Tech Support Forum
Resolved HJT Threads: Resolved spyware and popup issues.

#1
Registered User
Join Date: Jan 2008
Posts: 22
OS: windows XP
Very slow computer, pop-ups - Spybot not effective
My computer is extremely slow, both online and offline. When online I often get the same weather site pop-up. The computer continually blacks out and freezes for periods of about one minute.
I have run Spybot Search and Destroy and it keeps saying that some items cannot be removed because they are running. cmdservice is continually mentioned. I would be very appreciative if you could help. I have successfully been through your recommended 5 steps and have posted the following logs below: DSS Scan, HijackThis Scan. I have been unable to paste the Panda Scan Log as I am apparently limited to 100,000 characters in each posting. I will attach it in a follow-up thread response. For some reason I cannot find & attach the extra.txt file from the DSS scan.

Here are the requested logs:

DSS:

Deckard's System Scanner v20071014.68
Run by User on 2008-01-19 15:24:12
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- HijackThis (run as User.exe) ------------------------------------------------

Unable to find log (file not found); running clone.

-- HijackThis Clone ------------------------------------------------------------

Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-01-19 15:27:16
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SG9tZQ\command.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray .exe
C:\WINDOWS\system32\igfxtray .exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\igfxpers .exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Router\Router.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy .exe
C:\Program Files\Words\Words.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\kernel\kernel .exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Words\Words .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Router\Router .exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\WINDOWS\system32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\Z5J06TWD\dss[1].exe
C:\Program Files\Trend Micro\HijackThis\User.exe
C:\WINDOWS\system32\ssmypics.scr
C:\WINDOWS\system32\s?curity\mmc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/search?q=%s
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
F0 - win.ini: load=C:\WINDOWS\system32\awtqr.exe
F3 - REG:win.ini: Load=C:\WINDOWS\system32\userinit.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917} - C:\WINDOWS\system32\byxuvss.dll
O2 - BHO: (no name) - {2BBC3B13-C0E3-4517-9769-2D454B4E8371} - C:\Program Files\Outlook Express\hokesotuhC:\WINDOWS\system32\vmi4\parreo83122.exe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {67881D2D-AA89-4781-9F78-4CC7E9CDC3DD} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {9a3888ca-3b7b-b41b-0184-9f3880d08ef7} - {7fe80d08-83f9-4810-b14b-b7b3ac8883a9} - C:\WINDOWS\system32\rsumkvhq.dll
O2 - BHO: (no name) - {90C4CC1B-B2C0-4296-BD07-097ED3C02ADB} - C:\WINDOWS\system32\awtqr.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\adpvuvfe.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\GoogleToolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {BFFFA93A-44DB-3B23-8B27-3CE602880A9A} - C:\WINDOWS\system32\weej.dll
O2 - BHO: (no name) - {C1C4AB2E-C331-4011-9A32-634F345EBEA2} - (no file)
O2 - BHO: (no name) - {F8B53648-C576-4B01-B66C-6EB716249DBD} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\GoogleToolbar2.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [a0131fc2] rundll32.exe "C:\WINDOWS\system32\foyskita.dll",b
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [Tsue] "C:\WINDOWS\system32\SCURIT~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WD Backup Monitor.lnk = ?
O8 - Extra context menu item: &Search - ?p=zuzed004YYGB_ZZzer000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Plug-in 1.6.0_03) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.macromedia.com/pub...sh/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - C:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O20 - Winlogon Notify: adpvuvfe - C:\WINDOWS\system32\adpvuvfe.dll
O20 - Winlogon Notify: byxuvss - C:\WINDOWS\system32\byxuvss.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SG9tZQ\command.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O24 - Desktop Component 0: - C:\Program Files\ComPlus Applications\profsyb.html

--
End of file - 12798 bytes

-- Files created between 2007-12-19 and 2008-01-19 -----------------------------

2008-01-19 11:45:43      44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-01-19 10:51:59       8576 --a------ C:\WINDOWS\system32\drivers\uydvpvblrknu.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-17 16:03:30     323072 --a------ C:\WINDOWS\system32\awtqr.dll
2008-01-17 08:41:13     338432 --a------ C:\WINDOWS\system32\awtsr.exe
2008-01-17 08:41:01     334848 -----n--- C:\WINDOWS\system32\awtsr.dll
2008-01-15 23:03:22       8576 --a------ C:\WINDOWS\system32\drivers\sersjuqvkujg.sys <Not Verified; Panda Software International; RKPavProc Driver>
2008-01-15 23:01:49       8704 --a------ C:\WINDOWS\system32\pfdnnt.exe <Not Verified; Panda Software International; Panda Anti-malware>
2008-01-15 21:47:49          0 d-------- C:\Program Files\Enigma Software Group
2008-01-13 19:05:06          0 d-------- C:\Program Files\Trend Micro
2008-01-12 22:28:23          0 d-------- C:\ie-spyad_zo
2008-01-12 21:29:29          0 d-------- C:\Program Files\SpywareBlaster
2008-01-12 20:51:56          0 d-------- C:\WINDOWS\system32\ActiveScan
2008-01-11 20:43:25      90176 --a------ C:\WINDOWS\system32\foyskita.dll
2008-01-11 20:40:54     163904 -----n--- C:\WINDOWS\system32\adpvuvfe.dll
2008-01-11 20:40:52     163904 --a------ C:\WINDOWS\system32\huvotvka.dll
2008-01-11 20:40:48      76864 --a------ C:\WINDOWS\system32\rsumkvhq.dll
2008-01-10 20:50:08          0 d-------- C:\Program Files\AML Products
2008-01-10 08:25:17     337408 --a------ C:\WINDOWS\system32\ssttq.exe
2008-01-08 19:21:23          0 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-08 08:18:35      37888 --a------ C:\WINDOWS\system32\byxvvvv.dll
2008-01-07 23:32:44          0 d-------- C:\Documents and Settings\LocalService\Application Data\Macromedia
2008-01-07 22:10:31          0 d-------- C:\Program Files\Words
2008-01-07 08:24:14      40960 --a------ C:\WINDOWS\system32\khfdbba.dll
2008-01-06 15:30:14          0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2008-01-06 15:30:10          0 dr------- C:\Documents and Settings\LocalService\Favorites
2008-01-06 11:22:34          0 d-------- C:\Program Files\Router
2008-01-06 11:17:35          0 d--hs---- C:\WINDOWS\SG9tZQ
2008-01-06 11:12:43          0 d-------- C:\Documents and Settings\User\Application Data\??stem32
2008-01-06 11:12:42      60928 --a------ C:\WINDOWS\system32\weej.dll
2008-01-06 11:12:33          0 d-------- C:\WINDOWS\system32\s?curity
2008-01-05 10:59:18          0 d-------- C:\Program Files\Temporary
2008-01-05 10:59:18          0 d-------- C:\Program Files\kernel
2008-01-05 10:55:46      40960 --a------ C:\WINDOWS\system32\gebbxwu.dll
2008-01-05 09:44:52       1814 --a------ C:\WINDOWS\system32\SBRC.dat
2008-01-04 12:22:20    5446681 --a------ C:\WINDOWS\system32\SBSP.dat
2008-01-04 12:22:12     443765 --a------ C:\WINDOWS\system32\SBFC.dat
2008-01-01 16:16:33          0 d-------- C:\Documents and Settings\User\Application Data\Sunbelt Software
2008-01-01 16:16:26          0 d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2008-01-01 08:46:01      40960 --a------ C:\WINDOWS\system32\fccbyxv.dll
2007-12-31 10:54:24      40960 --a------ C:\WINDOWS\system32\jkklmji.dll
2007-12-30 19:33:50      69632 --a------ C:\WINDOWS\b143.exe
2007-12-30 09:02:19      35328 --a------ C:\WINDOWS\system32\jkkhedb.dll
2007-12-29 00:04:04      77888 --a------ C:\WINDOWS\system32\yykwotei.dll
2007-12-28 12:03:15      35328 --a------ C:\WINDOWS\system32\vtursqp.dll
2007-12-27 14:45:22      35328 --a------ C:\WINDOWS\system32\vtutsqr.dll
2007-12-26 11:22:50      35328 --a------ C:\WINDOWS\system32\opnllki.dll
2007-12-25 16:22:55     326656 --a------ C:\WINDOWS\system32\awtqr.exe
2007-12-25 16:22:50     147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2007-12-25 16:22:36      21893 --ahs---- C:\WINDOWS\system32\rqtwa.ini2
2007-12-25 16:12:02          0 d-------- C:\WINDOWS\system32\vmi4
2007-12-25 16:12:00          0 d-------- C:\WINDOWS\system32\jab2
2007-12-25 16:11:50          0 d-------- C:\WINDOWS\system32\elmo1
2007-12-25 16:11:48     172032 --a------ C:\winlogon.exe
2007-12-25 16:11:46          0 d-------- C:\WINDOWS\system32\ardCo18
2007-12-25 16:11:33      35328 --a------ C:\WINDOWS\system32\byxuvss.dll

-- Find3M Report ---------------------------------------------------------------

2008-01-19 13:57:19          0 d-------- C:\Program Files\iTunes
2008-01-19 13:55:24          0 d-------- C:\Program Files\Google
2008-01-19 09:33:23          0 d-------- C:\Program Files\QuickTime
2008-01-19 09:32:45     454144 --a------ C:\WINDOWS\system32\igfxpers.exe <Not Verified; Intel Corporation; Intel(R) Common User Interface>
2008-01-19 09:32:43     417280 --a------ C:\WINDOWS\system32\hkcmd.exe <Not Verified; Intel Corporation; Intel(R) Common User Interface>
2008-01-19 09:32:42     433664 --a------ C:\WINDOWS\system32\igfxtray.exe <Not Verified; Intel Corporation; Intel(R) Common User Interface>
2008-01-16 07:26:13          0 d-------- C:\Documents and Settings\User\Application Data\??stem32
2008-01-08 22:00:53          0 d-------- C:\Program Files\Common Files
2008-01-05 10:51:29          0 d--h----- C:\Program Files\InstallShield Installation Information
2007-12-25 16:25:51          0 d-------- C:\Documents and Settings\User\Application Data\Adobe
2007-12-11 12:11:43      96256 --a------ C:\WINDOWS\b151.exe
2007-12-09 01:27:06          0 d-------- C:\Documents and Settings\User\Application Data\Skype
2007-12-02 18:09:23          0 d-------- C:\Documents and Settings\User\Application Data\Snapfish
2007-11-19 10:37:18     173568 --a------ C:\WINDOWS\b149.exe
2007-10-27 07:07:42      44632 --a------ C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917}]
25/12/2007 16:11 35328 --a------ C:\WINDOWS\system32\byxuvss.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BBC3B13-C0E3-4517-9769-2D454B4E8371}]
C:\Program Files\Outlook Express\hokesotuhC:\WINDOWS\system32\vmi4\parreo83122.exe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{67881D2D-AA89-4781-9F78-4CC7E9CDC3DD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7fe80d08-83f9-4810-b14b-b7b3ac8883a9}]
11/01/2008 20:40 76864 --a------ C:\WINDOWS\system32\rsumkvhq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{90C4CC1B-B2C0-4296-BD07-097ED3C02ADB}]
17/01/2008 16:03 323072 --a------ C:\WINDOWS\system32\awtqr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
16/01/2008 21:16 163904 --------- C:\WINDOWS\system32\adpvuvfe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BFFFA93A-44DB-3B23-8B27-3CE602880A9A}]
01/11/2007 13:44 60928 --a------ C:\WINDOWS\system32\weej.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C1C4AB2E-C331-4011-9A32-634F345EBEA2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F8B53648-C576-4B01-B66C-6EB716249DBD}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [19/01/2008 09:32]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [19/01/2008 09:32]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [19/01/2008 09:32]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [19/01/2008 09:32]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [19/01/2008 09:32]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [19/01/2008 09:32]
"WD Button Manager"="WDBtnMgr.exe" [11/08/2007 08:59 C:\WINDOWS\system32\WDBtnMgr.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [19/01/2008 09:32]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [19/01/2008 09:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/01/2008 09:32]
"Host Process"="C:\WINDOWS\Fonts\svchost.exe" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [19/01/2008 09:32]
"RegistryMechanic"="" []
"a0131fc2"="C:\WINDOWS\system32\foyskita.dll" [11/01/2008 20:43]
"SpyHunter Security Suite"="C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe" [19/01/2008 09:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [19/01/2008 09:32]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:00]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [19/01/2008 09:32]
"Tsue"="C:\WINDOWS\system32\SCURIT~1\mmc.exe" [07/01/2008 16:51]
"Router"="C:\Program Files\Router\Router.exe" [19/01/2008 09:32]
"Words"="C:\Program Files\Words\Words.exe" [19/01/2008 09:32]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [19/01/2008 09:32]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

C:\Documents and Settings\User\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [16/03/2005 19:16:50]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [07/12/2006 19:26:34]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 00:01:04]
WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [11/08/2007 09:00:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\ComPlus Applications\profsyb.html
FriendlyName=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{2B3CBDC2-8AB6-45B1-B59E-7B0DEE595917}"= C:\WINDOWS\system32\byxuvss.dll [25/12/2007 16:11 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\adpvuvfe]
adpvuvfe.dll 16/01/2008 21:16 163904 C:\WINDOWS\system32\adpvuvfe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxuvss]
byxuvss.dll 25/12/2007 16:11 35328 C:\WINDOWS\system32\byxuvss.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\awtqr

*Newly Created Service* - SDTHOOK
*Newly Created Service* - UYDVPVBLRKNU

-- End of Deckard's System Scanner: finished at 2008-01-19 15:38:26 ------------

Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:05:22, on 19/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\SG9tZQ\command.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray .exe
C:\WINDOWS\system32\igfxtray .exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr .exe
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\igfxpers .exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Router\Router.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy .exe
C:\Program Files\Words\Words.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\kernel\kernel .exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Words\Words .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Router\Router .exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\ssmypics.scr
C:\WINDOWS\system32\SCURIT~1\mmc.exe
C:\WINDOWS\system32\SCURIT~1\mmc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.skybroadband.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\winmgd.win
F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win
F3 - REG:win.ini: load=C:\WINDOWS\system32\awtqr.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [a0131fc2] rundll32.exe "C:\WINDOWS\system32\foyskita.dll",b
O4 - HKLM\..\Run: [SpyHunter Security Suite] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [Tsue] "C:\WINDOWS\system32\SCURIT~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKCU\..\Run: [Words] C:\Program Files\Words\Words.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: &Search - ?p=zuzed004YYGB_ZZzer000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SG9tZQ\command.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\ComPlus Applications\profsyb.html

--
End of file - 9835 bytes
#2
Registered User
Join Date: Jan 2008
Posts: 22
OS: windows XP
Re: Very slow computer, pop-ups - Spybot not effective
The thread won't allow me to post the Panda Scan Log because it is 107k characters, which is greater than the allowable 100k.
I have attached a text file of the Panda Scan Log.
#4
Analyst, Security Team
Join Date: Nov 2005
Location: UK
Posts: 1,968
OS: xp
Re: Very slow computer, pop-ups - Spybot not effective
Hi griffy and welcome to TSF
Sorry for the delay in getting to you, the forum has been really busy lately and all our helpers are volunteers. You are quite heavily infected so cleaning will take several posts. Please continue until you are told you are clear. Please also follow instructions in the exact order stated.

I see a large number of infected crack files have been disinfected by Panda. Not only are cracks illegal but they are most likely the cause of your current problems.

Empty the contents of the following Folders (DO NOT delete the folder)
C:\Documents and Settings\LocalService\Cookies
C:\Documents and Settings\User\Cookies
----------------------------
Download Combofix from any of the links below, and save it to your desktop.
Link 1
Link 2
Link 3
**Note: It is important that it is saved directly to your desktop**
--------------------------------------------------------------------
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you're not sure how to disable them then double-check against the list found >>>HERE<<<
This list is not all inclusive, if your programs are not listed and you are unsure then please ask before continuing.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts.
Do not mouseclick combofix's window while it's running. That may cause it to stall
#5
Registered User
Join Date: Jan 2008
Posts: 22
OS: windows XP
Re: Very slow computer, pop-ups - Spybot not effective
Hi, thanks very much. Below is the HijackThis text. I had to attach the ComboFix txt file because it was too big to paste.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:47, on 2008-01-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\winmgd.win
F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2BBC3B13-C0E3-4517-9769-2D454B4E8371} - C:\Program Files\Outlook Express\hokesotuhC:\WINDOWS\system32\vmi4\parreo83122.exe.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKCU\..\Run: [Tsue] "C:\WINDOWS\system32\SCURIT~1\mmc.exe" -vt yazb
O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: &Search - ?p=zuzed004YYGB_ZZzer000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

-- End of file - 6921 bytes
#6
Analyst, Security Team
Join Date: Nov 2005
Location: UK
Posts: 1,968
OS: xp
Re: Very slow computer, pop-ups - Spybot not effective
Hi griffy
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.
Download the file & save it as it's originally named, next to ComboFix.exe.
Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it.
Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
When complete, a log named CF_RC.txt will open. Please post the contents of that log.
Please do not reboot your machine until we have reviewed the log.
#7
Registered User
Join Date: Jan 2008
Posts: 22
OS: windows XP
Re: Very slow computer, pop-ups - Spybot not effective
Hi Moral Terror
Thank you for persisting with helping me to fix this despite the ignorant actions that got me here in the first place with the cracks. I am very appreciative. Here is the CF_RC.txt log:

WinXP_EN_HOM_BF.EXE
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

I will make sure not to reboot until further notice.
#8
Analyst, Security Team
Join Date: Nov 2005
Location: UK
Posts: 1,968
OS: xp
Re: Very slow computer, pop-ups - Spybot not effective
Hi griffy
You appear to have downloaded the XP Home version but are running XP Professional. Please follow these steps before repeating the previous instructions.

Go to My Computer > Tools > Folder Options > View tab and select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Also make sure there is no checkmark beside Hide file extensions for known file types. Click OK.

Open C:\boot.ini with Notepad and delete the following line
*NOTE be careful not to delete anything else from the file
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
Click File > Save then close the file.

Delete the following Folder
C:\CMDCONS

Reboot the PC then repeat the previous instructions making sure you download the XP Professional SP2 version.

Last edited by MoralTerror; 01-26-2008 at 02:43 AM.
#9
Registered User
Join Date: Jan 2008
Posts: 22
OS: windows XP
Re: Very slow computer, pop-ups - Spybot not effective
Here is the new log, run as instructed:

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
#10
Analyst, Security Team
Join Date: Nov 2005
Location: UK
Posts: 1,968
OS: xp
Re: Very slow computer, pop-ups - Spybot not effective
Hi griff
That's fine now. You now have the Recovery Console installed as a precaution, it will help us recover the system should it become unbootable. It will now appear as a new option when the PC boots. Do not select the Recovery Console unless asked to do so.
----------------------------
Scan with HijackThis and check the following entries (If they still exist) (make sure not to miss any)
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\system32\winmgd.win
F1 - win.ini: run=C:\WINDOWS\system32\mouse_configurator.win
Remember to close all other windows and click Fix Checked
--------------------------------------------
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
Code:
File::
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\tdgdehhw.ini
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\system32\RCX18F.tmp
C:\WINDOWS\system32\RCX1AAB.tmp
C:\WINDOWS\system32\RCX1C6D.tmp
C:\WINDOWS\system32\RCX220F.tmp
C:\WINDOWS\system32\RCX3948.tmp
C:\WINDOWS\system32\RCX40F3.tmp
C:\WINDOWS\system32\winmgd.win
C:\WINDOWS\system32\mouse_configurator.win
Folder::
C:\WINDOWS\SG9tZQ
C:\temp\cEeer12
C:\WINDOWS\system32\ardCo18
C:\WINDOWS\system32\elmo1
C:\WINDOWS\system32\jab2
C:\WINDOWS\system32\vmi4
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BBC3B13-C0E3-4517-9769-2D454B4E8371}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Tsue"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Router"=-
RenV::
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3 .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
Referring to the picture above, drag CFScript into ComboFix.exe
When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall
-------------------------
Required Logs
C:\ComboFix.txt
a new HijackThis log
#11
Registered User
Join Date: Jan 2008
Posts: 22
OS: windows XP
Re: Very slow computer, pop-ups - Spybot not effective
Performed all steps as instructed. After running the ComboFix log by dropping the CFScript.txt file on top of it the computer froze on an empty desktop. I eventually restarted in order to rerun HijackThis and send these logs.
ComboFix log attached as too big to post. HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:04, on 2008-01-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: &Search - ?p=zuzed004YYGB_ZZzer000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

-- End of file - 6439 bytes
#12
Analyst, Security Team
Join Date: Nov 2005
Location: UK
Posts: 1,968
OS: xp
Re: Very slow computer, pop-ups - Spybot not effective
Hi griffy
Please delete your copy of ComboFix.exe and download a fresh copy from here
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix. If you're not sure how to disable them then double-check against the list found >>>HERE<<<
This list is not all inclusive, if your programs are not listed and you are unsure then please ask before continuing.
--------------------------------------------------------------------
Double click on combofix.exe & follow the prompts.
Do not mouseclick combofix's window while it's running. That may cause it to stall
#13
Registered User
Join Date: Jan 2008
Posts: 22
OS: windows XP
Re: Very slow computer, pop-ups - Spybot not effective
See attached for the log that was created. Can't find the C:/combofix.txt. The only thing in the C:/combofix folder is a file called "kmd.exe".

-------------
ComboFix 08-01-26.2 - User 2008-01-26 13:36:55.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.705 [GMT 0:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
 * Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
Code:
C:\Documents and Settings\User\Application Data\STEM32~1
C:\Documents and Settings\User\My Documents\pos1000.tmp
C:\Documents and Settings\User\My Documents\pos1001.tmp
C:\Documents and Settings\User\My Documents\pos1002.tmp
C:\Documents and Settings\User\My Documents\pos1003.tmp
C:\Documents and Settings\User\My Documents\pos1004.tmp
C:\Documents and Settings\User\My Documents\pos1005.tmp
C:\Documents and Settings\User\My Documents\pos1006.tmp
C:\Documents and Settings\User\My Documents\pos1007.tm
< SNIPPED >
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy .exe
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr .exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray .exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\ComPlus Applications\profsyb.html
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\kernel
C:\Program Files\kernel\kernel .exe
C:\Program Files\kernel\kernel.exe
C:\Program Files\Outlook Express\hokesotuh24418.dll
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Router
C:\Program Files\Router\Router .exe
C:\Program Files\Router\Router.exe
C:\Program Files\Router\UnInstall.exe
C:\Program Files\Sony\SonicStage\SsAAD .exe
C:\Program Files\Sony\SonicStage\SsAAD.exe
C:\Program Files\Temporary
C:\Program Files\Temporary\kernInstall.exe
C:\Program Files\Words
C:\Program Files\Words\list.txt
C:\Program Files\Words\script.txt
C:\Program Files\Words\UnInstall.exe
C:\Program Files\Words\Words .exe
C:\Program Files\Words\Words.exe
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\cEeer12
C:\temp\cEeer12\skAt.log
C:\WINDOWS\b143.exe
C:\WINDOWS\b149.exe
C:\WINDOWS\b151.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\mrofinu1188.exe.tmp
C:\WINDOWS\SG9tZQ
C:\WINDOWS\SG9tZQ\asappsrv.dll
C:\WINDOWS\SG9tZQ\command.exe
C:\WINDOWS\SG9tZQ\m36Qtk.vbs
C:\WINDOWS\system32\adpvuvfe.dll
C:\WINDOWS\system32\adpvuvfe.dllbox
C:\WINDOWS\system32\ardCo18
C:\WINDOWS\system32\atiksyof.ini
C:\WINDOWS\system32\awtqr.dll
C:\WINDOWS\system32\awtqr.exe
C:\WINDOWS\system32\awtsr.dll
C:\WINDOWS\system32\awtsr.exe
C:\WINDOWS\system32\byxuvss.dll
C:\WINDOWS\system32\byxvvvv.dll
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\elmo1
C:\WINDOWS\system32\fccbyxv.dll
C:\WINDOWS\system32\foyskita.dll
C:\WINDOWS\system32\gebbxwu.dll
C:\WINDOWS\system32\hkcmd .exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\huvotvka.dll
C:\WINDOWS\system32\igfxpers .exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxtray .exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\jab2
C:\WINDOWS\system32\jkkhedb.dll
C:\WINDOWS\system32\jkklmji.dll
C:\WINDOWS\system32\khfdbba.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\opnllki.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\RCX18F.tmp
C:\WINDOWS\system32\RCX1AAB.tmp
C:\WINDOWS\system32\RCX1C6D.tmp
C:\WINDOWS\system32\RCX220F.tmp
C:\WINDOWS\system32\RCX36.tmp
C:\WINDOWS\system32\RCX3948.tmp
C:\WINDOWS\system32\RCX40F3.tmp
C:\WINDOWS\system32\rqtwa.ini
C:\WINDOWS\system32\rqtwa.ini2
C:\WINDOWS\system32\rsumkvhq.dll
C:\WINDOWS\system32\scurit~1
C:\WINDOWS\system32\scurit~1\mmc .exe
C:\WINDOWS\system32\scurit~1\mmc.exe
C:\WINDOWS\system32\scurit~1\s?curity\
C:\WINDOWS\system32\ssttq.exe
C:\WINDOWS\system32\tdgdehhw.ini
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\vmi4
C:\WINDOWS\system32\vmi4\parreo83122.exe
C:\WINDOWS\system32\vtursqp.dll
C:\WINDOWS\system32\vtutsqr.dll
C:\WINDOWS\system32\weej.dll
C:\WINDOWS\system32\yykwotei.dll
C:\winlogon.exe
F:\Autorun.inf
Code:
<pre>
C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy .exe ---> QooBox
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe ---> QooBox
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr .exe ---> QooBox
C:\Program Files\Analog Devices\SoundMAX\SMTray .exe ---> QooBox
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe ---> QooBox
C:\Program Files\iTunes\iTunesHelper .exe ---> QooBox
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe ---> QooBox
C:\Program Files\kernel\kernel .exe ---> QooBox
C:\Program Files\QuickTime\qttask .exe ---> QooBox
C:\Program Files\QuickTime\qttask .exe ---> qttask.exe
C:\Program Files\Router\Router .exe ---> QooBox
C:\Program Files\Sony\SonicStage\SsAAD .exe ---> QooBox
C:\Program Files\Words\Words .exe ---> QooBox
C:\WINDOWS\system32\ctfmon .exe ---> QooBox
C:\WINDOWS\system32\hkcmd .exe ---> QooBox
C:\WINDOWS\system32\igfxpers .exe ---> QooBox
C:\WINDOWS\system32\igfxtray .exe ---> QooBox
</pre>
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService

((((((((((((((((((((((((( Files Created from 2007-12-26 to 2008-01-26 )))))))))))))))))))))))))))))))
.
2008-01-26 08:18 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-26 08:18 . 2008-01-26 10:30 212 --a------ C:\Boot.bak
2008-01-24 15:25 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 19:31 . 2004-08-04 00:56 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2008-01-21 19:31 . 2004-08-04 00:56 21,504 --a--c--- C:\WINDOWS\system32\dllcache\hidserv.dll
2008-01-21 19:31 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-01-21 19:31 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-01-19 11:45 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS
2008-01-19 10:51 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\uydvpvblrknu.sys
2008-01-15 23:03 . 2007-06-08 09:44 8,576 --a------ C:\WINDOWS\system32\drivers\sersjuqvkujg.sys
2008-01-15 23:01 . 2006-06-30 14:13 8,704 --a------ C:\WINDOWS\system32\pfdnnt.exe
2008-01-15 21:47 . 2008-01-15 21:47 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-01-13 19:05 . 2008-01-13 19:05 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-12 23:16 . 2008-01-12 23:16 <DIR> d-------- C:\Deckard
2008-01-12 22:28 . 2008-01-12 22:28 <DIR> d-------- C:\ie-spyad_zo
2008-01-12 20:52 . 2008-01-19 10:43 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-01-10 20:50 . 2008-01-10 20:50 <DIR> d-------- C:\Program Files\AML Products
2008-01-10 20:50 . 2000-05-22 16:58 608,448 --a------ C:\WINDOWS\system32\comctl32.ocx
2008-01-05 09:44 . 2008-01-05 10:19 1,814 --a------ C:\WINDOWS\system32\SBRC.dat
2008-01-05 09:39 . 2008-01-24 20:00 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-05 09:39 . 2008-01-05 09:39 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-04 12:22 . 2008-01-05 10:21 5,446,681 --a------ C:\WINDOWS\system32\SBSP.dat
2008-01-04 12:22 . 2008-01-05 10:21 443,765 --a------ C:\WINDOWS\system32\SBFC.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 23:42 --------- d-----w C:\Program Files\QuickTime
2008-01-24 23:38 --------- d-----w C:\Program Files\iTunes
2008-01-19 13:55 --------- d-----w C:\Program Files\Google
2008-01-05 10:51 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-04 02:08 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2007-12-04 02:08 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-12-04 02:08 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2007-12-04 02:08 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-12-04 02:08 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-12-04 02:08 118,056 ----a-w C:\WINDOWS\system32\pxcpyi64.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
.
((((((((((((((((((((((((((((( snapshot@2008-01-24_23.47.11.29 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-24 15:49:14 1,413,120 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-26 13:36:44 1,413,120 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-24 15:49:14 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-26 13:36:44 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-24 15:49:17 9,039,872 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-26 13:36:44 1,413,120 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-24 15:49:18 151,552 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-26 13:36:44 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-24 15:49:19 1,413,120 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-26 13:36:45 9,039,872 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-24 15:49:19 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-26 13:36:45 151,552 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
"SsAAD.exe"="C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Smapp"="C:\Program Files\Analog Devices\SoundMAX\SMTray.exe" [ ]
"DrvLsnr"="C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe" [ ]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [ ]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [ ]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"WD Button Manager"="WDBtnMgr.exe" [2007-08-11 08:59 364544 C:\WINDOWS\system32\WDBtnMgr.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 12:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [ ]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2006-12-07 19:26:34 124912]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04 83360]
WD Backup Monitor.lnk - C:\Program Files\My Book\WD Backup\uBBMonitor.exe [2007-08-11 09:00:57 98304]

S3 CamAv;SAMSUNG Video Capture;C:\WINDOWS\system32\Drivers\CamAv.sys []
S3 CAMFLT;%CAMFLT.SvcDesc%;C:\WINDOWS\system32\drivers\CAMFLT.sys []
S3 kwwalpgr;kwwalpgr;C:\DOCUME~1\User\LOCALS~1\Temp\kwwalpgr.sys []
S3 PolarUSB;Polar USB Interface;C:\WINDOWS\system32\DRIVERS\PolarUSB.sys [2001-07-12 15:49]

Contents of the 'Scheduled Tasks' folder
"2008-01-17 10:27:13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-26 13:39:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-26 13:41:12
ComboFix-quarantined-files.txt 2008-01-26 13:41:10
.
2008-01-10 08:31:01 --- E O F ---

Last edited by sUBs; 01-27-2008 at 09:43 AM.
#14
Analyst, Security Team
Join Date: Nov 2005
Location: UK
Posts: 1,968
OS: xp
Re: Very slow computer, pop-ups - Spybot not effective
Hi griffy
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update. Updating Java:
------------------------------------------
1. Close any open browsers.
2. Open notepad and copy/paste the text in the quotebox below into it:
Code:
RenV::
C:\qoobox\Quarantine\C\WINDOWS\system32\igfxtray .exe
C:\qoobox\Quarantine\C\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier .exe
C:\qoobox\Quarantine\C\Program Files\Sony\SonicStage\SsAAD .exe
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\SMTray .exe
C:\qoobox\Quarantine\C\Program Files\Analog Devices\SoundMAX\DrvLsnr .exe
C:\qoobox\Quarantine\C\WINDOWS\system32\hkcmd .exe
C:\qoobox\Quarantine\C\WINDOWS\system32\igfxpers .exe
C:\qoobox\Quarantine\C\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\qoobox\Quarantine\C\Program Files\QuickTime\qttask .exe
C:\qoobox\Quarantine\C\Program Files\iTunes\iTunesHelper .exe
C:\qoobox\Quarantine\C\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy .exe
Referring to the picture above, drag CFScript into ComboFix.exe
Please allow ComboFix time to repair the damaged programs. When finished, it shall produce a log for you at "C:\ComboFix.txt"
Note: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall
------------------------------------------
Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner
Answer Yes, when prompted to install an ActiveX component.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the licence has been accepted, reset to 100%.
------------------------------------------
Required Logs
C:\ComboFix.txt
Kaspersky report
new HijackThis log <<< taken after the online scan
Please also provide an update on system behaviour
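The RenV:: script above renames quarantined copies of startup programs whose file names carry a space before the extension ("qttask .exe" and the other "---> QooBox" entries in the ComboFix log), and the same log's service list shows a driver (kwwalpgr.sys) registered from the user's Temp folder. The Python script below is an added example, not part of this thread and not code from ComboFix or HijackThis: it runs those two checks over constructed sample lines written in the same format as the logs in this thread. The sample lines, the path regular expression and the function names are my own; the checks are heuristics for triage, not proof of infection.

```python
"""Triage helpers for flattened ComboFix / HijackThis log lines.

Added example (not from the forum thread, ComboFix or HijackThis).
Two patterns visible in the logs of this thread are flagged:
  1. "name .exe": whitespace before the extension, so the entry reads
     like the legitimate "name.exe" the autorun key originally pointed at.
  2. A kernel driver (.sys) registered from a Temp/Tmp directory.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample lines modelled on the log format above; not a live capture.
SAMPLE_LINES = [
    r'"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]',
    r'"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]',
    r'"igfxtray"="C:\WINDOWS\system32\igfxtray .exe" [ ]',
    r'S3 kwwalpgr;kwwalpgr;C:\DOCUME~1\User\LOCALS~1\Temp\kwwalpgr.sys []',
    r'S3 PolarUSB;Polar USB Interface;C:\WINDOWS\system32\DRIVERS\PolarUSB.sys [2001-07-12 15:49]',
]

# Drive letter, then the shortest run (spaces allowed) up to an executable
# extension.  The class excludes the delimiters these logs put around paths.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\];]*?\.(?:exe|sys|dll)\b', re.IGNORECASE)


def extract_paths(line):
    """Return every Windows executable/driver path found in one log line."""
    return PATH_RE.findall(line)


def masquerade_target(path):
    """If the file name has whitespace directly before its extension, return
    the legitimate-looking name it imitates; otherwise return None."""
    name = PureWindowsPath(path).name
    m = re.fullmatch(r'(.*?)\s+(\.[A-Za-z0-9]+)', name)
    if not m:
        return None
    return m.group(1) + m.group(2)


def is_temp_driver(path):
    """True for a .sys file whose path passes through a Temp or Tmp directory."""
    p = PureWindowsPath(path)
    if p.suffix.lower() != '.sys':
        return False
    return any(part.lower() in ('temp', 'tmp') for part in p.parts)


def triage(lines):
    """Return (kind, path, detail) tuples for every suspicious path in lines."""
    findings = []
    for line in lines:
        for path in extract_paths(line):
            target = masquerade_target(path)
            if target is not None:
                findings.append(('space-before-extension', path, target))
            if is_temp_driver(path):
                findings.append(('driver-in-temp', path, PureWindowsPath(path).parent.name))
    return findings


if __name__ == '__main__':
    for kind, path, detail in triage(SAMPLE_LINES):
        print(f'{kind:24} {path}  ->  {detail}')
```

Run against a saved ComboFix.txt or HijackThis log, the "space-before-extension" findings give the list of names to feed a RenV:: block like the one above (quarantined copy on the left, the restored name is what masquerade_target returns), and "driver-in-temp" findings are the service entries worth checking before anything is deleted.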
#15
Registered User
Join Date: Jan 2008
Posts: 22
OS: windows XP
Re: Very slow computer, pop-ups - Spybot not effective
See below for the copied & pasted HijackThis log. Attached are the ComboFix log and the Kaspersky log.
I also wanted to tell you that when I run the combofix.exe by dropping the CFScript.txt file on top of it, I get a pop up (see attached screenshot.doc file). I then click the "X" before ComboFix runs as intended.

hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:02:10, on 27/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WDBtnMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\My Book\WD Backup\uBBMonitor.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://news.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.3\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WD Backup Monitor.lnk = C:\Program Files\My Book\WD Backup\uBBMonitor.exe
O8 - Extra context menu item: &Search - ?p=zuzed004YYGB_ZZzer000
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.co.uk/SnapfishUKActivia.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {C946EF6D-296D-4907-A6E1-ED0E8E5AF024} (LycosMail Upload Control) - http://mail.lycos.com/hanmail-ax/AttachMail.cab
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Process Monitor (LVPrcSrv) - Unknown owner - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe (file missing)
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

--
End of file - 6825 bytes
#16
Analyst, Security Team
Join Date: Nov 2005
Location: UK
Posts: 1,968
OS: xp
Re: Very slow computer, pop-ups - Spybot not effective
Hi griffy
I am going to consult with ComboFix's author about the error and those damaged programs which haven't been replaced. Please be patient while I wait for a reply but in the meantime do the following:

Delete the following file
C:\temp\mxrma0122.exe
--------------------------
Go to Start > Control Panel
double-click on the Java Icon (coffee cup) in the Control Panel.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 Checked
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

Last edited by MoralTerror; 01-27-2008 at 06:06 AM.
#18
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A
Re: Very slow computer, pop-ups - Spybot not effective
Please post the contents of this log - C:\QooBox\ComboFix-quarantined-files.txt
__________________
Question - what have you done for the community today?

#20
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,353
OS: N/A
Re: Very slow computer, pop-ups - Spybot not effective
Please download the file that's attached.
From within it, double click on Restore.bat
Post back to tell me what it says
__________________
Question - what have you done for the community today?

Last edited by sUBs; 01-28-2008 at 02:29 AM.