MalwareRemoval.com - Malware Removal Instructions

PC playing up

Post by lost » May 20th, 2008, 9:50 am

Ok, well, my sister's PC is running very slow, and Spybot and WinPatrol keep asking to change the startup global entries in the system32 file, and sometimes when she tries to log out of the internet she gets porn pop-ups and the system freezes.

Here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:50:19, on 20/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\LVComS.exe
C:\WINDOWS\YWRtaW4\command.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\Program Files\BTHomeHub\Help\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\COMPAN~1\Installs\cpn0\YTBSDK.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe
O4 - HKLM\..\Run: [TrayStartup] C:\Program Files\BT Auto Backup\VaultClientTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [BMe3f7093c] Rundll32.exe "C:\WINDOWS\system32\luktjswd.dll",s
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\ADMIN\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BTHomeHub\Help\bin\matcli.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 2145347093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2145337421
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\YWRtaW4\command.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - Unknown owner - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9296 bytes


Many thanks
lost
Active Member
 
Posts: 2
Joined: May 20th, 2008, 9:45 am
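A small triage helper for HijackThis-format log lines, added here as an example; it is not part of this thread, of HijackThis or of the forum's own tools. It encodes a few of the checks a helper applies by eye when reading a log like the one above: an O23 service with "Unknown owner" or "(file missing)", an O4 autorun that loads a DLL through rundll32, an O2 BHO registered with no name, and a binary living in a directory directly under C:\WINDOWS that is not a standard one. The sample lines are constructed in HJT v2 format and reuse entries quoted from the log in this thread (YWRtaW4\command.exe, luktjswd.dll, duictgoo.dll); the allowlist of standard %WINDIR% subdirectories is an assumption and should be extended for a given environment.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 line format. The suspicious entries are
# quoted from the log posted in this thread; the benign lines (WinPatrol, ctfmon,
# the Java BHO, the iPod service) are there to show the checks stay quiet on them.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [BMe3f7093c] Rundll32.exe "C:\WINDOWS\system32\luktjswd.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\duictgoo.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\YWRtaW4\command.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
"""


@dataclass
class Finding:
    section: str   # HJT section tag, e.g. "O4", "O23"
    line: str      # the original log line
    reasons: list  # human-readable reasons the line was flagged


# Every HJT entry starts with a section tag ("R1", "O4", "O23", ...) and " - ".
ENTRY_RE = re.compile(r"^(O\d+|R\d) - (.*)$")

# rundll32 followed by the DLL it is asked to load (quoted or not).
RUNDLL_RE = re.compile(r'rundll32(\.exe)?\s+"?([^",]+\.dll)', re.IGNORECASE)

# First path component under C:\WINDOWS, e.g. "system32" or "YWRtaW4".
WINDIR_SUBDIR_RE = re.compile(r"c:\\windows\\([^\\]+)\\", re.IGNORECASE)

# Subdirectories of %WINDIR% that legitimately hold service/autorun binaries.
# Assumption: a starting allowlist, to be extended per environment.
WINDIR_STANDARD = {"system32", "system", "syswow64", "microsoft.net"}


def check_line(line):
    """Return a Finding for one HJT line, or None if nothing looks worth a review."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    reasons = []
    if section == "O23":
        if "Unknown owner" in body:
            reasons.append("service has no publisher (Unknown owner)")
        if "(file missing)" in body:
            reasons.append("service binary is missing on disk")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object registered without a name")
    if section == "O4":
        rd = RUNDLL_RE.search(body)
        if rd:
            reasons.append(f"autorun loads a DLL through rundll32: {rd.group(2)}")
    wd = WINDIR_SUBDIR_RE.search(body)
    if wd and wd.group(1).lower() not in WINDIR_STANDARD:
        reasons.append(f"binary lives in non-standard %WINDIR% subdirectory '{wd.group(1)}'")
    return Finding(section, line.strip(), reasons) if reasons else None


def triage(log_text):
    """Run check_line over every line of an HJT log and return the findings in order."""
    return [f for f in (check_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

The output is a list of lines to review, not a verdict: the rundll32 check, for instance, would also flag the log's SiSPower entry, which is a legitimate vendor autorun. The point of running the checks in code is consistency across many logs; deciding what is actually malicious still needs a look at the file's signer, location and age, which is what the ComboFix output later in the thread supplies.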

Re: PC playing up

Post by mz30 » May 20th, 2008, 9:54 am

Hi,
I'm Mz30.
I will be helping you with your malware issues.
I am currently reviewing your HJT log and will post back soon with instructions.
As I am still in training, everything that I post to you must be checked by an Admin or Moderator. Therefore there could be a delay between posts, but it shouldn't be too long.

  • The fixes I post are for fixing your issues only and by no means should be used on another computer.
  • Continue to respond to this thread until I give you the All Clean, as even if you appear clean the chances are you are not.
  • Please bookmark or favourite this page, in case you need it as a reference.
  • Please remember that all the staff here are volunteers and help in our free time, and you will sometimes have to wait for a reply.

    Important
  • Please do not attempt to remove anything or fix anything unless I ask. This includes running any sort of anti-virus/spyware programs, as they may make things harder to remove.
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool

Re: PC playing up

Post by mz30 » May 21st, 2008, 4:57 am

RENAME HIJACKTHIS

There is some infection hiding in your log.

Using Windows Explorer (right-click the Start button and left-click Explore), navigate to: C:\Program Files\HijackThis\HijackThis.exe

Right-click on HijackThis.exe and select Rename; rename it to scanner.exe.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Please ensure you read this guide carefully and install the Recovery Console first.

Additional links to download the tool:
http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.forospyware.com/sUBs/ComboFix.exe
http://subs.geekstogo.com/ComboFix.exe

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool

Re: PC playing up

Post by lost » May 21st, 2008, 9:18 am

Ok, here's the ComboFix log:

ComboFix 08-05-20.5 - ADMIN 2008-05-21 13:40:37.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.150 [GMT 1:00]
Running from: C:\Documents and Settings\ADMIN\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\ADMIN\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Documents and Settings\xx--Tasha y jose--xx\Start Menu\Programs\Outerinfo
C:\Documents and Settings\xx--Tasha y jose--xx\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\xx--Tasha y jose--xx\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\mcroso~1.net
C:\Program Files\Common Files\racle~1
C:\Program Files\Messenger\labu272.dll
C:\Program Files\Messenger\labu620.dll
C:\Program Files\network monitor
C:\Program Files\network monitor\netmon.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\FF.dll
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\RABCO
C:\Program Files\RABCO\ExecutionDll.dll
C:\Program Files\RABCO\RABCO.dll
C:\Program Files\RABCO\RABCO.dll.intermediate.manifest
C:\Program Files\RABCO\RABCOse.exe
C:\Program Files\RABCO\RABCOse.info
C:\Program Files\RABCO\RABCOse.original
C:\Program Files\RABCO\Setup.log
C:\Program Files\RABCO\un_RABCOSetup_16230.exe
C:\Program Files\RABCO\un_RABCOSetup_16230.txt
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\RABCO\X_RABCOse.log
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\WINDOWS\BMe3f7093c.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aelqiihv.dll
C:\WINDOWS\system32\atqroxff.dll
C:\WINDOWS\system32\avcvgapd.ini
C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\awxppkof.dll
C:\WINDOWS\system32\bdlbjhdj.dll
C:\WINDOWS\system32\besethsd.ini
C:\WINDOWS\system32\besetmky.dll
C:\WINDOWS\system32\bfsvamqp.dll
C:\WINDOWS\system32\blghmbhv.ini
C:\WINDOWS\system32\brusovan.dll
C:\WINDOWS\system32\buchfvru.dll
C:\WINDOWS\system32\buqgsjya.dll
C:\WINDOWS\system32\bvcoqtff.dll
C:\WINDOWS\system32\cdsvmccv.ini
C:\WINDOWS\system32\ciyrwaie.ini
C:\WINDOWS\system32\ctjixaqh.dll
C:\WINDOWS\system32\ctvjhnkk.dll
C:\WINDOWS\system32\cvnvurbo.dll
C:\WINDOWS\system32\dlnxqfsj.ini
C:\WINDOWS\system32\dmbldqwr.dll
C:\WINDOWS\system32\dpagvcva.dll
C:\WINDOWS\system32\dshteseb.dll
C:\WINDOWS\system32\dtefsxtd.dll
C:\WINDOWS\system32\duonaknq.dll
C:\WINDOWS\system32\eaytpbmu.dll
C:\WINDOWS\system32\edarughw.ini
C:\WINDOWS\system32\edpddpeo.dll
C:\WINDOWS\system32\eokquuhy.dll
C:\WINDOWS\system32\esjewvjw.ini
C:\WINDOWS\system32\exorbdeu.dll
C:\WINDOWS\system32\fadfqtlp.dll
C:\WINDOWS\system32\fccyvts.dll
C:\WINDOWS\system32\fftqocvb.ini
C:\WINDOWS\system32\fhkmp.ini
C:\WINDOWS\system32\fhkmp.ini2
C:\WINDOWS\system32\fvcofjrl.dll
C:\WINDOWS\system32\fvfdkyoq.dll
C:\WINDOWS\system32\fynynufi.dll
C:\WINDOWS\system32\gihkulwh.dll
C:\WINDOWS\system32\gqvifotn.dll
C:\WINDOWS\system32\gtkbixnj.dll
C:\WINDOWS\system32\gxmkpvhv.dll
C:\WINDOWS\system32\gxrchjlv.dll
C:\WINDOWS\system32\hjpwrnbe.dll
C:\WINDOWS\system32\hqmbqkqw.dll
C:\WINDOWS\system32\iakymlwb.dll
C:\WINDOWS\system32\ifcttami.dll
C:\WINDOWS\system32\iidqssms.dll
C:\WINDOWS\system32\ikgpimey.dll
C:\WINDOWS\system32\ikkgdktv.dll
C:\WINDOWS\system32\iuglhosx.dll
C:\WINDOWS\system32\iyvmnmbt.dll
C:\WINDOWS\system32\jdhjbldb.ini
C:\WINDOWS\system32\jgouvhgv.dll
C:\WINDOWS\system32\jgwypjlf.dll
C:\WINDOWS\system32\jkkiijk.dll
C:\WINDOWS\system32\jnxibktg.ini
C:\WINDOWS\system32\jpmtfiak.dll
C:\WINDOWS\system32\jteokygl.dll
C:\WINDOWS\system32\judknkhx.dll
C:\WINDOWS\system32\kaiftmpj.ini
C:\WINDOWS\system32\kattcxmp.dll
C:\WINDOWS\system32\khornseo.dll
C:\WINDOWS\system32\kptrhxfw.ini
C:\WINDOWS\system32\kqluscey.ini
C:\WINDOWS\system32\ktasnpub.dll
C:\WINDOWS\system32\kusopadl.dll
C:\WINDOWS\system32\lbctrlbp.dll
C:\WINDOWS\system32\lcjfelpd.dll
C:\WINDOWS\system32\lefqecpo.dll
C:\WINDOWS\system32\lgykoetj.ini
C:\WINDOWS\system32\lkxfyomr.dll
C:\WINDOWS\system32\llnmp.ini
C:\WINDOWS\system32\llnmp.ini2
C:\WINDOWS\system32\lrjfocvf.ini
C:\WINDOWS\system32\lubcorby.dll
C:\WINDOWS\system32\luktjswd.dll
C:\WINDOWS\system32\luusuloj.dll
C:\WINDOWS\system32\metksbse.dll
C:\WINDOWS\system32\mgsdiqfn.dll
C:\WINDOWS\system32\mkwvglhd.dll
C:\WINDOWS\system32\mljkiif.dll
C:\WINDOWS\system32\mllmm.dll
C:\WINDOWS\system32\mmllm.ini
C:\WINDOWS\system32\mmllm.ini2
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\mwvstrdy.dll
C:\WINDOWS\system32\mycatthq.dll
C:\WINDOWS\system32\navosurb.ini
C:\WINDOWS\system32\nctncbcv.dll
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\nkacpobo.ini
C:\WINDOWS\system32\nkhposat.dll
C:\WINDOWS\system32\npkicxdq.dll
C:\WINDOWS\system32\obopcakn.dll
C:\WINDOWS\system32\obruvnvc.ini
C:\WINDOWS\system32\oerdoexx.dll
C:\WINDOWS\system32\oesnrohk.ini
C:\WINDOWS\system32\ogpdipux.dll
C:\WINDOWS\system32\opceqfel.ini
C:\WINDOWS\system32\oyjtkkph.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\paiwnjqs.dll
C:\WINDOWS\system32\pfuvoeos.dll
C:\WINDOWS\system32\pkpxhlyy.dll
C:\WINDOWS\system32\pmkhf.dll
C:\WINDOWS\system32\pmlpitma.exe
C:\WINDOWS\system32\pmnll.dll
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\pppatc~1\?ti2evxx.exe
C:\WINDOWS\system32\pqmavsfb.ini
C:\WINDOWS\system32\pqtwa.ini
C:\WINDOWS\system32\pqtwa.ini2
C:\WINDOWS\system32\prfaxomf.dll
C:\WINDOWS\system32\puqprfsc.dll
C:\WINDOWS\system32\qgvqmplr.dll
C:\WINDOWS\system32\qjkwjakn.dll
C:\WINDOWS\system32\qnkanoud.ini
C:\WINDOWS\system32\qtcdhtjy.ini
C:\WINDOWS\system32\qtqchkum.dll
C:\WINDOWS\system32\qvncyusv.dll
C:\WINDOWS\system32\rbstnnpj.dll
C:\WINDOWS\system32\rdkixmye.dll
C:\WINDOWS\system32\rediudco.dll
C:\WINDOWS\system32\rlpmqvgq.ini
C:\WINDOWS\system32\rmoyfxkl.ini
C:\WINDOWS\system32\rowmlhjs.dll
C:\WINDOWS\system32\rpoklcgt.dll
C:\WINDOWS\system32\scxgdigy.dll
C:\WINDOWS\system32\sdrjhxtf.dll
C:\WINDOWS\system32\stem~1
C:\WINDOWS\system32\stem~1\??stem\
C:\WINDOWS\system32\stem~1\netdde.exe
C:\WINDOWS\system32\sxaeglxe.dll
C:\WINDOWS\system32\tdrpduyn.dll
C:\WINDOWS\system32\telvuaul.exe
C:\WINDOWS\system32\tjrekdfp.dll
C:\WINDOWS\system32\tjvqocxt.ini
C:\WINDOWS\system32\tqgpgdux.dll
C:\WINDOWS\system32\trimbcha.dll
C:\WINDOWS\system32\tvkwkuyv.dll
C:\WINDOWS\system32\txcoqvjt.dll
C:\WINDOWS\system32\ubuoleji.dll
C:\WINDOWS\system32\uchixccw.dll
C:\WINDOWS\system32\uepg.dll
C:\WINDOWS\system32\umbptyae.ini
C:\WINDOWS\system32\uqxnixrw.dll
C:\WINDOWS\system32\urvfhcub.ini
C:\WINDOWS\system32\vbolqakn.dll
C:\WINDOWS\system32\vcbcntcn.ini
C:\WINDOWS\system32\vccmvsdc.dll
C:\WINDOWS\system32\vdwkswiq.dll
C:\WINDOWS\system32\vhbmhglb.dll
C:\WINDOWS\system32\vhiiqlea.ini
C:\WINDOWS\system32\vjmebbgo.dll
C:\WINDOWS\system32\vldjupol.dll
C:\WINDOWS\system32\vmqtsevo.dll
C:\WINDOWS\system32\vuiiakjm.dll
C:\WINDOWS\system32\wccxihcu.ini
C:\WINDOWS\system32\weeumrbf.dll
C:\WINDOWS\system32\wfxhrtpk.dll
C:\WINDOWS\system32\whgurade.dll
C:\WINDOWS\system32\wjvwejse.dll
C:\WINDOWS\system32\wonthrxf.exe
C:\WINDOWS\system32\wqqntmhs.dll
C:\WINDOWS\system32\wtxrdlef.ini
C:\WINDOWS\system32\xcdhtunp.dll
C:\WINDOWS\system32\xjhwxfef.dll
C:\WINDOWS\system32\xkqpoolp.dll
C:\WINDOWS\system32\xrubkuoa.ini
C:\WINDOWS\system32\xupidpgo.ini
C:\WINDOWS\system32\xvlhtfwe.ini
C:\WINDOWS\system32\ycqtvojw.dll
C:\WINDOWS\system32\ydrtsvwm.ini
C:\WINDOWS\system32\yecsulqk.dll
C:\WINDOWS\system32\yemipgki.ini
C:\WINDOWS\system32\yjthdctq.dll
C:\WINDOWS\system32\ykmakqur.ini
C:\WINDOWS\system32\yqmymdjj.dll
C:\WINDOWS\system32\yvjqtkah.dll
C:\WINDOWS\tk58.exe
C:\windows\xpupdate.exe
C:\WINDOWS\YWRtaW4\
C:\WINDOWS\YWRtaW4\\asappsrv.dll
C:\WINDOWS\YWRtaW4\\command.exe
C:\WINDOWS\YWRtaW4\\sqlQuqb.vbs
C:\WINDOWS\YWRtaW4\command.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CMDSERVICE
-------\Legacy_NETWORK_MONITOR
-------\Service_cmdService
-------\Service_Network Monitor


((((((((((((((((((((((((( Files Created from 2008-04-21 to 2008-05-21 )))))))))))))))))))))))))))))))
.

2008-05-20 14:52 . 2008-05-20 14:52 <DIR> d-------- C:\Program Files\Common Files\SystemErrorFixer
2008-05-20 14:52 . 2008-05-20 14:52 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\systemerrorfixer
2008-05-20 14:51 . 2008-05-20 14:52 <DIR> d-------- C:\Program Files\SystemErrorFixer
2008-05-20 14:23 . 2008-05-20 14:23 2,624 --a------ C:\WINDOWS\system32\cceklhrj.exe
2008-05-20 14:10 . 2008-05-20 14:10 92,224 --a------ C:\WINDOWS\system32\bmfxraqe.dll
2008-05-19 14:37 . 2008-05-19 14:37 53,312 --a------ C:\WINDOWS\system32\vnnsegus.dll
2008-05-14 15:31 . 2008-05-14 15:31 2,112 --a------ C:\WINDOWS\system32\okvfqhvd.exe
2008-05-14 15:16 . 2008-05-14 15:16 3,648 --a------ C:\WINDOWS\system32\ncwvsjuw.dll
2008-05-14 15:13 . 2008-05-14 15:13 53,312 --a------ C:\WINDOWS\system32\rpwlqtie.dll
2008-05-13 00:02 . 2008-05-13 00:02 53,312 --a------ C:\WINDOWS\system32\cybirqbv.dll
2008-05-12 18:37 . 2008-05-12 18:37 53,312 --a------ C:\WINDOWS\system32\ylxhphei.dll
2008-05-06 20:08 . 2008-05-06 20:08 53,312 --a------ C:\WINDOWS\system32\oofbrwlx.dll
2008-05-05 19:08 . 2008-05-05 19:08 53,312 --a------ C:\WINDOWS\system32\hekivgen.dll
2008-05-04 01:28 . 2008-05-04 01:28 53,312 --a------ C:\WINDOWS\system32\hfcbqjyf.dll
2008-04-30 00:05 . 2008-04-30 00:05 53,312 --a------ C:\WINDOWS\system32\pbbcdkyo.dll
2008-04-29 00:06 . 2008-04-29 00:06 53,312 --a------ C:\WINDOWS\system32\clkhkumx.dll
2008-04-28 23:09 . 2008-04-28 23:09 53,312 --a------ C:\WINDOWS\system32\ejaqdtag.dll
2008-04-28 21:34 . 2008-04-28 21:34 53,312 --a------ C:\WINDOWS\system32\sdcaenkh.dll
2008-04-27 15:03 . 2008-04-27 15:03 53,312 --a------ C:\WINDOWS\system32\vqsxcqav.dll
2008-04-26 21:17 . 2008-04-26 21:17 53,312 --a------ C:\WINDOWS\system32\unwnhajs.dll
2008-04-24 15:31 . 2008-04-24 15:31 53,312 --a------ C:\WINDOWS\system32\pxvrxqco.dll
2008-04-23 18:33 . 2008-04-23 18:33 53,312 --a------ C:\WINDOWS\system32\ocisktkx.dll
2008-04-23 18:15 . 2008-04-23 18:15 <DIR> d---s---- C:\Documents and Settings\Guest\UserData
2008-04-22 21:21 . 2008-04-22 21:21 53,312 --a------ C:\WINDOWS\system32\jxqxfbbv.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-19 20:44 53,312 ----a-w C:\WINDOWS\system32\arkkqejc.dll
2008-04-18 15:31 53,312 ----a-w C:\WINDOWS\system32\pnpiqaii.dll
2008-04-12 12:35 3,648 ----a-w C:\WINDOWS\system32\ehxakqwa.dll
2008-04-12 12:30 53,312 ----a-w C:\WINDOWS\system32\fmwmbqhs.dll
2008-04-06 19:52 53,312 ----a-w C:\WINDOWS\system32\mjoryenv.dll
2008-04-03 22:26 --------- d--h--r C:\Documents and Settings\Guest\Application Data\yahoo!
2008-03-27 14:53 --------- d-----w C:\Program Files\SUPERAntiSpyware
2008-03-25 12:05 --------- d-----w C:\Program Files\SpyShredder
2008-03-25 10:47 53,312 ----a-w C:\WINDOWS\system32\tpgthybt.dll
2008-03-05 22:47 205,576 ----a-w C:\Documents and Settings\xx--Tasha y jose--xx\Application Data\installer_en[1].exe
2008-02-18 00:26 41,723 --sh--w C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
2008-01-15 21:52 140,800 --sh--w C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F70DF85-84B1-46DD-998B-932CE37EF3BD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{174910C4-0DE5-4921-9E3B-79F309649134}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75C1E1F3-BB3C-4008-BFB8-A5EC6361204B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B113865-12EC-427B-8573-B8C6AD5B445A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2008-02-18 17:55 163904 --a------ C:\WINDOWS\system32\duictgoo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8E9D96B-C1F5-4648-AEBA-05C75769D533}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0D9EB76-788B-458B-9FFD-8F44E9567E44}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D85530E8-D39D-49D0-9F36-300D594556D2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEA42FD9-95B2-430A-AC14-810F379C781A}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 01:06 1667584]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-01 19:11 4670968]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 17:46 1460560]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-03-27 15:53 1481968]
"BTAgile"="C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe" [2007-06-18 10:39 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-01-27 06:38 316728]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"wextract_cleanup0"="C:\WINDOWS\system32\advpack.dll" [2004-08-04 13:00 99840]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\xx--Tasha y jose--xx\Start Menu\Programs\Startup\
LimeWire On Startup.lnk - C:\Program Files\LimeWire\LimeWire.exe [2008-01-22 23:03:55 147456]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-05-22 19:50:12 113664]
BT Broadband Desktop Help.lnk - C:\Program Files\BTHomeHub\Help\bin\matcli.exe [2008-02-04 18:09:15 217088]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2006-07-06 15:29:03 266240]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 14:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 14:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\duictgoo]
duictgoo.dll 2008-02-18 17:55 163904 C:\WINDOWS\system32\duictgoo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.enc"= ITIG726.acm

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R2 VaultClientSRV;BT Auto Backup Service;C:\Program Files\BT Auto Backup\VaultClientSRV.exe [2007-07-04 22:01]
S3 FXDRV;FXDRV;D:\Fxdrv.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9e18db90-0cfd-11db-8558-0015581ce282}]
\Shell\AutoRun\command - E:\setupSNK.exe

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-21 14:03:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\duictgoo.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\BTHomeHub\Help\bin\mpbtn.exe
.
**************************************************************************
.
Completion time: 2008-05-21 14:09:02 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-21 13:08:58

Pre-Run: 146,938,208,256 bytes free
Post-Run: 148,293,754,880 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

382


And here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:17:49, on 21/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BTHomeHub\Help\bin\mpbtn.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Yahoo!\browser\ybrowser.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bt.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\duictgoo.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\RunOnce: [wextract_cleanup0] rundll32.exe C:\WINDOWS\system32\advpack.dll,DelNodeRunDLL32 "C:\DOCUME~1\ADMIN\LOCALS~1\Temp\IXP000.TMP\"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BTHomeHub\Help\bin\matcli.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microso ... 2145347093
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2145337421
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: duictgoo - C:\WINDOWS\SYSTEM32\duictgoo.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - Unknown owner - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 8017 bytes



Thanks
lost
Active Member
 
Posts: 2
Joined: May 20th, 2008, 9:45 am

Re: PC playing up

Unread postby mz30 » May 21st, 2008, 11:15 am

COMBOFIX-Script


  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    http://malwareremoval.com/forum/viewtopic.php?f=11&p=300848#p300848
    
    
    File::
    C:\WINDOWS\system32\bmfxraqe.dll
    C:\WINDOWS\system32\vnnsegus.dll
    C:\WINDOWS\system32\ncwvsjuw.dll
    C:\WINDOWS\system32\rpwlqtie.dll 
    C:\WINDOWS\system32\cybirqbv.dll
    C:\WINDOWS\system32\ylxhphei.dll
    C:\WINDOWS\system32\oofbrwlx.dll
    C:\WINDOWS\system32\hekivgen.dll
    C:\WINDOWS\system32\hfcbqjyf.dll
    C:\WINDOWS\system32\pbbcdkyo.dll
    C:\WINDOWS\system32\clkhkumx.dll
    C:\WINDOWS\system32\ejaqdtag.dll
    C:\WINDOWS\system32\sdcaenkh.dll
    C:\WINDOWS\system32\vqsxcqav.dll
    C:\WINDOWS\system32\unwnhajs.dll
    C:\WINDOWS\system32\pxvrxqco.dll
    C:\WINDOWS\system32\ocisktkx.dll
    C:\WINDOWS\system32\jxqxfbbv.dll
    C:\WINDOWS\system32\arkkqejc.dll
    C:\WINDOWS\system32\pnpiqaii.dll
    C:\WINDOWS\system32\ehxakqwa.dll
    C:\WINDOWS\system32\fmwmbqhs.dll
    C:\WINDOWS\system32\mjoryenv.dll
    C:\WINDOWS\system32\tpgthybt.dll
    C:\Documents and Settings\xx--Tasha y jose--xx\Application Data\installer_en[1].exe
    C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
    C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
    
    Folder::
    C:\Program Files\Common Files\SystemErrorFixer
    C:\Documents and Settings\All Users\Application Data\systemerrorfixer
    C:\Program Files\SystemErrorFixer
    C:\Program Files\SpyShredder
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F70DF85-84B1-46DD-998B-932CE37EF3BD}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{174910C4-0DE5-4921-9E3B-79F309649134}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAB59B4-55A3-4737-9FD5-B93C6430BF75}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75C1E1F3-BB3C-4008-BFB8-A5EC6361204B}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B113865-12EC-427B-8573-B8C6AD5B445A}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8E9D96B-C1F5-4648-AEBA-05C75769D533}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D0D9EB76-788B-458B-9FFD-8F44E9567E44}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D85530E8-D39D-49D0-9F36-300D594556D2}]
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DEA42FD9-95B2-430A-AC14-810F379C781A}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\duictgoo]
    
    Suspect::
    C:\WINDOWS\system32\cceklhrj.exe
    C:\WINDOWS\system32\okvfqhvd.exe
    
    
    

  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    [screenshot: the image referred to in the next step]
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Open up Hijackthis.
Click on do a system scan only.
Place a checkmark next to these lines (if still present).

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/cust ... .yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/cust ... _side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/cust ... yahoo.com/
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\duictgoo.dll
O20 - Winlogon Notify: duictgoo - C:\WINDOWS\SYSTEM32\duictgoo.dll



Then close all windows except HijackThis and click Fix Checked.
Close HijackThis.

Download and Run Malwarebytes' Anti-Malware
Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
  • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\<your username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

In your next reply please post combofix.txt, the Malwarebytes log and a fresh HJT log.
mz30
Regular Member
 
Posts: 1683
Joined: June 23rd, 2007, 9:39 am
Location: liverpool
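The two HJT lines mz30 singled out (a BHO with "(no name)" and a Winlogon Notify entry pointing at the same system32 DLL) are a pattern a helper checks for by hand. The script below is an added example, not code from this thread or from the HijackThis or ComboFix projects: it parses O2 and O20 entries, flags that pairing, and drafts the File:: and Registry:: sections in the form the CFScript above uses. The sample log is constructed from four lines of the log posted above; parse, analyze and build_cfscript are hypothetical helper names, and the output is a draft for a helper to review, not something to run unread.

```python
"""Cross-check HijackThis O2/O20 entries and draft matching CFScript sections.
Added example, not from the thread; parse/analyze/build_cfscript are
hypothetical helper names."""
import re

# Constructed sample: four O2/O20 lines taken from the HJT log posted above
# (two benign security-tool entries, two that mz30 told the poster to fix).
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\duictgoo.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: duictgoo - C:\WINDOWS\SYSTEM32\duictgoo.dll
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+?)\s*$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.*?) - (?P<path>.+?)\s*$")


def parse(log_text):
    """Split an HJT log into its O2 (BHO) and O20 (Winlogon Notify) entries."""
    bhos, notifies = [], []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            bhos.append({**m.groupdict(), "line": line})
            continue
        m = O20_RE.match(line)
        if m:
            notifies.append({**m.groupdict(), "line": line})
    return bhos, notifies


def analyze(log_text):
    """Flag nameless BHOs and any Winlogon Notify DLL that is also a BHO."""
    bhos, notifies = parse(log_text)
    bho_paths = {b["path"].lower() for b in bhos}  # Windows paths: compare case-insensitively
    findings = []
    for b in bhos:
        if b["name"].strip().lower() == "(no name)":
            findings.append({"kind": "O2", "line": b["line"], "path": b["path"],
                             "clsid": b["clsid"],
                             "reason": "BHO registered without a name"})
    for n in notifies:
        if n["path"].lower() in bho_paths:
            findings.append({"kind": "O20", "line": n["line"], "path": n["path"],
                             "notify_key": n["name"],
                             "reason": "Winlogon Notify DLL is also loaded as a BHO"})
    return findings


def build_cfscript(findings):
    """Draft File:: and Registry:: sections in the form the script above uses."""
    files = {}
    for f in findings:
        files.setdefault(f["path"].lower(), f["path"])  # one File:: line per DLL
    reg = []
    for f in findings:
        if f["kind"] == "O2":
            reg.append(r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\%s]" % f["clsid"])
        else:
            reg.append(r"[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\%s]"
                       % f["notify_key"])
    return "\n".join(["File::", *files.values(), "", "Registry::", *reg]) + "\n"


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        print(f"{h['kind']}: {h['reason']}: {h['line']}")
    print()
    print(build_cfscript(hits))
```

On the sample both duictgoo entries are flagged and the two benign entries (SDHelper.dll, SASWINLO.dll) are not; the drafted script lists the DLL once under File:: and removes the BHO CLSID and the Winlogon Notify key under Registry::, matching the two lines of mz30's script that address duictgoo.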

Re: PC playing up

Unread postby Gary R » May 30th, 2008, 12:00 pm

Due to lack of response this topic is now closed.

If you still need help open a new thread in the Malware Removal forum and wait for a new helper.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Gary R
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire