Some Websites Won't Work
A couple of days ago some websites stopped working for me. Google, Yahoo and a few others stopped working (mostly search engines), including the BitDefender forum. I discovered that if I go to Task Manager and end the process "explorer.exe", the websites all start working again. I can't keep doing this though, as it leads to me being unable to access all of the files on my computer until I reboot, which leads to the problem recurring. I've done some searching around various forums, downloaded and tried a few different things. I've also run a few different antivirus programs but have had no luck so far. I'm not sure if I have a virus or if the problem is something more simple.
Any help would be much appreciated
Comments
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 09:03, on 2008-04-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\WINDOWS\runservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Virgin Net Broadband\Dragdiag.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Robert Deacon\Desktop\Antivirus Stuff\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ROBERT DEACON\Application Data\Mozilla\Profiles\default\el8jd9nm.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: {dff784b7-af74-f12a-2ea4-c58fd0e6c503} - {305c6e0d-f85c-4ae2-a21f-47fa7b487ffd} - C:\WINDOWS\system32\jforykui.dll
O2 - BHO: (no name) - {6DAE37E1-D3DA-4AE7-BF92-58E867D5A276} - C:\WINDOWS\system32\byXOeBur.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Virgin Net Broadband\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [6ce8e251] rundll32.exe "C:\WINDOWS\system32\wkuyeyqe.dll",b
O4 - HKLM\..\Run: [bM6fdbd1cd] Rundll32.exe "C:\WINDOWS\system32\kmdxkvmh.dll",s
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
--
End of file - 8852 bytes
Hello,
Check and fix these lines:
O2 - BHO: {dff784b7-af74-f12a-2ea4-c58fd0e6c503} - {305c6e0d-f85c-4ae2-a21f-47fa7b487ffd} - C:\WINDOWS\system32\jforykui.dll
O2 - BHO: (no name) - {6DAE37E1-D3DA-4AE7-BF92-58E867D5A276} - C:\WINDOWS\system32\byXOeBur.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [6ce8e251] rundll32.exe "C:\WINDOWS\system32\wkuyeyqe.dll",b
O4 - HKLM\..\Run: [bM6fdbd1cd] Rundll32.exe "C:\WINDOWS\system32\kmdxkvmh.dll",s
O9 - Extra button: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O9 - Extra 'Tools' menuitem: WH GBP Casino - {37236812-C1A2-4529-A9CE-CFE04E3DF08A} - http://www.williamhillcasino.com (file missing) (HKCU)
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe
Regards
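The triage that robtap applied above can be written down as a handful of rules: randomly named eight-letter DLLs in system32, Run values whose name is a hex blob and whose command is rundll32 calling a one-letter export, BHOs with no display name or no file behind them, an O16 Download Program File fetched from a bare IP address, and services with no publisher string. The script below is an added example and is not part of this thread or of HijackThis; the regexes and the small allowlist are my assumptions tuned to this log, and the sample lines are excerpted from the first log posted above. It is a triage aid that tells you what to look at, not a verdict on any entry.

```python
import re
from dataclasses import dataclass, field

# Sample input: lines excerpted from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: {dff784b7-af74-f12a-2ea4-c58fd0e6c503} - {305c6e0d-f85c-4ae2-a21f-47fa7b487ffd} - C:\WINDOWS\system32\jforykui.dll
O2 - BHO: (no name) - {6DAE37E1-D3DA-4AE7-BF92-58E867D5A276} - C:\WINDOWS\system32\byXOeBur.dll
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [6ce8e251] rundll32.exe "C:\WINDOWS\system32\wkuyeyqe.dll",b
O4 - HKLM\..\Run: [bM6fdbd1cd] Rundll32.exe "C:\WINDOWS\system32\kmdxkvmh.dll",s
O16 - DPF: {FF3F0F03-0F01-131A-A3F9-08F02B23E0CC} - http://66.117.37.13/dba2218.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Heuristics (assumptions chosen to match the shapes seen in this log).
HEXISH_VALUE_NAME = re.compile(r"^[A-Za-z]{0,2}[0-9a-fA-F]{6,12}$")      # 6ce8e251, bM6fdbd1cd
GUID = re.compile(r"^\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")
RUNDLL_SINGLE_LETTER_EXPORT = re.compile(
    r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?\s*,\s*[A-Za-z]\s*$', re.I)   # ...\x.dll",b
EXE_FROM_BARE_IP = re.compile(r"^https?://\d{1,3}(?:\.\d{1,3}){3}/\S*\.exe$", re.I)
EIGHT_LETTER_SYSTEM32_DLL = re.compile(r"\\system32\\([A-Za-z]{8})\.dll", re.I)
KNOWN_GOOD_EIGHT_LETTER = {"browseui"}   # assumption: tiny allowlist of legitimate names


@dataclass
class Finding:
    section: str
    line: str
    reasons: list = field(default_factory=list)


def _check_dll_name(text, reasons):
    m = EIGHT_LETTER_SYSTEM32_DLL.search(text)
    if m and m.group(1).lower() not in KNOWN_GOOD_EIGHT_LETTER:
        reasons.append("eight-letter DLL in system32 (random-name pattern; verify by hand)")


def _check_o2(rest, reasons):
    # rest looks like: BHO: <name> - {CLSID} - <path or "(no file)">
    parts = rest[len("BHO: "):].split(" - ")
    if len(parts) < 3:
        return
    name, path = parts[0], " - ".join(parts[2:])
    if name == "(no name)" or GUID.match(name):
        reasons.append("BHO registered without a human-readable name")
    if path == "(no file)":
        reasons.append("orphaned BHO registration (file already gone)")
    _check_dll_name(path, reasons)


def _check_o4(rest, reasons):
    # rest looks like: HKLM\..\Run: [<value name>] <command line>
    m = re.search(r"\[([^\]]*)\]\s*(.*)$", rest)
    if not m:
        return
    value_name, command = m.group(1), m.group(2)
    if HEXISH_VALUE_NAME.match(value_name):
        reasons.append("autorun value name is a random hex blob")
    if RUNDLL_SINGLE_LETTER_EXPORT.search(command):
        reasons.append("rundll32 loading a DLL through a one-letter export")
    _check_dll_name(command, reasons)


def _check_o16(rest, reasons):
    url = rest.split(" - ")[-1]
    if EXE_FROM_BARE_IP.match(url):
        reasons.append("Download Program File fetching an .exe from a bare IP address")


def _check_o23(rest, reasons):
    if " - Unknown owner - " in rest:
        reasons.append("service with no publisher string (check the binary's signer)")


CHECKS = {"O2": _check_o2, "O4": _check_o4, "O16": _check_o16, "O23": _check_o23}


def triage(log_text):
    """Return a Finding for every HijackThis line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        section, sep, rest = line.partition(" - ")
        check = CHECKS.get(section)
        if not sep or check is None:
            continue
        finding = Finding(section, line)
        check(rest, finding.reasons)
        if finding.reasons:
            findings.append(finding)
    return findings


def flagged_lines(log_text):
    """Map each flagged log line to the list of reasons it was flagged."""
    return {f.line: f.reasons for f in triage(log_text)}


if __name__ == "__main__":
    for entry, why in flagged_lines(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```

Run against the sample, the two rundll32 entries and the three odd BHOs are flagged while the Yahoo! BHO, the NVIDIA Run entry and the NVIDIA service pass clean. The Hotspot Shield service is listed only because HijackThis could not read a publisher string, which is a "go and check" item rather than a reason to remove it; that distinction is why the output carries reasons rather than a single score.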
Thanks for your help robtap, sadly the problem hasn't gone.
Here is my new log:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:14, on 2008-04-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Virgin Net Broadband\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Robert Deacon\Desktop\Antivirus Stuff\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ROBERT DEACON\Application Data\Mozilla\Profiles\default\el8jd9nm.slt\prefs.js)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: SITEguard BHO - {1827766B-9F49-4854-8034-F6EE26FCB1EC} - C:\Program Files\STOPzilla!\SZSG.dll
O2 - BHO: (no name) - {8749A023-E67A-4F81-85FF-0457231B9F57} - C:\WINDOWS\system32\byXOeBur.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Free Download Manager\iefdm2.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Virgin Net Broadband\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [bM6fdbd1cd] Rundll32.exe "C:\WINDOWS\system32\kmdxkvmh.dll",s
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
--
End of file - 7622 bytes
Download, install and run Spybot Search & Destroy and it will be fine.
Hello robtap and Chesda
It's good that you help people, but please, if BitDefender doesn't detect the files that you let people fix in HijackThis, let them archive these files first before letting them take any action. Otherwise BitDefender will not be able to detect them in the future.
Use an archive tool such as WinRAR or WinZip. After that, let the people upload these samples in this forum section.
Thanks in advance.
Best regards
Niels
Hello RobD,
It's better that you use version 2.0.2 of HijackThis, which is the stable version. You can download it from the link that Chesda gave to you. I've moved your topic to the logs analysis section. I recommend that you download ComboFix here. Follow these instructions and post the output of the scan.
Best regards
Niels
First, we need you to submit these following items to BitDefender for further analysis:
byXOeBur.dll
kmdxkvmh.dll
Follow these steps:
- Open Windows Explorer
- Tools Menu -> Folder Options -> View Tab
- Click Show hidden files and folders, scroll down and untick Hide protected operating system files. Click Ok.
- Go to this location C:\WINDOWS\system32 and locate byXOeBur.dll and kmdxkvmh.dll
- Zip these files in a folder with the password infected and attach it on your next reply
Run HijackThis again, check and fix the following entries:
O2 - BHO: (no name) - {8749A023-E67A-4F81-85FF-0457231B9F57} - C:\WINDOWS\system32\byXOeBur.dll
O4 - HKLM\..\Run: [bM6fdbd1cd] Rundll32.exe "C:\WINDOWS\system32\kmdxkvmh.dll",s
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
Also, post a fresh ComboFix and a HijackThis log.
I posted the two requested files in this topic:
http://forum.bitdefender.com/index.php?showtopic=5251
I had a problem running ComboFix. I followed the instructions in the link posted by Niels, but once I got to the autoscan an hour passed without it completing a single stage and there was no evidence that the program was actually doing anything. I ended up closing the program manually and thankfully there were no problems, but I'm cautious about running the program again in case something goes wrong.
I did however follow Chesda's advice and here's my updated HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:50, on 2008-04-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Virgin Net Broadband\Dragdiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ROBERT DEACON\Application Data\Mozilla\Profiles\default\el8jd9nm.slt\prefs.js)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [EPSON Stylus C62 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C62 Series" /O5 "LPT1:" /M "Stylus C62"
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [speedTouch USB Diagnostics] "C:\Program Files\Virgin Net Broadband\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [6ce8e251] rundll32.exe "C:\WINDOWS\system32\gdtfntev.dll",b
O4 - HKLM\..\Run: [bM6fdbd1cd] Rundll32.exe "C:\WINDOWS\system32\kmdxkvmh.dll",s
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-21-2876460898-2810476803-1168322895-1007\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Martin Deacon')
O4 - HKUS\S-1-5-21-2876460898-2810476803-1168322895-1007\..\Run: [steam] "c:\program files\valve\steam\steam.exe" -silent (User 'Martin Deacon')
O4 - HKUS\S-1-5-21-2876460898-2810476803-1168322895-1007\..\Run: [] (User 'Martin Deacon')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - C:\PROGRA~1\PACIFI~1\pacificpoker.exe
O9 - Extra button: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyCasino - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunApp.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: CarbonPoker - {e4e8c758-34b4-44bb-8ef9-1f0786e81d2d} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
--
End of file - 6647 bytes
Thanks for all your help
I decided to bite the bullet and try ComboFix again, and am I glad I did, as it seems to have fixed the problem.
Here's the log it produced:
ComboFix 08-04-15.8 - Robert Deacon 2008-04-16 19:46:05.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1096 [GMT 1:00]
Running from: C:\Documents and Settings\Robert Deacon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Robert Deacon\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Robert Deacon\Application Data\CROSOF~1.NET
C:\Documents and Settings\Robert Deacon\Application Data\macromedia\Flash Player\#SharedObjects\MGWAFQQV\www.broadcaster.com
C:\Documents and Settings\Robert Deacon\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Robert Deacon\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\racle~1
C:\Program Files\ecurit~1
C:\Program Files\fnts~1
C:\Program Files\icroso~1.net
C:\Program Files\smbols~1
C:\WINDOWS\adaway.lic
C:\WINDOWS\ppatch~1
C:\WINDOWS\pskt.ini
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\byXOeBur.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\eqyeyukw.ini
C:\WINDOWS\system32\gdtfntev.dll
C:\WINDOWS\system32\ineWc01
C:\WINDOWS\system32\jforykui.dll
C:\WINDOWS\system32\jnclgwvt.dll
C:\WINDOWS\system32\kmd.exe
C:\WINDOWS\system32\kmdxkvmh.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nkfcswfl.ini
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pmxophqa.ini
C:\WINDOWS\system32\ppatch~1
C:\WINDOWS\system32\ruBeOXyb.ini
C:\WINDOWS\system32\ruBeOXyb.ini2
C:\WINDOWS\system32\sks~1
C:\WINDOWS\system32\sks~1\??sks\
C:\WINDOWS\system32\smante~1
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\system32\ssembl~1
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\sttss.ini
C:\WINDOWS\system32\sttss.ini2
C:\WINDOWS\system32\tvwglcnj.ini
C:\WINDOWS\system32\vetnftdg.ini
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wkuyeyqe.dll
C:\WINDOWS\system32\wnsapisv32.exe
C:\WINDOWS\system32\wpcap.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_6TO4
-------\Legacy_FOPN
-------\Legacy_NPF
-------\Legacy_SZKG5
-------\Service_6to4
-------\Service_NPF
-------\Service_szkg5
((((((((((((((((((((((((( Files Created from 2008-03-16 to 2008-04-16 )))))))))))))))))))))))))))))))
.
2008-04-16 19:24 . 2008-04-16 19:24 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
2008-04-16 19:23 . 2007-08-13 19:52 66,048 --a------ C:\WINDOWS\ieResetIcons.exe
2008-04-16 10:53 . 2008-04-16 10:53 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-15 14:00 . 2008-04-15 14:00 <DIR> d-------- C:\Program Files\InterMute
2008-04-14 20:18 . 2008-04-14 20:18 <DIR> d-------- C:\BrownSW
2008-04-14 18:47 . 2008-04-14 18:48 <DIR> d-------- C:\WINDOWS\system32\QVJGTGljZW5zZUluZm8=
2008-04-14 18:47 . 2008-04-14 19:52 <DIR> d-------- C:\Program Files\Advanced Registry Fix
2008-04-14 18:06 . 2008-04-14 20:22 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-04-13 18:24 . 2008-04-13 18:26 <DIR> d-------- C:\Documents and Settings\Robert Deacon\Application Data\Hide IP NG
2008-04-13 18:22 . 2008-04-13 18:26 <DIR> d-------- C:\Documents and Settings\Robert Deacon\Application Data\HideIP
2008-04-13 18:05 . 2008-04-13 18:05 32 --a------ C:\WINDOWS\go
2008-04-12 20:03 . 2008-04-14 12:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\{AAFF8BDC-4A49-493A-BD8D-80DFBB97EF64}
2008-04-04 20:56 . 2008-04-04 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-04-04 20:38 . 2008-04-04 20:38 87,608 --a------ C:\Documents and Settings\Robert Deacon\Application Data\inst.exe
2008-04-04 20:38 . 2008-04-04 20:38 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-04-04 20:38 . 2008-04-04 20:38 47,360 --a------ C:\Documents and Settings\Robert Deacon\Application Data\pcouffin.sys
2008-04-04 20:37 . 2008-04-04 21:25 <DIR> d-------- C:\Program Files\MagicDVDCopier
2008-04-02 13:58 . 2008-04-02 13:58 268 --ah----- C:\sqmdata01.sqm
2008-04-02 13:58 . 2008-04-02 13:58 244 --ah----- C:\sqmnoopt01.sqm
2008-03-28 14:06 . 2008-03-28 14:06 <DIR> d-------- C:\WINDOWS\Out of the Park Baseball
2008-03-28 14:06 . 2008-03-28 14:06 <DIR> d-------- C:\Program Files\Out of the Park Developments
2008-03-28 14:06 . 2008-03-28 14:06 <DIR> d-------- C:\Documents and Settings\Robert Deacon\Application Data\Out of the Park Developments
2008-03-20 09:38 . 2008-03-20 09:38 268 --ah----- C:\sqmdata00.sqm
2008-03-20 09:38 . 2008-03-20 09:38 244 --ah----- C:\sqmnoopt00.sqm
2008-03-18 11:38 . 2008-04-14 19:30 <DIR> d-------- C:\Program Files\STOPzilla!
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 18:54 440 ----a-w C:\WINDOWS\system32\drivers\kgpfr2.cfg
2008-04-16 18:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\STOPzilla!
2008-04-16 17:42 --------- d-----w C:\Documents and Settings\Robert Deacon\Application Data\uTorrent
2008-04-16 17:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\SITEguard
2008-04-16 10:18 --------- d-----w C:\Documents and Settings\Robert Deacon\Application Data\Free Download Manager
2008-04-15 10:55 --------- d-----w C:\Program Files\PokerStars
2008-04-15 07:57 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-15 07:56 3,825 --sha-w C:\WINDOWS\system32\mmf.sys
2008-04-12 19:19 --------- d-----w C:\Program Files\Sports Mogul
2008-04-08 12:59 --------- d-----w C:\Program Files\uTorrent
2008-04-06 18:40 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-04 19:38 --------- d-----w C:\Documents and Settings\Robert Deacon\Application Data\Vso
2008-04-02 23:38 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-13 02:38 27,136 ----a-w C:\WINDOWS\system32\drivers\tapvpn.sys
2008-03-10 09:11 --------- d-----w C:\Program Files\Warcraft III
2008-03-10 09:06 81,984 ----a-w C:\WINDOWS\system32\bdod.bin
2008-03-10 09:06 --------- d-----w C:\Program Files\Common Files\Softwin
2008-03-10 09:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\BitDefender
2008-03-10 00:59 --------- d-----w C:\Program Files\Paint.NET
2008-03-08 18:54 360,064 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2008-03-08 18:29 --------- d-----w C:\Program Files\TVAnts
2008-03-07 10:04 229,376 ----a-r C:\WINDOWS\system32\SZBase5.dll
2008-03-03 14:16 33,920 ----a-r C:\WINDOWS\system32\drivers\SZKG.sys
2008-02-22 14:52 126,976 ----a-r C:\WINDOWS\system32\IS3HTUI5.dll
2008-02-22 14:51 372,736 ----a-r C:\WINDOWS\system32\IS3UI5.dll
2008-02-22 14:51 364,544 ----a-r C:\WINDOWS\system32\IS3DBA5.dll
2008-02-22 14:50 61,440 ----a-r C:\WINDOWS\system32\IS3Hks5.dll
2008-02-22 14:50 23,040 ----a-r C:\WINDOWS\system32\IS3XDat5.dll
2008-02-22 14:50 192,512 ----a-r C:\WINDOWS\system32\IS3Win325.dll
2008-02-22 14:49 94,208 ----a-r C:\WINDOWS\system32\IS3Inet5.dll
2008-02-22 14:49 90,112 ----a-r C:\WINDOWS\system32\IS3Svc5.dll
2008-02-22 14:45 708,608 ----a-r C:\WINDOWS\system32\IS3Base5.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-18 10:25 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-18 09:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-18 09:46 --------- d-----w C:\Program Files\SpeedTouch
2008-02-18 09:41 --------- d-----w C:\Program Files\Virgin Net Broadband
2008-02-17 18:01 --------- d-----w C:\Program Files\Common Files\iS3
2008-02-17 17:36 --------- d-----w C:\Program Files\XoftSpySE
2008-02-17 15:57 4,388 ----a-w C:\WINDOWS\system32\tmp.reg
2008-02-17 15:32 --------- d-----w C:\Documents and Settings\Robert Deacon\Application Data\PrevxCSI
2008-02-17 08:47 --------- d-----w C:\Program Files\Free Download Manager
2008-02-17 08:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\FreeDownloadManager.ORG
2007-08-15 22:38 20 ---h--w C:\Documents and Settings\All Users\Application Data\PKP_DLec.DAT
2007-04-25 00:36 14,764,808 ----a-w C:\Program Files\DivXInstaller.exe
2007-03-01 21:29 67,432 ----a-w C:\Documents and Settings\Robert Deacon\Application Data\GDIPFONTCACHEV1.DAT
2006-05-31 17:56 5,816 ----a-w C:\Documents and Settings\Robert Deacon\Application Data\wklnhst.dat
2006-06-26 18:17 88 --sh--r C:\WINDOWS\system32\B57F95B843.sys
2005-03-06 16:42 104 --sh--r C:\WINDOWS\system32\FF094E037D.sys
2008-01-15 17:20 79,168 --sha-w C:\WINDOWS\system32\fhkmp.ini2
2006-06-26 18:17 6,686 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
------- Sigcheck -------
2005-05-25 20:07 359936 63fdfea54eb53de2d863ee454937ce1e C:\WINDOWS\$hf_mig$\KB893066\SP2QFE\tcpip.sys
2006-01-13 18:07 360448 5562cc0a47b2aef06d3417b733f3c195 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
2006-04-20 13:18 360576 b2220c618b42a2212a59d91ebd6fc4b4 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
2007-10-30 17:53 360832 64798ecfa43d78c7178375fcdd16d8c8 C:\WINDOWS\$hf_mig$\KB941644\SP2QFE\tcpip.sys
2004-08-04 13:00 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\$NtUninstallKB893066$\tcpip.sys
2005-05-25 20:04 359808 88763a98a4c26c409741b4aa162720c9 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
2006-01-13 03:28 359808 583e063fdc888ca30d05c2724b0d7ef4 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
2006-04-20 12:51 359808 1dbf125862891817f374f407626967f4 C:\WINDOWS\$NtUninstallKB941644$\tcpip.sys
2008-04-03 00:38 360064 8283a4d489b207991efdc8328733d0bc C:\WINDOWS\system32\dllcache\TCPIP.SYS
2008-04-03 00:38 360064 8283a4d489b207991efdc8328733d0bc C:\WINDOWS\system32\drivers\TCPIP.SYS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-09-18 15:16 171464]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-08-02 20:36 124232]
"EPSON Stylus C62 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.exe" [2002-07-01 04:05 74752]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2004-03-18 09:33 892928]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2006-03-16 00:07 421888]
"SpeedTouch USB Diagnostics"="C:\Program Files\Virgin Net Broadband\Dragdiag.exe" [2004-01-26 12:38 866816]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-11-15 00:43 286720]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
NkbMonitor.exe.lnk - C:\Program Files\Nikon\PictureProject\NkbMonitor.exe [2006-10-30 15:04:17 118784]
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\6ce8e251]
C:\WINDOWS\system32\wkuyeyqe.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM6fdbd1cd]
C:\WINDOWS\system32\kmdxkvmh.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2004-06-09 21:31 66680 C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
--a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-01-20 08:09 200704 C:\Program Files\PowerISO\PWRISOVM.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-11-15 00:43 286720 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-07-14 15:14 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"usnjsvc"=3 (0x3)
"SavRoam"=3 (0x3)
"rpcapd"=3 (0x3)
"LicCtrlService"=2 (0x2)
"IDriverT"=3 (0x3)
"HotspotShieldService"=2 (0x2)
"DomainService"=2 (0x2)
"COM+ Messages"=2 (0x2)
"Autodata Limited License Service"=2 (0x2)
"Symantec AntiVirus"=2 (0x2)
"SNDSrvc"=3 (0x3)
"PnkBstrB"=2 (0x2)
"PnkBstrA"=2 (0x2)
"iPod Service"=3 (0x3)
"DefWatch"=2 (0x2)
"ccSetMgr"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"btwdins"=2 (0x2)
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Xfire\\Xfire.exe"=
"C:\\Program Files\\Valve\\Steam\\SteamApps\\martin156\\counter-strike source\\hl2.exe"=
"C:\\Program Files\\Valve\\Steam\\Steam.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\BitLord\\BitLord.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\Codemasters\\The Lord of the Rings Online\\lotroclient.exe"=
"C:\\Program Files\\VideoLAN\\VLC\\vlc.exe"=
"C:\\Program Files\\Codemasters\\The Lord of the Rings Online\\TurbineLauncher.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Sports Interactive\\Football Manager 2008\\fm.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Documents and Settings\\Robert Deacon\\Application Data\\SopCast\\adv\\SopAdver.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Virgin Net Broadband\\stdialup.exe"=
"C:\\Program Files\\Lavasoft\\Ad-Aware 2007\\Ad-Aware2007.exe"=
"C:\\Program Files\\STOPzilla!\\SZRegister.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\TVAnts\\Tvants.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
R0 szkg5;szkg5;C:\WINDOWS\system32\drivers\szkg.sys [2008-03-03 15:16]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\system32\Drivers\LCcFltr.Sys [2004-03-03 09:50]
S3 tapvpn;TAP VPN Adapter;C:\WINDOWS\system32\DRIVERS\tapvpn.sys [2008-03-13 03:38]
S4 LicCtrlService;LicCtrl Service;C:\WINDOWS\runservice.exe [2006-10-17 21:36]
*Newly Created Service* - SZKG5
.
Contents of the 'Scheduled Tasks' folder
"2008-04-15 16:19:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-16 18:52:24 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-04-12 02:00:00 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
**************************************************************************
catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-16 19:52:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
.
**************************************************************************
.
Completion time: 2008-04-16 19:57:57 - machine was rebooted [Robert Deacon]
ComboFix-quarantined-files.txt 2008-04-16 18:57:53
Pre-Run: 23,218,483,200 bytes free
Post-Run: 23,270,281,216 bytes free
WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
.
2008-04-16 18:35:09 --- E O F ---
Thanks for all your help; hopefully this will help others with similar problems.