Very slow computer, pop-ups - Spybot not effective

[griffy]

Hi sUBS,

I have done as instructed, but when I run it the DOS looking window flashs up and off too quickly to read what it says.

[sUBs]

Made you another one

[griffy]

Apologies, but it is still doing the same thing.

[sUBs]

No worries. I'm the persistent sort. Here's one more

[griffy]

Your persistence is appreciated! It seems to have worked this time.

Here is the content of the text file that was output:

"C:\Qoobox\Quarantine\C\Program Files\Java\jre1.6.0_03\bin\jusched .exe.vir"

[sUBs]

Please delete your existing copy of ComboFix. Grab a new copy from here

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then post a fresh ComboFix log

[griffy]

See attached for combofix log. Still getting the error message (see attached "screenshot.doc" in previous posting) when I run combofix.


ComboFix 08-01-28.2 - User 2008-01-28 12:51:46.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.599 [GMT 0:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 )))))))))))))))))))))))))))))))
.

2008-01-27 13:16 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-27 13:15 . 2008-01-27 13:15 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-27 09:28 . 2008-01-27 09:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-27 09:28 . 2008-01-27 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-26 08:18 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-26 08:18 . 2008-01-26 10:30 212 --a------ C:\Boot.bak
2008-01-21 19:31 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-01-21 19:31 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-01-21 19:31 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-21 19:31 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-01-19 11:45 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-19 10:51 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\uydvpvblrknu.sys
2008-01-15 23:03 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\sersjuqvkujg.sys
2008-01-15 23:01 . 2006-06-30 14:13 8,704 --a------ C:\WINDOWS\system32\pfdnnt.exe
2008-01-15 21:47 . 2008-01-15 21:47 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-13 19:05 . 2008-01-13 19:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-12 23:16 . 2008-01-12 23:16 <DIR> d-------- C:\Deckard
2008-01-12 22:28 . 2008-01-12 22:28 <DIR> d-------- C:\ie-spyad_zo
2008-01-12 20:52 . 2008-01-19 10:43 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-10 20:50 . 2008-01-10 20:50 <DIR> d-------- C:\Program Files\AML Products
2008-01-10 20:50 . 2000-05-22 16:58 608,448 --a------ C:\WINDOWS\system32\comctl32.ocx
2008-01-08 19:21 . 2008-01-24 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-05 09:44 . 2008-01-05 10:19 1,814 --a------ C:\WINDOWS\system32\SBRC.dat
2008-01-04 12:22 . 2008-01-05 10:21 5,446,681 --a------ C:\WINDOWS\system32\SBSP.dat
2008-01-04 12:22 . 2008-01-05 10:21 443,765 --a------ C:\WINDOWS\system32\SBFC.dat
2008-01-01 16:16 . 2008-01-01 16:16 <DIR> d-------- C:\Documents and Settings\User\Application Data\Sunbelt Software
2008-01-01 16:16 . 2008-01-01 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 08:05 --------- d-----w C:\Program Files\QuickTime
2008-01-28 08:05 --------- d-----w C:\Program Files\iTunes
2008-01-27 17:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-27 16:58 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-01-27 13:16 --------- d-----w C:\Program Files\Java
2008-01-24 19:59 94,208 ----a-w C:\WINDOWS\system32\igfxtray.exe
2008-01-24 19:59 77,824 ----a-w C:\WINDOWS\system32\hkcmd.exe
2008-01-24 19:59 114,688 ----a-w C:\WINDOWS\system32\igfxpers.exe
2008-01-19 13:55 --------- d-----w C:\Program Files\Google
2008-01-08 19:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-05 10:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-05 10:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-12-04 02:08 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-04 02:08 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-04 02:08 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-04 02:08 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-12-04 02:08 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-12-04 02:08 118,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-12-02 18:09 --------- d-----w C:\Documents and Settings\User\Application Data\Snapfish
2007-11-30 21:19 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-11-25 23:43 245,408 ----a-w C:\WINDOWS\system32\unicows.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 07:07 44,632 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-24 19:59 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2008-01-24 19:59 472632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2008-01-24 19:59 143360]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2008-01-24 19:59 69632]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-24 19:59 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-24 19:59 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2008-01-24 19:59 114688]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-24 19:59 39792]
"WD Button Manager"="WDBtnMgr.exe" [2007-08-11 08:59 364544 C:\WINDOWS\system32\WDBtnMgr.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-24 19:22 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-24 19:59 267064]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [2008-01-24 19:59 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-24 19:59 68856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-12-07 19:26:34 124912]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [2007-08-11 09:00:57 98304]

S3 CamAv;SAMSUNG Video Capture;C:\WINDOWS\system32\Drivers\CamAv.sys []
S3 CAMFLT;%CAMFLT.SvcDesc%;C:\WINDOWS\system32\drivers\CAMFLT.sys []
S3 kwwalpgr;kwwalpgr;C:\DOCUME~1\User\LOCALS~1\Temp\kwwalpgr.sys []
S3 PolarUSB;Polar USB Interface;C:\WINDOWS\system32\DRIVERS\PolarUSB.sys [2001-07-12 15:49]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-17 10:27:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-28 12:54:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-28 12:56:16
ComboFix-quarantined-files.txt 2008-01-28 12:56:13
ComboFix2.txt 2008-01-27 09:20:21
ComboFix3.txt 2008-01-26 13:41:13
.
2008-01-10 08:31:01 --- E O F ---

[MoralTerror]

@sUBs thank you for the help

Hi griffy

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Quote:

File::
C:\WINDOWS\system32\drivers\uydvpvblrknu.sys
C:\WINDOWS\system32\drivers\sersjuqvkujg.sys
Folder::
C:\Program Files\Enigma Software Group
Driver::
kwwalpgr

Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

-------------------------------
Required Logs

C:\ComboFix.txt
new HijackThis log


Please also provide an update on system behaviour

[griffy]

Hi MoralTerror,

I have followed your instructions as listed. When I drop the CFScript.txt file on the ComboFix.exe file, the blue ComboFix window flashes open only for a split second and does not produce a text file to attach/paste. I have still run the hijackthis log. see below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:23:49, on 29/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: &Search - ?p=zuzed004YYGB_ZZzer000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 7222 bytes

[sUBs]

Griffy, please get an updated copy of ComboFix. The previous copy had a slight bug with CFscripts.

[griffy]

ComboFix ran as expected, caused windows to reboot, and then produced the log copied below after start-up. I should note that after start-up iTunes opened up automatically at the same time that the ComboFix window said dont run any programs...preparing log. I immediatley shut iTunes down and ComboFix seemed to complete without any problem.

ComboFix Log:

ComboFix 08-01-29.3 - User 2008-01-29 21:05:21.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.667 [GMT 0:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\drivers\sersjuqvkujg.sys
C:\WINDOWS\system32\drivers\uydvpvblrknu.sys
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Enigma Software Group
C:\Program Files\Enigma Software Group\SpyHunter\AXList.txt
C:\Program Files\Enigma Software Group\SpyHunter\batchrem.job
C:\Program Files\Enigma Software Group\SpyHunter\def.dat.bak
C:\Program Files\Enigma Software Group\SpyHunter\key.dat
C:\Program Files\Enigma Software Group\SpyHunter\pgdata.dat
C:\Program Files\Enigma Software Group\SpyHunter\rgdata.dat
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000001.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000002.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000004.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000005.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000006.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000007.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000008.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000009.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00000a.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00000b.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00000c.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00000d.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00000e.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00000f.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000010.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000011.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000012.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000013.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000014.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000015.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000016.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000017.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000018.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000019.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00001a.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00001b.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00001c.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00001d.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00001e.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00001f.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000020.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000021.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000022.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000023.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000024.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000025.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000026.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000027.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000028.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000029.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00002a.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00002b.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00002c.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00002d.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00002e.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00002f.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000030.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000031.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000032.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000033.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000034.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000035.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000036.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000037.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000038.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000039.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00003a.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00003b.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00003c.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00003d.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00003e.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00003f.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000040.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000041.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000042.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000043.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000044.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000045.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000046.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000047.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000048.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000049.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00004a.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00004b.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00004c.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00004d.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00004e.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00004f.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000050.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000051.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000052.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000053.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000054.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000055.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000056.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000057.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000058.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000059.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00005a.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00005b.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00005c.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00005d.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00005e.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00005f.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000060.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000061.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000062.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000063.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000064.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000065.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000066.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000067.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000068.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000069.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00006a.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00006b.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00006c.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00006d.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00006e.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00006f.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000070.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000071.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000072.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000073.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000074.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000075.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000076.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000077.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000078.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000079.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00007a.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00007b.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00007c.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00007d.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00007e.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\00007f.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000080.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000081.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000082.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000083.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\000084.ecd
C:\Program Files\Enigma Software Group\SpyHunter\Rollback\rollback.dat
C:\Program Files\Enigma Software Group\SpyHunter\spyhunter.log
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterInstance.lock
C:\Program Files\Enigma Software Group\SpyHunter\support.log
C:\WINDOWS\system32\drivers\sersjuqvkujg.sys
C:\WINDOWS\system32\drivers\uydvpvblrknu.sys

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_KWWALPGR
-------\kwwalpgr


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-29 07:56 . 2008-01-29 21:09 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-29 07:56 . 2008-01-29 07:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-27 13:16 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-27 13:15 . 2008-01-27 13:15 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-27 09:28 . 2008-01-27 09:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-27 09:28 . 2008-01-27 09:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-26 08:18 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-26 08:18 . 2008-01-26 10:30 212 --a------ C:\Boot.bak
2008-01-21 19:31 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-01-21 19:31 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-01-21 19:31 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-21 19:31 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-01-19 11:45 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-15 23:01 . 2006-06-30 14:13 8,704 --a------ C:\WINDOWS\system32\pfdnnt.exe
2008-01-13 19:05 . 2008-01-13 19:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-12 23:16 . 2008-01-12 23:16 <DIR> d-------- C:\Deckard
2008-01-12 22:28 . 2008-01-12 22:28 <DIR> d-------- C:\ie-spyad_zo
2008-01-12 20:52 . 2008-01-19 10:43 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-10 20:50 . 2008-01-10 20:50 <DIR> d-------- C:\Program Files\AML Products
2008-01-10 20:50 . 2000-05-22 16:58 608,448 --a------ C:\WINDOWS\system32\comctl32.ocx
2008-01-08 19:21 . 2008-01-24 19:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-05 09:44 . 2008-01-05 10:19 1,814 --a------ C:\WINDOWS\system32\SBRC.dat
2008-01-04 12:22 . 2008-01-05 10:21 5,446,681 --a------ C:\WINDOWS\system32\SBSP.dat
2008-01-04 12:22 . 2008-01-05 10:21 443,765 --a------ C:\WINDOWS\system32\SBFC.dat
2008-01-01 16:16 . 2008-01-01 16:16 <DIR> d-------- C:\Documents and Settings\User\Application Data\Sunbelt Software
2008-01-01 16:16 . 2008-01-01 16:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 19:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-28 08:05 --------- d-----w C:\Program Files\QuickTime
2008-01-28 08:05 --------- d-----w C:\Program Files\iTunes
2008-01-27 16:58 --------- d-----w C:\Documents and Settings\User\Application Data\Skype
2008-01-27 13:16 --------- d-----w C:\Program Files\Java
2008-01-19 13:55 --------- d-----w C:\Program Files\Google
2008-01-08 19:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-01-05 10:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-05 10:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ulead Systems
2007-12-04 02:08 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-04 02:08 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-04 02:08 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-02 18:09 --------- d-----w C:\Documents and Settings\User\Application Data\Snapfish
2007-11-30 21:19 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-10-27 07:07 44,632 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-24 19:59 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [2008-01-24 19:59 472632]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [2008-01-24 19:59 143360]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [2008-01-24 19:59 69632]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2008-01-24 19:59 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2008-01-24 19:59 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2008-01-24 19:59 114688]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-24 19:59 39792]
"WD Button Manager"="WDBtnMgr.exe" [2007-08-11 08:59 364544 C:\WINDOWS\system32\WDBtnMgr.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-24 19:22 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-24 19:59 267064]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [2008-01-24 19:59 61440]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe" [2007-12-14 03:42 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-24 19:59 68856]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-12-07 19:26:34 124912]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [2007-08-11 09:00:57 98304]

S3 CamAv;SAMSUNG Video Capture;C:\WINDOWS\system32\Drivers\CamAv.sys []
S3 CAMFLT;%CAMFLT.SvcDesc%;C:\WINDOWS\system32\drivers\CAMFLT.sys []
S3 PolarUSB;Polar USB Interface;C:\WINDOWS\system32\DRIVERS\PolarUSB.sys [2001-07-12 15:49]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-17 10:27:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 21:09:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-01-29 21:13:13 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-29 21:13:10
ComboFix2.txt 2008-01-28 12:56:17
ComboFix3.txt 2008-01-27 09:20:21
ComboFix4.txt 2008-01-26 13:41:13
.
2008-01-10 08:31:01 --- E O F ---


Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:19:17, on 29/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: &Search - ?p=zuzed004YYGB_ZZzer000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 7183 bytes

[sUBs]

Please perform another Kaspersky Scan. Let's see if there's any stragglers

[griffy]

Hi, yes there are stragglers. I have attached the log. Thanks!!

[sUBs]

Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
"C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\freetransform.jar-c55510f-4fc79e7e.zip"
"C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\holomatix.jar-217b799d-6bbd9536.zip"
"C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\holomatix.jar-5ac043bc-13f9ee57.zip"
"C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\preload.jar-4503ade1-16645311.zip"
"C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\preload.jar-7ae273c0-54895417.zip"
"C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\rac_NTAND_EUROPE_en.zip-69bba523-3bef6faf.zip"
"C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\studioviewer-csa.jar-75e29b8e-2244d19e.zip"
) do (
del /a/f/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
for %%g in (
"%systemdrive%\VundoFix Backups"
%systemdrive%\Deckard
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!
nircmd wait 7000
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says

[griffy]

It ran and said "Deleted successfully!!" and then the window closed itself.

[sUBs]

Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

1. Uninstall ComboFix ... do not skip this step
   This process will perform some post cleanup measures.
   Do this by going to to Start > Run & typing in ComboFix /u
   
   
2. ANTIVIRUS SOFTWARE
   It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
   
   
   
3. FIREWALL
   Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here ? http://www.bleepingcomputer.com/forums/tutorial60.html
   
   
   
4. Microsoft Windows Update ? http://www.windowsupdate.com
   Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
   
   
5. SPYWAREBLASTER
   SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.
   
   Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here ? http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.

• http://www.trillian.cc ? Trillian or http://www.miranda-im.com ? Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
  
  
• http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.
  
  
• http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
  
  
• http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.
  
  ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.
  
  NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.

[griffy]

Thank you very much to both of you, MoralTerror and sUBs, for your persistence and hard work! I really appreciate all you have done.

griffy