AVG reporting trojan horse BHO.CVX - Help please

**chrisleech11** · #1 18th Dec 2007

[FONT=Verdana]Good afternoon,

Have been running the computer now fine for about 2 years and now it seems like we have a trojan horse. It isn't a genuine original windows XP as far as i'm aware but i do have a registry key to make it think it is if this helps at all.

Basically the problems are as follows

AVG Antivirus brings up 2 popups every 5 minutes or so:

1: C:WINDOWSsystem32clbcatexf.dll - Trojan Horse BHO.CVX
2: C:WINDOWSsystem32dsoundl.dll - Virus identified obfustat.ABXY

I wonder if anyone would be kind enough to help me

Here is my hijackthislog:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:01:39, on 17/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:WINDOWSSystem32smss.exe
C:WINDOWSsystem32winlogon.exe
C:WINDOWSsystem32services.exe
C:WINDOWSsystem32lsass.exe
C:WINDOWSsystem32svchost.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSsystem32spoolsv.exe
C:Program FilesCommon FilesAutodata Limited SharedServiceADCDLicSvc.exe
C:Program FilesGrisoftAVG Anti-Spyware 7.5guard.exe
C:PROGRA~1GrisoftAVGFRE~1avgamsvr.exe
C:PROGRA~1GrisoftAVGFRE~1avgupsvc.exe
C:PROGRA~1GrisoftAVGFRE~1avgemc.exe
C:Program FilesIVT CorporationBlueSoleilBTNtService.exe
C:Program FilesEsetnod32krn.exe
C:WINDOWSsystem32nvsvc32.exe
C:WINDOWSSystem32svchost.exe
C:WINDOWSExplorer.EXE
C:Program FilesJavajre1.6.0_03binjusched.exe
C:WINDOWSsystem32RunDLL32.exe
C:Program FilesCommon FilesRealUpdate_OBrealsched.exe
C:Program FilesCommon FilesInstallShieldUpdateServiceissch.exe
C:Program FilesHPHP Software UpdateHPWuSchd2.exe
C:WINDOWSSystem32svchost.exe
C:Program FilesThomsonSpeedTouch USBDragdiag.exe
C:Program FilesEsetnod32kui.exe
C:Program FilesGrisoftAVG Anti-Spyware 7.5avgas.exe
C:PROGRA~1GrisoftAVGFRE~1avgcc.exe
C:WINDOWSsystem32ctfmon.exe
C:Program FilesIVT CorporationBlueSoleilBlueSoleil.exe
C:Program FilesHPDigital Imagingbinhpqtra08.exe
C:Program FilesSonySony Picture UtilityVolumeWatcherSPUVolumeWatcher.exe
C:Program FilesHPDigital ImagingbinhpqSTE08.exe
C:WINDOWSsystem32wuauclt.exe
C:Program FilesHPDigital ImagingProduct Assistantbinhprblog.exe
C:Program FilesInternet Exploreriexplore.exe
C:Program FilesMicrosoft OfficeOffice10WINWORD.EXE
C:WINDOWSmsagentAgentSvr.exe
C:Documents and SettingsHijackThis.exe

R0 - HKCUSoftwareMicrosoftInternet ExplorerMain,Start Page = http://www.google.co.uk/
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLMSoftwareMicrosoftInternet ExplorerMain,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLMSoftwareMicrosoftInternet ExplorerMain,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCUSoftwareMicrosoftInternet ExplorerMain,Window Title = Microsoft Internet Explorer provided by Orange UK
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 http://www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 http://www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 http://www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 http://www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 http://www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 http://www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 http://www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 http://www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 http://www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 services.google.com
O1 - Hosts: 1.1.1.1 http://www.webroot.com
O1 - Hosts: 1.1.1.1 webroot.com
O2 - BHO: (no name) - {005A9000-A346-4076-B457-8F91C0080B3B} - c:windowssystem32dsoundl.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:Program FilesCommon FilesAdobeAcrobatActiveXAcroIEHelper.dll
O2 - BHO: (no name) - {10A9841C-E345-4855-A8CC-5B225E196B7D} - C:WINDOWSsystem32clbcatexf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:Program FilesJavajre1.6.0_03binssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:Program FilesCommon FilesMicrosoft SharedWindows LiveWindowsLiveLogin.dll
O4 - HKLM..Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM..Run: [SunJavaUpdateSched] "C:Program FilesJavajre1.6.0_03binjusched.exe"
O4 - HKLM..Run: [NvCplDaemon] RUNDLL32.EXE C:WINDOWSsystem32NvCpl.dll,NvStartup
O4 - HKLM..Run: [nwiz] nwiz.exe /install
O4 - HKLM..Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM..Run: [TkBellExe] "C:Program FilesCommon FilesRealUpdate_OBrealsched.exe" -osboot
O4 - HKLM..Run: [ISUSPM Startup] C:PROGRA~1COMMON~1INSTAL~1UPDATE~1ISUSPM.exe -startup
O4 - HKLM..Run: [ISUSScheduler] "C:Program FilesCommon FilesInstallShieldUpdateServiceissch.exe" -start
O4 - HKLM..Run: [HP Software Update] C:Program FilesHPHP Software UpdateHPWuSchd2.exe
O4 - HKLM..Run: [Adobe Reader Speed Launcher] "C:Program FilesAdobeReader 8.0ReaderReader_sl.exe"
O4 - HKLM..Run: [QuickTime Task] "C:Program FilesQuickTimeqttask.exe" -atboottime
O4 - HKLM..Run: [iTunesHelper] "C:Program FilesiTunesiTunesHelper.exe"
O4 - HKLM..Run: [SpeedTouch USB Diagnostics] "C:Program FilesThomsonSpeedTouch USBDragdiag.exe" /icon
O4 - HKLM..Run: [nod32kui] "C:Program FilesEsetnod32kui.exe" /WAITSERVICE
O4 - HKLM..Run: [!AVG Anti-Spyware] "C:Program FilesGrisoftAVG Anti-Spyware 7.5avgas.exe" /minimized
O4 - HKLM..Run: [AVG7_CC] C:PROGRA~1GrisoftAVGFRE~1avgcc.exe /STARTUP
O4 - HKCU..Run: [ctfmon.exe] C:WINDOWSsystem32ctfmon.exe
O4 - HKCU..Run: [Uniblue RegistryBooster 2] C:Program FilesUniblueRegistryBooster 2RegistryBooster.exe /S
O4 - HKUSS-1-5-19..Run: [CTFMON.EXE] C:WINDOWSSystem32CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-19..Run: [AVG7_Run] C:PROGRA~1GrisoftAVGFRE~1avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUSS-1-5-20..Run: [CTFMON.EXE] C:WINDOWSSystem32CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUSS-1-5-18..Run: [CTFMON.EXE] C:WINDOWSSystem32CTFMON.EXE (User 'SYSTEM')
O4 - HKUS.DEFAULT..Run: [CTFMON.EXE] C:WINDOWSSystem32CTFMON.EXE (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:Program FilesSonySony Picture UtilityVolumeWatcherSPUVolumeWatcher.exe
O4 - Startup: Port Monster.LNK = C:Program FilesZing SoftwarePort Monsterpm.exe
O4 - Startup: services.lnk = ?
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:Program FilesHPDigital Imagingbinhpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:Program FilesMicrosoft OfficeOffice10OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:PROGRA~1MICROS~2Office10EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_03binssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:Program FilesJavajre1.6.0_03binssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:WINDOWSNetwork Diagnosticxpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:Program FilesMessengermsmsgs.exe
O12 - Plugin for .spop: C:Program FilesInternet ExplorerPluginsNPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:Program FilesYahoo!Commonyinsthelper.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1196445892705
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1196446231492
O17 - HKLMSystemCCSServicesTcpip..{F4AA6754-7EFA-4385-948A-1B893576E14C}: NameServer = 195.92.195.94 195.92.195.95
O20 - Winlogon Notify: utgircju - C:WINDOWSSYSTEM32dsoundl.dll
O23 - Service: Autodata Limited License Service - Autodata Limited - C:Program FilesCommon FilesAutodata Limited SharedServiceADCDLicSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:Program FilesGrisoftAVG Anti-Spyware 7.5guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVGFRE~1avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVGFRE~1avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:PROGRA~1GrisoftAVGFRE~1avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:Program FilesIVT CorporationBlueSoleilBTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:Program FilesCommon FilesInstallShieldDriver1050Intel 32IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:Program FilesEsetnod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:WINDOWSsystem32nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:WINDOWSsystem32HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://home.as-netz.de/herbert.fisch...-welpen-09.jpg

--
End of file - 10436 bytes

Thank you, Chris Leech [/FONT]

**evilfantasy** · #2 18th Dec 2007

Run another scan and copy then paste the log directly from notepad.

Everything is reading like this > C:WINDOWSSystem32smss.exe

It should be like this > C:\WINDOWS\System32\smss.exe

All of the forward slash \ symbols are missing.

**chrisleech11** · #3 18th Dec 2007

Oh yes, sorry about that. I shall do it as soon as i'm able to go back on that specific computer around 5.30pm UK time.

Thanks for your reply
Chris

**chrisleech11** · #4 18th Dec 2007

I've managed to have someone send me the text that came up, hopefully after using notepad to copy and paste from/to this should be more useful

AVG Antivirus brings up 2 popups every 5 minutes or so:
1: C:\WINDOWS\system32\clbcatexf.dll - Trojan Horse BHO.CVX
2: C:\WINDOWS\system32\dsoundl.dll - Virus identified obfustat.ABXY
I wonder if anyone would be kind enough to help me
Here is my hijackthislog:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:01:39, on 17/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Documents and Settings\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 1.1.1.1 free.grisoft.com
O1 - Hosts: 1.1.1.1 housecall.trendmicro.com
O1 - Hosts: 1.1.1.1 usa.kaspersky.com
O1 - Hosts: 1.1.1.1 ewido.net
O1 - Hosts: 1.1.1.1 www.ewido.net
O1 - Hosts: 1.1.1.1 zonelabs.com
O1 - Hosts: 1.1.1.1 www.zonelabs.com
O1 - Hosts: 1.1.1.1 bitdefender.com
O1 - Hosts: 1.1.1.1 www.bitdefender.com
O1 - Hosts: 1.1.1.1 download.bitdefender.com
O1 - Hosts: 1.1.1.1 upgrade.bitdefender.com
O1 - Hosts: 1.1.1.1 spywareinfo.com
O1 - Hosts: 1.1.1.1 www.spywareinfo.com
O1 - Hosts: 1.1.1.1 merijn.org
O1 - Hosts: 1.1.1.1 www.merijn.org
O1 - Hosts: 1.1.1.1 sysinternals.com
O1 - Hosts: 1.1.1.1 www.sysinternals.com
O1 - Hosts: 1.1.1.1 onguardonline.gov
O1 - Hosts: 1.1.1.1 www.onguardonline.gov
O1 - Hosts: 1.1.1.1 avast.com
O1 - Hosts: 1.1.1.1 www.avast.com
O1 - Hosts: 1.1.1.1 safety.live.com
O1 - Hosts: 1.1.1.1 www.paretologic.com
O1 - Hosts: 1.1.1.1 paretologic.com
O1 - Hosts: 1.1.1.1 services.google.com
O1 - Hosts: 1.1.1.1 www.webroot.com
O1 - Hosts: 1.1.1.1 webroot.com
O2 - BHO: (no name) - {005A9000-A346-4076-B457-8F91C0080B3B} - c:\windows\system32\dsoundl.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {10A9841C-E345-4855-A8CC-5B225E196B7D} - C:\WINDOWS\system32\clbcatexf.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: Port Monster.LNK = C:\Program Files\Zing Software\Port Monster\pm.exe
O4 - Startup: services.lnk = ?
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1196445892705
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1196446231492
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4AA6754-7EFA-4385-948A-1B893576E14C}: NameServer = 195.92.195.94 195.92.195.95
O20 - Winlogon Notify: utgircju - C:\WINDOWS\SYSTEM32\dsoundl.dll
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://home.as-netz.de/herbert.fisch...-welpen-09.jpg
--
End of file - 10436 bytes

**evilfantasy** · #5 18th Dec 2007

Download SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, the Advanced Options Menu should appear;
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
*] Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard).
* Finally add the contents of the Report.txt in your next post.

----------

Please download Combofix by sUBs from either here or here

Save Combofix.exe to your your Desktop.

Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter)
When finished, it will produce a log for you.
Post that log in your next reply.

Do not mouseclick combofix's window while it's running. That may cause your computer to stall----------

Next post please add:
SDFix log
combofix log
New HijackThis log

**chrisleech11** · #6 18th Dec 2007

SD Fix log

SDFix: Version 1.118
Run by Administrator on 18/12/2007 at 18:11
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\ADMINI~1\Desktop\SDFix
Safe Mode:
Checking Services:
Name:
kprof
poof
Path:
\??\C:\WINDOWS\system32\kprof
\??\C:\WINDOWS\system32\poof
kprof - Deleted
poof - Deleted

Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...

Normal Mode:
Checking Files:
Trojan Files Found:
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\uninstall.exe - Deleted

Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.

Final Check:
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-18 18:36:35
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...
scanning hidden registry entries ...
scanning hidden files ...
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\emoguy11@hotmail.co.uk\Sh aringMetadata\jimmy.meek@hotmail.co.uk\DFSR\Stagin g\CS{636A3F84-7C12-2D3E-441D-E0ABDD79F326}\01\16-{636A3F84-7C12-2D3E-441D-E0ABDD79F326}-v1-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v16-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\emoguy11@hotmail.co.uk\Sh aringMetadata\mental_biker@hotmail.com\DFSR\Stagin g\CS{7444E8EC-F248-F4B3-8842-4B6AA383DD52}\01\12-{7444E8EC-F248-F4B3-8842-4B6AA383DD52}-v1-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v12-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\emoguy11@hotmail.co.uk\Sh aringMetadata\mental_biker@hotmail.com\DFSR\Stagin g\CS{7444E8EC-F248-F4B3-8842-4B6AA383DD52}\13\13-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v13-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v13-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 33960 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\emoguy11@hotmail.co.uk\Sh aringMetadata\mental_biker@hotmail.com\DFSR\Stagin g\CS{7444E8EC-F248-F4B3-8842-4B6AA383DD52}\13\13-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v13-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v13-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2 2568 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\emoguy11@hotmail.co.uk\Sh aringMetadata\mental_biker@hotmail.com\DFSR\Stagin g\CS{7444E8EC-F248-F4B3-8842-4B6AA383DD52}\13\13-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v13-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v13-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 3776 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\emoguy11@hotmail.co.uk\Sh aringMetadata\mental_biker@hotmail.com\DFSR\Stagin g\CS{7444E8EC-F248-F4B3-8842-4B6AA383DD52}\14\14-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v14-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v14-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 42420 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\emoguy11@hotmail.co.uk\Sh aringMetadata\mental_biker@hotmail.com\DFSR\Stagin g\CS{7444E8EC-F248-F4B3-8842-4B6AA383DD52}\14\14-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v14-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v14-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2 3054 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\emoguy11@hotmail.co.uk\Sh aringMetadata\mental_biker@hotmail.com\DFSR\Stagin g\CS{7444E8EC-F248-F4B3-8842-4B6AA383DD52}\14\14-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v14-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v14-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 4752 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\emoguy11@hotmail.co.uk\Sh aringMetadata\mental_biker@hotmail.com\DFSR\Stagin g\CS{7444E8EC-F248-F4B3-8842-4B6AA383DD52}\15\15-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v15-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 34302 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\emoguy11@hotmail.co.uk\Sh aringMetadata\mental_biker@hotmail.com\DFSR\Stagin g\CS{7444E8EC-F248-F4B3-8842-4B6AA383DD52}\15\15-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v15-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2 2550 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\emoguy11@hotmail.co.uk\Sh aringMetadata\mental_biker@hotmail.com\DFSR\Stagin g\CS{7444E8EC-F248-F4B3-8842-4B6AA383DD52}\15\15-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v15-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 3800 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\emoguy11@hotmail.co.uk\Sh aringMetadata\mental_biker@hotmail.com\DFSR\Stagin g\CS{7444E8EC-F248-F4B3-8842-4B6AA383DD52}\21\21-{AA5C2047-F00C-47CF-9ABD-CDE8C483D2BB}-v21-{AA5C2047-F00C-47CF-9ABD-CDE8C483D2BB}-v21-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 3072 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\emoguy11@hotmail.co.uk\Sh aringMetadata\mental_biker@hotmail.com\DFSR\Stagin g\CS{7444E8EC-F248-F4B3-8842-4B6AA383DD52}\22\22-{AA5C2047-F00C-47CF-9ABD-CDE8C483D2BB}-v22-{AA5C2047-F00C-47CF-9ABD-CDE8C483D2BB}-v22-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1 2892 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\emoguy11@hotmail.co.uk\Sh aringMetadata\mental_biker@hotmail.com\DFSR\Stagin g\CS{7444E8EC-F248-F4B3-8842-4B6AA383DD52}\22\22-{AA5C2047-F00C-47CF-9ABD-CDE8C483D2BB}-v22-{AA5C2047-F00C-47CF-9ABD-CDE8C483D2BB}-v22-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 328 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\emoguy11@hotmail.co.uk\Sh aringMetadata\xx.-miss-pink-.xx@hotmail.co.uk\DFSR\Staging\CS{0222B4DB-DCC4-48B5-2798-D9DBBACAD643}\01\17-{0222B4DB-DCC4-48B5-2798-D9DBBACAD643}-v1-{6BFE53D6-68BD-4673-82DE-D4C3FE75C5B9}-v17-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Messenger\emoguy11@hotmail.co.uk\Sh aringMetadata\xx.-miss-pink-.xx@hotmail.co.uk\DFSR\Staging\CS{0222B4DB-DCC4-48B5-2798-D9DBBACAD643}\42\42-{B6D32105-1D15-4247-B435-50888B47C8CC}-v42-{B6D32105-1D15-4247-B435-50888B47C8CC}-v42-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 224 bytes hidden from API
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 16

Remaining Services:
------------------

Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\standard profile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Zing Software\\Port Monster\\pm.exe"="C:\\Program Files\\Zing Software\\Port Monster\\pm.exe:*:Enabled:Port monitor, connection detector, and firewall."
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:E nabled:LimeWire swarmed installer"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Prog ram Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled: BlueSoleil"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Progra m Files\\Real\\RealPlayer\\realplay.exe:*:Disabled:R ealPlayer"
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr .exe"="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\h elpctr.exe:*:Enabled:Remote Assistance - Windows Messenger and Voice"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\ \Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Ena bled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Progra m Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Ya hoo! FT Server"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe:*:Enabled:hpqste08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe:*:Enabled:hpofxm08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe:*:Enabled:hposfx08.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe:*:Enabled:hposid01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe:*:Enabled:hpqscnvw.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe:*:Enabled:hpqkygrp.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe:*:Enabled:hpqcopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe:*:Enabled:hpfccopy.exe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe:*:Enabled:hpzwiz01.exe"
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"="C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe:*:Enabled:hpqphunl.e xe"
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"="C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe:*:Enabled:hpoews01.exe"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer .exe:*:Enabled:Windows Explorer"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\servic es\sharedaccess\parameters\firewallpolicy\domainpr ofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\syste m32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
Remaining Files:
---------------
File Backups: - C:\DOCUME~1\ADMINI~1\Desktop\SDFix\backups\backups .zip
Files with Hidden Attributes:
Wed 26 Oct 2005 4,348 A..H. --- "C:\My Music\License Backup\drmv1key.bak"
Tue 29 Aug 2006 401 A..H. --- "C:\My Music\License Backup\drmv1lic.bak"
Sat 18 Feb 2006 400 A.SH. --- "C:\My Music\License Backup\drmv2key.bak"
Wed 26 Oct 2005 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 26 Oct 2005 401 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv19.bak"
Fri 15 Dec 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 30 Nov 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\19938f3d 235fc96f3e6aaed1e5e7a74c\BIT12.tmp"
Finished!

Combofix Log

ComboFix 07-12-18.1 - Administrator 2007-12-18 18:56:56.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.143 [GMT 0:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\internet explorer\msimg32.dll
C:\WINDOWS\system32\clbcatexf.dll
C:\WINDOWS\system32\drivers\tlzxlskl.dat
C:\WINDOWS\system32\dsoundl.dll
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\Tasks.\At1.job
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_AFEBECBQ
-------\LEGACY_POOF
-------\LEGACY_WLIPOBUR
-------\afebecbq
-------\wlipobur

((((((((((((((((((((((((( Files Created from 2007-11-18 to 2007-12-18 )))))))))))))))))))))))))))))))
.
2007-12-18 18:10 . 2007-12-18 18:10 <DIR> d-------- C:\WINDOWS\ERUNT
2007-12-16 23:09 . 2007-12-16 23:09 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Uniblue
2007-12-16 22:51 . 2007-12-16 22:51 12,297,985 -----c--- C:\AVG7QT.DAT
2007-12-16 22:35 . 2007-12-16 22:35 244 --ah-c--- C:\sqmnoopt00.sqm
2007-12-16 22:35 . 2007-12-16 22:35 232 --ah-c--- C:\sqmdata00.sqm
2007-12-16 22:34 . 2007-12-16 22:34 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-12-16 22:34 . 2007-12-16 22:51 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-12-16 22:18 . 2007-12-17 18:12 <DIR> d-------- C:\Program Files\RogueRemover FREE
2007-12-16 20:43 . 2007-12-16 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-12-16 20:43 . 2007-12-16 20:43 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-12-16 20:43 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-16 18:25 . 2007-12-16 18:25 <DIR> d----c--- C:\Documents and Settings\Administrator\Application Data\AdwareAlert
2007-12-16 15:14 . 2007-12-16 22:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2007-12-16 15:03 . 2007-12-16 15:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-14 00:15 . 2007-12-14 00:14 502,368 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-12-14 00:15 . 2007-12-14 00:14 274,432 --a------ C:\WINDOWS\system32\imon.dll
2007-12-13 21:03 . 2007-08-01 22:47 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-12-13 19:38 . 2007-12-13 21:18 <DIR> d----c--- C:\Documents and Settings\Administrator\.housecall6.6
2007-12-09 13:10 . 2007-12-09 13:10 1,188,375 --a------ C:\WINDOWS\system32\libeay32.dll
2007-12-09 13:10 . 2007-12-09 13:10 741,632 --a------ C:\WINDOWS\system32\iqgykyaa.dat
2007-12-09 13:10 . 2007-12-09 13:10 246,545 --a------ C:\WINDOWS\system32\libssl32.dll
2007-12-09 13:10 . 2007-12-09 13:10 119,552 --a------ C:\WINDOWS\system32\ykwdkmmd.dat
2007-12-09 13:10 . 2007-12-09 13:10 42,240 --a------ C:\WINDOWS\system32\emnfzyvj.dat
2007-12-09 13:10 . 2007-12-09 13:10 36,096 --a------ C:\WINDOWS\system32\ummdeqvk.dat
2007-12-09 13:10 . 2007-12-09 13:10 35,072 --a------ C:\WINDOWS\system32\zrsghjgh.dat
2007-12-09 13:02 . 2004-08-04 07:56 84,992 --a--c--- C:\WINDOWS\system32\dsoundl.dll.bak
2007-12-03 20:06 . 2004-08-04 08:56 159,232 --a------ C:\WINDOWS\system32\ptpusd.dll
2007-12-03 20:06 . 2001-08-17 22:36 5,632 --a------ C:\WINDOWS\system32\ptpusb.dll
2007-11-30 19:14 . 2007-10-10 23:55 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-30 19:14 . 2007-04-17 09:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-30 19:14 . 2007-03-08 05:10 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-30 19:14 . 2007-10-10 23:55 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-30 19:14 . 2007-10-10 23:55 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-30 19:14 . 2007-10-10 23:55 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-30 19:14 . 2007-10-10 23:55 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-30 19:14 . 2007-10-10 23:55 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-30 19:14 . 2007-10-10 10:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-30 18:52 . 2007-11-30 18:52 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-11-30 18:46 . 2006-08-21 09:14 128,896 -----c--- C:\WINDOWS\system32\dllcache\fltmgr.sys
2007-11-30 18:46 . 2006-08-21 09:14 23,040 -----c--- C:\WINDOWS\system32\dllcache\fltmc.exe
2007-11-30 18:46 . 2006-08-21 12:21 16,896 -----c--- C:\WINDOWS\system32\dllcache\fltlib.dll
2007-11-30 18:42 . 2007-11-30 18:42 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-11-30 18:31 . 2007-07-09 13:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-11-30 18:11 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-30 18:11 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-11-30 18:06 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
2007-11-30 18:06 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
2007-11-30 18:06 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
2007-11-30 18:06 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
2007-11-30 18:01 . 2007-11-30 18:01 704 --a------ C:\WINDOWS\Shortcut to Microsoft Windows XP Genuine Advantage Validation.lnk
2007-11-29 19:00 . 2007-11-29 19:00 <DIR> d-------- C:\Program Files\CCleaner
2007-11-29 18:18 . 2007-04-03 18:21 2,308 --a------ C:\WINDOWS\Microsoft Windows XP Genuine Advantage Validation.reg
2007-11-20 20:52 . 2005-08-30 17:59 94,000 --a------ C:\WINDOWS\system32\drivers\ss_mdm.sys
2007-11-20 20:52 . 2005-08-30 17:57 58,320 --a------ C:\WINDOWS\system32\drivers\ss_bus.sys
2007-11-20 20:52 . 2005-08-30 17:58 8,304 --a------ C:\WINDOWS\system32\drivers\ss_mdfl.sys
2007-11-20 20:52 . 2005-08-30 17:58 6,144 --a------ C:\WINDOWS\system32\drivers\ss_cmnt.sys
2007-11-20 20:52 . 2005-08-30 17:58 6,144 --a------ C:\WINDOWS\system32\drivers\ss_cm.sys
2007-11-20 20:52 . 2005-08-30 17:57 5,808 --a------ C:\WINDOWS\system32\drivers\ss_whnt.sys
2007-11-20 20:52 . 2005-08-30 17:57 5,808 --a------ C:\WINDOWS\system32\drivers\ss_wh.sys
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))) ))
.
2007-12-16 19:38 --------- d-----w C:\Program Files\Lavasoft
2007-12-16 16:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-29 19:00 --------- d-----w C:\Program Files\Yahoo!
2007-11-25 10:36 --------- d-----w C:\Program Files\RegVac Registry Cleaner
2007-11-20 20:55 --------- dc----w C:\Documents and Settings\Administrator\Application Data\Samsung
2007-11-20 20:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-20 20:52 --------- d-----w C:\Program Files\Samsung
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 22:11 --------- d-----w C:\Program Files\Thomson
2007-11-07 21:27 --------- d-----w C:\Program Files\Orange
2007-11-07 18:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Bluetooth
2007-10-31 20:57 --------- d-----w C:\Program Files\Sony
2007-10-20 10:31 --------- d-----w C:\Program Files\HP
2007-10-20 10:31 --------- d-----w C:\Program Files\Common Files\HP
2007-10-18 17:03 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2007-07-01 14:43 19,000 -c--a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Curre ntVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Curr entVersion\Run]
"Cmaudio"="RunDll32 cmicnfg.cpl" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 07:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-12-28 09:01 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RunDLL32.exe" [2004-08-04 07:56 C:\WINDOWS\system32\rundll32.exe]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-29 12:16]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\I SUSPM.exe" [2004-08-09 05:03]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-08-09 05:03]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 13:42]
"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 11:38]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-12-14 00:14]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc. exe" [2007-12-16 22:50]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\Cur rentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 07:56]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgw. exe" [2007-12-16 22:50]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BlueSoleil.lnk - C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe [2007-11-07 17:49:57]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]
[HKEY_CURRENT_USER\software\microsoft\windows\curre ntversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
2001-08-06 18:03 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\services]
2007-09-26 13:42 267064 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YeppStudioAgent]
2005-08-30 17:21 40960 --a------ C:\Program Files\Samsung\Samsung Media Studio\SamsungMediaStudioAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RegVacService"=3 (0x3)
"iPod Service"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
R2 CdaD10BA;CdaD10BA;C:\WINDOWS\system32\drivers\CdaD 10BA.SYS [2007-01-21 14:29]
S3 BTNetFilter;Bluetooth Network Filter;C:\WINDOWS\system32\drivers\BTNetFilter.sys [2004-12-16 16:32]
S3 s3m;s3m;C:\WINDOWS\system32\DRIVERS\s3m.sys [2001-08-17 12:50]
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 17:57]
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 17:58]
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 17:59]
S3 wanusb;Fujitsu USB ADSL WAN Modem;C:\WINDOWS\system32\DRIVERS\gwausb.sys []
.
Contents of the 'Scheduled Tasks' folder
"2007-12-16 18:25:12 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2007-11-21 17:56:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-16 18:33:00 C:\WINDOWS\Tasks\WebReg psc 1500 series.job"
- C:\Program Files\HP\Digital Imaging\bin\hpqwrg.exe
.
************************************************** ************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-18 19:07:23
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
************************************************** ************************
.
Completion time: 2007-12-18 19:11:01 - machine was rebooted
.
2007-12-11 20:38:04 --- E O F ---
HTJ Log to follow

**chrisleech11** · #7 18th Dec 2007

New HJT Log (Looks alot better)

HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:23:25, on 18/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: Port Monster.LNK = C:\Program Files\Zing Software\Port Monster\pm.exe
O4 - Startup: services.lnk = ?
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/...oUploader3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1196445892705
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn...tDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1196446231492
O17 - HKLM\System\CCS\Services\Tcpip\..\{F4AA6754-7EFA-4385-948A-1B893576E14C}: NameServer = 195.92.195.94 195.92.195.95
O23 - Service: Autodata Limited License Service - Autodata Limited - C:\Program Files\Common Files\Autodata Limited Shared\Service\ADCDLicSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - http://home.as-netz.de/herbert.fisch...-welpen-09.jpg
--
End of file - 8922 bytes

Many Thanks, Chris

**evilfantasy** · #8 18th Dec 2007

You are running two antivirus, this is unnecessary and can cause problems. Pick one and uninstall the other.

--------------------

Delete these files/folders, as follows:

* Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

Folder::
C:sqmnoopt00.sqm
C:sqmdata00.sqm

File::
C:WINDOWSsystem32iqgykyaa.dat
C:WINDOWSsystem32ykwdkmmd.dat
C:WINDOWSsystem32emnfzyvj.dat
C:WINDOWSsystem32ummdeqvk.dat
C:WINDOWSsystem32zrsghjgh.dat
C:WINDOWSsystem32dsoundl.dll.bak

* Save this as CFScript on the desktop.
* Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!

* ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang

--------------------

Open hijackThis and click Do a system scan only then place a check mark next to:

O4 - Startup: services.lnk = ?
O4 - Global Startup: BlueSoleil.lnk = ?

Next click Fix checked

--------------------

Download SUPERAntispyware Free Edition (SAS)

Double-click the icon on your desktop to run the installer.
When asked to Update the program definitions, click Yes
Next click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure only the following are checked:
- Close browsers before scanning
- Scan for tracking cookies
- Terminate memory threats before quarantining
- Please leave the others unchecked.
- Click the Close button to leave the control center screen.
Click the Close button to leave the control center screen.
On the main screen click Scan your computer
On the left check C:\Fixed D