Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Please Help

Started by welcome123 , May 18 2008 06:13 AM

This topic is locked

#1
welcome123

Posted 18 May 2008 - 06:13 AM

Member

Member
57 posts

Hi, I have this error popping up on startup, my S/P is btinternet with norton security built in, i get this error on start up,

Explorer.exe bad image, system32kfuyjetp.dll is not a valid windows image,

Now!! My norton dont show in the task bar anymore, it did find a virus vundo but cant remove or delete it, i have tried but to no avail!, Here is my hyjack log, would someone be so kind as to take a look and point me in the right direction as to getting this sorted out, thanks and kind regards, johnny.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:12:52 PM, on 18/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.client...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [881c48f3] rundll32.exe "C:\WINDOWS\system32\iwpdaybu.dll",b
O4 - HKLM\..\Run: [BM8b2f7b6f] Rundll32.exe "C:\WINDOWS\system32\fgwxyuxf.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206979970212
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1206979941230
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 6858 bytes

#2
kahdah

Posted 18 May 2008 - 06:24 AM

GeekU Teacher

Retired Staff
15,822 posts

Hello welcome123

Welcome to G2Go.

=====================
Please visit this web page for instructions for downloading and running Combofix >ComboFix Instructions
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.

Edited by kahdah, 18 May 2008 - 06:24 AM.

#3
welcome123

Posted 18 May 2008 - 08:03 AM

Member

Topic Starter
Member
57 posts

Hi mate, first of all thank you for taking the time to help,

Here is the combofix log file,

ComboFix 08-05-15.3 - Administrator 2008-05-18 14:34:02.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.226 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\beyjskvp.ini
C:\WINDOWS\system32\driver
C:\WINDOWS\system32\driver\btcusb.inf
C:\WINDOWS\system32\GjkUxyxx.ini
C:\WINDOWS\system32\GjkUxyxx.ini2
C:\WINDOWS\system32\pfcjktwv.ini
C:\WINDOWS\system32\ubyadpwi.ini
C:\WINDOWS\system32\xpynijif.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-18 11:37 . 2008-05-18 11:37 117,312 --a------ C:\WINDOWS\system32\iwpdaybu.dll
2008-05-18 11:35 . 2008-05-18 11:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-18 11:31 . 2008-05-18 11:31 133,184 --a------ C:\WINDOWS\system32\bqjedtui.dll
2008-05-18 11:22 . 2008-05-18 11:22 124,992 --a------ C:\WINDOWS\system32\fgwxyuxf.dll
2008-05-18 11:19 . 2008-05-18 11:19 52,340 --a------ C:\WINDOWS\system32\kfuyjetp.dll
2008-05-17 10:30 . 2008-05-17 10:30 134,208 --a------ C:\WINDOWS\system32\exrhkihy.dll
2008-05-17 10:21 . 2008-05-17 10:21 116,288 --a------ C:\WINDOWS\system32\pvksjyeb.dll
2008-05-17 10:12 . 2008-05-17 10:12 52,336 --a------ C:\WINDOWS\system32\ymhimcef.dll
2008-05-17 10:09 . 2008-05-17 10:09 126,016 --a------ C:\WINDOWS\system32\xdtrvyqr.dll
2008-05-16 10:26 . 2008-05-16 10:26 135,744 --a------ C:\WINDOWS\system32\aanpdkmo.dll
2008-05-16 10:08 . 2008-05-16 10:08 52,336 --a------ C:\WINDOWS\system32\rxskfttb.dll
2008-05-16 10:07 . 2008-05-16 10:07 126,016 --a------ C:\WINDOWS\system32\mugfmkwl.dll
2008-05-15 12:14 . 2008-05-15 12:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-05-15 11:34 . 2008-05-15 11:42 <DIR> d-------- C:\VundoFix Backups
2008-05-15 10:03 . 2008-05-15 10:03 134,720 --a------ C:\WINDOWS\system32\tdkgvevv.dll
2008-05-15 10:00 . 2008-05-15 10:00 125,504 --a------ C:\WINDOWS\system32\hvqjuxgx.dll
2008-05-15 10:00 . 2008-05-18 11:19 109,807 --a------ C:\WINDOWS\BM8b2f7b6f.xml
2008-05-15 09:59 . 2008-05-15 09:59 52,340 --a------ C:\WINDOWS\system32\bcgksgsq.dll
2008-05-14 12:51 . 2008-05-14 12:52 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-05-14 12:48 . 2008-05-14 12:48 371,200 --a------ C:\WINDOWS\system32\xxyxUkjG.dll
2008-05-14 12:43 . 2008-05-14 12:43 57,856 --a------ C:\WINDOWS\system32\awttrPHx.dll
2008-05-14 11:38 . 2008-05-14 11:38 <DIR> d-------- C:\Program Files\MagicISO
2008-05-14 11:26 . 2008-05-14 11:26 <DIR> d-------- C:\Program Files\PowerISO
2008-05-10 10:47 . 2008-05-10 10:47 <DIR> d-------- C:\Program Files\Real
2008-05-10 10:47 . 2008-05-10 10:47 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-10 10:47 . 2008-05-10 10:47 <DIR> d-------- C:\Program Files\Common Files\Real
2008-05-07 11:00 . 2008-05-07 11:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-05-05 18:43 . 2008-05-05 18:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-05-01 18:10 . 2008-05-01 18:10 <DIR> d-------- C:\_ok2delete
2008-04-30 15:13 . 2008-04-30 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-30 15:12 . 2008-04-30 15:12 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-30 15:12 . 2008-04-30 15:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-30 15:10 . 2008-04-30 15:14 <DIR> d-------- C:\Program Files\QuickTime
2008-04-29 13:20 . 2008-04-29 13:20 <DIR> d-------- C:\Program Files\Cooking Quest
2008-04-29 12:18 . 2008-04-29 12:18 <DIR> d-------- C:\Program Files\VSO
2008-04-29 12:18 . 2008-04-29 12:18 68,960 --a------ C:\WINDOWS\system32\drivers\Pcatip.sys
2008-04-29 12:18 . 2008-04-29 12:18 47,360 --a------ C:\WINDOWS\system32\drivers\Pcouffin.sys
2008-04-28 09:00 . 2008-04-28 09:00 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-04-28 08:49 . 2008-04-28 08:49 301 --a------ C:\WINDOWS\jpxq_m64.ini
2008-04-27 18:00 . 2008-04-27 18:00 <DIR> d-------- C:\Program Files\ProPoster
2008-04-25 15:15 . 2008-04-25 15:15 <DIR> d-------- C:\Program Files\Google
2008-04-23 13:05 . 2008-04-23 13:05 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-22 12:19 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-04-22 12:19 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-04-19 15:22 . 2008-04-19 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-19 15:18 . 2008-04-19 15:18 <DIR> d-------- C:\Program Files\Bonjour
2008-04-19 15:06 . 2008-04-19 15:06 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 13:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-14 15:11 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-05-01 17:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-01 17:12 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-28 08:00 --------- d-----w C:\Program Files\Xerox One Touch
2008-04-28 08:00 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-19 14:18 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-18 12:18 --------- d-----w C:\Program Files\BearShare
2008-04-13 23:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-04-06 10:05 --------- d-----w C:\Program Files\Yahoo!
2008-04-06 10:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-06 10:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-04-05 19:59 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-02 19:37 --------- d-----w C:\Program Files\PartyGaming
2008-04-02 11:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-04-02 11:10 --------- d-----w C:\Program Files\IVT Corporation
2008-04-01 21:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\EPSON
2008-03-31 19:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-03-31 17:01 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-31 16:57 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-31 16:44 --------- d-----w C:\Program Files\uTorrent
2008-03-31 16:38 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-03-31 16:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Macrovision
2008-03-31 16:30 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-31 16:25 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 16:25 --------- d-----w C:\Program Files\Windows Live
2008-03-31 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 15:52 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-31 15:52 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-31 15:52 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-31 15:52 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-31 15:52 --------- d-----w C:\Program Files\Symantec
2008-03-31 15:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 15:20 --------- d-----w C:\Program Files\CONEXANT
2008-03-31 15:00 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2003-07-15 14:33 225,280 ----a-w C:\WINDOWS\inf\i386\rtscan.dll
2002-10-09 09:11 61,440 ----a-w C:\WINDOWS\inf\i386\onetUSD.dll
2002-08-23 14:06 13,824 ----a-w C:\WINDOWS\inf\i386\Usbscan.sys
2002-07-09 08:23 36,864 ----a-w C:\WINDOWS\inf\i386\Vizmicro.dll
2002-05-20 08:20 172,032 ----a-w C:\WINDOWS\inf\i386\viceo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{083262BA-5296-42FA-AEDC-869F8EC7C1CD}]
2008-05-18 14:50 371200 --a------ C:\WINDOWS\system32\wvUmlmMf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ab01752b-2e27-4a39-9251-9b7a8a4c49ba}]
2008-05-18 11:31 133184 --a------ C:\WINDOWS\system32\bqjedtui.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB6A01B5-E57A-4BCD-B692-4B475B4F96B9}]
2008-05-14 12:48 371200 --a------ C:\WINDOWS\system32\xxyxUkjG.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E243A8E7-6244-49E0-A361-22DBF30FD46C}]
2008-05-14 12:43 57856 --a------ C:\WINDOWS\system32\awttrPHx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"881c48f3"="C:\WINDOWS\system32\iwpdaybu.dll" [2008-05-18 11:37 117312]
"BM8b2f7b6f"="C:\WINDOWS\system32\fgwxyuxf.dll" [2008-05-18 11:22 124992]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E243A8E7-6244-49E0-A361-22DBF30FD46C}"= C:\WINDOWS\system32\awttrPHx.dll [2008-05-14 12:43 57856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttrPHx]
awttrPHx.dll 2008-05-14 12:43 57856 C:\WINDOWS\system32\awttrPHx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\wvUmlmMf

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\881c48f3]
--a------ 2008-05-17 10:21 116288 C:\WINDOWS\system32\pvksjyeb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM8b2f7b6f]
--a------ 2008-05-17 10:09 126016 C:\WINDOWS\system32\xdtrvyqr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-10 06:59 115816 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra------ 2006-12-30 16:43 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
-ra------ 2006-12-30 16:43 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
--a------ 2003-06-12 16:14 86016 C:\Program Files\Xerox One Touch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-01-14 08:11 771704 C:\PROGRA~1\Symantec\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-04-30 15:10 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-10 10:47 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2007-06-26 13:48 509224 C:\PROGRA~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2008-01-10 17:41 223984 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b83f2581-236c-11dd-b177-000e35400a07}]
\Shell\AutoRun\command - D:\setup.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 16:34:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-17 10:10:48 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job"
"2008-05-12 20:05:46 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Administrator.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 14:45:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\awttrPHx.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\iwpdaybu.dll
-> C:\WINDOWS\system32\liaknqjq.dll
-> C:\WINDOWS\system32\wvUmlmMf.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
.
**************************************************************************
.
Completion time: 2008-05-18 14:57:47 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-05-18 13:56:43

Pre-Run: 36,794,290,176 bytes free
Post-Run: 40,577,044,480 bytes free

245 --- E O F --- 2008-04-09 22:12:08

And here is the hyjackthis log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:59:16 PM, on 18/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [881c48f3] rundll32.exe "C:\WINDOWS\system32\iwpdaybu.dll",b
O4 - HKLM\..\Run: [BM8b2f7b6f] Rundll32.exe "C:\WINDOWS\system32\liaknqjq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206979970212
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1206979941230
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 6881 bytes

#4
kahdah

Posted 18 May 2008 - 08:20 AM

GeekU Teacher

Retired Staff
15,822 posts

You are welcome

===============
1. Please open Notepad

Click Start , then Run
type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\liaknqjq.dll
C:\WINDOWS\system32\iwpdaybu.dll
C:\WINDOWS\system32\bqjedtui.dll
C:\WINDOWS\system32\fgwxyuxf.dll
C:\WINDOWS\system32\kfuyjetp.dll
C:\WINDOWS\system32\exrhkihy.dll
C:\WINDOWS\system32\pvksjyeb.dll
C:\WINDOWS\system32\ymhimcef.dll
C:\WINDOWS\system32\xdtrvyqr.dll
C:\WINDOWS\system32\aanpdkmo.dll
C:\WINDOWS\system32\rxskfttb.dll
C:\WINDOWS\system32\mugfmkwl.dll
C:\WINDOWS\system32\tdkgvevv.dll
C:\WINDOWS\system32\hvqjuxgx.dll
C:\WINDOWS\BM8b2f7b6f.xml
C:\WINDOWS\system32\bcgksgsq.dll
C:\WINDOWS\system32\xxyxUkjG.dll
C:\WINDOWS\system32\awttrPHx.dll
C:\WINDOWS\jpxq_m64.ini
C:\WINDOWS\system32\iwpdaybu.dll
C:\WINDOWS\system32\fgwxyuxf.dll
C:\WINDOWS\system32\wvUmlmMf.dll
Folder::
C:\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{083262BA-5296-42FA-AEDC-869F8EC7C1CD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ab01752b-2e27-4a39-9251-9b7a8a4c49ba}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB6A01B5-E57A-4BCD-B692-4B475B4F96B9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E243A8E7-6244-49E0-A361-22DBF30FD46C}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"881c48f3"=-
"BM8b2f7b6f"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E243A8E7-6244-49E0-A361-22DBF30FD46C}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awttrPHx]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\881c48f3]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM8b2f7b6f]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b83f2581-236c-11dd-b177-000e35400a07}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

#5
welcome123

Posted 18 May 2008 - 08:59 AM

Member

Topic Starter
Member
57 posts

Once again, Thanks.

ComboFix 08-05-15.3 - Administrator 2008-05-18 15:34:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.188 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM8b2f7b6f.xml
C:\WINDOWS\jpxq_m64.ini
C:\WINDOWS\system32\aanpdkmo.dll
C:\WINDOWS\system32\awttrPHx.dll
C:\WINDOWS\system32\bcgksgsq.dll
C:\WINDOWS\system32\bqjedtui.dll
C:\WINDOWS\system32\exrhkihy.dll
C:\WINDOWS\system32\fgwxyuxf.dll
C:\WINDOWS\system32\hvqjuxgx.dll
C:\WINDOWS\system32\iwpdaybu.dll
C:\WINDOWS\system32\kfuyjetp.dll
C:\WINDOWS\system32\liaknqjq.dll
C:\WINDOWS\system32\mugfmkwl.dll
C:\WINDOWS\system32\pvksjyeb.dll
C:\WINDOWS\system32\rxskfttb.dll
C:\WINDOWS\system32\tdkgvevv.dll
C:\WINDOWS\system32\wvUmlmMf.dll
C:\WINDOWS\system32\xdtrvyqr.dll
C:\WINDOWS\system32\xxyxUkjG.dll
C:\WINDOWS\system32\ymhimcef.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\WINDOWS\BM8b2f7b6f.xml
C:\WINDOWS\jpxq_m64.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aanpdkmo.dll
C:\WINDOWS\system32\apdulifk.ini
C:\WINDOWS\system32\awttrPHx.dll
C:\WINDOWS\system32\bcgksgsq.dll
C:\WINDOWS\system32\bqjedtui.dll
C:\WINDOWS\system32\exrhkihy.dll
C:\WINDOWS\system32\fgwxyuxf.dll
C:\WINDOWS\system32\GjkUxyxx.ini
C:\WINDOWS\system32\GjkUxyxx.ini2
C:\WINDOWS\system32\hvqjuxgx.dll
C:\WINDOWS\system32\iwpdaybu.dll
C:\WINDOWS\system32\kfuyjetp.dll
C:\WINDOWS\system32\liaknqjq.dll
C:\WINDOWS\system32\mugfmkwl.dll
C:\WINDOWS\system32\pvksjyeb.dll
C:\WINDOWS\system32\rxskfttb.dll
C:\WINDOWS\system32\tdkgvevv.dll
C:\WINDOWS\system32\xdtrvyqr.dll
C:\WINDOWS\system32\xxyxUkjG.dll
C:\WINDOWS\system32\ymhimcef.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-18 15:31 . 2008-05-18 15:31 133,184 --a------ C:\WINDOWS\system32\itkclacy.dll
2008-05-18 15:28 . 2008-05-18 15:28 117,312 --a------ C:\WINDOWS\system32\kfiludpa.dll
2008-05-18 15:08 . 2008-05-18 15:08 124,992 --a------ C:\WINDOWS\system32\kwldkmry.dll
2008-05-18 15:08 . 2008-05-18 15:08 47,956 --a------ C:\WINDOWS\system32\gwgxwwou.dll
2008-05-18 15:06 . 2008-05-18 15:06 133,120 --a------ C:\WINDOWS\system32\yqlnlnug.dll
2008-05-18 14:57 . 2008-05-18 15:26 354 --ahs---- C:\WINDOWS\system32\ubyadpwi.ini
2008-05-18 14:51 . 2008-05-18 14:51 28,916 --a------ C:\WINDOWS\system32\trpyypcb.dll
2008-05-18 11:35 . 2008-05-18 11:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-15 12:14 . 2008-05-15 12:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-05-14 12:51 . 2008-05-14 12:52 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-05-14 11:38 . 2008-05-14 11:38 <DIR> d-------- C:\Program Files\MagicISO
2008-05-14 11:26 . 2008-05-14 11:26 <DIR> d-------- C:\Program Files\PowerISO
2008-05-10 10:47 . 2008-05-10 10:47 <DIR> d-------- C:\Program Files\Real
2008-05-10 10:47 . 2008-05-10 10:47 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-10 10:47 . 2008-05-10 10:47 <DIR> d-------- C:\Program Files\Common Files\Real
2008-05-07 11:00 . 2008-05-07 11:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-05-05 18:43 . 2008-05-05 18:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-05-01 18:10 . 2008-05-01 18:10 <DIR> d-------- C:\_ok2delete
2008-04-30 15:13 . 2008-04-30 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-30 15:12 . 2008-04-30 15:12 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-30 15:12 . 2008-04-30 15:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-30 15:10 . 2008-04-30 15:14 <DIR> d-------- C:\Program Files\QuickTime
2008-04-29 13:20 . 2008-04-29 13:20 <DIR> d-------- C:\Program Files\Cooking Quest
2008-04-29 12:18 . 2008-04-29 12:18 <DIR> d-------- C:\Program Files\VSO
2008-04-29 12:18 . 2008-04-29 12:18 68,960 --a------ C:\WINDOWS\system32\drivers\Pcatip.sys
2008-04-29 12:18 . 2008-04-29 12:18 47,360 --a------ C:\WINDOWS\system32\drivers\Pcouffin.sys
2008-04-28 09:00 . 2008-04-28 09:00 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-04-27 18:00 . 2008-04-27 18:00 <DIR> d-------- C:\Program Files\ProPoster
2008-04-25 15:15 . 2008-04-25 15:15 <DIR> d-------- C:\Program Files\Google
2008-04-23 13:05 . 2008-04-23 13:05 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-22 12:19 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-04-22 12:19 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-04-19 15:22 . 2008-04-19 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-19 15:18 . 2008-04-19 15:18 <DIR> d-------- C:\Program Files\Bonjour
2008-04-19 15:06 . 2008-04-19 15:06 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 13:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-14 15:11 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-05-01 17:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-01 17:12 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-28 08:00 --------- d-----w C:\Program Files\Xerox One Touch
2008-04-28 08:00 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-19 14:18 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-18 12:18 --------- d-----w C:\Program Files\BearShare
2008-04-13 23:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-04-06 10:05 --------- d-----w C:\Program Files\Yahoo!
2008-04-06 10:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-06 10:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-04-05 19:59 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-02 19:37 --------- d-----w C:\Program Files\PartyGaming
2008-04-02 11:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-04-02 11:10 --------- d-----w C:\Program Files\IVT Corporation
2008-04-01 21:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\EPSON
2008-03-31 19:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-03-31 17:01 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-31 16:57 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-31 16:44 --------- d-----w C:\Program Files\uTorrent
2008-03-31 16:38 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-03-31 16:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Macrovision
2008-03-31 16:30 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-31 16:25 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 16:25 --------- d-----w C:\Program Files\Windows Live
2008-03-31 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 15:52 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-31 15:52 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-31 15:52 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-31 15:52 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-31 15:52 --------- d-----w C:\Program Files\Symantec
2008-03-31 15:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 15:20 --------- d-----w C:\Program Files\CONEXANT
2008-03-31 15:00 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2003-07-15 14:33 225,280 ----a-w C:\WINDOWS\inf\i386\rtscan.dll
2002-10-09 09:11 61,440 ----a-w C:\WINDOWS\inf\i386\onetUSD.dll
2002-08-23 14:06 13,824 ----a-w C:\WINDOWS\inf\i386\Usbscan.sys
2002-07-09 08:23 36,864 ----a-w C:\WINDOWS\inf\i386\Vizmicro.dll
2002-05-20 08:20 172,032 ----a-w C:\WINDOWS\inf\i386\viceo.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-18_14.51.36.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 13:44:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-18 14:49:03 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{547245c4-a8d9-42f9-9a30-4a2e273bc5f8}]
2008-05-18 15:31 133184 --a------ C:\WINDOWS\system32\itkclacy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-10 06:59 115816 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra------ 2006-12-30 16:43 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
-ra------ 2006-12-30 16:43 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
--a------ 2003-06-12 16:14 86016 C:\Program Files\Xerox One Touch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-01-14 08:11 771704 C:\PROGRA~1\Symantec\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-04-30 15:10 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-10 10:47 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2007-06-26 13:48 509224 C:\PROGRA~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2008-01-10 17:41 223984 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 16:34:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-17 10:10:48 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job"
"2008-05-12 20:05:46 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Administrator.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 15:49:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\Windows-KB890830-V1.41-delta.exe
C:\d631116100cfd5c51620442ef33bb4\mrtstub.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\MRT.exe
.
**************************************************************************
.
Completion time: 2008-05-18 15:55:32 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-18 14:55:02
ComboFix2.txt 2008-05-18 13:57:52

Pre-Run: 40,884,326,400 bytes free
Post-Run: 40,836,542,464 bytes free

246 --- E O F --- 2008-04-09 22:12:08

Hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:56:30 PM, on 18/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\Windows-KB890830-V1.41-delta.exe
c:\d631116100cfd5c51620442ef33bb4\mrtstub.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\WINDOWS\system32\MRT.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: {8f5cb372-e2a4-03a9-9f24-9d8a4c542745} - {547245c4-a8d9-42f9-9a30-4a2e273bc5f8} - C:\WINDOWS\system32\itkclacy.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206979970212
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1206979941230
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7576 bytes

#6
kahdah

Posted 18 May 2008 - 09:21 AM

GeekU Teacher

Retired Staff
15,822 posts

1. Please open Notepad

Click Start , then Run
type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KILLALL::

File::
C:\WINDOWS\system32\itkclacy.dll
C:\WINDOWS\system32\kfiludpa.dll
C:\WINDOWS\system32\kwldkmry.dll
C:\WINDOWS\system32\gwgxwwou.dll
C:\WINDOWS\system32\yqlnlnug.dll
C:\WINDOWS\system32\ubyadpwi.ini
C:\WINDOWS\system32\trpyypcb.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{547245c4-a8d9-42f9-9a30-4a2e273bc5f8}]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:[list][*]Combofix.txt[

#7
welcome123

Posted 18 May 2008 - 09:46 AM

Member

Topic Starter
Member
57 posts

Looking good!

, No horrible popup on startup or shutdown, Looking pretty clean thanks to you. Here's the log.

ComboFix 08-05-15.3 - Administrator 2008-05-18 16:33:41.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.245 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\gwgxwwou.dll
C:\WINDOWS\system32\itkclacy.dll
C:\WINDOWS\system32\kfiludpa.dll
C:\WINDOWS\system32\kwldkmry.dll
C:\WINDOWS\system32\trpyypcb.dll
C:\WINDOWS\system32\ubyadpwi.ini
C:\WINDOWS\system32\yqlnlnug.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\gwgxwwou.dll
C:\WINDOWS\system32\itkclacy.dll
C:\WINDOWS\system32\kfiludpa.dll
C:\WINDOWS\system32\kwldkmry.dll
C:\WINDOWS\system32\trpyypcb.dll
C:\WINDOWS\system32\ubyadpwi.ini
C:\WINDOWS\system32\yqlnlnug.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-18 11:35 . 2008-05-18 11:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-15 12:14 . 2008-05-15 12:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-05-14 12:51 . 2008-05-14 12:52 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-05-14 11:38 . 2008-05-14 11:38 <DIR> d-------- C:\Program Files\MagicISO
2008-05-14 11:26 . 2008-05-14 11:26 <DIR> d-------- C:\Program Files\PowerISO
2008-05-10 10:47 . 2008-05-10 10:47 <DIR> d-------- C:\Program Files\Real
2008-05-10 10:47 . 2008-05-10 10:47 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-10 10:47 . 2008-05-10 10:47 <DIR> d-------- C:\Program Files\Common Files\Real
2008-05-07 11:00 . 2008-05-07 11:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-05-05 18:43 . 2008-05-05 18:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-05-01 18:10 . 2008-05-01 18:10 <DIR> d-------- C:\_ok2delete
2008-04-30 15:13 . 2008-04-30 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-30 15:12 . 2008-04-30 15:12 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-30 15:12 . 2008-04-30 15:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-30 15:10 . 2008-04-30 15:14 <DIR> d-------- C:\Program Files\QuickTime
2008-04-29 13:20 . 2008-04-29 13:20 <DIR> d-------- C:\Program Files\Cooking Quest
2008-04-29 12:18 . 2008-04-29 12:18 <DIR> d-------- C:\Program Files\VSO
2008-04-29 12:18 . 2008-04-29 12:18 68,960 --a------ C:\WINDOWS\system32\drivers\Pcatip.sys
2008-04-29 12:18 . 2008-04-29 12:18 47,360 --a------ C:\WINDOWS\system32\drivers\Pcouffin.sys
2008-04-28 09:00 . 2008-04-28 09:00 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-04-27 18:00 . 2008-04-27 18:00 <DIR> d-------- C:\Program Files\ProPoster
2008-04-25 15:15 . 2008-04-25 15:15 <DIR> d-------- C:\Program Files\Google
2008-04-23 13:05 . 2008-04-23 13:05 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-22 12:19 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-04-22 12:19 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-04-19 15:22 . 2008-04-19 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-19 15:18 . 2008-04-19 15:18 <DIR> d-------- C:\Program Files\Bonjour
2008-04-19 15:06 . 2008-04-19 15:06 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 13:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-14 15:11 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-05-01 17:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-01 17:12 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-28 08:00 --------- d-----w C:\Program Files\Xerox One Touch
2008-04-28 08:00 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-19 14:18 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-18 12:18 --------- d-----w C:\Program Files\BearShare
2008-04-13 23:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-04-06 10:05 --------- d-----w C:\Program Files\Yahoo!
2008-04-06 10:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-06 10:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-04-05 19:59 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-02 19:37 --------- d-----w C:\Program Files\PartyGaming
2008-04-02 11:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-04-02 11:10 --------- d-----w C:\Program Files\IVT Corporation
2008-04-01 21:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\EPSON
2008-03-31 19:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-03-31 17:01 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-31 16:57 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-31 16:44 --------- d-----w C:\Program Files\uTorrent
2008-03-31 16:38 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-03-31 16:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Macrovision
2008-03-31 16:30 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-31 16:25 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 16:25 --------- d-----w C:\Program Files\Windows Live
2008-03-31 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 15:52 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-31 15:52 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-31 15:52 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-31 15:52 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-31 15:52 --------- d-----w C:\Program Files\Symantec
2008-03-31 15:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 15:20 --------- d-----w C:\Program Files\CONEXANT
2008-03-31 15:00 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2003-07-15 14:33 225,280 ----a-w C:\WINDOWS\inf\i386\rtscan.dll
2002-10-09 09:11 61,440 ----a-w C:\WINDOWS\inf\i386\onetUSD.dll
2002-08-23 14:06 13,824 ----a-w C:\WINDOWS\inf\i386\Usbscan.sys
2002-07-09 08:23 36,864 ----a-w C:\WINDOWS\inf\i386\Vizmicro.dll
2002-05-20 08:20 172,032 ----a-w C:\WINDOWS\inf\i386\viceo.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-18_14.51.36.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 13:44:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-18 15:36:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-10 06:59 115816 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra------ 2006-12-30 16:43 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
-ra------ 2006-12-30 16:43 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
--a------ 2003-06-12 16:14 86016 C:\Program Files\Xerox One Touch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-01-14 08:11 771704 C:\PROGRA~1\Symantec\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-04-30 15:10 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-10 10:47 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2007-06-26 13:48 509224 C:\PROGRA~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2008-01-10 17:41 223984 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 16:34:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-17 10:10:48 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job"
"2008-05-12 20:05:46 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Administrator.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 16:36:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-05-18 16:42:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-18 15:42:22
ComboFix2.txt 2008-05-18 14:55:33
ComboFix3.txt 2008-05-18 13:57:52

Pre-Run: 40,825,397,248 bytes free
Post-Run: 40,824,283,136 bytes free

206 --- E O F --- 2008-05-18 14:57:27

#8
kahdah

Posted 18 May 2008 - 10:02 AM

GeekU Teacher

Retired Staff
15,822 posts

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
===========================================================
Please download ATF Cleaner by Atribune.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
================================================================
Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as button:
Save the file in txt format to your desktop.
Post that information in your next post.

#9
welcome123

Posted 18 May 2008 - 11:22 AM

Member

Topic Starter
Member
57 posts

Hi, here is the combofix log,

ComboFix 08-05-15.3 - Administrator 2008-05-18 16:33:41.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.245 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\gwgxwwou.dll
C:\WINDOWS\system32\itkclacy.dll
C:\WINDOWS\system32\kfiludpa.dll
C:\WINDOWS\system32\kwldkmry.dll
C:\WINDOWS\system32\trpyypcb.dll
C:\WINDOWS\system32\ubyadpwi.ini
C:\WINDOWS\system32\yqlnlnug.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\gwgxwwou.dll
C:\WINDOWS\system32\itkclacy.dll
C:\WINDOWS\system32\kfiludpa.dll
C:\WINDOWS\system32\kwldkmry.dll
C:\WINDOWS\system32\trpyypcb.dll
C:\WINDOWS\system32\ubyadpwi.ini
C:\WINDOWS\system32\yqlnlnug.dll

.
((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
.

2008-05-18 11:35 . 2008-05-18 11:35 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-15 12:14 . 2008-05-15 12:19 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-05-14 12:51 . 2008-05-14 12:52 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-05-14 11:38 . 2008-05-14 11:38 <DIR> d-------- C:\Program Files\MagicISO
2008-05-14 11:26 . 2008-05-14 11:26 <DIR> d-------- C:\Program Files\PowerISO
2008-05-10 10:47 . 2008-05-10 10:47 <DIR> d-------- C:\Program Files\Real
2008-05-10 10:47 . 2008-05-10 10:47 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-05-10 10:47 . 2008-05-10 10:47 <DIR> d-------- C:\Program Files\Common Files\Real
2008-05-07 11:00 . 2008-05-07 11:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
2008-05-05 18:43 . 2008-05-05 18:43 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-05-01 18:10 . 2008-05-01 18:10 <DIR> d-------- C:\_ok2delete
2008-04-30 15:13 . 2008-04-30 15:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-30 15:12 . 2008-04-30 15:12 <DIR> d-------- C:\Program Files\Apple Software Update
2008-04-30 15:12 . 2008-04-30 15:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-04-30 15:10 . 2008-04-30 15:14 <DIR> d-------- C:\Program Files\QuickTime
2008-04-29 13:20 . 2008-04-29 13:20 <DIR> d-------- C:\Program Files\Cooking Quest
2008-04-29 12:18 . 2008-04-29 12:18 <DIR> d-------- C:\Program Files\VSO
2008-04-29 12:18 . 2008-04-29 12:18 68,960 --a------ C:\WINDOWS\system32\drivers\Pcatip.sys
2008-04-29 12:18 . 2008-04-29 12:18 47,360 --a------ C:\WINDOWS\system32\drivers\Pcouffin.sys
2008-04-28 09:00 . 2008-04-28 09:00 7,680 --ahs---- C:\WINDOWS\Thumbs.db
2008-04-27 18:00 . 2008-04-27 18:00 <DIR> d-------- C:\Program Files\ProPoster
2008-04-25 15:15 . 2008-04-25 15:15 <DIR> d-------- C:\Program Files\Google
2008-04-23 13:05 . 2008-04-23 13:05 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-04-22 12:19 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-04-22 12:19 . 2001-08-17 13:56 7,552 --a--c--- C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-04-19 15:22 . 2008-04-19 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-04-19 15:18 . 2008-04-19 15:18 <DIR> d-------- C:\Program Files\Bonjour
2008-04-19 15:06 . 2008-04-19 15:06 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-18 13:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-14 15:11 --------- d-----w C:\Documents and Settings\Administrator\Application Data\uTorrent
2008-05-01 17:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-01 17:12 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-28 08:00 --------- d-----w C:\Program Files\Xerox One Touch
2008-04-28 08:00 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-19 14:18 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-18 12:18 --------- d-----w C:\Program Files\BearShare
2008-04-13 23:08 --------- d-----w C:\Documents and Settings\Administrator\Application Data\Yahoo!
2008-04-06 10:05 --------- d-----w C:\Program Files\Yahoo!
2008-04-06 10:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2008-04-06 10:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-04-05 19:59 --------- d-----w C:\Program Files\Microsoft ActiveSync
2008-04-02 19:37 --------- d-----w C:\Program Files\PartyGaming
2008-04-02 11:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2008-04-02 11:10 --------- d-----w C:\Program Files\IVT Corporation
2008-04-01 21:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\EPSON
2008-03-31 19:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2008-03-31 17:01 --------- d-----w C:\Program Files\MSXML 6.0
2008-03-31 16:57 --------- d-----w C:\Program Files\MSXML 4.0
2008-03-31 16:44 --------- d-----w C:\Program Files\uTorrent
2008-03-31 16:38 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2008-03-31 16:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Macrovision
2008-03-31 16:30 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-03-31 16:25 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-31 16:25 --------- d-----w C:\Program Files\Windows Live
2008-03-31 16:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 15:52 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-31 15:52 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-31 15:52 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-31 15:52 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-31 15:52 --------- d-----w C:\Program Files\Symantec
2008-03-31 15:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-31 15:20 --------- d-----w C:\Program Files\CONEXANT
2008-03-31 15:00 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-19 09:40 1,845,888 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 18:49 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 06:52 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2003-07-15 14:33 225,280 ----a-w C:\WINDOWS\inf\i386\rtscan.dll
2002-10-09 09:11 61,440 ----a-w C:\WINDOWS\inf\i386\onetUSD.dll
2002-08-23 14:06 13,824 ----a-w C:\WINDOWS\inf\i386\Usbscan.sys
2002-07-09 08:23 36,864 ----a-w C:\WINDOWS\inf\i386\Vizmicro.dll
2002-05-20 08:20 172,032 ----a-w C:\WINDOWS\inf\i386\viceo.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-18_14.51.36.43 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-18 13:44:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-18 15:36:36 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-06 05:56:20 19,836,024 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-05-09 21:35:04 16,863,864 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 00:56 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2007-01-10 06:59 115816 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
-ra------ 2006-12-30 16:43 126976 C:\WINDOWS\system32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
-ra------ 2006-12-30 16:43 155648 C:\WINDOWS\system32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OneTouch Monitor]
--a------ 2003-06-12 16:14 86016 C:\Program Files\Xerox One Touch\OneTouchMon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
--a------ 2007-01-14 08:11 771704 C:\PROGRA~1\Symantec\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-04-30 15:10 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-05-10 10:47 185632 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2007-06-26 13:48 509224 C:\PROGRA~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
--a------ 2008-01-10 17:41 223984 C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 16:34:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-17 10:10:48 C:\WINDOWS\Tasks\Critical Battery Alarm Program.job"
"2008-05-12 20:05:46 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Administrator.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-18 16:36:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2008-05-18 16:42:49 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-18 15:42:22
ComboFix2.txt 2008-05-18 14:55:33
ComboFix3.txt 2008-05-18 13:57:52

Pre-Run: 40,825,397,248 bytes free
Post-Run: 40,824,283,136 bytes free

206 --- E O F --- 2008-05-18 14:57:27

And now the Kaspersky Log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 18, 2008 6:17:24 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/05/2008
Kaspersky Anti-Virus database records: 783003
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 52741
Number of viruses found: 5
Number of infected objects: 30
Number of suspicious objects: 0
Duration of the scan process: 00:41:10

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Desktop\ophcrack-livec\ophcrack-livecd-1.2.2.iso/slax/ophcrack/ophcrack-win32-installer-2.4.1.exe/file36 Infected: not-a-virus:PSWTool.Win32.PWDump.2 skipped
C:\Documents and Settings\Administrator\Desktop\ophcrack-livec\ophcrack-livecd-1.2.2.iso/slax/ophcrack/ophcrack-win32-installer-2.4.1.exe/file64 Infected: not-a-virus:PSWTool.Win32.PWDump.d skipped
C:\Documents and Settings\Administrator\Desktop\ophcrack-livec\ophcrack-livecd-1.2.2.iso/slax/ophcrack/ophcrack-win32-installer-2.4.1.exe/file65 Infected: not-a-virus:PSWTool.Win32.PWDump.d skipped
C:\Documents and Settings\Administrator\Desktop\ophcrack-livec\ophcrack-livecd-1.2.2.iso/slax/ophcrack/ophcrack-win32-installer-2.4.1.exe Infected: not-a-virus:PSWTool.Win32.PWDump.d skipped
C:\Documents and Settings\Administrator\Desktop\ophcrack-livec\ophcrack-livecd-1.2.2.iso ISOimage: infected - 4 skipped
C:\Documents and Settings\Administrator\Desktop\ophcrack-livec\slax\ophcrack\ophcrack-win32-installer-2.4.1.exe/file36 Infected: not-a-virus:PSWTool.Win32.PWDump.2 skipped
C:\Documents and Settings\Administrator\Desktop\ophcrack-livec\slax\ophcrack\ophcrack-win32-installer-2.4.1.exe/file64 Infected: not-a-virus:PSWTool.Win32.PWDump.d skipped
C:\Documents and Settings\Administrator\Desktop\ophcrack-livec\slax\ophcrack\ophcrack-win32-installer-2.4.1.exe/file65 Infected: not-a-virus:PSWTool.Win32.PWDump.d skipped
C:\Documents and Settings\Administrator\Desktop\ophcrack-livec\slax\ophcrack\ophcrack-win32-installer-2.4.1.exe Inno: infected - 3 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\Downloads\Driver.Magician.v3.28 + Fully Working Keygen\DriverMagician.exe/data0000.cab/is153766.exe Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\Documents and Settings\Administrator\My Documents\Downloads\Driver.Magician.v3.28 + Fully Working Keygen\DriverMagician.exe/data0000.cab Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\Documents and Settings\Administrator\My Documents\Downloads\Driver.Magician.v3.28 + Fully Working Keygen\DriverMagician.exe Rsrc-Package: infected - 2 skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-05-18_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\15E68C94.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\412775B0.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Symantec\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Symantec\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Symantec\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\aanpdkmo.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\awttrPHx.dll.vir Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bcgksgsq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\exrhkihy.dll.vir Infected: Trojan.Win32.Monder.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gwgxwwou.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kfuyjetp.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rxskfttb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\trpyypcb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ymhimcef.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8B6CB6DA-4A0F-4D59-B33A-1D38666976C9}\RP6\A0000166.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{8B6CB6DA-4A0F-4D59-B33A-1D38666976C9}\RP6\A0000167.dll Infected: Trojan-Downloader.Win32.ConHook.pr skipped
C:\System Volume Information\_restore{8B6CB6DA-4A0F-4D59-B33A-1D38666976C9}\RP6\A0000168.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{8B6CB6DA-4A0F-4D59-B33A-1D38666976C9}\RP6\A0000170.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{8B6CB6DA-4A0F-4D59-B33A-1D38666976C9}\RP6\A0000174.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{8B6CB6DA-4A0F-4D59-B33A-1D38666976C9}\RP6\A0000178.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{8B6CB6DA-4A0F-4D59-B33A-1D38666976C9}\RP6\A0000181.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{8B6CB6DA-4A0F-4D59-B33A-1D38666976C9}\RP8\A0000236.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{8B6CB6DA-4A0F-4D59-B33A-1D38666976C9}\RP8\A0000240.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.mju skipped
C:\System Volume Information\_restore{8B6CB6DA-4A0F-4D59-B33A-1D38666976C9}\RP8\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9397C94E-78E7-4B79-BEDB-67C7D2A140B8}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#10
kahdah

Posted 18 May 2008 - 02:49 PM

GeekU Teacher

Retired Staff
15,822 posts

Please delete these folders\files :
C:\Documents and Settings\Administrator\Desktop\ophcrack-livec\ophcrack-livecd-1.2.2.iso
C:\Documents and Settings\Administrator\My Documents\Downloads\Driver.Magician.v3.28 + Fully Working Keygen

Also Post a new Hijackthis log and the Malware Bytes Log please.

#11
welcome123

Posted 19 May 2008 - 12:13 AM

Member

Topic Starter
Member
57 posts

Hiya, Sorry for the delay, I got called out to work, Just got back in, My lappy is running so good now,
Thanks for all your time in helping me,
I do get paid at the end of the week and you have my word i will be donating to your site because without people like you peeps would be in a right state so once again, Thanks.

Here are the logs you asked for,

Malwarebytes' Anti-Malware 1.12
Database version: 762

Scan type: Quick Scan
Objects scanned: 35036
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Nice!!!

Here's the HiJackThis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:11:54 AM, on 19/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.bt.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1206979970212
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1206979941230
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7187 bytes

#12
kahdah

Posted 19 May 2008 - 02:40 AM

GeekU Teacher

Retired Staff
15,822 posts

You are welcome and thanks

================================
Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/

Now click on Fix Checked and then close Hijackthis.
======================================================
Follow these steps to uninstall Combofix and tools used in the removal of malware

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U, it needs to be there.

Also delete\uninstall anything that we used that is left over.
=========================================================================
After that your log is clean.

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy-Uber powerful tool which can search and annhilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Ad-Aware-Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy compliment each other very well.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD- puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

#13
welcome123

Posted 19 May 2008 - 03:34 AM

Member

Topic Starter
Member
57 posts

All Done kahdah !!,
Once again, i can't thank you enough, My word is my bond,
it won't be a great amount but as you know every little helps,

Kind regards and respect, Johnny

#14
kahdah

Posted 19 May 2008 - 08:16 PM

GeekU Teacher

Retired Staff
15,822 posts

You are welcome and Thank you and yes every bit is appreciated

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If your the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.

Edited by kahdah, 19 May 2008 - 08:16 PM.