GeekPolice
Win 32 Cryto Virus

Hi,
I did a Google search for this virus and saw that you had killed it for another person, and would like the same help, please. The virus prevents any update of virus software, including going to the windowsupdate page required when you first join, and the Trend Micro site.
I also have 3 files which play adverts for Shell and two other companies randomly which would also be good to get rid of pronto.
Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:35:00, on 15/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Documents and Settings\Peter\Desktop\hijackgpthis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.hp.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 6354 bytes
:hmm:

Re: Win 32 Cryto Virus

Ooops, Crypto virus, missed the p!

Re: Win 32 Cryto Virus

Hello.

  • Download combofix from here
    Link 1
    Link 2

    1. If you are using Firefox, make sure that your download settings are as follows:

    * Tools->Options->Main tab
    * Set to "Always ask me where to Save the files".

    2. During the download, rename Combofix to Combo-Fix as follows:

    (screenshot: CF_download_FF)

    (screenshot: CF_download_rename)

    3. It is important you rename Combofix during the download, but not after.
    4. Please do not rename Combofix to other names, but only to the one indicated.
    5. Close any open browsers.
    6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

  • Double click on ComboFix.exe.
  • Follow the prompts.
    NOTE: ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.**

  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.

    (screenshot: Rcauto10)

  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan; select Yes.

    (screenshot: Whatne10)

  • Allow ComboFix to run.
  • Post C:\combofix.txt back here.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Re: Win 32 Cryto Virus

ComboFix 09-06-18.02 - Peter 18/06/2009 19:35.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.502.269 [GMT 1:00]
Running from: c:\documents and settings\Peter\Desktop\Combo-Fix.exe
.
ADS - svchost.exe: deleted 88 bytes in 2 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\recycler\S-1-5-21-1708537768-308236825-839522115-1003
c:\recycler\S-1-5-21-3605647500-711795431-3262067142-1003
c:\documents and settings\Peter\Application Data\Google\afuya1119762.exe
c:\documents and settings\Peter\Application Data\Google\Shell32.dll
c:\recycler\S-1-5-21-1708537768-308236825-839522115-1003\desktop.ini
c:\recycler\S-1-5-21-1708537768-308236825-839522115-1003\INFO2
c:\recycler\S-1-5-21-3605647500-711795431-3262067142-1003\desktop.ini
c:\recycler\S-1-5-21-3605647500-711795431-3262067142-1003\INFO2
c:\windows\IE4 Error Log.txt
c:\windows\ieocx.dll
c:\windows\system32\drivers\UACoruiiurqxeppfao.sys
c:\windows\system32\UACeejvrciultsevko.log
c:\windows\system32\UACfiyhvjbroydkgsh.log
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjdknkdqokiqfpgm.dll
c:\windows\system32\UACkyilotwsftguugs.log
c:\windows\system32\UACmqltputoijnbmql.dat
c:\windows\system32\UACnbghoqktfjydbsx.dll
c:\windows\system32\UACqrsvktpqysxwnox.dll
c:\windows\system32\UACrjbabrfqmqdulqp.dll
c:\windows\system32\UACtewwatroobwyllr.dll

----- BITS: Possible infected sites -----

hxxp://softwaredownloadcentercom.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-14 09:50 . 2009-06-14 09:50 -------- d-----w- c:\windows\system32\scripting
2009-06-14 09:50 . 2009-06-14 09:50 -------- d-----w- c:\windows\l2schemas
2009-06-14 09:50 . 2009-06-14 09:50 -------- d-----w- c:\windows\system32\en
2009-06-14 09:50 . 2009-06-14 09:50 -------- d-----w- c:\windows\system32\bits
2009-06-14 09:48 . 2009-06-14 09:51 -------- d-----w- c:\windows\ServicePackFiles
2009-06-14 09:41 . 2009-06-14 09:41 -------- d-----w- c:\windows\EHome
2009-06-14 09:27 . 2009-06-14 09:27 71620 ---ha-w- c:\windows\system32\mlfcache.dat
2009-06-08 18:24 . 2009-06-08 18:24 422 ----a-w- c:\documents and settings\Peter\Application Data\Apple Computer\socks1.exe
2009-06-08 18:24 . 2009-06-08 18:24 16141 ----a-w- c:\documents and settings\Peter\Application Data\Canon\lego.exe
2009-06-08 18:24 . 2009-06-08 18:24 13221 ----a-w- c:\documents and settings\Peter\Application Data\AdobeUM\rengo.dll
2009-06-08 18:24 . 2009-06-08 18:24 11410 ----a-w- c:\documents and settings\Peter\Application Data\Identities\msgdi.dll
2009-06-08 18:24 . 2009-06-08 18:24 11232 ----a-w- c:\documents and settings\Peter\Application Data\Adobe\shalom.exe
2009-06-08 18:24 . 2009-06-08 18:24 10121 ----a-w- c:\documents and settings\Peter\Application Data\InterVideo\kern.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 18:45 . 2008-03-19 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-06-15 18:30 . 2006-02-13 17:24 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-15 18:25 . 2005-08-04 07:47 -------- d-----w- c:\program files\Java
2009-06-15 18:21 . 2009-06-15 18:22 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-14 11:01 . 2009-06-14 10:36 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-06-14 10:43 . 2009-06-14 10:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-06-14 10:36 . 2009-06-14 10:36 -------- d-----w- c:\program files\Common Files\iS3
2009-06-14 10:18 . 2004-08-04 08:00 14336 ----a-w- c:\windows\system32\svchost.exe
2009-06-14 09:53 . 2004-08-07 13:10 79443 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-14 09:23 . 2006-08-10 19:37 -------- d-----w- c:\documents and settings\Martina\Application Data\Apple Computer
2009-06-14 08:42 . 2005-08-04 08:17 -------- d-----w- c:\program files\Google
2009-05-18 16:24 . 2009-05-18 16:24 180 ----a-w- c:\documents and settings\Brian\Application Data\asd.bat
2009-05-18 16:24 . 2009-05-18 16:24 180 ----a-w- c:\documents and settings\Brian\Application Data\asd.bat
2009-05-17 20:01 . 2009-05-17 20:01 1095680 ----a-w- c:\documents and settings\Brian\Application Data\winav.exe
2009-05-17 20:01 . 2009-05-17 20:01 1095680 ----a-w- c:\documents and settings\Brian\Application Data\winav.exe
2009-04-25 10:23 . 2006-10-20 15:42 -------- d-----w- c:\documents and settings\Peter\Application Data\HP
2009-04-17 18:05 . 2009-04-17 18:05 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-03-21 14:18 . 2004-08-04 08:00 165988 --sha-r- c:\windows\system32\srqhxhqf.dll
2009-03-16 20:04 . 2006-09-28 11:16 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-03-16 20:04 . 2006-09-28 11:16 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-16 20:04 . 2007-07-05 18:49 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-03-16 20:05 . 2007-07-05 18:49 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-03-16 20:05 . 2006-09-28 11:16 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-05 67128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-15 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Help.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BT Broadband Help.lnk
backup=c:\windows\pss\BT Broadband Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="1"
"UpdatesDisableNotify"="1"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8669:TCP"= 8669:TCP:lxqkbj

S2 ekmplyam;Support Manager;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 9:00 AM 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ekmplyam
.
Contents of the 'Scheduled Tasks' folder

2009-06-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-swg - c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hp.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-18 19:45
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ekmplyam]
"ServiceDll"="c:\windows\system32\srqhxhqf.dll"
.
Completion time: 2009-06-18 19:47
ComboFix-quarantined-files.txt 2009-06-18 18:47

Pre-Run: 4,820,504,576 bytes free
Post-Run: 5,775,204,352 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

182 --- E O F --- 2009-06-14 10:00

Re: Win 32 Cryto Virus

Now open a new notepad file.
Input this into the notepad file:

KILLALL::

Driver::
ekmplyam

File::
c:\documents and settings\Peter\Application Data\Apple Computer\socks1.exe
c:\documents and settings\Peter\Application Data\Canon\lego.exe
c:\documents and settings\Peter\Application Data\AdobeUM\rengo.dll
c:\documents and settings\Peter\Application Data\Identities\msgdi.dll
c:\documents and settings\Peter\Application Data\Adobe\shalom.exe
c:\documents and settings\Peter\Application Data\InterVideo\kern.dll
c:\documents and settings\Brian\Application Data\asd.bat
c:\documents and settings\Brian\Application Data\asd.bat
c:\documents and settings\Brian\Application Data\winav.exe
c:\documents and settings\Brian\Application Data\winav.exe
c:\windows\system32\srqhxhqf.dll

Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=-
"UpdatesDisableNotify"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8669:TCP"=-
[-HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ekmplyam]

NetSvc::
ekmplyam


Save this as CFScript.txt, save it to your desktop also.
Then drag and drop CFScript.txt into combofix as seen below:
(screenshot: Sfxdaw)

This will open ComboFix again; agree to its terms and allow it to run.
It may want to reboot after it's done. (It will warn you if it wants to)
Post the resulting log back here.
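As an added triage example (this is not code from the thread, from ComboFix or from GeekPolice), the Python script below parses a constructed excerpt modelled on the ComboFix log posted above and flags the same kinds of entries the CFScript targets: Security Center notifications silenced, Windows Firewall disabled, a globally open port, and a netsvcs-hosted service whose ServiceDll has a random-looking name. The random-name test is a heuristic assumed by this example, not a ComboFix rule.

```python
import re
from dataclasses import dataclass

# Constructed excerpt modelled on the ComboFix log posted earlier in this thread;
# it is sample input for this script, not the log itself.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"="1"
"UpdatesDisableNotify"="1"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8669:TCP"= 8669:TCP:lxqkbj

S2 ekmplyam;Support Manager;c:\windows\system32\svchost.exe -k netsvcs [8/4/2004 9:00 AM 14336]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
ekmplyam
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ekmplyam]
"ServiceDll"="c:\windows\system32\srqhxhqf.dll"
"""


@dataclass(frozen=True)
class Finding:
    category: str
    detail: str


SECTION_RE = re.compile(r"^\[-?([^\]]+)\]\s*$")          # [key] or [-key] headers
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*?)\s*$')      # "name"=value lines
# ComboFix service lines look like: S2 name;display;image -k group [date size]
SERVICE_RE = re.compile(r"^[SR]\d\s+([^;]+);[^;]*;.*?\s+-k\s+(\S+)", re.IGNORECASE)
NOTIFY_VALUES = ("AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify")


def parse_registry_blocks(text):
    """Map each [key] header (lower-cased) to the "name"=value pairs listed under it."""
    blocks, current = {}, None
    for line in text.splitlines():
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1).lower()
            blocks.setdefault(current, {})
            continue
        pair = VALUE_RE.match(line) if current else None
        if pair:
            blocks[current][pair.group(1)] = pair.group(2).strip('"')
    return blocks


def netsvcs_members(text):
    """Service names the log places in the svchost netsvcs group (both listings)."""
    names, lines = set(), text.splitlines()
    for i, line in enumerate(lines):
        if "svchost - netsvcs" in line.lower():
            for nxt in lines[i + 1:]:
                if not nxt.strip() or nxt.strip() == "." or nxt.startswith("["):
                    break
                names.add(nxt.strip().lower())
        svc = SERVICE_RE.match(line)
        if svc and svc.group(2).lower() == "netsvcs":
            names.add(svc.group(1).strip().lower())
    return names


def looks_random(filename):
    """Heuristic assumed by this example: an alphabetic stem with a run of five or
    more consonants (srqhxhqf) is typical of generated names and worth a closer look."""
    stem = re.sub(r"\.[a-z0-9]+$", "", filename.lower())
    if len(stem) < 6 or not stem.isalpha():
        return False
    runs = re.findall(r"[^aeiouy]+", stem)
    return bool(runs) and max(map(len, runs)) >= 5


def triage(text):
    """Return the findings an analyst would want to review from a ComboFix log."""
    blocks = parse_registry_blocks(text)
    findings = []
    for key, values in blocks.items():
        if key.endswith("security center"):
            for name in NOTIFY_VALUES:
                if values.get(name) == "1":
                    findings.append(Finding("security-center-notify-disabled", name))
        elif key.endswith("firewallpolicy\\standardprofile"):
            if values.get("EnableFirewall", "").startswith("0"):
                findings.append(Finding("firewall-disabled", key))
        elif key.endswith("globallyopenports\\list"):
            for name, raw in values.items():
                findings.append(Finding("open-port", f"{name} -> {raw}"))
    for svc in sorted(netsvcs_members(text)):
        dll = next((v["ServiceDll"] for k, v in blocks.items()
                    if k.endswith("\\services\\" + svc) and "ServiceDll" in v), None)
        flag = "random-looking ServiceDll" if dll and looks_random(dll.rsplit("\\", 1)[-1]) else "review"
        findings.append(Finding("netsvcs-service", f"{svc}: ServiceDll={dll} ({flag})"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.category}] {finding.detail}")
```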

Re: Win 32 Cryto Virus

ComboFix 09-06-18.02 - Peter 18/06/2009 21:24.2 - NTFSx86
Running from: c:\documents and settings\Peter\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Peter\Desktop\CFScript.txt

FILE ::
"c:\documents and settings\Brian\Application Data\asd.bat"
"c:\documents and settings\Brian\Application Data\winav.exe"
"c:\documents and settings\Peter\Application Data\Adobe\shalom.exe"
"c:\documents and settings\Peter\Application Data\AdobeUM\rengo.dll"
"c:\documents and settings\Peter\Application Data\Apple Computer\socks1.exe"
"c:\documents and settings\Peter\Application Data\Canon\lego.exe"
"c:\documents and settings\Peter\Application Data\Identities\msgdi.dll"
"c:\documents and settings\Peter\Application Data\InterVideo\kern.dll"
"c:\windows\system32\srqhxhqf.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\srqhxhqf.dll
c:\documents and settings\Brian\Application Data\asd.bat
c:\documents and settings\Brian\Application Data\winav.exe
c:\documents and settings\Peter\Application Data\Adobe\shalom.exe
c:\documents and settings\Peter\Application Data\AdobeUM\rengo.dll
c:\documents and settings\Peter\Application Data\Apple Computer\socks1.exe
c:\documents and settings\Peter\Application Data\Canon\lego.exe
c:\documents and settings\Peter\Application Data\Identities\msgdi.dll
c:\documents and settings\Peter\Application Data\InterVideo\kern.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_EKMPLYAM
-------\Service_ekmplyam


((((((((((((((((((((((((( Files Created from 2009-05-18 to 2009-06-18 )))))))))))))))))))))))))))))))
.

2009-06-14 09:50 . 2009-06-14 09:50 -------- d-----w- c:\windows\system32\scripting
2009-06-14 09:50 . 2009-06-14 09:50 -------- d-----w- c:\windows\l2schemas
2009-06-14 09:50 . 2009-06-14 09:50 -------- d-----w- c:\windows\system32\en
2009-06-14 09:50 . 2009-06-14 09:50 -------- d-----w- c:\windows\system32\bits
2009-06-14 09:48 . 2009-06-14 09:51 -------- d-----w- c:\windows\ServicePackFiles
2009-06-14 09:41 . 2009-06-14 09:41 -------- d-----w- c:\windows\EHome
2009-06-14 09:27 . 2009-06-14 09:27 71620 ---ha-w- c:\windows\system32\mlfcache.dat

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-18 20:34 . 2008-03-19 20:10 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-06-18 20:24 . 2008-09-02 16:27 -------- d-----w- c:\documents and settings\Peter\Application Data\InterVideo
2009-06-18 20:24 . 2009-01-31 18:00 -------- d-----w- c:\documents and settings\Peter\Application Data\Canon
2009-06-18 20:24 . 2006-02-12 16:05 -------- d-----w- c:\documents and settings\Peter\Application Data\Apple Computer
2009-06-18 20:24 . 2006-09-23 10:19 -------- d-----w- c:\documents and settings\Peter\Application Data\AdobeUM
2009-06-15 18:30 . 2006-02-13 17:24 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-15 18:25 . 2005-08-04 07:47 -------- d-----w- c:\program files\Java
2009-06-15 18:21 . 2009-06-15 18:22 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-14 11:01 . 2009-06-14 10:36 -------- d-----w- c:\documents and settings\All Users\Application Data\STOPzilla!
2009-06-14 10:43 . 2009-06-14 10:37 -------- d-----w- c:\documents and settings\All Users\Application Data\SITEguard
2009-06-14 10:36 . 2009-06-14 10:36 -------- d-----w- c:\program files\Common Files\iS3
2009-06-14 10:18 . 2004-08-04 08:00 14336 ----a-w- c:\windows\system32\svchost.exe
2009-06-14 09:53 . 2004-08-07 13:10 79443 ----a-w- c:\windows\pchealth\helpctr\OfflineCache\index.dat
2009-06-14 09:23 . 2006-08-10 19:37 -------- d-----w- c:\documents and settings\Martina\Application Data\Apple Computer
2009-06-14 08:42 . 2005-08-04 08:17 -------- d-----w- c:\program files\Google
2009-04-25 10:23 . 2006-10-20 15:42 -------- d-----w- c:\documents and settings\Peter\Application Data\HP
2009-04-17 18:05 . 2009-04-17 18:05 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-03-16 20:04 . 2006-09-28 11:16 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2009-03-16 20:04 . 2006-09-28 11:16 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2009-03-16 20:04 . 2007-07-05 18:49 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2009-03-16 20:05 . 2007-07-05 18:49 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2009-03-16 20:05 . 2006-09-28 11:16 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-06-18_18.45.38 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-06-18 20:33 . 2009-06-18 20:33 16384 c:\windows\temp\Perflib_Perfdata_e0.dat
+ 2009-06-18 20:33 . 2009-06-18 20:33 16384 c:\windows\temp\Perflib_Perfdata_724.dat
+ 2004-08-07 13:10 . 2009-06-18 18:58 54460 c:\windows\system32\perfc009.dat
- 2004-08-07 13:10 . 2009-06-18 18:38 54460 c:\windows\system32\perfc009.dat
+ 2004-08-07 13:10 . 2009-06-18 18:58 384464 c:\windows\system32\perfh009.dat
- 2004-08-07 13:10 . 2009-06-18 18:38 384464 c:\windows\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"LDM"="c:\program files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe" [2007-03-05 67128]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-06-15 148888]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Help.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\BT Broadband Help.lnk
backup=c:\windows\pss\BT Broadband Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=c:\windows\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Image Zone Fast Start.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\HP Image Zone Fast Start.lnk
backup=c:\windows\pss\HP Image Zone Fast Start.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
backup=c:\windows\pss\Logitech Desktop Messenger.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Logitech SetPoint.lnk
backup=c:\windows\pss\Logitech SetPoint.lnkCommon Startup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpfccopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpoews01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpofxm08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposfx08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hposid01.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqCopy.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqkygrp.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqscnvw.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpqste08.exe"=
"c:\\Program Files\\Hp\\Digital Imaging\\bin\\hpzwiz01.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=

.
Contents of the 'Scheduled Tasks' folder

2009-06-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.hp.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://www.hp.com/
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
Handler: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - c:\program files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-18 21:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\HPZipm12.exe
c:\windows\system32\snmp.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\wbem\wmiadap.exe
c:\windows\SoftwareDistribution\Download\15fdc8419110b73ae498d2bf87f8bd8a\update\update.exe
.
**************************************************************************
.
Completion time: 2009-06-18 21:38 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-18 20:38
ComboFix2.txt 2009-06-18 18:47

Pre-Run: 5,775,400,960 bytes free
Post-Run: 5,652,516,864 bytes free

178 --- E O F --- 2009-06-14 10:00

Re: Win 32 Cryto Virus
Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u


This will also reset your restore points.

How is the machine running now?

Re: Win 32 Cryto Virus
Hi,

The machine seems to be running perfectly, so much obliged. Any advice on how to prevent such malware etc. infecting again? Shall I re-download AVG or TREND?

Thanks again, off to Glastonbury so will donate on my return!

Re: Win 32 Cryto Virus
You aren't running anti-virus software.

Please install Avira antivirus otherwise you won't be protected.

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.

It is strongly recommended that you run only one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts and false virus alerts.

Re: Win 32 Cryto Virus
Hi, all done but Windows keeps telling me I have no firewall switched on. In your previous post you mention not to have two antivirus programmes running; I take it that also means firewalls? Thanks.

Re: Win 32 Cryto Virus
Yes.
Try this.


  • Now open a new notepad file.
  • Input this into the notepad file:

    Windows Registry Editor Version 5.00

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"=dword:00000001


  • Save this as fix.reg, save it to your desktop.
  • Double click fix.reg to run it.
  • Select yes to the registry merge prompt.
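As an added example (not code from this thread, ComboFix or Avira), the following Python script parses registry-export text in the format that the ComboFix log above prints and that fix.reg uses, reads the StandardProfile EnableFirewall value before and after merging the fix, and lists AuthorizedApplications exceptions that point outside %windir% or Program Files so they can be reviewed. It assumes that the `~` in ComboFix key paths is shorthand for SYSTEM\CurrentControlSet and that regedit requires full root names such as HKEY_LOCAL_MACHINE, which is why `expand_reg_text` rewrites the `[...]` headers. The sample registry text is constructed; its key names follow the log, and the last exception entry is an invented placeholder.

```python
"""Audit a Windows XP firewall policy exported in .reg / ComboFix format.

Added example, not from the thread. Assumptions: '~' in ComboFix key paths
abbreviates SYSTEM\\CurrentControlSet, and regedit needs full root names.
"""
import re

# Constructed sample: key names follow the ComboFix log; the EnableFirewall
# value and the Temp-directory exception are invented for illustration.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000000

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Documents and Settings\\user\\Local Settings\\Temp\\unknown-app.exe"=
'''

# The fix posted in the thread, verbatim.
FIX_REG = r'''Windows Registry Editor Version 5.00

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"=dword:00000001
'''

ROOTS = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
# Exceptions under these prefixes are the normal case; anything else is reviewed.
EXPECTED_PREFIXES = ("%windir%\\", "c:\\windows\\", "c:\\program files\\")


def expand_key(key):
    """Turn ComboFix shorthand (HKLM\\~\\...) into a full regedit key path."""
    root, _, rest = key.partition("\\")
    root = ROOTS.get(root.upper(), root)
    if rest.startswith("~\\"):  # assumption: '~' == SYSTEM\CurrentControlSet
        rest = "SYSTEM\\CurrentControlSet\\" + rest[2:]
    return root + "\\" + rest


def expand_reg_text(text):
    """Rewrite every [key] header so regedit accepts the file."""
    return re.sub(r"^\[(.+)\]$", lambda m: "[" + expand_key(m.group(1)) + "]",
                  text, flags=re.M)


def parse_reg(text):
    """Parse .reg text into {expanded lowercase key: {value name: raw value}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            current = expand_key(m.group(1)).lower()
            keys.setdefault(current, {})
            continue
        m = re.fullmatch(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if m and current is not None:
            # .reg escapes backslashes in value names; undo that.
            keys[current][m.group(1).replace("\\\\", "\\")] = m.group(2)
    return keys


def merge(base, overlay):
    """Apply overlay values on top of base, as a registry merge would."""
    merged = {k: dict(v) for k, v in base.items()}
    for key, vals in overlay.items():
        merged.setdefault(key, {}).update(vals)
    return merged


FIREWALL_KEY = expand_key(
    r"HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile").lower()
AUTH_LIST_KEY = FIREWALL_KEY + "\\authorizedapplications\\list"


def firewall_enabled(keys):
    """True/False from EnableFirewall; None if the value is absent or malformed."""
    vals = keys.get(FIREWALL_KEY, {})
    raw = next((v for n, v in vals.items() if n.lower() == "enablefirewall"), None)
    if raw is None:
        return None
    m = re.fullmatch(r"dword:([0-9a-f]{8})", raw, re.IGNORECASE)
    return None if m is None else int(m.group(1), 16) != 0


def authorized_apps(keys):
    """All program paths that have a firewall exception."""
    return sorted(keys.get(AUTH_LIST_KEY, {}))


def suspicious_exceptions(keys):
    """Exceptions outside the expected program directories, for manual review."""
    return [p for p in authorized_apps(keys)
            if not p.lower().startswith(EXPECTED_PREFIXES)]


if __name__ == "__main__":
    before = parse_reg(SAMPLE_REG)
    after = merge(before, parse_reg(FIX_REG))
    print("firewall enabled before fix:", firewall_enabled(before))
    print("firewall enabled after fix: ", firewall_enabled(after))
    print("exceptions to review:", suspicious_exceptions(after))
    print(expand_reg_text(FIX_REG))
```

Running the script reports the firewall as disabled in the constructed sample, enabled after the posted fix is merged, and flags only the Temp-directory entry; the expanded .reg text it prints is what regedit would actually accept if the shorthand path is not merged as-is.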

Re: Win 32 Cryto Virus
Done, thanks, is that it then?
You really are a genius!

Re: Win 32 Cryto Virus
Yes, that should be it. Smile...

Re: Win 32 Cryto Virus
Hi, it still says each time I turn on the computer that there is no firewall turned on. Shall I just ignore this? Thanks.

Re: Win 32 Cryto Virus
Try turning it on manually.

Re: Win 32 Cryto Virus
Hi, I've turned the Windows one on! I take it this is OK, or does Avira have one I should turn on? Thanks.

Re: Win 32 Cryto Virus
The free Avira doesn't come with a firewall, so this should be fine now.
