False Security Warnings


12 replies to this topic

#1 dogs

dogs

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:15 PM

Posted 01 November 2007 - 04:52 PM

Hi everyone, this is my first post and just to say good site. I'm just about to launch my laptop through the window. For the last three days I have been trying to remove this bloody alert thingy that I've managed to get on my computer. I have tried all the usual removal tools. Then came across ComboFix. I have run the program and I have the log file. Please can anyone help me before I go mad. Thanks in advance. Rob


C:\Documents and Settings\All Users\Application Data.\knmfsdsl.dll
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Rob\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Rob\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Rob\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\__c00E61F1.dat
C:\WINDOWS\system32\dcbay.bak1
C:\WINDOWS\system32\dcbay.bak2
C:\WINDOWS\system32\dcbay.ini
C:\WINDOWS\system32\fkqmynii.dllbox
C:\WINDOWS\system32\rrqvxdxw.dll
C:\WINDOWS\system32\yabcd.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-01 to 2007-11-01 )))))))))))))))))))))))))))))))
.

2007-11-01 21:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-01 18:58 <DIR> d-------- C:\Documents and Settings\Rob\.housecall6.6
2007-11-01 00:28 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\iolo
2007-11-01 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2007-10-31 20:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-31 20:52 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-31 20:52 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-31 20:52 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-31 20:52 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-10-31 20:51 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-31 20:51 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\PC Tools
2007-10-31 20:51 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-31 20:36 <DIR> d-------- C:\Program Files\Google
2007-10-31 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-31 19:05 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-10-31 18:18 1,212,928 --a------ C:\WINDOWS\system32\Incinerator.dll
2007-10-31 18:18 41,472 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2007-10-31 18:18 25,264 --a------ C:\WINDOWS\system32\smrgdf.exe
2007-10-31 18:18 9,341 --a------ C:\WINDOWS\system32\drivers\filedisk.sys
2007-10-31 18:17 <DIR> d-------- C:\Program Files\iolo
2007-10-31 17:08 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-31 17:08 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-31 17:08 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-31 17:08 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-31 17:08 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-30 22:20 <DIR> d-------- C:\Program Files\Webroot
2007-10-30 22:20 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared
2007-10-30 22:20 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Webroot
2007-10-30 22:20 487,936 --a------ C:\WINDOWS\system32\wwSecure.exe
2007-10-30 22:20 57,344 --a------ C:\WINDOWS\Unwash6.exe
2007-10-30 20:26 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\SpywareBot
2007-10-30 17:09 340,032 --a------ C:\WINDOWS\system32\fkqmynii.dll
2007-10-29 22:25 <DIR> d-------- C:\WINDOWS\system32\fkmdvbtn
2007-10-29 22:25 <DIR> d-------- C:\Program Files\Dlyasmsx
2007-10-29 22:19 <DIR> d-------- C:\Program Files\voxkhmxs
2007-10-29 21:55 815,480 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-29 21:55 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-10-29 21:55 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-29 21:55 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-29 21:55 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-29 21:55 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-29 21:55 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-22 21:41 <DIR> d-------- C:\Program Files\uTorrent
2007-10-22 21:41 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\uTorrent
2007-10-22 21:01 <DIR> d-------- C:\Program Files\Microsoft AutoRoute
2007-10-22 19:39 <DIR> d-------- C:\PNP
2007-10-22 18:48 384,512 --a------ C:\WINDOWS\system32\MFCO40.DLL
2007-10-22 18:48 358,400 --a------ C:\WINDOWS\system32\MFC30.DLL
2007-10-22 18:48 151,040 --a------ C:\WINDOWS\system32\MFCO30.DLL
2007-10-22 18:47 <DIR> d-------- C:\Program Files\Ulead Systems
2007-10-22 18:47 28,672 --a------ C:\WINDOWS\Photo Express 3.scr
2007-10-22 18:46 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-10-22 18:45 196,608 --a------ C:\WINDOWS\system32\PS1DMiniDrv.dll
2007-10-22 18:45 18,120 --a------ C:\WINDOWS\system32\drivers\gt680x.sys
2007-10-20 17:14 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-10-20 17:14 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-10-20 16:58 <DIR> d-------- C:\Program Files\Common Files\Labtec
2007-10-20 16:58 1,273,504 --a------ C:\WINDOWS\system32\drivers\LV302V32.SYS
2007-10-20 16:58 527,136 --a------ C:\WINDOWS\system32\LVUI2RC.dll
2007-10-20 16:58 348,160 --a------ C:\WINDOWS\system\msvcr71.dll
2007-10-20 16:58 264,992 --a------ C:\WINDOWS\system32\lvcodec2.dll
2007-10-20 16:58 215,840 --a------ C:\WINDOWS\system32\LVUI2.dll
2007-10-20 16:58 129,824 --a------ C:\WINDOWS\system32\lvci1051.dll
2007-10-20 16:58 41,376 --a------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-10-20 16:58 14,240 --a------ C:\WINDOWS\system32\drivers\lv302af.sys
2007-10-20 16:58 13,398 --a------ C:\WINDOWS\system32\Repository.reg
2007-10-20 16:57 <DIR> d-------- C:\Program Files\Common Files\LogiShrd
2007-10-20 16:43 <DIR> d-------- C:\Program Files\Labtec
2007-10-10 21:15 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-03 18:03 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-10-02 17:42 <DIR> d-------- C:\Documents and Settings\Weeze\Application Data\AdobeUM
2007-10-01 20:40 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Leadertech
2007-10-01 20:19 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\AdobeAUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-01 20:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-01 20:40 --------- d-----w C:\Documents and Settings\Rob\Application Data\AdobeUM
2007-09-15 18:16 --------- d-----w C:\Program Files\EPSON
2007-09-15 18:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\UDL
2007-09-15 18:14 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-13 19:19 --------- d-----w C:\Program Files\Far
2007-09-13 17:33 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-09-13 17:33 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ggsemc_01005.Wdf
2007-09-13 17:33 --------- d-----w C:\Program Files\Sony Ericsson
2007-09-13 16:31 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-12 19:11 19,424 ----a-w C:\WINDOWS\system32\drivers\ggsemc.sys
2007-09-12 19:11 1,419,232 ----a-w C:\WINDOWS\system32\wdfcoinstaller01005.dll
2007-09-08 20:53 --------- d-----w C:\Program Files\Widcomm
2007-09-07 14:00 --------- d-----w C:\Documents and Settings\Weeze\Application Data\Teleca
2007-09-06 20:21 --------- d-----w C:\Program Files\Disc2Phone
2007-09-06 20:10 --------- d-----w C:\Documents and Settings\Rob\Application Data\Apple Computer
2007-09-06 20:08 --------- d-----w C:\Program Files\QuickTime
2007-09-06 20:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-05 20:37 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-09-05 20:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-09-05 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2007-09-05 19:14 --------- d-----w C:\Documents and Settings\Rob\Application Data\Teleca
2007-09-02 13:00 --------- d-----w C:\Program Files\MSN Messenger
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A8C2C57-93A7-0675-5A40-098909C6F6CC}]
2007-10-29 22:25 106496 --a------ C:\Program Files\Dlyasmsx\twqvymzw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-30 17:09 340032 --a------ C:\WINDOWS\system32\fkqmynii.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\fkqmynii.dll [2007-10-30 17:09 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 18:05]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 14:01 C:\WINDOWS\AGRSMMSG.exe]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-06 20:08]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 03:00]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-03-06 16:48]
"LogitechQuickCamRibbon"="C:\Program Files\Labtec\WebCam10\WebCam10.exe" [2007-03-06 16:58]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 16:20]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" []
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-31 20:42]
"3c250d2f"="C:\WINDOWS\system32\egofthqw.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2005-04-20 10:44]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe" [2006-05-03 16:29]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\F5D7011\Belkinwcui.exe [2007-08-30 20:28:13]
BTTray.lnk - C:\Program Files\Widcomm\Bluetooth Software\BTTray.exe [2002-03-04 10:40:46]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-10-31 20:36:13]
Ulead Photo Express 3.0 SE Calendar Checker.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe [2007-10-22 18:47:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fkqmynii]
fkqmynii.dll 2007-10-30 17:09 340032 C:\WINDOWS\system32\fkqmynii.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\yabcd.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

S3 DIGIRPS;Digi PortServer Driver;C:\WINDOWS\system32\DRIVERS\digirlpt.sys
S3 gggen;Generic USB Flash Driver;C:\WINDOWS\system32\DRIVERS\gggen.sys
S3 GT680x;GrandTechICNameNT;C:\WINDOWS\system32\Drivers\gt680x.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d061dbf0-5738-11dc-9b17-00173f85fcf1}]
\Shell\AutoRun\command - setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-01 03:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 21:22:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-01 21:24:53 - machine was rebooted
.
--- E O F ---



#2 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:01:15 AM

Posted 01 November 2007 - 06:39 PM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Click start > run and type: notepad, then hit enter.

File::
C:\WINDOWS\system32\fkqmynii.dll
C:\WINDOWS\system32\egofthqw.dll
C:\WINDOWS\system32\yabcd.dll

Folder::
C:\WINDOWS\system32\fkmdvbtn
C:\Program Files\Dlyasmsx
C:\Program Files\voxkhmxs

Click File > Save and call it "CFScript.txt" (without quotes).
Save it to your desktop.
Posted Image
Referring to the picture above, drag CFScript.txt into ComboFix.exe
Combofix will run, and a text file will open. Please post it back here.

Please open notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"="msv1_0"

Save this as "fix.reg". Choose to save as *all files* and place it on your desktop.
It should look like this: Posted Image
Double-click on it and when it asks you if you want to merge the contents into the registry, click yes/ok.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
Close all other windows before proceeding.
Double-click on dss.exe and follow the prompts.
When it has finished, dss will open two Notepads main.txt and extra.txt.
Please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Edited by D-Trojanator, 01 November 2007 - 06:40 PM.
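The entries David targets above (a Run value pointing at a randomly named DLL, a winlogon\notify subkey, and an extra DLL appended to the LSA "Authentication Packages" value) are exactly the autostart locations a defender wants to triage first in a ComboFix log. As an added example that is not code from this thread, from ComboFix or from BleepingComputer, here is a small Python checker that parses a "Reg Loading Points" section and flags those three patterns. The sample log is constructed from the entries quoted earlier in this thread; the function and category names are my own.

```python
"""Flag suspicious autostart entries in a ComboFix-style "Reg Loading Points" section.

Added example, not part of the original thread. Sample input is constructed
from the entries quoted in the first ComboFix log of this thread.
"""
import re

# Constructed excerpt in ComboFix's format: a Run key with one benign entry and
# one entry named with eight hex digits pointing at a DLL, a winlogon notify
# subkey, and an LSA Authentication Packages value carrying an extra DLL.
SAMPLE_LOG = r"""
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 18:05]
"3c250d2f"="C:\WINDOWS\system32\egofthqw.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fkqmynii]
fkqmynii.dll 2007-10-30 17:09 340032 C:\WINDOWS\system32\fkqmynii.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\yabcd.dll
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]")
# "Name"="target" [metadata]  -- metadata is empty when ComboFix found no file info
RUN_VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"\s*\[(.*)\]$')
LSA_RE = re.compile(r'^"Authentication Packages"=\s*(.+)$')
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


def parse_sections(text):
    """Group the non-empty lines under the [HKEY_...] header that precedes them."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def audit_loading_points(text):
    """Return (category, detail) findings for the three persistence patterns."""
    findings = []
    for key, lines in parse_sections(text).items():
        lower = key.lower()
        if lower.endswith("\\control\\lsa"):
            # ComboFix prints the REG_MULTI_SZ entries separated by spaces; the only
            # default on Windows XP is msv1_0, so anything else is an added package.
            for line in lines:
                m = LSA_RE.match(line)
                if not m:
                    continue
                for pkg in m.group(1).split():
                    if pkg.lower() != "msv1_0":
                        findings.append(("lsa-auth-package", pkg))
        elif "\\winlogon\\notify\\" in lower:
            # Default notify packages are suppressed by ComboFix, so any listed
            # subkey is a DLL loaded into winlogon.exe that deserves review.
            findings.append(("winlogon-notify", key.rsplit("\\", 1)[-1]))
        elif lower.endswith("\\currentversion\\run"):
            for line in lines:
                m = RUN_VALUE_RE.match(line)
                if not m:
                    continue
                name, target, _meta = m.groups()
                if target.lower().endswith(".dll"):
                    # Run values launch executables; a bare DLL target is abnormal.
                    findings.append(("run-dll-target", f"{name} -> {target}"))
                if HEX_NAME_RE.match(name):
                    # Eight hex digits as a value name is a common generated-name pattern.
                    findings.append(("run-random-name", f"{name} -> {target}"))
    return findings


if __name__ == "__main__":
    for category, detail in audit_loading_points(SAMPLE_LOG):
        print(f"{category:18} {detail}")
```

Running it against the constructed sample prints four findings: the DLL appended to Authentication Packages, the fkqmynii notify subkey, and the 3c250d2f Run value twice (once for its DLL target, once for its hex name). The benign SmcService entry is not reported. Pasting a real log's "Reg Loading Points" section into SAMPLE_LOG gives the same triage the helper did by hand above.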


#3 dogs

dogs
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:15 PM

Posted 02 November 2007 - 01:04 PM

Thanks David for such a quick reply. I have started doing the things you have said, but please bear with me as I'm not a whizz at these things. Anyway I have re-run ComboFix the way you said and this is the log file it produced. Really, thanks again. Rob


ComboFix 07-11-01.2 - Rob 2007-11-02 17:50:56.2 - NTFSx86
Running from: C:\Documents and Settings\Rob\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Rob\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\egofthqw.dll
C:\WINDOWS\system32\fkqmynii.dll
C:\WINDOWS\system32\yabcd.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Rob\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Rob\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Rob\Favorites\Online Security Guide.lnk
C:\Program Files\Dlyasmsx
C:\Program Files\Dlyasmsx\twqvymzw.dll
C:\Program Files\voxkhmxs
C:\Program Files\voxkhmxs\nsnwdujw.dll
C:\WINDOWS\system32\fkmdvbtn
C:\WINDOWS\system32\fkmdvbtn\bg1.gif
C:\WINDOWS\system32\fkmdvbtn\bgtop.gif
C:\WINDOWS\system32\fkmdvbtn\bottom1.gif
C:\WINDOWS\system32\fkmdvbtn\essentials.gif
C:\WINDOWS\system32\fkmdvbtn\icon1.ico
C:\WINDOWS\system32\fkmdvbtn\install1.gif
C:\WINDOWS\system32\fkmdvbtn\left1.gif
C:\WINDOWS\system32\fkmdvbtn\li.gif
C:\WINDOWS\system32\fkmdvbtn\logo.gif
C:\WINDOWS\system32\fkmdvbtn\main.htm
C:\WINDOWS\system32\fkmdvbtn\mainframe.htm
C:\WINDOWS\system32\fkmdvbtn\reinstall1.gif
C:\WINDOWS\system32\fkmdvbtn\right1.gif
C:\WINDOWS\system32\fkmdvbtn\s1.htm
C:\WINDOWS\system32\fkmdvbtn\s2.htm
C:\WINDOWS\system32\fkmdvbtn\s3.htm
C:\WINDOWS\system32\fkmdvbtn\SMTop1.gif
C:\WINDOWS\system32\fkmdvbtn\SMTop2.gif
C:\WINDOWS\system32\fkmdvbtn\SMTop3.gif
C:\WINDOWS\system32\fkmdvbtn\SMTop4.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_off.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_off_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_on.gif
C:\WINDOWS\system32\fkmdvbtn\soft1_on_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_off.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_off_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_on.gif
C:\WINDOWS\system32\fkmdvbtn\soft2_on_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_off.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_off_ext.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_on.gif
C:\WINDOWS\system32\fkmdvbtn\soft3_on_ext.gif
C:\WINDOWS\system32\fkmdvbtn\softbottom_off.gif
C:\WINDOWS\system32\fkmdvbtn\softbottom_on.gif
C:\WINDOWS\system32\fkmdvbtn\softleft_off.gif
C:\WINDOWS\system32\fkmdvbtn\softleft_on.gif
C:\WINDOWS\system32\fkmdvbtn\top1.gif
C:\WINDOWS\system32\fkmdvbtn\top2.gif
C:\WINDOWS\system32\fkmdvbtn\turnoff1.gif
C:\WINDOWS\system32\fkmdvbtn\turnon1.gif
C:\WINDOWS\system32\fkqmynii.dll
C:\WINDOWS\system32\fkqmynii.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-10-02 to 2007-11-02 )))))))))))))))))))))))))))))))
.

2007-11-01 21:03 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-01 18:58 <DIR> d-------- C:\Documents and Settings\Rob\.housecall6.6
2007-11-01 00:28 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\iolo
2007-11-01 00:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\iolo
2007-10-31 20:52 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-31 20:52 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-31 20:52 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-31 20:52 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-31 20:52 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-10-31 20:51 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-31 20:51 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\PC Tools
2007-10-31 20:51 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-31 20:36 <DIR> d-------- C:\Program Files\Google
2007-10-31 20:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-31 19:05 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-10-31 18:18 1,212,928 --a------ C:\WINDOWS\system32\Incinerator.dll
2007-10-31 18:18 41,472 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2007-10-31 18:18 25,264 --a------ C:\WINDOWS\system32\smrgdf.exe
2007-10-31 18:18 9,341 --a------ C:\WINDOWS\system32\drivers\filedisk.sys
2007-10-31 18:17 <DIR> d-------- C:\Program Files\iolo
2007-10-31 17:08 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-31 17:08 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-31 17:08 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-31 17:08 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-31 17:08 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-30 22:20 <DIR> d-------- C:\Program Files\Webroot
2007-10-30 22:20 <DIR> d-------- C:\Program Files\Common Files\Webroot Shared
2007-10-30 22:20 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\Webroot
2007-10-30 22:20 487,936 --a------ C:\WINDOWS\system32\wwSecure.exe
2007-10-30 22:20 57,344 --a------ C:\WINDOWS\Unwash6.exe
2007-10-30 20:26 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\SpywareBot
2007-10-29 21:55 815,480 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-10-29 21:55 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-10-29 21:55 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-10-29 21:55 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-10-29 21:55 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-10-29 21:55 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-10-29 21:55 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-10-22 21:41 <DIR> d-------- C:\Program Files\uTorrent
2007-10-22 21:41 <DIR> d-------- C:\Documents and Settings\Rob\Application Data\uTorrent
2007-10-22 21:01 <DIR> d-------- C:\Program Files\Microsoft AutoRoute
2007-10-22 19:39 <DIR> d-------- C:\PNP
2007-10-22 18:48 384,512 --a------ C:\WINDOWS\system32\MFCO40.DLL
2007-10-22 18:48 358,400 --a------ C:\WINDOWS\system32\MFC30.DLL
2007-10-22 18:48 151,040 --a------ C:\WINDOWS\system32\MFCO30.DLL
2007-10-22 18:47 <DIR> d-------- C:\Program Files\Ulead Systems
2007-10-22 18:47 28,672 --a------ C:\WINDOWS\Photo Express 3.scr
2007-10-22 18:46 306,688 --a------ C:\WINDOWS\IsUninst.exe
2007-10-22 18:45 196,608 --a------ C:\WINDOWS\system32\PS1DMiniDrv.dll
2007-10-22 18:45 18,120 --a------ C:\WINDOWS\system32\drivers\gt680x.sys
2007-10-20 17:14 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-10-20 17:14 53,760 --a--c--- C:\WINDOWS\system32\dllcache\vfwwdm32.dll
2007-10-20 16:58 <DIR> d-------- C:\Program Files\Common Files\Labtec
2007-10-20 16:58 1,273,504 --a------ C:\WINDOWS\system32\drivers\LV302V32.SYS
2007-10-20 16:58 527,136 --a------ C:\WINDOWS\system32\LVUI2RC.dll
2007-10-20 16:58 348,160 --a------ C:\WINDOWS\system\msvcr71.dll
2007-10-20 16:58 264,992 --a------ C:\WINDOWS\system32\lvcodec2.dll
2007-10-20 16:58 215,840 --a------ C:\WINDOWS\system32\LVUI2.dll
2007-10-20 16:58 129,824 --a------ C:\WINDOWS\system32\lvci1051.dll
2007-10-20 16:58 41,376 --a------ C:\WINDOWS\system32\drivers\LVUSBSta.sys
2007-10-20 16:58 14,240 --a------ C:\WINDOWS\system32\drivers\lv302af.sys
2007-10-20 16:58 13,398 --a------ C:\WINDOWS\system32\Repository.reg
2007-10-20 16:57 <DIR> d-------- C:\Program Files\Common Files\LogiShrd
2007-10-20 16:43 <DIR> d-------- C:\Program Files\Labtec
2007-10-10 21:15 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-03 18:03 <DIR> d-------- C:\Program Files\Common Files\Adobe
2007-10-02 17:42 <DIR> d-------- C:\Documents and Settings\Weeze\Application Data\AdobeUM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-01 20:40 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-01 20:40 --------- d-----w C:\Documents and Settings\Rob\Application Data\Leadertech
2007-10-01 20:40 --------- d-----w C:\Documents and Settings\Rob\Application Data\AdobeUM
2007-10-01 20:19 --------- d-----w C:\Documents and Settings\Rob\Application Data\AdobeAUM
2007-09-15 18:16 --------- d-----w C:\Program Files\EPSON
2007-09-15 18:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\UDL
2007-09-15 18:14 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-09-13 19:19 --------- d-----w C:\Program Files\Far
2007-09-13 17:33 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-09-13 17:33 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ggsemc_01005.Wdf
2007-09-13 17:33 --------- d-----w C:\Program Files\Sony Ericsson
2007-09-13 16:31 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-12 19:11 19,424 ----a-w C:\WINDOWS\system32\drivers\ggsemc.sys
2007-09-08 20:53 --------- d-----w C:\Program Files\Widcomm
2007-09-07 14:00 --------- d-----w C:\Documents and Settings\Weeze\Application Data\Teleca
2007-09-06 20:21 --------- d-----w C:\Program Files\Disc2Phone
2007-09-06 20:10 --------- d-----w C:\Documents and Settings\Rob\Application Data\Apple Computer
2007-09-06 20:08 --------- d-----w C:\Program Files\QuickTime
2007-09-06 20:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-09-05 20:37 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-09-05 20:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony Ericsson
2007-09-05 20:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Teleca
2007-09-05 19:14 --------- d-----w C:\Documents and Settings\Rob\Application Data\Teleca
2007-09-02 13:00 --------- d-----w C:\Program Files\MSN Messenger
.

((((((((((((((((((((((((((((( snapshot@2007-11-01_21.23.28.98 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-02 17:56:19 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_638.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 18:05]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-04 14:01 C:\WINDOWS\AGRSMMSG.exe]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-09-06 20:08]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [2003-09-11 03:00]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-03-06 16:48]
"LogitechQuickCamRibbon"="C:\Program Files\Labtec\WebCam10\WebCam10.exe" [2007-03-06 16:58]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-10-25 16:20]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" []
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-31 20:42]
"3c250d2f"="C:\WINDOWS\system32\egofthqw.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [2005-04-20 10:44]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe" [2006-05-03 16:29]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\F5D7011\Belkinwcui.exe [2007-08-30 20:28:13]
BTTray.lnk - C:\Program Files\Widcomm\Bluetooth Software\BTTray.exe [2002-03-04 10:40:46]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-10-31 20:36:13]
Ulead Photo Express 3.0 SE Calendar Checker.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe [2007-10-22 18:47:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fkqmynii]
fkqmynii.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

S3 DIGIRPS;Digi PortServer Driver;C:\WINDOWS\system32\DRIVERS\digirlpt.sys
S3 gggen;Generic USB Flash Driver;C:\WINDOWS\system32\DRIVERS\gggen.sys
S3 GT680x;GrandTechICNameNT;C:\WINDOWS\system32\Drivers\gt680x.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d061dbf0-5738-11dc-9b17-00173f85fcf1}]
\Shell\AutoRun\command - setupSNK.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-01 03:00:00 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job"
- C:\Program Files\SpywareBot\SpywareBot.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-02 17:57:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-02 17:58:51 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-01 21:24
.
--- E O F ---

#4 dogs

dogs
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:07:15 PM

Posted 02 November 2007 - 01:15 PM

Hi David, this is the main text from Deckard's notepad.
Deckard's System Scanner v20071014.68
Run by Rob on 2007-11-02 18:08:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
68: 2007-11-02 18:08:40 UTC - RP68 - Deckard's System Scanner Restore Point
67: 2007-11-02 17:49:31 UTC - RP67 - ComboFix created restore point
66: 2007-11-01 21:04:38 UTC - RP66 - ComboFix created restore point
65: 2007-11-01 18:25:16 UTC - RP65 - Spyware Doctor: Cleaning Threats
64: 2007-11-01 00:28:21 UTC - RP64 - Spyware Doctor: Cleaning Threats


-- First Restore Point --
1: 2007-10-29 22:25:20 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Rob.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:10:52, on 02/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Labtec\WebCam10\WebCam10.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webroot\Washer\wwDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Belkin\F5D7011\Belkinwcui.exe
C:\Program Files\Widcomm\Bluetooth Software\BTTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Documents and Settings\Rob\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Rob.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Labtec\WebCam10\WebCam10.exe" /hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [3c250d2f] rundll32.exe "C:\WINDOWS\system32\egofthqw.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Window Washer] C:\Program Files\Webroot\Washer\wwDisp.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O20 - Winlogon Notify: fkqmynii - fkqmynii.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVSrvLauncher - Labtec Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Sygate Personal Firewall Pro (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 7789 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Teefer (Teefer for NT) - c:\windows\system32\drivers\teefer.sys <Not Verified; Sygate Technologies, Inc.; Sygate Teefer Driver>
R1 FileDisk - c:\windows\system32\drivers\filedisk.sys <Not Verified; iolo technologies, LLC (based on original work by Bo Brantén); filedisk (based on original work by Bo Brantén)>
R1 wpsdrvnt - c:\windows\system32\drivers\wpsdrvnt.sys <Not Verified; Sygate Technologies, Inc.; wpsdrvnt>
R2 BTSERIAL (Bluetooth Serial Driver) - c:\windows\system32\drivers\btserial.sys
R2 BTSLBCSP (Bluetooth Port Client Driver) - c:\windows\system32\drivers\btslbcsp.sys <Not Verified; WIDCOMM Inc.; WIDCOMM Bluetooth Software 1.2.2.3>
R3 catchme - c:\docume~1\rob\locals~1\temp\catchme.sys (file missing)

S3 gggen (Generic USB Flash Driver) - c:\windows\system32\drivers\gggen.sys <Not Verified; Sony Ericsson Mobile Communications; Gordon's Gate>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Ati HotKey Poller - c:\windows\system32\ati2evxx.exe (file missing)
S2 wltrysvc (Broadcom Wireless LAN Tray Service) - c:\windows\system32\wltrysvc.exe c:\windows\system32\bcmwltry.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID:
Description: Ethernet Controller
Device ID: PCI\VEN_14E4&DEV_165D&SUBSYS_00580E11&REV_01\4&16793A72&0&70F0
Manufacturer:
Name: Ethernet Controller
PNP Device ID: PCI\VEN_14E4&DEV_165D&SUBSYS_00580E11&REV_01\4&16793A72&0&70F0
Service:

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Bluetooth LAN Access Server Driver
Device ID: ROOT\NET\0000
Manufacturer: Widcomm, Inc.
Name: Bluetooth LAN Access Server Driver
PNP Device ID: ROOT\NET\0000
Service: BTWDNDIS


-- Scheduled Tasks -------------------------------------------------------------

2007-11-01 03:00:00 484 --a------ C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job


-- Files created between 2007-10-02 and 2007-11-02 -----------------------------

2007-11-02 18:10:36 0 d-------- C:\Program Files\Trend Micro
2007-11-01 19:18:39 0 d-------- C:\!KillBox
2007-11-01 18:58:29 0 d-------- C:\Documents and Settings\Rob\.housecall6.6
2007-11-01 00:28:07 0 d-------- C:\Documents and Settings\Rob\Application Data\iolo
2007-11-01 00:28:07 0 d-------- C:\Documents and Settings\All Users\Application Data\iolo
2007-10-31 20:52:57 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-31 20:51:54 0 d-------- C:\Program Files\Spyware Doctor
2007-10-31 20:51:54 0 d-------- C:\Documents and Settings\Rob\Application Data\PC Tools
2007-10-31 20:36:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-10-31 20:36:05 0 d-------- C:\Program Files\Google
2007-10-31 19:05:15 0 d-------- C:\Program Files\Enigma Software Group
2007-10-31 18:18:26 9341 --a------ C:\WINDOWS\system32\drivers\filedisk.sys <Not Verified; iolo technologies, LLC (based on original work by Bo Brantén); filedisk (based on original work by Bo Brantén)>
2007-10-31 18:18:06 25264 --a------ C:\WINDOWS\system32\smrgdf.exe
2007-10-31 18:18:05 41472 --a------ C:\WINDOWS\system32\iolobtdfg.exe
2007-10-31 18:18:03 1212928 --a------ C:\WINDOWS\system32\Incinerator.dll
2007-10-31 18:17:55 0 d-------- C:\Program Files\iolo
2007-10-31 17:08:04 25600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-31 17:08:04 289144 --a------ C:\WINDOWS\system32\VCCLSID.exe <Not Verified; S!Ri; >
2007-10-31 17:08:03 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe <Not Verified; S!Ri; SrchSTS>
2007-10-31 17:08:03 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-31 17:08:02 53248 --a------ C:\WINDOWS\system32\Process.exe <Not Verified; http://www.beyondlogic.org; Command Line Process Utility>
2007-10-30 22:20:41 0 d-------- C:\Documents and Settings\Rob\Application Data\Webroot
2007-10-30 22:20:39 0 d-------- C:\Program Files\Webroot
2007-10-30 22:20:39 0 d-------- C:\Program Files\Common Files\Webroot Shared
2007-10-30 22:20:12 57344 --a------ C:\WINDOWS\Unwash6.exe <Not Verified; Webroot Software, Inc.; >
2007-10-30 22:20:12 487936 --a------ C:\WINDOWS\system32\wwSecure.exe <Not Verified; Webroot Software, Inc.; >
2007-10-30 20:26:28 0 d-------- C:\Documents and Settings\Rob\Application Data\SpywareBot
2007-10-30 17:22:20 0 d-------- C:\Documents and Settings\NetworkService\Application Data\Macromedia
2007-10-30 17:21:43 0 dr------- C:\Documents and Settings\NetworkService\Favorites
2007-10-22 21:41:06 0 d-------- C:\Program Files\uTorrent
2007-10-22 21:41:00 0 d-------- C:\Documents and Settings\Rob\Application Data\uTorrent
2007-10-22 21:01:25 0 d-------- C:\Program Files\Microsoft AutoRoute
2007-10-22 19:39:08 0 d-------- C:\PNP
2007-10-22 18:47:58 28672 --a------ C:\WINDOWS\Photo Express 3.scr <Not Verified; Ulead Systems, Inc.; >
2007-10-22 18:47:27 0 d-------- C:\Program Files\Ulead Systems
2007-10-22 18:46:51 306688 --a------ C:\WINDOWS\IsUninst.exe <Not Verified; InstallShield Software Corporation; InstallShield® unInstaller>
2007-10-20 16:58:09 0 d-------- C:\Program Files\Common Files\Labtec
2007-10-20 16:57:20 0 d-------- C:\Program Files\Common Files\LogiShrd
2007-10-20 16:43:12 0 d-------- C:\Program Files\Labtec
2007-10-03 18:03:33 0 d-------- C:\Program Files\Common Files\Adobe
2007-10-02 17:42:03 0 d-------- C:\Documents and Settings\Weeze\Application Data\AdobeUM
2007-10-02 17:41:34 0 d-------- C:\Documents and Settings\Weeze\Application Data\Adobe


-- Find3M Report ---------------------------------------------------------------

2007-10-30 22:20:39 0 d-------- C:\Program Files\Common Files
2007-10-01 20:40:29 0 d-------- C:\Documents and Settings\Rob\Application Data\Leadertech
2007-10-01 20:40:21 0 d-------- C:\Documents and Settings\Rob\Application Data\AdobeUM
2007-10-01 20:40:13 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-10-01 20:19:29 0 d-------- C:\Documents and Settings\Rob\Application Data\AdobeAUM
2007-09-15 18:16:54 0 d-------- C:\Program Files\EPSON
2007-09-15 18:14:10 0 d-------- C:\Program Files\Common Files\InstallShield
2007-09-13 19:19:08 0 d-------- C:\Program Files\Far
2007-09-13 17:33:32 0 d-------- C:\Program Files\Sony Ericsson
2007-09-13 16:31:45 0 d-------- C:\Program Files\Windows Media Connect 2
2007-09-08 20:53:08 0 d-------- C:\Program Files\Widcomm
2007-09-08 18:19:22 0 d-------- C:\Documents and Settings\Rob\Application Data\Adobe
2007-09-06 20:21:29 0 d-------- C:\Program Files\Disc2Phone
2007-09-06 20:10:22 0 d-------- C:\Documents and Settings\Rob\Application Data\Apple Computer
2007-09-06 20:08:34 0 d-------- C:\Program Files\QuickTime
2007-09-05 20:37:34 0 d-------- C:\Program Files\Common Files\Teleca Shared
2007-09-05 19:14:09 0 d-------- C:\Documents and Settings\Rob\Application Data\Teleca
2007-09-03 21:27:47 0 d-------- C:\Program Files\messenger
2007-09-03 20:34:13 0 d-------- C:\Documents and Settings\Rob\Application Data\WinRAR
2007-09-02 13:00:50 0 d-------- C:\Program Files\MSN Messenger
2007-09-02 12:24:56 0 d-------- C:\Program Files\Movie Maker
2007-09-02 12:21:04 0 d-------- C:\Program Files\Windows NT
2007-08-30 21:07:12 62 --ahs---- C:\Documents and Settings\Rob\Application Data\desktop.ini
2007-08-30 20:18:26 0 -rahs---- C:\MSDOS.SYS
2007-08-30 20:18:26 0 -rahs---- C:\IO.SYS
2007-08-30 20:18:26 0 --a------ C:\CONFIG.SYS
2007-08-30 20:18:26 0 --a------ C:\AUTOEXEC.BAT
2007-08-30 20:15:30 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [13/08/2004 18:05]
"AGRSMMSG"="AGRSMMSG.exe" [04/03/2005 14:01 C:\WINDOWS\AGRSMMSG.exe]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 16:17]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06/09/2007 20:08]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 22:46]
"EPSON Stylus Photo R300 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.exe" [11/09/2003 03:00]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [06/03/2007 16:48]
"LogitechQuickCamRibbon"="C:\Program Files\Labtec\WebCam10\WebCam10.exe" [06/03/2007 16:58]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [25/10/2007 16:20]
"SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" []
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [31/10/2007 20:42]
"3c250d2f"="C:\WINDOWS\system32\egofthqw.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 07:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 11:54]
"Window Washer"="C:\Program Files\Webroot\Washer\wwDisp.exe" [20/04/2005 10:44]
"SMSystemAnalyzer"="C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe" [03/05/2006 16:29]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 21:05:26]
Belkin Wireless Utility.lnk - C:\Program Files\Belkin\F5D7011\Belkinwcui.exe [30/08/2007 20:28:13]
BTTray.lnk - C:\Program Files\Widcomm\Bluetooth Software\BTTray.exe [04/03/2002 10:40:46]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [31/10/2007 20:36:13]
Ulead Photo Express 3.0 SE Calendar Checker.lnk - C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe [22/10/2007 18:47:58]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fkqmynii]
fkqmynii.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d061dbf0-5738-11dc-9b17-00173f85fcf1}]
AutoRun\command- setupSNK.exe




-- End of Deckard's System Scanner: finished at 2007-11-02 18:11:22 ------------

And this is the extra bit

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® M processor 1400MHz
Percentage of Memory in Use: 59%
Physical Memory (total/avail): 511.36 MiB / 208.57 MiB
Pagefile Memory (total/avail): 1248.9 MiB / 975.11 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1919.36 MiB

C: is Fixed (NTFS) - 37.25 GiB total, 27.31 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)

\\.\PHYSICALDRIVE0 - FUJITSU MHT2040AH - 37.26 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 37.25 GiB - C:

\\.\PHYSICALDRIVE1 - EPSON Stylus Storage USB Device



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.

AV: avast! antivirus 4.7.1074 [VPS 000734-2] v4.7.1074 (ALWIL Software) Outdated

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Rob\Application Data
CLASSPATH=C:\Program Files\QuickTime\QTSystem\QTJava.zip
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=HOME-L8UX5BCRVV
ComSpec=C:\WINDOWS\system32\cmd.exe
DEFAULT_CA_NR=CA6
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Rob
LOGONSERVER=\\HOME-L8UX5BCRVV
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\Program Files\Common Files\Teleca Shared;C:\Program Files\QuickTime\QTSystem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 9 Stepping 5, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0905
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\QuickTime\QTSystem\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Rob\LOCALS~1\Temp
TMP=C:\DOCUME~1\Rob\LOCALS~1\Temp
USERDOMAIN=HOME-L8UX5BCRVV
USERNAME=Rob
USERPROFILE=C:\Documents and Settings\Rob
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Rob (admin)
Weeze (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\System32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Reader 7.0.9 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70900000002}
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
Adobe® Photoshop® Album Starter Edition 3.0.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C9618743-1A5C-461E-91C4-E013A3D70F3C}\Setup.exe" -l0x9
Agere Systems AC'97 Modem --> agrsmdel
ATI Display Driver --> rundll32 C:\WINDOWS\System32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Belkin Wireless G Plus Notebook Card --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{D59CAED6-39AF-4F87-AD40-C10C3906B7A4}\setup.exe" -l0x9 -removeonly
Disc2Phone --> MsiExec.exe /I{FFAB5ABB-8AAB-42E2-847F-1743E51E01E9}
EPSON CardMonitor --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{109D28C7-FB38-483A-9C91-001CB59E2699}\SETUP.EXE" -l0x9 uninst
EPSON PhotoQuicker3.5 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{65F5B7AF-3363-11D7-BB6B-00018021113F}\SETUP.EXE" -l0x9 uninst
EPSON PhotoStarter3.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C48817E7-AA05-4151-A99D-1E1E550CE801}\SETUP.EXE" -l0x9 uninst
EPSON PRINT Image Framer Tool2.1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{23B59ED4-C360-11D7-875B-0090CC005647}\SETUP.EXE" -l0x9 anything
EPSON Printer Software --> C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\EPUPDATE.EXE /r
ESPR300 Software Guide --> C:\Program Files\EPSON\ESPR300\PQU_G\DOCUNINS.EXE
Far Manager v1.70 --> C:\Program Files\Far\uninstall.exe
Google Desktop --> C:\Program Files\Google\Google Desktop Search\GoogleDesktopSetup.exe -uninstall
Google Updater --> "C:\Program Files\Google\Google Updater\GoogleUpdater.exe" -uninstall
iolo technologies' System Mechanic Professional 6 --> "C:\Program Files\iolo\System Mechanic Professional 6\UninstallSMPro.exe"
Labtec WebCam --> MsiExec.exe /X{995BF1A7-30E5-49E5-A0E4-AD3213D9E330}
Labtec® Camera Driver --> "C:\Program Files\Common Files\Labtec\QCDRV\BIN\SETUP.EXE" UNINSTALL REMOVEPROMPT
Logitech Audio Echo Cancellation Component --> MsiExec.exe /X{BEF726DD-4037-4214-8C6A-E625C02D2870}
Logitech Video Enumerator --> MsiExec.exe /X{EA516024-D84D-41F1-814F-83175A6188F2}
Microsoft AutoRoute --> MsiExec.exe /I{19EF7619-CAC5-4A49-B44A-D620DB771E01}
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5 --> "C:\WINDOWS\$NtUninstallWdf01005$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
MVision --> MsiExec.exe /I{35725FBC-A136-4A46-9F29-091759D9BB93}
QuickTime --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\11\INTEL3~1\IDriver.exe /M{4E5E22C2-1386-47AE-8EDE-32DDCDCD6653} /l1033
ScanToWeb --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EBAE381B-60A6-4863-AA9F-FCAB755BC9E5}\SETUP.EXE" ADDREMOVEDLG
Sony Ericsson PC Suite 1.20.224 --> MsiExec.exe /I{7689CA7A-1270-425A-9959-EB4CB25EA29A}
Spyware Doctor 5.1 --> C:\Program Files\Spyware Doctor\unins000.exe /LOG
Sygate Personal Firewall Pro --> MsiExec.exe /X{BF448A52-C83E-455D-B5D3-FD9E964C9419}
Ulead Photo Express 3.0 SE --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\Uninst.isu" -c"C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\IS32Inst.dll"
Update Service --> C:\Program Files\Sony Ericsson\Update Service\uninst.exe
Widcomm Bluetooth Software 1.2.2.4 --> MsiExec.exe /X{0F51A262-1ADF-4914-B448-78AC58C4178A}
Window Washer --> C:\WINDOWS\Unwash6.exe
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{22B3CC30-77B8-419C-AA4B-F571FDF5D66D}
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type861 / Warning
Event Submitted/Written: 11/01/2007 06:40:18 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{995BF1A7-30E5-49E5-A0E4-AD3213D9E330}', feature 'QuickCam' failed during request for component '{C207503F-9631-4AF6-8CD2-D11260DBA3C5}'

Event Record #/Type860 / Warning
Event Submitted/Written: 11/01/2007 06:40:18 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{995BF1A7-30E5-49E5-A0E4-AD3213D9E330}', feature 'QuickCam', component '{B52C7B4D-F46F-438C-ADF2-05A138C57757}' failed. The resource 'HKEY_CURRENT_USER\Software\Labtec\QuickCam10\DesktopShortcutKey' does not exist.

Event Record #/Type859 / Warning
Event Submitted/Written: 11/01/2007 06:40:12 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{995BF1A7-30E5-49E5-A0E4-AD3213D9E330}', feature 'QuickCam' failed during request for component '{C207503F-9631-4AF6-8CD2-D11260DBA3C5}'

Event Record #/Type858 / Warning
Event Submitted/Written: 11/01/2007 06:40:12 PM
Event ID/Source: 1004 / MsiInstaller
Event Description:
Detection of product '{995BF1A7-30E5-49E5-A0E4-AD3213D9E330}', feature 'QuickCam', component '{B52C7B4D-F46F-438C-ADF2-05A138C57757}' failed. The resource 'HKEY_CURRENT_USER\Software\Labtec\QuickCam10\DesktopShortcutKey' does not exist.

Event Record #/Type857 / Warning
Event Submitted/Written: 11/01/2007 06:40:04 PM
Event ID/Source: 1001 / MsiInstaller
Event Description:
Detection of product '{995BF1A7-30E5-49E5-A0E4-AD3213D9E330}', feature 'QuickCam' failed during request for component '{C207503F-9631-4AF6-8CD2-D11260DBA3C5}'



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type4235 / Error
Event Submitted/Written: 11/02/2007 05:57:01 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Broadcom Wireless LAN Tray Service service failed to start due to the following error:
%%2

Event Record #/Type4234 / Error
Event Submitted/Written: 11/02/2007 05:57:01 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Ati HotKey Poller service failed to start due to the following error:
%%2

Event Record #/Type4229 / Error
Event Submitted/Written: 11/02/2007 05:55:01 PM
Event ID/Source: 10010 / DCOM
Event Description:
The server {82A531AA-B7F6-4F5F-AB26-8F6E462E27CE} did not register with DCOM within the required timeout.

Event Record #/Type4228 / Error
Event Submitted/Written: 11/02/2007 05:54:06 PM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The combofix service failed to start due to the following error:
%%1053

Event Record #/Type4227 / Error
Event Submitted/Written: 11/02/2007 05:54:06 PM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the combofix service to connect.



-- End of Deckard's System Scanner: finished at 2007-11-02 18:11:22 ------------

Thank you and I hope I've done it all ok

Rob

#5 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 02 November 2007 - 02:56 PM

Hiya Rob, looks like you're doing great at the moment!

It is a good idea to print off these instructions. There is a possibility some of the instructions will need to be carried out where internet access is not available. It is important that you complete the instructions in the right order, and that you don't miss out any steps.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Start HijackThis (start > run > type: Hijackthis), close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [3c250d2f] rundll32.exe "C:\WINDOWS\system32\egofthqw.dll",b
O20 - Winlogon Notify: fkqmynii - fkqmynii.dll (file missing)

Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Please perform this online scan: Kaspersky Webscan
Note that this scanner will only work on Internet Explorer, so please use this browser for the scan.
Read the Requirements and Privacy statement, then select "Accept"
A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
Select "Install" to download the ActiveX controls that allow ActiveScan to run.

When the download is complete it will say ready, click "Next"
Select a target to scan: Click on "My Computer"
When the scan is complete choose to save the results as "Save as Text"
Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.
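The three entries picked out above share the traits a helper looks for when reading a HijackThis log: a BHO registered with no backing file, a Run value with an autogenerated hex name that loads a bare DLL out of system32 through rundll32, and a Winlogon Notify package whose DLL is missing on disk. The script below is an added example, not part of this thread and not a HijackThis or BleepingComputer tool; it applies those heuristics to log lines. The sample lines are copied from the log posted above (with vendor-backed Adobe and avast! entries kept in for contrast); the heuristics themselves (8-hex-digit Run value names, rundll32 loading a DLL directly from system32 via a one- or two-letter export, any Winlogon Notify entry) are my own assumptions, not HijackThis rules.

```python
"""Triage helper for HijackThis-style log lines (added example, not a HijackThis feature)."""
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the log posted in this thread, plus
# vendor-backed entries (Adobe, avast!) that a sane triage must leave alone.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [3c250d2f] rundll32.exe "C:\WINDOWS\system32\egofthqw.dll",b
O20 - Winlogon Notify: fkqmynii - fkqmynii.dll (file missing)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Line shapes as HijackThis prints them (O2 = BHO, O4 = Run key, O20 = Winlogon Notify).
O2_BHO = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RUN = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_NOTIFY = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.*)$")

# Heuristics (assumptions of this example, not HijackThis rules): a Run value
# named with 8 hex digits, and rundll32 loading a DLL that sits directly in
# system32 and is entered through a one- or two-letter export name.
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)
RUNDLL_BARE_SYS32 = re.compile(
    r'rundll32(?:\.exe)?\s+"?[A-Za-z]:\\WINDOWS\\system32\\[^"\\]+\.dll"?\s*,\s*\w{1,2}\b',
    re.IGNORECASE,
)


@dataclass
class Finding:
    line: str
    reasons: list


def triage_line(line: str):
    """Return a Finding for one log line, or None when nothing looks off."""
    line = line.strip()
    reasons = []

    m = O2_BHO.match(line)
    if m:
        if m["path"] == "(no file)":
            reasons.append("BHO CLSID registered with no backing file (orphaned registration)")
        if m["name"] == "(no name)":
            reasons.append("BHO carries no name")

    m = O4_RUN.match(line)
    if m:
        if HEX_VALUE_NAME.match(m["name"]):
            reasons.append("Run value name is 8 hex digits (looks autogenerated)")
        if RUNDLL_BARE_SYS32.search(m["cmd"]):
            reasons.append("rundll32 loads a bare system32 DLL via a short export name")

    m = O20_NOTIFY.match(line)
    if m:
        reasons.append("Winlogon Notify package runs at every logon; verify its publisher")
        if "(file missing)" in m["dll"]:
            reasons.append("Notify DLL is missing on disk (leftover registration)")

    return Finding(line, reasons) if reasons else None


def triage(log_text: str):
    """Run triage_line over every line of a log and keep only the flagged ones."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    -", reason)
```

Run against the sample, the script flags exactly the O2, O4 and O20 lines listed in the reply above and leaves the Adobe and avast! entries alone. The heuristics are deliberately narrow: a hit means "look at this entry", not "this is malware", and a vendor-signed file under Program Files with a meaningful Run value name is left for a human to judge.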

#6 dogs

  • Topic Starter

  • Members
  • 7 posts

Posted 02 November 2007 - 05:56 PM

Thanks again David. I've done all that you have said apart from running Kaspersky; it won't load even though I have administrator rights and security is set to medium. But here is the log from HijackThis. Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:20:18, on 02/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Labtec\WebCam10\WebCam10.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Belkin\F5D7011\Belkinwcui.exe
C:\Program Files\Widcomm\Bluetooth Software\BTTray.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Labtec\WebCam10\WebCam10.exe" /hide
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [3c250d2f] rundll32.exe "C:\WINDOWS\system32\egofthqw.dll",b
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O20 - Winlogon Notify: fkqmynii - fkqmynii.dll (file missing)
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVSrvLauncher - Labtec Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)

--
End of file - 5303 bytes

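The log just posted is the kind of thing the helpers in this thread read by eye: the `O4` Run value with a random hex name loading a randomly named DLL through rundll32, the `O20` Winlogon Notify hook whose file is already missing, and the nameless `O2` BHO with no file. The Python below is an added example (not a BleepingComputer or Trend Micro tool) that parses HijackThis entry lines, flags those structural patterns and diffs a "before" log against an "after" log. The sample lines are copied from the two logs in this thread; the flagging rules and the names `flag_log`, `diff_logs` and `parse_hjt` are this example's own assumptions.

```python
"""Heuristic triage of HijackThis (HJT) logs.

Added example, not a BleepingComputer or Trend Micro tool.  It parses the
'R0/O2/O4/O20 - ...' entry lines, flags a few structural patterns that the
infected log in this thread shows, and diffs a before log against an after
log.  The flagging rules are this example's own assumptions; a real triage
also checks each file name against a reputation list.
"""
import ntpath
import re

# Constructed sample: selected entry lines from the two HJT logs posted in
# this thread (02/11/2007 before cleanup, 05/11/2007 after), not full logs.
BEFORE_LOG = [
    r'R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/',
    r'O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll',
    r'O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)',
    r'O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot',
    r'O4 - HKLM\..\Run: [3c250d2f] rundll32.exe "C:\WINDOWS\system32\egofthqw.dll",b',
    r'O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r'O20 - Winlogon Notify: fkqmynii - fkqmynii.dll (file missing)',
    r'O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe',
]
AFTER_LOG = [
    r'R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/',
    r'O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll',
    r'O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot',
    r'O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"',
    r'O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background',
    r'O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab',
    r'O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe',
]

ENTRY_RE = re.compile(r"^([RFO]\d+) - (.*)$")          # "O4 - <body>"
RUN_VALUE_RE = re.compile(r"\[([^\]]+)\]\s*(.*)")       # "[value name] command"
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)"?', re.IGNORECASE)
RANDOM_NAME = re.compile(r"^[a-z]{8}$")   # eight lowercase letters, e.g. egofthqw
HEX_NAME = re.compile(r"^[0-9a-f]{8}$")   # eight hex digits, e.g. 3c250d2f


def parse_hjt(lines):
    """Return (section, body) for every entry line; header and process lines are skipped."""
    entries = []
    for line in lines:
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def flag_entry(section, body):
    """Return a reason string if the entry matches a heuristic, else None."""
    reasons = []
    if section == "O2" and ("(no name)" in body or body.endswith("(no file)")):
        reasons.append("orphaned BHO (no name or no file)")
    elif section == "O4":
        m = RUN_VALUE_RE.search(body)
        if m:
            value_name, command = m.group(1), m.group(2)
            if HEX_NAME.match(value_name):
                reasons.append("Run value named with random hex")
            dll = RUNDLL_RE.search(command)
            if dll:
                # ntpath handles the Windows path even when run on Linux
                stem = ntpath.splitext(ntpath.basename(dll.group(1)))[0]
                if RANDOM_NAME.match(stem):
                    reasons.append("rundll32 loading a randomly named DLL")
    elif section == "O20":
        parts = body.split(":", 1)
        hook = parts[1].split(" - ")[0].strip() if len(parts) == 2 else ""
        if RANDOM_NAME.match(hook) or "(file missing)" in body:
            reasons.append("Winlogon Notify hook with random name or missing file")
    return "; ".join(reasons) or None


def flag_log(lines):
    """All flagged entries of a log as (section, reason, body) tuples, in log order."""
    out = []
    for section, body in parse_hjt(lines):
        reason = flag_entry(section, body)
        if reason:
            out.append((section, reason, body))
    return out


def diff_logs(before, after):
    """Entries that disappeared and entries that appeared between two logs."""
    old, new = set(parse_hjt(before)), set(parse_hjt(after))
    return {"removed": sorted(old - new), "added": sorted(new - old)}


if __name__ == "__main__":
    for section, reason, body in flag_log(BEFORE_LOG):
        print(f"{section}: {reason}\n    {body}")
    changes = diff_logs(BEFORE_LOG, AFTER_LOG)
    print(f"{len(changes['removed'])} entries removed, {len(changes['added'])} added")
```

Run against the sample, the before log yields three flags (the nameless BHO, the hex-named Run value with its random DLL, and the Winlogon Notify hook) and the after log yields none. Note the limit of structural rules: the `[SpywareBot]` Run value is not flagged, even though the Kaspersky scan later in this thread labels the restore-point copy of that program FraudTool.Win32.SpywareBot.c; catching it needs a file-name or hash reputation lookup, not a pattern.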
#7 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:01:15 AM

Posted 03 November 2007 - 05:22 AM

OK, don't worry about the Kaspersky scan, it really is a lottery whether they run or not.
We can try another similar scanner, let me know how you get on with this.
Don't forget you have to be using Internet Explorer; Firefox or another browser may not work.

Please visit Panda Online to carry out a virus scan.
Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your personal details.
Click the big Scan Now button.
It will ask to install various content - please allow this.
It will start downloading the files it requires for the scan, which may take a while.

When download is complete, click on Local Disks to start the scan.
When the scan completes, click the See Report button.
Click Save Report and save the file to your desktop.
Post the contents of the report in your next reply, along with a new Hijackthis log.

#8 dogs

dogs
  • Topic Starter

  • Members
  • 7 posts
  • Local time:07:15 PM

Posted 03 November 2007 - 11:14 AM

Hi david, That panda scan won't run either so i'm pretty stuck.

Rob

#9 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:01:15 AM

Posted 04 November 2007 - 10:35 AM

Let's try and configure ActiveX.
Start Internet Explorer.
From the Internet Explorer Tools menu, choose Internet Options.
Click the Security tab, and then click the Internet icon.
Click the Custom Level button and verify the settings as follows:

Scroll to the Active X controls and plug-ins and verify that the options are set to Enable or Prompt.
Scroll to the Scripting Section and verify that Active Scripting is set to Enable or Prompt.
Note: Clicking a checked box removes the checkmark and disables the feature.
If you see checkmarks in the Enable or Prompt boxes, do not click on the checked boxes.
Click OK.

Reboot the PC and try either Panda or Kaspersky again.

#10 dogs

dogs
  • Topic Starter

  • Members
  • 7 posts
  • Local time:07:15 PM

Posted 05 November 2007 - 05:33 PM

Hi David, thanks mate, that did the trick. OK, I've run a Kaspersky scan and a new HijackThis, so here are the results.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, November 05, 2007 10:23:37 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/11/2007
Kaspersky Anti-Virus database records: 451964
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 48972
Number of viruses found: 11
Number of infected objects: 41
Number of suspicious objects: 0
Duration of the scan process: 01:00:44

Infected Object Name / Virus Name / Last Action
C:\!KillBox\pvgrfbpq.dll Infected: Trojan-Downloader.Win32.ConHook.hl skipped
C:\!KillBox\yubnrhbs.dll Infected: Trojan-Downloader.Win32.ConHook.hl skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Rob\Application Data\Teleca\Telecalib\Logging\Application logs\SpecificUSB_log.txt Object is locked skipped
C:\Documents and Settings\Rob\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Rob\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Rob\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Rob\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Rob\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Temp\~DF14A4.tmp Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Temp\~DF6C91.tmp Object is locked skipped
C:\Documents and Settings\Rob\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Rob\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Rob\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Zone Labs\ZoneAlarm\MailFrontier\MailBuddy.log Object is locked skipped
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\knmfsdsl.dll.vir Infected: Trojan.Win32.Obfuscated.jx skipped
C:\qoobox\Quarantine\C\Program Files\Dlyasmsx\twqvymzw.dll.vir Infected: Trojan.Win32.Obfuscated.jx skipped
C:\qoobox\Quarantine\C\Program Files\voxkhmxs\nsnwdujw.dll.vir Infected: Trojan-Downloader.Win32.Zlob.dxz skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\fkqmynii.dll.vir Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\rrqvxdxw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.agh skipped
C:\qoobox\Quarantine\catchme2007-11-01_212123.98.zip/__c00E61F1.dat Infected: Trojan-Downloader.Win32.ConHook.hl skipped
C:\qoobox\Quarantine\catchme2007-11-01_212123.98.zip ZIP: infected - 1 skipped
C:\qoobox\Quarantine\catchme2007-11-02_175634.12.zip/fkqmynii.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\qoobox\Quarantine\catchme2007-11-02_175634.12.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP58\A0010439.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP60\A0010469.exe Infected: not-virus:Hoax.Win32.Renos.hx skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP60\A0010480.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP60\A0010493.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP60\A0010497.dll Infected: Trojan-Downloader.Win32.ConHook.hl skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP60\A0010498.dll Infected: Trojan-Downloader.Win32.ConHook.hl skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP60\A0010499.dll Infected: Trojan-Downloader.Win32.ConHook.hl skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP60\A0011479.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP60\A0011576.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP60\A0011584.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP60\A0012647.exe Infected: not-a-virus:FraudTool.Win32.SpywareBot.c skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP61\A0012681.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP65\A0013782.dll Infected: Trojan-Downloader.Win32.ConHook.hl skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP65\A0013804.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP65\A0013805.dll Infected: Trojan-Downloader.Win32.ConHook.hl skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP65\A0013806.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.agh skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP65\A0013808.exe/file1 Infected: not-a-virus:FraudTool.Win32.SpywareBot.c skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP65\A0013808.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP65\A0013809.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP65\A0013810.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP65\A0013812.dll Infected: Trojan-Downloader.Win32.ConHook.hl skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP66\A0013846.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP67\A0013919.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP67\A0013920.dll Infected: Trojan-Downloader.Win32.Zlob.dxz skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP67\A0013925.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP67\A0013931.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP69\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\HOME-L8UX5BCRVV.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9D96F534-4FE0-4C3D-A6CD-A075DC1510B4}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ZLT05e68.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT05ed1.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


And the new Hijack this scan

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:27:12, on 05/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe
C:\Program Files\Labtec\WebCam10\WebCam10.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\LVComSX.exe
C:\Program Files\Belkin\F5D7011\Belkinwcui.exe
C:\Program Files\Widcomm\Bluetooth Software\BTTray.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Common Files\Teleca Shared\Generic.exe
C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R300 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Labtec\WebCam10\WebCam10.exe" /hide
O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SMSystemAnalyzer] "C:\Program Files\iolo\System Mechanic Professional 6\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Belkin Wireless Utility.lnk = ?
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Ulead Photo Express 3.0 SE Calendar Checker.lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 3.0 SE\CalCheck.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LVSrvLauncher - Labtec Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe (file missing)

--
End of file - 5313 bytes


Hope you can make something of these. Thanks again in advance

Rob

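Every hit in the Kaspersky report above sits in one of three places: the `C:\!KillBox` and `C:\qoobox\Quarantine` folders left behind by the removal tools, the SmitfraudFix package itself (a RiskTool verdict on its reboot helper), or old System Restore points. Nothing is detected in a live location, which is what lets the helper call the machine clean and prescribe only folder deletion and a restore-point purge. The Python below is an added example (not Kaspersky's or BleepingComputer's code) that makes that triage mechanical: it parses the report lines, buckets each detection by location, and maps each bucket to the follow-up action. The sample lines are a verbatim subset of the report above; the bucket names, the `KNOWN_TOOL_DIRS` list and the action wording are this example's own assumptions.

```python
"""Triage of a Kaspersky Online Scanner report by object location.

Added example, not Kaspersky's or BleepingComputer's code.  It groups the
'Infected:' lines by where the object lives, because that is what decides
the follow-up action in this thread: quarantine folders get deleted,
infected restore points get purged, and only objects outside those
locations would mean the machine is still actively infected.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the report lines posted above, verbatim.
SAMPLE_REPORT = [
    r'C:\!KillBox\pvgrfbpq.dll Infected: Trojan-Downloader.Win32.ConHook.hl skipped',
    r'C:\!KillBox\yubnrhbs.dll Infected: Trojan-Downloader.Win32.ConHook.hl skipped',
    r'C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped',
    r'C:\Documents and Settings\Rob\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped',
    r'C:\Documents and Settings\Rob\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped',
    r'C:\Documents and Settings\Rob\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped',
    r'C:\Documents and Settings\Rob\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped',
    r'C:\qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\knmfsdsl.dll.vir Infected: Trojan.Win32.Obfuscated.jx skipped',
    r'C:\qoobox\Quarantine\C\WINDOWS\system32\rrqvxdxw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.agh skipped',
    r'C:\qoobox\Quarantine\catchme2007-11-01_212123.98.zip/__c00E61F1.dat Infected: Trojan-Downloader.Win32.ConHook.hl skipped',
    r'C:\qoobox\Quarantine\catchme2007-11-01_212123.98.zip ZIP: infected - 1 skipped',
    r'C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP58\A0010439.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped',
    r'C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP60\A0010469.exe Infected: not-virus:Hoax.Win32.Renos.hx skipped',
    r'C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP60\A0012647.exe Infected: not-a-virus:FraudTool.Win32.SpywareBot.c skipped',
    r'C:\System Volume Information\_restore{9626B4C6-5285-498A-837C-C2F01866F54B}\RP66\A0013846.dll Infected: Trojan.Win32.Obfuscated.jx skipped',
    r'C:\WINDOWS\system32\config\SAM Object is locked skipped',
]

# Three line shapes appear in the report: a detection, a locked (in-use)
# object, and an archive summary line for a container whose members were
# already listed individually.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?:RarSFX|ZIP|Inno): infected - \d+ skipped$")

# Assumption: folders belonging to removal tools used in this thread.
KNOWN_TOOL_DIRS = ("smitfraudfix",)

ACTIONS = {
    "quarantine": "delete the quarantine folders (C:\\!KillBox, C:\\qoobox) once the fix is confirmed",
    "restore_point": "turn System Restore off and back on to purge the old points, then create a clean one",
    "riskware_tool": "component of a removal tool; remove the tool when the cleanup is finished",
    "live": "active infection outside quarantine: further cleaning needed before calling the PC clean",
}


def classify(path, verdict):
    """Bucket a detection by where the object lives (path checks are case-insensitive)."""
    p = path.lower()
    if p.startswith(r"c:\system volume information\_restore"):
        return "restore_point"
    if p.startswith(r"c:\qoobox\quarantine") or p.startswith(r"c:\!killbox"):
        return "quarantine"
    # A RiskTool verdict on a file inside a known cleaner's folder is the tool
    # itself, not an infection; anywhere else it stays 'live' for a human to judge.
    if verdict.startswith("not-a-virus:RiskTool.") and any(t in p for t in KNOWN_TOOL_DIRS):
        return "riskware_tool"
    return "live"


def triage(lines):
    """Return ({bucket: [(path, verdict), ...]}, locked_count, container_count)."""
    buckets = defaultdict(list)
    locked = containers = 0
    for raw in lines:
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            buckets[classify(m["path"], m["verdict"])].append((m["path"], m["verdict"]))
        elif CONTAINER_RE.match(line):
            containers += 1   # members already counted; avoid double counting
        elif LOCKED_RE.match(line):
            locked += 1       # in use by the OS, not a detection
    return dict(buckets), locked, containers


def recommend(lines):
    """(bucket, count, action) per bucket, plus an overall verdict line."""
    buckets, _locked, _containers = triage(lines)
    report = [(name, len(items), ACTIONS[name]) for name, items in sorted(buckets.items())]
    if "live" not in buckets:
        report.append(("verdict", 0, "no active infections found; remaining hits are leftovers"))
    return report


if __name__ == "__main__":
    for bucket, count, action in recommend(SAMPLE_REPORT):
        print(f"{bucket:14s} {count:3d}  {action}")
```

On the sample this reports five quarantine hits, four restore-point hits and three removal-tool components, two locked objects and two container summary lines, and no live detections, which is exactly the reading behind the next reply's instructions. Note the restore-point purge is an all-or-nothing operation on Windows XP: turning System Restore off discards every point, including clean ones, so the procedure ends with creating a fresh point.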
#11 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:01:15 AM

Posted 06 November 2007 - 11:42 AM

Hiya Rob, not much more to do now..

Please find and delete these folders:
C:\!KillBox
C:\qoobox

We need to purge your infected system restore points.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.
More information on how to disable your system restore can be found here.

We want to create a new, clean restore point. Please first reboot your computer.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Uncheck "Turn off System Restore", click Apply, and then click OK.

Click Start > All Programs > Accessories > System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create, and after it has created the restore point, click "Close".
Further instructions on creating a restore point can be found here

Please reboot a final time and let me know how the PC is running.
I see a clean Hijackthis log now! :thumbsup:

#12 dogs

dogs
  • Topic Starter

  • Members
  • 7 posts
  • Local time:07:15 PM

Posted 06 November 2007 - 01:03 PM

:blink: Hi David, I have done all that you have said and, judging by everything else you told me, my computer must be clean. The thing is, I think, well, I know that it is now running slower. I have installed Zone Alarm Security Suite; do you think that could be using too much RAM or something? Can you recommend a good firewall and antivirus that don't use a lot of RAM? Thank you again for all your help, you are a computer god :thumbsup: Rob

#13 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:01:15 AM

Posted 06 November 2007 - 02:58 PM

The Zone Alarm Security Suite is well known for being a resource hog.

There are several free packages available for antivirus programs. These will be less of a resource hog on your memory.
Two of the most popular are here:
Antivir: http://www.free-av.com/
AVG Antivirus: http://free.grisoft.com/doc/1

As far as firewalls are concerned, I would recommend Comodo Free:
http://www.personalfirewall.comodo.com/

Glad I could help! :thumbsup:
The latest log is looking clean!
Follow this list and your potential for being infected again will be reduced dramatically.

Use an Anti Virus Software -
* It is very important that your computer has an anti-virus software running on your machine.
* This alone can save you a lot of trouble with malware in the future. See this link for a listing of some on line & their stand-alone anti virus programs:
* Click here for more information on -> Computer Safety On line - Anti-Virus
* I would recommend Grisoft's AVG or AVAST.
* These are the more secure and better ones.

Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.

Use a Firewall -
* I can not stress how important it is that you use a Firewall on your computer.
* Without a firewall your computer is susceptible to being hacked and taken over.
* Simply using a Firewall in its default configuration can lower your risk greatly.
* For an article on Firewalls and a listing of some available ones see the link below:
* Click here for more information on -> Computer Safety On line - Software Firewalls

Visit Microsoft's Windows Update Site Frequently -
* It is important that you visit http://www.windowsupdate.com regularly.
* This will ensure your computer has always the latest security updates available installed on your computer.
* If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Next, if they're not already present, I would recommend the download and installation of some or all of the following programs (all free), and the updating of them regularly

Install Spybot© - Search and Destroy- Install and download Spybot - Search and Destroy with its TeaTimer option.
* This will provide real-time spyware & hijacker protection on your computer alongside your virus protection.
* You should also scan your computer with the program on a regular basis just as you would with anti virus software.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Lavasofts© Ad-Aware - Install and download Ad-Aware.
* You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot.
* A tutorial on installing & using this product can be found here:
* Click here for more info -->Instructions for - Spybot S & D and Ad-aware

Install Javacools© SpywareBlaster -
* SpywareBlaster will add a large list of programs and sites into your Internet Explorer and Firefox settings that will protect you from running and downloading known malicious programs.
* An article on anti-malware products with links for this program and others can be found here:
* Click here for more info -->Computer Safety on line - Anti-Malware

Update all these programs regularly - Make sure you update all the programs I have listed regularly.
Without regular updates you WILL NOT be protected when new malicious programs are released.
:blink: If you wish to learn how to use HijackThis to remove malware, you might like to join the Malware Removal Training Program!

If you have any addition questions just ask...
David

Edited by D-Trojanator, 06 November 2007 - 02:59 PM.




