
My computer is running slow


  • This topic is locked
25 replies to this topic

#1 baby_gurlyuk (New Member, Authentic Member, 12 posts)

Posted 07 March 2007 - 02:52 PM

Here is my hijackthis log.

Logfile of HijackThis v1.99.1
Scan saved at 3:49:04 PM, on 3/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Chelsea\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NCULFF - Unknown owner - C:\DOCUME~1\Chelsea\LOCALS~1\Temp\NCULFF.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe




#2 silver (Malware Expert Emeritus, Authentic Member, 2,994 posts)

Posted 08 March 2007 - 02:19 AM

Hi, Welcome to TomCoyote! I'm _silver_ and I'm currently looking over your log. Please hold on while I research a fix for you.
ASAP & UNITE Member

#3 silver (Malware Expert Emeritus, Authentic Member, 2,994 posts)

Posted 08 March 2007 - 04:50 AM

Hi baby_gurlyuk,

First, you need to know that your computer is infected by a backdoor trojan. This program has the ability to steal passwords and other information from your system. If you are using your computer for sensitive purposes such as internet banking then I recommend you take the following steps immediately:
  • Use another, uninfected computer to change all your internet passwords, especially ones with financial implications such as banks, paypal, ebay, etc. You should also change the passwords for any other site you use.
  • Call your bank(s), credit card company or any other institution which may be affected and advise them that your login/password or credit card information may have been stolen and ask what steps to take with regard to your account.
  • Consider what other private information could possibly have been taken from your computer and take appropriate steps.
This infection can almost certainly be cleaned, but as the malware could be configured to run any program a remote attacker requires, it will be impossible to be 100% sure that the machine is clean. If this is unacceptable to you, then you should consider reformatting the system partition and reinstalling Windows, as this is the only 100% sure answer.

I will now continue with instructions for cleaning but if you decide to reformat then please let me know in your next response.

Now press Start->Run, type services.msc into the box and press OK
Find in the list the service named NCULFF and double-click it.
Change the Startup type dropdown to Disabled, press Apply then press the Stop button.
Then press OK and close the Services console.

Next download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
Next please do an online scan with Kaspersky:

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
Now open a web browser and navigate to:
http://virusscan.jotti.org/
Copy/paste this file and path into the white box at the top:
C:\Documents and Settings\Chelsea\Local Settings\Temp\NCULFF.exe
Press Submit - this will submit the file for testing.
The results will be displayed on-screen, please copy and paste the results into your next response.

Once complete, please post the Report.txt, the Kaspersky report and the Jotti results along with a new HijackThis log. Also let me know if you had any problems with the instructions.
ASAP & UNITE Member
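The indicators silver reads off the O23 lines of the first log (a service with "Unknown owner", a binary reported as "(file missing)", a binary living under a Temp folder) can be checked mechanically. The following Python triage script is an added example, not code from this thread or from HijackThis; the log excerpt is constructed from the first post, and the scoring rules are my own heuristic.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the first HijackThis log posted in this thread.
HJT_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\system32\msasvc.exe (file missing)
O23 - Service: NCULFF - Unknown owner - C:\DOCUME~1\Chelsea\LOCALS~1\Temp\NCULFF.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# A path component named Temp; both the long and the 8.3 (LOCALS~1) forms end in \Temp\.
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)


@dataclass
class Finding:
    section: str          # HijackThis section, e.g. "O23"
    name: str             # service display name (with short name) or DLL name
    path: str             # file path exactly as reported
    reasons: list = field(default_factory=list)


def parse_o23(line):
    """Split 'O23 - Service: <name> - <owner> - <path>' into its three fields.

    Returns None for a line that does not follow that shape.
    """
    parts = line.split(" - ")
    if len(parts) < 4 or not parts[1].startswith("Service: "):
        return None
    name = parts[1][len("Service: "):]
    owner = parts[2]
    path = " - ".join(parts[3:])   # a path could itself contain " - "
    return name, owner, path


def triage(log_text):
    """Return findings ordered from most to least suspicious.

    Heuristic only (my own rules, not HijackThis's): each O23 service is scored
    on the indicators that singled out NCULFF and MsaSvc in this thread.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O23 - "):
            parsed = parse_o23(line)
            if parsed is None:
                continue
            name, owner, path = parsed
            reasons = []
            if path.endswith("(file missing)"):
                reasons.append("service binary missing from disk (deleted or hidden)")
            if owner == "Unknown owner":
                reasons.append("no vendor/owner information embedded in the binary")
            if TEMP_DIR.search(path):
                reasons.append("service binary installed under a Temp directory")
            if reasons:
                findings.append(Finding("O23", name, path, reasons))
        elif line.startswith("O20 - AppInit_DLLs:"):
            # Low priority: legitimate security tools use this key too, but it is
            # loaded into every GUI process, so the DLL should be accounted for.
            dll = line.split(":", 1)[1].strip()
            findings.append(Finding("O20", dll, dll,
                ["AppInit_DLLs entry; confirm the DLL belongs to installed software"]))
    findings.sort(key=lambda f: len(f.reasons), reverse=True)
    return findings


if __name__ == "__main__":
    for f in triage(HJT_LOG):
        print(f"[{f.section}] {f.name}: {f.path}")
        for r in f.reasons:
            print(f"    - {r}")
```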

#4 baby_gurlyuk (New Member, Authentic Member, 12 posts)

Posted 08 March 2007 - 12:12 PM

Hi Silver, Thank you so much for your help!! Oh no, I just knew I was infected with something as my computer was running really slowly. I will follow your orders as far as cleaning the computer, as I don't know how to do the other thing you said about. I have just done the first part and put disabled in and clicked apply, however, I couldn't press the Stop button, as it was lit up, but I did press the Ok button, will that be a problem? Should I continue on? Thank you so much!

#5 silver (Malware Expert Emeritus, Authentic Member, 2,994 posts)

Posted 09 March 2007 - 12:45 AM

Hi baby_gurlyuk,

I'm glad you let me know about the problem. First I'll explain a little more about reformatting:

Reformatting basically means backing up your data, then wiping your hard drive and installing Windows again from scratch. This would involve using your Windows CD or the system recovery cds that came with your computer to reinstall the whole operating system.

This infection can be cleaned, and for a lot of people, changing all passwords from another machine and cleaning their computer is fine. There is a small chance that this infection has installed other malware deeply hidden in Windows that we won't find. This isn't very likely but if you are concerned about this risk then I would consider reformatting. It depends mostly on what you use your computer for, here is some further information which I hope will help you understand and make the right choice:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

OK now with regard to the first part of the instructions, try doing this:

Press Start->Run, type services.msc into the box and press OK
Find in the list the service named NCULFF and double-click it.
Change the Startup type dropdown to Disabled, press Apply then press the Stop button.
If you can't press the Stop button because it's greyed out don't worry.
Then press OK and close the Services console.
Now reboot your computer.

Next we will check that the change has 'stuck'
Now repeat the previous steps but this time when you double-click NCULFF check that Disabled is already selected and Service status is Stopped
If so, then we are successful so please continue with the previous instructions by downloading SDFix and so on.
If not, then post back and let me know what happened.

Edited by _silver_, 09 March 2007 - 12:47 AM.

ASAP & UNITE Member

#6 baby_gurlyuk (New Member, Authentic Member, 12 posts)

Posted 10 March 2007 - 06:38 PM

Hi Silver,


Thanks for all of your help! I have finally finished doing all of the things you wanted me to do for this problem. I could not do the virusscan.jotti.org as the following message came up (I even disabled my firewall to make sure that it wasn't stopping the program from doing its job.):

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file


KASPERSKY ONLINE SCANNER REPORT
Friday, March 09, 2007 12:35:03 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/03/2007
Kaspersky Anti-Virus database records: 279761

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 80523
Number of viruses found 5
Number of infected objects 8 / 0
Number of suspicious objects 2
Duration of the scan process 01:11:30

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff.zip/Uninstall.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SpySheriff.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\Chelsea\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Chelsea\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Chelsea\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Chelsea\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Chelsea\Local Settings\Temp\fnm35.tmp Object is locked skipped

C:\Documents and Settings\Chelsea\Local Settings\Temp\fnm36.tmp Object is locked skipped

C:\Documents and Settings\Chelsea\Local Settings\Temp\fnm37.tmp Object is locked skipped

C:\Documents and Settings\Chelsea\Local Settings\Temp\fnm38.tmp Object is locked skipped

C:\Documents and Settings\Chelsea\Local Settings\Temp\~DF12C.tmp Object is locked skipped

C:\Documents and Settings\Chelsea\Local Settings\Temp\~DFAF2.tmp Object is locked skipped

C:\Documents and Settings\Chelsea\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Chelsea\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Chelsea\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\a-squared Free\Quarantine\20ec168eef16af057786d1d5c9372c29.a2q/Program Files/Common Files/Microsoft Shared/DAO/PCD/SVCHOST.EXE Infected: not-a-virus:Monitor.Win32.PCDetective.b skipped

C:\Program Files\a-squared Free\Quarantine\20ec168eef16af057786d1d5c9372c29.a2q ZIP: infected - 1 skipped

C:\Program Files\a-squared Free\Quarantine\c48a67017dc909f475e8554f541a9d47.a2q/Program Files/Common Files/Microsoft Shared/DAO/PCD/SVCHOST.EXE Infected: not-a-virus:Monitor.Win32.PCDetective.b skipped

C:\Program Files\a-squared Free\Quarantine\c48a67017dc909f475e8554f541a9d47.a2q ZIP: infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{B9776B22-0B08-4CAD-800C-B246686E8DDF}\RP773\A0055614.exe Infected: Trojan-Dropper.Win32.VB.lu skipped

C:\System Volume Information\_restore{B9776B22-0B08-4CAD-800C-B246686E8DDF}\RP799\A0059809.exe Infected: not-a-virus:Porn-Dialer.Win32.GBDialer.i skipped

C:\System Volume Information\_restore{B9776B22-0B08-4CAD-800C-B246686E8DDF}\RP822\A0065213.EXE Infected: not-a-virus:Monitor.Win32.PCDetective.b skipped

C:\System Volume Information\_restore{B9776B22-0B08-4CAD-800C-B246686E8DDF}\RP869\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{8BAB9129-499B-42BB-A60D-6B45F2D58367}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\procguard.sys Object is locked skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\pghash.dat Object is locked skipped

C:\WINDOWS\system32\pguard.dat Object is locked skipped

C:\WINDOWS\system32\sinvfct.dll Infected: not-a-virus:Monitor.Win32.SpyAgent.60006 skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 7:31:21 PM, on 3/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\PC Tools Firewall Plus\PCTFW.exe
C:\Documents and Settings\Chelsea\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


SDFix: Version 1.69

Run by Chelsea - Fri 03/09/2007 @ 10:02:30.73

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
MsaSvc
new_drv

Path:
C:\WINDOWS\system32\msasvc.exe
\??\C:\WINDOWS\new_drv.sys

MsaSvc Deleted
new_drv Deleted



Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\Chelsea\\My Documents\\My Music\\LimeWire.exe"="C:\\Documents and Settings\\Chelsea\\My Documents\\My Music\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 6.2"
"C:\\Program Files\\WinMX\\WinMX.exe"="C:\\Program Files\\WinMX\\WinMX.exe:*:Enabled:WinMX Application"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\YPager.exe:*:Enabled:Yahoo! Messenger"
"C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe"="C:\\PROGRA~1\\Yahoo!\\MESSEN~1\\yserver.exe:*:Enabled:Yahoo! FT Server"
"C:\\StubInstaller.exe"="C:\\StubInstaller.exe:*:Enabled:LimeWire swarmed installer"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\GameHouse\\Wheel of Fortune\\Wheel of Fortune.exe"="C:\\Program Files\\GameHouse\\Wheel of Fortune\\Wheel of Fortune.exe:*:Enabled:Wheel of Fortune"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"
"C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG Free\\avgemc.exe:*:Enabled:avgemc.exe"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:MSN Messenger 6.2"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager"
"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe"="C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager"
"C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe"="C:\\Program Files\\Microsoft ActiveSync\\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\WINDOWS\system32\sinvfct.dll
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\Outlook Express\msimn.exe
C:\tpcd.sys
C:\vp.sys
C:\WINDOWS\uccspecb.sys

Add/Remove Programs List:

a-squared Free 2.1
a-squared HiJackFree 2.1
ACDSee Classic
Active Security Monitor 2.0.0.18
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
AVG Free Edition
CCleaner (remove only)
Codec Pack - All In 1 6.0.2.2
DiamondCS ProcessGuard v3.150
DVD Decrypter (Remove Only)
DVDFab Platinum 3.0.5.0
GrabIt 1.6.2 Beta (build 940)
HijackThis 1.99.1
Java 2 Runtime Environment Standard Edition v1.3.1_04
Libronix Digital Library System
Macromedia Shockwave Player
Nero 6 Ultra Edition
NVIDIA Drivers
Panda ActiveScan
PC Tools Firewall Plus 1.0
QuickTime
RealPlayer
RegScrubXP 3.25
Spybot - Search & Destroy 1.4
SpyCatcher Express 2006
SpywareBlaster v3.5.1
SpywareGuard v2.2
Windows Genuine Advantage Validation Tool
WinRAR archiver
Opera 9.12
OEB Resource Driver
J2SE Runtime Environment 5.0 Update 10
FUJIFILM USB Driver
Bible Data Type System Files
Common System Files
Libronix Digital Library System
Libronix DLS Application
Libronix Update
LLS Resource Driver
PDF Resource Driver
PowerDVD
Batch Update
Macromedia Flash Player 8
Microsoft Office Professional Edition 2003
Macromedia Flash Player 8 Plugin
Sentence Diagramming
Adobe Reader 7.0.8
Microsoft ActiveSync 4.0
Libronix DLS Shortcuts
Graphical Query Editor
Clause Visualizer
AusLogics Disk Defrag

Finished

#7 silver (Malware Expert Emeritus, Authentic Member, 2,994 posts)

Posted 11 March 2007 - 05:32 AM

Hi baby_gurlyuk,

The main malware is gone so we're making progress. I've had a look through your scans and there are a couple more baddies in there but we will deal with them shortly.

Your log shows that MSConfig is running at startup. This indicates that you may be using "diagnostic startup" rather than "normal startup" to stop something from running. While this is normally OK, it is possible that you have disabled something that will affect how we fix your malware problem. While disabled, it will not then show up in the HijackThis log.

Go to Start > Run and type Notepad
Copy/paste the following quote box into a new notepad (not wordpad) document. Make sure that wordwrap is unchecked.

regedit /a /e %systemdrive%\regkey.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"
notepad %systemdrive%\regkey.txt
del /q %systemdrive%\regkey.txt

Go to the menu at the top of the Notepad File and Save as
Save it to your Desktop as "mslook.bat" (you MUST include the quotes)
Locate mslook.bat on your Desktop and double-click it. When notepad opens, copy/paste the content in your reply. When you close Notepad the CMD window will close automatically and the text file will be deleted.

Next, we'll check for that elusive NCULFF.exe:

Let's make your hidden/system files and folders visible:
Click Start -> My Computer
Select the Tools menu, click Folder Options and select the View tab
Under the Hidden files and folders heading SELECT Show hidden files and folders
UNCHECK the Hide protected operating system files (recommended) option
Click Yes to confirm and press OK

Now please use Windows Explorer to navigate to
C:\Documents and Settings\Chelsea\Local Settings\Temp\
and look down the list for NCULFF.exe
If you can't see it, that's fine just let me know in your next post.
If it's there, then:
- Rename the file to NCULFF.bak (this is to prevent it being run accidentally)
- Move the file into a new folder on your Desktop called Junk

Next we will try uploading it again to Jotti
- Open a web browser and navigate to:
- http://virusscan.jotti.org/
- Press the Browse... button and find NCULFF.bak in the folder on your Desktop
- Press Open and then Submit - this will submit the file for testing.
- The results will be displayed on-screen, please copy and paste the results into your next response.

There's also one more file I'd like you to upload to Jotti, so please repeat the upload instructions for this file:
C:\WINDOWS\uccspecb.sys

Next, please use Explorer to find and delete the following files:
C:\WINDOWS\system32\sinvfct.dll
C:\tpcd.sys
C:\vp.sys

Next please open a-squared Free, select Quarantine and delete/empty everything there.
There are some major nasties in there we don't want to come back.

And then a further scan:

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free...mitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

IMPORTANT: Do NOT run any other options until you are asked to do so!

If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C: ), and launch from there.

Once complete, please post the MSlook information, the Jotti results, the SmitfraudFix scan report (rapport.txt), and a new HijackThis log. Also let me know if you found our friend NCULFF.exe.
ASAP & UNITE Member

#8 baby_gurlyuk

baby_gurlyuk

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 11 March 2007 - 09:23 AM

Hi Silver,

Thanks once again for all of your help! I could not find NCULFF.exe in Windows Explorer. Strangely enough, I managed to have no problems getting the file C:\Documents and Settings\Chelsea\Local Settings\Temp\ to come up in Windows Explorer, but when you wanted me to do the same thing for C:\WINDOWS\system32\sinvfct.dll, C:\tpcd.sys and C:\vp.sys, it wouldn't come up. What did come up was: "You are attempting to open a file of type 'System File' (.sys). These files are used by the operating system and by various programs. Editing them or modifying them could damage your system. If you still want to open the file, click Open With, otherwise, click Cancel." Then I click Open With and it says that Windows cannot open this file and that Windows needs to know which program created it, so I click on "Use the Web service to find the appropriate program" and then I don't know what to choose. I'm not sure what to do next? I'm so glad you know!!

#9 baby_gurlyuk

baby_gurlyuk

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 11 March 2007 - 09:27 AM

Oops, I forgot to mention that I am still having problems with virusscan.jotti.org, as I still can not scan C:\Documents and Settings\Chelsea\Local Settings\Temp\. I am still getting the same message as before, which is: "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file."

Kind regards

#10 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 12 March 2007 - 02:19 AM

Hi baby_gurlyuk,

Hey we're glad to help! So it sounds like we didn't get any further than the Jotti uploads, so we'll try tackling it a different way.

First we will have a look at your MSConfig and sort out all those bad files together with this:

Go to Start > Run and type Notepad
Copy/paste the following quote box into a new notepad (not wordpad) document. Before starting select Format from the top menu and make sure Word Wrap is NOT checked.

mkdir C:\Junk
regedit /a /e "C:\Documents and Settings\Chelsea\Desktop\regkey.txt" "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig"
move "C:\Documents and Settings\Chelsea\Local Settings\Temp\NCULFF.exe" C:\Junk
ren C:\Junk\NCULFF.exe NCULFF.bak
attrib -r -s -h C:\WINDOWS\uccspecb.sys
move C:\WINDOWS\uccspecb.sys C:\Junk
attrib -r -s -h C:\WINDOWS\system32\sinvfct.dll
del C:\WINDOWS\system32\sinvfct.dll
attrib -r -s -h C:\tpcd.sys
del C:\tpcd.sys
attrib -r -s -h C:\vp.sys
del C:\vp.sys
dir C:\Junk > C:\Documents and Settings\Chelsea\Desktop\junk.txt

Go to the menu at the top of the Notepad File and Save as
Save it to your Desktop as "fix.bat" (you MUST include the quotes)
Locate fix.bat on your Desktop and double-click it. Two text files should appear on your Desktop, regkey.txt and junk.txt, post the contents of these files in your next response.

Next we will continue with some instructions from my last post:

Next please open a-squared Free, select Quarantine and delete/empty everything there.
There are some major nasties in there we don't want to come back.

And then a further scan:

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free...mitfraudFix.exe

Double-click SmitfraudFix.exe
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed.

IMPORTANT: Do NOT run any other options until you are asked to do so!

If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C: ), and launch from there.

Once complete, please post the notepad files regkey.txt and junk.txt, the SmitfraudFix scan report (rapport.txt), and a new HijackThis log - and of course let me know if everything went OK.
ASAP & UNITE Member
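A worked version of the quarantine steps in the post above (create a Junk folder, strip the read-only/hidden/system attributes, move the file, rename it so it cannot be run by accident, list the folder), added here as an example; it is not part of silver's post or of any tool used in the thread. It is written in Python rather than as a .bat so that paths containing spaces need no cmd.exe quoting: the `dir C:\Junk > C:\Documents and Settings\Chelsea\Desktop\junk.txt` line in fix.bat has an unquoted redirect target, so cmd.exe writes the listing to C:\Documents and no junk.txt appears on the Desktop. The script also records each sample's size and MD5/SHA-256 before it is moved, so the "0 bytes" condition Jotti rejected can be spotted locally instead of on the upload form. The file names and contents in `demo()` are constructed for the example (no real malware is involved), and the `SetFileAttributesW` call is only used on Windows.

```python
"""Quarantine a suspect file the way fix.bat does (clear attributes, move it
into a Junk folder, rename it .bak, list the folder), but from Python, so
paths with spaces need no cmd.exe quoting, and recording size and hashes
before anybody tries to upload the sample."""
import ctypes
import hashlib
import shutil
import sys
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

FILE_ATTRIBUTE_NORMAL = 0x80  # Win32: clears READONLY, HIDDEN and SYSTEM


def clear_attributes(path: Path) -> None:
    """Equivalent of `attrib -r -s -h`; off Windows, just make it writable."""
    if sys.platform == "win32":
        ctypes.windll.kernel32.SetFileAttributesW(str(path), FILE_ATTRIBUTE_NORMAL)
    else:
        path.chmod(path.stat().st_mode | 0o600)


def hash_file(path: Path) -> Dict[str, str]:
    """MD5 (what Jotti prints) and SHA-256 of the file, read in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def quarantine(sample: Path, junk_dir: Path) -> Optional[Dict[str, object]]:
    """Move `sample` into `junk_dir` as <name>.bak and return a record of it,
    or None when the file is not there (the "let me know" case in the post)."""
    if not sample.exists():
        return None
    junk_dir.mkdir(parents=True, exist_ok=True)
    clear_attributes(sample)
    size = sample.stat().st_size
    record: Dict[str, object] = {"original": str(sample), "size": size}
    # A listed file whose content reads back as 0 bytes is what Jotti refused
    # above; record that instead of uploading an empty body.
    record["readable"] = size > 0
    record.update(hash_file(sample))
    # Keep the original extension and append .bak, so the file type is still
    # visible but a double-click will not execute it.
    dest = junk_dir / (sample.name + ".bak")
    shutil.move(str(sample), str(dest))
    record["quarantined"] = str(dest)
    return record


def write_listing(junk_dir: Path, listing: Path) -> List[str]:
    """The `dir C:\\Junk > junk.txt` step, without a shell redirect."""
    names = sorted(p.name for p in junk_dir.iterdir())
    listing.write_text("\n".join(names) + "\n")
    return names


def demo() -> Dict[str, object]:
    """Constructed scenario (no real malware): a Temp folder whose path has
    spaces, holding a readable sample and a zero-byte one; a third name that
    does not exist shows the 'not found' result."""
    root = Path(tempfile.mkdtemp())
    temp = root / "Documents and Settings" / "Chelsea" / "Local Settings" / "Temp"
    temp.mkdir(parents=True)
    (temp / "NCULFF.exe").write_bytes(b"abc")   # constructed content, not the real file
    (temp / "uccspecb.sys").write_bytes(b"")    # constructed: reads back as 0 bytes
    junk = root / "Junk"
    records = {name: quarantine(temp / name, junk)
               for name in ("NCULFF.exe", "uccspecb.sys", "missing.dll")}
    listing = write_listing(junk, root / "junk.txt")
    shutil.rmtree(root)
    return {"records": records, "listing": listing}


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

Running the script prints the three records: the readable sample with its hashes, the zero-byte one flagged `readable: False`, and `None` for the name that was not found, followed by the Junk listing that fix.bat was meant to write.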



#11 baby_gurlyuk

baby_gurlyuk

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 12 March 2007 - 09:33 AM

Hi Silver,

I have everything that you wanted except the junk.txt, as that did not appear on the Desktop like the regkey.txt did. However, I did notice under Local Disk (C:) a folder called Junk appeared, and this is what was in it: uccspecb.sys. I hope this helps a little bit, at least. Thanks!


Logfile of HijackThis v1.99.1
Scan saved at 11:18:37 AM, on 3/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Chelsea\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
"system.ini"=dword:00000000
"win.ini"=dword:00000000
"bootini"=dword:00000002
"services"=dword:00000000
"startup"=dword:00000000


SmitFraudFix v2.148

Scan done at 11:14:25.39, Mon 03/12/2007
Run from C:\Documents and Settings\Chelsea\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Chelsea


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Chelsea\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Chelsea\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="interceptor.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

#12 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 13 March 2007 - 02:29 AM

Hello baby_gurlyuk,

Those logs look good so we're getting there. :)

First, I'd like you to try Jotti once more, I know you haven't had much success with this but please bear with me:
- Open a web browser and navigate to:
- http://virusscan.jotti.org/
- Press the Browse... button and navigate to C:\Junk and select uccspecb.sys
- Press Open and then Submit - this will submit the file for testing.
- The results will be displayed on-screen, please copy and paste the results into your next response.

Next, open Notepad again:
Go to Start > Run and type Notepad
Copy/paste the following quote box into a new notepad (not wordpad) document. Before starting select Format from the top menu and make sure Word Wrap is NOT checked.

type C:\boot.ini > "C:\Documents and Settings\Chelsea\Desktop\boot.txt"

Go to the menu at the top of the Notepad File and Save as
Save it to your Desktop as "showme.bat" (you MUST include the quotes)
Locate showme.bat on your Desktop and double-click it. Another text file should appear on your Desktop called boot.txt; post the contents of this file in your next response.

Next, open HijackThis and choose Open the Misc Tools section
(If you have bypassed the welcome screen then just press Config and then Misc Tools)
Then press the Delete an NT service button.
Type NCULFF into the white box, press OK and Yes/OK to any prompts.

Next click Start->Run and type cleanmgr in the box and press OK
Ensure the boxes for Temporary Files and Temporary Internet Files are checked, and please uncheck all the other boxes.
Press OK and Yes to confirm

Then please run an online scan with Panda Activescan:
Open this page in Internet Explorer:
http://www.pandasoft.../activescan.htm

Once you are on the Panda site click the Scan your PC button.
A new window will open...click the Check Now button.
Enter your Country, State/Province, enter an e-mail address and click Send.
Select either Home User or Company.
Click the big Scan Now button.
If it wants to install an ActiveX component allow it.
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on My Computer to start the scan.
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Once complete, please post the Jotti results, the contents of boot.txt, the Panda Activescan report and a new HijackThis log.
ASAP & UNITE Member

#13 baby_gurlyuk

baby_gurlyuk

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 13 March 2007 - 10:28 AM

Hello Silver,

Here are the requested logs. I hope everything is getting better with the computer? Much thanks.

Logfile of HijackThis v1.99.1
Scan saved at 12:20:08 PM, on 3/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\ProcessGuard\dcsuserprot.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Chelsea\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: DiamondCS Process Guard Service v3.000 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect


Incident                                        Status            Location

Adware:adware program                           Not disinfected   c:\windows\ss3unstl.exe
Dialer:dialer.ok                                Not disinfected   HKEY_CURRENT_USER\CLSID\{35F59C80-C1F2-4EEA-9981-686C7D5A9277}
Potentially unwanted tool:Application/Processor Not disinfected   C:\Documents and Settings\Chelsea\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected   C:\SDFix\apps\Process.exe
Virus:Trj/Sinowal.EV                            Disinfected       C:\SDFix\backups\backups.zip[backups/ibm00001.dll]
Potentially unwanted tool:Application/Processor Not disinfected   C:\WINDOWS\system32\Process.exe

Jotti's malware scan 2.99-TRANSITION_TO_3.00-R1
File to upload & scan:
Service
Service load: 0% 100%

File: uccspecb.sys
Status: OK(Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 b15e178351636937341b49215e147ab9
Packers detected: -

Scanner results
Scan taken on 13 Mar 2007 14:39:24 (GMT)
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
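The HijackThis logs in this thread are read by eye. The script below is an added example, not anything posted in the thread or shipped with HijackThis: it automates the first pass a helper makes over a 1.99-format log by parsing the `Oxx - ` entry lines and flagging DLL injection through AppInit_DLLs (O20), autostarts launched from user-writable folders (O4), unnamed browser helper objects (O2) and services whose image reports no company name (O23). The sample log is constructed from lines of the log above plus two invented NCULFF entries that show what a hit looks like; the heuristics are mine, and a flag means "look this up", not "malicious" (the unnamed BHO here is Spybot's SDHelper.dll, for instance).

```python
"""Triage a HijackThis 1.99 log: pick out the entry kinds a helper checks
first. A finding means "verify this", not "malicious"."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the log above. The two NCULFF lines are
# invented to show what a hit looks like; the other lines are the thread's.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NCULFF] C:\Documents and Settings\Chelsea\Local Settings\Temp\NCULFF.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: NCULFF (NCULFF) - Unknown owner - C:\WINDOWS\uccspecb.sys
"""

ENTRY_RE = re.compile(r"^(R\d|F\d|O\d+) - (.*)$")
# Folders an ordinary user can write to; an autostart launching from one of
# them is worth a look before anything under Program Files or system32.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")


def parse(log: str) -> List[Tuple[str, str]]:
    """Return (section, detail) for every `Oxx - ...` / `Rx - ...` line."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(log: str) -> List[Dict[str, str]]:
    """Flag entries in log order; each finding names the section, the reason
    it was flagged and the item to look up."""
    findings: List[Dict[str, str]] = []
    for section, detail in parse(log):
        low = detail.lower()
        if section == "O20" and low.startswith("appinit_dlls:"):
            # AppInit_DLLs is loaded into every process that maps user32.dll;
            # a bare file name resolves from system32, so identify its owner.
            dll = detail.split(":", 1)[1].strip()
            findings.append({"section": section, "item": dll,
                             "reason": "DLL injected into every GUI process via AppInit_DLLs"})
        elif section == "O4" and any(d in low for d in USER_WRITABLE):
            findings.append({"section": section, "item": detail,
                             "reason": "autostart launched from a user-writable folder"})
        elif section == "O2" and low.startswith("bho: (no name)"):
            findings.append({"section": section, "item": detail,
                             "reason": "browser helper object with no name; identify it by CLSID or path"})
        elif section == "O23":
            # HijackThis prints "Service: <display> (<short>) - <company> - <image>";
            # "Unknown owner" means the image file carries no company name.
            parts = detail.split(" - ")
            company = parts[1].strip() if len(parts) >= 3 else ""
            if company.lower() in ("", "unknown owner"):
                findings.append({"section": section, "item": detail,
                                 "reason": "service whose image reports no company name"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:>4}  {f['reason']}\n      {f['item']}")
```

On the sample it produces four findings: the unnamed Spybot BHO (a false positive to be identified by its CLSID), the invented NCULFF autostart in Local Settings\Temp, interceptor.dll in AppInit_DLLs, and the invented service with no owner. Everything else in the log is left alone.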

#14 silver

silver

    Malware Expert Emeritus

  • Authentic Member
  • PipPipPipPipPip
  • 2,994 posts

Posted 14 March 2007 - 02:08 AM

Hello baby_gurlyuk,

You had some very bad stuff on your computer so we are still finding bits that need cleaning up, and we need a couple of further scans to make sure everything's OK; but we're almost there :)

We have another Notepad job (I think you're pretty good with this now!):
Go to Start > Run and type Notepad
Copy/paste the following quote box into a new notepad (not wordpad) document. Before starting select Format from the top menu and make sure Word Wrap is NOT checked.

@echo off
del c:\Junk
attrib -r -s -h C:\windows\ss3unstl.exe
del C:\windows\ss3unstl.exe
regedit /e c:\registrybackup.reg "HKEY_CURRENT_USER\CLSID"
reg delete "HKEY_CURRENT_USER\CLSID\{35F59C80-C1F2-4EEA-9981-686C7D5A9277}" /f
echo All done!
pause

Go to the menu at the top of the Notepad File and Save as
Save it to your Desktop as "fix.bat" (you MUST include the quotes)

Locate fix.bat on your Desktop and double-click it. A black box should appear and say "All done!" and ask for you to press a key - press a key and the black box will close. If this doesn't occur then please let me know.

Next please do a couple further scans:

Please download F-Secure Blacklight (blbeta.exe):
https://europe.f-sec...light/try.shtml
  • Click I ACCEPT and download the graphical user interface version to your Desktop
  • Double click the file to run it, choose I accept the agreement then press Scan
  • It will create the "fsbl-xxxxxxx.log" on your desktop.
  • The log will have a list of all items found.
  • Do not choose to rename any yet! I want to see the log first because legitimate items can also be present.
  • Exit Blacklight and post the contents of the log in your next reply.
Next please scan with AVG Antispyware:
Download the installer from this page:
http://www.ewido.net/en/download/
  • Save the installer to desktop
  • Double click the installer, select your language, and then select OK
  • Click NEXT->Do or don't read the "User License Agreement"
    Select I Agree->NEXT->INSTALL
  • AVG will now install and afterwards click FINISH
  • Click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes the status bar at the bottom will display "Update successful"
  • Close AVG Anti-Spyware 7.5. Do not run a scan yet.
Reboot your computer into Safe Mode
To boot into Safe Mode, please restart your computer. Tap F8 before Windows loads.
Select Safe Mode at the top, on the screen that appears.
Sign in with your normal user account

Once in safe mode:
  • Then run AVG Anti-Spyware 7.5 and click on the Scanner tab at the top
  • Click the Settings tab and then change the recommended action to Quarantine and ensure that Automatically generate report after every scan is selected and Un-check Only if Threats are found
  • Click back to the Scan tab and then click on Complete System Scan.
  • This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware 7.5 will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action.
  • Click the Apply all actions button. AVG Anti-Spyware 7.5 will display All actions have been applied on the right hand side.
  • Click on Save Report, then Save Report As. This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Once complete, please reboot your computer normally and post the Blacklight log, the AVG log along with another HijackThis log and tell me if everything went OK with the notepad job.
ASAP & UNITE Member

#15 baby_gurlyuk

baby_gurlyuk

    New Member

  • Authentic Member
  • Pip
  • 12 posts

Posted 15 March 2007 - 06:50 AM

Hi Silver,

When I did what you said with "fix.bat", it did not bring up "All done!". What came up was: C:\Junk\*, Are you sure (Y/N)? I don't know if I was meant to try and do any more, but I went on to the F-Secure Blacklight and that wouldn't create the "fsbl-xxxxxxx.log" on my desktop.

Kind regards.
