Member Panel

drakem126

Hello if anyone could help me out it would be much appreciated. I am a basic computer user and and understand the purpose of Hijack this but do not have a clue which entries are harmful ? My sister stupidly downloaded a keygen onto the computer last night and along with it lots of virus and so on. I am getting pop ups every few minutes adn it has slowed my computer right down.
I have attached a Hijack this log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 18:47:43, on 10/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\DrWeb\spidernt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DrWeb\DRWEBSCD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Documents and Settings\User\Desktop\HiJackThis_v2.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {f64c8044-72a8-6478-b594-4fc9ba1363c4} - {4c3631ab-9cf4-495b-8746-8a274408c46f} - C:\WINDOWS\system32\woffutlr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7A48E3AF-33CE-46B9-B8BD-D0A21E35B505} - C:\WINDOWS\system32\ssttr.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\qutvauvt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\qutvauvt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [e89cf492] rundll32.exe "C:\WINDOWS\system32\hulwgqnh.dll",b
O4 - HKLM\..\Run: [DrWebScheduler] C:\Program Files\DrWeb\DRWEBSCD.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} - https://3msource.3m.com/dana-cached/...niperSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0DA91C8-CCA1-4B7F-B530-1B262CA5ADBD}: NameServer = 192.168.0.1
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00E372D.dat
O20 - Winlogon Notify: qutvauvt - C:\WINDOWS\SYSTEM32\qutvauvt.dll
O20 - Winlogon Notify: winwim32 - winwim32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SpIDer Guard for Windows (SPIDERNT) - Doctor Web, Ltd. - C:\PROGRA~1\DrWeb\spidernt.exe

--
End of file - 8477 bytes

Pancake

You have a few nasties in here....

Please download Combofix from HERE or HERE

Save ComboFix to the desktop.
1. Double click on combo.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Copy and Paste the contents of that log in your next reply with a new hijackthis log. Do not use Code or html unless asked for.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.

drakem126

Combo fix log :

ComboFix 07-11-08.1 - User 2007-11-11 18:36:07.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.94 [GMT 0:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\User\Desktop\Live Safety Center.lnk
C:\Documents and Settings\User\Desktop\Online Security Guide.lnk
C:\Documents and Settings\User\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\__c00955EC.dat
C:\WINDOWS\system32\__c00E372D.dat
C:\WINDOWS\system32\dmugkchj.dll
C:\WINDOWS\system32\hunrwfqf.dll
C:\WINDOWS\system32\ljjgecd.dll
C:\WINDOWS\system32\qutvauvt.dllbox
C:\WINDOWS\system32\rtkmedrw.dll
C:\WINDOWS\system32\rttss.bak1
C:\WINDOWS\system32\rttss.bak2
C:\WINDOWS\system32\rttss.ini
C:\WINDOWS\system32\ssqnkki.dll
C:\WINDOWS\system32\ssttr.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE

((((((((((((((((((((((((( Files Created from 2007-10-11 to 2007-11-11 )))))))))))))))))))))))))))))))
.

2007-11-11 18:33 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-11 17:40 79,936 --a------ C:\WINDOWS\system32\hcjbqrxk.dll
2007-11-11 17:34 88,128 --a------ C:\WINDOWS\system32\xpdxkayh.dll
2007-11-10 18:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-10 18:52 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-10 18:52 <DIR> d-------- C:\Program Files\CCleaner
2007-11-10 10:27 <DIR> d-------- C:\Documents and Settings\User\DoctorWeb
2007-11-10 10:26 <DIR> d-------- C:\Program Files\DrWeb
2007-11-10 10:26 73,728 --a----t- C:\WINDOWS\system32\DRWEBSP.DLL
2007-11-10 10:25 <DIR> d-------- C:\Documents and Settings\User\Application Data\InstallShield
2007-11-10 10:07 81,472 --a------ C:\WINDOWS\system32\woffutlr.dll
2007-11-10 10:04 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-10 09:57 145,984 --a------ C:\WINDOWS\system32\ysualagh.dll
2007-11-10 09:57 145,984 --a------ C:\WINDOWS\system32\qutvauvt.dll
2007-10-25 20:44 <DIR> d-------- C:\Documents and Settings\User\Application Data\Autograph
2007-10-25 20:05 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-18 17:21 <DIR> d-------- C:\Program Files\AimAtFile
2007-10-17 19:58 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-17 19:57 <DIR> d-------- C:\Program Files\Real
2007-10-17 19:57 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-17 17:07 <DIR> d-------- C:\Program Files\iTunes
2007-10-17 17:07 <DIR> d-------- C:\Program Files\iPod
2007-10-17 17:06 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-17 16:45 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-17 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-17 13:50 <DIR> d-------- C:\Program Files\DivX
2007-10-17 13:50 854 --a------ C:\WINDOWS\mozver.dat
2007-10-11 07:12 <DIR> d-------- C:\Program Files\Autograph 30-day

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2007-11-11 18:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-11 18:29 --------- d-----w C:\Documents and Settings\User\Application Data\OpenOffice.org2
2007-11-10 10:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-22 22:08 --------- d-----w C:\Documents and Settings\Louisa\Application Data\OpenOffice.org2
2007-10-20 23:32 --------- d-----w C:\Documents and Settings\User\Application Data\Azureus
2007-10-20 15:15 --------- d-----w C:\Program Files\Azureus
2007-10-17 17:07 --------- d-----w C:\Documents and Settings\User\Application Data\Apple Computer
2007-10-17 17:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-03 17:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-03 17:52 --------- d-----w C:\Program Files\Bonjour
2007-10-03 17:51 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-03 17:41 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-09-28 18:53 --------- d-----w C:\Program Files\MSN Messenger
2007-09-27 21:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-27 21:09 --------- d-----w C:\Program Files\ZAR
2007-09-24 19:52 --------- d-----w C:\Program Files\XemiComputers
2007-09-24 19:52 --------- d-----w C:\Documents and Settings\User\Application Data\XemiComputers
2007-09-24 19:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\XemiComputers
2007-09-24 19:50 --------- d-----w C:\Program Files\Rainlendar2
2007-09-23 21:14 --------- d-----w C:\Documents and Settings\User\Application Data\Ahead
2007-09-20 16:42 --------- d-----w C:\Program Files\AudioLabel
2007-09-18 15:10 --------- d-----w C:\Program Files\QuickTime
2007-09-14 19:42 2,003 ----a-w C:\cwrsync.bat
2007-09-12 20:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-09-12 20:42 --------- d-----w C:\Program Files\Common Files\Ahead
2007-09-12 20:39 --------- d-----w C:\Program Files\Nero
2007-09-12 20:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-09-12 20:30 --------- d-----w C:\Program Files\Cucusoft
2007-09-11 20:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2007-09-06 11:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 11:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1989d14d-d967-4809-b369-fc778010f041}]
2007-11-11 17:40 79936 --a------ C:\WINDOWS\system32\hcjbqrxk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4c3631ab-9cf4-495b-8746-8a274408c46f}]
2007-11-10 10:07 81472 --a------ C:\WINDOWS\system32\woffutlr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-10 09:57 145984 --a------ C:\WINDOWS\system32\qutvauvt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\qutvauvt.dll [2007-11-10 09:57 145984]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"EPSON Stylus CX3200"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\ 3\E_S10IC2.exe" [2002-07-01 02:05]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-17 19:57]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp. exe" [2007-09-06 11:06]
"DrWebScheduler"="C:\Program Files\DrWeb\DRWEBSCD.EXE" [2007-09-19 16:04]
"e89cf492"="C:\WINDOWS\system32\xpdxkayh.dll" [2007-11-11 17:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 18:03]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-07-22 12:32]

[HKEY_USERS\.default\software\microsoft\windows\cur rentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32

C:\Documents and Settings\Louisa\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qutvauvt]
qutvauvt.dll 2007-11-10 09:57 145984 C:\WINDOWS\system32\qutvauvt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwim32]
winwim32.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssttr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
VTtrayp.exe

R0 ViBus;ViBus;C:\WINDOWS\system32\DRIVERS\ViBus.sys
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX3 2.sys
R0 ViPrt;VIA SATA IDE Device Driver;C:\WINDOWS\system32\DRIVERS\ViPrt.sys
R2 HWiNFO32;HWiNFO32 Kernel Driver;\??\C:\Program Files\HWiNFO32\HWiNFO32.SYS
R2 SPIDER;SpIDer Guard File System Monitor;\??\C:\PROGRA~1\DrWeb\spider.sys
R2 SPIDERNT;SpIDer Guard for Windows;C:\PROGRA~1\DrWeb\spidernt.exe
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 17:45:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
************************************************** ************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-11 18:44:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
Completion time: 2007-11-11 18:46:48 - machine was rebooted
.
--- E O F ---

Hijack This log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:19:50, on 11/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\DrWeb\spidernt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DrWeb\DRWEBSCD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {140f0108-77cf-963b-9084-769dd41d9891} - {1989d14d-d967-4809-b369-fc778010f041} - C:\WINDOWS\system32\hcjbqrxk.dll
O2 - BHO: (no name) - {4c3631ab-9cf4-495b-8746-8a274408c46f} - C:\WINDOWS\system32\woffutlr.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\qutvauvt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\qutvauvt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DrWebScheduler] "C:\Program Files\DrWeb\DRWEBSCD.EXE"
O4 - HKLM\..\Run: [e89cf492] rundll32.exe "C:\WINDOWS\system32\xpdxkayh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} - https://3msource.3m.com/dana-cached/...niperSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0DA91C8-CCA1-4B7F-B530-1B262CA5ADBD}: NameServer = 192.168.0.1
O20 - Winlogon Notify: qutvauvt - C:\WINDOWS\SYSTEM32\qutvauvt.dll
O20 - Winlogon Notify: winwim32 - winwim32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SpIDer Guard for Windows (SPIDERNT) - Doctor Web, Ltd. - C:\PROGRA~1\DrWeb\spidernt.exe

--
End of file - 8735 bytes

Thanks!

Pancake · 10:45 PM

Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.
It's IMPORTANT to carry out the instructions in the sequence listed below.

1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

KillAll::
File::
C:\WINDOWS\system32\hcjbqrxk.dll
C:\WINDOWS\system32\xpdxkayh.dll
C:\WINDOWS\system32\woffutlr.dll
C:\WINDOWS\system32\ysualagh.dll
C:\WINDOWS\system32\qutvauvt.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1989d14d-d967-4809-b369-fc778010f041}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4c3631ab-9cf4-495b-8746-8a274408c46f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"e89cf492"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qutvauvt]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwim32]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\contro l\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssttr.dll

Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.

Refering to the picture above, drag CFScript.txt into ComboFix.exe
Restart your computer.
When finished, it shall produce a log for you at C:\ComboFix.txt
Please copy and paste the ComboFix.txt along with a fresh HijackThis log in your next reply please.

*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

drakem126

Combofix log:
ComboFix 07-11-08.1 - User 2007-11-12 9:54:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.175 [GMT 0:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\hcjbqrxk.dll
C:\WINDOWS\system32\qutvauvt.dll
C:\WINDOWS\system32\woffutlr.dll
C:\WINDOWS\system32\xpdxkayh.dll
C:\WINDOWS\system32\ysualagh.dll
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\User\Desktop\Live Safety Center.lnk
C:\Documents and Settings\User\Desktop\Online Security Guide.lnk
C:\Documents and Settings\User\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\hcjbqrxk.dll
C:\WINDOWS\system32\qutvauvt.dll
C:\WINDOWS\system32\qutvauvt.dllbox
C:\WINDOWS\system32\woffutlr.dll
C:\WINDOWS\system32\xpdxkayh.dll
C:\WINDOWS\system32\ysualagh.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.

2007-11-11 18:33 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-10 18:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-10 18:52 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-10 18:52 <DIR> d-------- C:\Program Files\CCleaner
2007-11-10 10:27 <DIR> d-------- C:\Documents and Settings\User\DoctorWeb
2007-11-10 10:26 <DIR> d-------- C:\Program Files\DrWeb
2007-11-10 10:26 73,728 --a----t- C:\WINDOWS\system32\DRWEBSP.DLL
2007-11-10 10:25 <DIR> d-------- C:\Documents and Settings\User\Application Data\InstallShield
2007-11-10 10:04 <DIR> d-------- C:\Program Files\Alwil Software
2007-10-25 20:44 <DIR> d-------- C:\Documents and Settings\User\Application Data\Autograph
2007-10-25 20:05 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-18 17:21 <DIR> d-------- C:\Program Files\AimAtFile
2007-10-17 19:58 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-17 19:57 <DIR> d-------- C:\Program Files\Real
2007-10-17 19:57 <DIR> d-------- C:\Program Files\Common Files\Real
2007-10-17 17:07 <DIR> d-------- C:\Program Files\iTunes
2007-10-17 17:07 <DIR> d-------- C:\Program Files\iPod
2007-10-17 17:06 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-10-17 16:45 <DIR> d-------- C:\Program Files\Apple Software Update
2007-10-17 16:45 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-10-17 13:50 <DIR> d-------- C:\Program Files\DivX
2007-10-17 13:50 854 --a------ C:\WINDOWS\mozver.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2007-11-11 21:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-11 20:51 --------- d-----w C:\Documents and Settings\User\Application Data\OpenOffice.org2
2007-11-10 10:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-22 22:08 --------- d-----w C:\Documents and Settings\Louisa\Application Data\OpenOffice.org2
2007-10-20 23:32 --------- d-----w C:\Documents and Settings\User\Application Data\Azureus
2007-10-20 15:15 --------- d-----w C:\Program Files\Azureus
2007-10-17 17:07 --------- d-----w C:\Documents and Settings\User\Application Data\Apple Computer
2007-10-17 17:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-11 07:13 --------- d-----w C:\Program Files\Autograph 30-day
2007-10-03 17:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-03 17:52 --------- d-----w C:\Program Files\Bonjour
2007-10-03 17:51 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-03 17:41 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-09-28 18:53 --------- d-----w C:\Program Files\MSN Messenger
2007-09-27 21:39 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-09-27 21:09 --------- d-----w C:\Program Files\ZAR
2007-09-24 19:52 --------- d-----w C:\Program Files\XemiComputers
2007-09-24 19:52 --------- d-----w C:\Documents and Settings\User\Application Data\XemiComputers
2007-09-24 19:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\XemiComputers
2007-09-24 19:50 --------- d-----w C:\Program Files\Rainlendar2
2007-09-23 21:14 --------- d-----w C:\Documents and Settings\User\Application Data\Ahead
2007-09-20 16:42 --------- d-----w C:\Program Files\AudioLabel
2007-09-18 15:10 --------- d-----w C:\Program Files\QuickTime
2007-09-14 19:42 2,003 ----a-w C:\cwrsync.bat
2007-09-12 20:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-09-12 20:42 --------- d-----w C:\Program Files\Common Files\Ahead
2007-09-12 20:39 --------- d-----w C:\Program Files\Nero
2007-09-12 20:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2007-09-12 20:30 --------- d-----w C:\Program Files\Cucusoft
2007-09-06 11:09 801,144 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-09-06 11:00 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
.

((((((((((((((((((((((((((((( snapshot@2007-11-11_18.45.48.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-12 10:00:07 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_63c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"EPSON Stylus CX3200"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\ 3\E_S10IC2.exe" [2002-07-01 02:05]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-17 19:57]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp. exe" [2007-09-06 11:06]
"DrWebScheduler"="C:\Program Files\DrWeb\DRWEBSCD.EXE" [2007-09-19 16:04]
"e89cf492"="C:\WINDOWS\system32\xpdxkayh.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 18:03]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2007-07-22 12:32]

[HKEY_USERS\.default\software\microsoft\windows\cur rentversion\runonce]
"ShowDeskFix"=regsvr32 /s /n /i:u shell32

C:\Documents and Settings\Louisa\Start Menu\Programs\Startup\
OpenOffice.org 2.2.lnk - C:\Program Files\OpenOffice.org 2.2\program\quickstart.exe [2007-02-02 16:54:56]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
VTtrayp.exe

R0 ViBus;ViBus;C:\WINDOWS\system32\DRIVERS\ViBus.sys
R0 videX32;videX32;C:\WINDOWS\system32\DRIVERS\videX3 2.sys
R0 ViPrt;VIA SATA IDE Device Driver;C:\WINDOWS\system32\DRIVERS\ViPrt.sys
R2 HWiNFO32;HWiNFO32 Kernel Driver;\??\C:\Program Files\HWiNFO32\HWiNFO32.SYS
R2 SPIDER;SpIDer Guard File System Monitor;\??\C:\PROGRA~1\DrWeb\spider.sys
R2 SPIDERNT;SpIDer Guard for Windows;C:\PROGRA~1\DrWeb\spidernt.exe
R3 FET5X86V;VIA Rhine-Family Fast-Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 17:45:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
************************************************** ************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 10:00:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

************************************************** ************************
.
Completion time: 2007-11-12 10:01:51 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-11 18:46
.
--- E O F ---

Hijack this:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:05:19, on 12/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\PROGRA~1\DrWeb\spidernt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\DrWeb\DRWEBSCD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\User\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = MSN.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Live Search
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Live Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = MSN.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [EPSON Stylus CX3200] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC 2.EXE /P19 "EPSON Stylus CX3200" /O6 "USB001" /M "Stylus CX3200"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [DrWebScheduler] "C:\Program Files\DrWeb\DRWEBSCD.EXE"
O4 - HKLM\..\Run: [e89cf492] rundll32.exe "C:\WINDOWS\system32\xpdxkayh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [ShowDeskFix] regsvr32 /s /n /i:u shell32 (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4CC35DAD-40EA-4640-ACC2-A1A3B6FB3E06} - https://3msource.3m.com/dana-cached/...niperSetup.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0DA91C8-CCA1-4B7F-B530-1B262CA5ADBD}: NameServer = 192.168.0.1
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762# # (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EpsonBidirectionalService - Unknown owner - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SpIDer Guard for Windows (SPIDERNT) - Doctor Web, Ltd. - C:\PROGRA~1\DrWeb\spidernt.exe

--
End of file - 8159 bytes

Thanks

Pancake

Ok.Just need to tidy these up and you are all done

Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes.Confirm that you have only the listed ones checked, then press <Fix checked> and Close HJT.
O4 - HKLM\..\Run: [e89cf492] rundll32.exe "C:\WINDOWS\system32\xpdxkayh.dll",b

==================================

This will clear away any of the files and folders that were created by ComboFix.
Go to :
Start > Run then copy and paste the following highlighted text below and click OK.

ComboFix /u

=====================

Now that you are clean,and If you wish to do so, here are a few things that you can do that will help keep your computer a bit more clean and secure..they can be done at your leisure.

Download and scan with CCleaner
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
3. Then select the items you wish to clean up.
In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

=========================================
Is your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version if required.
Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u3 (Java SE Downloads).
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.
Click the
Download
button to the right.
Check the box that says:
Accept License Agreement.
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versi

Member Panel

Sponsors and Ads

Live Tag Cloud