
[Resolved] VIRUS ALERT! In the system tray next to the clock.


  • This topic is locked
12 replies to this topic

#1 Ldee247

  • Authentic Member
  • 34 posts

Posted 11 June 2008 - 02:39 PM

Hi, can you help me? I'm having a VIRUS ALERT! in my system tray. This appeared after my laptop started responding very slowly when browsing the net and responding to commands. I was receiving unnecessary pop-ups asking me to download and install antispyware and malware, saying my laptop had spyware, adware and a corrupted registry. I was using McAfee at the time but it was not doing much to help. I ended up downloading PC Tools to fix my registry; some errors were fixed, but that one remained in the system tray. Someone advised me to use smitfraudfix.exe, but it's still the same. I have uninstalled McAfee and the PC registry tools and I'm now using Norton Antivirus that came with BT Broadband. Now my Internet Explorer is acting up, not loading some web pages. I have tried to revert back to the older version, IE6, and uninstalled BT Broadband, but still the same problem, until today when I came across this site called What the Tech....

I have downloaded HijackThis and the report is as follows:

Logfile of HijackThis v1.99.1
Scan saved at 19:35: VIRUS ALERT!, on 11/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\DNA\btdna.exe
C:\PROGRA~1\Nero\PHOTOS~1\data\xtras\mssysmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: QXK Olive - {B33B96B9-E0C2-4648-9819-A38DDCAFA33C} - C:\WINDOWS\boqnrwdmstg.dll (file missing)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AS00_WN511B] C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe -hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198343091202
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Will be waiting for your response. Thanks....
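
Reading a HijackThis log by hand means scanning for the same few things every time. As an added example (Python, written for this page; it is not the forum's or HijackThis's own code), the script below parses the entry lines and pulls out what a helper asks about first: registrations whose target file is absent ("(no file)" / "(file missing)"), which are orphaned CLSIDs left behind by something that ran on the machine, and the O6/O7 policy lines, which ordinary software on a home PC rarely sets. SAMPLE_LOG is a constructed subset of the log posted above. One assumption is built in: HijackThis 1.99.1 reports services whose ImagePath is quoted and carries arguments as "(file missing)" even when the file exists, so O23 lines with a stray `"` in the path are set aside as a parser quirk rather than a finding. Orphaned entries are leads, not verdicts; the xpnetdiag button here is a benign XP leftover, while a BHO with a random-looking DLL name directly under C:\WINDOWS is the kind of entry worth chasing.

```python
"""Triage of a HijackThis 1.99.1 log (added example; not part of the thread).

Entry lines look like "<section> - <body>": R0/R1 IE URLs, O2 BHOs, O3 toolbars,
O4 Run keys, O6/O7 policy restrictions, O9 IE buttons, O23 services.
SAMPLE_LOG is a constructed subset of the log posted in this thread.
"""
import re

ENTRY = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$")

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: QXK Olive - {B33B96B9-E0C2-4648-9819-A38DDCAFA33C} - C:\WINDOWS\boqnrwdmstg.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
"""


def parse_hjt(text):
    """Return (section, body) pairs for the entry lines. The header and the
    'Running processes' list carry no 'Oxx - ' prefix and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage_hjt(text):
    """Classify entries as (section, kind, clsid_or_None, body) where kind is
    'orphan' (target file absent), 'policy' (O6/O7 lockdown) or 'hjt_quirk'
    (O23 false positive from a quoted service path). Clean entries are dropped."""
    findings = []
    for sec, body in parse_hjt(text):
        m = CLSID.search(body)
        clsid = m.group(0).upper() if m else None
        if sec in ("O6", "O7"):
            findings.append((sec, "policy", clsid, body))
        elif ORPHAN.search(body):
            # Assumption: HJT 1.99.1 splits a quoted ImagePath at the closing
            # quote and then cannot find the file; the stray '"' is the tell.
            kind = "hjt_quirk" if sec == "O23" and '"' in body else "orphan"
            findings.append((sec, kind, clsid, body))
    return findings


def summarize(findings):
    """Count findings per kind; orphans and policies get fixed, quirks are ignored."""
    counts = {}
    for _sec, kind, _clsid, _body in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage_hjt(SAMPLE_LOG)
    for sec, kind, clsid, body in found:
        print(f"{sec:<4}{kind:<10}{clsid or '-':<40} {body}")
    print(summarize(found))
```

The CLSID is carried in each finding on purpose: searching it against a known-BHO list, or matching it against a later scanner log, is what turns an orphaned entry into an identification.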

#2 LDTate

  • Forum God
  • Root Admin
  • 56,586 posts
  • MVP

Posted 13 June 2008 - 06:31 AM

Stay with this topic until I give you the all clean post.

You might want to print these instructions out.

I suggest you do this:

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless instructed to.


Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser, to keep saved passwords click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.

Next:

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected .
  • When completed, a log will open in Notepad. Please save it to a convenient location and post the results.
  • Note: If you receive a notice that some of the items couldn't be removed, that they have been added to the delete on reboot list, please reboot.
Also "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.

#3 Ldee247

  • Authentic Member
  • 34 posts

Posted 17 June 2008 - 03:44 PM

Hi LDTate

In response to what you advised me to do, this is what I achieved: the VIRUS ALERT! in the system tray has vanished and my PC is even running much better and faster. I think you've tackled the problem and I'm ever so happy; I don't know how to thank you enough, but many thanks anyway.

Below is the result of the Malwarebytes' Anti-Malware Scan:

Malwarebytes' Anti-Malware 1.17
Database version: 864

21:46:12 17/06/2008
mbam-log-6-17-2008 (21-46-12).txt

Scan type: Quick Scan
Objects scanned: 40732
Time elapsed: 23 minute(s), 47 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 31
Registry Values Infected: 0
Registry Data Items Infected: 5
Folders Infected: 3
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\e405.e405mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\e405.e405mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{b33b96b9-e0c2-4648-9819-a38ddcafa33c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{b33b96b9-e0c2-4648-9819-a38ddcafa33c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{14a9da84-0c80-4520-8452-f5c7c911a003} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3177b0aa-7c67-46b4-ba02-574d7e368d4f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{890f3f83-dca0-42a9-935e-dd01e78970b8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{14e6d991-db22-4661-981d-20c168d6847b} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2242513c-f5e9-41b3-bc89-4d9daf487450} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3b489b37-fc1b-45c8-b1ce-78d9aef5b336} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3d6a6e24-fdff-418e-a93d-9fbdcba377af} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e318e44-0c35-4292-af91-18dd17795636} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{495349a3-3a35-465f-88df-6ccfc1348246} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{575e8879-d6cf-4992-a7fe-651da9277bcb} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{76a15001-ff88-47ee-9e34-9f68e34246af} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{819a1c55-735f-4696-8727-3772ec87ad26} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8dc7e656-ffbc-4ba2-af81-1c6c4fe04407} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a86bed71-2b56-4778-9c48-829a3d01c687} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ae119e11-cf86-43cb-91aa-1acf2bbf9ec6} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b5a1ce7f-011d-4475-98db-076aaf3b1d18} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b667f141-171c-4ac6-bd2b-8e0c646fb920} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{da4f8351-05ef-4956-b9ab-1093b732436f} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e1e4e46d-53b8-45dc-abf0-3e7adef79012} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{83b0cadc-ea64-4ac6-822a-3ece95f44da6} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\e405.e405mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\e405.e405mgr.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (HH:mm:ss) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDrives (Hijack.Drives) -> Bad: (12) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\abc\Application Data\WinSecureAv (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\Documents and Settings\abc\Application Data\WinSecureAv\Logs (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\818646 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\gxikvghh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\abc\Application Data\WinSecureAv\Logs\threats.log (Rogue.WinSecureAv) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\clkcnt.txt (Trojan.Vundo) -> Quarantined and deleted successfully.


This is my new HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 22:39:11, on 17/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\DNA\btdna.exe
C:\PROGRA~1\Nero\PHOTOS~1\data\xtras\mssysmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com//
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Mininova Toolbar - {f592709f-ff4a-4862-b659-4afabda56312} - C:\Program Files\Mininova\tbMini.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Mininova Toolbar - {f592709f-ff4a-4862-b659-4afabda56312} - C:\Program Files\Mininova\tbMini.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Mininova Toolbar - {f592709f-ff4a-4862-b659-4afabda56312} - C:\Program Files\Mininova\tbMini.dll
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AS00_WN511B] C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe -hide
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198343091202
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

If you would want me to do any further tasks, I will be very willing to participate....

Thanks again...

Ldee247
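
The MBAM log explains the tray text. HKCU\Control Panel\International\sTimeFormat was set to "HH:mm: VIRUS ALERT!"; the clock renders that picture, so the words appear next to the time and no process needs to stay running. The Policies\Explorer and Policies\System values (NoDrives, NoSetFolders, NoToolbarCustomize, StartMenuLogOff, DisableRegedit) took away the drive letters, Folder Options and regedit a user would need to undo it. As an added example (Python, written for this page; not Malwarebytes' or the forum's code), the script below parses a .reg export of those keys, flags a clock picture that carries literal text and any lockdown policy that is set, and emits the remediation .reg. SAMPLE_EXPORT is constructed to mirror the Bad:/Good: values in the log; NoDriveTypeAutoRun is an unrelated value added to show it is left alone; the token list used to judge a clock picture is a heuristic of mine, not a Windows rule.

```python
"""Registry-export triage for the sTimeFormat clock hijack and the Explorer/System
lockdown policies reported in the MBAM log (added example, not the forum's code).
SAMPLE_EXPORT is constructed to mirror that log's Bad:/Good: values."""
import re

INTL_KEY = r"HKEY_CURRENT_USER\Control Panel\International"
STOCK_TIME_FORMAT = "HH:mm:ss"
POLICY_PREFIX = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
LOCKDOWN = {  # value names from the MBAM log; the stock state is 0 or absent
    POLICY_PREFIX + r"\Explorer": {"StartMenuLogOff", "NoDrives", "NoToolbarCustomize", "NoSetFolders"},
    POLICY_PREFIX + r"\System": {"DisableRegedit"},
}
# Heuristic (my assumption): a benign picture is only these tokens, separators and quoted text.
FORMAT_TOKEN = re.compile(r"hh|h|HH|H|mm|m|ss|s|tt|t|[ :.\-/]")
QUOTED = re.compile(r"'([^']*)'")

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\International]
"sTimeFormat"="HH:mm: VIRUS ALERT!"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"StartMenuLogOff"=dword:00000001
"NoDrives"=dword:0000000c
"NoToolbarCustomize"=dword:00000001
"NoSetFolders"=dword:00000001
; unrelated value, constructed to show it is left alone
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegedit"=dword:00000001
"""


def parse_reg_export(text):
    """Return {key: {name: value}} from .reg text. REG_SZ -> str, REG_DWORD -> int,
    anything else keeps the raw right-hand side. ';' comment lines are ignored."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, val = m.groups()
        if val.startswith('"') and val.endswith('"'):
            value = val[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif val.startswith("dword:"):
            value = int(val[6:], 16)
        else:
            value = val
        keys[current][name] = value
    return keys


def rendered_literals(picture):
    """Text the clock would print verbatim from a time-format picture: quoted
    literals plus every stretch that is neither a format token nor a separator."""
    literals = []

    def keep(m):  # pull quoted text out first so 'h' inside quotes is not a token
        literals.append(m.group(1))
        return " "

    rest, pos = QUOTED.sub(keep, picture), 0
    for m in FORMAT_TOKEN.finditer(rest):
        if m.start() > pos:
            literals.append(rest[pos:m.start()])
        pos = m.end()
    if pos < len(rest):
        literals.append(rest[pos:])
    return [s for s in literals if s.strip()]


def triage(export_text):
    """(key, name, value, reason) for a hijacked clock picture and each lockdown
    policy that is set to a non-zero value."""
    keys = parse_reg_export(export_text)
    findings = []
    picture = keys.get(INTL_KEY, {}).get("sTimeFormat")
    if isinstance(picture, str) and rendered_literals(picture):
        findings.append((INTL_KEY, "sTimeFormat", picture,
                         "clock picture renders literal text: " + " ".join(rendered_literals(picture))))
    for key, names in LOCKDOWN.items():
        for name, value in keys.get(key, {}).items():
            if name in names and value:
                findings.append((key, name, value, "Explorer/regedit lockdown policy set"))
    return findings


def remediation_reg(findings):
    """A .reg that restores the stock clock picture and removes the policy values
    ('"name"=-' deletes a value when the file is imported)."""
    by_key = {}
    for key, name, _value, _reason in findings:
        by_key.setdefault(key, []).append(name)
    out = ["Windows Registry Editor Version 5.00", ""]
    for key, names in by_key.items():
        out.append(f"[{key}]")
        for name in names:
            fixed = f'"{STOCK_TIME_FORMAT}"' if (key, name) == (INTL_KEY, "sTimeFormat") else "-"
            out.append(f'"{name}"={fixed}')
        out.append("")
    return "\n".join(out)


if __name__ == "__main__":
    found = triage(SAMPLE_EXPORT)
    for key, name, value, reason in found:
        print(f"{key}\\{name} = {value!r}  <- {reason}")
    print(remediation_reg(found))
```

To use it on a live machine, export the three keys with `reg export` (for example `reg export "HKCU\Control Panel\International" intl.reg`), concatenate the exports, run the script, and import the generated file with `reg import`, which unlike regedit.exe does not honour the DisableRegedit policy. The exported values also make a useful before/after record of what the infection changed.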

#4 LDTate

  • Forum God
  • Root Admin
  • 56,586 posts
  • MVP

Posted 18 June 2008 - 03:32 PM

Download ComboFix from Here or Here to your Desktop.
**Note: In the event you already have ComboFix, please delete it from your desktop and download this new version. It is important that it is saved directly to your desktop.**
--------------------------------------------------------------------
  • Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
  • WARNING: IF you have not already done so Combofix will disconnect your machine from the Internet when it starts
  • Please do not re-connect your machine back to the Internet until Combofix has completely finished.
--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review

****Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze ****

*If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.

Give it at least 20-30 minutes to finish.

#5 Ldee247

  • Authentic Member
  • 34 posts

Posted 19 June 2008 - 07:21 AM

Hi LDTate

I have downloaded ComboFix.exe and followed the procedure. Below is the log report:


ComboFix 08-06-16.5 - abc 2008-06-19 8:37:38.1 - NTFSx86
Running from: C:\Documents and Settings\abc\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\setup.exe
C:\WINDOWS\BM77e2b41c.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bkvdfrho.ini
C:\WINDOWS\system32\cjlyjyav.ini
C:\WINDOWS\system32\IhiPoUvw.ini
C:\WINDOWS\system32\IhiPoUvw.ini2
C:\WINDOWS\system32\lacvyuwf.dll
C:\WINDOWS\system32\lsqgtwfw.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mtgnljnx.dll
C:\WINDOWS\system32\oglkgaaf.ini
C:\WINDOWS\system32\pgrelqbo.dll
C:\WINDOWS\system32\teqtyysq.dll

----- BITS: Possible infected sites -----

hxxp://www.photoshow.com
.
((((((((((((((((((((((((( Files Created from 2008-05-19 to 2008-06-19 )))))))))))))))))))))))))))))))
.

2008-06-18 21:33 . 2008-06-18 21:33 <DIR> d-------- C:\Documents and Settings\abc\Application Data\Apple Computer
2008-06-18 21:31 . 2008-06-18 21:32 <DIR> d-------- C:\Program Files\iTunes
2008-06-18 21:31 . 2008-06-18 21:31 <DIR> d-------- C:\Program Files\iPod
2008-06-18 21:26 . 2008-06-18 21:26 <DIR> d-------- C:\Program Files\Bonjour
2008-06-18 21:21 . 2008-06-18 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-18 21:03 . 2008-06-18 21:03 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-18 21:03 . 2008-06-18 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-17 21:05 . 2008-06-17 21:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 21:05 . 2008-06-17 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 21:05 . 2008-06-17 21:05 <DIR> d-------- C:\Documents and Settings\abc\Application Data\Malwarebytes
2008-06-17 21:05 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-17 21:05 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-16 12:53 . 2008-06-16 12:53 <DIR> d-------- C:\Documents and Settings\abc\Application Data\Media Player Classic
2008-06-16 12:50 . 2008-06-16 12:50 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-06-16 12:31 . 2008-06-16 12:31 <DIR> d-------- C:\Program Files\Xvid
2008-06-16 12:31 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-16 12:31 . 2006-11-01 14:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-06-16 12:31 . 2006-11-01 15:26 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-06-14 20:59 . 2008-06-14 20:59 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-06-14 20:58 . 2008-06-14 20:58 <DIR> d-------- C:\Program Files\Real
2008-06-13 14:08 . 2008-06-13 14:08 <DIR> d-------- C:\Program Files\Mininova
2008-06-13 14:08 . 2008-06-13 14:08 <DIR> d-------- C:\Program Files\Conduit
2008-06-11 13:35 . 2008-06-11 15:02 <DIR> d-------- C:\Program Files\Microsoft User Agent String Utility
2008-06-11 13:27 . 2008-06-11 13:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-06-11 13:27 . 2008-06-11 13:28 <DIR> d-------- C:\Documents and Settings\abc\Application Data\MSN6
2008-06-11 12:31 . 2008-06-11 12:31 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-08 12:22 . 2007-01-18 11:46 449,888 --a------ C:\WINDOWS\system32\drivers\wpn511.sys
2008-06-08 12:14 . 2008-06-10 07:57 <DIR> d-------- C:\Program Files\NETGEAR
2008-06-07 18:56 . 2008-06-07 18:56 268 --ah----- C:\sqmdata10.sqm
2008-06-07 18:56 . 2008-06-07 18:56 244 --ah----- C:\sqmnoopt10.sqm
2008-06-07 18:25 . 2008-06-07 18:25 268 --ah----- C:\sqmdata09.sqm
2008-06-07 18:25 . 2008-06-07 18:25 244 --ah----- C:\sqmnoopt09.sqm
2008-06-07 12:33 . 2008-06-07 12:33 268 --ah----- C:\sqmdata08.sqm
2008-06-07 12:33 . 2008-06-07 12:33 244 --ah----- C:\sqmnoopt08.sqm
2008-06-07 00:23 . 2008-06-07 00:23 268 --ah----- C:\sqmdata07.sqm
2008-06-07 00:23 . 2008-06-07 00:23 244 --ah----- C:\sqmnoopt07.sqm
2008-06-05 19:44 . 2008-06-05 19:44 <DIR> d-------- C:\Program Files\Sun
2008-06-05 19:40 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-05 19:13 . 2008-06-05 19:13 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-02 19:45 . 2008-06-02 19:46 94,208 --a------ C:\WINDOWS\system32\ramdisk.cpl
2008-06-02 19:45 . 2004-08-04 00:00 20,736 --a------ C:\WINDOWS\system32\drivers\ramdisk.sys
2008-06-02 19:45 . 2004-08-04 00:00 20,736 --a--c--- C:\WINDOWS\system32\dllcache\ramdisk.sys
2008-06-01 17:45 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-06-01 17:45 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-06-01 17:45 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-06-01 13:29 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-06-01 13:15 . 2008-06-01 13:15 <DIR> d-------- C:\Documents and Settings\abc\Application Data\Motive
2008-06-01 11:39 . 2008-06-01 12:15 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-01 11:39 . 2008-06-01 12:15 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-01 11:39 . 2008-06-01 12:15 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-01 11:39 . 2008-06-01 12:15 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-01 11:38 . 2008-06-01 17:45 <DIR> d-------- C:\Program Files\Symantec
2008-05-31 11:41 . 2008-06-04 06:34 <DIR> d-------- C:\Program Files\BT Home Hub
2008-05-30 19:17 . 2004-10-25 15:18 131,072 --a------ C:\WINDOWS\system32\ypclsp.dll
2008-05-30 19:17 . 2003-05-19 16:07 86,016 --a------ C:\WINDOWS\system32\YPcservice.exe
2008-05-30 19:13 . 2002-01-05 06:37 344,064 --------- C:\WINDOWS\system32\msvcr70.dll
2008-05-30 19:13 . 2003-03-18 21:05 89,088 --a------ C:\WINDOWS\system32\ATL71.DLL
2008-05-30 19:13 . 2002-01-05 05:18 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2008-05-30 19:13 . 2001-10-11 10:26 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2008-05-30 19:12 . 2008-06-04 06:22 <DIR> d-------- C:\WINDOWS\Motive
2008-05-30 19:08 . 2003-02-28 18:26 404,752 --a------ C:\WINDOWS\system32\javart.dll
2008-05-30 19:08 . 2003-02-28 18:26 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2008-05-30 19:08 . 2003-02-28 18:26 172,304 --a------ C:\WINDOWS\system32\jview.exe
2008-05-30 19:08 . 2003-02-28 18:26 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2008-05-30 19:08 . 2003-02-28 18:26 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2008-05-30 19:08 . 2003-02-28 18:26 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2008-05-30 19:08 . 2003-02-28 18:26 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2008-05-30 11:27 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2008-05-30 11:27 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2008-05-30 08:16 . 2008-06-10 10:22 1,230 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-29 21:20 . 2008-05-29 21:21 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-27 20:06 . 2008-05-27 20:06 0 --a------ C:\OrbPVR.db
2008-05-27 17:45 . 2008-05-27 17:45 <DIR> d-------- C:\SiteAdvisor
2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-05-26 16:27 . 2008-05-27 18:16 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-25 13:10 . 2008-05-25 13:10 145 --a------ C:\345543.bat
2008-05-25 13:10 . 2008-05-25 13:10 110 --a------ C:\818646.bat
2008-05-24 22:04 . 2008-05-24 22:04 1,145,896 --a------ C:\GoogleToolbarInstaller.exe
2008-05-23 15:41 . 2008-05-23 15:41 268 --ah----- C:\sqmdata06.sqm
2008-05-23 15:41 . 2008-05-23 15:41 244 --ah----- C:\sqmnoopt06.sqm
2008-05-23 00:41 . 2008-05-23 00:41 268 --ah----- C:\sqmdata05.sqm
2008-05-23 00:41 . 2008-05-23 00:41 244 --ah----- C:\sqmnoopt05.sqm
2008-05-20 20:46 . 2008-05-20 20:48 <DIR> d-------- C:\Program Files\VirtualDJ
2008-05-20 16:47 . 2008-06-11 11:24 51,355 --a------ C:\WINDOWS\system32\muzika.xm

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-19 07:42 --------- d-----w C:\Documents and Settings\abc\Application Data\DNA
2008-06-19 06:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-19 06:25 --------- d-----w C:\Program Files\Winamp Remote
2008-06-19 00:08 --------- d-----w C:\Documents and Settings\abc\Application Data\uTorrent
2008-06-18 20:24 --------- d-----w C:\Program Files\QuickTime
2008-06-18 20:07 --------- d-----w C:\Program Files\Apple Software Update
2008-06-15 12:32 --------- d-----w C:\Documents and Settings\abc\Application Data\LimeWire
2008-06-14 19:59 --------- d-----w C:\Program Files\Common Files\Real
2008-06-14 19:58 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-06-10 07:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-10 07:01 --------- d-----w C:\Program Files\Google
2008-06-07 11:31 --------- d-----w C:\Documents and Settings\abc\Application Data\Winamp
2008-06-05 18:38 --------- d-----w C:\Program Files\Java
2008-06-04 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-04 05:25 --------- d-----w C:\Documents and Settings\abc\Application Data\Yahoo!
2008-06-04 05:23 --------- d-----w C:\Program Files\Yahoo!
2008-06-01 16:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-31 10:07 --------- d-----w C:\Program Files\Ahead
2008-05-30 18:09 155,995 ----a-w C:\WINDOWS\java\Packages\WI5RDR7Z.ZIP
2008-05-30 10:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-30 09:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-30 09:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-16 10:49 --------- d-----w C:\Documents and Settings\abc\Application Data\Nero
2008-05-10 06:50 124,100 ----a-w C:\RealPlayer11GOLD.exe
2008-05-09 18:50 --------- d-----w C:\Program Files\Nokia
2008-05-09 07:30 --------- d-----w C:\Program Files\MySpace
2008-05-08 19:51 --------- d-----w C:\Program Files\AskTBar
2008-05-08 17:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-05-08 17:28 --------- d-----w C:\Program Files\Common Files\Simple Star Shared
2008-05-08 17:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Simple Star Shared
2008-05-08 17:10 --------- d-----w C:\Program Files\Nero
2008-05-08 17:08 --------- d-----w C:\Documents and Settings\abc\Application Data\Simple Star
2008-05-08 14:32 --------- d-----w C:\Documents and Settings\abc\Application Data\Nokia
2008-05-08 14:32 --------- d-----w C:\Documents and Settings\abc\Application Data\Datalayer
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-06 05:18 --------- d-----w C:\Documents and Settings\abc\Application Data\MySpace
2008-05-02 23:24 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
.

------- Sigcheck -------

2003-07-16 17:45 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2007-12-22 17:53 502272 6e8ca4fcb30282f216f5db9dd58a5f81 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f592709f-ff4a-4862-b659-4afabda56312}]
2008-06-04 01:26 1542168 --a------ C:\Program Files\Mininova\tbMini.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-12-13 17:49 1185120]
"{F592709F-FF4A-4862-B659-4AFABDA56312}"= "C:\Program Files\Mininova\tbMini.dll" [2008-06-04 01:26 1542168]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CLASSES_ROOT\clsid\{f592709f-ff4a-4862-b659-4afabda56312}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-12-13 17:49 1185120]
"{F592709F-FF4A-4862-B659-4AFABDA56312}"= C:\Program Files\Mininova\tbMini.dll [2008-06-04 01:26 1542168]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CLASSES_ROOT\clsid\{f592709f-ff4a-4862-b659-4afabda56312}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 21:02 495616]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-11 22:02 289088]
"Nero PhotoShow Media Manager"="C:\PROGRA~1\Nero\PHOTOS~1\data\xtras\mssysmgr.exe" [2007-04-27 19:16 312848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 08:11 771704]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"AS00_WN511B"="C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe" [2007-01-19 11:52 1564790]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-14 20:58 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-06-18 20:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero PhotoShow Media Manager]
--a------ 2007-04-27 19:16 312848 C:\PROGRA~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 {40867A83-9E92-474c-A921-20AA73EAE42F};AIM 3.0 CH-7007;C:\WINDOWS\system32\drivers\A303.sys [2001-09-04 23:58]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\system32\drivers\Vch.sys [2001-09-04 23:58]
R3 ramdisk;Windows RAM Disk Driver;C:\WINDOWS\system32\DRIVERS\ramdisk.sys [2004-08-04 00:00]
S3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\system32\AWINDIS5.SYS [2007-01-18 11:46]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-18 20:09:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-16 21:34:19 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - abc.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-19 08:44:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-19 8:51:15
ComboFix-quarantined-files.txt 2008-06-19 07:50:52

Pre-Run: 10,292,129,792 bytes free
Post-Run: 10,299,162,624 bytes free

263 --- E O F --- 2008-06-11 12:16:28


This is my new HijackThis Log:

Logfile of HijackThis v1.99.1
Scan saved at 13:53:40, on 19/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\DNA\btdna.exe
C:\PROGRA~1\Nero\PHOTOS~1\data\xtras\mssysmgr.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com//
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Mininova Toolbar - {f592709f-ff4a-4862-b659-4afabda56312} - C:\Program Files\Mininova\tbMini.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Mininova Toolbar - {f592709f-ff4a-4862-b659-4afabda56312} - C:\Program Files\Mininova\tbMini.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Mininova Toolbar - {f592709f-ff4a-4862-b659-4afabda56312} - C:\Program Files\Mininova\tbMini.dll
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AS00_WN511B] C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198343091202
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Regards

Ldee247
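Two things in the ComboFix log above deserve a second look from a defender's point of view before any fix script is run: the "Reg Loading Points" section shows Security Center monitoring switched off and the Windows Firewall disabled for the standard profile, and the "Sigcheck" section lists three copies of winlogon.exe with different MD5 hashes. The script below is an added triage example (it is not part of this thread, ComboFix or HijackThis) that parses those two sections and reports the weakened settings and the hash mismatch. The sample excerpts are constructed from values in the posted log; the section layout and the helper names are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed excerpts modelled on the ComboFix log in this thread: the keys,
# values and Sigcheck lines are copied from it, the surrounding layout is assumed.
REG_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"""

SIGCHECK_SAMPLE = r"""
2003-07-16 17:45 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2007-12-22 17:53 502272 6e8ca4fcb30282f216f5db9dd58a5f81 C:\WINDOWS\system32\winlogon.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...\key]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')              # "name"=value
SIG_RE = re.compile(r"^(\S+ \S+)\s+(\d+)\s+([0-9a-fA-F]{32})\s+(.+)$")  # date time size md5 path


def parse_reg_sections(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Map each registry key (lower-cased) to its (name, value) pairs."""
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2).strip()))
    return sections


def find_weakened_security(text: str) -> List[Tuple[str, str]]:
    """Flag keys that silence Security Center or turn the XP firewall off."""
    findings = []
    for key, values in parse_reg_sections(text).items():
        for name, value in values:
            if ("security center\\monitoring" in key
                    and name.lower() == "disablemonitoring"
                    and value.lower().endswith("00000001")):
                findings.append((key, "Security Center monitoring disabled"))
            if ("firewallpolicy" in key
                    and name.lower() == "enablefirewall"
                    and value.startswith("0")):
                findings.append((key, "Windows Firewall disabled for this profile"))
    return findings


def sigcheck_mismatches(text: str) -> List[Tuple[str, str, str]]:
    """Return (file, live_md5, servicepack_md5) where the system32 copy differs
    from the ServicePackFiles copy. A mismatch is a 'verify this file' item, not
    a verdict: a later hotfix also changes the hash."""
    by_name: Dict[str, Dict[str, str]] = {}
    for raw in text.splitlines():
        m = SIG_RE.match(raw.strip())
        if not m:
            continue
        md5, path = m.group(3).lower(), m.group(4).lower()
        by_name.setdefault(path.rsplit("\\", 1)[-1], {})[path] = md5
    mismatches = []
    for name, copies in by_name.items():
        live = [h for p, h in copies.items() if "\\system32\\" in p]
        ref = [h for p, h in copies.items() if "\\servicepackfiles\\" in p]
        if live and ref and live[0] != ref[0]:
            mismatches.append((name, live[0], ref[0]))
    return mismatches


if __name__ == "__main__":
    for key, why in find_weakened_security(REG_SAMPLE):
        print(f"{why}: [{key}]")
    for name, live, ref in sigcheck_mismatches(SIGCHECK_SAMPLE):
        print(f"{name}: system32 copy {live} differs from service pack copy {ref}")
```

Run against the real log, the first function gives a helper a checklist of settings to re-enable after cleanup (Security Center monitoring and the firewall), and the second points out which system binaries to compare with a known-good copy before trusting them; neither replaces the manual review the helpers in this thread do.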

#6 LDTate
    Forum God

  • Root Admin
  • 56,586 posts
  • MVP

Posted 19 June 2008 - 08:11 AM

Did you create these 2 batch files?
C:\345543.bat
C:\818646.bat


I added them to be removed so unless you created them, leave in the fix.

All those .sqm files are created by Windows Live. Not sure why they get created but won't hurt to remove them.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\sqmdata10.sqm
C:\sqmnoopt10.sqm
C:\sqmdata09.sqm
C:\sqmnoopt09.sqm
C:\sqmdata08.sqm
C:\sqmnoopt08.sqm
C:\sqmdata07.sqm
C:\sqmnoopt07.sqm
C:\sqmdata06.sqm
C:\sqmnoopt06.sqm
C:\sqmdata05.sqm
C:\sqmnoopt05.sqm
C:\345543.bat
C:\818646.bat
C:\WINDOWS\system32\muzika.xm

Folder::
C:\Program Files\Bonjour
C:\Program Files\AskTBar

Save this as "CFScript"



Drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.


Also please describe how your computer behaves at the moment.

#7 Ldee247
    Authentic Member

  • Authentic Member
  • PipPip
  • 34 posts

Posted 20 June 2008 - 05:03 AM

Hi

I did not create the batch files you mentioned earlier on. Anyway, I have copied the file into Notepad and dragged it onto ComboFix.exe; below is the log report, which I saved and named log.txt cfscript.txt.
My computer is responding very slowly to commands now, either on the internet or, e.g., when I start Windows XP: after I put in my password it takes about 4-5 minutes before the desktop is loaded, otherwise it is just a blank background screen.

ComboFix 08-06-16.5 - abc 2008-06-20 8:04:02.2 - NTFSx86
Running from: C:\Documents and Settings\abc\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\abc\My Documents\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\345543.bat
C:\818646.bat
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\WINDOWS\system32\muzika.xm
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\345543.bat
C:\818646.bat
C:\Program Files\AskTBar
C:\Program Files\AskTBar\bar\1.bin\A5POPSWT.DLL
C:\Program Files\AskTBar\bar\1.bin\ASKTBAR.DLL
C:\Program Files\AskTBar\bar\Cache\002B38BD
C:\Program Files\AskTBar\bar\Cache\002B408F
C:\Program Files\AskTBar\bar\Cache\002B4FBD.bin
C:\Program Files\AskTBar\bar\Cache\002B5C38.bin
C:\Program Files\AskTBar\bar\Cache\002B6722.bin
C:\Program Files\AskTBar\bar\Cache\002B764F.bin
C:\Program Files\AskTBar\bar\Cache\002B7AF7.bin
C:\Program Files\AskTBar\bar\Cache\002B7EC2.bin
C:\Program Files\AskTBar\bar\Cache\files.ini
C:\Program Files\AskTBar\bar\History\search2
C:\Program Files\AskTBar\bar\Settings\prevcfg2.htm
C:\Program Files\AskTBar\PopSwatr\History\allowed
C:\Program Files\AskTBar\PopSwatr\History\notallow
C:\Program Files\Bonjour
C:\Program Files\Bonjour\About Bonjour.rtf
C:\Program Files\Bonjour\mdnsNSP.dll
C:\Program Files\Bonjour\mDNSResponder.exe
C:\sqmdata05.sqm
C:\sqmdata06.sqm
C:\sqmdata07.sqm
C:\sqmdata08.sqm
C:\sqmdata09.sqm
C:\sqmdata10.sqm
C:\sqmnoopt05.sqm
C:\sqmnoopt06.sqm
C:\sqmnoopt07.sqm
C:\sqmnoopt08.sqm
C:\sqmnoopt09.sqm
C:\sqmnoopt10.sqm
C:\WINDOWS\system32\muzika.xm

.
((((((((((((((((((((((((( Files Created from 2008-05-20 to 2008-06-20 )))))))))))))))))))))))))))))))
.

2008-06-18 21:33 . 2008-06-18 21:33 <DIR> d-------- C:\Documents and Settings\abc\Application Data\Apple Computer
2008-06-18 21:31 . 2008-06-18 21:32 <DIR> d-------- C:\Program Files\iTunes
2008-06-18 21:31 . 2008-06-18 21:31 <DIR> d-------- C:\Program Files\iPod
2008-06-18 21:21 . 2008-06-18 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-18 21:03 . 2008-06-18 21:03 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-18 21:03 . 2008-06-18 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-17 21:05 . 2008-06-17 21:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 21:05 . 2008-06-17 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 21:05 . 2008-06-17 21:05 <DIR> d-------- C:\Documents and Settings\abc\Application Data\Malwarebytes
2008-06-17 21:05 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-17 21:05 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-16 12:53 . 2008-06-16 12:53 <DIR> d-------- C:\Documents and Settings\abc\Application Data\Media Player Classic
2008-06-16 12:50 . 2008-06-16 12:50 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-06-16 12:31 . 2008-06-16 12:31 <DIR> d-------- C:\Program Files\Xvid
2008-06-16 12:31 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-16 12:31 . 2006-11-01 14:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-06-16 12:31 . 2006-11-01 15:26 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-06-14 20:59 . 2008-06-14 20:59 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-06-14 20:58 . 2008-06-14 20:58 <DIR> d-------- C:\Program Files\Real
2008-06-13 14:08 . 2008-06-13 14:08 <DIR> d-------- C:\Program Files\Mininova
2008-06-13 14:08 . 2008-06-13 14:08 <DIR> d-------- C:\Program Files\Conduit
2008-06-11 13:35 . 2008-06-11 15:02 <DIR> d-------- C:\Program Files\Microsoft User Agent String Utility
2008-06-11 13:27 . 2008-06-11 13:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-06-11 13:27 . 2008-06-11 13:28 <DIR> d-------- C:\Documents and Settings\abc\Application Data\MSN6
2008-06-11 12:31 . 2008-06-11 12:31 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-08 12:22 . 2007-01-18 11:46 449,888 --a------ C:\WINDOWS\system32\drivers\wpn511.sys
2008-06-08 12:14 . 2008-06-10 07:57 <DIR> d-------- C:\Program Files\NETGEAR
2008-06-05 19:44 . 2008-06-05 19:44 <DIR> d-------- C:\Program Files\Sun
2008-06-05 19:40 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-05 19:13 . 2008-06-05 19:13 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-02 19:45 . 2008-06-02 19:46 94,208 --a------ C:\WINDOWS\system32\ramdisk.cpl
2008-06-02 19:45 . 2004-08-04 00:00 20,736 --a------ C:\WINDOWS\system32\drivers\ramdisk.sys
2008-06-02 19:45 . 2004-08-04 00:00 20,736 --a--c--- C:\WINDOWS\system32\dllcache\ramdisk.sys
2008-06-01 17:45 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-06-01 17:45 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-06-01 17:45 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-06-01 13:29 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-06-01 13:15 . 2008-06-01 13:15 <DIR> d-------- C:\Documents and Settings\abc\Application Data\Motive
2008-06-01 11:39 . 2008-06-01 12:15 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-01 11:39 . 2008-06-01 12:15 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-01 11:39 . 2008-06-01 12:15 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-01 11:39 . 2008-06-01 12:15 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-01 11:38 . 2008-06-01 17:45 <DIR> d-------- C:\Program Files\Symantec
2008-05-31 11:41 . 2008-06-04 06:34 <DIR> d-------- C:\Program Files\BT Home Hub
2008-05-30 19:17 . 2004-10-25 15:18 131,072 --a------ C:\WINDOWS\system32\ypclsp.dll
2008-05-30 19:17 . 2003-05-19 16:07 86,016 --a------ C:\WINDOWS\system32\YPcservice.exe
2008-05-30 19:13 . 2002-01-05 06:37 344,064 --------- C:\WINDOWS\system32\msvcr70.dll
2008-05-30 19:13 . 2003-03-18 21:05 89,088 --a------ C:\WINDOWS\system32\ATL71.DLL
2008-05-30 19:13 . 2002-01-05 05:18 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2008-05-30 19:13 . 2001-10-11 10:26 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2008-05-30 19:12 . 2008-06-04 06:22 <DIR> d-------- C:\WINDOWS\Motive
2008-05-30 19:08 . 2003-02-28 18:26 404,752 --a------ C:\WINDOWS\system32\javart.dll
2008-05-30 19:08 . 2003-02-28 18:26 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2008-05-30 19:08 . 2003-02-28 18:26 172,304 --a------ C:\WINDOWS\system32\jview.exe
2008-05-30 19:08 . 2003-02-28 18:26 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2008-05-30 19:08 . 2003-02-28 18:26 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2008-05-30 19:08 . 2003-02-28 18:26 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2008-05-30 19:08 . 2003-02-28 18:26 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2008-05-30 11:27 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2008-05-30 11:27 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2008-05-30 08:16 . 2008-06-10 10:22 1,230 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-29 21:20 . 2008-05-29 21:21 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-27 20:06 . 2008-05-27 20:06 0 --a------ C:\OrbPVR.db
2008-05-27 17:45 . 2008-05-27 17:45 <DIR> d-------- C:\SiteAdvisor
2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-05-26 16:27 . 2008-05-27 18:16 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-24 22:04 . 2008-05-24 22:04 1,145,896 --a------ C:\GoogleToolbarInstaller.exe
2008-05-20 20:46 . 2008-05-20 20:48 <DIR> d-------- C:\Program Files\VirtualDJ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-20 07:11 --------- d-----w C:\Documents and Settings\abc\Application Data\DNA
2008-06-20 07:10 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-19 13:23 --------- d-----w C:\Documents and Settings\abc\Application Data\uTorrent
2008-06-19 06:25 --------- d-----w C:\Program Files\Winamp Remote
2008-06-18 20:24 --------- d-----w C:\Program Files\QuickTime
2008-06-18 20:07 --------- d-----w C:\Program Files\Apple Software Update
2008-06-15 12:32 --------- d-----w C:\Documents and Settings\abc\Application Data\LimeWire
2008-06-14 19:59 --------- d-----w C:\Program Files\Common Files\Real
2008-06-14 19:58 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-06-10 07:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-10 07:01 --------- d-----w C:\Program Files\Google
2008-06-07 11:31 --------- d-----w C:\Documents and Settings\abc\Application Data\Winamp
2008-06-05 18:38 --------- d-----w C:\Program Files\Java
2008-06-04 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-04 05:25 --------- d-----w C:\Documents and Settings\abc\Application Data\Yahoo!
2008-06-04 05:23 --------- d-----w C:\Program Files\Yahoo!
2008-06-01 16:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-31 10:07 --------- d-----w C:\Program Files\Ahead
2008-05-30 18:09 155,995 ----a-w C:\WINDOWS\java\Packages\WI5RDR7Z.ZIP
2008-05-30 10:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-30 09:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-30 09:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-16 10:49 --------- d-----w C:\Documents and Settings\abc\Application Data\Nero
2008-05-10 06:50 124,100 ----a-w C:\RealPlayer11GOLD.exe
2008-05-09 18:50 --------- d-----w C:\Program Files\Nokia
2008-05-09 07:30 --------- d-----w C:\Program Files\MySpace
2008-05-08 17:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-05-08 17:28 --------- d-----w C:\Program Files\Common Files\Simple Star Shared
2008-05-08 17:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Simple Star Shared
2008-05-08 17:10 --------- d-----w C:\Program Files\Nero
2008-05-08 17:08 --------- d-----w C:\Documents and Settings\abc\Application Data\Simple Star
2008-05-08 14:32 --------- d-----w C:\Documents and Settings\abc\Application Data\Nokia
2008-05-08 14:32 --------- d-----w C:\Documents and Settings\abc\Application Data\Datalayer
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-06 05:18 --------- d-----w C:\Documents and Settings\abc\Application Data\MySpace
2008-05-02 23:24 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
.

------- Sigcheck -------

2003-07-16 17:45 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2007-12-22 17:53 502272 6e8ca4fcb30282f216f5db9dd58a5f81 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-19_ 8.50.01.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-19 06:10:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-20 07:13:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f592709f-ff4a-4862-b659-4afabda56312}]
2008-06-04 01:26 1542168 --a------ C:\Program Files\Mininova\tbMini.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= "C:\Program Files\Winamp Toolbar\winamptb.dll" [2007-12-13 17:49 1185120]
"{F592709F-FF4A-4862-B659-4AFABDA56312}"= "C:\Program Files\Mininova\tbMini.dll" [2008-06-04 01:26 1542168]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CLASSES_ROOT\clsid\{f592709f-ff4a-4862-b659-4afabda56312}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-12-13 17:49 1185120]
"{F592709F-FF4A-4862-B659-4AFABDA56312}"= C:\Program Files\Mininova\tbMini.dll [2008-06-04 01:26 1542168]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CLASSES_ROOT\clsid\{f592709f-ff4a-4862-b659-4afabda56312}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]
"Orb"="C:\Program Files\Winamp Remote\bin\OrbTray.exe" [2008-01-07 21:02 495616]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-11 22:02 289088]
"Nero PhotoShow Media Manager"="C:\PROGRA~1\Nero\PHOTOS~1\data\xtras\mssysmgr.exe" [2007-04-27 19:16 312848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 08:11 771704]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"AS00_WN511B"="C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe" [2007-01-19 11:52 1564790]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-06-14 20:58 185896]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-06-18 20:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero PhotoShow Media Manager]
--a------ 2007-04-27 19:16 312848 C:\PROGRA~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 {40867A83-9E92-474c-A921-20AA73EAE42F};AIM 3.0 CH-7007;C:\WINDOWS\system32\drivers\A303.sys [2001-09-04 23:58]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\system32\drivers\Vch.sys [2001-09-04 23:58]
R3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\system32\AWINDIS5.SYS [2007-01-18 11:46]
R3 ramdisk;Windows RAM Disk Driver;C:\WINDOWS\system32\DRIVERS\ramdisk.sys [2004-08-04 00:00]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-18 20:09:18 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-16 21:34:19 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - abc.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-20 10:25:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
.
**************************************************************************
.
Completion time: 2008-06-20 10:40:46 - machine was rebooted [abc]
ComboFix-quarantined-files.txt 2008-06-20 09:40:21
ComboFix2.txt 2008-06-19 07:51:17

Pre-Run: 10,219,143,168 bytes free
Post-Run: 10,227,945,472 bytes free

305 --- E O F --- 2008-06-11 12:16:28


The new HijackThis log is below:
Logfile of HijackThis v1.99.1
Scan saved at 12:00:28, on 20/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\Program Files\DNA\btdna.exe
C:\PROGRA~1\Nero\PHOTOS~1\data\xtras\mssysmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com//
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: Mininova Toolbar - {f592709f-ff4a-4862-b659-4afabda56312} - C:\Program Files\Mininova\tbMini.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Mininova Toolbar - {f592709f-ff4a-4862-b659-4afabda56312} - C:\Program Files\Mininova\tbMini.dll
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O3 - Toolbar: Mininova Toolbar - {f592709f-ff4a-4862-b659-4afabda56312} - C:\Program Files\Mininova\tbMini.dll
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AS00_WN511B] C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198343091202
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#8 LDTate

LDTate

    Forum God

  • Root Admin
  • 56,586 posts
  • MVP

Posted 20 June 2008 - 07:00 AM

Let's see if we can remove some unneeded items.
These toolbars aren't bad, but removing them might make a difference in speed.

Open notepad and copy/paste the text in the quotebox below into it:

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f592709f-ff4a-4862-b659-4afabda56312}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"=-
"{F592709F-FF4A-4862-B659-4AFABDA56312}"=-
[-HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[-HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[-HKEY_CLASSES_ROOT\clsid\{f592709f-ff4a-4862-b659-4afabda56312}]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"=-
"{F592709F-FF4A-4862-B659-4AFABDA56312}"=-
[-HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[-HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[-HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]
[-HKEY_CLASSES_ROOT\clsid\{f592709f-ff4a-4862-b659-4afabda56312}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Orb"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"TkBellExe"=-
"QuickTime Task"=-


Save this as CFScript.txt


Posted Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

#9 Ldee247

Ldee247

    Authentic Member

  • Authentic Member
  • PipPip
  • 34 posts

Posted 21 June 2008 - 04:22 AM

I have copied and pasted the file below into the ComboFix, and below are the results:

ComboFix 08-06-16.5 - abc 2008-06-21 10:43:56.3 - NTFSx86
Running from: C:\Documents and Settings\abc\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\abc\Desktop\cfscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-05-21 to 2008-06-21 )))))))))))))))))))))))))))))))
.

2008-06-18 21:33 . 2008-06-18 21:33 <DIR> d-------- C:\Documents and Settings\abc\Application Data\Apple Computer
2008-06-18 21:31 . 2008-06-18 21:32 <DIR> d-------- C:\Program Files\iTunes
2008-06-18 21:31 . 2008-06-18 21:31 <DIR> d-------- C:\Program Files\iPod
2008-06-18 21:21 . 2008-06-18 21:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-06-18 21:03 . 2008-06-18 21:03 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-06-18 21:03 . 2008-06-18 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-06-17 21:05 . 2008-06-17 21:05 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-17 21:05 . 2008-06-17 21:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-17 21:05 . 2008-06-17 21:05 <DIR> d-------- C:\Documents and Settings\abc\Application Data\Malwarebytes
2008-06-17 21:05 . 2008-06-10 19:02 34,296 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-06-17 21:05 . 2008-06-10 19:02 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-06-16 12:53 . 2008-06-16 12:53 <DIR> d-------- C:\Documents and Settings\abc\Application Data\Media Player Classic
2008-06-16 12:50 . 2008-06-16 12:50 <DIR> d-------- C:\Program Files\Combined Community Codec Pack
2008-06-16 12:31 . 2008-06-16 12:31 <DIR> d-------- C:\Program Files\Xvid
2008-06-16 12:31 . 2006-11-01 14:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
2008-06-16 12:31 . 2006-11-01 14:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2008-06-16 12:31 . 2006-11-01 15:26 77,824 --a------ C:\WINDOWS\system32\xvid.ax
2008-06-14 20:59 . 2008-06-14 20:59 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-06-14 20:58 . 2008-06-14 20:58 <DIR> d-------- C:\Program Files\Real
2008-06-13 14:08 . 2008-06-13 14:08 <DIR> d-------- C:\Program Files\Mininova
2008-06-13 14:08 . 2008-06-13 14:08 <DIR> d-------- C:\Program Files\Conduit
2008-06-11 13:35 . 2008-06-11 15:02 <DIR> d-------- C:\Program Files\Microsoft User Agent String Utility
2008-06-11 13:27 . 2008-06-11 13:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MSN6
2008-06-11 13:27 . 2008-06-11 13:28 <DIR> d-------- C:\Documents and Settings\abc\Application Data\MSN6
2008-06-11 12:31 . 2008-06-11 12:31 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-06-08 12:22 . 2007-01-18 11:46 449,888 --a------ C:\WINDOWS\system32\drivers\wpn511.sys
2008-06-08 12:14 . 2008-06-10 07:57 <DIR> d-------- C:\Program Files\NETGEAR
2008-06-05 19:44 . 2008-06-05 19:44 <DIR> d-------- C:\Program Files\Sun
2008-06-05 19:40 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-06-05 19:13 . 2008-06-05 19:13 <DIR> d-------- C:\Program Files\Common Files\Java
2008-06-02 19:45 . 2008-06-02 19:46 94,208 --a------ C:\WINDOWS\system32\ramdisk.cpl
2008-06-02 19:45 . 2004-08-04 00:00 20,736 --a------ C:\WINDOWS\system32\drivers\ramdisk.sys
2008-06-02 19:45 . 2004-08-04 00:00 20,736 --a--c--- C:\WINDOWS\system32\dllcache\ramdisk.sys
2008-06-01 17:45 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-06-01 17:45 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-06-01 17:45 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-06-01 13:29 . 2003-02-28 18:26 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2008-06-01 13:15 . 2008-06-01 13:15 <DIR> d-------- C:\Documents and Settings\abc\Application Data\Motive
2008-06-01 11:39 . 2008-06-01 12:15 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-01 11:39 . 2008-06-01 12:15 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-06-01 11:39 . 2008-06-01 12:15 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-01 11:39 . 2008-06-01 12:15 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-01 11:38 . 2008-06-01 17:45 <DIR> d-------- C:\Program Files\Symantec
2008-05-31 11:41 . 2008-06-04 06:34 <DIR> d-------- C:\Program Files\BT Home Hub
2008-05-30 19:17 . 2004-10-25 15:18 131,072 --a------ C:\WINDOWS\system32\ypclsp.dll
2008-05-30 19:17 . 2003-05-19 16:07 86,016 --a------ C:\WINDOWS\system32\YPcservice.exe
2008-05-30 19:13 . 2002-01-05 06:37 344,064 --------- C:\WINDOWS\system32\msvcr70.dll
2008-05-30 19:13 . 2003-03-18 21:05 89,088 --a------ C:\WINDOWS\system32\ATL71.DLL
2008-05-30 19:13 . 2002-01-05 05:18 84,992 --a------ C:\WINDOWS\system32\ATL70.DLL
2008-05-30 19:13 . 2001-10-11 10:26 65,536 --a------ C:\WINDOWS\system32\YCRWin32.dll
2008-05-30 19:12 . 2008-06-04 06:22 <DIR> d-------- C:\WINDOWS\Motive
2008-05-30 19:08 . 2003-02-28 18:26 404,752 --a------ C:\WINDOWS\system32\javart.dll
2008-05-30 19:08 . 2003-02-28 18:26 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2008-05-30 19:08 . 2003-02-28 18:26 172,304 --a------ C:\WINDOWS\system32\jview.exe
2008-05-30 19:08 . 2003-02-28 18:26 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2008-05-30 19:08 . 2003-02-28 18:26 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2008-05-30 19:08 . 2003-02-28 18:26 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2008-05-30 19:08 . 2003-02-28 18:26 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2008-05-30 11:27 . 2004-08-03 23:08 17,024 --a------ C:\WINDOWS\system32\drivers\usbohci.sys
2008-05-30 11:27 . 2004-08-03 23:08 17,024 --a--c--- C:\WINDOWS\system32\dllcache\usbohci.sys
2008-05-30 08:16 . 2008-06-10 10:22 1,230 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-29 21:20 . 2008-05-29 21:21 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-05-27 20:06 . 2008-05-27 20:06 0 --a------ C:\OrbPVR.db
2008-05-27 17:45 . 2008-05-27 17:45 <DIR> d-------- C:\SiteAdvisor
2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts
2008-05-26 16:27 . 2008-05-27 18:16 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-24 22:04 . 2008-05-24 22:04 1,145,896 --a------ C:\GoogleToolbarInstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-21 09:52 --------- d-----w C:\Documents and Settings\abc\Application Data\DNA
2008-06-21 09:33 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-21 07:08 --------- d-----w C:\Program Files\Apple Software Update
2008-06-20 09:35 --------- d-----w C:\Program Files\Winamp Remote
2008-06-19 13:23 --------- d-----w C:\Documents and Settings\abc\Application Data\uTorrent
2008-06-18 20:24 --------- d-----w C:\Program Files\QuickTime
2008-06-15 12:32 --------- d-----w C:\Documents and Settings\abc\Application Data\LimeWire
2008-06-14 19:59 --------- d-----w C:\Program Files\Common Files\Real
2008-06-14 19:58 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 07:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-10 07:01 --------- d-----w C:\Program Files\Google
2008-06-07 11:31 --------- d-----w C:\Documents and Settings\abc\Application Data\Winamp
2008-06-05 18:38 --------- d-----w C:\Program Files\Java
2008-06-04 05:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2008-06-04 05:25 --------- d-----w C:\Documents and Settings\abc\Application Data\Yahoo!
2008-06-04 05:23 --------- d-----w C:\Program Files\Yahoo!
2008-06-01 16:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-31 10:07 --------- d-----w C:\Program Files\Ahead
2008-05-30 18:09 155,995 ----a-w C:\WINDOWS\java\Packages\WI5RDR7Z.ZIP
2008-05-30 10:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-30 09:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-30 09:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-20 19:48 --------- d-----w C:\Program Files\VirtualDJ
2008-05-16 10:49 --------- d-----w C:\Documents and Settings\abc\Application Data\Nero
2008-05-10 06:50 124,100 ----a-w C:\RealPlayer11GOLD.exe
2008-05-09 18:50 --------- d-----w C:\Program Files\Nokia
2008-05-09 07:30 --------- d-----w C:\Program Files\MySpace
2008-05-08 17:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-05-08 17:28 --------- d-----w C:\Program Files\Common Files\Simple Star Shared
2008-05-08 17:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Simple Star Shared
2008-05-08 17:10 --------- d-----w C:\Program Files\Nero
2008-05-08 17:08 --------- d-----w C:\Documents and Settings\abc\Application Data\Simple Star
2008-05-08 14:32 --------- d-----w C:\Documents and Settings\abc\Application Data\Nokia
2008-05-08 14:32 --------- d-----w C:\Documents and Settings\abc\Application Data\Datalayer
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-05-06 05:18 --------- d-----w C:\Documents and Settings\abc\Application Data\MySpace
2008-05-02 23:24 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
.

------- Sigcheck -------

2003-07-16 17:45 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 01:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2007-12-22 17:53 502272 6e8ca4fcb30282f216f5db9dd58a5f81 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-06-19_ 8.50.01.92 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-19 06:10:40 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-21 06:16:10 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-04-14 11:01:02 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-06-13 13:10:50 272,128 ------w C:\WINDOWS\Driver Cache\i386\bthport.sys
+ 2008-06-21 07:08:30 27,136 ----a-r C:\WINDOWS\Installer\{02DFF6B1-1654-411C-8D7B-FD6052EF016F}\AppleSoftwareUpdateIco.exe
- 2008-04-14 11:01:02 272,128 -c--a-w C:\WINDOWS\system32\dllcache\bthport.sys
+ 2008-06-13 13:10:50 272,128 -c--a-w C:\WINDOWS\system32\dllcache\bthport.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54 5674352]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-11 22:02 289088]
"Nero PhotoShow Media Manager"="C:\PROGRA~1\Nero\PHOTOS~1\data\xtras\mssysmgr.exe" [2007-04-27 19:16 312848]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 08:11 771704]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"AS00_WN511B"="C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe" [2007-01-19 11:52 1564790]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-06-02 11:13 267048]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 01:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nero PhotoShow Media Manager]
--a------ 2007-04-27 19:16 312848 C:\PROGRA~1\Nero\PHOTOS~1\data\Xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\Orb.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbTray.exe"=
"C:\\Program Files\\Winamp Remote\\bin\\OrbStreamerClient.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 {40867A83-9E92-474c-A921-20AA73EAE42F};AIM 3.0 CH-7007;C:\WINDOWS\system32\drivers\A303.sys [2001-09-04 23:58]
R3 {A7E39B01-B403-11d4-BD18-00D0B7A1821E};AIM 3.0 Part 01 Codec Driver VCH-A;C:\WINDOWS\system32\drivers\Vch.sys [2001-09-04 23:58]
R3 AWINDIS5;AWINDIS5 Protocol Driver;C:\WINDOWS\system32\AWINDIS5.SYS [2007-01-18 11:46]
R3 ramdisk;Windows RAM Disk Driver;C:\WINDOWS\system32\DRIVERS\ramdisk.sys [2004-08-04 00:00]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-06-21 07:08:25 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-16 21:34:19 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - abc.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-21 10:51:33
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-21 10:58:33
ComboFix-quarantined-files.txt 2008-06-21 09:57:56
ComboFix2.txt 2008-06-20 09:40:52
ComboFix3.txt 2008-06-19 07:51:17

Pre-Run: 10,143,813,632 bytes free
Post-Run: 10,133,909,504 bytes free

216 --- E O F --- 2008-06-20 22:51:52


The new HijackThis Log is below:

Logfile of HijackThis v1.99.1
Scan saved at 11:08:20, on 21/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Winamp Remote\bin\OrbTray.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\DNA\btdna.exe
C:\PROGRA~1\Nero\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\Winamp Remote\bin\Orb.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com//
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
R3 - URLSearchHook: (no name) - {f592709f-ff4a-4862-b659-4afabda56312} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AS00_WN511B] C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198343091202
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Thanx

#10 LDTate

LDTate

    Forum God

  • Root Admin
  • 56,586 posts
  • MVP

Posted 21 June 2008 - 07:22 AM

Run HijackThis. Hit None of the above, then click Do a System Scan Only. Put a checkmark/tick in the box on the left side of these:

R3 - URLSearchHook: (no name) - {f592709f-ff4a-4862-b659-4afabda56312} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)

Close ALL windows and browsers except HijackThis and click "Fix checked"


Reboot and "copy/paste" a new HijackThis log file into this thread.

Also please describe how your computer behaves at the moment.
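As an added example that is not part of this thread or of HijackThis, the Python script below applies the same triage the helper did by hand on the log above: it flags entries whose target is reported as "(no file)" or "(file missing)", but cross-checks "(file missing)" services against the "Running processes:" section, because this log lists ccSvcHst.exe as running while its Symantec services are reported missing (their ImagePath carries a stray quote plus arguments). The cross-check heuristic and the verdict names are my own; which O16 (DPF) entries to remove is a manual decision the script does not attempt.

```python
"""Triage of HijackThis 1.99.1 log entries (added example, not the tool's code).

Verdicts:
  'ok'      - target present, nothing to do
  'orphan'  - target absent, the kind of entry a helper ticks in 'Fix checked'
  'verify'  - marked missing, but its executable is in the running-process
              list, so it is probably a parsing quirk and needs a manual look
"""
import re

# Excerpt of the 21/06/2008 log posted in the thread; the lines are copied
# from it, the selection (a handful of entries) is constructed for this demo.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Hijackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {f592709f-ff4a-4862-b659-4afabda56312} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: (no name) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - (no file)
O23 - Service: Bonjour Service - Unknown owner - C:\Program Files\Bonjour\mDNSResponder.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
MISSING_MARKERS = ("(no file)", "(file missing)")


def running_processes(log_text):
    """Lower-cased basenames listed under 'Running processes:' (up to the blank line)."""
    names = set()
    active = False
    for line in log_text.splitlines():
        if line.strip() == "Running processes:":
            active = True
            continue
        if active:
            if not line.strip():
                break
            names.add(line.strip().rsplit("\\", 1)[-1].lower())
    return names


def target_basename(body):
    """Basename of the file named at the end of an entry body.

    Strips the missing-file marker, the ' - ' separators before the path, and
    the quote-plus-arguments tail HijackThis 1.99.1 leaves on service entries
    such as '...ccSvcHst.exe" /h ccCommon'.
    """
    path = body
    for marker in MISSING_MARKERS:
        path = path.replace(marker, "")
    path = path.strip().rstrip("-").strip()
    path = path.rsplit(" - ", 1)[-1].strip().strip('"')  # drop name/CLSID part
    path = path.split('"', 1)[0].strip()                   # cut '" /h ...' tail
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Return a list of (section, body, verdict) for every R/O entry in the log."""
    running = running_processes(log_text)
    results = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        if not any(marker in body for marker in MISSING_MARKERS):
            verdict = "ok"
        elif target_basename(body) in running:
            verdict = "verify"   # reported missing, yet the binary is running
        else:
            verdict = "orphan"
        results.append((section, body, verdict))
    return results


def fix_candidates(log_text):
    """The orphan entries, rebuilt as the full log lines a helper would tick."""
    return [f"{s} - {b}" for s, b, v in triage(log_text) if v == "orphan"]


if __name__ == "__main__":
    for section, body, verdict in triage(SAMPLE_LOG):
        print(f"{verdict:7} {section} - {body}")
```

Run against the excerpt, the four orphans it lists are exactly the R3, O3 and Bonjour O23 lines the helper ticked, while the ccEvtMgr service comes back as 'verify' rather than as something to fix.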

#11 Ldee247

Ldee247

    Authentic Member

  • Authentic Member
  • PipPip
  • 34 posts

Posted 23 June 2008 - 01:44 PM

Hi, my PC is still slightly slower when loading up the browser and when I try to close some of the internet pages. Probably it's to do with the virtual memory, maybe it's too low.

Below is the new HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 20:36:57, on 23/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\DNA\btdna.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\PROGRA~1\Nero\PHOTOS~1\data\xtras\mssysmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.msn.com//
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [AS00_WN511B] C:\Program Files\NETGEAR\WN511B\Utility\WN511B.exe -hide
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [Nero PhotoShow Media Manager] C:\PROGRA~1\Nero\PHOTOS~1\data\xtras\mssysmgr.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1198343091202
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h cltCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

#12 LDTate

LDTate

    Forum God

  • Root Admin
  • 56,586 posts
  • MVP

Posted 23 June 2008 - 03:19 PM

Good job :thumbup:

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.


    Here's my usual all clean post

    Log looks good :D


    You need to create a new Clean restore point.

    Note: This will remove all previous Restore Points

    Click Start Menu > Run > copy and paste

    %SystemRoot%\System32\restore\rstrui.exe

    Press OK. Choose Create a Restore Point then click Next. Name it (something you'll remember) and click Create, when the confirmation screen shows the restore point has been created click Close.

    Double-click My Computer.
    Click the Tools menu, and then click Folder Options.
    Click the View tab.
    Check "Hide file extensions for known file types."
    Under the "Hidden files" folder, Uncheck "Show hidden files and folders."
    Check "Hide protected operating system files."
    Click Apply, and then click OK.

    • Make your Internet Explorer more secure - This can be done by following these simple instructions:
      • From within Internet Explorer click on the Tools menu and then click on Options.
      • Click once on the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week
    (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer.
    Without a firewall your computer is susceptible to being hacked and taken over.
    I am very serious about this and see it happen almost every day with my clients.
    Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:
    Note: I no longer suggest Zone Alarm

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly.
    This will ensure your computer always has the latest available security updates installed.
    If there are new updates to install, install them immediately, reboot your computer, and revisit the site
    until there are no more critical updates.

  • MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.
  • Winpatrol

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly.
    Without regular updates you WILL NOT be protected when new malicious programs are released.

Only run one Anti-Virus and Firewall program.

I would also suggest you read this:
So how did I get infected in the first place?
by Tony Klein

#13 LDTate

LDTate

    Forum God

  • Root Admin
  • 56,586 posts
  • MVP

Posted 25 June 2008 - 03:53 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.


