Cousins infected PC

Hi All,

So i'm here for help, like most!! So my cousin's PC (XP) has been infected. I know this by the following

- PC is having issues opening IE and firefox, random crashing
- Clicking on links in google are being re-directed
- MS Updates havent been installed
- Can't fully clean system with AVG

My cousin has had his PC infrected for a while, he had limewire and a registry cleaner on, which i have now removed. I have tried to clean his PC using AVG but this has only removed a few infected files, around 5 could not be removed. My cousin had a registry cleaner installed, which i have removed as i have only heard bad things. I tried to run HijackThis log, which ran and then closed without outputting a log file, which also tells me there are virus/malware infections on the system. So my question is - where can i start even though i can't even post a hijack this log!!

Thanks,

P.S. No firewall as well on system, i installed AVAST and Zonelarm and Spybot a while ago on this PC (a year or so), but these have been since removed by my cousins brother in law for reasons i do not know!!!

Please download the current version of HijackThis from HERE

• Double click and run the installer.
  
• It will install to C:\Program Files\Trend Micro\HijackThis\hijackthis.exe
  
• After installing, you should get the user agreement, press accept and Hijack This will run.
  
• Select Do a system scan and save a log file. This will open a notepad file of everything Hijack This found, copy and paste it back here.
  

Hi Belahzur,

Tried what you suggested, again HijockThis installed and ran, but as it finished running the scan the program just closes and no log file is produced. This is what happened last night - any suggestions around it?

After i run the HJT again - i always get a permission denied error etc....tried renaming files and folders to get around this but still get same error.

Tried to install malwarebytes anti malware - but this does not run after installation...grrrr

Over to you!

Markhtar

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2

• Double-click SystemLook.exe to run it.
  
• Copy the content of the following codebox into the main textfield:
  

  Code:

  
:filefind
scecli.dll
netlogon.dll
eventlog.dll
cngaudit.dll

  
  
  
• Click the Look button to start the scan.
  
• When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
  

Note: The log can also be found on your Desktop entitled SystemLook.txt

Hi Belahzur

Please see below for the log file...

SystemLook v1.0 by jpshortstuff (29.08.09)
Log created at 17:38 on 30/09/2009 by navead bhatti (Administrator - Elevation successful)

========== filefind ==========

Searching for "scecli.dll"
C:\i386\scecli.dll --a--- 180224 bytes [20:03 05/05/2006] [04:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\$NtServicePackUninstall$\scecli.dll -----c 180224 bytes [22:21 29/10/2008] [04:00 04/08/2004] 0F78E27F563F2AAF74B91A49E2ABF19A
C:\WINDOWS\ServicePackFiles\i386\scecli.dll ------ 181248 bytes [17:47 22/10/2008] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084
C:\WINDOWS\system32\scecli.dll --a--- 181248 bytes [11:51 10/08/2004] [00:12 14/04/2008] A86BB5E61BF3E39B62AB4C7E7085A084

Searching for "netlogon.dll"
C:\i386\netlogon.dll --a--- 407040 bytes [20:00 05/05/2006] [04:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll -----c 407040 bytes [22:21 29/10/2008] [04:00 04/08/2004] 96353FCECBA774BB8DA74A1C6507015A
C:\WINDOWS\ServicePackFiles\i386\netlogon.dll ------ 407040 bytes [17:46 22/10/2008] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550
C:\WINDOWS\system32\netlogon.dll --a--- 407040 bytes [11:51 10/08/2004] [00:12 14/04/2008] 1B7F071C51B77C272875C3A23E1E4550

Searching for "eventlog.dll"
C:\i386\eventlog.dll --a--- 55808 bytes [19:59 05/05/2006] [04:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll -----c 55808 bytes [22:22 29/10/2008] [04:00 04/08/2004] 82B24CB70E5944E6E34662205A2A5B78
C:\WINDOWS\ServicePackFiles\i386\eventlog.dll ------ 56320 bytes [17:45 22/10/2008] [00:11 14/04/2008] 6D4FEB43EE538FC5428CC7F0565AA656
C:\WINDOWS\system32\eventlog.dll --a--- 61952 bytes [11:51 10/08/2004] [00:11 14/04/2008] (Unable to calculate MD5)

Searching for "cngaudit.dll"
No files found.

-=End Of File=-

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE

• Click on Avenger.zip to open the file
  
• Extract avenger.exe to your desktop
  

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to delete:
C:\WINDOWS\system32\eventlog.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.

• Under "Input script here:", paste in the script from the quote box above.
  
• Leave the ticked box "Scan for rootkit" ticked.
  
• Then tick "Disable any rootkits found"
  
• Now click on the Execute to begin execution of the script.
  
• Answer "Yes" twice when prompted.
  
  The Avenger will automatically do the following:
  
  
• It will Restart your computer.
  
• On reboot, it will briefly open a black command window on your desktop, this is normal.
  
• After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  
• The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
  

4. Please copy/paste the content of c:\avenger.txt into your reply.

Hey Belahzur

See below - guess that is a good start there is no rootkits right!

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

File "C:\WINDOWS\system32\eventlog.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

• Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  
• If an update is found, it will download and install the latest version.
  
• Once the program has loaded, select "Perform Quick Scan", then click Scan.
  
• The scan may take some time to finish,so please be patient.
  
• When the scan is complete, click OK, then Show Results to view the results.
  
• Make sure that everything is checked, and click Remove Selected.
  
• When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  
• The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  

Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Post the contents of the MBAM Log.

Hi again,

thanks for your help so far.

Ok so i ran Malwarebytes (after renaming setup file, renaming, folder install, renaming exe file) eventually it ran and i updated software after re-enabling the network card.

Please see below for log files - just to let you know all the silly dll pop ups are not appearing at bootup now...but the system does not seem still that fast (could have been due to malwarebytes doing it stuff after first reboot) - any way...

Malwarebytes' Anti-Malware 1.41
Database version: 2895
Windows 5.1.2600 Service Pack 3

02/10/2009 18:25:57
mbam-log-2009-10-02 (18-25-57).txt

Scan type: Quick Scan
Objects scanned: 132670
Time elapsed: 6 minute(s), 54 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 19
Registry Values Infected: 8
Registry Data Items Infected: 10
Folders Infected: 4
Files Infected: 39

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\SKYNETxueldlkd.dll (Trojan.FakeAlert) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{2d2bee6e-3c9a-4d58-b9ec-458edb28d0f6} (Rogue.DriveCleaner) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{b64f4a7c-97c9-11da-8bde-f66bad1e3f3a} (Rogue.WinAntiVirus) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{19127ad2-394b-70f5-c650-b97867baa1f7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{494e6cec-7483-a4ee-0938-895519a84bc7} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Monopod (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\NordBull (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\XML (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\antiviruspro2009 (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sys32 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\net (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> Delete on reboot.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\scui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\don't load\wscui.cpl (Hijack.SecurityCenter) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WINID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\Lsass Service (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: c:\windows\system32\sdra64.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.FakeAlert) -> Data: system32\sdra64.exe -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.hȋdden) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\pavuppad.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\navead bhatti\Application Data\NI.GSCNS (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\AntivirusPro2009 (Rogue.AntiVirus2008) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bookls (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec (Stolen.data) -> Delete on reboot.

Files Infected:
\\?\globalroot\systemroot\system32\SKYNETxueldlkd.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\hcel.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xa.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\4.tmp (Trojan.Zbot) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\8.tmp (Trojan.PWS) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\a.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\c.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\gnoxrrpcxy.exe (Trojan.Buzus) -> Quarantined and deleted successfully.
C:\Documents and Settings\navead bhatti\Local Settings\Temp\xpre.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\navead bhatti\Application Data\NI.GSCNS\dl.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\navead bhatti\Application Data\NI.GSCNS\settings.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bookls\dooi.poc (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bookls\orde.poc (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Delete on reboot.
C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Delete on reboot.
C:\Documents and Settings\All Users\Application Data\merubehu.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Common Files\ojuqy.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\vkywt.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\navead bhatti\Start Menu\Programs\Startup\ChkDisk.lnk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\autochk.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\str.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\sdra64.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\navead bhatti\Local Settings\Temp\nsrbgxod.bak (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\navead bhatti\Local Settings\Temp\tmpwr2 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\navead bhatti\Local Settings\Temp\tmpwr3 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\navead bhatti\Local Settings\Temp\tmpwr4 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\navead bhatti\Local Settings\Temp\tmpwr5 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\navead bhatti\Local Settings\Temp\tmpwr6 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\navead bhatti\Local Settings\Temp\tmpwr7 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\navead bhatti\Local Settings\Temp\tmpwr8 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\navead bhatti\Local Settings\Temp\tmpwr9 (Rogue.Installer) -> Quarantined and deleted successfully.
C:\Documents and Settings\navead bhatti\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\NetworkService\protect.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\win32k.sys (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\navead bhatti\Desktop\winlogon.scr (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.

Please see below for DDS.txt


DDS (Ver_09-09-29.01) - NTFSx86
Run by navead bhatti at 20:03:44.85 on 03/10/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.529 [GMT 1:00]

AV: AVG Anti-Virus Free *On-access scanning enabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Trust_CR-1200_16-in-1_USB2_CARD_READER\shwicon2k.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\system32\DrvMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\NclBTHandler.exe
C:\Documents and Settings\navead bhatti\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mDefault_Search_URL = hxxp://www.google.com/ie
mSearch Page = hxxp://www.google.com
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.hackerwatch.org/probe/
uSearchAssistant = hxxp://www.google.com
mSearchAssistant = hxxp://www.google.com
uURLSearchHooks: N/A: {4fbacd73-f67c-42ae-b46a-03960afe3dfb} - c:\progra~1\orange~1\TOOLBA~2.DLL
BHO: {02478D38-C3F9-4efb-9B51-7695ECA05670} - No File
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - No File
TB: Orange Toolbar: {e97b5f2e-ca8e-4d34-bda3-44eec4ed2b12} - c:\program files\orange toolbar uk\ToolbarContainer230.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
TB: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No File
EB: Orange Toolbar: {e97b5f2e-ca8e-4d34-bda3-44eec4ed2b12} - c:\program files\orange toolbar uk\ToolbarContainer230.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [DrvMon.exe] c:\windows\system32\DrvMon.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
uRun: [MsnMsgr] "c:\program files\windows live\messenger\MsnMsgr.Exe" /background
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [ATIPTA] "c:\program files\ati technologies\ati control panel\atiptaxx.exe"
mRun: [ISUSPM Startup] "c:\program files\common files\installshield\updateservice\isuspm.exe" -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [dlccmon.exe] "c:\program files\dell photo aio printer 924\dlccmon.exe"
mRun: [Sunkist2k] c:\program files\trust_cr-1200_16-in-1_usb2_card_reader\shwicon2k.exe
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AVFX Engine] c:\program files\creative\creative live! cam\videofx\StartFX.exe
mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe"
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [MSKDetectorExe] c:\program files\mcafee\spamkiller\MSKDetct.exe /uninstall
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [DLCCCATS] rundll32 c:\windows\system32\spool\drivers\w32x86\3\DLCCtime.dll,_RunDLLEntry@16
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\set\set.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adober~1.lnk - c:\program files\adobe\acrobat 7.0\reader\reader_sl.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\bttray.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
uPolicies-explorer: NoViewOnDrive = 0 (0x0)
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
IE: {CCA281CA-C863-46ef-9331-5C8D4460577F} - c:\program files\widcomm\bluetooth software\btsendto_ie.htm
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - {5F7B1267-94A9-47F5-98DB-E99415F33AEC} - c:\program files\windows live\writer\WriterBrowserExtension.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~3\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office12\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - hxxp://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_02-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} - hxxp://www.creative.com/su2/CTL_V02002/ocx/15033/CTPID.cab
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\progra~1\micros~3\office12\GR99D3~1.DLL
Handler: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - c:\program files\avg\avg8\avgpp.dll
Handler: widimg - {EE7C2AFF-5742-44FF-BD0E-E521B0D3C3BA} - c:\windows\system32\BTXPPanel.dll
Notify: avgrsstarter - avgrsstx.dll
Notify: c00EF55C - c00EF55C.mat
AppInit_DLLs: cru629.dat
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\progra~1\micros~3\office12\GRA8E1~1.DLL

============= SERVICES / DRIVERS ===============

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [2009-6-19 335240]
R1 AvgMfx86;AVG Free On-access Scanner Minifilter Driver x86;c:\windows\system32\drivers\avgmfx86.sys [2009-6-19 27784]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [2009-6-19 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\avg\avg8\avgwdsvc.exe [2009-6-19 297752]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-3-13 55152]
R2 SeaPort;SeaPort;c:\program files\microsoft\search enhancement pack\seaport\SeaPort.exe [2009-5-19 240512]
S2 dfbstc;dfbstc;\??\c:\windows\system32\drivers\zrxfjsbr.sys --> c:\windows\system32\drivers\zrxfjsbr.sys [?]
S2 eygzgw;Shell Driver;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S2 ksorc;Universal Monitor;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S2 lnuzuri;Manager Helper;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S2 nrshspexf;Boot Manager;c:\windows\system32\svchost.exe -k netsvcs [2004-8-10 14336]
S3 ExpressInvoiceService;Express Invoice;c:\program files\nch software\expressinvoice\expressinvoice.exe [2009-6-27 1105924]
S3 fsssvc;Windows Live Family Safety;c:\program files\windows live\family safety\fsssvc.exe [2009-2-6 533360]

=============== Created Last 30 ================

2009-10-02 18:13 --d----- c:\docume~1\navead~1\applic~1\Malwarebytes
2009-10-02 18:11 38,224 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-02 18:11 19,160 a------- c:\windows\system32\drivers\mbam.sys
2009-10-02 18:11 --d----- c:\program files\set
2009-10-02 18:11 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-09-29 18:44 --d----- c:\program files\TJH
2009-09-29 18:34 396,288 a------- C:\HijackThis.exe
2009-09-20 16:50 43 a------- c:\windows\system32\SKYNETyusiadul.dat
2009-09-09 22:46 206 a------- c:\windows\system32\MRT.INI
2009-09-09 11:06 153,088 -------- c:\windows\system32\dllcache\triedit.dll

==================== Find3M ====================

2009-10-02 18:23 551,983 a------- c:\windows\system32\SKYNETklwqggkr.dat
2009-09-20 16:51 74,240 a------- c:\windows\system32\UACchowxafnks.dll
2009-08-28 20:33 335,240 a------- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 20:33 11,952 a------- c:\windows\system32\avgrsstx.dll
2009-08-11 18:00 17,622 a------- c:\windows\imonihunuj.bin
2009-08-11 18:00 13,987 a------- c:\program files\common files\adodi.pif
2009-08-11 18:00 13,038 a------- c:\windows\system32\cexip.pif
2009-08-11 18:00 12,786 a------- c:\windows\system32\kejowaz.bin
2009-08-11 18:00 11,740 a------- c:\program files\common files\feguvalyh.dat
2009-08-11 18:00 10,728 a------- c:\windows\favukiwe.sys
2009-08-08 13:16 18,375 a------- c:\windows\riqeryvaw.scr
2009-08-08 13:16 16,109 a------- c:\docume~1\alluse~1\applic~1\kivifowiwa.vbs
2009-08-08 13:16 15,407 a------- c:\windows\system32\sopocem.dat
2009-08-08 13:16 14,252 a------- c:\program files\common files\axat.dll
2009-08-08 13:16 11,890 a------- c:\windows\xykyfen.vbs
2009-08-08 13:16 11,482 a------- c:\docume~1\alluse~1\applic~1\ufup.bat
2009-08-08 13:06 46 a------- C:\p2hhr.bat
2009-08-08 10:41 20,480 a------- c:\windows\system32\UACqnakijjwxb.dll
2009-08-08 10:41 54,784 a------- c:\windows\system32\drivers\UACvsbftkpjqw.sys
2009-08-08 10:41 18,432 a------- c:\windows\system32\UACxdbuxovanw.dll
2009-08-08 10:41 26,624 a------- c:\windows\system32\UACmcetrqqycb.dll
2009-08-08 10:41 30,208 a------- c:\windows\system32\UACasawfdbenb.dll
2009-08-08 10:39 20,480 -------- c:\windows\system32\SKYNETyrplnnkb.dll
2009-08-07 23:21 70,656 a------- c:\windows\system32\drivers\SKYNETtyqcbnat.sys
2009-08-07 23:21 44,544 a------- c:\windows\system32\SKYNETniddfoxw.dll
2009-08-05 10:01 204,800 a------- c:\windows\system32\mswebdvd.dll
2009-08-05 10:01 204,800 -------- c:\windows\system32\dllcache\mswebdvd.dll
2009-07-25 05:23 411,368 a------- c:\windows\system32\deploytk.dll
2009-07-19 18:48 11,067,392 a------- c:\windows\system32\dllcache\ieframe.dll
2009-07-19 14:18 5,937,152 a------- c:\windows\system32\dllcache\mshtml.dll
2009-07-17 20:01 58,880 a------- c:\windows\system32\atl.dll
2009-07-17 20:01 58,880 -------- c:\windows\system32\dllcache\atl.dll
2009-07-13 23:43 286,208 a------- c:\windows\system32\wmpdxm.dll
2009-07-13 23:43 10,841,088 -------- c:\windows\system32\dllcache\wmp.dll
2009-07-13 23:43 286,208 -------- c:\windows\system32\dllcache\wmpdxm.dll
2009-07-10 14:27 1,315,328 -------- c:\windows\system32\dllcache\msoe.dll
2008-04-05 23:10 262,144 a------- c:\program files\Uninstall Spy Blocker.dll
2007-07-04 20:24 787,968 a------- c:\program files\Copy of MultipleChoiceTemplate qwizdom.ppt
2007-07-01 13:52 329,128 a------- c:\program files\ripsetup.exe

============= FINISH: 20:04:08.35 ===============

Hello.

• Download combofix from here
  Link 1
  Link 2
  
  1. If you are using Firefox, make sure that your download settings are as follows:
  
  * Tools->Options->Main tab
  * Set to "Always ask me where to Save the files".
  
  2. During the download, rename Combofix to Combo-Fix as follows:
  
  
  
  
  
  3. It is important you rename Combofix during the download, but not after.
  4. Please do not rename Combofix to other names, but only to the one indicated.
  5. Close any open browsers.
  6. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  
  
• We need to disable your local AV (Anti-virus) before running Combofix.
  
• See HERE for how to disable your AV.
  
• Double click on ComboFix.exe.
  
• Follow the prompts. NOTE:
  
• ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
  ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***
  
  **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.
  
  
  
• The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  
  
  
  
• Allow ComboFix to download the Recovery Console.
  
• Accept the End-User License Agreement.
  
• The Recovery Console will be installed.
  
• You will then get this next prompt that asks if you want to continue the malware scan, select yes
  
  
  
  
• Allow combofix to run
  
• Post C:\combofix.txt back here.
  
  Note:
  Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
  

Hi,

Ok - so i ran combofix...just so you know i ran combo fix without having a LAN cable plugged in as i was downloading/transferring using a USB stick, so before it was too late - windows recovery console couldnt be installed as i was not on the network...didn't want to interrupt the scan so i let it run without having WRC installed...anyway here is the log..let me know.

ComboFix 09-10-01.05 - navead bhatti 04/10/2009 10:46.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.450 [GMT 1:00]
Running from: c:\documents and settings\navead bhatti\Desktop\Combo-Fix.exe
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\equhaticof.inf
c:\documents and settings\All Users\Application Data\gibawy.reg
c:\documents and settings\All Users\Application Data\kivifowiwa.vbs
c:\documents and settings\All Users\Application Data\ufup.bat
c:\documents and settings\All Users\Application Data\ujyto.inf
c:\documents and settings\All Users\Documents\ovakezo.bat
c:\documents and settings\All Users\Documents\qenafibaxa.bat
c:\documents and settings\navead bhatti\Application Data\IUpd721
c:\documents and settings\navead bhatti\Application Data\IUpd721\Logs\scns.log
c:\documents and settings\navead bhatti\Cookies\ebulebozil.dat
c:\documents and settings\navead bhatti\Cookies\ejacy.dl
c:\documents and settings\navead bhatti\Cookies\lyrub._dl
c:\documents and settings\navead bhatti\Cookies\okirimo.scr
c:\documents and settings\navead bhatti\Cookies\sesery.pif
c:\documents and settings\navead bhatti\Local Settings\Application Data\egydunehat.inf
c:\documents and settings\navead bhatti\Local Settings\Application Data\eqofyqide.bat
c:\documents and settings\navead bhatti\Local Settings\Temporary Internet Files\jydafofu.bin
c:\documents and settings\navead bhatti\Local Settings\Temporary Internet Files\lisixige.reg
c:\documents and settings\navead bhatti\Local Settings\Temporary Internet Files\loterivalo.reg
c:\documents and settings\navead bhatti\Local Settings\Temporary Internet Files\miqyqik.vbs
c:\documents and settings\navead bhatti\Local Settings\Temporary Internet Files\muxifoci.bin
c:\documents and settings\navead bhatti\Local Settings\Temporary Internet Files\ociquz.pif
c:\documents and settings\navead bhatti\Local Settings\Temporary Internet Files\oturu._dl
c:\documents and settings\navead bhatti\Local Settings\Temporary Internet Files\ugihopak.scr
c:\documents and settings\navead bhatti\Local Settings\Temporary Internet Files\xore.db
C:\HijackThis.exe
C:\p2hhr.bat
c:\windows\evofin.bat
c:\windows\imapapeq.reg
c:\windows\noladapu.vbs
c:\windows\qecesege.reg
c:\windows\riqeryvaw.scr
c:\windows\run.log
c:\windows\system32\drivers\SKYNETtyqcbnat.sys
c:\windows\system32\drivers\UACvsbftkpjqw.sys
c:\windows\system32\SKYNETklwqggkr.dat
c:\windows\system32\SKYNETniddfoxw.dll
c:\windows\system32\SKYNETyrplnnkb.dll
c:\windows\system32\SKYNETyusiadul.dat
c:\windows\system32\UACasawfdbenb.dll
c:\windows\system32\UACchowxafnks.dll
c:\windows\system32\UACievxrsiwmv.dat
c:\windows\system32\UACmcetrqqycb.dll
c:\windows\system32\UACndbavhdmlp.db
c:\windows\system32\UACqnakijjwxb.dll
c:\windows\system32\UACrvtsapetqa.log
c:\windows\system32\UACxdbuxovanw.dll
c:\windows\UA000031.DLL
c:\windows\UA000035.DLL
c:\windows\xykyfen.vbs
c:\windows\ynh.dx

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SKYNETrpqkyodu
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226ED}
-------\Legacy_{79007602-0CDB-4405-9DBF-1257BB3226EE}
-------\Service_SKYNETrpqkyodu


((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-10-02 17:13 . 2009-10-02 17:13 -------- d-----w- c:\documents and settings\navead bhatti\Application Data\Malwarebytes
2009-10-02 17:11 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-02 17:11 . 2009-10-02 17:13 -------- d-----w- c:\program files\set
2009-10-02 17:11 . 2009-10-02 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-02 17:11 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-29 17:44 . 2009-09-29 17:44 -------- d-----w- c:\program files\TJH
2009-09-09 10:06 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-28 21:10 . 2006-06-11 21:14 -------- d-----w- c:\documents and settings\navead bhatti\Application Data\Lavasoft
2009-09-28 21:06 . 2009-06-19 17:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-28 21:04 . 2006-05-05 18:36 -------- d-----w- c:\program files\Dl_cats
2009-09-17 12:03 . 2009-06-19 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-13 11:19 . 2006-05-02 20:26 -------- d-----w- c:\program files\Java
2009-09-09 21:54 . 2009-03-13 01:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-28 19:33 . 2009-06-19 17:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 19:33 . 2009-06-19 17:03 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 19:33 . 2009-06-19 17:03 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-11 17:00 . 2009-08-11 17:00 17622 ----a-w- c:\windows\imonihunuj.bin
2009-08-11 17:00 . 2009-08-11 17:00 13987 ----a-w- c:\program files\Common Files\adodi.pif
2009-08-11 17:00 . 2009-08-11 17:00 13038 ----a-w- c:\windows\system32\cexip.pif
2009-08-11 17:00 . 2009-08-11 17:00 12786 ----a-w- c:\windows\system32\kejowaz.bin
2009-08-11 17:00 . 2009-08-11 17:00 11740 ----a-w- c:\program files\Common Files\feguvalyh.dat
2009-08-11 17:00 . 2009-08-11 17:00 10728 ----a-w- c:\windows\favukiwe.sys
2009-08-10 16:13 . 2009-02-23 23:37 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-08-09 11:27 . 2009-08-09 11:27 18673 ----a-w- c:\documents and settings\All Users\Application Data\apinuga.com
2009-08-09 11:27 . 2009-08-09 11:27 17810 ----a-w- c:\documents and settings\All Users\Application Data\usolix.dat
2009-08-09 11:27 . 2009-08-09 11:27 17059 ----a-w- c:\windows\system32\dysadub.dat
2009-08-09 11:27 . 2009-08-09 11:27 16025 ----a-w- c:\program files\Common Files\emaq.dl
2009-08-09 11:27 . 2009-08-09 11:27 12471 ----a-w- c:\documents and settings\All Users\Application Data\gizuwox.dat
2009-08-09 11:27 . 2009-08-09 11:27 11899 ----a-w- c:\windows\system32\yzasim.com
2009-08-09 11:27 . 2009-08-09 11:27 11557 ----a-w- c:\windows\system32\olitah.bin
2009-08-09 11:27 . 2009-08-09 11:27 17929 ----a-w- c:\documents and settings\navead bhatti\Local Settings\Application Data\apux.dll
2009-08-09 11:27 . 2009-08-09 11:27 15326 ----a-w- c:\program files\Common Files\rokyceluc.pif
2009-08-09 11:27 . 2009-08-09 11:27 13878 ----a-w- c:\windows\edahedezeg.bin
2009-08-09 11:27 . 2009-08-09 11:27 13400 ----a-w- c:\documents and settings\All Users\Application Data\ekexe.sys
2009-08-09 11:15 . 2009-06-19 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-09 10:57 . 2006-05-05 18:21 95560 ----a-w- c:\documents and settings\navead bhatti\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-08 12:16 . 2009-08-08 12:16 15407 ----a-w- c:\windows\system32\sopocem.dat
2009-08-08 12:16 . 2009-08-08 12:16 14252 ----a-w- c:\program files\Common Files\axat.dll
2009-08-08 12:16 . 2009-08-08 12:16 12319 ----a-w- c:\documents and settings\navead bhatti\Local Settings\Application Data\umijo.scr
2009-08-06 23:21 . 2009-06-19 16:49 -------- d-----w- c:\program files\MSBuild
2009-08-06 23:21 . 2009-08-06 23:21 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2004-08-10 11:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 04:23 . 2008-12-09 22:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-10 11:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2004-08-10 11:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2008-04-05 22:10 . 2009-06-19 16:50 262144 ----a-w- c:\program files\Uninstall Spy Blocker.dll
2007-07-04 19:24 . 2007-07-04 19:25 787968 ----a-w- c:\program files\Copy of MultipleChoiceTemplate qwizdom.ppt
2007-07-01 12:52 . 2007-07-01 12:52 329128 ----a-w- c:\program files\ripsetup.exe
2006-11-17 00:13 . 2006-05-07 23:58 56 --sh--r- c:\windows\system32\184C950EED.sys
2008-03-15 15:01 . 2006-05-06 13:32 88 --sh--r- c:\windows\system32\ED0E954C18.sys
2008-03-15 15:01 . 2006-05-06 13:32 6424 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvMon.exe"="c:\windows\system32\DrvMon.exe" [2004-11-29 53248]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]
"Sunkist2k"="c:\program files\Trust_CR-1200_16-in-1_USB2_CARD_READER\shwicon2k.exe" [2005-06-29 143360]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-08-16 24576]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-18 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-13 73728]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\set\set.exe" [2009-09-10 1312080]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 569405]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-3-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 19:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"96:TCP"= 96:TCP:Express Invoice Web Server

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [19/06/2009 18:03 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [19/06/2009 18:03 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [19/06/2009 18:02 297752]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [13/03/2009 02:20 55152]
S2 dfbstc;dfbstc;\??\c:\windows\system32\drivers\zrxfjsbr.sys --> c:\windows\system32\drivers\zrxfjsbr.sys [?]
S2 eygzgw;Shell Driver;c:\windows\system32\svchost.exe -k netsvcs [10/08/2004 12:51 14336]
S2 ksorc;Universal Monitor;c:\windows\system32\svchost.exe -k netsvcs [10/08/2004 12:51 14336]
S2 lnuzuri;Manager Helper;c:\windows\system32\svchost.exe -k netsvcs [10/08/2004 12:51 14336]
S2 nrshspexf;Boot Manager;c:\windows\system32\svchost.exe -k netsvcs [10/08/2004 12:51 14336]
S3 ExpressInvoiceService;Express Invoice;c:\program files\NCH Software\ExpressInvoice\expressinvoice.exe [27/06/2009 17:56 1105924]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 19:08 533360]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
eygzgw
ksorc
nrshspexf
lnuzuri

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.hackerwatch.org/probe/
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
.
- - - - ORPHANS REMOVED - - - -

Notify-c00EF55C - c00EF55C.mat



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 10:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hȋdden files ...

scan completed successfully
hȋdden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\eygzgw]
"ServiceDll"="c:\windows\system32\imypx.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\ksorc]
"ServiceDll"="c:\windows\system32\imypx.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lnuzuri]
"ServiceDll"="c:\windows\system32\imypx.dll"
--

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\nrshspexf]
"ServiceDll"="c:\program files\Internet Explorer\imypx.dll"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2456)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\dlcccoms.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\Windows Desktop Search\WindowsSearchIndexer.exe
.
**************************************************************************
.
Completion time: 2009-10-04 10:59 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-04 09:59

Pre-Run: 221,230,186,496 bytes free
Post-Run: 222,290,972,672 bytes free

266 --- E O F --- 2009-09-09 21:47

and here it is...

ComboFix 09-10-01.05 - navead bhatti 04/10/2009 19:54.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1022.546 [GMT 1:00]
Running from: c:\documents and settings\navead bhatti\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\navead bhatti\Desktop\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning disabled* (Outdated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}

FILE ::
"c:\documents and settings\All Users\Application Data\apinuga.com"
"c:\documents and settings\All Users\Application Data\ekexe.sys"
"c:\documents and settings\All Users\Application Data\gizuwox.dat"
"c:\documents and settings\All Users\Application Data\usolix.dat"
"c:\documents and settings\navead bhatti\Local Settings\Application Data\apux.dll"
"c:\documents and settings\navead bhatti\Local Settings\Application Data\umijo.scr"
"c:\program files\Common Files\adodi.pif"
"c:\program files\Common Files\axat.dll"
"c:\program files\Common Files\emaq.dl"
"c:\program files\Common Files\feguvalyh.dat"
"c:\program files\Common Files\rokyceluc.pif"
"c:\windows\edahedezeg.bin"
"c:\windows\favukiwe.sys"
"c:\windows\imonihunuj.bin"
"c:\windows\system32\cexip.pif"
"c:\windows\system32\dysadub.dat"
"c:\windows\system32\kejowaz.bin"
"c:\windows\system32\olitah.bin"
"c:\windows\system32\sopocem.dat"
"c:\windows\system32\yzasim.com"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\apinuga.com
c:\documents and settings\All Users\Application Data\ekexe.sys
c:\documents and settings\All Users\Application Data\gizuwox.dat
c:\documents and settings\All Users\Application Data\usolix.dat
c:\documents and settings\navead bhatti\Local Settings\Application Data\apux.dll
c:\documents and settings\navead bhatti\Local Settings\Application Data\umijo.scr
c:\program files\Common Files\adodi.pif
c:\program files\Common Files\axat.dll
c:\program files\Common Files\emaq.dl
c:\program files\Common Files\feguvalyh.dat
c:\program files\Common Files\rokyceluc.pif
c:\windows\edahedezeg.bin
c:\windows\favukiwe.sys
c:\windows\imonihunuj.bin
c:\windows\system32\cexip.pif
c:\windows\system32\dysadub.dat
c:\windows\system32\kejowaz.bin
c:\windows\system32\olitah.bin
c:\windows\system32\sopocem.dat
c:\windows\system32\yzasim.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_DFBSTC
-------\Legacy_EYGZGW
-------\Legacy_KSORC
-------\Legacy_LNUZURI
-------\Legacy_NRSHSPEXF
-------\Service_dfbstc
-------\Service_eygzgw
-------\Service_ksorc
-------\Service_lnuzuri
-------\Service_nrshspexf


((((((((((((((((((((((((( Files Created from 2009-09-04 to 2009-10-04 )))))))))))))))))))))))))))))))
.

2009-10-02 17:13 . 2009-10-02 17:13 -------- d-----w- c:\documents and settings\navead bhatti\Application Data\Malwarebytes
2009-10-02 17:11 . 2009-09-10 13:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-02 17:11 . 2009-10-02 17:13 -------- d-----w- c:\program files\set
2009-10-02 17:11 . 2009-10-02 17:11 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-10-02 17:11 . 2009-09-10 13:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-29 17:44 . 2009-09-29 17:44 -------- d-----w- c:\program files\TJH
2009-09-09 10:06 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-28 21:10 . 2006-06-11 21:14 -------- d-----w- c:\documents and settings\navead bhatti\Application Data\Lavasoft
2009-09-28 21:06 . 2009-06-19 17:50 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-28 21:04 . 2006-05-05 18:36 -------- d-----w- c:\program files\Dl_cats
2009-09-17 12:03 . 2009-06-19 16:40 -------- d-----w- c:\documents and settings\All Users\Application Data\Microsoft Help
2009-09-13 11:19 . 2006-05-02 20:26 -------- d-----w- c:\program files\Java
2009-09-09 21:54 . 2009-03-13 01:20 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-28 19:33 . 2009-06-19 17:03 11952 ----a-w- c:\windows\system32\avgrsstx.dll
2009-08-28 19:33 . 2009-06-19 17:03 335240 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2009-08-28 19:33 . 2009-06-19 17:03 27784 ----a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-08-10 16:13 . 2009-02-23 23:37 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-08-09 11:15 . 2009-06-19 17:02 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-09 10:57 . 2006-05-05 18:21 95560 ----a-w- c:\documents and settings\navead bhatti\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-06 23:21 . 2009-06-19 16:49 -------- d-----w- c:\program files\MSBuild
2009-08-06 23:21 . 2009-08-06 23:21 -------- d-----w- c:\program files\Reference Assemblies
2009-08-05 09:01 . 2004-08-10 11:51 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-25 04:23 . 2008-12-09 22:30 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2004-08-10 11:50 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2004-08-10 11:51 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2008-04-05 22:10 . 2009-06-19 16:50 262144 ----a-w- c:\program files\Uninstall Spy Blocker.dll
2007-07-04 19:24 . 2007-07-04 19:25 787968 ----a-w- c:\program files\Copy of MultipleChoiceTemplate qwizdom.ppt
2007-07-01 12:52 . 2007-07-01 12:52 329128 ----a-w- c:\program files\ripsetup.exe
2006-11-17 00:13 . 2006-05-07 23:58 56 --sh--r- c:\windows\system32\184C950EED.sys
2008-03-15 15:01 . 2006-05-06 13:32 88 --sh--r- c:\windows\system32\ED0E954C18.sys
2008-03-15 15:01 . 2006-05-06 13:32 6424 --sha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-10-04_09.55.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-10-04 19:00 . 2009-10-04 19:00 16384 c:\windows\temp\Perflib_Perfdata_660.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DrvMon.exe"="c:\windows\system32\DrvMon.exe" [2004-11-29 53248]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 307200]
"MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2009-02-06 3885408]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 344064]
"ISUSPM Startup"="c:\program files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 249856]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 81920]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"dlccmon.exe"="c:\program files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-10-21 430080]
"Sunkist2k"="c:\program files\Trust_CR-1200_16-in-1_USB2_CARD_READER\shwicon2k.exe" [2005-06-29 143360]
"AVFX Engine"="c:\program files\Creative\Creative Live! Cam\VideoFX\StartFX.exe" [2006-08-16 24576]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"Adobe Photo Downloader"="c:\program files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
"MSKDetectorExe"="c:\program files\McAfee\SpamKiller\MSKDetct.exe" [2006-11-07 1121280]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-04-18 198160]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-26 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"DLCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll" [2005-09-13 73728]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\set\set.exe" [2009-09-10 1312080]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2005-03-22 339968]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
BTTray.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2004-11-29 569405]
Windows Desktop Search.lnk - c:\program files\Windows Desktop Search\WindowsSearch.exe [2006-3-26 257752]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-03-13 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-08-28 19:33 11952 ----a-w- c:\windows\system32\avgrsstx.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\SightSpeed\\SightSpeed.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"96:TCP"= 96:TCP:Express Invoice Web Server

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [19/06/2009 18:03 335240]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [19/06/2009 18:03 108552]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [19/06/2009 18:02 297752]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [13/03/2009 02:20 55152]
S3 ExpressInvoiceService;Express Invoice;c:\program files\NCH Software\ExpressInvoice\expressinvoice.exe [27/06/2009 17:56 1105924]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [06/02/2009 19:08 533360]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = hxxp://www.google.com
uInternet Connection Wizard,ShellNext = hxxp://www.hackerwatch.org/probe/
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: Send To &Bluetooth - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-04 20:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hȋdden processes ...

scanning hȋdden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
DLCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hȋdden files ...


c:\windows\TEMP\SEP2.tmp 0 bytes

scan completed successfully
hȋdden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1384)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\AVG\AVG8\avgrsx.exe
c:\progra~1\AVG\AVG8\avgnsx.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\dlcccoms.exe
c:\program files\Microsoft IntelliPoint\dpupdchk.exe
c:\program files\Windows Desktop Search\WindowsSearchIndexer.exe
.
**************************************************************************
.
Completion time: 2009-10-04 20:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-04 19:05
ComboFix2.txt 2009-10-04 09:59

Pre-Run: 222,257,401,856 bytes free
Post-Run: 222,209,122,304 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

232 --- E O F --- 2009-09-09 21:47

Click Start > Run and copy/paste the following bolded text into the Run box and click OK:

ComboFix /u



This will also reset your restore points.

How is the machine running now?

Hi again,

thanks for your help..the machine seems to be running ok (though i have not done any updates etc) but one thing is niggling at me, when i boot up the system and load the users profile it takes around 2/3 minutes to show the start bar....it shows the desktop background but nothing else then after 2/3 minutes you can access everything - any reason why?!?1

I did a full MBAM scan and it found nothing and only lasted 22 minutes which is great though...what do you think?!?

Hello.
Possibly the number of items loading at startup are causing slow downs.

Please post a new Hijack This log.

Here you go...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:20:03, on 06/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\Program Files\Trust_CR-1200_16-in-1_USB2_CARD_READER\shwicon2k.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\DrvMon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\Windows Desktop Search\WindowsSearchIndexer.exe
C:\Documents and Settings\navead bhatti\Desktop\winlogon.scr

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hackerwatch.org/probe/
R3 - URLSearchHook: (no name) - {4FBACD73-F67C-42AE-B46A-03960AFE3DFB} - C:\PROGRA~1\ORANGE~1\TOOLBA~2.DLL
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: (no name) - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer230.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Trust_CR-1200_16-in-1_USB2_CARD_READER\shwicon2k.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\set\set.exe" /runcleanupscript
O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su2/CTL_V02002/ocx/15033/CTPID.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: dlcc_device - - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: Express Invoice (ExpressInvoiceService) - NCH Software - C:\Program Files\NCH Software\ExpressInvoice\expressinvoice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8980 bytes

Hello.

• Open HijackThis
  
• Choose "Do a system scan only"
  
• Check the boxes in front of these lines:
  
  
  O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
  O3 - Toolbar: (no name) - {119DBEDA-9c41-4F97-94B4-B6BCD01133CF} - (no file)
  O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
  O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
  O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
  O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
  O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
  O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
  O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Trust_CR-1200_16-in-1_USB2_CARD_READER\shwicon2k.exe
  O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
  O4 - HKLM\..\Run: [AVFX Engine] C:\Program Files\Creative\Creative Live! Cam\VideoFX\StartFX.exe
  O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
  O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
  O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
  O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
  O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
  O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\set\set.exe" /runcleanupscript
  O4 - HKCU\..\Run: [DrvMon.exe] C:\WINDOWS\system32\DrvMon.exe
  O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
  O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
  O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
  O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
  O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
  O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
  O4 - Global Startup: BTTray.lnk = ?
  
  
  
• Press "Fix Checked"
  
• Close Hijack This.
  

I recommend you remove the Java Quick Starter because it's not needed.
To do so, follow these instructions.

Go to Start > Control Panel > Java.
In the Java control panel, open the click the Advanced tab. Click the + in front of Miscellaneous and uncheck the Java Quick Starter box.

See here for more info.

Hi i did what you suggested but hasn't made much difference...hmmm

Oh well, i guess we're done here right though - machine all clean?!?!

I ran spybotsearch and destroy and this found a couple of trojans which i removed...and malware finds nothing...

Done all my updates now too...

Hi....just wanted to check if im all good to give the PC back to my cousin now - or is there anything else u advise me to do?!?!

This looks fine, I'd say it's okay to give back.

Below I have included a number of recommendations for how to protect your computer in order to prevent future malware infections. Please take these recommendations seriously; these few simple steps can stave off the vast majority of spyware problems. As happy as we are to help you, for your sake we would rather not have repeat customers.

1) Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.

Please either enable Automatic Updates under Start -> Control Panel -> Automatic Updates , or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

2) In order to protect yourself against spyware, you should consider installing and running the following free programs:

Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.

Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.

SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.

SpywareGuard
A tutorial on using SpywareGuard for realtime protection against spyware and hijackers may be found here.

Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

3) Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from here:
http://www.mozilla.org/products/firefox/
I also recommand the following add-ons for Firefox, they will help keep you safe from malicious scripts or activeX exploits.
https://addons.mozilla.org/en-US/firefox/addon/722
https://addons.mozilla.org/en-US/firefox/addon/1865
https://addons.mozilla.org/en-US/firefox/addon/433

4) Also make sure to run your antivirus software regularly, and to keep it up-to-date.

To help you keep your software updated, please considering using this free software program that will check for program updates.
Update Checker

5) Finally, consider maintaining a firewall. Some good free firewalls are Kerio, or
Outpost
A tutorial on understanding and using firewalls may be found here.

Please also read Tony Klein's excellent article: How I got Infected in the First Place

If you would take a moment to fill out our feedback form, we would appreciate it.
The link can be found here.

Hopefully this should take care of your problems! Good luck.

Hello,

i did a kaspersky scanner as one last check and found the following...I have updated my java and firefox so maybe these have been left over? Any advice

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 65872
Threats found: 2
Infected objects found: 2
Suspicious objects found: 0
Scan duration: 02:21:13


File name / Threat / Threats count
C:\Documents and Settings\navead bhatti\Application Data\Sun\Java\Deployment\cache\6.0\49\6b800f31-30162784 Infected: Trojan-Downloader.Java.OpenConnection.at 1
C:\Program Files\Mozilla Firefox\chrome\error.jar Infected: Trojan.Win32.Agent.aykf 1

Selected area has been scanned.

Download ATF Cleaner

• Double-click ATF-Cleaner.exe to run the program.
  
• Click Select All found at the bottom of the list.
  
• Click the Empty Selected button.
  

If you use Firefox browser, do this also:

• Click Firefox at the top and choose Select All from the list.
  
• Click the Empty Selected button.
  
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.
  

If you use Opera browser, do this also:

• Click Opera at the top and choose Select All from the list.
  
• Click the Empty Selected button.
  
• NOTE : If you would like to keep your saved passwords, please click No at the prompt.
  

Click Exit on the Main menu to close the program.

Hi,

done what you requested...so i guess we are all good now?!?!