Old 12-30-2007, 06:38 PM   #1
Registered User - Join Date: Dec 2007 - Posts: 43 - OS: xp
Trojans causing big problems - mllmm.dll/exe

Hi

I am having difficulty in removing some malware and would appreciate any help that you could give me.

The main symptoms are as follows.
1. PC is taking approx 10 times longer than normal to boot.
2. Windows installer will not run
3. System restore will not run.
4. Internet Explorer will not run (and will not install)
5. Taskbar and "Start Button" had disappeared but I have managed to get these back.
6. Message during bootup "C:\Windows\system32\mllmm.exe - Windows cannot access the specified device path or file."


I have followed through the steps 1-5 that you suggest as best I can as described below.

Step 1: None of the programs on my PC.
Step 2: Can't run pandascan as I can't run Internet Explorer.
Step 3: Spyware Blaster downloaded and running OK. IE-Spyad will not download (the save file button is greyed out)
Step 4: I have Service Pack 2
Step 5: Have run Deckard's System Scanner and included/attached the results.

I did run prevxsifree (from prevx.com) and it came up with the following as problems:
C:\WINDOWS\system32\winrkq32.dll winlogon-notify / win* trojan-a
C:\WINDOWS\system32\xxayyy.dll trojan.vundo
C:\WINDOWS\system31\pmkji.dll trojan.vundo
C:\WINDOWS\system32\mllmm.dll trojan.vundo
C:\WINDOWS\system32\ddccb.exe convert.sys.exec
C:\WINDOWS\system32\pmkji.exe convert.sys.exec
C:\WINDOWS\system32\mllmm.exe convert.sys.exec
C:\WINDOWS\Temp\win3d.exe generic5.nzv
C:\WINDOWS\Temp\win88.exe generic5.nzv
C:\WINDOWS\Temp\win8d.exe trojan.dropper
C:\WINDOWS\Temp\win43.exe trojan.dropper
C:\Docs and Settings\Dave\Local Settings\Temp\TMPIE.tmp
C:\Docs and Settinds\Dave\Local Settings\Temp\TMP13F.tmp

I couldn't run their full version of software as windows installer is not working.

The Deckard's scan result is below and I really would appreciate some advice as I am completely stuck.

Regards

Dave

Deckard's System Scanner v20071014.68
Run by Dave on 2007-12-31 01:03:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Unable to create WMI object; The operation completed successfully.


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Dave.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:04:59, on 31/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\SetPoint\kem.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PrevxCSI\prevxcsi.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Dave\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Dave.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www-config.strath.ac.uk/proxy.config
F3 - REG:win.ini: load=C:\WINDOWS\system32\mllmm.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {40FEE370-8984-4170-B61D-CAB66D3E7263} - C:\WINDOWS\system32\mllmm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {FA16FE06-B462-470E-9653-79C54B1871FF} - C:\WINDOWS\system32\xxyayyy.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
O4 - HKUS\S-1-5-21-2549592396-362823445-1022436175-1014\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-2549592396-362823445-1022436175-1014\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe" (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.strath.ac.uk/
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123689417140
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1123686694019
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) -
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: winrkq32 - C:\WINDOWS\SYSTEM32\winrkq32.dll
O20 - Winlogon Notify: xxyayyy - C:\WINDOWS\SYSTEM32\xxyayyy.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 7990 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3 aeaudio - c:\windows\system32\drivers\aeaudio.sys <Not Verified; Andrea Electronics Corporation; Andrea Audio Driver>
3 akshasp (Aladdin HASP Key) - c:\windows\system32\drivers\akshasp.sys <Not Verified; Aladdin Knowledge Systems Ltd.; Aladdin HASP Function Device Driver>
3 aksusb (Aladdin USB Key) - c:\windows\system32\drivers\aksusb.sys <Not Verified; Aladdin Knowledge Systems Ltd.; Aladdin WDM Device Driver for USB Protection Devices>
3 E1000 (Intel(R) PRO/1000 Network Connection Driver) - c:\windows\system32\drivers\e1000325.sys <Not Verified; Intel Corporation; Intel(R) PRO/1000 Adapter>
2 Hardlock - c:\windows\system32\drivers\hardlock.sys <Not Verified; Aladdin Knowledge Systems Ltd.; Hardlock Device Driver for Windows NT>
2 Haspnt - c:\windows\system32\drivers\haspnt.sys <Not Verified; Aladdin Knowledge Systems; Windows NT HASP Kernel Device Driver>
3 ialm - c:\windows\system32\drivers\ialmnt5.sys <Not Verified; Intel Corporation; Intel Graphics Accelerator Drivers for Windows NT(R)>
3 LHidUsbK (Logitech SetPoint USB Receiver device driver) - c:\windows\system32\drivers\lhidusbk.sys <Not Verified; Logitech, Inc.; Logitech SetPoint(TM)>
1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
3 pxark - c:\windows\system32\drivers\pxark.sys <Not Verified; ; Prevx CSI>
3 smwdm - c:\windows\system32\drivers\smwdm.sys <Not Verified; Analog Devices, Inc.; SoundMAX Digital Audio Driver>
0 snapman (Acronis Snapshots Manager) - c:\windows\system32\drivers\snapman.sys <Not Verified; Acronis; Acronis Snapshot API>
3 usb_rndisx (USB RNDIS Adapter) - c:\windows\system32\drivers\usb8023x.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
3 WinDriver6 - c:\windows\system32\drivers\windrvr6.sys <Not Verified; Jungo; WinDriver Device Driver>
2 XilinxPC4Driver - c:\windows\system32\drivers\xpc4drvr.sys <Not Verified; Xilinx, Inc.; Xilinx PC4 Driver>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2 Apple Mobile Device - c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe
2 KService - c:\program files\kontiki\kservice.exe
2 ProtexisLicensing - c:\windows\system32\psiservice.exe <Not Verified; ; PSIService>
3 usnsvc (Messenger Sharing USN Journal Reader service) - c:\windows\system32\svchost.exe


-- Device Manager: Disabled ----------------------------------------------------

Unable to create WMI object.

-- Scheduled Tasks -------------------------------------------------------------

2007-12-30 17:03:33 256 --a------ C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
2007-12-27 14:51:03 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-11-30 and 2007-12-31 -----------------------------

2007-12-31 01:04:51 0 d-------- C:\Program Files\Trend Micro
2007-12-31 00:46:55 0 d-------- C:\Program Files\SpywareBlaster
2007-12-31 00:17:18 3584 --a------ C:\WINDOWS\system32\pmkji.exe
2007-12-31 00:17:15 344576 -----n--- C:\WINDOWS\system32\pmkji.dll
2007-12-30 20:27:07 10624 --a------ C:\WINDOWS\system32\drivers\pxark.sys <Not Verified; ; Prevx CSI>
2007-12-30 20:26:47 0 d-------- C:\Program Files\PrevxCSI
2007-12-30 20:17:24 3584 --a------ C:\WINDOWS\system32\ddccb.exe
2007-12-30 19:28:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 19:28:20 0 d-------- C:\Documents and Settings\Dave\Application Data\PrevxCSI
2007-12-30 18:49:01 0 d-------- C:\Documents and Settings\Dave\Application Data\Windows Desktop Search
2007-12-30 18:13:37 3584 --a------ C:\WINDOWS\system32\mllmm.exe
2007-12-30 11:01:08 80464 --ahs---- C:\WINDOWS\system32\mmllm.ini2
2007-12-30 11:01:03 344576 --a------ C:\WINDOWS\system32\mllmm.dll
2007-12-30 10:56:03 0 dr-h----- C:\$VAULT$.AVG
2007-12-30 10:55:56 0 d-------- C:\Program Files\Outerinfo
2007-12-30 10:55:46 24576 --a------ C:\WINDOWS\system32\winrkq32.dll
2007-12-30 10:55:37 38912 --a------ C:\WINDOWS\system32\xxyayyy.dll
2007-12-30 08:45:29 0 d-------- C:\Program Files\PixiePack Codec Pack
2007-12-30 08:43:51 0 d-------- C:\Documents and Settings\Dave\Application Data\Tunebite
2007-12-30 08:43:19 0 d-------- C:\Program Files\RapidSolution
2007-12-30 08:43:19 0 d-------- C:\Documents and Settings\All Users\Application Data\RapidSolution
2007-12-30 01:45:35 0 d-------- C:\Documents and Settings\Dave\Videos
2007-12-30 01:45:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2007-12-29 21:28:42 0 d-------- C:\Program Files\Kontiki
2007-12-18 19:09:10 0 d-------- C:\Documents and Settings\Yvonne\Application Data\Snapfish
2007-12-14 19:56:45 0 d-------- C:\Program Files\iPod
2007-12-14 19:56:32 0 d-------- C:\Program Files\iTunes
2007-12-14 19:55:07 0 d-------- C:\Program Files\QuickTime
2007-12-14 19:54:05 0 d-------- C:\Program Files\Apple Software Update
2007-12-14 19:53:37 0 d-------- C:\Program Files\Common Files\Apple
2007-12-14 19:53:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-14 19:46:22 0 d-------- C:\Program Files\Windows Media Connect 2
2007-12-14 19:43:53 0 d-------- C:\WINDOWS\system32\drivers\UMDF
2007-12-04 09:12:57 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2007-12-04 09:12:54 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-12-03 11:46:16 0 --a------ C:\Documents and Settings\All Users\Application Data\f7129022-a000-4847-db07-470265a73c4f


-- Find3M Report ---------------------------------------------------------------

2007-12-31 00:09:26 8405015 --a------ C:\WINDOWS\TempFile
2007-12-30 19:25:19 0 d-------- C:\Program Files\MSN Messenger
2007-12-30 18:11:26 0 d-------- C:\Documents and Settings\Dave\Application Data\AVG7
2007-12-30 11:27:29 0 d-------- C:\Program Files\Napster
2007-12-30 11:27:27 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-12-30 01:39:36 0 d-------- C:\Program Files\blueyonder IST
2007-12-30 01:39:31 0 d-------- C:\Program Files\Motive
2007-12-14 19:53:37 0 d-------- C:\Program Files\Common Files
2007-12-14 19:42:52 0 d-------- C:\Program Files\Windows Media Connect
2007-12-14 09:09:47 2516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-14 09:09:10 88 -r-hs---- C:\WINDOWS\system32\3B6DF67A15.sys
2007-12-07 17:43:29 0 d-------- C:\Documents and Settings\Dave\Application Data\Adobe
2007-12-06 13:24:21 0 d-------- C:\Program Files\Picasa2
2007-12-05 2250 0 d-------- C:\Program Files\Windows Live Toolbar
2007-11-28 20:33:56 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-16 20:55:06 0 d-------- C:\Documents and Settings\Dave\Application Data\uTorrent
2007-11-16 20:15:41 0 d-------- C:\Program Files\uTorrent


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}]
21/12/2007 16:28 172032 --a------ C:\Program Files\Outerinfo\Outerinfo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{40FEE370-8984-4170-B61D-CAB66D3E7263}]
30/12/2007 11:01 344576 --a------ C:\WINDOWS\system32\mllmm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FA16FE06-B462-470E-9653-79C54B1871FF}]
30/12/2007 10:55 38912 --a------ C:\WINDOWS\system32\xxyayyy.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [22/03/2004 14:23 C:\WINDOWS\KHALMNPR.Exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" []
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [31/12/2007 00:29]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []
"Outerinfo"="C:\Program Files\Outerinfo\Outerinfo.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [13/03/2006 13:11 233472]
"{FA16FE06-B462-470E-9653-79C54B1871FF}"= C:\WINDOWS\system32\xxyayyy.dll [30/12/2007 10:55 38912]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winrkq32]
winrkq32.dll 30/12/2007 10:55 24576 C:\WINDOWS\system32\winrkq32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyayyy]
xxyayyy.dll 30/12/2007 10:55 38912 C:\WINDOWS\system32\xxyayyy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1060284298-1482476501-839522115-32116\Scripts\Logon\0\0]
"Script"=jhnew.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc

*Newly Created Service* - PXARK

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe



-- End of Deckard's System Scanner: finished at 2007-12-31 01:05:43 ------------
Attached Files
File Type: txt extra.txt (12.7 KB, 2 views)
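An added triage helper, not from this thread or from HijackThis, Deckard's or Prevx, that parses a few of the HijackThis lines quoted above and flags the persistence hooks this kind of infection relies on (win.ini load=, unnamed BHOs living in system32, Winlogon Notify packages), then correlates the flagged files by name so that a single file stem reaching through two hooks (mllmm.exe/mllmm.dll, xxyayyy.dll as both BHO and Notify package) stands out. The regexes follow the HijackThis 2.0.2 line layout as shown in the log; the scoring rules are my own assumption, not a HijackThis feature.

```python
import os
import re
from collections import defaultdict

# Sample input: constructed subset of the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F3 - REG:win.ini: load=C:\WINDOWS\system32\mllmm.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {40FEE370-8984-4170-B61D-CAB66D3E7263} - C:\WINDOWS\system32\mllmm.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {FA16FE06-B462-470E-9653-79C54B1871FF} - C:\WINDOWS\system32\xxyayyy.dll
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: winrkq32 - C:\WINDOWS\SYSTEM32\winrkq32.dll
O20 - Winlogon Notify: xxyayyy - C:\WINDOWS\SYSTEM32\xxyayyy.dll
"""

# (section, kind, regex) for the HijackThis line types this helper understands.
# Group "path" is always the file the hook loads; "name" is present where HJT prints one.
PATTERNS = [
    ("F3",  "win.ini load=",   re.compile(r"^F3 - REG:win\.ini: load=(?P<path>.+)$")),
    ("O2",  "BHO",             re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")),
    ("O20", "Winlogon Notify", re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")),
    ("O20", "AppInit_DLLs",    re.compile(r"^O20 - AppInit_DLLs: (?P<path>.+)$")),
]

SYSTEM32 = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


def parse_hjt(text):
    """Return one dict per recognised line: section, kind, name, path."""
    entries = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        for section, kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                entries.append({
                    "section": section,
                    "kind": kind,
                    "name": m.groupdict().get("name", ""),
                    "path": m.group("path").strip(),
                })
                break
    return entries


def triage(entries):
    """Apply the (assumed) scoring rules; each finding carries a severity and a reason."""
    findings = []
    for e in entries:
        sev = why = None
        if e["kind"] == "win.ini load=":
            # Legacy Win3.x autostart that current software has no reason to use.
            sev, why = "high", "win.ini load= autostart"
        elif e["kind"] == "BHO" and e["name"] == "(no name)" and SYSTEM32.search(e["path"]):
            # Unnamed BHOs from vendor folders (e.g. Spybot's SDHelper.dll) are not flagged.
            sev, why = "high", "unnamed BHO loading from system32"
        elif e["kind"] == "Winlogon Notify":
            sev, why = "high", "DLL loaded into winlogon.exe at logon; verify the publisher"
        elif e["kind"] == "AppInit_DLLs":
            sev, why = "review", "injected into every process that loads user32.dll; confirm the vendor"
        if sev:
            findings.append({**e, "severity": sev, "reason": why})
    return findings


def correlate(findings):
    """Group findings by file stem (name without extension) and keep only stems
    that persist through more than one section, e.g. a DLL registered both as a
    BHO and as a Winlogon Notify package, or an .exe/.dll pair sharing a name."""
    by_stem = defaultdict(set)
    for f in findings:
        base = os.path.basename(f["path"].replace("\\", "/"))
        stem = os.path.splitext(base)[0].lower()
        by_stem[stem].add(f["section"])
    return {stem: sorted(secs) for stem, secs in by_stem.items() if len(secs) > 1}


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_LOG))
    for f in found:
        print(f"[{f['severity']:6}] {f['section']:3} {f['path']}  ({f['reason']})")
    for stem, secs in correlate(found).items():
        print(f"multi-hook: {stem} -> {', '.join(secs)}")
```

The correlation step is what turns four separate lines into two clusters; in the log above it pairs mllmm.exe (F3) with mllmm.dll (O2) and xxyayyy.dll across O2 and O20.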
DavyCampbell
Old 01-03-2008, 07:20 AM   #2
Registered User - Join Date: Dec 2007 - Posts: 43 - OS: xp
Re: Trojans causing big problems - mllmm.dll/exe

Bump
DavyCampbell
Old 01-06-2008, 11:09 AM   #3
Registered User - Join Date: Dec 2007 - Posts: 43 - OS: xp
Re: Trojans causing big problems - mllmm.dll/exe

Bump >> Bump
DavyCampbell
Old 01-08-2008, 03:14 PM   #4
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic - Join Date: Sep 2005 - Location: Glasgow - Posts: 25,512 - OS: Win XP Pro SP3 / Win 7 Pro

Re: Trojans causing big problems - mllmm.dll/exe

Hi and welcome to TSF.

My name is Iain and I will be helping you clean your system.

You may wish to Subscribe to this thread (Thread Tools > Subscribe to this thread) so that you are notified when you receive a reply.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.

Note that the fix may take several posts. Please continue to respond to my instructions until I confirm that your log is clean. Remember that although your symptoms may vanish, this does NOT mean that your system is clean.

If there is anything you don't understand, please ask BEFORE proceeding with the fixes.

Please ensure that you follow the instructions in the order I have them listed.


Combofix
Download ComboFix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

CAUTION! Combofix should not be run without supervision - we cannot be held responsible if you end up re-installing Windows!

1. Close any open browsers and physically disconnect from the Internet.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
See here for a guide to disabling AV, Firewall and Anti-malware programmes.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the log C:\ComboFix.txt along with a fresh HijackThis Log for further review.


Do not mouseclick combofix's window whilst it's running. This may cause it to stall.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
Glaswegian
Old 01-09-2008, 12:51 PM   #5
Registered User - Join Date: Dec 2007 - Posts: 43 - OS: xp
Re: Trojans causing big problems - mllmm.dll/exe

Hi Iain, thanks for the help.

I have downloaded combofix.exe and copied it to the desktop.
I had to download it on another PC and then copy it over on a USB drive as the button to save it (from the combofix.exe link) was greyed out. Also, I had to use DOS to copy it to the desktop as windows explorer wouldn't let me drag & drop the file or copy & paste it.

I have tried to disable AVG but when I go into AVG Test Centre > Control Centre I get the message "Cannot Launch AVG Free Control Centre"

I also tried to disable the Windows Firewall by selecting Control Panel > Windows Firewall
but I get the following message:

"Windows Firewall Settings cannot be displayed because the associated service is not running. Do you want to start the Windows Firewall/Internet Connections Sharing (ICS) Service?"

When I click yes I get the following:

"Windows cannot start the Windows Firewall/Internet Connections Sharing (ICS) Service"

Should I run combofix now or is there anything else that you would suggest to ensure that my anti-virus is disabled?

Regards

Davy
DavyCampbell
Old 01-09-2008, 03:03 PM   #6
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic - Join Date: Sep 2005 - Location: Glasgow - Posts: 25,512 - OS: Win XP Pro SP3 / Win 7 Pro
Re: Trojans causing big problems - mllmm.dll/exe

Hi Davy

Sounds as though the AV is not running - just run CF as per my instructions and we'll have a look at the log. If it doesn't work we can try another method.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.
Glaswegian
Old 01-09-2008, 05:33 PM   #7
Registered User - Join Date: Dec 2007 - Posts: 43 - OS: xp
Re: Trojans causing big problems - mllmm.dll/exe

Hi Iain

Combofix.txt listed below

ComboFix 08-01-09.2 - Dave 2008-01-10 0:02:20.1 - NTFSx86
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Dave\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Dave\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Dave\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\OinUninstall.exe
C:\Program Files\outerinfo\OiUninstaller.exe
C:\Program Files\outerinfo\Outerinfo.dll
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mmllm.ini
C:\WINDOWS\system32\mmllm.ini2
C:\WINDOWS\system32\pmkjh.dll
C:\WINDOWS\system32\winrkq32.dll
C:\WINDOWS\system32\xxyayyy.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-10 to 2008-01-10 )))))))))))))))))))))))))))))))
.

2008-01-10 00:00 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 19:56 . 2008-01-09 18:20 1,495,667 --a------ C:\desktop
2008-01-09 19:55 . 2008-01-09 18:20 1,495,667 --a------ C:\Documents and Settings\Dave\ComboFix.exe
2008-01-09 19:54 . 2008-01-09 18:20 1,495,667 --a------ C:\ComboFix.exe
2008-01-09 18:22 . 2008-01-09 18:22 3,584 --a------ C:\WINDOWS\system32\pmkjh.exe
2007-12-31 01:04 . 2007-12-31 01:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-31 01:02 . 2007-12-31 01:02 <DIR> d-------- C:\Deckard
2007-12-31 00:46 . 2007-12-31 00:48 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-31 00:46 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-12-31 00:17 . 2007-12-31 00:17 3,584 --a------ C:\WINDOWS\system32\pmkji.exe
2007-12-30 20:27 . 2007-12-31 00:21 10,624 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2007-12-30 20:26 . 2008-01-10 00:03 <DIR> d-------- C:\Program Files\PrevxCSI
2007-12-30 20:17 . 2007-12-30 20:17 3,584 --a------ C:\WINDOWS\system32\ddccb.exe
2007-12-30 19:28 . 2007-12-31 00:21 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\PrevxCSI
2007-12-30 19:28 . 2007-12-30 19:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 18:49 . 2007-12-30 18:49 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Windows Desktop Search
2007-12-30 18:13 . 2007-12-30 18:13 3,584 --a------ C:\WINDOWS\system32\mllmm.exe
2007-12-30 17:34 . 2007-12-30 18:02 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-30 17:34 . 2007-12-30 18:02 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-30 17:19 . 2007-12-30 17:19 23,825,067 --a------ C:\Documents and Settings\Dave\2007-04-29_DRM_FIX.zip
2007-12-30 08:45 . 2007-12-30 08:45 <DIR> d-------- C:\Program Files\PixiePack Codec Pack
2007-12-30 08:43 . 2007-12-30 08:43 <DIR> d-------- C:\Program Files\RapidSolution
2007-12-30 08:43 . 2007-12-30 09:15 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Tunebite
2007-12-30 08:43 . 2007-12-30 08:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RapidSolution
2007-12-30 08:43 . 2007-12-11 09:52 26,784 --a------ C:\WINDOWS\system32\drivers\tbhsd.sys
2007-12-30 01:45 . 2007-12-30 01:45 <DIR> d-------- C:\Documents and Settings\Dave\Videos
2007-12-30 01:45 . 2007-12-30 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2007-12-29 21:28 . 2007-12-30 19:25 <DIR> d-------- C:\Program Files\Kontiki
2007-12-18 19:09 . 2007-12-18 19:09 <DIR> d-------- C:\Documents and Settings\Yvonne\Application Data\Snapfish
2007-12-14 19:57 . 2007-12-30 02:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-14 19:57 . 2007-12-14 19:57 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-14 19:56 . 2007-12-30 11:27 <DIR> d-------- C:\Program Files\iTunes
2007-12-14 19:56 . 2007-12-14 19:56 <DIR> d-------- C:\Program Files\iPod
2007-12-14 19:55 . 2007-12-30 11:27 <DIR> d-------- C:\Program Files\QuickTime
2007-12-14 19:54 . 2007-12-14 19:54 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-14 19:53 . 2007-12-14 19:53 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-14 19:53 . 2007-12-14 19:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-14 19:46 . 2007-12-30 17:57 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-14 19:43 . 2007-12-14 19:45 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 18:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-09 18:32 --------- d-----w C:\Documents and Settings\Dave\Application Data\AVG7
2007-12-30 19:25 --------- d-----w C:\Program Files\MSN Messenger
2007-12-30 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-30 11:27 --------- d-----w C:\Program Files\Napster
2007-12-30 11:27 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-30 04:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-30 01:39 --------- d-----w C:\Program Files\Motive
2007-12-30 01:39 --------- d-----w C:\Program Files\blueyonder IST
2007-12-14 19:42 --------- d-----w C:\Program Files\Windows Media Connect
2007-12-10 13:06 --------- d-----w C:\Documents and Settings\Yvonne\Application Data\Corel
2007-12-06 13:24 --------- d-----w C:\Program Files\Picasa2
2007-12-05 22:06 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-28 20:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-16 20:55 --------- d-----w C:\Documents and Settings\Dave\Application Data\uTorrent
2007-11-16 20:15 --------- d-----w C:\Program Files\uTorrent
2007-11-14 19:23 --------- d-----w C:\Documents and Settings\Yvonne\Application Data\AVG7
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-03-22 14:23 30208 C:\WINDOWS\KHALMNPR.Exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [2008-01-10 00:03 457728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-09 19:29 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1060284298-1482476501-839522115-32116\Scripts\Logon\0\0]
"Script"=jhnew.vbs


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-12-27 14:51:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-30 17:03:33 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-10 00:13:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\Program Files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2008-01-10 0:15:58 - machine was rebooted [Dave]
ComboFix-quarantined-files.txt 2008-01-10 00:15:56
.
2007-12-07 13:39:44 --- E O F ---


Deckard's System Scanner results below (it didn't appear to generate an extra.txt this time)

Deckard's System Scanner v20071014.68
Run by Dave on 2008-01-10 00:24:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 510 MiB (512 MiB recommended).


-- HijackThis (run as Dave.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:24:23, on 10/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\SetPoint\kem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Dave\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Dave.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www-config.strath.ac.uk/proxy.config
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-2549592396-362823445-1022436175-1014\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.strath.ac.uk/
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123689417140
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1123686694019
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) -
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 7215 bytes

-- Files created between 2007-12-10 and 2008-01-10 -----------------------------

2008-01-09 19:56:05 1495667 --a------ C:\desktop
2008-01-09 19:55:35 1495667 --a------ C:\Documents and Settings\Dave\ComboFix.exe
2008-01-09 19:54:51 1495667 --a------ C:\ComboFix.exe
2008-01-09 18:22:53 3584 --a------ C:\WINDOWS\system32\pmkjh.exe
2007-12-31 01:04:51 0 d-------- C:\Program Files\Trend Micro
2007-12-31 00:46:55 0 d-------- C:\Program Files\SpywareBlaster
2007-12-31 00:17:18 3584 --a------ C:\WINDOWS\system32\pmkji.exe
2007-12-30 20:27:07 10624 --a------ C:\WINDOWS\system32\drivers\pxark.sys <Not Verified; ; Prevx CSI>
2007-12-30 20:26:47 0 d-------- C:\Program Files\PrevxCSI
2007-12-30 20:17:24 3584 --a------ C:\WINDOWS\system32\ddccb.exe
2007-12-30 19:28:31 0 d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 19:28:20 0 d-------- C:\Documents and Settings\Dave\Application Data\PrevxCSI
2007-12-30 18:49:01 0 d-------- C:\Documents and Settings\Dave\Application Data\Windows Desktop Search
2007-12-30 18:13:37 3584 --a------ C:\WINDOWS\system32\mllmm.exe
2007-12-30 10:56:03 0 dr-h----- C:\$VAULT$.AVG
2007-12-30 08:45:29 0 d-------- C:\Program Files\PixiePack Codec Pack
2007-12-30 08:43:51 0 d-------- C:\Documents and Settings\Dave\Application Data\Tunebite
2007-12-30 08:43:19 0 d-------- C:\Program Files\RapidSolution
2007-12-30 08:43:19 0 d-------- C:\Documents and Settings\All Users\Application Data\RapidSolution
2007-12-30 01:45:35 0 d-------- C:\Documents and Settings\Dave\Videos
2007-12-30 01:45:35 0 d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2007-12-29 21:28:42 0 d-------- C:\Program Files\Kontiki
2007-12-18 19:09:10 0 d-------- C:\Documents and Settings\Yvonne\Application Data\Snapfish
2007-12-14 19:56:45 0 d-------- C:\Program Files\iPod
2007-12-14 19:56:32 0 d-------- C:\Program Files\iTunes
2007-12-14 19:55:07 0 d-------- C:\Program Files\QuickTime
2007-12-14 19:54:05 0 d-------- C:\Program Files\Apple Software Update
2007-12-14 19:53:37 0 d-------- C:\Program Files\Common Files\Apple
2007-12-14 19:53:36 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-14 19:46:22 0 d-------- C:\Program Files\Windows Media Connect 2
2007-12-14 19:43:53 0 d-------- C:\WINDOWS\system32\drivers\UMDF


-- Find3M Report ---------------------------------------------------------------

2008-01-10 00:11:20 0 --a------ C:\WINDOWS\TempFile
2008-01-09 18:32:40 0 d-------- C:\Documents and Settings\Dave\Application Data\AVG7
2007-12-30 19:25:19 0 d-------- C:\Program Files\MSN Messenger
2007-12-30 11:27:29 0 d-------- C:\Program Files\Napster
2007-12-30 11:27:27 0 d-------- C:\Program Files\Microsoft ActiveSync
2007-12-30 01:39:36 0 d-------- C:\Program Files\blueyonder IST
2007-12-30 01:39:31 0 d-------- C:\Program Files\Motive
2007-12-14 19:53:37 0 d-------- C:\Program Files\Common Files
2007-12-14 19:42:52 0 d-------- C:\Program Files\Windows Media Connect
2007-12-14 09:09:47 2516 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-14 09:09:10 88 -r-hs---- C:\WINDOWS\system32\3B6DF67A15.sys
2007-12-07 17:43:29 0 d-------- C:\Documents and Settings\Dave\Application Data\Adobe
2007-12-06 13:24:21 0 d-------- C:\Program Files\Picasa2
2007-12-05 2250 0 d-------- C:\Program Files\Windows Live Toolbar
2007-11-28 20:33:56 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-16 20:55:06 0 d-------- C:\Documents and Settings\Dave\Application Data\uTorrent
2007-11-16 20:15:41 0 d-------- C:\Program Files\uTorrent


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [22/03/2004 14:23 C:\WINDOWS\KHALMNPR.Exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" []
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [10/01/2008 00:03]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [13/03/2006 13:11 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1060284298-1482476501-839522115-32116\Scripts\Logon\0\0]
"Script"=jhnew.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Usnsvc usnsvc


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe



-- End of Deckard's System Scanner: finished at 2008-01-10 00:24:41 ------------




Regards

Davy
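An added triage example, written for this editing pass and not code from the thread, from ComboFix or from Deckard's System Scanner: it parses lines in the ComboFix "Files Created" format shown in the log above and scores each executable against a few cheap heuristics that the four 3,584-byte system32 files in this log happen to share (dropped straight into system32, a short consonant-only name, a tiny size, created and last-modified in the same minute, and a size shared with other new executables in the same directory). The sample lines are constructed in the log's shape, the thresholds (4096 bytes, three hits) and the extension list are assumptions, and a hit marks a file as worth checking, not as malicious.

```python
"""Triage helper for the 'Files Created' listing in a ComboFix log.

Scores each executable against a few cheap heuristics visible in the log in
this thread. Thresholds are assumptions for illustration; a hit is a
candidate for review, not a verdict.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

EXEC_EXT = ('.exe', '.dll', '.sys', '.ocx', '.scr', '.com')   # assumed list
VOWELS = set('aeiou')
TINY_BYTES = 4096                                              # assumed threshold

# ComboFix line shape: "<created> . <modified> <size|<DIR>> <attrs> <path>"
# (the Find3M section uses a different layout and is skipped on purpose).
LINE_RE = re.compile(
    r'^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. '
    r'(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) '
    r'(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+?)\s*$'
)

# Constructed sample in the same shape as the log above (not the full log).
SAMPLE_LOG = r"""
2008-01-10 00:00 . 2000-08-31 07:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 18:22 . 2008-01-09 18:22 3,584 --a------ C:\WINDOWS\system32\pmkjh.exe
2007-12-31 00:46 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-12-31 00:17 . 2007-12-31 00:17 3,584 --a------ C:\WINDOWS\system32\pmkji.exe
2007-12-30 20:27 . 2007-12-31 00:21 10,624 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2007-12-30 20:17 . 2007-12-30 20:17 3,584 --a------ C:\WINDOWS\system32\ddccb.exe
2007-12-30 18:13 . 2007-12-30 18:13 3,584 --a------ C:\WINDOWS\system32\mllmm.exe
2007-12-14 19:57 . 2007-12-30 02:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-14 19:55 . 2007-12-30 11:27 <DIR> d-------- C:\Program Files\QuickTime
"""


@dataclass
class Entry:
    created: str
    modified: str
    size: Optional[int]      # None for directories
    attrs: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit('\\', 1)[-1]

    @property
    def directory(self) -> str:
        return self.path.rsplit('\\', 1)[0].lower()

    @property
    def is_executable(self) -> bool:
        return self.size is not None and self.name.lower().endswith(EXEC_EXT)


def parse(text: str) -> List[Entry]:
    """Return one Entry per line that matches the ComboFix file-listing shape."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # headers, '.', blank lines, Find3M lines
        size = None if m['size'] == '<DIR>' else int(m['size'].replace(',', ''))
        entries.append(Entry(m['created'], m['modified'], size, m['attrs'], m['path']))
    return entries


def score(entry: Entry, size_peers: int) -> List[str]:
    """List the heuristics an executable trips; empty means nothing looked odd."""
    reasons = []
    stem = entry.name.rsplit('.', 1)[0]
    if entry.directory.endswith('\\system32'):
        reasons.append('dropped directly into system32')
    if 4 <= len(stem) <= 6 and stem.isalpha() and stem.islower() and not set(stem) & VOWELS:
        reasons.append('short consonant-only name')
    if entry.size <= TINY_BYTES:
        reasons.append('tiny (%d bytes)' % entry.size)
    if entry.created == entry.modified:
        reasons.append('created and modified in the same minute')
    if size_peers >= 2:
        reasons.append('%d new executables of identical size in this directory' % size_peers)
    return reasons


def triage(text: str, min_hits: int = 3) -> Dict[str, List[str]]:
    """Map file name -> reasons for every executable tripping at least min_hits."""
    entries = [e for e in parse(text) if e.is_executable]
    by_dir_size = defaultdict(int)
    for e in entries:
        by_dir_size[(e.directory, e.size)] += 1
    flagged = {}
    for e in entries:
        reasons = score(e, by_dir_size[(e.directory, e.size)])
        if len(reasons) >= min_hits:
            flagged[e.name] = reasons
    return flagged


if __name__ == '__main__':
    for name, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(name, '->', '; '.join(reasons))
```

Feeding the full log in place of SAMPLE_LOG flags exactly the four files the moderator later lists in the CFScript and nothing else from this machine. Confirming a flagged file is still the analyst's job: check whether it carries a valid digital signature, compare its hash against a known-good copy, and look at what references it (Run keys, AppInit_DLLs, logon scripts, services) before scripting its removal.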
Old 01-10-2008, 04:18 PM   #8 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,512
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Re: Trojans causing big problems - mllmm.dll/exe

Hi again

I don’t need Deckard's System Scanner next time – just HijackThis.


Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.


Combofix
  • Close any open browsers.
  • Open notepad and copy/paste the text in the box below into it:

Code:
File::
C:\WINDOWS\system32\pmkjh.exe
C:\WINDOWS\system32\pmkji.exe
C:\WINDOWS\system32\mllmm.exe
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for

Look at the image below as an example.

Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouseclick combofix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up re-installing Windows!


Please post the log C:\ComboFix.txt along with a fresh HijackThis Log for further review.

Also let me know how your system is performing now.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Old 01-10-2008, 05:16 PM   #9 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 43
OS: xp


Re: Trojans causing big problems - mllmm.dll/exe

Hi Iain

I have copied the CFScript.txt file onto my desktop but I can't drag it onto the combofix.exe icon. I assume that the malware is preventing this from happening.

Also, I can copy files, text etc. but I can't paste anything in any application or on the desktop so I couldn't copy and paste the CFScript.txt into the combofix.exe icon.

Regards

Dave

Last edited by DavyCampbell; 01-10-2008 at 05:18 PM.
Old 01-11-2008, 02:52 PM   #10 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,512
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Re: Trojans causing big problems - mllmm.dll/exe

OK - try this and let's see if we can find anything.

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky WebScanner

Next Click on Kaspersky Online Scanner


A Welcome screen will appear - click 'Accept' at the bottom. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
  • Extended
Scan Options:
  • Scan Archives
  • Scan Mail Bases
Click OK

Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.

Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Take note of the name(s) and location(s) of any file(s) it detects but fails to clean.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Old 01-11-2008, 03:14 PM   #11 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 43
OS: xp


Re: Trojans causing big problems - mllmm.dll/exe

Hi

Unfortunately Internet Explorer is not running.
When I click on the icon to run it (or try to run it from C:\Program Files\Internet Explorer\iexplorer.exe) the Windows Installer pops up and says "Preparing to Install".
After about 10 seconds this message disappears and Internet Explorer does not install.

Firefox is still running OK, can I use it to run Kaspersky?

Regards

Dave
Old 01-12-2008, 10:17 AM   #12 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
 
 
Join Date: Sep 2005
Location: Glasgow
Posts: 25,512
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Re: Trojans causing big problems - mllmm.dll/exe

Hi again

Please delete your current version of combofix (just drag it to the Recycle Bin) and we’ll try an updated version.


Download from any of these links

http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe


**Note: It is important that it is saved directly to your desktop**

CAUTION! Combofix should not be run without supervision - we cannot be held responsible if you end up re-installing Windows!

1. Close any open browsers and physically disconnect from the Internet.

2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
See here for a guide to disabling AV, Firewall and Anti-malware programmes.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the log C:\ComboFix.txt along with a fresh HijackThis Log for further review.


Do not mouseclick combofix's window whilst it's running. This may cause it to stall.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



Old 01-13-2008, 05:43 AM   #13 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 43
OS: xp


Re: Trojans causing big problems - mllmm.dll/exe

Hi Iain

Combofix log.txt as follows:

ComboFix 08-01-13.1 - Dave 2003-05-07 1:13:43.2 - NTFSx86
Running from: C:\Documents and Settings\Dave\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-10 00:00 . 2000-08-31 07:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 19:56 . 2008-01-09 18:20 1,495,667 --a------ C:\desktop
2008-01-09 19:55 . 2008-01-09 18:20 1,495,667 --a------ C:\Documents and Settings\Dave\ComboFix.exe
2008-01-09 19:54 . 2008-01-09 18:20 1,495,667 --a------ C:\ComboFix.exe
2008-01-09 18:22 . 2008-01-09 18:22 3,584 --a------ C:\WINDOWS\system32\pmkjh.exe
2007-12-31 01:04 . 2007-12-31 01:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-31 01:02 . 2007-12-31 01:02 <DIR> d-------- C:\Deckard
2007-12-31 00:46 . 2007-12-31 00:48 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-31 00:46 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-12-31 00:17 . 2007-12-31 00:17 3,584 --a------ C:\WINDOWS\system32\pmkji.exe
2007-12-30 20:27 . 2007-12-31 00:21 10,624 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2007-12-30 20:26 . 2008-01-10 00:03 <DIR> d-------- C:\Program Files\PrevxCSI
2007-12-30 20:17 . 2007-12-30 20:17 3,584 --a------ C:\WINDOWS\system32\ddccb.exe
2007-12-30 19:28 . 2007-12-31 00:21 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\PrevxCSI
2007-12-30 19:28 . 2007-12-30 19:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 18:49 . 2007-12-30 18:49 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Windows Desktop Search
2007-12-30 18:13 . 2007-12-30 18:13 3,584 --a------ C:\WINDOWS\system32\mllmm.exe
2007-12-30 17:34 . 2007-12-30 18:02 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-30 17:34 . 2007-12-30 18:02 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-30 17:19 . 2007-12-30 17:19 23,825,067 --a------ C:\Documents and Settings\Dave\2007-04-29_DRM_FIX.zip
2007-12-30 08:45 . 2007-12-30 08:45 <DIR> d-------- C:\Program Files\PixiePack Codec Pack
2007-12-30 08:43 . 2007-12-30 08:43 <DIR> d-------- C:\Program Files\RapidSolution
2007-12-30 08:43 . 2007-12-30 09:15 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Tunebite
2007-12-30 08:43 . 2007-12-30 08:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RapidSolution
2007-12-30 08:43 . 2007-12-11 09:52 26,784 --a------ C:\WINDOWS\system32\drivers\tbhsd.sys
2007-12-30 01:45 . 2007-12-30 01:45 <DIR> d-------- C:\Documents and Settings\Dave\Videos
2007-12-30 01:45 . 2007-12-30 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2007-12-29 21:28 . 2007-12-30 19:25 <DIR> d-------- C:\Program Files\Kontiki
2007-12-18 19:09 . 2007-12-18 19:09 <DIR> d-------- C:\Documents and Settings\Yvonne\Application Data\Snapfish
2007-12-14 19:57 . 2007-12-30 02:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-14 19:57 . 2007-12-14 19:57 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-14 19:56 . 2007-12-30 11:27 <DIR> d-------- C:\Program Files\iTunes
2007-12-14 19:56 . 2007-12-14 19:56 <DIR> d-------- C:\Program Files\iPod
2007-12-14 19:55 . 2007-12-30 11:27 <DIR> d-------- C:\Program Files\QuickTime
2007-12-14 19:54 . 2007-12-14 19:54 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-14 19:53 . 2007-12-14 19:53 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-14 19:53 . 2007-12-14 19:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-14 19:46 . 2007-12-30 17:57 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-14 19:43 . 2007-12-14 19:45 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 18:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-09 18:32 --------- d-----w C:\Documents and Settings\Dave\Application Data\AVG7
2007-12-30 19:25 --------- d-----w C:\Program Files\MSN Messenger
2007-12-30 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-30 11:27 --------- d-----w C:\Program Files\Napster
2007-12-30 11:27 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-30 04:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-30 01:39 --------- d-----w C:\Program Files\Motive
2007-12-30 01:39 --------- d-----w C:\Program Files\blueyonder IST
2007-12-14 19:42 --------- d-----w C:\Program Files\Windows Media Connect
2007-12-10 13:06 --------- d-----w C:\Documents and Settings\Yvonne\Application Data\Corel
2007-12-06 13:24 --------- d-----w C:\Program Files\Picasa2
2007-12-05 22:06 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-28 20:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-16 20:55 --------- d-----w C:\Documents and Settings\Dave\Application Data\uTorrent
2007-11-16 20:15 --------- d-----w C:\Program Files\uTorrent
2007-11-14 19:23 --------- d-----w C:\Documents and Settings\Yvonne\Application Data\AVG7
.

((((((((((((((((((((((((((((( snapshot@2008-01-10_ 0.15.45.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 08:00:00 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2000-08-31 07:00:00 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
- 2008-01-10 00:01:02 4,472,832 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2003-05-07 00:13:27 4,481,024 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-10 00:01:02 16,384 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2003-05-07 00:13:27 16,384 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2000-08-31 08:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 07:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-03-22 14:23 30208 C:\WINDOWS\KHALMNPR.Exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [2008-01-10 00:03 457728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-09 19:29 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1060284298-1482476501-839522115-32116\Scripts\Logon\0\0]
"Script"=jhnew.vbs


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-12-27 14:51:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-30 17:03:33 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 01:17:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2008-01-13 1:17:37
ComboFix-quarantined-files.txt 2008-01-13 01:17:23
ComboFix2.txt 2008-01-10 00:15:58
.
2007-12-07 13:39:44 --- E O F ---

HijackThis.log as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:20:25, on 13/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\PSIService.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Logitech\SetPoint\kem.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www-config.strath.ac.uk/proxy.config
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: dsWebAllowBHO Class - {2F85D76C-0569-466F-A488-493E6BD0E955} - C:\Program Files\Windows Desktop Search\dsWebAllow.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-21-2549592396-362823445-1022436175-1014\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User '?')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Logitech SetPoint.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.strath.ac.uk/
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1123689417140
O16 - DPF: {6BEA1C48-1850-486C-8F58-C7354BA3165E} (Install Class) - http://updates.lifescapeinc.com/inst...l/pinstall.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1123686694019
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {CAFECAFE-0013-0001-0017-ABCDEFABCDEF} (JInitiator 1.3.1.17) -
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe

--
End of file - 7183 bytes

Regards

Davy
DavyCampbell is offline  
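A way to triage a HijackThis log like the one above without reading every line by eye, as an added example (not code from this thread, from its posters, or from the HijackThis project): it parses the Rn/On entries and applies a few review heuristics that a helper typically checks first, namely a service listed with "Unknown owner", an O4 Run value that is a bare file name resolved through the search path rather than an absolute path, a populated AppInit_DLLs value, a proxy AutoConfigURL, and a BHO with no name. The sample lines are copied from the log posted above; the heuristics, regexes and function names are the example's own, and a hit only means "look at this entry", not that it is malicious.

```python
import re

# Constructed sample input: a handful of lines copied from the HijackThis log posted above.
SAMPLE_HJT_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://www-config.strath.ac.uk/proxy.config
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PrevxCSI] "C:\Program Files\PrevxCSI\prevxcsi.exe" -boot
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HijackThis entry starts with a section code (R0, R1, O2, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<type>[RFNO]\d{1,2}) - (?P<body>.+)$")
# In O4 entries the launched command follows the closing bracket of the value name.
RUN_TARGET_RE = re.compile(r"\]\s*(.*)$")
# A target beginning with a drive letter is an absolute path; anything else is resolved via PATH.
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_hjt(text):
    """Return (section_code, body) tuples for every recognised HijackThis entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def triage(entries):
    """Apply review heuristics; return (section_code, reason, body) for entries worth a second look.

    These are prompts for the analyst, not verdicts: each hit still has to be checked
    against the vendor, the file on disk and its digital signature.
    """
    findings = []
    for etype, body in entries:
        if etype == "O23" and " - Unknown owner - " in body:
            findings.append((etype, "service has no publisher string; verify where the binary came from", body))
        elif etype == "O4" and (m := RUN_TARGET_RE.search(body)):
            target = m.group(1).strip().lstrip('"')
            if not ABS_PATH_RE.match(target):
                findings.append((etype, "Run value is a bare file name resolved via the search path; "
                                        "confirm which copy actually executes", body))
        elif etype == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            findings.append((etype, "AppInit_DLLs loads this DLL into every process that uses user32.dll; "
                                    "confirm the vendor", body))
        elif etype == "R1" and "AutoConfigURL" in body:
            findings.append((etype, "a proxy auto-config URL steers all browser traffic; confirm it is the expected one", body))
        elif etype == "O2" and "(no name)" in body:
            findings.append((etype, "unnamed BHO; identify it by CLSID and file path", body))
    return findings


if __name__ == "__main__":
    for code, reason, body in triage(parse_hjt(SAMPLE_HJT_LOG)):
        print(f"{code}: {reason}\n    {body}")
```

Run as a script it prints the five flagged entries from the sample; the quoted, absolute-path PrevxCSI Run value and the Apple-owned service pass untouched, which is the point of keeping the rules narrow.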
Old 01-13-2008, 10:05 AM   #14 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,512
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Re: Trojans causing big problems - mllmm.dll/exe

Right, let’s try this again, with the updated version.

Please read these instructions carefully and then print out or copy this page to Notepad in order to assist you when carrying out the fix. You should not have any open browsers or live internet connections when you are following the procedures below.


Combofix
  • Close any open browsers.
  • Open notepad and copy/paste the text in the box below into it:

Code:
KillAll::

File::
C:\WINDOWS\system32\pmkjh.exe
C:\WINDOWS\system32\pmkji.exe
C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for
C:\WINDOWS\system32\mllmm.exe
Looking at the image below as an example

Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it will produce a log for you at "C:\ComboFix.txt"

Do not mouse-click ComboFix's window whilst it's running. This may cause it to stall.

CAUTION! Anyone else thinking of using the above script does so at their own risk - you may end up re-installing Windows!


Please post the log C:\ComboFix.txt along with a fresh HijackThis Log for further review.

Please also let me know how your system is performing now.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner
Glaswegian is offline  
Old 01-13-2008, 12:21 PM   #15 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 43
OS: xp


Re: Trojans causing big problems - mllmm.dll/exe

Hi Iain

Unfortunately the problem persists.
I am unable to drag any of the icons on the desktop so I can't drag CFScript into ComboFix.exe
I have also tried in windows explorer but I can't drag files or folders in that application either.
The ability to paste files and folders appears to have been disabled.

Regards

Davy
DavyCampbell is offline  
Old 01-13-2008, 03:22 PM   #16 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,512
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Re: Trojans causing big problems - mllmm.dll/exe

Davy

Try doing CFScript in Safe Mode.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner
Glaswegian is offline  
Old 01-13-2008, 04:11 PM   #17 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 43
OS: xp


Re: Trojans causing big problems - mllmm.dll/exe

Hi Iain

Even in safe mode I can't drag the icons (or copy and paste)
Can I use dos commands to do this instead?

Davy
DavyCampbell is offline  
Old 01-14-2008, 02:15 PM   #18 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,512
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Re: Trojans causing big problems - mllmm.dll/exe

Davy

I'll need to investigate this and I'll get back to you - probably tomorrow.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner
Glaswegian is offline  
Old 01-14-2008, 03:23 PM   #19 (permalink)
Moderator/ Rangemaster TSF Academy; Analyst, Security Team; Oor Wullie; TSF Surgeon and Resident Comic
Join Date: Sep 2005
Location: Glasgow
Posts: 25,512
OS: Win XP Pro SP3 / Win 7 Pro


Blog Entries: 10
Re: Trojans causing big problems - mllmm.dll/exe

Hi

Go to Start > Run and type in this line

"C:\Documents and Settings\Dave\Desktop\ComboFix.exe" "C:\Documents and Settings\Dave\Desktop\CFScript"

include the quotation marks and click 'OK'.



Open notepad and type the text in the quotebox below into it:
Quote:
vfind -ltf "%systemdrive%\svchost.exe" >log.txt
notepad log.txt
Save this as peek.bat. Choose "Save as type - All Files".

Double click on peek.bat & allow it to run. A notepad file will open. Copy that information into your next reply, please.
__________________
Iain - Defender of the Haggis and all things Scottish.
I don't help by PM - post in the Forums.



PC Safety & Security::PC running a bit slow?::Donate::Photographers Corner
Glaswegian is offline  
Old 01-15-2008, 01:50 PM   #20 (permalink)
Registered User
 
Join Date: Dec 2007
Posts: 43
OS: xp


Re: Trojans causing big problems - mllmm.dll/exe

Hi Iain

The following was generated by running peek.bat

----a-w 14,336 2004-08-03 23:56:58 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
----a-w 14,336 2004-08-03 23:56:58 C:\WINDOWS\system32\svchost.exe
-c--a-w 14,336 2004-08-03 23:56:58 C:\WINDOWS\system32\dllcache\svchost.exe

Entries: 3 (3)
Directories: 0 Files: 3
Bytes: 43,008 Blocks: 84

I don't know if you needed the combofix log file but I have listed it below just in case:

ComboFix 08-01-13.1 - Dave 2003-05-07 1:42:20.3 - NTFSx86
Running from: C:\Documents and Settings\Dave\Desktop\Combofix.exe
Command switches used :: C:\Documents and Settings\Dave\Desktop\CFScript

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-13 to 2008-01-13 )))))))))))))))))))))))))))))))
.

2008-01-10 00:00 . 2000-08-31 07:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 19:56 . 2008-01-09 18:20 1,495,667 --a------ C:\desktop
2008-01-09 19:55 . 2008-01-09 18:20 1,495,667 --a------ C:\Documents and Settings\Dave\ComboFix.exe
2008-01-09 19:54 . 2008-01-09 18:20 1,495,667 --a------ C:\ComboFix.exe
2008-01-09 18:22 . 2008-01-09 18:22 3,584 --a------ C:\WINDOWS\system32\pmkjh.exe
2007-12-31 01:04 . 2007-12-31 01:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-31 01:02 . 2007-12-31 01:02 <DIR> d-------- C:\Deckard
2007-12-31 00:46 . 2007-12-31 00:48 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-31 00:46 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-12-31 00:17 . 2007-12-31 00:17 3,584 --a------ C:\WINDOWS\system32\pmkji.exe
2007-12-30 20:27 . 2007-12-31 00:21 10,624 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2007-12-30 20:26 . 2008-01-10 00:03 <DIR> d-------- C:\Program Files\PrevxCSI
2007-12-30 20:17 . 2007-12-30 20:17 3,584 --a------ C:\WINDOWS\system32\ddccb.exe
2007-12-30 19:28 . 2007-12-31 00:21 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\PrevxCSI
2007-12-30 19:28 . 2007-12-30 19:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2007-12-30 18:49 . 2007-12-30 18:49 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Windows Desktop Search
2007-12-30 18:13 . 2007-12-30 18:13 3,584 --a------ C:\WINDOWS\system32\mllmm.exe
2007-12-30 17:34 . 2007-12-30 18:02 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-30 17:34 . 2007-12-30 18:02 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-30 17:19 . 2007-12-30 17:19 23,825,067 --a------ C:\Documents and Settings\Dave\2007-04-29_DRM_FIX.zip
2007-12-30 08:45 . 2007-12-30 08:45 <DIR> d-------- C:\Program Files\PixiePack Codec Pack
2007-12-30 08:43 . 2007-12-30 08:43 <DIR> d-------- C:\Program Files\RapidSolution
2007-12-30 08:43 . 2007-12-30 09:15 <DIR> d-------- C:\Documents and Settings\Dave\Application Data\Tunebite
2007-12-30 08:43 . 2007-12-30 08:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\RapidSolution
2007-12-30 08:43 . 2007-12-11 09:52 26,784 --a------ C:\WINDOWS\system32\drivers\tbhsd.sys
2007-12-30 01:45 . 2007-12-30 01:45 <DIR> d-------- C:\Documents and Settings\Dave\Videos
2007-12-30 01:45 . 2007-12-30 18:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kontiki
2007-12-29 21:28 . 2007-12-30 19:25 <DIR> d-------- C:\Program Files\Kontiki
2007-12-18 19:09 . 2007-12-18 19:09 <DIR> d-------- C:\Documents and Settings\Yvonne\Application Data\Snapfish
2007-12-14 19:57 . 2007-12-30 02:03 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2007-12-14 19:57 . 2007-12-14 19:57 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-14 19:56 . 2007-12-30 11:27 <DIR> d-------- C:\Program Files\iTunes
2007-12-14 19:56 . 2007-12-14 19:56 <DIR> d-------- C:\Program Files\iPod
2007-12-14 19:55 . 2007-12-30 11:27 <DIR> d-------- C:\Program Files\QuickTime
2007-12-14 19:54 . 2007-12-14 19:54 <DIR> d-------- C:\Program Files\Apple Software Update
2007-12-14 19:53 . 2007-12-14 19:53 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-12-14 19:53 . 2007-12-14 19:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-12-14 19:46 . 2007-12-30 17:57 <DIR> d-------- C:\Program Files\Windows Media Connect 2
2007-12-14 19:43 . 2007-12-14 19:45 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-09 18:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-09 18:32 --------- d-----w C:\Documents and Settings\Dave\Application Data\AVG7
2007-12-30 19:25 --------- d-----w C:\Program Files\MSN Messenger
2007-12-30 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2007-12-30 11:27 --------- d-----w C:\Program Files\Napster
2007-12-30 11:27 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-12-30 04:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2007-12-30 01:39 --------- d-----w C:\Program Files\Motive
2007-12-30 01:39 --------- d-----w C:\Program Files\blueyonder IST
2007-12-14 19:42 --------- d-----w C:\Program Files\Windows Media Connect
2007-12-10 13:06 --------- d-----w C:\Documents and Settings\Yvonne\Application Data\Corel
2007-12-06 13:24 --------- d-----w C:\Program Files\Picasa2
2007-12-05 22:06 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-28 20:33 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-16 20:55 --------- d-----w C:\Documents and Settings\Dave\Application Data\uTorrent
2007-11-16 20:15 --------- d-----w C:\Program Files\uTorrent
2007-11-14 19:23 --------- d-----w C:\Documents and Settings\Yvonne\Application Data\AVG7
.

((((((((((((((((((((((((((((( snapshot@2008-01-10_ 0.15.45.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 08:00:00 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
+ 2000-08-31 07:00:00 163,328 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\ERDNT.EXE
- 2008-01-10 00:01:02 4,472,832 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2003-05-07 00:42:13 4,554,752 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-10 00:01:02 16,384 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2003-05-07 00:42:13 16,384 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2000-08-31 08:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 07:00:00 156,160 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2004-03-22 14:23 30208 C:\WINDOWS\KHALMNPR.Exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
"PrevxCSI"="C:\Program Files\PrevxCSI\prevxcsi.exe" [2008-01-10 00:03 457728]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-09 19:29 219136]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1060284298-1482476501-839522115-32116\Scripts\Logon\0\0]
"Script"=jhnew.vbs


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{621FCD24-4498-4324-A81E-07D331376EDF}]
C:\Program Files\PixiePack Codec Pack\InstallerHelper.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-12-27 14:51:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-30 17:03:33 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-13 01:45:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe [6.00.2900.3156]
-> C:\Program Files\Logitech\SetPoint\lgscroll.dll
.
Completion time: 2008-01-13 1:46:06
ComboFix-quarantined-files.txt 2008-01-13 01:45:51
ComboFix2.txt 2008-01-13 01:17:38
ComboFix3.txt 2008-01-10 00:15:58
.
2007-12-07 13:39:44 --- E O F ---


Regards

Dave
DavyCampbell is offline  
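The two listings in the post above support two checks an analyst would otherwise do by hand, shown here as an added example in Python (not part of the thread and not ComboFix's or vfind's own code). The first reads the ComboFix "Files Created" section and groups freshly created binaries in the system folders by exact byte size, which is how the 3,584-byte set (pmkjh.exe, pmkji.exe, ddccb.exe, mllmm.exe) stands out from the legitimate installs around it. The second reads the vfind listing and confirms that every svchost.exe copy sits in one of the three folders shown for this XP SP2 machine (system32, system32\dllcache, ServicePackFiles\i386) and that all copies share one size; a constructed extra line with a copy in the drive root shows the check firing. The sample lines are copied from the post; the expected-folder set, the extension list and all function names are the example's assumptions.

```python
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Sample input: file lines from the "Files Created" section of the ComboFix log posted above.
COMBOFIX_FILES_CREATED = r"""
2008-01-10 00:00 . 2000-08-31 07:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-09 18:22 . 2008-01-09 18:22 3,584 --a------ C:\WINDOWS\system32\pmkjh.exe
2007-12-31 01:04 . 2007-12-31 01:04 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-31 00:46 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2007-12-31 00:17 . 2007-12-31 00:17 3,584 --a------ C:\WINDOWS\system32\pmkji.exe
2007-12-30 20:27 . 2007-12-31 00:21 10,624 --a------ C:\WINDOWS\system32\drivers\pxark.sys
2007-12-30 20:17 . 2007-12-30 20:17 3,584 --a------ C:\WINDOWS\system32\ddccb.exe
2007-12-30 18:13 . 2007-12-30 18:13 3,584 --a------ C:\WINDOWS\system32\mllmm.exe
2007-12-30 08:43 . 2007-12-11 09:52 26,784 --a------ C:\WINDOWS\system32\drivers\tbhsd.sys
"""

# Sample input: the vfind -ltf output posted above (three svchost.exe copies, all 14,336 bytes).
VFIND_OUTPUT = r"""
----a-w 14,336 2004-08-03 23:56:58 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
----a-w 14,336 2004-08-03 23:56:58 C:\WINDOWS\system32\svchost.exe
-c--a-w 14,336 2004-08-03 23:56:58 C:\WINDOWS\system32\dllcache\svchost.exe
"""
# Constructed variant (not from the post): the same listing plus a hypothetical copy in the drive root.
VFIND_WITH_STRAY = VFIND_OUTPUT + r"----a-w 9,216 2008-01-09 18:22:00 C:\svchost.exe" + "\n"

# ComboFix line: "<created> . <modified> <size or <DIR>> <attrs> <path>"
CF_LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>\S+)\s+(?P<path>.+)$"
)
# vfind -ltf line: "<attrs> <size> <date> <time> <path>"
VFIND_LINE_RE = re.compile(r"^(?P<attrs>\S+)\s+(?P<size>[\d,]+)\s+(?P<mtime>\S+ \S+)\s+(?P<path>.+)$")

# Assumed scope for the size-cluster check: binaries dropped straight into the system folders.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\system32\drivers"}
BINARY_EXT = {".exe", ".dll", ".sys", ".ocx"}
# Assumed legitimate homes of svchost.exe on this XP SP2 system, taken from the listing itself.
EXPECTED_SVCHOST_DIRS = {r"c:\windows\system32", r"c:\windows\system32\dllcache",
                         r"c:\windows\servicepackfiles\i386"}


def parse_combofix_created(text):
    """Return dicts (created, size, path) for file entries; directory entries are skipped."""
    files = []
    for line in text.splitlines():
        m = CF_LINE_RE.match(line.strip())
        if not m or m.group("size") == "<DIR>":
            continue
        files.append({"created": m.group("created"),
                      "size": int(m.group("size").replace(",", "")),
                      "path": m.group("path")})
    return files


def size_clusters(files, min_members=2):
    """Group new binaries in the system folders by exact byte size.

    Several unrelated-looking names sharing one size and one folder usually belong together
    and are worth reviewing as a set rather than one at a time.
    """
    by_size = defaultdict(list)
    for f in files:
        p = PureWindowsPath(f["path"])
        if str(p.parent).lower() in SYSTEM_DIRS and p.suffix.lower() in BINARY_EXT:
            by_size[f["size"]].append(p.name)
    return {size: sorted(names) for size, names in by_size.items() if len(names) >= min_members}


def check_svchost_copies(text):
    """Flag svchost.exe copies outside the expected folders and report whether all copies share one size."""
    sizes, stray = set(), []
    for line in text.splitlines():
        m = VFIND_LINE_RE.match(line.strip())
        if not m:
            continue
        p = PureWindowsPath(m.group("path"))
        sizes.add(int(m.group("size").replace(",", "")))
        if str(p.parent).lower() not in EXPECTED_SVCHOST_DIRS:
            stray.append(str(p))
    return {"stray_copies": stray, "consistent_size": len(sizes) == 1}


if __name__ == "__main__":
    print("size clusters:", size_clusters(parse_combofix_created(COMBOFIX_FILES_CREATED)))
    print("posted listing:", check_svchost_copies(VFIND_OUTPUT))
    print("with stray copy:", check_svchost_copies(VFIND_WITH_STRAY))
```

The cluster check deliberately ignores the new driver files and MSINET.OCX, each of which has a unique size, so the output is just the one group of four 3,584-byte executables; the svchost check passes cleanly on the posted listing and reports the root-level copy and the size mismatch on the constructed one.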
Copyright 2001 - 2009, Tech Support Forum