Some Websites Won't Work

A couple of days ago some websites stopped working for me. Google, Yahoo and a few others stopped working (mostly search engines), including the BitDefender forum. I discovered that if I go to Task Manager and end the process "explorer.exe", the websites all start working again. I can't keep doing this though, as it leads to me being unable to access all of the files on my computer until I reboot, which leads to the problem recurring. I've done some searching around various forums and downloads and tried a few different things. I've also run a few different antivirus programs but have had no luck so far. I'm not sure if I have a virus or if the problem is something simpler.


Any help would be much appreciated

Comments

  • It seems like your browser has been hijacked. Download Hijackthis here and do a System Scan with log and post it here

  • Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 09:03, on 2008-04-15
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\STOPzilla!\STOPzilla.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Virgin Net Broadband\Dragdiag.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Robert Deacon\Desktop\Antivirus Stuff\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ROBERT DEACON\Application Data\Mozilla\Profiles\default\el8jd9nm.slt\prefs.js)
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
    O2 - BHO: {dff784b7-af74-f12a-2ea4-c58fd0e6c503} - {305c6e0d-f85c-4ae2-a21f-47fa7b487ffd} - C:\WINDOWS\system32\jforykui.dll
    O2 - BHO: (no name) - {6DAE37E1-D3DA-4AE7-BF92-58E867D5A276} - C:\WINDOWS\system32\byXOeBur.dll
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Virgin Net Broadband\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [6ce8e251] rundll32.exe "C:\WINDOWS\system32\wkuyeyqe.dll",b
    O4 - HKLM\..\Run: [bM6fdbd1cd] Rundll32.exe "C:\WINDOWS\system32\kmdxkvmh.dll",s
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
    O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
    O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
    O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
    O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

    --
    End of file - 8852 bytes

  • Hello,

    Check and fix these lines:

    O2 - BHO: {dff784b7-af74-f12a-2ea4-c58fd0e6c503} - {305c6e0d-f85c-4ae2-a21f-47fa7b487ffd} - C:\WINDOWS\system32\jforykui.dll
    O2 - BHO: (no name) - {6DAE37E1-D3DA-4AE7-BF92-58E867D5A276} - C:\WINDOWS\system32\byXOeBur.dll
    O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [6ce8e251] rundll32.exe "C:\WINDOWS\system32\wkuyeyqe.dll",b
    O4 - HKLM\..\Run: [bM6fdbd1cd] Rundll32.exe "C:\WINDOWS\system32\kmdxkvmh.dll",s
    O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
    O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
    O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe

    Regards

  • Thanks for your help robtap, sadly the problem hasn't gone.

    Here is my new log:

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 21:14, on 2008-04-15
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\STOPzilla!\STOPzilla.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Virgin Net Broadband\Dragdiag.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Documents and Settings\Robert Deacon\Desktop\Antivirus Stuff\HiJackThis_v2.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ROBERT DEACON\Application Data\Mozilla\Profiles\default\el8jd9nm.slt\prefs.js)
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
    O2 - BHO: (no name) - {8749A023-E67A-4F81-85FF-0457231B9F57} - C:\WINDOWS\system32\byXOeBur.dll
    O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
    O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Virgin Net Broadband\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [bM6fdbd1cd] Rundll32.exe "C:\WINDOWS\system32\kmdxkvmh.dll",s
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
    O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
    O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

    --
    End of file - 7622 bytes

  • robtap
    edited April 2008

    Download, install and run Spybot Search & Destroy and it will be fine.

  • Niels
    edited April 2008

    Hello robtap and Chesda

    It's good that you help people, but if BitDefender doesn't detect the files that you let people fix in HijackThis, please let them archive these files first, before they take any action. Otherwise BitDefender will not be able to detect them in the future.

    Use an archive tool such as WinRAR or WinZip. After that, let the people upload these samples in this forum section.

    Thanks in advance.

    Best regards

    Niels

    Hello RobD,

    It's better that you use version 2.0.2 of HijackThis, which is the stable version. You can download it from the link that Chesda gave you. I've moved your topic to the logs analysis section. I recommend that you download ComboFix here. Follow these instructions and post the output of the scan.

    Best regards

    Niels

  • First, we need you to submit the following items to BitDefender for further analysis:

    byXOeBur.dll
    kmdxkvmh.dll

    Follow these steps:

    1. Open Windows Explorer
    2. Tools Menu -> Folder Options -> View Tab
    3. Click Show hidden files and folders, scroll down and untick Hide protected operating system files. Click Ok.
    4. Go to this location C:\WINDOWS\system32 and locate byXOeBur.dll and kmdxkvmh.dll
    5. Zip these files in a folder with the password infected and attach it on your next reply

    Run HijackThis again, check and fix the following entries:

    O2 - BHO: (no name) - {8749A023-E67A-4F81-85FF-0457231B9F57} - C:\WINDOWS\system32\byXOeBur.dll
    O4 - HKLM\..\Run: [bM6fdbd1cd] Rundll32.exe "C:\WINDOWS\system32\kmdxkvmh.dll",s
    O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
    O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
    O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
    O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm

    Also, post a fresh ComboFix and a HijackThis log.
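The helpers in this thread picked out the bad entries by eye: BHOs with no display name, Run keys with random hex names that load an eight-letter DLL through rundll32 with a one-letter export, and an O16 ActiveX entry fetching a bare .exe from a raw IP. The script below is an added example (not code from this thread, from BitDefender, or from Trend Micro) that encodes those same traits as heuristics and runs them over HijackThis-style lines. The sample lines are copied from the logs posted above; the parsing regexes, the 0.75 hex-ratio threshold and the "eight letters" rule are assumptions of this example and flag candidates for review, not verdicts, so it generalises to any O2/O4/O16 lines rather than only the ones in this thread.

```python
"""Heuristic triage of HijackThis O2/O4/O16 lines (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines of the same shape as the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: {dff784b7-af74-f12a-2ea4-c58fd0e6c503} - {305c6e0d-f85c-4ae2-a21f-47fa7b487ffd} - C:\WINDOWS\system32\jforykui.dll
O2 - BHO: (no name) - {6DAE37E1-D3DA-4AE7-BF92-58E867D5A276} - C:\WINDOWS\system32\byXOeBur.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [6ce8e251] rundll32.exe "C:\WINDOWS\system32\wkuyeyqe.dll",b
O4 - HKLM\..\Run: [bM6fdbd1cd] Rundll32.exe "C:\WINDOWS\system32\kmdxkvmh.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe
"""

GUID_RE = re.compile(r"\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}", re.I)
# Assumed heuristic: the droppers in this thread used 8-letter random DLL names in system32.
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{8}\.dll$", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,(\w+)', re.I)


@dataclass
class Finding:
    section: str
    line: str
    reasons: list


def hex_ratio(s: str) -> float:
    """Share of characters that are hex digits; random hex key names score near 1.0."""
    return sum(c in "0123456789abcdefABCDEF" for c in s) / len(s) if s else 0.0


def check_o2(rest: str) -> list:
    """O2 - BHO: <name> - {CLSID} - <path>"""
    reasons = []
    m = re.match(r"BHO: (.*?) - (\{[^}]+\}) - (.*)$", rest)
    if not m:
        return reasons
    name, _clsid, path = m.groups()
    if name == "(no name)" or GUID_RE.fullmatch(name):
        reasons.append("BHO registered without a display name")
    if path == "(no file)":
        reasons.append("orphaned BHO registration (file missing)")
    elif RANDOM_DLL_RE.search(path):
        reasons.append("BHO loads an 8-letter DLL from system32")
    return reasons


def check_o4(rest: str) -> list:
    """O4 - HK..\\..\\Run: [keyname] <command>  (Global Startup lines are skipped)"""
    reasons = []
    m = re.match(r"HK\S+?\\\.\.\\Run: \[([^\]]*)\] (.*)$", rest)
    if not m:
        return reasons
    key, cmd = m.groups()
    if key and re.fullmatch(r"[0-9A-Za-z]{6,}", key) and hex_ratio(key) >= 0.75:
        reasons.append("autostart key name looks like random hex")
    r = RUNDLL_RE.search(cmd)
    if r:
        dll, export = r.groups()
        if len(export) == 1:
            reasons.append("rundll32 calls a single-letter export")
        if RANDOM_DLL_RE.search(dll):
            reasons.append("rundll32 loads an 8-letter DLL from system32")
    return reasons


def check_o16(rest: str) -> list:
    """O16 - DPF: {CLSID} [(name)] - <url>"""
    reasons = []
    m = re.match(r"DPF: (\{[^}]+\})(?: \([^)]*\))? - (\S+)$", rest)
    if not m:
        return reasons
    _clsid, url = m.groups()
    host = urlparse(url).hostname or ""
    if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
        reasons.append("ActiveX download from a bare IP address")
    if url.lower().endswith(".exe"):
        reasons.append("ActiveX entry points at a raw .exe rather than a .cab")
    return reasons


CHECKS = {"O2": check_o2, "O4": check_o4, "O16": check_o16}


def triage(log_text: str) -> list:
    """Return a Finding for every O2/O4/O16 line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = re.match(r"^(O\d+) - (.*)$", raw.strip())
        if not m or m.group(1) not in CHECKS:
            continue
        reasons = CHECKS[m.group(1)](m.group(2))
        if reasons:
            findings.append(Finding(m.group(1), raw.strip(), reasons))
    return findings


def report(findings: list) -> str:
    return "\n".join(f"[{f.section}] {f.line}\n    - " + "\n    - ".join(f.reasons) for f in findings)


if __name__ == "__main__":
    print(report(triage(SAMPLE_LOG)))
```

Run as-is it prints six flagged lines and leaves the Yahoo BHO, the NVIDIA Run key and ctfmon untouched; the legitimate rundll32 entry is not flagged because its DLL name is short and its export name is a real word, which is the point of stacking several weak signals rather than keying on rundll32 alone.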

  • Hello Chesda,


    There is now a separate section where only samples need to be posted. And that location is here.


    Best regards


    Niels

  • I posted the two requested files in this topic:

    http://forum.bitdefender.com/index.php?showtopic=5251

    I had a problem running ComboFix. I followed the instructions in the link posted by Niels, but once I got to the autoscan an hour passed without it completing a single stage and there was no evidence that the program was actually doing anything. I ended up closing the program manually and thankfully there were no problems, but I'm cautious about running the program again in case something goes wrong.

    I did however follow Chesda's advice and here's my updated HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 18:50, on 2008-04-16
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\STOPzilla!\STOPzilla.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\Picasa2\PicasaMediaDetector.exe
    C:\Program Files\Virgin Net Broadband\Dragdiag.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\DAEMON Tools\daemon.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ROBERT DEACON\Application Data\Mozilla\Profiles\default\el8jd9nm.slt\prefs.js)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
    O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
    O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Virgin Net Broadband\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [6ce8e251] rundll32.exe "C:\WINDOWS\system32\gdtfntev.dll",b
    O4 - HKLM\..\Run: [bM6fdbd1cd] Rundll32.exe "C:\WINDOWS\system32\kmdxkvmh.dll",s
    O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-2876460898-2810476803-1168322895-1007\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Martin Deacon')
    O4 - HKUS\S-1-5-21-2876460898-2810476803-1168322895-1007\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silent (User 'Martin Deacon')
    O4 - HKUS\S-1-5-21-2876460898-2810476803-1168322895-1007\..\Run: [] (User 'Martin Deacon')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
    O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
    O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
    O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
    O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

    --
    End of file - 6647 bytes

    Thanks for all your help

  • RbRtD
    edited April 2008

    I decided to bite the bullet and try ComboFix again, and am I glad I did, as it seems to have fixed the problem.

    Here's the log it produced:

    ComboFix 08-04-15.8 - Robert Deacon 2008-04-16 19:46:05.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1096 [GMT 1:00]
    Running from: C:\Documents and Settings\Robert Deacon\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Robert Deacon\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    * Created a new restore point
    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\Documents and Settings\Robert Deacon\Application Data\CROSOF~1.NET
    C:\Documents and Settings\Robert Deacon\Application Data\macromedia\Flash Player\#SharedObjects\MGWAFQQV\www.broadcaster.com
    C:\Documents and Settings\Robert Deacon\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
    C:\Documents and Settings\Robert Deacon\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
    C:\Program Files\Common Files\companion wizard
    C:\Program Files\Common Files\racle~1
    C:\Program Files\ecurit~1
    C:\Program Files\fnts~1
    C:\Program Files\icroso~1.net
    C:\Program Files\smbols~1
    C:\WINDOWS\adaway.lic
    C:\WINDOWS\ppatch~1
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\smdat32m.sys
    C:\WINDOWS\system32\byXOeBur.dll
    C:\WINDOWS\system32\drivers\npf.sys
    C:\WINDOWS\system32\eqyeyukw.ini
    C:\WINDOWS\system32\gdtfntev.dll
    C:\WINDOWS\system32\ineWc01
    C:\WINDOWS\system32\jforykui.dll
    C:\WINDOWS\system32\jnclgwvt.dll
    C:\WINDOWS\system32\kmd.exe
    C:\WINDOWS\system32\kmdxkvmh.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\nGpxx01
    C:\WINDOWS\system32\nkfcswfl.ini
    C:\WINDOWS\system32\packet.dll
    C:\WINDOWS\system32\pmxophqa.ini
    C:\WINDOWS\system32\ppatch~1
    C:\WINDOWS\system32\ruBeOXyb.ini
    C:\WINDOWS\system32\ruBeOXyb.ini2
    C:\WINDOWS\system32\sks~1
    C:\WINDOWS\system32\sks~1\??sks\
    C:\WINDOWS\system32\smante~1
    C:\WINDOWS\system32\smbols~1
    C:\WINDOWS\system32\ssembl~1
    C:\WINDOWS\system32\stera.log
    C:\WINDOWS\system32\sttss.ini
    C:\WINDOWS\system32\sttss.ini2
    C:\WINDOWS\system32\tvwglcnj.ini
    C:\WINDOWS\system32\vetnftdg.ini
    C:\WINDOWS\system32\wanpacket.dll
    C:\WINDOWS\system32\wkuyeyqe.dll
    C:\WINDOWS\system32\wnsapisv32.exe
    C:\WINDOWS\system32\wpcap.dll
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    -------\Legacy_6TO4
    -------\Legacy_FOPN
    -------\Legacy_NPF
    -------\Legacy_SZKG5
    -------\Service_6to4
    -------\Service_NPF
    -------\Service_szkg5

    ((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
    .
    2008-04-16 19:24 . 2008-04-16 19:24 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
    2008-04-16 19:23 . 2007-08-13 19:52 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
    2008-04-16 10:53 . 2008-04-16 10:53 <DIR> d-------- C:\Program Files\Trend Micro
    2008-04-15 14:00 . 2008-04-15 14:00 <DIR> d-------- C:\Program Files\InterMute
    2008-04-14 20:18 . 2008-04-14 20:18 <DIR> d-------- C:\BrownSW
    2008-04-14 18:47 . 2008-04-14 18:48 <DIR> d-------- C:\WINDOWS\system32\QVJGTGljZW5zZUluZm8=
    2008-04-14 18:47 . 2008-04-14 19:52 <DIR> d-------- C:\Program Files\Advanced Registry Fix
    2008-04-14 18:06 . 2008-04-14 20:22 <DIR> d-------- C:\Program Files\SpywareBlaster
    2008-04-13 18:24 . 2008-04-13 18:26 <DIR> d-------- C:\Documents and Settings\Robert Deacon\Application Data\Hide IP NG
    2008-04-13 18:22 . 2008-04-13 18:26 <DIR> d-------- C:\Documents and Settings\Robert Deacon\Application Data\HideIP
    2008-04-13 18:05 . 2008-04-13 18:05 32 --a------ C:\WINDOWS\go
    2008-04-12 20:03 . 2008-04-14 12:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{AAFF8BDC-4A49-493A-BD8D-80DFBB97EF64}


    2008-04-04 20:56 . 2008-04-04 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk


    2008-04-04 20:38 . 2008-04-04 20:38 87,608 --a------ C:\Documents and Settings\Robert Deacon\Application Data\inst.exe


    2008-04-04 20:38 . 2008-04-04 20:38 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys


    2008-04-04 20:38 . 2008-04-04 20:38 47,360 --a------ C:\Documents and Settings\Robert Deacon\Application Data\pcouffin.sys


    2008-04-04 20:37 . 2008-04-04 21:25 <DIR> d-------- C:\Program Files\MagicDVDCopier


    2008-04-02 13:58 . 2008-04-02 13:58 268 --ah----- C:\sqmdata01.sqm


    2008-04-02 13:58 . 2008-04-02 13:58 244 --ah----- C:\sqmnoopt01.sqm


    2008-03-28 14:06 . 2008-03-28 14:06 <DIR> d-------- C:\WINDOWS\Out of the Park Baseball


    2008-03-28 14:06 . 2008-03-28 14:06 <DIR> d-------- C:\Program Files\Out of the Park Developments


    2008-03-28 14:06 . 2008-03-28 14:06 <DIR> d-------- C:\Documents and Settings\Robert Deacon\Application Data\Out of the Park Developments


    2008-03-20 09:38 . 2008-03-20 09:38 268 --ah----- C:\sqmdata00.sqm


    2008-03-20 09:38 . 2008-03-20 09:38 244 --ah----- C:\sqmnoopt00.sqm


    2008-03-18 11:38 . 2008-04-14 19:30 <DIR> d-------- C:\Program Files\STOPzilla!


    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    2008-04-16 18:54 440 ----a-w C:\WINDOWS\system32\drivers\kgpfr2.cfg


    2008-04-16 18:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!


    2008-04-16 17:42 --------- d-----w C:\Documents and Settings\Robert Deacon\Application Data\uTorrent


    2008-04-16 17:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SITEguard


    2008-04-16 10:18 --------- d-----w C:\Documents and Settings\Robert Deacon\Application Data\Free Download Manager


    2008-04-15 10:55 --------- d-----w C:\Program Files\PokerStars


    2008-04-15 07:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP


    2008-04-15 07:56 3,825 --sha-w C:\WINDOWS\system32\mmf.sys


    2008-04-12 19:19 --------- d-----w C:\Program Files\Sports Mogul


    2008-04-08 12:59 --------- d-----w C:\Program Files\uTorrent


    2008-04-06 18:40 --------- d-----w C:\Program Files\Microsoft Silverlight


    2008-04-04 19:38 --------- d-----w C:\Documents and Settings\Robert Deacon\Application Data\Vso


    2008-04-02 23:38 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS


    2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys


    2008-03-13 02:38 27,136 ----a-w C:\WINDOWS\system32\drivers\tapvpn.sys


    2008-03-10 09:11 --------- d-----w C:\Program Files\Warcraft III


    2008-03-10 09:06 81,984 ----a-w C:\WINDOWS\system32\bdod.bin


    2008-03-10 09:06 --------- d-----w C:\Program Files\Common Files\Softwin


    2008-03-10 09:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\BitDefender


    2008-03-10 00:59 --------- d-----w C:\Program Files\Paint.NET


    2008-03-08 18:54 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL


    2008-03-08 18:29 --------- d-----w C:\Program Files\TVAnts


    2008-03-07 10:04 229,376 ----a-r C:\WINDOWS\system32\SZBase5.dll


    2008-03-03 14:16 33,920 ----a-r C:\WINDOWS\system32\drivers\SZKG.sys


    2008-02-22 14:52 126,976 ----a-r C:\WINDOWS\system32\IS3HTUI5.dll


    2008-02-22 14:51 372,736 ----a-r C:\WINDOWS\system32\IS3UI5.dll


    2008-02-22 14:51 364,544 ----a-r C:\WINDOWS\system32\IS3DBA5.dll


    2008-02-22 14:50 61,440 ----a-r C:\WINDOWS\system32\IS3Hks5.dll


    2008-02-22 14:50 23,040 ----a-r C:\WINDOWS\system32\IS3XDat5.dll


    2008-02-22 14:50 192,512 ----a-r C:\WINDOWS\system32\IS3Win325.dll


    2008-02-22 14:49 94,208 ----a-r C:\WINDOWS\system32\IS3Inet5.dll


    2008-02-22 14:49 90,112 ----a-r C:\WINDOWS\system32\IS3Svc5.dll


    2008-02-22 14:45 708,608 ----a-r C:\WINDOWS\system32\IS3Base5.dll


    2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll


    2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll


    2008-02-18 10:25 --------- d-----w C:\Program Files\Symantec AntiVirus


    2008-02-18 09:46 --------- d--h--w C:\Program Files\InstallShield Installation Information


    2008-02-18 09:46 --------- d-----w C:\Program Files\SpeedTouch


    2008-02-18 09:41 --------- d-----w C:\Program Files\Virgin Net Broadband


    2008-02-17 18:01 --------- d-----w C:\Program Files\Common Files\iS3


    2008-02-17 17:36 --------- d-----w C:\Program Files\XoftSpySE


    2008-02-17 15:57 4,388 ----a-w C:\WINDOWS\system32\tmp.reg


    2008-02-17 15:32 --------- d-----w C:\Documents and Settings\Robert Deacon\Application Data\PrevxCSI


    2008-02-17 08:47 --------- d-----w C:\Program Files\Free Download Manager


    2008-02-17 08:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG


    2007-08-15 22:38 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT


    2007-04-25 00:36 14,764,808 ----a-w C:\Program Files\DivXInstaller.exe


    2007-03-01 21:29 67,432 ----a-w C:\Documents and Settings\Robert Deacon\Application Data\GDIPFONTCACHEV1.DAT


    2006-05-31 17:56 5,816 ----a-w C:\Documents and Settings\Robert Deacon\Application Data\wklnhst.dat


    2006-06-26 18:17 88 --sh--r C:\WINDOWS\system32\B57F95B843.sys


    2005-03-06 16:42 104 --sh--r C:\WINDOWS\system32\FF094E037D.sys


    2008-01-15 17:20 79,168 --sha-w C:\WINDOWS\system32\fhkmp.ini2


    2006-06-26 18:17 6,686 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


    .


    ------- Sigcheck -------


    2005-05-25 20:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys


    2006-01-13 18:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys


    2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys


    2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys


    2004-08-04 13:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys


    2005-05-25 20:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys


    2006-01-13 03:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys


    2006-04-20 12:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys


    2008-04-03 00:38 360064 8283a4d489b207991efdc8328733d0bc C:\WINDOWS\system32\dllcache\TCPIP.SYS


    2008-04-03 00:38 360064 8283a4d489b207991efdc8328733d0bc C:\WINDOWS\system32\drivers\TCPIP.SYS


    .


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    .


    *Note* empty entries & legit default entries are not shown


    REGEDIT4


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 15:16 171464]


    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]


    "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]


    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-08-02 20:36 124232]


    "EPSON Stylus C62 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-07-01 04:05 74752]


    "zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]


    "Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-03-16 00:07 421888]


    "SpeedTouch USB Diagnostics"="C:\Program Files\Virgin Net Broadband\Dragdiag.exe" [2004-01-26 12:38 866816]


    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]


    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]


    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]


    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]


    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\


    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]


    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]


    NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-10-30 15:04:17 118784]


    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\6ce8e251]


    C:\WINDOWS\system32\wkuyeyqe.dll


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6fdbd1cd]


    C:\WINDOWS\system32\kmdxkvmh.dll


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]


    --a------ 2004-06-09 21:31 66680 C:\Program Files\Common Files\Symantec Shared\ccApp.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]


    --a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]


    --a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]


    --a------ 2007-01-20 08:09 200704 C:\Program Files\PowerISO\PWRISOVM.EXE


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]


    --a------ 2007-11-15 00:43 286720 C:\Program Files\QuickTime\qttask.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]


    --a------ 2007-07-14 15:14 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]


    "usnjsvc"=3 (0x3)


    "SavRoam"=3 (0x3)


    "rpcapd"=3 (0x3)


    "LicCtrlService"=2 (0x2)


    "IDriverT"=3 (0x3)


    "HotspotShieldService"=2 (0x2)


    "DomainService"=2 (0x2)


    "COM+ Messages"=2 (0x2)


    "Autodata Limited License Service"=2 (0x2)


    "Symantec AntiVirus"=2 (0x2)


    "SNDSrvc"=3 (0x3)


    "PnkBstrB"=2 (0x2)


    "PnkBstrA"=2 (0x2)


    "iPod Service"=3 (0x3)


    "DefWatch"=2 (0x2)


    "ccSetMgr"=2 (0x2)


    "Apple Mobile Device"=2 (0x2)


    "btwdins"=2 (0x2)


    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]


    "DisableMonitoring"=dword:00000001


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]


    "EnableFirewall"= 0 (0x0)


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]


    "C:\\Program Files\\Xfire\\Xfire.exe"=


    "C:\\Program Files\\Valve\\Steam\\SteamApps\\martin156\\counter-strike source\\hl2.exe"=


    "C:\\Program Files\\Valve\\Steam\\Steam.exe"=


    "C:\\Program Files\\Mozilla Firefox\\firefox.exe"=


    "C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=


    "C:\\Program Files\\BitLord\\BitLord.exe"=


    "C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=


    "C:\\Program Files\\uTorrent\\uTorrent.exe"=


    "C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=


    "C:\\Program Files\\SopCast\\SopCast.exe"=


    "C:\\Program Files\\Codemasters\\The Lord of the Rings Online\\lotroclient.exe"=


    "C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=


    "C:\\Program Files\\Codemasters\\The Lord of the Rings Online\\TurbineLauncher.exe"=


    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=


    "C:\\Program Files\\MSN Messenger\\livecall.exe"=


    "C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=


    "C:\\Program Files\\iTunes\\iTunes.exe"=


    "C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=


    "C:\\Documents and Settings\\Robert Deacon\\Application Data\\SopCast\\adv\\SopAdver.exe"=


    "C:\\WINDOWS\\system32\\PnkBstrA.exe"=


    "C:\\Program Files\\mIRC\\mirc.exe"=


    "C:\\Program Files\\Internet Explorer\\iexplore.exe"=


    "C:\\Program Files\\Virgin Net Broadband\\stdialup.exe"=


    "C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\Ad-Aware2007.exe"=


    "C:\\Program Files\\STOPzilla!\\SZRegister.exe"=


    "C:\\WINDOWS\\system32\\PnkBstrB.exe"=


    "C:\\WINDOWS\\system32\\sessmgr.exe"=


    "C:\\Program Files\\TVAnts\\Tvants.exe"=


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


    "3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009


    R0 szkg5;szkg5;C:\WINDOWS\system32\drivers\szkg.sys [2008-03-03 15:16]


    S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 09:50]


    S3 tapvpn;TAP VPN Adapter;C:\WINDOWS\system32\DRIVERS\tapvpn.sys [2008-03-13 03:38]


    S4 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2006-10-17 21:36]


    *Newly Created Service* - SZKG5


    .


    Contents of the 'Scheduled Tasks' folder


    "2008-04-15 16:19:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"


    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe


    "2008-04-16 18:52:24 C:\WINDOWS\Tasks\XoftSpySE 2.job"


    - C:\Program Files\XoftSpySE\XoftSpy.exe


    "2008-04-12 02:00:00 C:\WINDOWS\Tasks\XoftSpySE.job"


    - C:\Program Files\XoftSpySE\XoftSpy.exe


    .


    **************************************************************************


    catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


    Rootkit scan 2008-04-16 19:52:43


    Windows 5.1.2600 Service Pack 2 NTFS


    scanning hidden processes ...


    scanning hidden autostart entries ...


    scanning hidden files ...


    scan completed successfully


    hidden files: 0


    **************************************************************************


    .


    ------------------------ Other Running Processes ------------------------


    .


    C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe


    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe


    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe


    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe


    C:\WINDOWS\system32\msiexec.exe


    C:\WINDOWS\system32\nvsvc32.exe


    C:\WINDOWS\system32\wscntfy.exe


    C:\Program Files\STOPzilla!\STOPzilla.exe


    .


    **************************************************************************


    .


    Completion time: 2008-04-16 19:57:57 - machine was rebooted [Robert Deacon]


    ComboFix-quarantined-files.txt 2008-04-16 18:57:53


    Pre-Run: 23,218,483,200 bytes free


    Post-Run: 23,270,281,216 bytes free


    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe


    [boot loader]


    timeout=2


    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS


    [operating systems]


    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect


    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons


    .


    2008-04-16 18:35:09 --- E O F ---


    Thanks for all your help. Hopefully this will help others with similar problems.