
Solved help removing backsma

Discussion in 'Malware and Virus Removal Archive' started by hanqba1, 2008/06/21.

  1. 2008/06/21
    hanqba1

    [Resolved] help removing backsma

    I am running on XP and my anti-virus tells me I have a trojan called backsma but cannot remove it. If I remove or delete it, it keeps coming back. Also, it will not let me turn on my Windows updater. I am only a beginner, so I hope someone will help me. Thanks.
     
  2. 2008/06/21
    noahdfear

    Welcome to WindowsBBS hanqba1 :)

    Please read this topic, install the latest version of HijackThis, run a scan and save the log (you can close it for now). Then, download and run Deckard's System Scanner and post BOTH the main.txt and extra.txt logs. You may be required to put them in separate posts due to character count limitations.
     
  4. 2008/06/22
    hanqba1

    Hijack log, thanks for help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:05:26, on 22/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virgin Broadband\PCguard\Fws.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Virgin Broadband\PCguard\Rps.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: (no name) - {507b6c0e-eb65-440a-ba6f-5e7e3988a921} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {507b6c0e-eb65-440a-ba6f-5e7e3988a921} - (no file)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe "
    O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [142dd08b] rundll32.exe "C:\WINDOWS\system32\leishult.dll ",b
    O4 - HKLM\..\Run: [BM171ee317] Rundll32.exe "C:\WINDOWS\system32\xmdntmpr.dll ",s
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    O4 - HKCU\..\Run: [TrustedAntivirus] C:\Program Files\TrustedAntivirus\pgs.exe /min
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm102YYGB
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.1837online.com/downloads/windows/DjVuControl_en_US.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Hotel%20Mahjong/Images/stg_drm.ocx
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/MotivePreQual.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Hotel%20Mahjong/Images/armhelper.ocx
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
    O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://games-uk.pogo.com/online2/pogo/mahjong_escape_ancient/PTGameLauncher.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
    O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe

    --
    End of file - 9753 bytes
     
  5. 2008/06/22
    hanqba1

    Here is Deckard's log, hope it is right, thanks.

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 5 Restore Point(s) --
    15: 2008-06-22 16:28:32 UTC - RP772 - Deckard's System Scanner Restore Point
    14: 2008-06-22 06:30:16 UTC - RP771 - Removed ErrorSmart
    13: 2008-06-22 05:45:17 UTC - RP770 - Last known good configuration
    12: 2008-06-22 05:44:30 UTC - RP769 - Removed Windows Live Toolbar
    11: 2008-06-22 05:44:28 UTC - RP768 - Removed Google Toolbar for Internet Explorer


    -- First Restore Point --
    1: 2008-06-22 05:43:48 UTC - RP758 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 254 MiB (512 MiB recommended).


    -- HijackThis (run as joyce hanquinioux.exe) -----------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 17:33:08, on 22/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virgin Broadband\PCguard\Fws.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Virgin Broadband\PCguard\Rps.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\joyce hanquinioux\Local Settings\Temporary Internet Files\Content.IE5\GLICK82T\dss[1].exe
    C:\PROGRA~1\TRENDM~1\HIJACK~1\joyce hanquinioux.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by blueyonder
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: (no name) - {507b6c0e-eb65-440a-ba6f-5e7e3988a921} - (no file)
    O2 - BHO: (no name) - {514A5C49-0C7D-42c3-A71B-38864A269B7A} - C:\WINDOWS\system32\uknmcpbn.dll
    O2 - BHO: (no name) - {67DCE4A1-D523-47F8-8E1A-30156D245A41} - C:\WINDOWS\system32\geBtTJAS.dll
    O2 - BHO: {16d413fb-3492-00b9-6304-3ebb8dd6f58a} - {a85f6dd8-bbe3-4036-9b00-2943bf314d61} - C:\WINDOWS\system32\nopbivsj.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {507b6c0e-eb65-440a-ba6f-5e7e3988a921} - (no file)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe "
    O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKLM\..\Run: [BM171ee317] Rundll32.exe "C:\WINDOWS\system32\hpdsnlrb.dll ",s
    O4 - HKLM\..\Run: [142dd08b] rundll32.exe "C:\WINDOWS\system32\rpickouh.dll ",b
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    O4 - HKCU\..\Run: [TrustedAntivirus] C:\Program Files\TrustedAntivirus\pgs.exe /min
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm102YYGB
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.1837online.com/downloads/windows/DjVuControl_en_US.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Hotel%20Mahjong/Images/stg_drm.ocx
    O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/MotivePreQual.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Hotel%20Mahjong/Images/armhelper.ocx
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
    O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://games-uk.pogo.com/online2/pogo/mahjong_escape_ancient/PTGameLauncher.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
    O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe

    --
    End of file - 10104 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    R1 StarOpen - c:\windows\system32\drivers\staropen.sys
    R3 DSproct - c:\program files\dellsupport\gtaction\triggers\dsproct.sys <Not Verified; Gteko Ltd.; processt>

    S3 SymIM (Symantec Network Security Intermediate Filter Service) - c:\windows\system32\drivers\symim.sys (file missing)
    S3 SymIMMP - c:\windows\system32\drivers\symim.sys (file missing)


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
    R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>


    -- Device Manager: Disabled ----------------------------------------------------

    No disabled devices found.


    -- Scheduled Tasks -------------------------------------------------------------

    2008-06-20 19:10:18 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    2008-06-17 16:51:54 426 --a------ C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
    2008-06-16 21:51:06 520 --a------ C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job


    -- Files created between 2008-05-22 and 2008-06-22 -----------------------------

    2008-06-22 17:14:12 86528 --a------ C:\WINDOWS\system32\rpickouh.dll
    2008-06-22 17:11:26 101888 --a------ C:\WINDOWS\system32\nopbivsj.dll
    2008-06-22 17:11:09 92160 --a------ C:\WINDOWS\system32\uknmcpbn.dll
    2008-06-22 17:08:09 95232 --a------ C:\WINDOWS\system32\hpdsnlrb.dll
    2008-06-22 17:03:44 0 d-------- C:\Program Files\Trend Micro
    2008-06-22 07:14:14 0 d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
    2008-06-21 17:13:55 101888 --a------ C:\WINDOWS\system32\vofyktmm.dll
    2008-06-21 17:10:27 86528 -----n--- C:\WINDOWS\system32\leishult.dll
    2008-06-21 17:07:17 94208 --a------ C:\WINDOWS\system32\xmdntmpr.dll
    2008-06-21 16:55:27 0 d-------- C:\WINDOWS\SxsCaPendDel
    2008-06-20 20:20:14 0 d--hs---- C:\TrustedAntivirus
    2008-06-20 20:16:40 0 d-------- C:\Documents and Settings\joyce hanquinioux\Application Data\TrustedAntivirus
    2008-06-20 20:15:47 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
    2008-06-20 20:02:42 0 d-------- C:\Program Files\Common Files\TrustedAntivirus
    2008-06-20 20:02:41 0 d-------- C:\Program Files\TrustedAntivirus
    2008-06-20 17:38:32 0 d-------- C:\Program Files\AntiSpywareExpert
    2008-06-20 17:12:12 101888 --a------ C:\WINDOWS\system32\llvwhvaq.dll
    2008-06-17 20:09:06 0 d-------- C:\WINDOWS\Prefetch
    2008-06-17 19:18:30 0 d-------- C:\WINDOWS\system32\scripting
    2008-06-17 19:18:28 0 d-------- C:\WINDOWS\l2schemas
    2008-06-17 19:18:26 0 d-------- C:\WINDOWS\system32\en
    2008-06-17 19:18:25 0 d-------- C:\WINDOWS\system32\bits
    2008-06-17 18:58:28 1845248 --a------ C:\WINDOWS\system32\win32k.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
    2008-06-17 18:45:56 0 d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-06-17 18:36:34 0 d-------- C:\ae0ca8aced70bfd6e7d8cfb0691562
    2008-06-17 07:07:30 0 d-------- C:\Documents and Settings\joyce hanquinioux\Application Data\ErrorSmart
    2008-06-16 18:32:06 0 d-------- C:\Documents and Settings\joyce hanquinioux\Application Data\AXPDefender
    2008-06-16 17:46:34 0 d-------- C:\VundoFix Backups
    2008-06-16 00:34:06 0 d-------- C:\Documents and Settings\joyce hanquinioux\Application Data\AdwareAlert
    2008-06-15 20:27:30 0 d-------- C:\Documents and Settings\joyce hanquinioux\.housecall6.6
    2008-06-15 19:53:44 0 d-------- C:\Program Files\Common Files\Oberon Media
    2008-06-15 19:53:34 0 d-------- C:\Program Files\Symantec
    2008-06-15 19:53:32 0 d-------- C:\Program Files\bigmaq
    2008-06-15 19:53:25 0 d-------- C:\New Folder
    2008-06-07 17:37:25 0 d-------- C:\Program Files\Conduit
    2008-06-07 17:37:16 656597 --ahs---- C:\WINDOWS\system32\SAJTtBeg.ini2
    2008-06-07 17:37:09 281088 --a------ C:\WINDOWS\system32\geBtTJAS.dll


    -- Find3M Report ---------------------------------------------------------------

    2008-06-22 07:44:03 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-06-22 07:09:33 0 d-------- C:\Program Files\Common Files
    2008-06-21 18:06:54 0 d-------- C:\Documents and Settings\joyce hanquinioux\Application Data\Symantec
    2008-06-21 07:52:40 0 d-------- C:\Program Files\Windows Live Toolbar
    2008-06-21 07:44:56 0 d-------- C:\Program Files\Google
    2008-06-17 19:54:43 0 d-------- C:\Program Files\Messenger
    2008-06-17 19:50:44 0 d-------- C:\Program Files\Windows NT
    2008-06-17 19:50:38 0 d-------- C:\Program Files\Movie Maker
    2008-06-17 00:46:20 0 d-------- C:\Program Files\MyWebSearch
    2008-06-15 20:25:45 0 d-------- C:\Program Files\Common Files\Adobe
    2008-06-14 20:06:11 0 d-------- C:\Program Files\Virgin Media Games
    2008-06-13 21:08:54 0 d-------- C:\Program Files\Common Files\Scanner


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{514A5C49-0C7D-42c3-A71B-38864A269B7A}]
    22/06/2008 17:11 92160 --a------ C:\WINDOWS\system32\uknmcpbn.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{67DCE4A1-D523-47F8-8E1A-30156D245A41}]
    07/06/2008 17:37 281088 --a------ C:\WINDOWS\system32\geBtTJAS.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a85f6dd8-bbe3-4036-9b00-2943bf314d61}]
    22/06/2008 17:11 101888 --a------ C:\WINDOWS\system32\nopbivsj.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP "= "C:\Program Files\Analog Devices\Core\smax4pnp.exe" [14/10/2004 19:42]
    "SunJavaUpdateSched "= "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [19/11/2003 17:48]
    "igfxtray "= "C:\WINDOWS\system32\igfxtray.exe" [20/09/2005 10:35]
    "igfxhkcmd "= "C:\WINDOWS\system32\hkcmd.exe" [20/09/2005 10:32]
    "igfxpers "= "C:\WINDOWS\system32\igfxpers.exe" [20/09/2005 10:36]
    "RecoverFromReboot "= "C:\WINDOWS\Temp\RecoverFromReboot.exe" []
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [14/09/2007 20:04]
    "Broadbandadvisor.exe "= "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [07/08/2007 19:49]
    "PCguard "= "C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [05/09/2007 15:10]
    "-FreedomNeedsReboot "= "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [05/09/2007 15:10]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [01/02/2008 00:13]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 14:10]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
    "BM171ee317 "= "C:\WINDOWS\system32\hpdsnlrb.dll" [22/06/2008 17:08]
    "142dd08b "= "C:\WINDOWS\system32\rpickouh.dll" [22/06/2008 17:14]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport "= "C:\Program Files\DellSupport\DSAgnt.exe" [15/03/2007 11:09]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 05:00]
    "AdobeUpdater "= "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [01/03/2007 10:37]
    "TrustedAntivirus "= "C:\Program Files\TrustedAntivirus\pgs.exe" []

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [29/08/2005 12:04:20]
    dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [01/09/2005 15:18:07]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages "= msv1_0 C:\WINDOWS\system32\geBtTJAS
    "Notification Packages "= scecli

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    eapsvcs eaphost
    dot3svc dot3svc




    -- End of Deckard's System Scanner: finished at 2008-06-22 17:39:15 ------------

     
  6. 2008/06/22
    noahdfear

    You've got a number of infections there. First download Malwarebytes' Anti-Malware (MBAM) from here or here and save the file to your desktop.

    Double click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
    • The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    Then, download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable real-time protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in another reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  7. 2008/06/22
    hanqba1

    hanqba1 Inactive Thread Starter

    Joined:
    2008/06/21
    Messages:
    93
    Likes Received:
    0
    Here is my MBAM log:

    Malwarebytes' Anti-Malware 1.18
    Database version: 878

    21:10:48 22/06/2008
    mbam-log-6-22-2008 (21-10-48).txt

    Scan type: Quick Scan
    Objects scanned: 50547
    Time elapsed: 29 minute(s), 1 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 1
    Registry Keys Infected: 22
    Registry Values Infected: 5
    Registry Data Items Infected: 2
    Folders Infected: 44
    Files Infected: 81

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    C:\WINDOWS\system32\geBtTJAS.dll (Trojan.Vundo) -> Unloaded module successfully.

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{0896a6d5-3d19-4638-a62b-dde26ed45083} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{0896a6d5-3d19-4638-a62b-dde26ed45083} (Trojan.Vundo) -> Delete on reboot.
    HKEY_CLASSES_ROOT\CLSID\{514a5c49-0c7d-42c3-a71b-38864a269b7a} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{514a5c49-0c7d-42c3-a71b-38864a269b7a} (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{a4730ebe-43a6-443e-9776-36915d323ad3} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\ugac (Rogue.PCSecureSystem) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\FocusInteractive (Adware.MyWebSearch) -> Quarantined and deleted successfully.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\142dd08b (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{00a6faf6-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM171ee317 (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\gebttjas -> Delete on reboot.
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\gebttjas -> Delete on reboot.

    Folders Infected:
    C:\Program Files\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\History (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\ScreenSaver\Images (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\FunWebProducts\Shared (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\Common Files\TrustedAntivirus (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Config (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Dat (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\AWBase (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\AWBase\database (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\PGBase (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\UpDate (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Graphics (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\LA (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Tools (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Up (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Up\Download (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\TrustedAntivirus (Rogue.TrustedProtection) -> Quarantined and deleted successfully.
    C:\TrustedAntivirus\AVQuar (Rogue.TrustedProtection) -> Quarantined and deleted successfully.
    C:\Program Files\AntiSpywareExpert (Rogue.AntiSpywareExpert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AdwareAlert (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AdwareAlert\Log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AdwareAlert\Settings (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\TrustedAntivirus (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\TrustedAntivirus\Logs (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\TrustedAntivirus (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AXPDefender\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AXPDefender\AXPDefender\Quarantine (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKCU (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKCU\RunOnce (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKLM (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKLM\RunOnce (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\StartMenuAllUsers (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\StartMenuCurrentUser (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AXPDefender\AXPDefender\Quarantine\BrowserObjects (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AXPDefender\AXPDefender\Quarantine\Packages (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.

    Files Infected:
    C:\WINDOWS\system32\geBtTJAS.dll (Trojan.Vundo) -> Delete on reboot.
    C:\WINDOWS\system32\SAJTtBeg.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\SAJTtBeg.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\rpickouh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\huokcipr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\uknmcpbn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\History\search2 (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\setting2.htm (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\settings.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\al.dat (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\FWSettings.bin (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\history.db (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\main.log (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\ResErrors.log (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\scnkrnl.dll (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\settings.ini (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\sr.log (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\unins000.dat (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Config\pgs.xml (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Dat\Activate.dat (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Dat\bnlink.dat (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Dat\cd.dat (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Dat\incmp.dat (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Dat\index.dat (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Dat\pv.dat (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\AWBase\vbpv.dat (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\AWBase\database\enemies.dat (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\BORLNDMM.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\SCANADWR.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\SCANBCDR.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\SCANDLDR.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\SCANDOS1.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\SCANEMUL.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\SCANFUNC.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\SCANMCR1.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\SCANOTHR.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\SCANSCR.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\SCANTOOL.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\SCANTROJ.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\SCANWIN1.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\UNMIME.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\UNPACKS.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\UNPACKS2.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\UNPEPACK.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\vbpv.dat (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\UpDate\UA27601.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\UpDate\UA27602.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\UpDate\UA27603.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\UpDate\UA27604.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Engines\plugins\UpDate\UADAILY.DLL (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Graphics\cross.gif (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Graphics\ga6p.gif (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Graphics\kb.url (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Graphics\main.ico (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Graphics\mini.ico (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Graphics\Online.url (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Graphics\rm.url (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Graphics\support.ico (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Graphics\Support.url (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Graphics\uninstall.ico (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\LA\lapv.dat (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\LA\License.rtf (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Up\ASupdater.dat (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Up\PGupdater.dat (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Up\UBupdater.dat (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Up\up.dat (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Program Files\TrustedAntivirus\Up\updater.dat (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AdwareAlert\rs.dat (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AdwareAlert\Log\2008 Jun 16 - 08_00_46 PM_015.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AdwareAlert\Log\2008 Jun 16 - 08_13_03 PM_359.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AdwareAlert\Log\2008 Jun 16 - 09_50_59 PM_468.log (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\AdwareAlert\Settings\ScanResults.pie (Rogue.AdwareAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\TrustedAntivirus\Logs\threats.log (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Documents and Settings\joyce hanquinioux\Application Data\TrustedAntivirus\Logs\update.log (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\TrustedAntivirus\Contact Customer Support.lnk (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\TrustedAntivirus\TrustedAntivirus.lnk (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Start Menu\Programs\TrustedAntivirus\Uninstall TrustedAntivirus.lnk (Rogue.TrustedAntivirus) -> Quarantined and deleted successfully.
    C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\hpdsnlrb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.
     
  8. 2008/06/22
    hanqba1

    hanqba1 Inactive Thread Starter

    Joined:
    2008/06/21
    Messages:
    93
    Likes Received:
    0
    Here is the ComboFix log:

    ComboFix 08-06-20.4 - joyce hanquinioux 2008-06-22 22:13:44.1 - NTFSx86
    Running from: C:\Documents and Settings\joyce hanquinioux\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\BM171ee317.xml
    C:\WINDOWS\pskt.ini
    C:\WINDOWS\system32\geBtTJAS.dll
    C:\WINDOWS\system32\hqqpmeic.ini
    C:\WINDOWS\system32\jidiiqls.ini
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\MSINET.oca
    C:\WINDOWS\system32\rientcht.ini
    C:\WINDOWS\system32\SAJTtBeg.ini
    C:\WINDOWS\system32\SAJTtBeg.ini2
    C:\WINDOWS\system32\tluhsiel.ini

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_DHLP


    ((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
    .

    2008-06-22 20:34 . 2008-06-22 20:34 <DIR> d-------- C:\Documents and Settings\george hanquinioux\Application Data\Malwarebytes
    2008-06-22 18:26 . 2008-06-22 18:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-22 18:26 . 2008-06-22 18:26 <DIR> d-------- C:\Documents and Settings\joyce hanquinioux\Application Data\Malwarebytes
    2008-06-22 18:26 . 2008-06-22 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-22 18:26 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-22 18:26 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-22 17:27 . 2008-06-22 17:27 <DIR> d-------- C:\Deckard
    2008-06-22 17:11 . 2008-06-22 17:11 101,888 --a------ C:\WINDOWS\system32\nopbivsj.dll
    2008-06-22 17:03 . 2008-06-22 17:03 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-22 07:14 . 2008-06-22 07:14 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
    2008-06-21 17:13 . 2008-06-21 17:13 101,888 --a------ C:\WINDOWS\system32\vofyktmm.dll
    2008-06-21 17:07 . 2008-06-21 17:07 94,208 --a------ C:\WINDOWS\system32\xmdntmpr.dll
    2008-06-21 16:55 . 2008-06-21 17:00 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2008-06-20 20:15 . 2008-06-20 20:15 <DIR> dr------- C:\Documents and Settings\All Users\Application Data\SalesMon
    2008-06-20 18:29 . 2008-06-15 20:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-06-20 17:12 . 2008-06-20 17:12 101,888 --a------ C:\WINDOWS\system32\llvwhvaq.dll
    2008-06-17 20:13 . 2008-06-17 20:13 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
    2008-06-17 20:13 . 2008-06-17 20:13 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
    2008-06-17 19:18 . 2008-06-17 19:18 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-06-17 19:18 . 2008-06-17 19:18 <DIR> d-------- C:\WINDOWS\system32\en
    2008-06-17 19:18 . 2008-06-17 19:26 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-06-17 19:18 . 2008-06-17 19:25 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-06-17 19:07 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
    2008-06-17 19:04 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\002988_.tmp
    2008-06-17 19:00 . 2004-08-04 00:56 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
    2008-06-17 18:59 . 2007-04-18 17:12 2,854,400 --a------ C:\WINDOWS\system32\msi.dll
    2008-06-17 18:45 . 2008-06-17 18:49 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-06-17 18:36 . 2008-06-17 18:44 <DIR> d-------- C:\ae0ca8aced70bfd6e7d8cfb0691562
    2008-06-17 07:07 . 2008-06-17 07:14 <DIR> d-------- C:\Documents and Settings\joyce hanquinioux\Application Data\ErrorSmart
    2008-06-16 17:46 . 2008-06-16 17:46 <DIR> d-------- C:\VundoFix Backups
    2008-06-15 20:27 . 2008-06-16 00:20 <DIR> d-------- C:\Documents and Settings\joyce hanquinioux\.housecall6.6
    2008-06-15 19:53 . 2008-06-22 07:14 <DIR> d-------- C:\Program Files\Symantec
    2008-06-15 19:53 . 2008-06-15 19:54 <DIR> d-------- C:\Program Files\Common Files\Oberon Media
    2008-06-15 19:53 . 2008-06-15 19:54 <DIR> d-------- C:\Program Files\bigmaq
    2008-06-15 19:53 . 2008-06-15 19:53 <DIR> d-------- C:\New Folder
    2008-06-07 17:37 . 2008-06-07 17:37 <DIR> d-------- C:\Program Files\Conduit

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-22 06:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-06-22 06:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-06-21 17:06 --------- d-----w C:\Documents and Settings\joyce hanquinioux\Application Data\Symantec
    2008-06-21 06:52 --------- d-----w C:\Program Files\Windows Live Toolbar
    2008-06-21 06:44 --------- d-----w C:\Program Files\Google
    2008-06-16 18:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-06-15 19:25 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-06-14 19:06 --------- d-----w C:\Program Files\Virgin Media Games
    2008-06-13 20:08 --------- d-----w C:\Program Files\Common Files\Scanner
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a85f6dd8-bbe3-4036-9b00-2943bf314d61}]
    2008-06-22 17:11 101888 --a------ C:\WINDOWS\system32\nopbivsj.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
    "AdobeUpdater"="C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]
    "TrustedAntivirus"="C:\Program Files\TrustedAntivirus\pgs.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 19:42 1404928]
    "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-14 20:04 185632]
    "Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 19:49 2061552]
    "PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 15:10 310000]
    "-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 15:10 13552]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-08-29 12:04:20 24576]
    dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-09-01 15:18:07 315392]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "AntiVirusOverride"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\MSN Messenger\\livecall.exe"=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe [2004-08-04 05:00]
    S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 18:57]
    S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 18:58]
    S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 18:59]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-16 20:51:06 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
    - C:\Program Files\AdwareAlert\AdwareAlert.ex
    - C:\Program Files\AdwareAlert
    "2008-06-20 18:10:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2008-06-17 15:51:54 C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job"
    - C:\Program Files\ErrorSmart\ErrorSmart.ex
    - C:\Program Files\ErrorSmart
    - C:\Program Files\ErrorSmart
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-22 22:28:06
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Virgin Broadband\PCguard\Fws.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
    C:\Program Files\Virgin Broadband\PCguard\rpsupdaterr.exe
    .
    **************************************************************************
    .
    Completion time: 2008-06-22 22:47:05 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-06-22 21:45:26

    Pre-Run: 19,327,041,536 bytes free
    Post-Run: 19,342,479,360 bytes free

    168 --- E O F --- 2008-06-07 11:40:47
     
  9. 2008/06/22
    hanqba1

    hanqba1 Inactive Thread Starter

    Joined:
    2008/06/21
    Messages:
    93
    Likes Received:
    0
    Here is my HijackThis log. Have no problems while sending this, so it seems to have worked. Thanks.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:59:35, on 22/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virgin Broadband\PCguard\Fws.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Virgin Broadband\PCguard\Rps.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
    C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: (no name) - {507b6c0e-eb65-440a-ba6f-5e7e3988a921} - (no file)
    O2 - BHO: {16d413fb-3492-00b9-6304-3ebb8dd6f58a} - {a85f6dd8-bbe3-4036-9b00-2943bf314d61} - C:\WINDOWS\system32\nopbivsj.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: (no name) - {507b6c0e-eb65-440a-ba6f-5e7e3988a921} - (no file)
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
    O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    O4 - HKCU\..\Run: [TrustedAntivirus] C:\Program Files\TrustedAntivirus\pgs.exe /min
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm102YYGB
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.1837online.com/downloads/windows/DjVuControl_en_US.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Hotel%20Mahjong/Images/stg_drm.ocx
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/MotivePreQual.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Hotel%20Mahjong/Images/armhelper.ocx
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
    O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://games-uk.pogo.com/online2/pogo/mahjong_escape_ancient/PTGameLauncher.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
    O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe

    --
    End of file - 9231 bytes
    for all your help.
     
  10. 2008/06/22
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    
    http://www.windowsbbs.com/showthread.php?t=74509
    
    Collect::
    C:\WINDOWS\system32\nopbivsj.dll
    C:\WINDOWS\system32\vofyktmm.dll
    C:\WINDOWS\system32\xmdntmpr.dll
    C:\WINDOWS\system32\llvwhvaq.dll
    File::
    C:\WINDOWS\002988_.tmp
    C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
    C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
    Folder::
    C:\Documents and Settings\joyce hanquinioux\Application Data\ErrorSmart
    C:\Documents and Settings\All Users\Application Data\SalesMon
    DirLook::
    C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
    C:\WINDOWS\system32\scripting
    C:\WINDOWS\system32\en
    C:\WINDOWS\system32\bits
    C:\WINDOWS\l2schemas
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a85f6dd8-bbe3-4036-9b00-2943bf314d61}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "TrustedAntivirus"=-
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar]
    "{507b6c0e-eb65-440a-ba6f-5e7e3988a921}"=-
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


    Please note that I have instructed CFScript to collect some files. This means that at some point, likely after reboot when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created on your desktop. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send. This will assist the author in adding the files for removal in future updates. Thanks!
     
  11. 2008/06/23
    hanqba1

    hanqba1 Inactive Thread Starter

    Joined:
    2008/06/21
    Messages:
    93
    Likes Received:
    0
    Hi, have sent file. Here is my ComboFix log:
    ComboFix 08-06-20.4 - joyce hanquinioux 2008-06-23 14:05:26.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.68 [GMT 1:00]
    Running from: C:\Documents and Settings\joyce hanquinioux\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\joyce hanquinioux\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\002988_.tmp
    C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
    C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data\SalesMon
    C:\Documents and Settings\joyce hanquinioux\Application Data\ErrorSmart
    C:\Documents and Settings\joyce hanquinioux\Application Data\ErrorSmart\Log\2008 Jun 22 - 06_33_37 AM_140.log
    C:\Documents and Settings\joyce hanquinioux\Application Data\ErrorSmart\Registry Backups\2008-06-17_07-14-40.reg
    C:\Documents and Settings\joyce hanquinioux\Application Data\ErrorSmart\Registry Backups\2008-06-17_18-00-26.reg
    C:\Documents and Settings\joyce hanquinioux\Application Data\ErrorSmart\Registry Backups\2008-06-20_18-09-21.reg
    C:\Documents and Settings\joyce hanquinioux\Local Settings\Temporary Internet Files\temp.cab
    C:\Documents and Settings\joyce hanquinioux\ResErrors.log
    C:\WINDOWS\002988_.tmp
    C:\WINDOWS\system32\llvwhvaq.dll
    C:\WINDOWS\system32\nopbivsj.dll
    C:\WINDOWS\system32\vofyktmm.dll
    C:\WINDOWS\system32\xmdntmpr.dll
    C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job
    C:\WINDOWS\Tasks\ErrorSmart Scheduled Scan.job

    .
    ((((((((((((((((((((((((( Files Created from 2008-05-23 to 2008-06-23 )))))))))))))))))))))))))))))))
    .

    2008-06-22 20:34 . 2008-06-22 20:34 <DIR> d-------- C:\Documents and Settings\george hanquinioux\Application Data\Malwarebytes
    2008-06-22 18:26 . 2008-06-22 18:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-06-22 18:26 . 2008-06-22 18:26 <DIR> d-------- C:\Documents and Settings\joyce hanquinioux\Application Data\Malwarebytes
    2008-06-22 18:26 . 2008-06-22 18:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-06-22 18:26 . 2008-06-19 17:48 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
    2008-06-22 18:26 . 2008-06-19 17:47 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-06-22 17:27 . 2008-06-22 17:27 <DIR> d-------- C:\Deckard
    2008-06-22 17:03 . 2008-06-22 17:03 <DIR> d-------- C:\Program Files\Trend Micro
    2008-06-22 07:14 . 2008-06-22 07:14 <DIR> d-------- C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP
    2008-06-21 16:55 . 2008-06-21 17:00 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2008-06-20 18:29 . 2008-06-15 20:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2008-06-17 20:13 . 2008-06-17 20:13 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
    2008-06-17 20:13 . 2008-06-17 20:13 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
    2008-06-17 19:18 . 2008-06-17 19:18 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-06-17 19:18 . 2008-06-17 19:18 <DIR> d-------- C:\WINDOWS\system32\en
    2008-06-17 19:18 . 2008-06-17 19:26 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-06-17 19:18 . 2008-06-17 19:25 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-06-17 19:07 . 2007-08-10 20:46 33,656 --a------ C:\WINDOWS\system32\sprecovr.exe
    2008-06-17 19:00 . 2004-08-04 00:56 4,274,816 --a------ C:\WINDOWS\system32\nv4_disp.dll
    2008-06-17 18:59 . 2007-04-18 17:12 2,854,400 --a------ C:\WINDOWS\system32\msi.dll
    2008-06-17 18:45 . 2008-06-17 18:49 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
    2008-06-17 18:36 . 2008-06-17 18:44 <DIR> d-------- C:\ae0ca8aced70bfd6e7d8cfb0691562
    2008-06-16 17:46 . 2008-06-16 17:46 <DIR> d-------- C:\VundoFix Backups
    2008-06-15 20:27 . 2008-06-16 00:20 <DIR> d-------- C:\Documents and Settings\joyce hanquinioux\.housecall6.6
    2008-06-15 19:53 . 2008-06-22 07:14 <DIR> d-------- C:\Program Files\Symantec
    2008-06-15 19:53 . 2008-06-15 19:54 <DIR> d-------- C:\Program Files\Common Files\Oberon Media
    2008-06-15 19:53 . 2008-06-15 19:54 <DIR> d-------- C:\Program Files\bigmaq
    2008-06-15 19:53 . 2008-06-15 19:53 <DIR> d-------- C:\New Folder
    2008-06-07 17:37 . 2008-06-07 17:37 <DIR> d-------- C:\Program Files\Conduit

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-06-22 06:44 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-06-22 06:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-06-21 17:06 --------- d-----w C:\Documents and Settings\joyce hanquinioux\Application Data\Symantec
    2008-06-21 06:52 --------- d-----w C:\Program Files\Windows Live Toolbar
    2008-06-21 06:44 --------- d-----w C:\Program Files\Google
    2008-06-16 18:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-06-15 19:25 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-06-14 19:06 --------- d-----w C:\Program Files\Virgin Media Games
    2008-06-13 20:08 --------- d-----w C:\Program Files\Common Files\Scanner
    2008-04-14 04:42 7,680 ----a-w C:\WINDOWS\system32\spdwnwxp.exe
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
    2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\dllcache\msjint40.dll
    .

    (((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .

    ---- Directory of C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP ----

    2008-06-22 07:14 22016 --a------ C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP\WiseCustomCall.dll

    ---- Directory of C:\WINDOWS\l2schemas ----


    ---- Directory of C:\WINDOWS\system32\bits ----


    ---- Directory of C:\WINDOWS\system32\en ----


    ---- Directory of C:\WINDOWS\system32\scripting ----



    ((((((((((((((((((((((((((((( snapshot@2008-06-22_22.44.21.46 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-01-19 20:55:20 88,776 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.InfoPath.Xml\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.InfoPath.Xml.dll
    + 2008-06-22 23:44:00 91,488 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.InfoPath.Xml\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.InfoPath.Xml.dll
    - 2007-01-19 20:55:18 101,064 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.InfoPath\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.InfoPath.dll
    + 2008-06-22 23:43:58 103,776 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.InfoPath\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.InfoPath.dll
    - 2005-09-06 12:43:44 64,088 -c--a-w C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
    + 2008-06-22 23:43:14 66,936 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
    - 2005-09-06 12:43:43 223,800 -c--a-w C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
    + 2008-06-22 23:43:06 226,656 ----a-w C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
    - 2008-06-22 21:26:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2008-06-23 12:55:11 2,048 --s-a-w C:\WINDOWS\bootstat.dat
    + 2003-07-14 21:57:34 38,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\AUTHZAX.DLL
    + 2003-07-14 21:53:06 94,768 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\AW.DLL
    + 2003-07-14 21:56:54 14,904 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\DSITF.DLL
    + 2003-07-14 21:57:14 98,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\DSSM.EXE
    + 2003-07-14 21:41:44 13,368 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FINDER.EXE
    + 2002-10-07 09:49:36 192,573 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FORM.DLL
    + 2003-07-14 21:40:12 179,768 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FPERSON.DLL
    + 2003-07-14 21:40:12 165,944 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\FPLACE.DLL
    + 2003-07-14 21:45:14 58,944 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\INLAUNCH.DLL
    + 2003-06-18 16:31:10 252,928 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MDIINK.DLL
    + 2003-07-14 21:51:44 87,104 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSENCODE.DLL
    + 2003-07-14 21:52:52 17,464 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSMH.DLL
    + 2003-07-14 21:57:16 120,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOAUTH.DLL
    + 2003-07-14 21:52:52 27,704 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSODCW.DLL
    + 2003-07-14 21:52:56 55,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOHTMED.EXE
    + 2003-07-11 01:15:48 1,292,872 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSONSEXT.DLL
    + 2003-07-15 02:18:52 376,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSORUN.DLL
    + 2003-07-14 21:52:54 28,224 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOSTYLE.DLL
    + 2003-07-14 21:52:52 35,896 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOSV.DLL
    + 2003-07-14 21:53:20 39,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOSVFBR.DLL
    + 2003-07-14 21:46:16 42,040 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOXEV.DLL
    + 2003-07-14 21:45:12 55,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOXMLED.EXE
    + 2003-07-14 21:45:12 39,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSOXMLMF.DLL
    + 2003-06-18 17:31:54 788,480 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSPFILT.DLL
    + 2003-06-18 16:31:50 16,384 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSPGIMME.DLL
    + 2003-06-19 16:05:52 128,104 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSPSCAN.EXE
    + 2003-06-19 15:05:50 364,648 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSPVIEW.EXE
    + 2003-07-14 21:52:58 41,528 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSSH.DLL
    + 2003-07-14 22:00:54 145,984 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\MSWEBCAP.DLL
    + 2003-07-14 21:57:10 56,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\NAME.DLL
    + 2003-07-14 21:56:52 13,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\NPOFFICE.DLL
    + 2003-06-18 17:31:58 6,144 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OCRPS.DLL
    + 2005-09-06 12:43:43 223,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OFFICE.DLL
    + 2003-07-15 02:14:26 242,240 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OISGRAPH.DLL
    + 2003-07-14 22:05:24 1,054,264 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OMFC.DLL
    + 2003-07-14 21:44:34 102,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OUTLCTL.DLL
    + 2003-07-14 21:43:16 49,208 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OUTLWAB.DLL
    + 2003-07-15 02:18:44 93,752 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\PP7X32.DLL
    + 2002-10-07 10:11:00 167,997 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\PSOM.DLL
    + 2003-07-14 21:40:16 51,256 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\PUBTRAP.DLL
    + 2003-05-08 20:54:00 77,824 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\REFEDIT.DLL
    + 2003-07-14 21:57:08 40,512 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\REFIEBAR.DLL
    + 2002-10-07 09:49:42 81,984 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\REVERSE.DLL
    + 2003-07-21 10:46:38 390,712 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\RTFHTML.DLL
    + 2003-07-14 21:44:16 66,616 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\SENDTO.DLL
    + 2003-07-14 21:57:08 58,944 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\SEQCHK10.DLL
    + 2003-07-14 21:53:14 11,848 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\SMARTTAGINSTALL.EXE
    + 2002-10-07 09:53:04 106,561 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\THOCRAPI.DLL
    + 2002-10-07 09:50:44 241,729 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\TWCUTCHR.DLL
    + 2002-10-07 09:51:04 180,289 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\TWCUTLIN.DLL
    + 2002-10-07 09:51:14 147,520 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\TWLAY32.DLL
    + 2002-10-07 09:51:20 102,467 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\TWORIENT.DLL
    + 2002-10-07 09:50:04 118,847 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\TWRECE.DLL
    + 2002-10-07 09:49:56 81,983 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\TWRECS.DLL
    + 2002-10-07 09:51:44 221,252 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\TWSTRUCT.DLL
    + 2005-09-06 12:43:44 64,088 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\VBIDEPIA.DLL
    + 2002-10-07 10:03:34 1,794,113 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\XIMAGE3B.DLL
    + 2003-04-30 11:52:32 1,581,120 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\XPAGE3C.DLL
    + 2003-01-17 14:03:34 59,466 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\XSCAN32.DAT
    + 2001-06-05 08:13:22 289,926 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\ENGDIC.DAT
    + 2001-06-05 08:13:22 34,168 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\ENGIDX.DAT
    + 2001-06-05 08:13:24 18,844 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\JFONT.DAT
    + 2001-06-05 08:13:26 65,536 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\LOOKUP.DAT
    + 2005-05-04 00:06:28 465,640 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\MSDMENG.DLL
    + 2005-05-04 00:06:32 1,411,816 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\MSDMINE.DLL
    + 2005-05-04 00:06:26 199,408 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\MSMDUN80.DLL
    + 2001-10-23 00:13:42 53,260 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OCRHC.DAT
    + 2001-06-05 08:13:26 40,972 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.8173\OCRVC.DAT
    - 2008-05-15 16:09:18 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
    + 2008-06-22 23:44:26 593,920 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
    - 2008-05-15 16:09:18 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2008-06-22 23:44:26 12,288 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2008-05-15 16:09:18 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
    + 2008-06-22 23:44:26 86,016 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
    - 2008-05-15 16:09:18 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2008-06-22 23:44:25 135,168 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
    - 2008-05-15 16:09:18 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2008-06-22 23:44:26 11,264 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    - 2008-05-15 16:09:18 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2008-06-22 23:44:26 27,136 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2008-05-15 16:09:18 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2008-06-22 23:44:26 4,096 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    - 2008-05-15 16:09:18 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2008-06-22 23:44:26 794,624 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    - 2008-05-15 16:09:18 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2008-06-22 23:44:26 249,856 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2008-05-15 16:09:18 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    + 2008-06-22 23:44:25 61,440 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    - 2008-05-15 16:09:18 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2008-06-22 23:44:26 23,040 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2008-05-15 16:09:18 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2008-06-22 23:44:25 286,720 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2008-05-15 16:09:18 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2008-06-22 23:44:25 409,600 ----a-r C:\WINDOWS\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2004-07-15 00:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2932\_aspnet_isapi.dll
    + 2004-07-14 23:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2932\_CORPerfMonExt.dll
    + 2004-07-14 23:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2932\_fusion.dll
    + 2004-07-14 23:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2932\_mscorjit.dll
    + 2004-07-15 13:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2932\_mscorlib.dll
    + 2003-02-20 18:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2932\_mscorsn.dll
    + 2008-01-29 09:32:18 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2932\_mscorsvr.dll
    + 2004-07-14 23:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2932\_mscorwks.dll
    + 2003-02-21 03:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2932\_msvcr71.dll
    + 2004-07-14 23:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW2932\_PerfCounter.dll
    + 2004-07-15 00:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3484\_aspnet_isapi.dll
    + 2004-07-14 23:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3484\_CORPerfMonExt.dll
    + 2004-07-14 23:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3484\_fusion.dll
    + 2004-07-14 23:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3484\_mscorjit.dll
    + 2004-07-15 13:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3484\_mscorlib.dll
    + 2003-02-20 18:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3484\_mscorsn.dll
    + 2008-01-29 09:32:18 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3484\_mscorsvr.dll
    + 2004-07-14 23:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3484\_mscorwks.dll
    + 2003-02-21 03:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3484\_msvcr71.dll
    + 2004-07-14 23:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3484\_PerfCounter.dll
    + 2004-07-15 00:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW572\_aspnet_isapi.dll
    + 2004-07-14 23:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW572\_CORPerfMonExt.dll
    + 2004-07-14 23:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW572\_fusion.dll
    + 2004-07-14 23:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW572\_mscorjit.dll
    + 2004-07-15 13:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW572\_mscorlib.dll
    + 2003-02-20 18:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW572\_mscorsn.dll
    + 2008-01-29 09:32:18 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW572\_mscorsvr.dll
    + 2004-07-14 23:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW572\_mscorwks.dll
    + 2003-02-21 03:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW572\_msvcr71.dll
    + 2004-07-14 23:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW572\_PerfCounter.dll
    + 2008-06-23 12:31:40 5,598 ----a-w C:\WINDOWS\SoftwareDistribution\EventCache\{2F02D2D2-FFAC-4AB6-A38B-F41AECD39951}.bin
    - 2005-03-17 14:39:58 1,146,320 ----a-w C:\WINDOWS\system32\FM20.DLL
    + 2007-06-06 09:53:34 1,195,888 ----a-w C:\WINDOWS\system32\FM20.DLL
    - 2003-07-14 21:57:04 32,584 ----a-w C:\WINDOWS\system32\FM20ENU.DLL
    + 2007-03-22 18:17:04 35,440 ----a-w C:\WINDOWS\system32\FM20ENU.DLL
    - 2008-06-17 18:30:17 198,552 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    + 2008-06-23 07:05:21 198,552 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
    - 2004-03-22 15:17:06 24,816 ----a-w C:\WINDOWS\system32\mdimon.dll
    + 2007-04-09 12:23:54 28,040 ----a-w C:\WINDOWS\system32\mdimon.dll
    - 2004-03-22 15:17:04 765,680 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdigraph.dll
    + 2007-04-09 12:24:04 758,664 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdigraph.dll
    - 2004-03-22 15:17:10 42,224 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdiui.dll
    + 2007-04-09 12:23:58 46,472 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\mdiui.dll
    - 2004-03-22 15:17:04 765,680 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdigraph.dll
    + 2007-04-09 12:24:04 758,664 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdigraph.dll
    - 2004-03-22 15:17:10 42,224 -c--a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdiui.dll
    + 2007-04-09 12:23:58 46,472 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\mdiui.dll
    - 2004-03-22 15:17:08 25,840 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    + 2007-04-09 12:23:54 28,552 ----a-w C:\WINDOWS\system32\spool\prtprocs\w32x86\mdippr.dll
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DellSupport "= "C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00 15360]
    "AdobeUpdater "= "C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 10:37 2321600]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMAXPnP "= "C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 19:42 1404928]
    "SunJavaUpdateSched "= "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48 32881]
    "igfxtray "= "C:\WINDOWS\system32\igfxtray.exe" [2005-09-20 10:35 94208]
    "igfxhkcmd "= "C:\WINDOWS\system32\hkcmd.exe" [2005-09-20 10:32 77824]
    "igfxpers "= "C:\WINDOWS\system32\igfxpers.exe" [2005-09-20 10:36 114688]
    "TkBellExe "= "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-14 20:04 185632]
    "Broadbandadvisor.exe "= "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 19:49 2061552]
    "PCguard "= "C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 15:10 310000]
    "-FreedomNeedsReboot "= "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 15:10 13552]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-02-01 00:13 385024]
    "iTunesHelper "= "C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
    "Adobe Reader Speed Launcher "= "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:00 15360]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-08-29 12:04:20 24576]
    dlbcserv.lnk - C:\Program Files\Dell Photo Printer 720\dlbcserv.exe [2005-09-01 15:18:07 315392]

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001
    "AntiVirusOverride "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\Messenger\\msmsgs.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\MSN Messenger\\livecall.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=

    S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe [2004-08-04 05:00]
    S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys [2005-08-30 18:57]
    S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys [2005-08-30 18:58]
    S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys [2005-08-30 18:59]

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-06-20 18:10:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job "
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-06-23 14:09:48
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-06-23 14:17:18
    ComboFix-quarantined-files.txt 2008-06-23 13:16:19
    ComboFix2.txt 2008-06-22 21:47:09

    Pre-Run: 18,726,985,728 bytes free
    Post-Run: 18,729,938,944 bytes free

    314 --- E O F --- 2008-06-23 07:24:27
     
  12. 2008/06/23
    hanqba1

    hanqba1 Inactive Thread Starter

    Joined:
    2008/06/21
    Messages:
    93
    Likes Received:
    0
    Here is my HijackThis file.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:57:19, on 23/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virgin Broadband\PCguard\Fws.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Virgin Broadband\PCguard\Rps.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    C:\Program Files\internet explorer\iexplore.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: (no name) - {507b6c0e-eb65-440a-ba6f-5e7e3988a921} - (no file)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe "
    O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm102YYGB
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.1837online.com/downloads/windows/DjVuControl_en_US.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Hotel%20Mahjong/Images/stg_drm.ocx
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/MotivePreQual.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Hotel%20Mahjong/Images/armhelper.ocx
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
    O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://games-uk.pogo.com/online2/pogo/mahjong_escape_ancient/PTGameLauncher.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
    O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe

    --
    End of file - 9162 bytes
     
  13. 2008/06/23
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks good. Scan again with HijackThis and place a check next to the following entry then click Fix Checked.

    R3 - URLSearchHook: (no name) - {507b6c0e-eb65-440a-ba6f-5e7e3988a921} - (no file)

    Close HijackThis.


    Navigate to C:\WINDOWS\E80F62FF5D3C4A1984099721F2928206.TMP and right click the file WiseCustomCall.dll, then select Properties. See if you can find any company and/or version information. It appears to possibly be a Lavasoft (Ad-aware) file.


    Next, download ATF Cleaner by Atribune and save it to your Desktop.
    • Double click ATF-Cleaner.exe to run the program.
    • Check the boxes to the left of:

      • Windows Temp
      • Current User Temp
      • All Users Temp
      • Temporary Internet Files
      • Prefetch
      • Java Cache
      • Recycle bin

    • The rest are optional - if you want it to remove everything check "Select All".
    • Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.
    Reboot

    Finally, please do an online scan with Kaspersky Online Scanner

    Click Accept, when prompted to download and install the program files and database of malware definitions.
    • Click Run at the Security prompt.
    • The program will then begin downloading and installing and will also update the database.
    • Please be patient as this can take several minutes.
    • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
    • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
    • Click View scan report at the bottom.
    • Click the Save Report As... button.
    • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
    **Note**

    To optimize scanning time and produce a more sensible report for review:
    • Close any open programs.
    • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
    Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


    Post the Kaspersky log and one more fresh HijackThis log.
    Let me know how your computer is behaving.
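    The steps above come down to reading a HijackThis log for entries that point at a missing file, that load an ActiveX control from a local path, or whose service binary carries no company name (the information you are asked to look up under Properties). The script below is an added example for this thread, not code from HijackThis or from any tool mentioned here; the sample log is constructed from the entry types that appear in the logs posted above, and the three heuristics are assumptions about what merits a second look, not a verdict that an entry is malicious.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread, not part of HijackThis or any tool mentioned
in it. It flags the kinds of entries a helper asks about: hooks that point
at a file that no longer exists, ActiveX (O16) download points that load
from a local path, and services whose binary carries no publisher name.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# A HijackThis entry starts with a section code (R0, O4, O16, O23, ...)
# followed by " - "; process-list lines and headers do not match.
LINE_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding when the line deserves a second look, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # header, process list, blank line, or free text
    sec, body = m.group("sec"), m.group("body")
    if "(no file)" in body:
        # Orphaned entry: the registry still references a binary that is gone.
        return Finding(sec, line.strip(), "references a missing file (orphaned entry)")
    if sec == "O16" and "file:///" in body:
        # Downloaded Program Files entry pointing at a local .ocx rather than a web host.
        return Finding(sec, line.strip(), "ActiveX control loaded from a local path")
    if sec == "O23" and "Unknown owner" in body:
        # No company name in the binary's version info; worth checking Properties.
        return Finding(sec, line.strip(), "service binary has no publisher information")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over every line of a log and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        f = triage_line(raw)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample, assembled from the entry types seen in this thread's logs.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R3 - URLSearchHook: (no name) - {507b6c0e-eb65-440a-ba6f-5e7e3988a921} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Hotel%20Mahjong/Images/stg_drm.ocx
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

    Run it against a saved log by reading the file into `triage()`; each Finding is only a prompt to inspect the entry (check the file's Properties, look the path up, or ask the helper), exactly as the post above does with the R3 line. A legitimate entry such as a vendor service with a known publisher passes through untouched.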
     
  14. 2008/06/24
    hanqba1

    hanqba1 Inactive Thread Starter

    Joined:
    2008/06/21
    Messages:
    93
    Likes Received:
    0
    Computer seems alright but Kaspersky report shows Trojan Win32 Monder. No information on the WiseCustomCall file; all it said was:
    application extension
    unknown application
    Here's my Kaspersky report:
    KASPERSKY ONLINE SCANNER 7 REPORT
    Tuesday, June 24, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Tuesday, June 24, 2008 17:28:04
    Records in database: 881342
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\

    Scan statistics:
    Files scanned: 66147
    Threat name: 2
    Infected objects: 4
    Suspicious objects: 0
    Duration of the scan: 01:49:09


    File name / Threat name / Threats count
    C:\Deckard\System Scanner\backup\DOCUME~1\JOYCEH~1\LOCALS~1\Temp\ICD1.tmp\UGA6P_0001_N122M2802NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au 1
    C:\Deckard\System Scanner\backup\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2802NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au 1
    C:\Documents and Settings\joyce hanquinioux\.housecall6.6\Quarantine\geBtTJAS.dll.bac_a02308 Infected: Trojan.Win32.Monder.gen 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\geBtTJAS.dll.vir Infected: Trojan.Win32.Monder.gen 1

    The selected area was scanned.
     
  15. 2008/06/24
    hanqba1

    hanqba1 Inactive Thread Starter

    Joined:
    2008/06/21
    Messages:
    93
    Likes Received:
    0
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 20:43:10, on 24/06/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16640)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Virgin Broadband\PCguard\Fws.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Virgin Broadband\PCguard\Rps.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
    C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://v4.windowsupdate.microsoft.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe "
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe "
    O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe "
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
    O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm102YYGB
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.1837online.com/downloads/windows/DjVuControl_en_US.cab
    O16 - DPF: {149E45D8-163E-4189-86FC-45022AB2B6C9} (SpinTop DRM Control) - file:///C:/Program%20Files/Hotel%20Mahjong/Images/stg_drm.ocx
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcinsctl/en-us/4,0,0,84/mcinsctl.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {B7D07999-2ADB-4AEB-997E-F61CB7B2E2CD} (TSEasyInstallX Control) - http://www.trendsecure.com/easy_install/_activex/en-US/TSEasyInstallX.CAB
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.av.aolsvc.co.uk/molbin/shared/mcgdmgr/en-us/1,0,0,21/mcgdmgr.cab
    O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
    O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest.co.uk/motive/files/MotivePreQual.cab
    O16 - DPF: {CC450D71-CC90-424C-8638-1F2DBAC87A54} (ArmHelper Control) - file:///C:/Program%20Files/Hotel%20Mahjong/Images/armhelper.ocx
    O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712...amai.com/6712/player/install3.5/installer.exe
    O16 - DPF: {EF148DBB-5B6D-4130-B2A1-661571E86260} (Playtime Games Launcher) - http://games-uk.pogo.com/online2/pogo/mahjong_escape_ancient/PTGameLauncher.cab
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
    O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
    O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
    O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe

    --
    End of file - 9444 bytes

    Here is my hijack log.
     
  16. 2008/06/25
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    You're in good shape. One last step to finish up. Click Start>Run and type ComboFix /u then hit Enter to uninstall ComboFix and remove the files it has quarantined. This action will also reset the System Restore points, removing the infected files there as well. The C:\Deckard's folder will also be removed. You can delete any logs that were created/saved too.

    That's it! How's it running now?
     
  17. 2008/06/26
    hanqba1

    hanqba1 Inactive Thread Starter

    Joined:
    2008/06/21
    Messages:
    93
    Likes Received:
    0
    Seems fine, thanks for all your help.
     
  18. 2008/06/27
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
