVideoConverter
2008-03-24 14:28 --------- d-----w C:\Program Files\WinAVI Video Converter
2008-03-24 10:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\CyberLink
2008-03-12 07:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-03-11 22:04 --------- d-----w C:\Program Files\TuneUp Utilities 2008
2008-03-08 21:26 --------- d-----w C:\Program Files\TVUPlayer
2008-03-08 10:38 --------- d-----w C:\Program Files\Soulseek-Test
2008-03-08 00:55 --------- d-----w C:\Program Files\Azureus
2008-03-03 08:20 --------- d-----w C:\Program Files\SWAT 4
2008-02-26 20:42 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-26 20:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-02-26 20:36 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-02-26 13:03 --------- d-----w C:\Program Files\iTunes
2008-02-26 13:03 --------- d-----w C:\Program Files\iPod
2008-02-26 13:01 --------- d-----w C:\Program Files\QuickTime
2008-02-07 21:57 --------- d-----w C:\Program Files\ESET
2008-02-01 17:07 18,487 ----a-w C:\WINDOWS\system32\Ntaccess.sys
.

((((((((((((((((((((((((((((( snapshot@2008-04-03_11.39.37.37 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-09-03 08:14:10 578,848 ----a-w C:\WINDOWS\Downloaded Program Files\tgctlsr.dll
- 2000-08-31 07:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
- 2000-08-31 07:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
+ 2000-08-31 07:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
+ 2000-08-31 07:00:00 80,412 ----a-w C:\WINDOWS\grep.exe
+ 2000-08-31 07:00:00 98,816 ----a-w C:\WINDOWS\sed.exe
+ 2000-08-31 07:00:00 161,792 ----a-w C:\WINDOWS\swreg.exe
+ 2000-08-31 07:00:00 136,704 ----a-w C:\WINDOWS\swsc.exe
+ 2000-08-31 07:00:00 212,480 ----a-w C:\WINDOWS\swxcacls.exe
+ 2000-08-31 07:00:00 49,152 ----a-w C:\WINDOWS\VFind.exe
+ 2000-08-31 07:00:00 68,096 ----a-w C:\WINDOWS\zip.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 20:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VTTimer"="VTTimer.exe" [2006-09-14 18:54 53248 C:\WINDOWS\system32\VTTimer.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 20:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-08-27 17:18 949376]
"lxbkbmgr.exe"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2007-04-26 13:02 74672]
"NeroFilterCheck"="C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
"AODAssist.exe"="C:\Program Files\AMD\AMD OverDrive\AODAssist.exe" [2007-10-23 17:50 42496]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2007-04-26 13:02 74672]
"Outpost Firewall"="C:\Program Files\Agnitum\Outpost Firewall\outpost.exe" [2007-01-19 14:46 94720]
"OutpostFeedBack"="C:\Program Files\Agnitum\Outpost Firewall\feedback.exe" [2007-01-23 13:54 335872]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 20:00 15360]
"Power2GoExpress"="C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" [2004-11-06 09:38 1359967]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MSMSGS"="C:\Program Files\Messenger\Msmsgs.exe" /background
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
"updateMgr"=C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
"WMPNSCFG"=C:\Program Files\Windows Media Player\WMPNSCFG.exe
"Google Update"="C:\Documents and Settings\micky\Local Settings\Application Data\Google\Update\1.1.17.0\GoogleUpdate.exe" /lang en

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"PCEyeLic"=C:\Program Files\PCEye2000\pceye2000.exe
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
"TomTomHOME.exe"="C:\Program Files\TomTom HOME\TomTomHOME.exe" -s
"LVCOMSX"=C:\WINDOWS\system32\LVCOMSX.EXE
"SoftickPPP"="C:\Program Files\Softick\PPP\Bin\PPPGate.exe"
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"AudioDeck"=C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
"Recguard"=C:\WINDOWS\SMINST\RECGUARD.EXE
"VTTrayp"=VTtrayp.exe
"RaidTool"=C:\Program Files\VIA\RAID\raid_tool.exe
"NBKeyScan"="C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
"C-Media Mixer"=Mixer.exe /startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\Program Files\Microsoft ActiveSync\rapimgr.exe"= C:\Program Files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"C:\Program Files\Microsoft ActiveSync\wcescomm.exe"= C:\Program Files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"C:\Program Files\Microsoft ActiveSync\WCESMgr.exe"= C:\Program Files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"C:\\WINDOWS\\system32\\lxbkcoms.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12513:TCP"= 12513:TCP:BitComet 12513 TCP
"12513:UDP"= 12513:UDP:BitComet 12513 UDP
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service

R0 viaide1;viaide1;C:\WINDOWS\system32\DRIVERS\VIAIDEXP.SYS [2001-10-18 12:00]
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX32.sys [2007-09-21 18:49]
R1 SandBox;Outpost Firewall Sandbox Driver;C:\Program Files\Agnitum\Outpost Firewall\kernel\Sandbox.SYS [2007-01-23 17:31]
R1 VFILT;Outpost Firewall Kernel Driver;C:\Program Files\Agnitum\Outpost Firewall\kernel\FILTNT.SYS [2007-01-19 14:46]
R2 lxbk_device;lxbk_device;C:\WINDOWS\system32\lxbkcoms.exe [2007-04-26 13:01]
R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 20:00]
R3 ADBLOCK.DLL;Outpost Firewall PlugIn (ADBLOCK.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\ADBLOCK.DLL [2007-01-19 14:46]
R3 ARP.DLL;Outpost Firewall PlugIn (ARP.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\ARP.DLL [2007-01-19 14:47]
R3 CONTENT.DLL;Outpost Firewall PlugIn (CONTENT.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\CONTENT.DLL [2007-01-19 14:46]
R3 DNSCACHE.DLL;Outpost Firewall PlugIn (DNSCACHE.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\DNSCACHE.DLL [2007-01-19 14:46]
R3 FTPFILT.DLL;Outpost Firewall PlugIn (FTPFILT.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\FTPFILT.DLL [2007-01-19 14:47]
R3 HTMLFILT.DLL;Outpost Firewall PlugIn (HTMLFILT.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\HTMLFILT.DLL [2007-01-19 14:46]
R3 HTTPFILT.DLL;Outpost Firewall PlugIn (HTTPFILT.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\HTTPFILT.DLL [2007-01-19 14:46]
R3 IMAPFILT.DLL;Outpost Firewall PlugIn (IMAPFILT.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\IMAPFILT.DLL [2007-01-19 14:46]
R3 MAILFILT.DLL;Outpost Firewall PlugIn (MAILFILT.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\MAILFILT.DLL [2007-01-19 14:46]
R3 NNTPFILT.DLL;Outpost Firewall PlugIn (NNTPFILT.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\NNTPFILT.DLL [2007-01-19 14:46]
R3 POP3FILT.DLL;Outpost Firewall PlugIn (POP3FILT.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\POP3FILT.DLL [2007-01-19 14:46]
R3 PROTECT.DLL;Outpost Firewall PlugIn (PROTECT.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\PROTECT.DLL [2007-01-19 14:47]
R3 SECRET.DLL;Outpost Firewall PlugIn (SECRET.DLL);C:\Program Files\Agnitum\Outpost Firewall\kernel\SECRET.DLL [2007-01-19 14:47]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 23:41]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2007-12-22 02:09]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

.
Contents of the 'Scheduled Tasks' folder
"2008-03-28 17:19:59 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-04-01 08:01:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-04 14:43:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-04 14:44:18
ComboFix-quarantined-files.txt 2008-04-04 13:44:08
ComboFix2.txt 2008-04-03 22:52:54
ComboFix3.txt 2008-04-03 19:13:07
ComboFix4.txt 2008-04-03 10:43:14
Pre-Run: 18,665,893,888 bytes free
Post-Run: 18,644,746,240 bytes free
.
2008-03-12 07:46:33 --- E O F ---
 
Looking good

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.


Also tell me how your PC is running
 
Malwarebytes' Anti-Malware 1.10
Database version: 589

Scan type: Full Scan (A:\|C:\|G:\|H:\|I:\|J:\|)
Objects scanned: 98774
Time elapsed: 32 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3935b537-3e6d-04ed-abb3-acb16a699e3b} (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\Program Files\AntiSpyKit 5.3\DbgHelp.Dll.vir (Rogue.Multiple) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\buksutsm.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\yjfymicq.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
 
Your logs are clean ! We need to do a few things

Now lets uninstall Combofix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will do the following:
  1. Delete ComboFix and its associated files and folders.
  2. Delete VundoFix backups, if present
  3. Delete the C:\Deckard folder, if present
  4. Delete the C:_OtMoveIt folder, if present
  5. Reset the clock settings.
  6. Hide file extensions, if required.
  7. Hide System/Hidden files, if required.
  8. Reset System Restore.



You now need to update your Java and remove your older versions.

Please follow these steps to remove older version Java components.

* Click Start > Control Panel.
* Click Add/Remove Programs.
* Check any item with Java Runtime Environment (JRE) in the name.
* Click the Remove or Change/Remove button.

Download the latest version of Java Runtime Environment (JRE), and install it to your computer from
here



Your using an old version of Adobe Acrobat Reader, this can leave your pc open to vulnerabilities, you can update it here :
http://www.adobe.com/products/acrobat/readstep2.html



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer has always the latest security updates available installed on your computer.

* To reduce re-infection for malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls) to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more
secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up
blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
 
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
 
You must log in or register to reply here.
Back
Top