Old 04-12-2008, 09:19 PM   #1
Registered Member
 
Join Date: Apr 2008
Posts: 3
OS: Windows XP Service Pack 2


Zlob and Obfuskated viruses found by AVG but still no resolution!!!!

Hi there

On 12/4/08 I first started having these virus problems, and I am a computer newbie, so I have no clue what to do.

I believe that I have a Zlob and Obfuskated virus on my computer, and using AVG I managed to place them in the virus vault. After this, though, I still receive messages saying there is a virus threat, and it has the Obfuskated thing in its file name. I have scanned my computer with both Norton and AVG, but Norton doesn't seem to pick anything up! I don't know what to do. Here is the main text from the HijackThis log. I have attached the extra text as well as a screenshot of my virus vault.

Please help ASAP; I will be forever grateful.

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-13 12:28:43
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
35: 2008-04-13 02:58:53 UTC - RP159 - Deckard's System Scanner Restore Point
34: 2008-04-12 10:09:49 UTC - RP158 - Spybot-S&D Spyware removal
33: 2008-04-12 09:26:48 UTC - RP157 - Last known good configuration
32: 2008-04-12 09:26:41 UTC - RP156 - Software Distribution Service 3.0
31: 2008-04-12 09:26:41 UTC - RP155 - System Checkpoint


-- First Restore Point --
1: 2008-04-12 09:26:26 UTC - RP125 - Software Distribution Service 3.0


Backed up registry hives.
Performed disk cleanup.



-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-04-13 12:31:52
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\All Users\Application Data\ryxkrijy\zqzkzmpk.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Sony\SonicStage\SSAAD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Sinhala Kit\SinhalaKit.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\Speed Disk\NOPDB.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.msn.com/spbasic.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {02715E47-5A8E-495B-8F63-0D30470B8E72} - C:\WINDOWS\system32\cbXQjijJ.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O2 - BHO: (no name) - {6C1CE2D8-7E44-4DF7-9B5F-C76CC6564B86} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Common Files\Symantec Shared\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A5641D3B-D9AC-ED59-8FDC-A028EA7160CC} - C:\WINDOWS\system32\shlur.dll (file missing)
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\opnljjh.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\sccaewms.dll (file missing)
O2 - BHO: (no name) - {F25F0503-678E-4E2B-9440-9DD38AE8FDB3} - C:\WINDOWS\system32\mlJCRkkL.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKLM\..\Policies\Explorer\Run: [0k9arSpcjn] C:\Documents and Settings\All Users\Application Data\ryxkrijy\zqzkzmpk.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Sinhala Kit.lnk = C:\Program Files\Sinhala Kit\SinhalaKit.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with BitPump - C:\Program Files\AnalogX\BitPump\ieint.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/s...irector/sw.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://download.microsoft.com/downlo...eckControl.cab
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/act...a/nprdtinf.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab Class) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {F1D54B0B-B6EA-43B5-BD26-A79D3DBF47E3} (Multidownx Control) - https://bigpondmusic.com/activex/multidownx.cab
O18 - Protocol: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - C:\Program Files\Belarc\Advisor\System\BAVoilaX.dll
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: awtst - C:\WINDOWS\system32\awtst.dll (file missing)
O20 - Winlogon Notify: cbXQjijJ - C:\WINDOWS\system32\cbXQjijJ.dll (file missing)
O20 - Winlogon Notify: opnljjh - C:\WINDOWS\system32\opnljjh.dll (file missing)
O20 - Winlogon Notify: winzwr32 - C:\WINDOWS\system32\winzwr32.dll (file missing)
O21 - SSODL: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file)
O22 - SharedTaskScheduler: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgemc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - D:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\Speed Disk\NOPDB.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: - C:\WINDOWS\system32\ad.html

--
End of file - 14258 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 GBDevice - c:\windows\system32\drivers\gbdevice.sys <Not Verified; Symantec Corporation; Norton GoBack>
R0 GoBack2K - c:\windows\system32\drivers\goback2k.sys <Not Verified; Symantec Corporation; Norton GoBack>
R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys <Not Verified; Protection Technology; StarForce Protection System>
R0 sisidex - c:\windows\system32\drivers\sisidex.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R0 sisperf (Add Performance Filter Driver) - c:\windows\system32\drivers\sisperf.sys <Not Verified; Silicon Integrated Systems Corp.; SiS Filer Driver>
R1 BANTExt (Belarc SMBios Access) - c:\windows\system32\drivers\bantext.sys
R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD>
R2 aslm75 - c:\windows\system32\drivers\aslm75.sys
R3 MusCDriverV32 - c:\windows\system32\drivers\muscdriverv32.sys <Not Verified; Windows (R) 2000/XP; Windows (R) 2000/XP Driver>
R3 MusCVideo32 - c:\windows\system32\drivers\muscvideo32.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

S0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys (file missing)
S2 GBFSHook - c:\windows\system32\drivers\gbfshook.sys <Not Verified; Symantec Corporation; Norton GoBack>
S3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys (file missing)
S3 BlueletSCOAudio (Bluetooth SCO Audio Service) - c:\windows\system32\drivers\blueletscoaudio.sys (file missing)
S3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys (file missing)
S3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys (file missing)
S3 mcdbus (Driver for MagicISO SCSI Host Controller) - c:\windows\system32\drivers\mcdbus.sys (file missing)
S3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
S3 PVUSB (CESG502 USB Driver) - c:\windows\system32\drivers\cesg502.sys <Not Verified; Hitachi Semiconductor and Devices Sales Co.,Ltd.; CESG502>
S3 SDdriver - c:\windows\system32\drivers\sddriver.sys <Not Verified; Symantec Corporation; Norton Speed Disk>
S3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys (file missing)
S3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 bgsvcgen (B's Recorder GOLD Library General Service) - c:\windows\system32\bgsvcgen.exe <Not Verified; B.H.A Corporation; B's Recorder GOLD8>
R2 Speed Disk service - c:\progra~1\norton~1\norton~3\speedd~1\nopdb.exe <Not Verified; Symantec Corporation; Norton Speed Disk>

S3 Imapi Helper - "d:\program files\alex feinman\iso recorder\imapihelper.exe" <Not Verified; Alex Feinman; ISO Recorder>
S3 PACSPTISVR - c:\program files\common files\sony shared\avlib\pacsptisvr.exe <Not Verified; ; PACSPTISVR Module>
S3 SoundMovieServer - "c:\windows\system32\snmvtsvc.exe" <Not Verified; SoundMovieServer; SoundMovieServer>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-03-31 19:17:08 622 --a------ C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job


-- Files created between 2008-03-13 and 2008-04-13 -----------------------------

2008-04-12 20:11:09 691545 --a------ C:\WINDOWS\unins000.exe
2008-04-12 20:11:08 2539 --a------ C:\WINDOWS\unins000.dat
2008-04-12 18:56:14 95763 --ahs---- C:\WINDOWS\system32\LkkRCJlm.ini2
2008-04-12 10:41:10 0 d-------- C:\Documents and Settings\All Users\Application Data\ryxkrijy
2008-04-08 16:33:50 7437824 --a------ C:\WINDOWS\system32\smfcore.dll
2008-04-08 16:33:50 0 d-------- C:\Program Files\Flash FLV to Video Audio Converter
2008-04-08 16:31:45 0 d-------- C:\Program Files\Aplus FLV to MP3 Converter
2008-04-08 16:28:07 0 d-------- C:\Mp3 Output
2008-04-08 16:05:35 0 d-------- C:\Documents and Settings\Owner\Application Data\River Past G5
2008-04-08 16:05:35 0 d-------- C:\Documents and Settings\All Users\Application Data\River Past G5
2008-03-31 19:11:00 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-03-27 16:08:27 0 d-------- C:\OutputFolder
2008-03-26 18:30:31 0 d-------- C:\WINDOWS\system32\Adobe
2008-03-25 11:07:31 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-03-25 11:07:31 383238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2008-03-21 10:27:08 0 d-------- C:\WhAEM
2008-03-21 10:27:08 0 d-------- C:\Program Files\WhAEM
2008-03-21 10:27:08 0 d-------- C:\Program Files\Common Files\ESRI
2008-03-17 13:57:32 0 d-------- C:\Program Files\SystemRequirementsLab


-- Find3M Report ---------------------------------------------------------------

2008-04-13 12:31:39 0 d-------- C:\Documents and Settings\Owner\Application Data\DNA
2008-04-13 12:31:24 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-09 15:59:03 0 d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-04-08 16:26:15 0 d-------- C:\Program Files\Common Files
2008-03-28 17:09:04 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-03-08 15:00:41 0 d-------- C:\Documents and Settings\Owner\Application Data\Locktime
2008-03-01 11:48:25 0 d-------- C:\Program Files\DNA
2008-02-22 17:14:36 0 d-------- C:\Program Files\Java
2008-02-20 18:17:49 0 d-------- C:\Documents and Settings\Owner\Application Data\GetRightToGo
2008-02-19 19:05:01 0 d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-02-19 19:03:13 0 d-------- C:\Program Files\Norton Internet Security
2008-02-19 19:02:58 0 d-------- C:\Program Files\Symantec
2008-02-19 19:01:52 0 d-------- C:\Program Files\Windows Sidebar
2008-02-13 14:19:45 0 d-------- C:\Program Files\FLV Player


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02715E47-5A8E-495B-8F63-0D30470B8E72}]
C:\WINDOWS\system32\cbXQjijJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
07/02/2008 01:35 PM 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C1CE2D8-7E44-4DF7-9B5F-C76CC6564B86}]
C:\WINDOWS\system32\awtst.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
19/02/2008 07:01 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5641D3B-D9AC-ED59-8FDC-A028EA7160CC}]
C:\WINDOWS\system32\shlur.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030}]
C:\WINDOWS\system32\opnljjh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F18F04B0-9CF1-4b93-B004-77A288BEE28B}]
C:\WINDOWS\system32\sccaewms.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F25F0503-678E-4E2B-9440-9DD38AE8FDB3}]
C:\WINDOWS\system32\mlJCRkkL.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [07/02/2008 01:35 PM 349552]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50 AM]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [12/07/2002 07:45 PM]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [05/05/2003 08:57 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [26/01/2008 11:17 AM]
"AGRSMMSG"="AGRSMMSG.exe" [04/03/2005 12:01 PM C:\WINDOWS\AGRSMMSG.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [29/05/2006 03:31 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [23/12/2007 07:31 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 12:11 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [21/07/2006 10:21 AM]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [16/05/2006 04:50 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [12/01/2005 03:01 AM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [14/06/2006 04:24 PM]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [05/02/2007 10:11 AM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [07/02/2008 04:19 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [28/02/2006 09:30 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [14/10/2004 01:54 AM]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [16/05/2006 04:51 PM]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [11/04/2008 10:59 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Sinhala Kit.lnk - C:\Program Files\Sinhala Kit\SinhalaKit.exe [26/08/2007 8:42:32 AM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"DisableTaskMgr"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"0k9arSpcjn"=C:\Documents and Settings\All Users\Application Data\ryxkrijy\zqzkzmpk.exe

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\WINDOWS\system32\ad.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030}"= C:\WINDOWS\system32\opnljjh.dll [ ]
"{02715E47-5A8E-495B-8F63-0D30470B8E72}"= C:\WINDOWS\system32\cbXQjijJ.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtst]
C:\WINDOWS\system32\awtst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXQjijJ]
cbXQjijJ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnljjh]
opnljjh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzwr32]
winzwr32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlJCRkkL

*Newly Created Service* - COMHOST



-- Hosts -----------------------------------------------------------------------

127.0.0.1 sds-qckads.com
127.0.0.1 status.qckads.com
127.0.0.1 www.qoolaid.com
127.0.0.1 www.qoologic.com
127.0.0.1 www.CLKPrecision.com
127.0.0.1 www.urllogic.com
127.0.0.1 www.clkoptimizer.com
127.0.0.1 www.isearch.com
127.0.0.1 isearch.com
127.0.0.1 www.idownload.com

20 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-04-13 12:33:57 ------------
Attached Files
File Type: txt extra.txt (18.6 KB, 0 views)
File Type: doc avg.doc (120.0 KB, 0 views)

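The entries a malware-removal helper picks out of the log above are structural, not signature-based: a BHO with no name whose DLL is gone, an autostart under Policies\Explorer\Run pointing into All Users\Application Data, a Winlogon Notify package (loaded into winlogon.exe as SYSTEM), SSODL and SharedTaskScheduler hooks with no file behind them, an Active Desktop component rendering a local HTML file, and a second LSA "Authentication Packages" value (loaded into lsass.exe). The following Python script is an added example for this thread, not code from the original post or from HijackThis, DSS, SDFix or ComboFix; the rule set and the SAMPLE_LOG (lines copied from the first log above, plus clean Yahoo, Spybot, ccApp and AVG entries as controls) are this example's own assumptions.

```python
"""Triage the persistence entries in a HijackThis / Deckard's System Scanner log.

Added example for this thread; it is not part of the original post and not
code from HijackThis, DSS, SDFix or ComboFix.  The rules encode what a
malware-removal helper checks by eye in the log above.  The rule set and the
SAMPLE_LOG below are this example's own assumptions.
"""
import re

# Constructed sample: lines copied from the first log in this thread, plus the
# clean Yahoo/Spybot/ccApp/AVG entries so the rules have something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {02715E47-5A8E-495B-8F63-0D30470B8E72} - C:\WINDOWS\system32\cbXQjijJ.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Policies\Explorer\Run: [0k9arSpcjn] C:\Documents and Settings\All Users\Application Data\ryxkrijy\zqzkzmpk.exe
O20 - Winlogon Notify: awtst - C:\WINDOWS\system32\awtst.dll (file missing)
O21 - SSODL: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file)
O22 - SharedTaskScheduler: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\Program Files\Grisoft\AVG7\avgupsvc.exe
O24 - Desktop Component 0: - C:\WINDOWS\system32\ad.html
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mlJCRkkL
"""

ENTRY = re.compile(r"^(?P<sec>[RO]\d+) - (?P<rest>.*)$")
ORPHAN = re.compile(r"\((?:file missing|no file)\)$")
# Directories a legitimate XP autostart almost never launches from.
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\")


def classify(line):
    """Return a reason string when the entry needs attention, else None."""
    m = ENTRY.match(line)
    if m is None:
        # DSS registry-dump line.  LSA authentication packages are DLLs loaded
        # into lsass.exe as SYSTEM; on stock XP the value is exactly msv1_0.
        if line.startswith('"Authentication Packages"='):
            packages = line.split("=", 1)[1].split()
            extra = [p for p in packages if p.lower() != "msv1_0"]
            if extra:
                return "extra LSA authentication package in lsass.exe: " + ", ".join(extra)
        return None
    sec, rest = m.group("sec"), m.group("rest")
    low = rest.lower()
    orphan = ORPHAN.search(rest) is not None
    if sec == "O2" and "(no name)" in rest and orphan:
        return "orphaned unnamed BHO; delete its CLSID under Browser Helper Objects"
    if sec == "O4" and "\\policies\\explorer\\run" in low:
        return "autostart under Policies\\Explorer\\Run, a key installers do not normally use"
    if sec == "O4" and any(d in low for d in USER_WRITABLE):
        return "autostart launched from a user-writable data directory"
    if sec == "O20":
        # Winlogon Notify DLLs run inside winlogon.exe as SYSTEM.  HijackThis
        # hides the stock XP packages, so anything it lists deserves a look.
        return "Winlogon Notify package" + (" (orphaned registration)" if orphan else "")
    if sec in ("O21", "O22") and orphan:
        hook = "SSODL" if sec == "O21" else "SharedTaskScheduler"
        return "orphaned %s shell hook; remove the CLSID" % hook
    if sec == "O24" and re.search(r"[a-z]:\\", low):
        return "Active Desktop component rendering a local HTML file"
    return None


def triage(log_text):
    """Return [(tag, reason, line)] for every flagged entry, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reason = classify(line) if line else None
        if reason:
            m = ENTRY.match(line)
            findings.append((m.group("sec") if m else "LSA", reason, line))
    return findings


if __name__ == "__main__":
    for tag, reason, line in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (tag, reason, line))
```

Running it over the sample flags the seven suspect entries and leaves the Yahoo, Spybot, ccApp and AVG lines alone. The same function can be run over a post-cleanup log to see which registrations survived; the second log in this thread, for instance, still lists the awtst, shlur and mlJCRkkL BHOs as "(file missing)", so the registry entries outlived the files.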
Old 04-14-2008, 06:34 PM   #2
Security Team (ret.)
 
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: Zlob and Obfuskated viruses found by AVG but still no resolution!!!!

http://i254.photobucket.com/albums/h...1/ATT00219.jpg


Please download SDFix from here and save it to your desktop

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Please copy and paste that log in your next reply.

=================================


OK. We need to download ComboFix.exe. This will give a better view of the files running, and also hidden, on your computer.

Please visit this webpage for download links and instructions for running ComboFix.


When the tool is finished, it will produce a report for you. Please copy and paste the "C:\ComboFix.txt" along with a new HijackThis log so that we can continue to do any further cleaning that your system may require.

Caution: Never run and remove files with Combofix unless supervised by a security analyst.

NOTE: Combofix prevents autorun of all CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you - please let me know.

Eddy
Old 04-16-2008, 06:26 PM   #3
Registered Member
 
Join Date: Apr 2008
Posts: 3
OS: Windows XP Service Pack 2


Re: Zlob and Obfuskated viruses found by AVG but still no resolution!!!!

Thanks a lot for all the help, Eddy.

I have done everything you have asked and I'm now posting the logs. Are any other steps necessary?

HIJACK THIS

Deckard's System Scanner v20071014.68
Run by Owner on 2008-04-17 10:43:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:44:46 AM, on 17/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Sinhala Kit\SinhalaKit.exe
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.6.0_03\bin\jucheck.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll
O2 - BHO: (no name) - {6C1CE2D8-7E44-4DF7-9B5F-C76CC6564B86} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A5641D3B-D9AC-ED59-8FDC-A028EA7160CC} - C:\WINDOWS\system32\shlur.dll (file missing)
O2 - BHO: (no name) - {F25F0503-678E-4E2B-9440-9DD38AE8FDB3} - C:\WINDOWS\system32\mlJCRkkL.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [OM_Monitor] C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Sinhala Kit.lnk = C:\Program Files\Sinhala Kit\SinhalaKit.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with BitPump - C:\Program Files\AnalogX\BitPump\ieint.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Rip YouTube File - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
O9 - Extra 'Tools' menuitem: Rip YouTube file embedded in this page - {38E51477-DDB4-4aed-9D61-D0C193E10749} - C:\Program Files\AllMusicConverter\YouTubeRipper.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {34F12AFD-E9B5-492A-85D2-40FA4535BE83} (AxProdInfoCtl Class) - http://www.symantec.com/techsupp/act...a/nprdtinf.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {F1D54B0B-B6EA-43B5-BD26-A79D3DBF47E3} (Multidownx Control) - http://bigpondmusic.com/activex/multidownx.cab
O20 - Winlogon Notify: awtst - C:\WINDOWS\system32\awtst.dll (file missing)
O20 - Winlogon Notify: cbXQjijJ - cbXQjijJ.dll (file missing)
O20 - Winlogon Notify: opnljjh - opnljjh.dll (file missing)
O21 - SSODL: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file)
O22 - SharedTaskScheduler: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoBack Polling Service (GBPoll) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - D:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: InstallShield Licensing Service - Macrovision - C:\Program Files\Common Files\InstallShield Shared\Service\InstallShield Licensing Service.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SoundMovieServer - SoundMovieServer - C:\WINDOWS\system32\snmvtsvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.EXE
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - C:\WINDOWS\system32\ad.html

--
End of file - 11575 bytes

-- Files created between 2008-03-17 and 2008-04-17 -----------------------------

2008-04-17 10:44:28 0 d-------- C:\Program Files\Trend Micro
2008-04-17 10:27:57 0 d-------- C:\cmdcons
2008-04-17 10:26:47 68096 --a------ C:\WINDOWS\zip.exe
2008-04-17 10:26:47 49152 --a------ C:\WINDOWS\VFind.exe
2008-04-17 10:26:47 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-04-17 10:26:47 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-04-17 10:26:47 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-04-17 10:26:47 98816 --a------ C:\WINDOWS\sed.exe
2008-04-17 10:26:47 80412 --a------ C:\WINDOWS\grep.exe
2008-04-17 10:26:47 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-04-17 09:55:56 0 d-------- C:\WINDOWS\ERUNT
2008-04-17 08:52:03 0 --a------ C:\WINDOWS\system32\ydcjqhat.exe
2008-04-16 19:46:52 0 --a------ C:\WINDOWS\system32\lcxulina.exe
2008-04-15 19:29:32 0 --a------ C:\WINDOWS\system32\bulwrmzq.exe
2008-04-15 15:02:29 0 --a------ C:\WINDOWS\system32\crytojwl.exe
2008-04-15 13:21:08 0 --a------ C:\WINDOWS\system32\baxkruvm.exe
2008-04-15 08:51:27 0 --a------ C:\WINDOWS\system32\mtcvmrgb.exe
2008-04-15 07:45:44 0 --a------ C:\WINDOWS\system32\ahsfyrqx.exe
2008-04-14 13:19:28 0 --a------ C:\WINDOWS\system32\rorqdqpg.exe
2008-04-14 10:56:31 0 --a------ C:\WINDOWS\system32\hmdqjiha.exe
2008-04-14 10:09:25 0 --a------ C:\WINDOWS\system32\ozwduzch.exe
2008-04-14 09:02:48 0 --a------ C:\WINDOWS\system32\abcvytcz.exe
2008-04-14 08:04:18 0 --a------ C:\WINDOWS\system32\fsvuxsfo.exe
2008-04-13 18:43:22 0 --a------ C:\WINDOWS\system32\ehgpavyx.exe
2008-04-13 15:26:31 0 --a------ C:\WINDOWS\system32\qrefohux.exe
2008-04-13 12:47:23 0 d-------- C:\Program Files\Panda Security
2008-04-12 20:11:09 691545 --a------ C:\WINDOWS\unins000.exe
2008-04-12 20:11:08 2539 --a------ C:\WINDOWS\unins000.dat
2008-04-12 10:41:10 0 d-------- C:\Documents and Settings\All Users\Application Data\ryxkrijy
2008-04-08 16:33:50 7437824 --a------ C:\WINDOWS\system32\smfcore.dll
2008-04-08 16:33:50 0 d-------- C:\Program Files\Flash FLV to Video Audio Converter
2008-04-08 16:31:45 0 d-------- C:\Program Files\Aplus FLV to MP3 Converter
2008-04-08 16:28:07 0 d-------- C:\Mp3 Output
2008-04-08 16:05:35 0 d-------- C:\Documents and Settings\Owner\Application Data\River Past G5
2008-04-08 16:05:35 0 d-------- C:\Documents and Settings\All Users\Application Data\River Past G5
2008-03-31 19:11:00 0 d-------- C:\Documents and Settings\LocalService\Desktop
2008-03-27 16:08:27 0 d-------- C:\OutputFolder
2008-03-26 18:30:31 0 d-------- C:\WINDOWS\system32\Adobe
2008-03-25 11:07:31 765952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-03-25 11:07:31 383238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2008-03-21 10:27:08 0 d-------- C:\WhAEM
2008-03-21 10:27:08 0 d-------- C:\Program Files\WhAEM
2008-03-21 10:27:08 0 d-------- C:\Program Files\Common Files\ESRI
2008-03-17 13:57:32 0 d-------- C:\Program Files\SystemRequirementsLab


-- Find3M Report ---------------------------------------------------------------

2008-04-17 10:44:29 0 d-------- C:\Documents and Settings\Owner\Application Data\DNA
2008-04-17 10:31:48 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-04-17 10:31:23 0 d-------- C:\Program Files\Common Files
2008-04-09 15:59:03 0 d-------- C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-03-28 17:09:04 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2008-03-08 15:00:41 0 d-------- C:\Documents and Settings\Owner\Application Data\Locktime
2008-03-01 11:48:25 0 d-------- C:\Program Files\DNA
2008-02-22 17:14:36 0 d-------- C:\Program Files\Java
2008-02-20 18:17:49 0 d-------- C:\Documents and Settings\Owner\Application Data\GetRightToGo
2008-02-19 19:05:01 0 d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2008-02-19 19:03:13 0 d-------- C:\Program Files\Norton Internet Security
2008-02-19 19:02:58 0 d-------- C:\Program Files\Symantec
2008-02-19 19:01:52 0 d-------- C:\Program Files\Windows Sidebar


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
07/02/2008 01:35 PM 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C1CE2D8-7E44-4DF7-9B5F-C76CC6564B86}]
C:\WINDOWS\system32\awtst.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
19/02/2008 07:01 PM 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5641D3B-D9AC-ED59-8FDC-A028EA7160CC}]
C:\WINDOWS\system32\shlur.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F25F0503-678E-4E2B-9440-9DD38AE8FDB3}]
C:\WINDOWS\system32\mlJCRkkL.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [07/02/2008 01:35 PM 349552]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 11:50 AM]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [12/07/2002 07:45 PM]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [05/05/2003 08:57 AM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [26/01/2008 11:17 AM]
"AGRSMMSG"="AGRSMMSG.exe" [04/03/2005 12:01 PM C:\WINDOWS\AGRSMMSG.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [29/05/2006 03:31 PM]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [23/12/2007 07:31 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 12:11 AM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [21/07/2006 10:21 AM]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [16/05/2006 04:50 PM]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [12/01/2005 03:01 AM]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [14/06/2006 04:24 PM]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [05/02/2007 10:11 AM]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [07/02/2008 04:19 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [28/02/2006 09:30 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [14/10/2004 01:54 AM]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [16/05/2006 04:51 PM]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [11/04/2008 10:59 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Sinhala Kit.lnk - C:\Program Files\Sinhala Kit\SinhalaKit.exe [26/08/2007 8:42:32 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\WINDOWS\system32\ad.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtst]
C:\WINDOWS\system32\awtst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXQjijJ]
cbXQjijJ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnljjh]
opnljjh.dll

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-04-17 10:46:03 ------------


SDFIX

SDFix: Version 1.171
Run by Administrator on Thu 17/04/2008 at 09:59 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

Trojan Files Found:

C:\Documents and Settings\All Users\Start Menu\Online Security Guide.url - Deleted
C:\Documents and Settings\All Users\Start Menu\Security Troubleshooting.url - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt - Deleted
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt - Deleted



Folder C:\Documents and Settings\LocalService\Application Data\NetMon - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1353.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 10:18:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Telstra\\Cable Login\\bpcable.exe"="C:\\Program Files\\Telstra\\Cable Login\\bpcable.exe:*:Enabled:BigPond Cable Client"
"C:\\Program Files\\Telstra\\Cable Login\\bpcService.exe"="C:\\Program Files\\Telstra\\Cable Login\\bpcService.exe:*:Enabled:BigPond Cable Client (running as a service)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"D:\\utorrent.exe"="D:\\utorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:Enabled:DNA"
"C:\\Documents and Settings\\Owner\\My Documents\\BitTorrent\\bittorrent.exe"="C:\\Documents and Settings\\Owner\\My Documents\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Fri 29 Feb 2008 625,664 A.SH. --- "C:\Program Files\Internet Explorer\iexplore.exe"
Wed 4 Aug 2004 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Tue 14 Nov 2006 794 A.SH. --- "C:\WINDOWS\system32\tstwa.tmp"
Sun 19 Nov 2006 588,500 A.SH. --- "C:\WINDOWS\system32\tstwa.bak2"
Sun 19 Nov 2006 589,109 A.SH. --- "C:\WINDOWS\system32\tstwa.bak1"
Tue 16 May 2006 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Sat 23 Jun 2001 23,552 A..H. --- "C:\Documents and Settings\All Users\Documents\Sampath\~WRL0351.tmp"
Tue 11 Sep 2001 19,456 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL0001.tmp"
Sat 15 Sep 2001 19,968 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL0003.tmp"
Sun 20 Oct 2002 48,128 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL0016.tmp"
Sun 3 Nov 2002 28,672 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL0061.tmp"
Sun 20 Oct 2002 51,200 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL0103.tmp"
Sun 20 Oct 2002 56,320 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL0191.tmp"
Sun 3 Nov 2002 28,160 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL0370.tmp"
Sun 20 Oct 2002 58,368 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL0495.tmp"
Sun 20 Oct 2002 51,712 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL1061.tmp"
Sun 20 Oct 2002 50,688 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL1160.tmp"
Sun 20 Oct 2002 49,152 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL1464.tmp"
Sun 20 Oct 2002 51,200 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL1547.tmp"
Sun 3 Nov 2002 28,672 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL1821.tmp"
Sun 20 Oct 2002 56,832 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL1829.tmp"
Sun 20 Oct 2002 57,856 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL1880.tmp"
Sun 20 Oct 2002 55,296 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL2188.tmp"
Fri 1 Oct 2004 80,384 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL2547.tmp"
Sun 3 Nov 2002 26,624 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL3206.tmp"
Fri 1 Oct 2004 144,384 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL3345.tmp"
Sun 20 Oct 2002 52,224 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL3952.tmp"
Sun 20 Oct 2002 58,368 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL4034.tmp"
Sun 3 Nov 2002 28,672 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL4035.tmp"
Sun 20 Oct 2002 58,368 A..H. --- "C:\Documents and Settings\All Users\Documents\Tharaka\~WRL4085.tmp"
Sun 29 Apr 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sat 19 Jan 2008 400 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COH32LU.reg"
Sat 19 Jan 2008 403 A..H. --- "C:\Program Files\Common Files\Symantec Shared\COH\COHDLU.reg"
Mon 23 May 2005 6,566,429 A..H. --- "C:\Documents and Settings\All Users\Documents\Sampath\Other Stuff\ArcadeInstallFull202RC2-google.exe"
Sat 19 Mar 2005 31,850,249 A..H. --- "C:\Documents and Settings\All Users\Documents\Sampath\Other Stuff\F1\df2demo0.exe"
Fri 25 Feb 2005 4,638,702 A..H. --- "C:\Documents and Settings\All Users\Documents\Sampath\Other Stuff\Music\f1dm3dfx.zip"
Thu 5 Jun 1997 509,952 A..H. --- "C:\Documents and Settings\All Users\Documents\Sampath\Other Stuff\Music\F1WIN.EXE"
Sat 14 Aug 2004 19,456 A..H. --- "C:\Documents and Settings\All Users\Documents\Sampath\School Work\science\~WRL3431.tmp"
Fri 25 Mar 2005 1,138,176 A..H. --- "C:\Documents and Settings\All Users\Documents\Sampath\School Work\Woodwork\~WRL2922.tmp"
Sat 27 Aug 2005 30,208 A..H. --- "C:\Documents and Settings\Owner\Desktop\Sumudu\Year 12 Work\English\~WRL0002.tmp"
Fri 23 Sep 2005 26,112 A..H. --- "C:\Documents and Settings\Owner\Desktop\Sumudu\Year 12 Work\English\~WRL0054.tmp"
Fri 23 Sep 2005 20,480 A..H. --- "C:\Documents and Settings\Owner\Desktop\Sumudu\Year 12 Work\English\~WRL0504.tmp"
Fri 23 Sep 2005 34,816 A..H. --- "C:\Documents and Settings\Owner\Desktop\Sumudu\Year 12 Work\English\~WRL1844.tmp"
Fri 23 Sep 2005 26,624 A..H. --- "C:\Documents and Settings\Owner\Desktop\Sumudu\Year 12 Work\English\~WRL3276.tmp"
Fri 23 Sep 2005 19,456 A..H. --- "C:\Documents and Settings\Owner\Desktop\Sumudu\Year 12 Work\English\~WRL3322.tmp"
Fri 23 Sep 2005 35,328 A..H. --- "C:\Documents and Settings\Owner\Desktop\Sumudu\Year 12 Work\English\~WRL3797.tmp"

Finished!

COMPLEX LOG

ComboFix 08-04-16.2 - Owner 2008-04-17 10:28:19.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.365 [GMT 9.5:30]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\PPATCH~1
C:\Documents and Settings\Administrator\Application Data\PPATCH~1\??pPatch\
C:\Program Files\Common Files\{0426F~1
C:\Program Files\Common Files\{3426F~1
C:\Program Files\icroso~1
C:\Program Files\icroso~1\?icrosoft\
C:\WINDOWS\stem32~1
C:\WINDOWS\system32\components
C:\WINDOWS\system32\components\flx0.dll
C:\WINDOWS\system32\components\flx1.dll
C:\WINDOWS\system32\LkkRCJlm.ini
C:\WINDOWS\system32\LkkRCJlm.ini2

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.

2008-04-17 09:55 . 2008-04-17 09:56 <DIR> d-------- C:\WINDOWS\ERUNT
2008-04-17 09:52 . 2008-04-17 10:22 <DIR> d-------- C:\SDFix
2008-04-17 08:52 . 2008-04-17 08:52 94,208 --a------ C:\WINDOWS\system32\ydcjqhat.exe
2008-04-16 19:46 . 2008-04-16 19:46 106,496 --a------ C:\WINDOWS\system32\lcxulina.exe
2008-04-15 19:29 . 2008-04-15 19:29 98,304 --a------ C:\WINDOWS\system32\bulwrmzq.exe
2008-04-15 15:02 . 2008-04-15 15:02 90,112 --a------ C:\WINDOWS\system32\crytojwl.exe
2008-04-15 13:21 . 2008-04-15 13:21 90,112 --a------ C:\WINDOWS\system32\baxkruvm.exe
2008-04-15 08:51 . 2008-04-15 08:51 94,208 --a------ C:\WINDOWS\system32\mtcvmrgb.exe
2008-04-15 07:45 . 2008-04-15 07:45 106,496 --a------ C:\WINDOWS\system32\ahsfyrqx.exe
2008-04-14 13:19 . 2008-04-14 13:19 94,208 --a------ C:\WINDOWS\system32\rorqdqpg.exe
2008-04-14 10:56 . 2008-04-14 10:56 98,304 --a------ C:\WINDOWS\system32\hmdqjiha.exe
2008-04-14 10:09 . 2008-04-14 10:09 98,304 --a------ C:\WINDOWS\system32\ozwduzch.exe
2008-04-14 09:02 . 2008-04-14 09:02 98,304 --a------ C:\WINDOWS\system32\abcvytcz.exe
2008-04-14 08:04 . 2008-04-14 08:04 90,112 --a------ C:\WINDOWS\system32\fsvuxsfo.exe
2008-04-13 18:43 . 2008-04-13 18:43 90,112 --a------ C:\WINDOWS\system32\ehgpavyx.exe
2008-04-13 15:26 . 2008-04-13 15:26 106,496 --a------ C:\WINDOWS\system32\qrefohux.exe
2008-04-13 12:47 . 2008-04-13 12:47 <DIR> d-------- C:\Program Files\Panda Security
2008-04-13 12:28 . 2008-04-13 12:28 <DIR> d-------- C:\Deckard
2008-04-12 20:11 . 2008-04-12 19:43 691,545 --a------ C:\WINDOWS\unins000.exe
2008-04-12 20:11 . 2008-04-12 20:11 2,539 --a------ C:\WINDOWS\unins000.dat
2008-04-12 10:41 . 2008-04-17 09:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ryxkrijy
2008-04-08 16:33 . 2008-04-08 16:33 <DIR> d-------- C:\Program Files\Flash FLV to Video Audio Converter
2008-04-08 16:33 . 2007-05-31 23:47 7,437,824 --a------ C:\WINDOWS\system32\smfcore.dll
2008-04-08 16:31 . 2008-04-08 16:33 <DIR> d-------- C:\Program Files\Aplus FLV to MP3 Converter
2008-04-08 16:28 . 2008-04-08 16:28 <DIR> d-------- C:\Mp3 Output
2008-04-08 16:05 . 2008-04-08 16:05 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\River Past G5
2008-04-08 16:05 . 2008-04-08 16:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\River Past G5
2008-03-27 16:08 . 2008-03-27 16:08 <DIR> d-------- C:\OutputFolder
2008-03-26 18:30 . 2008-03-28 17:16 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-03-25 11:07 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-03-25 11:07 . 2007-02-25 15:36 383,238 --a------ C:\WINDOWS\system32\libmp3lame-0.dll
2008-03-21 15:49 . 2008-03-25 07:06 244 --ah----- C:\sqmnoopt19.sqm
2008-03-21 15:49 . 2008-03-25 07:05 244 --ah----- C:\sqmnoopt18.sqm
2008-03-21 15:49 . 2008-03-24 18:02 244 --ah----- C:\sqmnoopt17.sqm
2008-03-21 15:49 . 2008-03-25 07:06 232 --ah----- C:\sqmdata19.sqm
2008-03-21 15:49 . 2008-03-25 07:05 232 --ah----- C:\sqmdata18.sqm
2008-03-21 15:49 . 2008-03-24 18:02 232 --ah----- C:\sqmdata17.sqm
2008-03-21 15:48 . 2008-03-24 18:02 244 --ah----- C:\sqmnoopt16.sqm
2008-03-21 15:48 . 2008-03-24 18:02 232 --ah----- C:\sqmdata16.sqm
2008-03-21 10:27 . 2008-03-21 10:27 <DIR> d-------- C:\WhAEM
2008-03-21 10:27 . 2008-03-21 10:27 <DIR> d-------- C:\Program Files\WhAEM
2008-03-21 10:27 . 2008-03-21 10:27 <DIR> d-------- C:\Program Files\Common Files\ESRI
2008-03-17 13:57 . 2008-03-17 13:57 <DIR> d-------- C:\Program Files\SystemRequirementsLab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-17 01:02 --------- d-----w C:\Documents and Settings\Owner\Application Data\DNA
2008-04-17 01:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-16 23:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-04-12 10:13 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-09 06:29 --------- d-----w C:\Documents and Settings\Owner\Application Data\BitTorrent
2008-03-25 01:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-08 05:30 --------- d-----w C:\Documents and Settings\Owner\Application Data\Locktime
2008-03-08 05:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Locktime
2008-03-06 11:02 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-06 11:02 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-06 11:02 10,537 ----a-w C:\WINDOWS\system32\drivers\coh_mon.cat
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-01 02:18 --------- d-----w C:\Program Files\DNA
2008-02-22 07:44 --------- d-----w C:\Program Files\Java
2008-02-20 08:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\GetRightToGo
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-19 09:35 --------- d-----w C:\Documents and Settings\Owner\Application Data\Symantec
2008-02-19 09:33 --------- d-----w C:\Program Files\Norton Internet Security
2008-02-19 09:32 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-19 09:32 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-02-19 09:32 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-02-19 09:32 10,563 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-19 09:32 --------- d-----w C:\Program Files\Symantec
2008-02-19 09:31 --------- d-----w C:\Program Files\Windows Sidebar
2008-02-06 21:43 579,464 ----a-w C:\WINDOWS\system32\SymNeti.dll
2008-02-06 21:43 207,240 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-09-05 12:29 28,560 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-02-15 09:14 342 ----a-w C:\Program Files\INSTALL.LOG
2006-11-20 08:32 5,180,760 ----a-w C:\Documents and Settings\Owner\CONFIGW.EXE
2006-11-20 05:53 25,424 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2006-08-19 05:22 81,920 ----a-w C:\Documents and Settings\Owner\Application Data\ezpinst.exe
2006-08-19 05:22 47,360 ----a-w C:\Documents and Settings\Owner\Application Data\pcouffin.sys
2006-07-25 07:31 1,112 ----a-w C:\Program Files\config.ini
2006-11-19 09:31 589,109 --sha-w C:\WINDOWS\system32\tstwa.bak1
2006-11-19 09:31 588,500 --sha-w C:\WINDOWS\system32\tstwa.bak2
2006-11-19 10:38 589,109 --sha-w C:\WINDOWS\system32\tstwa.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
2008-02-07 13:35 349552 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C1CE2D8-7E44-4DF7-9B5F-C76CC6564B86}]
C:\WINDOWS\system32\awtst.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
2008-02-19 19:01 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5641D3B-D9AC-ED59-8FDC-A028EA7160CC}]
C:\WINDOWS\system32\shlur.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F25F0503-678E-4E2B-9440-9DD38AE8FDB3}]
C:\WINDOWS\system32\mlJCRkkL.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= "C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll" [2008-02-07 13:35 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.5\CoIEPlg.dll [2008-02-07 13:35 349552]

[HKEY_CLASSES_ROOT\clsid\{7febefe3-6b19-4349-98d2-ffb09d4b49ca}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 21:30 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 01:54 1694208]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\Monitor.exe" [2006-05-16 16:51 57344]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-04-11 10:59 288576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 19:45 106496]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 08:57 143360]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-26 11:17 51048]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 12:01 88209 C:\WINDOWS\AGRSMMSG.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-29 15:31 282624]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-12-23 07:31 579072]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11 132496]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-21 10:21 180269]
"OM_Monitor"="C:\Program Files\OLYMPUS\OLYMPUS Master\FirstStart.exe" [2006-05-16 16:50 40960]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 03:01 32768]
"ISUSPM"="C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-06-14 16:24 278528]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2007-02-05 10:11 476728]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-02-07 16:19 718704]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 21:30 15360]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-10-27 08:32 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Sinhala Kit.lnk - C:\Program Files\Sinhala Kit\SinhalaKit.exe [2007-08-26 08:42:32 57344]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\WINDOWS\system32\ad.html
FriendlyName=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtst]
C:\WINDOWS\system32\awtst.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXQjijJ]
cbXQjijJ.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnljjh]
opnljjh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=

R2 LiveUpdate Notice;LiveUpdate Notice;"C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon []
R3 MusCDriverV32;MusCDriverV32;C:\WINDOWS\system32\drivers\MusCDriverV32.sys [2007-12-14 16:07]
R3 MusCVideo32;MusCVideo32;C:\WINDOWS\system32\DRIVERS\MusCVideo32.sys [2007-12-14 16:07]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 20:32]
S3 PVUSB;CESG502 USB Driver;C:\WINDOWS\system32\DRIVERS\CESG502.sys [2002-06-12 22:50]
S3 SoundMovieServer;SoundMovieServer;"C:\WINDOWS\system32\snmvtsvc.exe" [2007-12-14 16:06]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 09:47:08 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-17 10:34:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Norton SystemWorks\Norton GoBack\GBPoll.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\PROGRA~1\NORTON~1\NORTON~3\NPROTECT.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\PROGRA~1\NORTON~1\NORTON~3\SPEEDD~1\NOPDB.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-17 10:39:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-17 01:08:45

Pre-Run: 48,360,067,072 bytes free
Post-Run: 48,457,506,816 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
.
2008-04-09 02:31:04 --- E O F ---
__________________
arsenal_4_life is offline  
Old 04-16-2008, 06:54 PM   #4
Security Team (ret.)
 
Pancake's Avatar
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Re: Zlob and Obfuskated viruses found by AVG but still no resolution!!!!

Now for the cleanup.



Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.


O2 - BHO: (no name) - {02715E47-5A8E-495B-8F63-0D30470B8E72} - C:\WINDOWS\system32\cbXQjijJ.dll (file missing)
O2 - BHO: (no name) - {6C1CE2D8-7E44-4DF7-9B5F-C76CC6564B86} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A5641D3B-D9AC-ED59-8FDC-A028EA7160CC} - C:\WINDOWS\system32\shlur.dll (file missing)
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\opnljjh.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\sccaewms.dll (file missing)
O2 - BHO: (no name) - {F25F0503-678E-4E2B-9440-9DD38AE8FDB3} - C:\WINDOWS\system32\mlJCRkkL.dll (file missing)
O20 - Winlogon Notify: awtst - C:\WINDOWS\system32\awtst.dll (file missing)
O20 - Winlogon Notify: cbXQjijJ - C:\WINDOWS\system32\cbXQjijJ.dll (file missing)
O20 - Winlogon Notify: opnljjh - C:\WINDOWS\system32\opnljjh.dll (file missing)
O20 - Winlogon Notify: winzwr32 - C:\WINDOWS\system32\winzwr32.dll (file missing)
O21 - SSODL: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file)
O22 - SharedTaskScheduler: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file)
O24 - Desktop Component 0: - C:\WINDOWS\system32\ad.html


Reboot.................

===========================

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Quote:

Killall::

File::
C:\WINDOWS\system32\ydcjqhat.exe
C:\WINDOWS\system32\lcxulina.exe
C:\WINDOWS\system32\bulwrmzq.exe
C:\WINDOWS\system32\crytojwl.exe
C:\WINDOWS\system32\baxkruvm.exe
C:\WINDOWS\system32\mtcvmrgb.exe
C:\WINDOWS\system32\ahsfyrqx.exe
C:\WINDOWS\system32\rorqdqpg.exe
C:\WINDOWS\system32\hmdqjiha.exe
C:\WINDOWS\system32\ozwduzch.exe
C:\WINDOWS\system32\abcvytcz.exe
C:\WINDOWS\system32\fsvuxsfo.exe
C:\WINDOWS\system32\ehgpavyx.exe
C:\WINDOWS\system32\qrefohux.exe
C:\Documents and Settings\All Users\Application Data\ryxkrijy
C:\WINDOWS\system32\ad.html
C:\WINDOWS\system32\tstwa.tmp
C:\WINDOWS\system32\tstwa.bak2
C:\WINDOWS\system32\tstwa.bak1
C:\sqmnoopt19.sqm
C:\sqmnoopt18.sqm
C:\sqmnoopt17.sqm
C:\sqmdata19.sqm
C:\sqmdata18.sqm
C:\sqmdata17.sqm
C:\sqmnoopt16.sqm
C:\sqmdata16.sqm

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6C1CE2D8-7E44-4DF7-9B5F-C76CC6564B86}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A5641D3B-D9AC-ED59-8FDC-A028EA7160CC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F25F0503-678E-4E2B-9440-9DD38AE8FDB3}]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtst]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbXQjijJ]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnljjh]



Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Referring to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply.


*Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*
__________________
Eddy
Pancake is offline  
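The HijackThis O2/O20 lines in the fix list and the Registry:: stanza of the CFScript are two views of the same load points: the DLLs are gone (AVG vaulted them) but the registry still references them. The following is an added example, not the helper's or ComboFix's own code, that parses such lines, keeps only the dangling entries and emits the matching key-deletion lines in the thread's own notation; the sample input is constructed from entries quoted in the thread plus one hypothetical benign BHO, and the '~' abbreviation and key paths are taken from the ComboFix output above.

```python
import re

# Constructed sample: HJT lines of the kinds in the fix list above, plus one
# benign BHO line (constructed, hypothetical CLSID/path) that must not be selected.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {6C1CE2D8-7E44-4DF7-9B5F-C76CC6564B86} - C:\WINDOWS\system32\awtst.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Example Vendor BHO - {11111111-2222-3333-4444-555555555555} - C:\Program Files\Example\bho.dll
O20 - Winlogon Notify: awtst - C:\WINDOWS\system32\awtst.dll (file missing)
O21 - SSODL: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
OTHER_RE = re.compile(r"^(?P<kind>O\d+) - (?P<rest>.*)$")

# Keys behind the two line types the thread's script removes, using the same
# '~' abbreviation ComboFix uses for HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer.
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{clsid}"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\{name}"

def parse_hjt(text):
    """Turn HJT lines into dicts with kind, name, clsid, path, key and missing."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := O2_RE.match(line):
            e = dict(kind="O2", **m.groupdict())
            e["key"] = BHO_KEY.format(clsid=e["clsid"])
        elif m := O20_RE.match(line):
            e = dict(kind="O20", clsid=None, **m.groupdict())
            e["key"] = NOTIFY_KEY.format(name=e["name"])
        elif m := OTHER_RE.match(line):
            e = dict(kind=m["kind"], name=m["rest"], clsid=None, path="", key=None)
        else:
            continue
        # HJT marks a dangling load point two ways; both mean the DLL is gone
        # but the registry still points at it, which is what the script cleans.
        e["missing"] = line.endswith("(file missing)") or line.endswith("(no file)")
        entries.append(e)
    return entries

def cfscript_registry(entries):
    """Registry:: stanza for dangling O2/O20 entries; O21/O22/O24 target registry
    values rather than whole keys, so they are returned for a hand-written line."""
    lines, manual = ["Registry::"], []
    for e in entries:
        if not e["missing"]:
            continue  # file still present: a human decides, not the script
        if e["key"] is None:
            manual.append(e)
        else:
            lines.append(f"[-{e['key']}]")  # leading '-' deletes the whole key
    return "\n".join(lines) + "\n", manual

if __name__ == "__main__":
    print(cfscript_registry(parse_hjt(SAMPLE_HJT))[0])
```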
Old 04-16-2008, 08:48 PM   #5
Registered Member
 
Join Date: Apr 2008
Posts: 3
OS: Windows XP Service Pack 2


Re: Zlob and Obfuskated viruses found by AVG but still no resolution!!!!

When using Hijack This I couldn't find these files:
O2 - BHO: (no name) - {02715E47-5A8E-495B-8F63-0D30470B8E72} - C:\WINDOWS\system32\cbXQjijJ.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {CFE9E8A8-38C0-4EF8-AEC2-5035EFE81030} - C:\WINDOWS\system32\opnljjh.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\sccaewms.dll (file missing)
O20 - Winlogon Notify: winzwr32 - C:\WINDOWS\system32\winzwr32.dll (file missing)
O21 - SSODL: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file)
O22 - SharedTaskScheduler: cussers - {ff170564-36c8-43f7-9100-559e166405cf} - (no file)

I have used the fix check function on the other files. Should I proceed and use the combo fix tool???

__________________
arsenal_4_life is offline  
Copyright 2001 - 2010, Tech Support Forum