[Resolved] Win32 TrojanTDSS, uacinit.dll infections
monisb
post Jul 6 2009, 10:17 AM
Post #1
New Member
Group: Authentic Member
Posts: 7
Joined: 6-July 09
Member No.: 86,575
Operating System: windows xp

Hi, I have been infected by Win32 TrojanTDSS and uacinit.dll.

Ad-Aware picks up the Win32TrojanTDSS in the following files and processes: \\?\globalroot\systemroot\system32\uacvudlwwwjuhnoijm.dll, C:\WINDOWS\system32\UACuamwmaltosobqye.dll and C:\WINDOWS\system32\UACvudlwwwjuhnoijm.dll.

I've been able to open up Malwarebytes by renaming it, it finds a trojan, C:\WINDOWS\system32\uacinit.dll (Trojan.Agent), and a rootkit HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace).

Both programs say they will remove the infections on reboot, but all the infections return. I've used AVG 8.5 in safe mode to delete other parts of the infection.

Below is my Malwarebytes log:

06/07/2009 16:57:48
mbam-log-2009-07-06 (16-57-43).txt

Scan type: Quick Scan
Objects scanned: 109677
Time elapsed: 15 minute(s), 32 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Rootkit.Trace) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\uacinit.dll (Trojan.Agent) -> No action taken.

Below is my HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:12:18, on 06/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\ACTIV Software\ACTIVise\CRS\RepSvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\Program Files\Malwarebytes' Anti-Malware\tgfdrj.scr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Lavasoft\Ad-Aware\Ad-Aware.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\BINDI BHAMBRA\Desktop\HJTInstall.exe
C:\Documents and Settings\BINDI BHAMBRA\Desktop\kol.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Internet Explorer\Iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://portal.uwe.ac.uk/proxy.pac
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/binary/MJSS.cab69309.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://lionhart.webex.com/client/T25L/support/ieatgpc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ACTIVdriver Control (ActivDRVcontrol) - ACTIV Software Ltd - C:\Program Files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: ME Repository Service (ME_CRS) - Mastereye LTD - C:\Program Files\ACTIV Software\ACTIVise\CRS\RepSvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10614 bytes


Thank you in advance for your help.
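As an added example, not code from this thread or from HijackThis: the checks a helper does by eye on the logs above, written as a small Python triage script. It parses the HijackThis R/O entry format and flags the O15 Trusted Zone additions, hooks pointing at (no file), the UAC-prefixed random file names and the \\?\globalroot path reported in the first post, and the HKLM\SOFTWARE\UAC key. The sample log text is a constructed subset of the posted log, and the file-name pattern is derived from the names in this thread only.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample in the HijackThis v2 log layout: a subset of the kinds of
# lines in the log posted above, not the complete posted log.
SAMPLE_HJT_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Malwarebytes' Anti-Malware\tgfdrj.scr.exe

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""
# Items the Ad-Aware and Malwarebytes scans in the first post reported, plus
# one benign control entry in each list.
SAMPLE_SCANNER_PATHS = [
    r"\\?\globalroot\systemroot\system32\uacvudlwwwjuhnoijm.dll",
    r"C:\WINDOWS\system32\UACuamwmaltosobqye.dll",
    r"C:\WINDOWS\system32\uacinit.dll",
    r"C:\WINDOWS\system32\igfxtray.exe",
]
SAMPLE_REGISTRY_KEYS = [r"HKEY_LOCAL_MACHINE\SOFTWARE\UAC",
                        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"]

ENTRY_RE = re.compile(r"^([RO]\d+) - (.*)$")
# File naming seen in this thread's logs only: a "UAC" prefix plus a run of
# letters, written to system32 or system32\drivers as dll/sys/db/dat/log
# (uacinit.dll and uactmp.db fit the same shape).
UAC_FILE_RE = re.compile(r"(?i)[\\/]uac[a-z]{3,}\.(?:dll|sys|db|dat|log)$")
# Device-namespace path that hides the real drive letter behind \\?\globalroot.
GLOBALROOT_RE = re.compile(r"(?i)\\\\\?\\globalroot\\")
# The key Malwarebytes reported as Rootkit.Trace in the first post.
UAC_KEY_RE = re.compile(r"(?i)\\software\\uac$")
Finding = Tuple[str, str]  # (reason code, offending text)

def parse_hjt(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a HijackThis log into (running process paths, [(section, body)])."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif in_procs and not line:   # blank line ends the process list
            in_procs = False
        elif in_procs:
            processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                entries.append((m.group(1), m.group(2)))
    return processes, entries

def flag_paths(paths: Iterable[str]) -> List[Finding]:
    """File-name and path-shape checks, usable on any list of paths."""
    findings = []
    for p in paths:
        if GLOBALROOT_RE.search(p):
            findings.append(("globalroot_path", p))
        if UAC_FILE_RE.search(p):
            findings.append(("uac_file_name", p))
    return findings

def flag_registry_keys(keys: Iterable[str]) -> List[Finding]:
    return [("uac_registry_key", k) for k in keys if UAC_KEY_RE.search(k)]

def flag_entries(entries: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Checks on the R*/O* lines: trusted-zone additions and orphaned hooks,
    then the path checks on each entry's body."""
    findings = []
    for section, body in entries:
        if section == "O15":
            # Trusted Zone entries relax IE's security settings for that site;
            # each listed domain should be one the owner added on purpose.
            findings.append(("trusted_zone", body.split("Trusted Zone:", 1)[-1].strip()))
        elif body.endswith("(no file)"):
            # Hook or BHO whose backing file is gone: a leftover registration.
            findings.append(("orphaned_entry", f"{section} - {body}"))
        findings.extend(flag_paths([body]))
    return findings

def analyze(hjt_text: str, scanner_paths: Iterable[str] = (),
            registry_keys: Iterable[str] = ()) -> List[Finding]:
    """All checks over the HJT log plus items reported by other scanners."""
    processes, entries = parse_hjt(hjt_text)
    return (flag_paths(processes) + flag_entries(entries)
            + flag_paths(scanner_paths) + flag_registry_keys(registry_keys))

if __name__ == "__main__":
    for reason, detail in analyze(SAMPLE_HJT_LOG, SAMPLE_SCANNER_PATHS, SAMPLE_REGISTRY_KEYS):
        print(f"[{reason}] {detail}")
```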
Replies (1 - 14)
oldman960
post Jul 6 2009, 11:08 AM
Post #2
SuperHelper
Group: Classroom Teacher
Posts: 5,744
Joined: 27-April 08
Member No.: 78,707
Operating System: win98se, XP pro

Hi, welcome to the forum.

To make cleaning this machine easier
  • Please do not uninstall/install any programs unless asked to
    It is more difficult when files/programs are appearing in/disappearing from the logs.
  • Please do not run any scans other than those requested
  • Please follow all instructions in the order posted
  • All logs/reports, etc. must be posted in Notepad. Please ensure that word wrap is unchecked. In Notepad click Format, uncheck Word Wrap if it is checked.
  • Do not attach any logs/reports, etc. unless specifically requested to do so.
  • If you have problems with or do not understand the instructions, please ask before continuing.
  • Please stay with this thread until given the All Clear. An absence of symptoms does not mean a clean machine.


Please read through these instructions to familiarize yourself with what to expect

It is vitally important that ComboFix is renamed before it even starts to download


Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  • If you are using Firefox, make sure that your download settings are as follows:
    -Tools->Options->Main tab
    -Set to "Always ask me where to Save the files".
  • During the download, rename Combofix to Combo-Fix as follows:






  • It is important you rename Combofix during the download, but not after.
  • Please do not rename Combofix to other names, but only to the one indicated.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix


-----------------------------------------------------------

  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    -----------------------------------------------------------
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.



Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:





Next

Please make an uninstall list
  • Start HijackThis
  • Click the Config button
  • Click the Misc Tools button
  • Click the Open Uninstall Manager button.
  • Click the Save list button and save it to your desktop.
When you press Save, a notepad will open with the contents. Copy/paste the contents of the notepad file in your next reply.



Please post back with the ComboFix log, the uninstall list and a new HJT log.

How's the computer?

Thanks

monisb
post Jul 6 2009, 05:08 PM
Post #3
New Member
Group: Authentic Member
Posts: 7
Joined: 6-July 09
Member No.: 86,575
Operating System: windows xp

Hi,
Here are the lists that you requested; ComboFix was unable to install the Windows Recovery Console.

Combofix:

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning disabled* (Updated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *enabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\Installer\10abd2.msi
c:\windows\Installer\10abd3.msp
c:\windows\Installer\10abd4.msp
c:\windows\Installer\10abd5.msp
c:\windows\Installer\10abd6.msp
c:\windows\Installer\10abd7.msp
c:\windows\Installer\10abd8.msp
c:\windows\Installer\10abd9.msp
c:\windows\Installer\10abda.msp
c:\windows\Installer\10abdb.msp
c:\windows\Installer\10ac89.msi
c:\windows\Installer\10ac8a.msp
c:\windows\Installer\10ac8b.msp
c:\windows\Installer\10ac8c.msp
c:\windows\Installer\10ac8d.msp
c:\windows\Installer\10ac8e.msp
c:\windows\Installer\10ac8f.msp
c:\windows\Installer\10ac90.msp
c:\windows\Installer\10ac91.msp
c:\windows\Installer\10ac92.msp
c:\windows\Installer\cbfd7f.msi
c:\windows\system32\drivers\UACcqswwhkhmapwvnu.sys
c:\windows\system32\Drivers\wpsijm.sys
c:\windows\system32\UACcbtpcrnbtaalvml.log
c:\windows\system32\UACcveidgwkntulqgt.dll
c:\windows\system32\UACelrhaoalxesdgyk.dll
c:\windows\system32\UACgjunkbdaunkrghc.db
c:\windows\system32\uacinit.dll
c:\windows\system32\UACkfrhkaeiryoxwbh.dll
c:\windows\system32\UACktmxkqfeufrvlwg.log
c:\windows\system32\UACkwdylgfkkvgekki.log
c:\windows\system32\UACtcutcphrxddowkr.dll
c:\windows\system32\uactmp.db
c:\windows\system32\UACuamwmaltosobqye.dll
c:\windows\system32\UACuvjmxysjvmoiknx.dat
c:\windows\system32\UACvudlwwwjuhnoijm.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_UACd.sys


((((((((((((((((((((((((( Files Created from 2009-06-06 to 2009-07-06 )))))))))))))))))))))))))))))))
.

2009-07-06 16:11 . 2009-07-06 16:11 -------- dc----w- c:\program files\Trend Micro
2009-07-06 02:19 . 2009-07-06 02:19 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-06 01:54 . 2009-07-06 01:54 -------- dc----w- c:\documents and settings\BINDI BHAMBRA\Application Data\Malwarebytes
2009-07-06 01:17 . 2009-06-17 10:27 38160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-06 01:17 . 2009-07-06 01:54 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-06 01:17 . 2009-07-06 01:17 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-06 01:17 . 2009-06-17 10:27 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-07-05 20:46 . 2009-07-05 20:46 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-07-05 20:42 . 2009-07-05 20:42 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-05 15:22 . 2009-07-05 15:22 -------- dcsh--w- c:\documents and settings\Administrator\PrivacIE
2009-07-05 15:21 . 2009-07-05 15:21 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
2009-07-05 15:17 . 2009-07-05 15:17 -------- dc----w- c:\windows\ie8updates
2009-07-05 14:55 . 2009-07-06 14:39 -------- dc----w- c:\program files\XoftSpySE
2009-07-05 14:34 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-05 14:34 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-05 14:08 . 2009-07-05 14:07 64160 -c--a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-05 14:08 . 2009-07-05 14:08 314712 -c--a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-07-05 14:08 . 2009-07-05 14:08 348496 -c--a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-07-05 14:08 . 2009-07-05 14:08 25440 -c--a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-07-05 14:08 . 2009-07-05 14:08 169312 -c--a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-07-05 14:08 . 2009-07-05 14:08 15688 -c--a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-07-05 14:04 . 2009-07-05 14:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-05 14:04 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-07-05 13:28 . 2009-07-05 13:40 -------- dcsh--w- c:\documents and settings\BINDI BHAMBRA\PrivacIE
2009-07-05 11:25 . 2009-07-05 11:25 -------- dc----w- c:\documents and settings\BINDI BHAMBRA\Local Settings\Application Data\Symantec
2009-07-05 11:25 . 2009-07-05 11:23 83208 -c--a-w- c:\windows\system32\S32EVNT1.DLL
2009-07-05 11:25 . 2009-07-05 11:23 73496 -c--a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-05 11:25 . 2009-07-05 11:25 -------- dc----w- c:\program files\Symantec
2009-07-05 11:25 . 2009-07-05 11:25 -------- dc----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-05 11:25 . 2009-07-05 11:25 -------- dc----w- c:\program files\Common Files\Symantec Shared
2009-07-05 11:25 . 2009-07-05 11:25 -------- dc----w- c:\program files\Symantec_Client_Security
2009-07-05 11:05 . 2009-07-05 16:16 -------- dcsh--w- c:\documents and settings\LocalService\IETldCache
2009-07-04 23:42 . 2009-07-05 13:36 -------- dcsh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-04 23:20 . 2009-07-04 23:23 -------- dc-h--w- c:\windows\ie8
2009-07-04 21:46 . 2009-07-04 21:46 -------- dc----w- c:\documents and settings\BINDI BHAMBRA\Application Data\WinPatrol
2009-07-04 21:46 . 2004-08-10 12:04 0 -c--a-w- c:\documents and settings\BINDI BHAMBRA\Application Data\WinPatrol\Config.sys
2009-07-04 21:46 . 2004-08-10 12:04 0 -c--a-w- c:\documents and settings\BINDI BHAMBRA\Application Data\WinPatrol\Autoexec.bat
2009-07-04 21:46 . 2009-07-04 21:46 -------- dc----w- c:\program files\BillP Studios
2009-07-04 21:44 . 2009-07-04 21:44 -------- dc----w- c:\program files\CleanUp!
2009-07-04 19:06 . 2009-06-14 15:07 1004800 -c--a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-07-04 17:22 . 2009-07-04 17:22 -------- dc----w- c:\documents and settings\BINDI BHAMBRA\Local Settings\Application Data\AVG Security Toolbar
2009-07-04 17:14 . 2009-07-04 17:12 832144 -c--a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-07-04 17:13 . 2009-07-05 13:27 -------- dc----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-04 17:13 . 2009-07-04 17:13 -------- dc----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-30 23:59 . 2009-06-30 23:59 -------- dc--a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-22 17:40 . 2009-06-22 17:40 -------- dc----w- c:\documents and settings\All Users\Application Data\RegCure
2009-06-22 17:40 . 2009-06-22 18:55 -------- dc----w- c:\program files\RegCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-06 22:44 . 2007-10-09 21:37 -------- dc----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-07-05 14:08 . 2007-04-13 14:19 15688 -c--a-w- c:\windows\system32\lsdelete.exe
2009-07-05 14:04 . 2007-06-10 20:33 -------- dc----w- c:\program files\Lavasoft
2009-07-04 23:31 . 2009-07-04 23:31 -------- dc----w- c:\program files\MSBuild
2009-07-04 23:31 . 2009-07-04 23:31 -------- dc----w- c:\program files\Reference Assemblies
2009-07-04 21:49 . 2006-12-09 01:40 -------- dc----w- c:\documents and settings\Guest\Application Data\LimeWire
2009-07-04 17:12 . 2009-05-11 02:05 11952 -c--a-w- c:\windows\system32\avgrsstx.dll
2009-07-04 17:12 . 2009-05-11 02:05 327688 -c--a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-04 17:12 . 2007-02-25 11:37 27784 -c--a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-04 05:49 . 2009-06-04 05:49 390664 -c--a-w- c:\documents and settings\BINDI BHAMBRA\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-30 17:01 . 2009-05-11 02:05 -------- dc----w- c:\documents and settings\BINDI BHAMBRA\Application Data\AVGTOOLBAR
2009-05-13 05:15 . 2004-08-10 11:51 915456 -c--a-w- c:\windows\system32\wininet.dll
2009-05-11 02:05 . 2009-05-11 02:05 108552 -c--a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-11 02:04 . 2009-05-11 02:04 -------- dc----w- c:\program files\AVG
2009-05-11 02:04 . 2009-05-11 02:04 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-07 15:32 . 2004-08-10 11:51 345600 -c--a-w- c:\windows\system32\localspl.dll
2009-05-03 00:44 . 2009-05-03 00:45 410984 -c--a-w- c:\windows\system32\deploytk.dll
2009-05-03 00:37 . 2009-05-03 00:37 152576 -c--a-w- c:\documents and settings\BINDI BHAMBRA\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2004-08-10 11:51 1847168 -c--a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 11:51 585216 -c--a-w- c:\windows\system32\rpcrt4.dll
2008-05-31 02:13 . 2006-08-21 22:11 56 -csh--r- c:\windows\system32\28D49B535A.sys
2008-03-23 10:54 . 2006-05-18 12:46 88 -csh--r- c:\windows\system32\5A539BD428.sys
2008-05-31 02:13 . 2006-05-18 12:46 6580 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 15:07 1004800 -c--a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-03 148888]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-03-08 337216]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\mcupdate.exe" [2006-01-11 212992]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-05 520024]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-04 17:12 11952 -c--a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SMART Board Tools.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SMART Board Tools.lnk
backup=c:\windows\pss\SMART Board Tools.lnkCommon Startup
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\MeSuAx.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12001:UDP"= 12001:UDP:SMART WebServer Handshake Multicast Port

R0 ACTIVdrv;ACTIV Device Pen Driver;c:\windows\system32\drivers\ActivDrv.sys [12/02/2004 17:37 67424]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [05/07/2009 15:08 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/05/2009 03:05 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/05/2009 03:05 108552]
R1 MENET;MENET;c:\windows\system32\drivers\MeNet.sys [28/04/2007 09:33 40960]
R2 ActivDRVcontrol;ACTIVdriver Control;c:\program files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe [18/06/2003 20:40 408064]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/05/2009 03:04 298776]
R2 ddnt;ddnt;c:\windows\system32\drivers\ddnt.sys [24/04/2007 18:50 7072]
R2 ME_CRS;ME Repository Service;c:\program files\ACTIV Software\ACTIVise\CRS\RepSvc.exe [28/04/2007 09:32 176128]
R2 meddconf;meddconf;c:\windows\system32\drivers\meddconf.sys [28/04/2007 09:33 3632]
R2 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies Inc\SMART Board Software\WebServer.exe [19/04/2007 06:42 759312]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [18/03/2009 01:03 92008]
R3 meddmrr;meddmrr;c:\windows\system32\drivers\meddmrr.sys [28/04/2007 09:33 4809]
R3 mekbd;mekbd;c:\windows\system32\drivers\mekbd.sys [28/04/2007 09:33 9919]
R3 memice;memice;c:\windows\system32\drivers\memice.sys [28/04/2007 09:33 8656]
S3 ActivDRV_USB;ActivDRV_USB.Sys USB ACTIVboard;c:\windows\system32\drivers\ActivDRV_USB.sys [20/01/2003 02:14 17232]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1029456]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [06/07/2009 02:17 38160]
S4 meddinit;meddinit;c:\windows\system32\drivers\meddinit.sys [28/04/2007 09:33 7248]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 14:07]

2009-07-04 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (BINDI-BINDI BHAMBRA).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-11 17:18]

2009-07-06 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 15:16]

2009-07-06 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\nio.exe [2009-06-24 18:02]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.co.uk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = www.google.co.uk
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: antimalwareguard.com
Trusted Zone: eteach.com\www
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
FF - ProfilePath - c:\documents and settings\BINDI BHAMBRA\Application Data\Mozilla\Firefox\Profiles\otcuntwf.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\BINDI BHAMBRA\Application Data\Mozilla\Firefox\Profiles\otcuntwf.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-06 23:42
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\sccfg.sys 720 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
Completion time: 2009-07-06 23:46
ComboFix-quarantined-files.txt 2009-07-06 22:46

Pre-Run: 21,391,421,440 bytes free
Post-Run: 21,420,355,584 bytes free

265 --- E O F --- 2009-07-05 15:18

Uninstall list:

4oD
ABBYY FineReader 6.0 Sprint
ACTIVdriver v2.5.6
ACTIVise 5 (Master Module)
ACTIVstudio 2 Professional Edition v2.0.278
ACTIVstudio 2 Resources v2.0.2
ACTIVstudio 2 Student Edition v2.0.262
Ad-Aware
Ad-Aware
Ad-Aware 2007
Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 9 ActiveX
Adobe Flash Player Plugin
Adobe Reader 6.0.1
Apple Software Update
ARTEuro
Avery Wizard 3.1
AVG Free 8.5
BitTorrent 5.0.9
Broadcom Management Programs
Championship Manager 2008
CleanUp!
Compatibility Pack for the 2007 Office system
Conexant HDA D110 MDC V.92 Modem
Critical Update for Windows Media Player 11 (KB959772)
Dell Media Experience
Dell Support 5.0.0 (630)
Digital Line Detect
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DynGate
EPSON Attach To Email
EPSON Copy Utility 3
EPSON Easy Photo Print
EPSON File Manager
EPSON Printer Software
EPSON Scan
EPSON Scan Assistant
EPSON Web-To-Page
ESDX6000_CX5900 User's Guide
Free YouTube to Mp3 Converter version 3.1
Google Earth
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB961118)
ICT skills tests
Intel® Graphics Media Accelerator Driver
Intel® PROSet/Wireless Software
InterActual Player
Internal Network Card Power Management
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 8
Java 2 Runtime Environment, SE v1.4.2_03
Java™ 6 Update 13
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 7
Learn2 Player (Uninstall Only)
LimeWire 4.16.6
Literacy Benchmark Test
LiveUpdate 1.80 (Symantec Corporation)
Logitech QuickCam Software
Logitech® Camera Driver
Malwarebytes' Anti-Malware
MalwareRemovalBot
McAfee Uninstaller
mCore
MCU
mDrWiFi
mHlpDell
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
mIWA
mLogView
mMHouse
Modem Helper
Mozilla Firefox (3.0.11)
MP3 Player Utilities
mPfMgr
mPfWiz
mProSafe
mSSO
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
mWlsSafe
mWMI
mXML
mZConfig
NetWaiting
PIF DESIGNER
PowerDVD 5.7
QTS skills tests - Numeracy Practice Test 1
QuickSet
QuickTime
RealPlayer
RegCure 1.5.2.7
Rivers - Digital Photopack
SAMSUNG CDMA Modem Driver Set
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 8 (KB969897)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB970238)
Shockwave
SMART Board Software
SMART Essentials for Educators
Sonic DLA
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SopCast 2.0.4
Symantec AntiVirus Client
Synaptics Pointing Device Driver
TeamViewer
TomTom HOME 2.6.1.1549
TomTom HOME Visual Studio Merge Modules
TVAnts 1.0
Uninstall 1.0.0.1
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VC80CRTRedist - 8.0.50727.762
Veoh Web Player
Viewpoint Media Player
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
Vodafone 804SS USB driver Software
WebEx
Winamp
Windows Internet Explorer 8
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Firefox Plugin
Windows XP Service Pack 3
WinPatrol 2009
WinRAR archiver
XoftSpySE

Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:00:21, on 07/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\ACTIV Software\ACTIVise\CRS\RepSvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgnsx.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://portal.uwe.ac.uk/proxy.pac
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: McAfee AntiPhishing Filter - {41D68ED8-4CFF-4115-88A6-6EBB8AF19000} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AVG Security Toolbar BHO - {A3BC75A2-1F87-4686-AA43-5347D756017C} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - C:\Program Files\AVG\AVG8\Toolbar\IEToolbar.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [MCUpdateExe] c:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra 'Tools' menuitem: McAfee AntiPhishing Filter - {39FD89BF-D3F1-45b6-BB56-3582CCF489E1} - c:\program files\mcafee\spamkiller\mcapfbho.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/binary/MJSS.cab69309.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://lionhart.webex.com/client/T25L/support/ieatgpc.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ACTIVdriver Control (ActivDRVcontrol) - ACTIV Software Ltd - C:\Program Files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - McAfee Inc. - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: ME Repository Service (ME_CRS) - Mastereye LTD - C:\Program Files\ACTIV Software\ACTIVise\CRS\RepSvc.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MpfService.exe
O23 - Service: McAfee SpamKiller Server (MskService) - McAfee Inc. - C:\PROGRA~1\McAfee\SPAMKI~1\MSKSrvr.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 10015 bytes

Cheers
oldman960
post Jul 6 2009, 07:45 PM
Post #4


SuperHelper

Group: Classroom Teacher
Posts: 5,744
Joined: 27-April 08
Member No.: 78,707
Operating System: win98se, XP pro



Hi monisb,

You currently have 3 antivirus programs installed. This will not give you better protection. Due to conflicts between them it will lead to system slowdowns and possible lockups.

AVG
McAfee
Symantec AntiVirus Client


Please advise me of which one you plan to keep and I'll assist with the removal of the other 2.



QUOTE
combofix was unable to install the windows recovery console.


CODE
FW: McAfee Personal Firewall Plus *enabled*


Your firewall blocked it. We will install the Recovery Console before we continue with the cleaning.



Please follow these instructions for disabling McAfee Antivirus and the Firewall

Open the McAfee Console near the clock

To disable the scanner
  • Click Advanced Menu (lower left)
  • Click Configure (left)
  • Click Computer & Files (upper left)
  • VirusScan can be disabled on the right, and set when it should resume (30 minutes should be sufficient) or you choose Never, and re-enable manually after ComboFix has completed its tasks.
Firewall is disabled from the Internet and Network link on the left.

Please follow all previous instructions regarding security programs.

Double click combofix.exe and follow the prompts.

Please post back with the combofix log.

Thanks

monisb
post Jul 7 2009, 07:26 AM
Post #5


New Member

Group: Authentic Member
Posts: 7
Joined: 6-July 09
Member No.: 86,575
Operating System: windows xp



Hi,

I would like to keep the Symantec antivirus. I've disabled the firewall and installed the recovery console.

New Combofix log:

AV: AVG Anti-Virus Free *On-access scanning disabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: McAfee VirusScan *On-access scanning disabled* (Outdated) {84B5EE75-6421-4CDE-A33A-DD43BA9FAD83}
FW: McAfee Personal Firewall Plus *disabled* {94894B63-8C7F-4050-BDA4-813CA00DA3E8}
.

((((((((((((((((((((((((( Files Created from 2009-06-07 to 2009-07-07 )))))))))))))))))))))))))))))))
.

2009-07-06 16:11 . 2009-07-06 16:11 -------- dc----w- c:\program files\Trend Micro
2009-07-06 02:19 . 2009-07-06 02:19 -------- dc----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-07-06 01:54 . 2009-07-06 01:54 -------- dc----w- c:\documents and settings\BINDI BHAMBRA\Application Data\Malwarebytes
2009-07-06 01:17 . 2009-06-17 10:27 38160 -c--a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-07-06 01:17 . 2009-07-06 01:54 -------- dc----w- c:\program files\Malwarebytes' Anti-Malware
2009-07-06 01:17 . 2009-07-06 01:17 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-07-06 01:17 . 2009-06-17 10:27 19096 -c--a-w- c:\windows\system32\drivers\mbam.sys
2009-07-05 20:46 . 2009-07-05 20:46 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\AVG Security Toolbar
2009-07-05 20:42 . 2009-07-05 20:42 -------- dc----w- c:\documents and settings\Administrator\Local Settings\Application Data\Mozilla
2009-07-05 15:22 . 2009-07-05 15:22 -------- dcsh--w- c:\documents and settings\Administrator\PrivacIE
2009-07-05 15:21 . 2009-07-05 15:21 -------- dcsh--w- c:\documents and settings\Administrator\IETldCache
2009-07-05 15:17 . 2009-07-05 15:17 -------- dc----w- c:\windows\ie8updates
2009-07-05 14:55 . 2009-07-06 14:39 -------- dc----w- c:\program files\XoftSpySE
2009-07-05 14:34 . 2009-04-30 21:22 12800 -c----w- c:\windows\system32\dllcache\xpshims.dll
2009-07-05 14:34 . 2009-04-30 21:22 246272 -c----w- c:\windows\system32\dllcache\ieproxy.dll
2009-07-05 14:08 . 2009-07-05 14:07 64160 -c--a-w- c:\windows\system32\drivers\Lbd.sys
2009-07-05 14:08 . 2009-07-05 14:08 314712 -c--a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-07-05 14:08 . 2009-07-05 14:08 348496 -c--a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-07-05 14:08 . 2009-07-05 14:08 25440 -c--a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-07-05 14:08 . 2009-07-05 14:08 169312 -c--a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-07-05 14:08 . 2009-07-05 14:08 15688 -c--a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-07-05 14:04 . 2009-07-05 14:05 -------- dc-h--w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-07-05 14:04 . 2009-03-12 08:17 2902048 -c--a-w- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe
2009-07-05 13:28 . 2009-07-05 13:40 -------- dcsh--w- c:\documents and settings\BINDI BHAMBRA\PrivacIE
2009-07-05 11:25 . 2009-07-05 11:25 -------- dc----w- c:\documents and settings\BINDI BHAMBRA\Local Settings\Application Data\Symantec
2009-07-05 11:25 . 2009-07-05 11:23 83208 -c--a-w- c:\windows\system32\S32EVNT1.DLL
2009-07-05 11:25 . 2009-07-05 11:23 73496 -c--a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-07-05 11:25 . 2009-07-05 11:25 -------- dc----w- c:\program files\Symantec
2009-07-05 11:25 . 2009-07-05 11:25 -------- dc----w- c:\documents and settings\All Users\Application Data\Symantec
2009-07-05 11:25 . 2009-07-05 11:25 -------- dc----w- c:\program files\Common Files\Symantec Shared
2009-07-05 11:25 . 2009-07-05 11:25 -------- dc----w- c:\program files\Symantec_Client_Security
2009-07-05 11:05 . 2009-07-05 16:16 -------- dcsh--w- c:\documents and settings\LocalService\IETldCache
2009-07-04 23:42 . 2009-07-05 13:36 -------- dcsh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-07-04 23:20 . 2009-07-04 23:23 -------- dc-h--w- c:\windows\ie8
2009-07-04 21:46 . 2009-07-04 21:46 -------- dc----w- c:\documents and settings\BINDI BHAMBRA\Application Data\WinPatrol
2009-07-04 21:46 . 2004-08-10 12:04 0 -c--a-w- c:\documents and settings\BINDI BHAMBRA\Application Data\WinPatrol\Config.sys
2009-07-04 21:46 . 2004-08-10 12:04 0 -c--a-w- c:\documents and settings\BINDI BHAMBRA\Application Data\WinPatrol\Autoexec.bat
2009-07-04 21:46 . 2009-07-04 21:46 -------- dc----w- c:\program files\BillP Studios
2009-07-04 21:44 . 2009-07-04 21:44 -------- dc----w- c:\program files\CleanUp!
2009-07-04 19:06 . 2009-06-14 15:07 1004800 -c--a-w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar\IEToolbar.dll
2009-07-04 17:22 . 2009-07-04 17:22 -------- dc----w- c:\documents and settings\BINDI BHAMBRA\Local Settings\Application Data\AVG Security Toolbar
2009-07-04 17:14 . 2009-07-04 17:12 832144 -c--a-w- c:\documents and settings\All Users\Application Data\avg8\update\backup\AVGToolbarInstall.exe
2009-07-04 17:13 . 2009-07-05 13:27 -------- dc----w- c:\documents and settings\All Users\Application Data\AVG Security Toolbar
2009-07-04 17:13 . 2009-07-04 17:13 -------- dc----w- c:\documents and settings\LocalService\Application Data\AVGTOOLBAR
2009-06-30 23:59 . 2009-06-30 23:59 -------- dc--a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-06-22 17:40 . 2009-06-22 17:40 -------- dc----w- c:\documents and settings\All Users\Application Data\RegCure
2009-06-22 17:40 . 2009-06-22 18:55 -------- dc----w- c:\program files\RegCure

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-07-07 13:05 . 2007-10-09 21:37 -------- dc----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-07-05 14:08 . 2007-04-13 14:19 15688 -c--a-w- c:\windows\system32\lsdelete.exe
2009-07-05 14:04 . 2007-06-10 20:33 -------- dc----w- c:\program files\Lavasoft
2009-07-04 23:31 . 2009-07-04 23:31 -------- dc----w- c:\program files\MSBuild
2009-07-04 23:31 . 2009-07-04 23:31 -------- dc----w- c:\program files\Reference Assemblies
2009-07-04 21:49 . 2006-12-09 01:40 -------- dc----w- c:\documents and settings\Guest\Application Data\LimeWire
2009-07-04 17:12 . 2009-05-11 02:05 11952 -c--a-w- c:\windows\system32\avgrsstx.dll
2009-07-04 17:12 . 2009-05-11 02:05 327688 -c--a-w- c:\windows\system32\drivers\avgldx86.sys
2009-07-04 17:12 . 2007-02-25 11:37 27784 -c--a-w- c:\windows\system32\drivers\avgmfx86.sys
2009-06-04 05:49 . 2009-06-04 05:49 390664 -c--a-w- c:\documents and settings\BINDI BHAMBRA\Application Data\Real\RealPlayer\Update\RealPlayer11.exe
2009-05-30 17:01 . 2009-05-11 02:05 -------- dc----w- c:\documents and settings\BINDI BHAMBRA\Application Data\AVGTOOLBAR
2009-05-13 05:15 . 2004-08-10 11:51 915456 -c--a-w- c:\windows\system32\wininet.dll
2009-05-11 02:05 . 2009-05-11 02:05 108552 -c--a-w- c:\windows\system32\drivers\avgtdix.sys
2009-05-11 02:04 . 2009-05-11 02:04 -------- dc----w- c:\program files\AVG
2009-05-11 02:04 . 2009-05-11 02:04 -------- dc----w- c:\documents and settings\All Users\Application Data\avg8
2009-05-07 15:32 . 2004-08-10 11:51 345600 -c--a-w- c:\windows\system32\localspl.dll
2009-05-03 00:44 . 2009-05-03 00:45 410984 -c--a-w- c:\windows\system32\deploytk.dll
2009-05-03 00:37 . 2009-05-03 00:37 152576 -c--a-w- c:\documents and settings\BINDI BHAMBRA\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-04-17 12:26 . 2004-08-10 11:51 1847168 -c--a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2004-08-10 11:51 585216 -c--a-w- c:\windows\system32\rpcrt4.dll
2008-05-31 02:13 . 2006-08-21 22:11 56 -csh--r- c:\windows\system32\28D49B535A.sys
2008-03-23 10:54 . 2006-05-18 12:46 88 -csh--r- c:\windows\system32\5A539BD428.sys
2008-05-31 02:13 . 2006-05-18 12:46 6580 -csha-w- c:\windows\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3BC75A2-1F87-4686-AA43-5347D756017C}]
2009-06-14 15:07 1004800 -c--a-w- c:\program files\AVG\AVG8\Toolbar\IEToolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2005-12-13 98304]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2005-12-13 77824]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-05-03 148888]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2009-03-08 337216]
"MCUpdateExe"="c:\progra~1\mcafee.com\agent\McUpdate.exe" [2006-01-11 212992]
"vptray"="c:\progra~1\SYMANT~1\SYMANT~1\vptray.exe" [2003-05-21 90112]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-07-05 520024]
"MCAgentExe"="c:\progra~1\mcafee.com\agent\McAgent.exe" [2005-09-22 303104]
"MSKAGENTEXE"="c:\progra~1\mcafee\SPAMKI~1\mskagent.exe" [2005-09-26 110592]
"MPFEXE"="c:\program files\McAfee.com\Personal Firewall\MPFTray.exe" [2005-11-11 1005096]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avgrsstarter]
2009-07-04 17:12 11952 -c--a-w- c:\windows\system32\avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SMART Board Tools.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\SMART Board Tools.lnk
backup=c:\windows\pss\SMART Board Tools.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\MeSuAx.exe"=
"c:\\Program Files\\SopCast\\SopCast.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\TVAnts\\Tvants.exe"=
"c:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Veoh Networks\\VeohWebPlayer\\veohwebplayer.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"c:\\Program Files\\AVG\\AVG8\\avgnsx.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12001:UDP"= 12001:UDP:SMART WebServer Handshake Multicast Port

R0 ACTIVdrv;ACTIV Device Pen Driver;c:\windows\system32\drivers\ActivDrv.sys [12/02/2004 17:37 67424]
R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [05/07/2009 15:08 64160]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\drivers\avgldx86.sys [11/05/2009 03:05 327688]
R1 AvgTdiX;AVG Free8 Network Redirector;c:\windows\system32\drivers\avgtdix.sys [11/05/2009 03:05 108552]
R1 MENET;MENET;c:\windows\system32\drivers\MeNet.sys [28/04/2007 09:33 40960]
R2 ActivDRVcontrol;ACTIVdriver Control;c:\program files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe [18/06/2003 20:40 408064]
R2 avg8wd;AVG Free8 WatchDog;c:\progra~1\AVG\AVG8\avgwdsvc.exe [11/05/2009 03:04 298776]
R2 ddnt;ddnt;c:\windows\system32\drivers\ddnt.sys [24/04/2007 18:50 7072]
R2 ME_CRS;ME Repository Service;c:\program files\ACTIV Software\ACTIVise\CRS\RepSvc.exe [28/04/2007 09:32 176128]
R2 meddconf;meddconf;c:\windows\system32\drivers\meddconf.sys [28/04/2007 09:33 3632]
R2 SMART Web Server;SMART Web Server;c:\program files\SMART Technologies Inc\SMART Board Software\WebServer.exe [19/04/2007 06:42 759312]
R2 TomTomHOMEService;TomTomHOMEService;c:\program files\TomTom HOME 2\TomTomHOMEService.exe [18/03/2009 01:03 92008]
R3 meddmrr;meddmrr;c:\windows\system32\drivers\meddmrr.sys [28/04/2007 09:33 4809]
R3 mekbd;mekbd;c:\windows\system32\drivers\mekbd.sys [28/04/2007 09:33 9919]
R3 memice;memice;c:\windows\system32\drivers\memice.sys [28/04/2007 09:33 8656]
S3 ActivDRV_USB;ActivDRV_USB.Sys USB ACTIVboard;c:\windows\system32\drivers\ActivDRV_USB.sys [20/01/2003 02:14 17232]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 20:06 1029456]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [06/07/2009 02:17 38160]
S4 meddinit;meddinit;c:\windows\system32\drivers\meddinit.sys [28/04/2007 09:33 7248]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-07-05 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 14:07]

2009-07-04 c:\windows\Tasks\McAfee.com Scan for Viruses - My Computer (BINDI-BINDI BHAMBRA).job
- c:\program files\mcafee.com\vso\mcmnhdlr.exe [2006-05-11 17:18]

2009-07-06 c:\windows\Tasks\RegCure Program Check.job
- c:\program files\RegCure\RegCure.exe [2008-12-29 15:16]

2009-07-06 c:\windows\Tasks\XoftSpySE 2.job
- c:\program files\XoftSpySE\nio.exe [2009-06-24 18:02]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.co.uk
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
mStart Page = www.google.co.uk
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
Trusted Zone: antimalwareguard.com
Trusted Zone: eteach.com\www
Trusted Zone: gomyhit.com
Trusted Zone: antimalwareguard.com
Trusted Zone: gomyhit.com
FF - ProfilePath - c:\documents and settings\BINDI BHAMBRA\Application Data\Mozilla\Firefox\Profiles\otcuntwf.default\
FF - prefs.js: browser.startup.homepage - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - component: c:\program files\AVG\AVG8\Firefox\components\avgssff.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils2.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils3.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\IGeared_tavgp_xputils35.dll
FF - component: c:\program files\AVG\AVG8\Toolbar\Firefox\avg@igeared\components\xpavgtbapi.dll
FF - plugin: c:\documents and settings\BINDI BHAMBRA\Application Data\Mozilla\Firefox\Profiles\otcuntwf.default\extensions\moveplayer@movenetworks.com\platform\WINNT_x86-msvc\plugins\npmnqmp07076007.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\NPVeohTVPlugin.dll
FF - plugin: c:\program files\Veoh Networks\VeohWebPlayer\npWebPlayerVideoPluginATL.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA}
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-07 14:05
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
MPFEXE = "c:\program files\McAfee.com\Personal Firewall\MPFTray.exe" [trailing run of unprintable characters omitted]

scanning hidden files ...


c:\windows\TEMP\8152ff08-719c-491b-9aba-6f3fb39a505d.tmp 28529 bytes
C:\sccfg.sys 720 bytes

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2524)
c:\windows\system32\WININET.dll
c:\program files\mcafee\spamkiller\mskoeplg.dll
c:\progra~1\mcafee.com\vso\McVSSkt.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-07-07 14:10
ComboFix-quarantined-files.txt 2009-07-07 13:10
ComboFix2.txt 2009-07-06 22:46

Pre-Run: 21,378,015,232 bytes free
Post-Run: 21,372,702,720 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

246 --- E O F --- 2009-07-05 15:18


oldman960
post Jul 7 2009, 08:53 PM
Post #6

SuperHelper
Group: Classroom Teacher
Posts: 5,744
Joined: 27-April 08
Member No.: 78,707
Operating System: win98se, XP pro

Hi monisb,

Quote: "I would like to keep the symantec antivirus"
That's fine. After you uninstall McAfee and AVG, please test Symantec to ensure it's working.

Click your Start button>Control Panel>Add/remove programs and uninstall these programs if present

AVG Free 8.5
Java 2 Runtime Environment, SE v1.4.2_03
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
Java™ 6 Update 2
Java™ 6 Update 3
Java™ 6 Update 7
MalwareRemovalBot
McAfee Uninstaller

Do Not uninstall Java™ 6 Update 13


Next

Ensure the Windows Firewall is enabled.

  • Click the start button, click control panel
  • Open the Security Center
  • At the bottom, click Windows Firewall
  • On the Windows firewall box, check On (Recommended)
  • Click OK



Next, download this tool MCPR

  • Click Save and save the file to your desktop.
  • Make sure all McAfee windows are closed.
  • Double-click MCPR.exe to run the removal tool
Restart your computer after receiving the message CleanUp Successful.


Next


Open HijackThis, do a system scan only and checkmark these lines, if present

R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)


Close ALL other windows/browsers and click Fix Checked. Answer Yes if prompted. Close HJT.

Reboot and obtain a new HijackThis log.

Please post the HJT log and tell us how your computer is.

Thanks

This post has been edited by oldman960: Jul 8 2009, 07:27 AM
Reason for edit: bbc correction
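The lines a helper picks out of a HijackThis log, and the weakened defences visible in the ComboFix "Reg Loading Points" dump earlier in this thread (Windows Firewall off, Security Center monitoring disabled, a firewall exception for an unfamiliar binary in system32, rogue-AV domains in IE's Trusted Zone, orphaned "(no file)" hooks, the UAC-prefixed file names of this TDSS variant), can be checked mechanically. The Python script below is an added example, not part of this thread and not code from HijackThis, ComboFix or any vendor. Its sample inputs are constructed from the logs posted here; the KNOWN_SYSTEM32 allowlist and the choice of what counts as "unfamiliar" are this example's own assumptions.

```python
"""Triage HijackThis and ComboFix log lines (added example; not a vendor tool)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    source: str   # "hjt" or "combofix"
    reason: str
    line: str


# HijackThis: an O15 line is a site placed in IE's Trusted Zone (the rogue-AV
# domains in this thread); "- (no file)" is a hook whose target is already gone.
TRUSTED_ZONE_RE = re.compile(r"^O15 - Trusted Zone: ")
ORPHAN_RE = re.compile(r"- \(no file\)$")
# UAC<random>.dll under system32 is the file-name pattern of this TDSS variant.
UAC_RE = re.compile(r"\\system32\\uac[a-z]+\.dll\b", re.IGNORECASE)

# ComboFix "Reg Loading Points": [key] headers followed by "name"=value lines.
KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<value>.*)$')
# Assumption of this example: Windows components that may legitimately hold a
# firewall exception from system32 (sessmgr.exe: Remote Desktop Help Session Manager).
KNOWN_SYSTEM32 = {"sessmgr.exe"}

# Constructed sample: lines copied from the HijackThis log earlier in this thread.
SAMPLE_HJT = r"""
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O15 - Trusted Zone: *.antimalwareguard.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.antimalwareguard.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
"""

# Constructed sample: excerpts of the ComboFix "Reg Loading Points" section above.
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\MeSuAx.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"""


def triage_hjt(log: str) -> list[Finding]:
    """Flag the HijackThis lines a helper would mark for review."""
    out = []
    for raw in log.splitlines():
        line = raw.strip()
        if TRUSTED_ZONE_RE.match(line):
            out.append(Finding("hjt", "site in IE Trusted Zone", line))
        elif ORPHAN_RE.search(line):
            out.append(Finding("hjt", "orphaned hook (no file)", line))
        elif UAC_RE.search(line):
            out.append(Finding("hjt", "UAC-prefixed file name (TDSS pattern)", line))
    return out


def hjt_fix_list(log: str) -> list[str]:
    """Only what HijackThis itself can 'Fix Checked': zone entries and orphans."""
    return [f.line for f in triage_hjt(log) if not f.reason.startswith("UAC")]


def triage_combofix(log: str) -> list[Finding]:
    """Walk the registry dump, tracking the current key, and flag weakened defences."""
    out, key = [], ""
    for raw in log.splitlines():
        line = raw.strip()
        if (m := KEY_RE.match(line)):
            key = m.group("key").lower()
            continue
        if UAC_RE.search(line):
            out.append(Finding("combofix", "UAC-prefixed file name (TDSS pattern)", line))
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value").strip()
        if name == "EnableFirewall" and value.startswith("0") and "firewallpolicy" in key:
            out.append(Finding("combofix", "Windows Firewall disabled (EnableFirewall=0)", line))
        elif name == "DisableMonitoring" and value == "dword:00000001" and "security center" in key:
            out.append(Finding("combofix", "Security Center monitoring disabled", line))
        elif key.endswith("authorizedapplications\\list"):
            path = name.replace("\\\\", "\\")          # undo .reg-style escaping
            base = path.rsplit("\\", 1)[-1].lower()
            if "\\system32\\" in path.lower() and base not in KNOWN_SYSTEM32:
                out.append(Finding("combofix", "firewall exception for unfamiliar system32 binary", path))
    return out


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT) + triage_combofix(SAMPLE_COMBOFIX):
        print(f"[{f.source}] {f.reason}: {f.line}")
```

Run it on a full log by reading the file into the two functions; hjt_fix_list() reproduces the "checkmark these lines" list from the instructions above, while the ComboFix findings are things to fix outside HijackThis (re-enable the firewall, remove the exception, and treat a UAC-named file as part of the rootkit rather than something to delete by hand).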
monisb
post Jul 8 2009, 06:56 AM
Post #7

Hi,
I've uninstalled all the programs you asked me to. Symantec still works fine and must have run itself in the background yesterday because it had a load of files in quarantine; a few days ago Symantec couldn't find anything. I've permanently deleted the files in quarantine as they were trojans and backdoor files.

The computer seems to be running a lot better, it starts up fine (before it would only start up after trying 3-4 times) and also hasn't been crashing.

I've followed the rest of your instructions and here is the new hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:42:33, on 08/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\ACTIV Software\ACTIVise\CRS\RepSvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://portal.uwe.ac.uk/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/binary/MJSS.cab69309.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://lionhart.webex.com/client/T25L/support/ieatgpc.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ACTIVdriver Control (ActivDRVcontrol) - ACTIV Software Ltd - C:\Program Files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: ME Repository Service (ME_CRS) - Mastereye LTD - C:\Program Files\ACTIV Software\ACTIVise\CRS\RepSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7950 bytes


Thanks
oldman960
post Jul 8 2009, 07:30 AM
Post #8

Hi monisb,

Good, we are making progress.


BitTorrent and LimeWire
You have BitTorrent and LimeWire, P2P/file sharing programs, installed on your computer. P2P applications like these are the largest source of malware we see. You'll be doing yourself a favor by removing them.

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx

http://www.internetworldstats.com/articles...cles/art053.htm

I would recommend that you uninstall BitTorrent and LimeWire, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep them, please do not use them until your computer is cleaned.



You have this program installed, Malwarebytes' Anti-Malware (MBAM). Please update it and run a scan.

Open MBAM

  • Click the Update tab
  • Click Check for Updates
  • If an update is found, it will download and install the latest version.
  • The program will close to update and reopen.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.



One more scan to ensure we didn't miss anything.

*Note
It is recommended to disable your onboard antivirus and antispyware programs while performing scans so there are no conflicts, and it will speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable your antivirus along with your antispyware programs.



Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on the Accept button.
  • It will start downloading and installing the scanner and virus definitions.
  • You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Change the Files of type to Text file (.txt)
  • Set the Save In to Desktop
  • click the Save button.
  • Please post this log in your next reply along with a new HijackThis log.


Please post back with
  • MBAM log
  • Kaspersky log
  • new HJT log taken last


Thanks
monisb
post Jul 8 2009, 11:28 AM
Post #9

Hi,

I've uninstalled LimeWire as I don't use it but kept BitTorrent. There is a BitTorrent file that is infected, but I downloaded it last year so I don't think it was infected when I downloaded it.

Here are the three logs you asked for:

Malwarebytes:


Malwarebytes' Anti-Malware 1.38
Database version: 2392
Windows 5.1.2600 Service Pack 3

08/07/2009 15:23:04
mbam-log-2009-07-08 (15-23-04).txt

Scan type: Quick Scan
Objects scanned: 108649
Time elapsed: 5 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Kaspersky:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Wednesday, July 8, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, July 08, 2009 15:11:14
Records in database: 2443647
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 103773
Threat name: 7
Infected objects: 15
Suspicious objects: 0
Duration of the scan: 02:30:33


File name / Threat name / Threats count
C:\Documents and Settings\BINDI BHAMBRA\My Documents\BitTorrent Downloads\Championship_Manager_2008_.ISO\Championship_Manager_2008-ISO.iso Infected: Trojan.Win32.Monderb.sbq 2
C:\Documents and Settings\BINDI BHAMBRA\My Documents\NEETA\PRESENTATIONS\santafree.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z 4
C:\Documents and Settings\BINDI BHAMBRA\My Documents\NEETA\PRESENTATIONS\santafree.exe Infected: not-a-virus:AdWare.Win32.NewDotNet 1
C:\Documents and Settings\BINDI BHAMBRA\My Documents\NEETA\PRESENTATIONS\santafree.exe Infected: not-a-virus:AdWare.Win32.WebHancer 5
C:\Documents and Settings\BINDI BHAMBRA\My Documents\NEETA\PRESENTATIONS\santafree.exe Infected: not-a-virus:Server-Proxy.Win32.MarketScore.h 1
C:\Documents and Settings\BINDI BHAMBRA\My Documents\NEETA\PRESENTATIONS\santafree.exe Infected: not-a-virus:Server-Proxy.Win32.MarketScore.i 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\UACtcutcphrxddowkr.dll.vir Infected: Packed.Win32.Tdss.m 1

The selected area was scanned.


Hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:20:48, on 08/07/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\ACTIV Software\ACTIVise\CRS\RepSvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Java\jre6\bin\java.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://portal.uwe.ac.uk/proxy.pac
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4A85DBE0-BFB2-4119-8401-186A7C6EB653} - http://messenger.zone.msn.com/binary/MJSS.cab69309.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://lionhart.webex.com/client/T25L/support/ieatgpc.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: ACTIVdriver Control (ActivDRVcontrol) - ACTIV Software Ltd - C:\Program Files\ACTIV Software\ACTIVdriver\ActivDRVservice.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: ME Repository Service (ME_CRS) - Mastereye LTD - C:\Program Files\ACTIV Software\ACTIVise\CRS\RepSvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SMART Board Service - SMART Technologies Inc. - C:\Program Files\SMART Technologies Inc\SMART Board Software\SMARTBoardService.exe
O23 - Service: SMART Web Server - Unknown owner - C:\Program Files\SMART Technologies Inc\SMART Board Software\WebServer.exe
O23 - Service: TomTomHOMEService - TomTom - C:\Program Files\TomTom HOME 2\TomTomHOMEService.exe
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 7926 bytes


Cheers.

oldman960
post Jul 8 2009, 09:14 PM
Post #10

SuperHelper
Group: Classroom Teacher
Posts: 5,744
Joined: 27-April 08
Member No.: 78,707
Operating System: win98se, XP pro

Hi

Kaspersky certainly took a dislike to that file. Personally, I wouldn't trust anything that came via a P2P program.

We'll remove those files and also any folders, if they remained, from the antivirus programs you uninstalled. The Qoobox quarantined file will be removed when we clean up the tools.

Please download the OTM by OldTimer.
  • Save it to your desktop.
  • Please double-click OTM.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    Do not copy the word CODE; note that the fix starts with the :
    CODE
    :Files
    C:\Documents and Settings\BINDI BHAMBRA\My Documents\BitTorrent Downloads\Championship_Manager_2008_.ISO\Championship_Manager_2008-ISO.iso
    C:\Documents and Settings\BINDI BHAMBRA\My Documents\NEETA\PRESENTATIONS\santafree.exe
    c:\documents and settings\Guest\Application Data\LimeWire
    c:\Program Files\LimeWire
    c:\program files\AVG
    c:\documents and settings\All Users\Application Data\avg8
    c:\documents and settings\BINDI BHAMBRA\Application Data\AVGTOOLBAR
    c:\progra~1\mcafee.com

    :Commands
    [Purity]
    [emptytemp]
    [start explorer]
    [Reboot]

  • Return to OTM, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTM

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTM\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.


Please post back with the OTM log. If all is well we'll clean up our tools after you reply.

Thanks
monisb
post Jul 9 2009, 04:48 AM
Post #11

New Member
Group: Authentic Member
Posts: 7
Joined: 6-July 09
Member No.: 86,575
Operating System: windows xp

Hi,
here's the OldTimer log:

All processes killed
========== FILES ==========
C:\Documents and Settings\BINDI BHAMBRA\My Documents\BitTorrent Downloads\Championship_Manager_2008_.ISO\Championship_Manager_2008-ISO.iso moved successfully.
C:\Documents and Settings\BINDI BHAMBRA\My Documents\NEETA\PRESENTATIONS\santafree.exe moved successfully.
c:\documents and settings\Guest\Application Data\LimeWire\xml\schemas moved successfully.
c:\documents and settings\Guest\Application Data\LimeWire\xml\misc moved successfully.
c:\documents and settings\Guest\Application Data\LimeWire\xml\data moved successfully.
c:\documents and settings\Guest\Application Data\LimeWire\xml moved successfully.
c:\documents and settings\Guest\Application Data\LimeWire\themes\windows_theme moved successfully.
c:\documents and settings\Guest\Application Data\LimeWire\themes\other_theme moved successfully.
c:\documents and settings\Guest\Application Data\LimeWire\themes\limewire_theme moved successfully.
c:\documents and settings\Guest\Application Data\LimeWire\themes\classic_theme moved successfully.
c:\documents and settings\Guest\Application Data\LimeWire\themes\black_theme moved successfully.
c:\documents and settings\Guest\Application Data\LimeWire\themes moved successfully.
c:\documents and settings\Guest\Application Data\LimeWire\.NetworkShare\Incomplete moved successfully.
c:\documents and settings\Guest\Application Data\LimeWire\.NetworkShare moved successfully.
c:\documents and settings\Guest\Application Data\LimeWire moved successfully.
c:\Program Files\LimeWire moved successfully.
File/Folder c:\program files\AVG not found.
c:\documents and settings\All Users\Application Data\avg8\update\prepare moved successfully.
c:\documents and settings\All Users\Application Data\avg8\update\backup moved successfully.
c:\documents and settings\All Users\Application Data\avg8\update moved successfully.
c:\documents and settings\All Users\Application Data\avg8\Temp moved successfully.
c:\documents and settings\All Users\Application Data\avg8\scanlogs moved successfully.
c:\documents and settings\All Users\Application Data\avg8\Log moved successfully.
c:\documents and settings\All Users\Application Data\avg8\emc moved successfully.
c:\documents and settings\All Users\Application Data\avg8\Dumps moved successfully.
c:\documents and settings\All Users\Application Data\avg8\CfgAll moved successfully.
c:\documents and settings\All Users\Application Data\avg8\Cfg moved successfully.
c:\documents and settings\All Users\Application Data\avg8\AvgApi moved successfully.
c:\documents and settings\All Users\Application Data\avg8\AvgAm moved successfully.
c:\documents and settings\All Users\Application Data\avg8\admincli moved successfully.
c:\documents and settings\All Users\Application Data\avg8 moved successfully.
File/Folder c:\documents and settings\BINDI BHAMBRA\Application Data\AVGTOOLBAR not found.
File/Folder c:\progra~1\mcafee.com not found.
========== COMMANDS ==========

[EMPTYTEMP]

User: Administrator
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 2123250 bytes

User: All Users

User: BINDI BHAMBRA
->Temp folder emptied: 79323883 bytes
->Temporary Internet Files folder emptied: 2714383 bytes
->Java cache emptied: 40721499 bytes
->FireFox cache emptied: 113455261 bytes
->Google Chrome cache emptied: 6322255 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 134 bytes

User: Guest
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->FireFox cache emptied: 8718638 bytes

User: LocalService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes
->FireFox cache emptied: 12493660 bytes

User: NetworkService
->Temp folder emptied: 0 bytes
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
->Temporary Internet Files folder emptied: 32902 bytes

User: Owner

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
Windows Temp folder emptied: 791771 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 254.37 mb


OTM by OldTimer - Version 3.0.0.4 log created on 07092009_113909

Files moved on Reboot...

Registry entries deleted on Reboot...

Thanks
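A helper reading an OTM log like the one above has to confirm that every path in the fix was actually handled. The script below is an added example, not OTM's own code: it reconciles the :Files list of a fix with the three line shapes OTM writes (moved, not found, delete deferred to reboot) and flags any requested path the log never mentions. The fix script, log and paths are constructed placeholders, not the ones from this thread.

```python
import re

# Line shapes copied from the OTM log format (moved / not found / deferred to reboot).
_MOVED = re.compile(r"^(?P<path>.+) moved successfully\.$")
_NOT_FOUND = re.compile(r"^File/Folder (?P<path>.+) not found\.$")
_DEFERRED = re.compile(r"^File delete failed\. (?P<path>.+) scheduled to be deleted on reboot\.$")

# Constructed fix script and log; the paths are placeholders, not from the thread.
SAMPLE_FIX = r""":Files
C:\Users\Example\Downloads\santafree.exe
c:\Program Files\LimeWire
C:\Users\Example\AppData\Local\Temp\index.dat
c:\program files\AVG
c:\progra~1\mcafee.com
:Commands
[emptytemp]
"""

SAMPLE_LOG = r"""========== FILES ==========
C:\Users\Example\Downloads\santafree.exe moved successfully.
c:\Program Files\LimeWire\themes moved successfully.
c:\Program Files\LimeWire moved successfully.
File delete failed. C:\Users\Example\AppData\Local\Temp\index.dat scheduled to be deleted on reboot.
File/Folder c:\progra~1\mcafee.com not found.
"""


def parse_fix_files(script: str) -> list:
    """Return the paths listed under ':Files' in an OTM fix script."""
    paths, in_files = [], False
    for raw in script.splitlines():
        line = raw.strip()
        if line.startswith(":"):                 # section header (:Files, :Commands, ...)
            in_files = line.lower() == ":files"
        elif in_files and line:
            paths.append(line)
    return paths


def parse_otm_log(log: str) -> dict:
    """Map each path the log mentions (lower-cased: NTFS paths are case-insensitive) to its outcome."""
    outcome = {}
    for raw in log.splitlines():
        for status, pat in (("not_found", _NOT_FOUND), ("deferred", _DEFERRED), ("moved", _MOVED)):
            if m := pat.match(raw.strip()):
                outcome[m.group("path").lower()] = status
                break
    return outcome


def reconcile(script: str, log: str) -> dict:
    """Bucket every requested path by outcome; 'unaccounted' paths need a manual look."""
    result = {"moved": [], "not_found": [], "deferred": [], "unaccounted": []}
    seen = parse_otm_log(log)
    for path in parse_fix_files(script):
        result[seen.get(path.lower(), "unaccounted")].append(path)
    return result
```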
oldman960
post Jul 9 2009, 07:04 PM
Post #12

SuperHelper
Group: Classroom Teacher
Posts: 5,744
Joined: 27-April 08
Member No.: 78,707
Operating System: win98se, XP pro

Hi monisb,

Please be advised that you had at least one infection that has backdoor capabilities. I strongly suggest you change all passwords to any sites you log onto. This includes financial sites, forums, etc.


Everything else looks good. We can clean up our tools now.

From your desktop, please delete
  • any notepads/logs that we created
  • MCPR.exe
Kaspersky online scan can be removed via add/remove programs if you wish.


Next

Click the Start button, click Run. Copy and paste the following line into the run box and click OK
Combofix /u


Next

Open OTM then click the Clean Up button. You may get prompted by your firewall that OTM wants to contact the internet - allow this. A cleanup.txt will be downloaded, a message dialog will ask you if you want to proceed with the cleanup process, click Yes. This will do some clean up tasks and delete some of the tools you have downloaded plus itself.

I suggest you keep MBAM as an on demand scanner. Keep MBAM updated and use it on a regular basis.


Updates and upgrades

* If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update

You have an older version of Adobe Reader. You can download the current version HERE

You may want to consider Foxit Reader instead. It may be a bit lighter on resources.

Visit their support forum
Foxit Forum

In either case you should uninstall Adobe Reader 6.0.1 first. Be sure to move any PDF documents to another folder first though.


Some Recommendations and prevention tips

Basic security consists of 1 antivirus program, 1 resident antispyware program, 1 on demand antispyware program and a firewall. You just need to add a firewall.

* If you are behind a router Windows firewall should be fine. Otherwise a 3rd party firewall with outbound monitoring is recommended.

Click FIREWALL for tips, reviews and links to good, free and paid for firewalls. (Note: Zone Alarm is becoming bloatware)


You should also use Spyware Blaster to help immunize your computer.

- SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

OR

A guide to understanding and using the hosts file.

Learn how your Hosts file can protect you and how you can protect it.
Besides the Hosts file information, there are links to a very good updated hosts file, a hosts file manager, and some programs that can protect your hosts file.
HOSTS

Please read the info on disabling the DNS Client before installing a custom hosts file.


-Secure your Internet Explorer

From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


- Keeping your Windows up-to-date is crucial to your computer's security. Please go to the Windows Update Site (using Internet Explorer) and download and install all critical updates on a regular basis.

- Ensure that Automatic Update is turned on so you get all the latest patches.
Click start, control panel, click Security Center.


- Keep your antivirus program updated, as well as any other security programs you have.


-Check this site out to check for out-of-date programs
Secunia Personal Software Inspector (PSI) 1.0


-More tips and programs can be found HERE


- You may also want to read this article By Tony Klein
http://www.freedomlist.com/forum/viewtopic.php?t=22879

We will keep this thread open for a couple of days. Please post back if you have any problems or questions. Please post back when you have finished so this thread can be marked "Resolved".

Take care

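The six Custom Level settings in the post above can be checked without clicking through the dialog, because Internet Explorer stores them as DWORD values under the Internet zone's registry key (0 = Enable, 1 = Prompt, 3 = Disable). The audit below is an added example, not from the post or from Microsoft; the value names 1001, 1004, 1201, 1800, 1804 and 1607 are the documented zone registry entries (Microsoft KB182569), and the .reg text is a constructed export of HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 as `reg export` would write it.

```python
import re

ENABLE, PROMPT, DISABLE = 0, 1, 3            # documented DWORD values for a zone setting
LABEL = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Dialog label from the checklist above -> (registry value name, minimum wanted level)
RECOMMENDED = {
    "Download signed ActiveX controls": ("1001", PROMPT),
    "Download unsigned ActiveX controls": ("1004", DISABLE),
    "Initialize and script ActiveX controls not marked as safe": ("1201", DISABLE),
    "Installation of desktop items": ("1800", PROMPT),
    "Launching programs and files in an IFRAME": ("1804", PROMPT),
    "Navigate sub-frames across different domains": ("1607", PROMPT),
}

_SECTION = re.compile(r"^\[(?P<key>.+)\]$")
_DWORD = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')

# Constructed .reg export; zone 2 (Local intranet) is included only to show it is skipped.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2]
"1001"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1800"=dword:00000001
"1804"=dword:00000000
"""


def parse_zone_export(reg_text: str, zone: int = 3) -> dict:
    """Return {value_name: int} for one zone's section of a .reg export."""
    suffix = "\\zones\\" + str(zone)
    values, in_zone = {}, False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if sec := _SECTION.match(line):          # new [key] header: is it our zone?
            in_zone = sec.group("key").lower().endswith(suffix)
        elif in_zone and (m := _DWORD.match(line)):
            values[m.group("name")] = int(m.group("hex"), 16)
    return values


def audit_zone(values: dict) -> list:
    """List recommended settings that are missing or less restrictive than wanted.
    A stricter setting (e.g. Disable where Prompt is wanted) is not a finding."""
    findings = []
    for setting, (name, wanted) in RECOMMENDED.items():
        current = values.get(name)
        if current is None or current < wanted:
            findings.append({"setting": setting, "value": name, "wanted": LABEL[wanted],
                             "current": "not set" if current is None else LABEL.get(current, str(current))})
    return findings
```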
monisb
post Jul 10 2009, 05:32 AM
Post #13

New Member
Group: Authentic Member
Posts: 7
Joined: 6-July 09
Member No.: 86,575
Operating System: windows xp

Thanks for all your help.

About the infection with backdoor capabilities: I've used passwords on financial sites before I got the virus but not after; would these still need to be changed?

Cheers.

oldman960
post Jul 10 2009, 07:18 AM
Post #14

SuperHelper
Group: Classroom Teacher
Posts: 5,744
Joined: 27-April 08
Member No.: 78,707
Operating System: win98se, XP pro

Hi monisb,

Yes, you should change them.

Take care
oldman960
post Jul 12 2009, 07:59 AM
Post #15

SuperHelper
Group: Classroom Teacher
Posts: 5,744
Joined: 27-April 08
Member No.: 78,707
Operating System: win98se, XP pro

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
