[Resolved] Infected?


This topic is locked
16 replies to this topic

#1 bluefoot


Posted 21 May 2008 - 02:53 AM

Hi,
I think I have picked up a trojan. I have tried Trojan Remover; it seems to keep it at bay until I restart my computer, and then I have to try and get rid of it again.
Can anyone help me clean my computer properly? Any help would be much appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 09:44:06, on 21/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.client...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {522E0112-EDD9-413D-A99E-C311A54B6676} - C:\WINDOWS\system32\khfETNHA.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: {b6ad8480-d047-ac4a-bd84-1e5ee011cb17} - {71bc110e-e5e1-48db-a4ca-740d0848da6b} - C:\WINDOWS\system32\nyuifcmd.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [7cb4e71e] rundll32.exe "C:\WINDOWS\system32\mkrbkyms.dll",b
O4 - HKLM\..\Run: [BM7f87d482] Rundll32.exe "C:\WINDOWS\system32\hndibvdx.dll",s
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\idmmbc.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://uk.midas.game...l/kingcomie.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: khfETNHA - C:\WINDOWS\SYSTEM32\khfETNHA.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE



#2 peku006


Posted 22 May 2008 - 11:56 AM

Welcome to the What the tech Forums. My name is peku006. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research. Please be patient and I'd be grateful if you would note the following:

1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic. Please stay at one forum for help.
3. Please continue reading posts until I give the All Clear. It is important to note this, as a clean looking HijackThis is not always a sign your system is clean.

Note: As I am still in training, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long.

#3 peku006


Posted 23 May 2008 - 01:43 AM

Hello bluefoot

1 - Old version of HijackThis

First of all, you are using an older version of HijackThis. Please do the following to download and install the latest version of HijackThis v2.0.2:

CLICK HERE to download the HijackThis Installer:
  • Save HJTInstall.exe to your desktop.
  • Double-click on HJTInstall.exe to run the program.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Accept the license agreement by clicking the "I Accept" button.
  • It will create a HijackThis icon on the desktop.
  • Exit HijackThis.

You may uninstall/delete the older version once you have successfully downloaded and installed the latest version of HijackThis v2.0.2.

2 - Download and Run VundoFix
Please download VundoFix.exe by Atribune and save it to your desktop.
  • Double click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Fix Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • A log will be saved here: C:\vundofix.txt

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

If you receive this error - "Run-time error '339': Component 'comdlg32.ocx' or one its dependencies not correctly registered: a file is missing or invalid" , please download this file and save it to your desktop.
  • Right click on Comdlg32.zip and select Extract All....
  • Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  • On the text box above the Browse button, copy and paste in C:\Windows\system32.
  • Click OK.
  • Uncheck (untick) the Show extracted files box and click Finish.
  • Click on Start > Run and copy and paste in the following into the Run box:

    REGSVR32 C:\Windows\system32\comdlg32.ocx
  • Press Enter.
  • You should receive this message - DllRegisterServer in C:\Windows\system32\comdlg32.ocx succeeded.
  • Click OK and restart your computer. Then try running VundoFix again.

3 - Uninstall list

Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here on your next reply.

4 - Status Check
Please reply with
1. the vundofix.txt
2. the uninstall list
3. a fresh HijackThis log

Thanks peku006
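As an added example (not code from this thread, HijackThis or VundoFix), the Python script below parses O2, O4 and O20 lines of the kind in the first log in post #1, flags the traits that mark the Vundo components there (an unnamed or GUID-named BHO and rundll32 autoruns loading random-looking eight-letter DLLs from system32, plus the Winlogon Notify hook pointing at the same file), and reports which of those files are gone from a follow-up log. The sample lines are copied from the two logs posted in this thread; the eight-letter name heuristic is an assumption drawn from those four file names, not a published signature.

```python
"""Triage of HijackThis log lines for the Vundo traits visible in this thread."""
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the two HijackThis logs posted
# in this thread (post #1 before VundoFix ran, post #4 after it).
BEFORE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {522E0112-EDD9-413D-A99E-C311A54B6676} - C:\WINDOWS\system32\khfETNHA.dll
O2 - BHO: {b6ad8480-d047-ac4a-bd84-1e5ee011cb17} - {71bc110e-e5e1-48db-a4ca-740d0848da6b} - C:\WINDOWS\system32\nyuifcmd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [7cb4e71e] rundll32.exe "C:\WINDOWS\system32\mkrbkyms.dll",b
O4 - HKLM\..\Run: [BM7f87d482] Rundll32.exe "C:\WINDOWS\system32\hndibvdx.dll",s
O20 - Winlogon Notify: khfETNHA - C:\WINDOWS\SYSTEM32\khfETNHA.dll
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
"""

DLL_RE = re.compile(r'([A-Za-z]:\\[^",\n]*?\.dll)', re.IGNORECASE)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",\n]+?\.dll)"?,(\w+)', re.IGNORECASE)
GUID_RE = re.compile(r'^\{[0-9a-f-]{36}\}$', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. O2, O4, O20
    rule: str      # why the line was flagged
    dll: str       # lower-cased DLL file name, '' if the line names none
    line: str


def basename(path: str) -> str:
    return path.rsplit('\\', 1)[-1]


def in_system32(path: str) -> bool:
    return '\\system32\\' in path.lower()


def looks_random(stem: str) -> bool:
    """Heuristic only (assumption from this log): the Vundo components here are
    exactly eight letters with a run of three or more consonants (khfETNHA,
    nyuifcmd, mkrbkyms, hndibvdx). Legitimate names such as winlogon are not."""
    return len(stem) == 8 and stem.isalpha() and re.search(r'[^aeiou]{3}', stem.lower()) is not None


def analyse_line(line: str) -> list:
    line = line.strip()
    section = line.split(' ', 1)[0]
    m = DLL_RE.search(line)
    path = m.group(1) if m else ''
    dll = basename(path).lower()
    found = []
    if section == 'O2' and path:
        # The BHO display name sits between "BHO: " and the first " - ".
        name = line.split('BHO: ', 1)[-1].split(' - ', 1)[0]
        if (name == '(no name)' or GUID_RE.match(name)) and in_system32(path):
            found.append(Finding(section, 'unnamed or GUID-named BHO loading from system32', dll, line))
    elif section == 'O4':
        r = RUNDLL_RE.search(line)
        if r and in_system32(r.group(1)) and len(r.group(2)) == 1:
            found.append(Finding(section, 'rundll32 autorun calling a one-letter export', dll, line))
    elif section == 'O20':
        # Winlogon Notify DLLs are loaded into winlogon.exe at logon; always worth a look.
        found.append(Finding(section, 'Winlogon Notify hook (review)', dll, line))
    if path and in_system32(path) and looks_random(dll[:-4]):
        found.append(Finding(section, 'random-looking eight-letter DLL name in system32', dll, line))
    return found


def triage(log_text: str) -> list:
    return [f for line in log_text.splitlines() if line.strip() for f in analyse_line(line)]


def correlate(findings) -> dict:
    """Map each flagged DLL to the sections it appears in: one file registered
    both as a BHO (O2) and as a Winlogon Notify hook (O20) is a strong signal."""
    by_dll = {}
    for f in findings:
        if f.dll:
            by_dll.setdefault(f.dll, set()).add(f.section)
    return {dll: sorted(secs) for dll, secs in by_dll.items()}


def flagged_dlls(log_text: str) -> set:
    return {f.dll for f in triage(log_text) if f.dll}


def removed_after_fix(before: str, after: str) -> list:
    """Flagged DLLs present in the first log and absent from the follow-up log."""
    return sorted(flagged_dlls(before) - flagged_dlls(after))


if __name__ == '__main__':
    for f in triage(BEFORE_LOG):
        print(f'[{f.section}] {f.rule}: {f.dll}')
    print('correlated:', correlate(triage(BEFORE_LOG)))
    print('gone after fix:', removed_after_fix(BEFORE_LOG, AFTER_LOG))
```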

#4 bluefoot


Posted 24 May 2008 - 02:06 PM

Hi peku006,
Firstly, thank you for replying to my post. I am sorry I have not replied sooner, but here are the lists that you asked for.


VundoFix V7.0.5

Scan started at 23:45:51 23/05/2008

Listing files found while scanning....

No infected files were found.


VundoFix V7.0.5

Scan started at 19:54:19 24/05/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

Adobe Flash Player ActiveX
Adobe Reader 7.0
Adobe Shockwave Player
AppCore
Apple Mobile Device Support
Apple Software Update
Athlon 64 Processor Driver
AV
Bonjour
BT Yahoo! Applications
ccCommon
CCleaner (remove only)
ConvertXtoDVD 3.0.0.9c
Creative MediaSource
DC++ 0.705
GearDrvs
Hijackthis 1.99.1
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
ieSpell
Internet Download Manager
iTunes
Java™ 6 Update 5
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Macromedia Flash Player 8
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Nero 7 Ultra Edition
Norton 360
Norton 360
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 Help
Norton Confidential Browser Component
Norton Confidential Web Authentification Component
Norton Confidential Web Protection Component
NVIDIA Drivers
PC Probe II
QuickTime
Scientific-Atlanta WebSTAR 2000 series Cable Modem
Security Update for Excel 2007 (KB946974)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Office 2007 (KB947801)
Security Update for Outlook 2007 (KB946983)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB947864)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Skype™ 3.8
Sound Blaster Audigy
SPBBC 32bit
SpywareBlaster 4.0
SuppSoft
Symantec Technical Support Controls
SymNet
Trojan Remover 6.6.9
TuneUp Utilities 2008
Update for Office 2007 (KB946691)
Update for Outlook 2007 Junk Email Filter (kb950378)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinPatrol 2008
WinRAR archiver

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:00:18, on 24/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.client...arch.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Creative MediaSource Go] "C:\Program Files\Creative\MediaSource\Go\CTCMSGo.exe" /SCB
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://uk.midas.game...l/kingcomie.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11914 bytes

#5 peku006
Authentic Member, 40 posts

Posted 25 May 2008 - 04:00 AM

Hi bluefoot

1- Deckard's System Scanner

Please download Deckard's System Scanner (DSS) and save to your Desktop.

DSS will do the following:

  • Create a new System Restore point in Windows XP and Vista.
  • Clean your Temporary Files, Downloaded Program Files, Internet Cache Files, and empty the Recycle Bin on all drives.
  • Check some important areas of your system and produce a report for an analyst to review.
  • Automatically run HijackThis. It will also install and place a shortcut to HijackThis on your desktop if you do not already have it installed. So if HijackThis is not installed and DSS prompts you to download it, please answer yes.

You must be logged onto an account with administrator privileges when using it.

  • Close all applications and windows.
  • Double-click on dss.exe to run it and follow the prompts.
  • If your anti-virus or firewall complains, please allow this script to run as it is not malicious.
  • When the scan is complete, two text files will open in Notepad:
    • main.txt <- this one will be maximized
    • extra.txt <- this one will be minimized
  • If not, they both can be found in the C:\Deckard\System Scanner folder.
  • Please copy (Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt in your next reply.

-- When running DSS, some firewalls may warn that it is trying to access the Internet, especially if you're asked to download the most current version of HijackThis. Please ensure that you allow it permission to do so.
-- If you get a warning from your anti-virus while DSS is scanning, please allow DSS to continue as the scan is not harmful.


2- Malwarebytes' Anti-Malware

  • Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
    • If you accidently close it, the log file is saved here and will be named like this:
    • C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt

3 - Status Check
Please reply with

1. the Malwarebytes' Anti-Malware Log
2. the Deckard's System Scanner main.txt and extra.txt


Thanks peku006
MRU Master


#6 bluefoot
Authentic Member, 26 posts

Posted 25 May 2008 - 04:06 PM

Hi peku006

Well I tried several times to run DSS but it would almost complete then I would get the message that DSS.exe has encountered a problem and has to shut down. I did not know what else to do so I gave up on that one. :pullhair: But here is the log from Malwarebytes :D

Malwarebytes' Anti-Malware 1.12
Database version: 786

Scan type: Full Scan (C:\|)
Objects scanned: 71618
Time elapsed: 12 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\urqPIXnn.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\khfETNHA.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e138bfe9-c82a-4d48-8f42-ced66d6901d2} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{e138bfe9-c82a-4d48-8f42-ced66d6901d2} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9bbbbc84-e3e8-48a1-95c9-352ebf873346} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63d2c293-f1a1-4139-842d-e843dc29bfe4} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{522e0112-edd9-413d-a99e-c311a54b6676} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{522e0112-edd9-413d-a99e-c311a54b6676} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfetnha (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM7f87d482 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{522e0112-edd9-413d-a99e-c311a54b6676} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\urqpixnn -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\urqpixnn -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\cbXRHyVm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mVyHRXbc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mVyHRXbc.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dhytidoy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yodityhd.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnLebbb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bbbeLnnn.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bbbeLnnn.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\urqPIXnn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\nnXIPqru.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnXIPqru.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wokbsgdo.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\odgsbkow.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP62\A0005683.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iicrwsuj.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\tuvVNEvw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\khfETNHA.dll (Trojan.Vundo) -> Delete on reboot.
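As an added example (not part of this thread, and not Malwarebytes' code), here is a small parser for the Malwarebytes 1.x log format posted above: it separates items already quarantined from those marked "Delete on reboot", and flags registry findings that sit in boot or logon load points, which is what lets an infection reappear after a restart. SAMPLE_LOG is a constructed subset of the lines in the log above; the function names and the PERSISTENCE_HINTS wording are my own.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log into structured findings.
Added example, not the forum's or Malwarebytes' code. SAMPLE_LOG is a constructed
subset of the log posted in the thread, in the same line format.
"""
import re
from collections import Counter

# Detail-section headers of an MBAM 1.x log (each appears on its own line with ':')
SECTIONS = ("Memory Processes Infected", "Memory Modules Infected",
            "Registry Keys Infected", "Registry Values Infected",
            "Registry Data Items Infected", "Folders Infected", "Files Infected")

# One finding per line: "<item> (<family>) -> <action>."; registry data items
# carry an extra "-> Data: <value>" between family and action.
FINDING_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> "
                        r"(?:Data: (?P<data>.+?) -> )?(?P<action>[^.]+)\.$")

# Registry locations that load code at boot or logon; an entry that survives
# until reboot here is why a cleanup can seem to "come back" after restarting.
PERSISTENCE_HINTS = (
    (r"\\CurrentVersion\\Run\\", "Run key: started at every logon"),
    (r"\\Winlogon\\Notify\\", "Winlogon notify package: DLL loaded by winlogon.exe"),
    (r"\\Lsa\\Authentication Packages", "LSA auth package: DLL loaded by lsass.exe"),
    (r"\\Browser Helper Objects\\", "BHO: DLL loaded into Internet Explorer"),
    (r"\\ShellExecuteHooks\\", "ShellExecuteHook: DLL loaded into Explorer"),
)

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.12
Memory Modules Infected: 1
Registry Keys Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\urqPIXnn.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\khfetnha (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM7f87d482 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\urqpixnn -> Delete on reboot.

Files Infected:
C:\WINDOWS\system32\urqPIXnn.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\cookies.ini (Malware.Trace) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return one dict per finding: section, item, family, data, action, pending_reboot."""
    findings, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and line[:-1] in SECTIONS:
            section = line[:-1]          # entering a detail section
            continue
        if section is None or not line or line.startswith("(No malicious"):
            continue                     # header/summary block or an empty section
        match = FINDING_RE.match(line)
        if not match:
            continue
        action = match.group("action")
        findings.append({
            "section": section,
            "item": match.group("item"),
            "family": match.group("family"),
            "data": match.group("data"),
            "action": action,
            # MBAM could not remove it live; removal is scheduled for the next boot
            "pending_reboot": action.lower().startswith("delete on reboot"),
        })
    return findings


def summarize(findings):
    """Counts per malware family plus the items still present until reboot."""
    return {
        "by_family": dict(Counter(f["family"] for f in findings)),
        "pending_reboot": [f["item"] for f in findings if f["pending_reboot"]],
    }


def persistence_points(findings):
    """Registry findings that sit in a boot/logon load point, with a short reason."""
    hits = []
    for f in findings:
        for pattern, why in PERSISTENCE_HINTS:
            if f["section"].startswith("Registry") and re.search(pattern, f["item"], re.I):
                hits.append((f["item"], why))
                break
    return hits
```

Run parse_mbam_log on the saved mbam-log text, then summarize() and persistence_points() on the result; anything listed under pending_reboot is still on disk or in the registry until the machine is restarted.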

#7 peku006
Authentic Member, 40 posts

Posted 26 May 2008 - 12:38 AM

Hi bluefoot
Ok, let's try another utility

1 - Rename HijackThis

There is probably an infection which is hiding part of the HijackThis log because it's called hijackthis.exe.
Please rename hijackthis.exe to bluefoot.exe

Using Windows Explorer, click on Tools > Folder Options > View tab
Scroll down and untick 'Hide extensions for known file types', then click OK
Then, in Windows Explorer, navigate to: C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right-click on HijackThis.exe and select Rename; rename it to bluefoot.exe
After you have renamed HijackThis, right-click on it, create a new shortcut and put it on your desktop

2 - Scan With ComboFix

Please visit this webpage for download links, and instructions for running ComboFix -

http://www.bleepingc...to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says -

The Recovery Console was successfully installed.

Please continue as follows -

  • Close/Disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.

3 - Run HijackThis
Click on the Do a system scan and save a logfile button. It will scan and the log should open in Notepad

4 - Status Check
Please reply with

1. the ComboFix log
2. a fresh HijackThis log

Thanks peku006
MRU Master


#8 bluefoot
Authentic Member, 26 posts

Posted 26 May 2008 - 04:44 AM

Hi
I thought I had carried out the instructions but I don't think I have installed the Recovery Console.

ComboFix 08-05-25.3 - Tom 2008-05-26 11:28:31.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1496 [GMT 1:00]
Running from: C:\Documents and Settings\Tom\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM7f87d482.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bbcMoUvw.ini
C:\WINDOWS\system32\hhiPWyay.ini
C:\WINDOWS\system32\hhiPWyay.ini2
C:\WINDOWS\system32\iihphggt.dll
C:\WINDOWS\system32\jPVyJkkj.ini
C:\WINDOWS\system32\jPVyJkkj.ini2
C:\WINDOWS\system32\jxutgtjg.ini
C:\WINDOWS\system32\lubtqdvs.ini
C:\WINDOWS\system32\mlwlcdph.ini
C:\WINDOWS\system32\nnXIPqru.ini
C:\WINDOWS\system32\nnXIPqru.ini2
C:\WINDOWS\system32\pjpqhtlb.ini
C:\WINDOWS\system32\smykbrkm.ini
C:\WINDOWS\system32\urqPIXnn.dll
C:\WINDOWS\system32\vwxftdjh.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-26 to 2008-05-26 )))))))))))))))))))))))))))))))
.

2008-05-25 22:17 . 2008-05-25 22:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-25 22:17 . 2008-05-25 22:17 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Malwarebytes
2008-05-25 22:17 . 2008-05-25 22:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 22:17 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-25 22:17 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 22:11 . 2008-05-25 22:11 <DIR> d-------- C:\Deckard
2008-05-25 20:28 . 2008-05-25 20:28 136,704 --a------ C:\WINDOWS\system32\gjwvaury.dll
2008-05-25 20:16 . 2008-05-25 22:40 125,440 --------- C:\WINDOWS\system32\iicrwsuj.dll
2008-05-25 20:14 . 2008-05-25 20:14 92,160 --a------ C:\WINDOWS\system32\pqkxhetq.dll
2008-05-24 19:51 . 2008-05-24 19:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-23 23:53 . 2008-05-23 23:53 133,632 --a------ C:\WINDOWS\system32\dtwpcnpg.dll
2008-05-23 23:47 . 2008-05-23 23:47 92,160 --a------ C:\WINDOWS\system32\qhbjxuty.dll
2008-05-23 23:45 . 2008-05-23 23:45 <DIR> d-------- C:\VundoFix Backups
2008-05-23 22:20 . 2008-05-23 22:20 133,632 --a------ C:\WINDOWS\system32\eupnuvio.dll
2008-05-23 05:54 . 2008-05-23 05:54 126,464 --a------ C:\WINDOWS\system32\edqbusuw.dll
2008-05-23 05:52 . 2008-05-23 05:52 92,160 --a------ C:\WINDOWS\system32\jqkcncab.dll
2008-05-21 10:40 . 2008-05-21 10:40 92,160 --a------ C:\WINDOWS\system32\hnpnlbyi.dll
2008-05-21 09:52 . 2008-05-21 09:52 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\ieSpell
2008-05-21 09:51 . 2008-05-21 09:51 <DIR> d-------- C:\Program Files\ieSpell
2008-05-21 09:31 . 2008-05-21 09:31 370,688 --a------ C:\WINDOWS\system32\wvUoMcbb.dll.vir
2008-05-21 09:23 . 2008-05-21 09:23 92,160 --a------ C:\WINDOWS\system32\xnucauxu.dll.vir
2008-05-21 08:14 . 2008-05-21 08:14 370,176 --a------ C:\WINDOWS\system32\jkkJyVPj.dll.vir
2008-05-21 07:57 . 2008-05-21 07:57 371,200 --a------ C:\WINDOWS\system32\yayWPihh.dll.vir
2008-05-21 07:55 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-05-21 07:55 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-05-21 07:55 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-05-21 07:55 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-05-21 07:55 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-05-21 07:54 . 2008-05-21 07:55 <DIR> d-------- C:\Program Files\Trojan Remover
2008-05-21 07:54 . 2008-05-21 07:54 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Simply Super Software
2008-05-21 07:54 . 2008-05-21 07:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-05-21 07:35 . 2008-05-21 07:35 117,248 --a------ C:\WINDOWS\system32\blthqpjp.dll.vir
2008-05-19 08:59 . 2008-05-25 22:40 58,880 --------- C:\WINDOWS\system32\khfETNHA.dll
2008-05-16 15:50 . 2008-05-26 10:42 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\skypePM
2008-05-16 15:50 . 2008-05-16 15:50 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-16 15:44 . 2008-05-16 15:44 <DIR> d-------- C:\Program Files\Skype
2008-05-16 15:44 . 2008-05-16 15:44 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-16 15:44 . 2008-05-26 11:08 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Skype
2008-05-16 15:44 . 2008-05-16 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-10 15:51 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-10 15:51 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-10 15:51 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-08 13:17 . 2008-05-08 13:17 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-05-08 13:15 . 2008-05-08 13:15 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-07 08:42 . 2008-05-19 09:34 <DIR> d-------- C:\Program Files\DC++
2008-05-06 10:14 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-05-06 10:13 . 2008-05-06 10:13 <DIR> d-------- C:\Program Files\MSBuild
2008-05-06 10:13 . 2008-05-06 10:13 <DIR> d-------- C:\Program Files\Microsoft Works
2008-05-06 10:10 . 2008-05-06 10:13 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-06 10:10 . 2008-05-14 12:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-06 10:09 . 2008-05-06 10:09 <DIR> dr-h----- C:\MSOCache
2008-05-06 09:39 . 2008-05-21 08:54 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-06 09:33 . 2008-05-06 09:34 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-05-06 09:33 . 2008-05-06 09:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-05-06 09:02 . 2008-05-06 09:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-05-06 01:04 . 2008-05-11 16:32 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Ahead
2008-05-06 01:02 . 2008-05-06 01:02 <DIR> d-------- C:\Program Files\Nero
2008-05-05 10:32 . 2008-05-05 10:33 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-05 10:02 . 2008-05-05 10:02 <DIR> d-------- C:\WINDOWS\Sun
2008-05-05 10:01 . 2008-05-05 10:01 <DIR> d-------- C:\Program Files\Java
2008-05-05 10:01 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-05 10:00 . 2008-05-05 10:00 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-05 09:56 . 2008-05-05 09:56 <DIR> d-------- C:\Program Files\iTunes
2008-05-05 09:56 . 2008-05-05 09:56 <DIR> d-------- C:\Program Files\iPod
2008-05-05 09:56 . 2008-05-05 09:56 <DIR> d-------- C:\Program Files\Bonjour
2008-05-05 09:56 . 2008-05-05 09:56 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Apple Computer
2008-05-05 09:56 . 2008-05-26 11:32 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-05 09:56 . 2008-05-05 09:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-05 09:55 . 2008-05-05 09:55 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-05 09:55 . 2008-05-05 09:56 <DIR> d-------- C:\Program Files\QuickTime
2008-05-05 09:55 . 2008-05-05 09:55 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-05 09:55 . 2008-05-05 09:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-05 09:55 . 2008-05-05 09:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-05 09:55 . 2008-05-05 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-05 09:29 . 2008-05-05 09:29 425 --a------ C:\WINDOWS\BRWMARK.INI
2008-05-05 09:29 . 2008-05-05 09:29 184 --a------ C:\WINDOWS\system32\brsvc01a.bsi
2008-05-05 09:29 . 2008-05-05 09:29 30 --a------ C:\WINDOWS\system32\brss01a.ini
2008-05-05 09:29 . 2008-05-05 09:29 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-05-05 09:28 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-05-05 09:24 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-05-05 09:24 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-05-05 09:22 . 2008-05-05 09:32 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Creative
2008-05-05 09:22 . 2008-05-05 09:22 584 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-05-05 09:22 . 2008-05-05 09:22 584 --a------ C:\WINDOWS\system32\settings.sfm
2008-05-05 09:20 . 2000-05-22 09:58 647,872 --------- C:\WINDOWS\system32\Mscomct2.ocx
2008-05-05 09:20 . 1999-10-11 02:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
2008-05-05 09:15 . 1999-12-13 02:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2008-05-05 09:15 . 1999-11-18 02:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2008-05-05 09:09 . 2008-05-05 09:09 <DIR> d-------- C:\WINDOWS\system32\Data
2008-05-05 09:09 . 2000-12-13 11:21 7,572,224 --------- C:\WINDOWS\system32\CT8MGM.SF2
2008-05-05 09:09 . 2000-12-05 02:11 4,174,814 --------- C:\WINDOWS\system32\CT4MGM.SF2
2008-05-05 09:09 . 1999-09-22 08:18 2,167,684 -ra------ C:\WINDOWS\system32\ct2mgm.sf2
2008-05-05 09:09 . 2005-06-27 11:37 133,632 -ra------ C:\WINDOWS\system32\CtDvInst.dll
2008-05-05 09:09 . 2000-05-11 01:00 90,112 --------- C:\WINDOWS\Updreg.EXE
2008-05-05 09:09 . 2005-06-15 04:07 11,264 --a------ C:\WINDOWS\INRES.DLL
2008-05-05 09:09 . 2005-07-07 10:26 5,627 -ra------ C:\WINDOWS\system32\Ludap17.ini
2008-05-05 09:09 . 2005-03-08 07:14 39 -ra------ C:\WINDOWS\system32\ctzapxx.ini
2008-05-05 09:07 . 2008-05-05 09:20 <DIR> d-------- C:\Program Files\Creative
2008-05-05 08:29 . 2008-05-05 08:29 <DIR> d-------- C:\Program Files\BT Yahoo! Internet
2008-05-05 08:01 . 2008-05-05 08:01 <DIR> d-------- C:\Program Files\CCleaner
2008-05-05 07:58 . 2008-05-21 09:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-05 07:57 . 2008-05-05 07:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-05 07:57 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-05-05 07:57 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-05-05 07:57 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Program Files\BillP Studios
2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\WinPatrol
2008-05-05 07:34 . 2008-05-05 07:34 354,560 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-05 07:34 . 2008-04-04 14:51 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-05-05 07:33 . 2008-05-15 09:43 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-05-05 07:33 . 2008-05-05 07:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-05 07:33 . 2008-05-05 07:33 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\TuneUp Software
2008-05-05 07:33 . 2008-05-05 07:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-05-05 07:27 . 2008-05-11 11:55 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Vso
2008-05-05 07:27 . 2008-05-05 07:27 87,608 --a------ C:\Documents and Settings\Tom\Application Data\inst.exe
2008-05-05 07:27 . 2008-05-05 07:27 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-05 07:27 . 2008-05-05 07:27 47,360 --a------ C:\Documents and Settings\Tom\Application Data\pcouffin.sys
2008-05-05 07:26 . 2008-05-05 07:26 <DIR> d-------- C:\Program Files\VSO
2008-05-05 07:26 . 2004-05-04 12:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-05-05 07:26 . 2006-05-20 17:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-05-05 07:26 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-05-05 07:26 . 2006-09-29 13:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-05-05 07:26 . 2006-09-29 13:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-05-05 07:26 . 2006-09-29 13:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-05-05 07:26 . 2007-03-18 21:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 07:56 155,995 ----a-w C:\WINDOWS\java\Packages\LZHZVLJ3.ZIP
2008-05-03 17:31 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-05-05 07:21 878848]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 16:14 147456]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-30 17:17 22058792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-18 02:54 116072]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-10-10 14:49 7286784]
"nwiz"="nwiz.exe" [2005-10-10 14:49 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-10-10 14:49 86016]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-25 18:31 333120]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10 57344]
"P17Helper"="P17.dll" [2005-05-03 12:38 64512 C:\WINDOWS\system32\P17.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-05-18 14:19 877136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 13:00]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 20:15]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-05 07:34]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 16:25:33 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-05-24 20:47:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 11:31:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\brss01a.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-05-26 11:35:34 - machine was rebooted [Tom]
ComboFix-quarantined-files.txt 2008-05-26 10:35:29

Pre-Run: 188,700,000,256 bytes free
Post-Run: 188,634,382,336 bytes free

257 --- E O F --- 2008-05-17 11:01:29


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:41:27, on 26/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Trend Micro\HijackThis\bluefoot.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://uk.midas.game...l/kingcomie.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11920 bytes

#9 peku006 (Authentic Member, 40 posts)

Posted 26 May 2008 - 10:20 AM

Hi bluefoot

"I don't think I have installed the recovery console."

No, but don't worry, let's try another trick.

RECOVERY CONSOLE

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, including all anti-virus and anti-malware programs, so they do not interfere with the running of ComboFix.

  • Drag the setup package onto ComboFix.exe and drop it.
  • Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.
  • At the next prompt, click 'Yes' to run the full ComboFix scan.
  • When the tool is finished, it will produce a report for you.
Please post the C:\ComboFix.txt along with a new HijackThis log for further review.
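One way to confirm that the Recovery Console step actually took, as an added example that is not part of this thread or of ComboFix itself: the report ComboFix writes afterwards echoes the machine's boot.ini, and the entry that boots C:\CMDCONS\BOOTSECT.DAT with the /cmdcons switch is what shows the console is installed. The script below pulls that block out of a report (the sample report text is constructed here, in the same shape ComboFix prints) and checks for that entry.

```python
"""Check a ComboFix report for the Recovery Console boot entry.

Added example, not part of ComboFix or the thread: parses the boot.ini
block that ComboFix echoes at the end of its report and confirms that an
'[operating systems]' entry booting CMDCONS\BOOTSECT.DAT with /cmdcons
is present.
"""
import re
from typing import Dict, List, Optional

# Constructed sample: the tail of a ComboFix report, with the boot.ini block
# in the same shape as the one posted in this thread.
SAMPLE_REPORT = """\
Pre-Run: 188,564,127,744 bytes free
Post-Run: 188,569,391,104 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
C:\\CMDCONS\\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

237 --- E O F --- 2008-05-17 11:01:29
"""

# boot.ini OS entry: <arc path or file>="<menu name>" [switches...]
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<name>[^"]*)"(?P<switches>.*)$')


def extract_boot_ini(report: str) -> Dict[str, List[str]]:
    """Return the boot.ini sections embedded in a ComboFix report.

    Maps section name (lower-cased) to its raw lines. Parsing starts at
    '[boot loader]' and stops at the first blank line after it, which is
    where ComboFix ends the echoed file.
    """
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    started = False
    for line in report.splitlines():
        line = line.rstrip()
        if not started:
            if line.lower() != "[boot loader]":
                continue
            started = True
        if line == "":
            break
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_os_entries(sections: Dict[str, List[str]]) -> List[dict]:
    """Turn '[operating systems]' lines into path/name/switches records."""
    entries = []
    for line in sections.get("operating systems", []):
        m = ENTRY_RE.match(line)
        if not m:
            continue  # not a boot entry; ignore rather than guess
        entries.append({
            "path": m.group("path").strip(),
            "name": m.group("name"),
            "switches": m.group("switches").split(),
        })
    return entries


def recovery_console_installed(report: str) -> bool:
    """True when boot.ini has an entry for CMDCONS\\BOOTSECT.DAT booted with /cmdcons."""
    for e in parse_os_entries(extract_boot_ini(report)):
        switches = [s.lower() for s in e["switches"]]
        if "/cmdcons" in switches and e["path"].upper().endswith("CMDCONS\\BOOTSECT.DAT"):
            return True
    return False


def boot_timeout(report: str) -> Optional[int]:
    """Boot menu timeout in seconds from '[boot loader]', or None if absent."""
    for line in extract_boot_ini(report).get("boot loader", []):
        key, _, value = line.partition("=")
        if key.strip().lower() == "timeout" and value.strip().isdigit():
            return int(value.strip())
    return None


if __name__ == "__main__":
    print("Recovery Console entry present:", recovery_console_installed(SAMPLE_REPORT))
    print("Boot menu timeout (s):", boot_timeout(SAMPLE_REPORT))
```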

#10 bluefoot (Authentic Member, 26 posts)

Posted 27 May 2008 - 01:15 AM

Hi peku006

Thanks for your patience. Here are the logs you asked for.

ComboFix 08-05-25.3 - Tom 2008-05-27 7:58:42.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1483 [GMT 1:00]
Running from: C:\Documents and Settings\Tom\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tom\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Tom\Application Data\inst.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-26 13:54 . 2008-05-26 13:54 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-05-25 22:17 . 2008-05-25 22:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-25 22:17 . 2008-05-25 22:17 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Malwarebytes
2008-05-25 22:17 . 2008-05-25 22:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 22:17 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-25 22:17 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 22:11 . 2008-05-25 22:11 <DIR> d-------- C:\Deckard
2008-05-25 20:28 . 2008-05-25 20:28 136,704 --a------ C:\WINDOWS\system32\gjwvaury.dll
2008-05-25 20:16 . 2008-05-25 22:40 125,440 --------- C:\WINDOWS\system32\iicrwsuj.dll
2008-05-25 20:14 . 2008-05-25 20:14 92,160 --a------ C:\WINDOWS\system32\pqkxhetq.dll
2008-05-24 19:51 . 2008-05-24 19:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-23 23:53 . 2008-05-23 23:53 133,632 --a------ C:\WINDOWS\system32\dtwpcnpg.dll
2008-05-23 23:47 . 2008-05-23 23:47 92,160 --a------ C:\WINDOWS\system32\qhbjxuty.dll
2008-05-23 23:45 . 2008-05-23 23:45 <DIR> d-------- C:\VundoFix Backups
2008-05-23 22:20 . 2008-05-23 22:20 133,632 --a------ C:\WINDOWS\system32\eupnuvio.dll
2008-05-23 05:54 . 2008-05-23 05:54 126,464 --a------ C:\WINDOWS\system32\edqbusuw.dll
2008-05-23 05:52 . 2008-05-23 05:52 92,160 --a------ C:\WINDOWS\system32\jqkcncab.dll
2008-05-21 10:40 . 2008-05-21 10:40 92,160 --a------ C:\WINDOWS\system32\hnpnlbyi.dll
2008-05-21 09:52 . 2008-05-21 09:52 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\ieSpell
2008-05-21 09:51 . 2008-05-21 09:51 <DIR> d-------- C:\Program Files\ieSpell
2008-05-21 09:31 . 2008-05-21 09:31 370,688 --a------ C:\WINDOWS\system32\wvUoMcbb.dll.vir
2008-05-21 09:23 . 2008-05-21 09:23 92,160 --a------ C:\WINDOWS\system32\xnucauxu.dll.vir
2008-05-21 08:14 . 2008-05-21 08:14 370,176 --a------ C:\WINDOWS\system32\jkkJyVPj.dll.vir
2008-05-21 07:57 . 2008-05-21 07:57 371,200 --a------ C:\WINDOWS\system32\yayWPihh.dll.vir
2008-05-21 07:55 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-05-21 07:55 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-05-21 07:55 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-05-21 07:55 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-05-21 07:55 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-05-21 07:54 . 2008-05-21 07:55 <DIR> d-------- C:\Program Files\Trojan Remover
2008-05-21 07:54 . 2008-05-21 07:54 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Simply Super Software
2008-05-21 07:54 . 2008-05-21 07:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-05-21 07:35 . 2008-05-21 07:35 117,248 --a------ C:\WINDOWS\system32\blthqpjp.dll.vir
2008-05-19 08:59 . 2008-05-25 22:40 58,880 --------- C:\WINDOWS\system32\khfETNHA.dll
2008-05-16 15:50 . 2008-05-27 07:47 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\skypePM
2008-05-16 15:50 . 2008-05-16 15:50 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-16 15:44 . 2008-05-16 15:44 <DIR> d-------- C:\Program Files\Skype
2008-05-16 15:44 . 2008-05-16 15:44 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-16 15:44 . 2008-05-27 07:55 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Skype
2008-05-16 15:44 . 2008-05-16 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-10 15:51 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-10 15:51 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-10 15:51 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-08 13:17 . 2008-05-08 13:17 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-05-08 13:15 . 2008-05-08 13:15 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-07 08:42 . 2008-05-19 09:34 <DIR> d-------- C:\Program Files\DC++
2008-05-06 10:14 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-05-06 10:13 . 2008-05-06 10:13 <DIR> d-------- C:\Program Files\MSBuild
2008-05-06 10:13 . 2008-05-06 10:13 <DIR> d-------- C:\Program Files\Microsoft Works
2008-05-06 10:10 . 2008-05-06 10:13 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-06 10:10 . 2008-05-14 12:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-06 10:09 . 2008-05-06 10:09 <DIR> dr-h----- C:\MSOCache
2008-05-06 09:39 . 2008-05-21 08:54 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-06 09:33 . 2008-05-06 09:34 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-05-06 09:33 . 2008-05-06 09:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-05-06 09:02 . 2008-05-06 09:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-05-06 01:04 . 2008-05-11 16:32 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Ahead
2008-05-06 01:02 . 2008-05-06 01:02 <DIR> d-------- C:\Program Files\Nero
2008-05-05 10:32 . 2008-05-05 10:33 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-05 10:02 . 2008-05-05 10:02 <DIR> d-------- C:\WINDOWS\Sun
2008-05-05 10:01 . 2008-05-05 10:01 <DIR> d-------- C:\Program Files\Java
2008-05-05 10:01 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-05 10:00 . 2008-05-05 10:00 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-05 09:56 . 2008-05-05 09:56 <DIR> d-------- C:\Program Files\iTunes
2008-05-05 09:56 . 2008-05-05 09:56 <DIR> d-------- C:\Program Files\iPod
2008-05-05 09:56 . 2008-05-05 09:56 <DIR> d-------- C:\Program Files\Bonjour
2008-05-05 09:56 . 2008-05-05 09:56 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Apple Computer
2008-05-05 09:56 . 2008-05-27 07:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-05 09:56 . 2008-05-05 09:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-05 09:55 . 2008-05-05 09:55 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-05 09:55 . 2008-05-05 09:56 <DIR> d-------- C:\Program Files\QuickTime
2008-05-05 09:55 . 2008-05-05 09:55 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-05 09:55 . 2008-05-05 09:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-05 09:55 . 2008-05-05 09:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-05 09:55 . 2008-05-05 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-05 09:29 . 2008-05-05 09:29 425 --a------ C:\WINDOWS\BRWMARK.INI
2008-05-05 09:29 . 2008-05-05 09:29 184 --a------ C:\WINDOWS\system32\brsvc01a.bsi
2008-05-05 09:29 . 2008-05-05 09:29 30 --a------ C:\WINDOWS\system32\brss01a.ini
2008-05-05 09:29 . 2008-05-05 09:29 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-05-05 09:28 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-05-05 09:24 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-05-05 09:24 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-05-05 09:22 . 2008-05-05 09:32 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Creative
2008-05-05 09:22 . 2008-05-05 09:22 584 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-05-05 09:22 . 2008-05-05 09:22 584 --a------ C:\WINDOWS\system32\settings.sfm
2008-05-05 09:20 . 2000-05-22 09:58 647,872 --------- C:\WINDOWS\system32\Mscomct2.ocx
2008-05-05 09:20 . 1999-10-11 02:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
2008-05-05 09:15 . 1999-12-13 02:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2008-05-05 09:15 . 1999-11-18 02:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2008-05-05 09:09 . 2008-05-05 09:09 <DIR> d-------- C:\WINDOWS\system32\Data
2008-05-05 09:09 . 2000-12-13 11:21 7,572,224 --------- C:\WINDOWS\system32\CT8MGM.SF2
2008-05-05 09:09 . 2000-12-05 02:11 4,174,814 --------- C:\WINDOWS\system32\CT4MGM.SF2
2008-05-05 09:09 . 1999-09-22 08:18 2,167,684 -ra------ C:\WINDOWS\system32\ct2mgm.sf2
2008-05-05 09:09 . 2005-06-27 11:37 133,632 -ra------ C:\WINDOWS\system32\CtDvInst.dll
2008-05-05 09:09 . 2000-05-11 01:00 90,112 --------- C:\WINDOWS\Updreg.EXE
2008-05-05 09:09 . 2005-06-15 04:07 11,264 --a------ C:\WINDOWS\INRES.DLL
2008-05-05 09:09 . 2005-07-07 10:26 5,627 -ra------ C:\WINDOWS\system32\Ludap17.ini
2008-05-05 09:09 . 2005-03-08 07:14 39 -ra------ C:\WINDOWS\system32\ctzapxx.ini
2008-05-05 09:07 . 2008-05-05 09:20 <DIR> d-------- C:\Program Files\Creative
2008-05-05 08:29 . 2008-05-05 08:29 <DIR> d-------- C:\Program Files\BT Yahoo! Internet
2008-05-05 08:01 . 2008-05-05 08:01 <DIR> d-------- C:\Program Files\CCleaner
2008-05-05 07:58 . 2008-05-21 09:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-05 07:57 . 2008-05-05 07:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-05 07:57 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-05-05 07:57 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-05-05 07:57 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Program Files\BillP Studios
2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\WinPatrol
2008-05-05 07:34 . 2008-05-05 07:34 354,560 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-05 07:34 . 2008-04-04 14:51 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-05-05 07:33 . 2008-05-15 09:43 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-05-05 07:33 . 2008-05-05 07:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-05 07:33 . 2008-05-05 07:33 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\TuneUp Software
2008-05-05 07:33 . 2008-05-05 07:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-05-05 07:27 . 2008-05-11 11:55 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Vso
2008-05-05 07:27 . 2008-05-05 07:27 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-05 07:27 . 2008-05-05 07:27 47,360 --a------ C:\Documents and Settings\Tom\Application Data\pcouffin.sys
2008-05-05 07:26 . 2008-05-05 07:26 <DIR> d-------- C:\Program Files\VSO
2008-05-05 07:26 . 2004-05-04 12:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-05-05 07:26 . 2006-05-20 17:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-05-05 07:26 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-05-05 07:26 . 2006-09-29 13:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-05-05 07:26 . 2006-09-29 13:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-05-05 07:26 . 2006-09-29 13:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-05-05 07:26 . 2007-03-18 21:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 07:56 155,995 ----a-w C:\WINDOWS\java\Packages\LZHZVLJ3.ZIP
2008-05-03 17:31 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-26_11.35.17.79 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-26 10:30:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-27 06:46:30 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-05-05 07:21 878848]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 16:14 147456]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-30 17:17 22058792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-18 02:54 116072]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-10-10 14:49 7286784]
"nwiz"="nwiz.exe" [2005-10-10 14:49 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-10-10 14:49 86016]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-25 18:31 333120]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10 57344]
"P17Helper"="P17.dll" [2005-05-03 12:38 64512 C:\WINDOWS\system32\P17.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-05-18 14:19 877136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 13:00]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 20:15]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-05 07:34]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 16:25:33 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-05-24 20:47:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 07:59:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-27 8:01:20
ComboFix-quarantined-files.txt 2008-05-27 07:00:59
ComboFix2.txt 2008-05-26 10:35:34

Pre-Run: 188,564,127,744 bytes free
Post-Run: 188,569,391,104 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect /usepmtimer
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

237 --- E O F --- 2008-05-17 11:01:29


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:14:53, on 27/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\bluefoot.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://uk.midas.game...l/kingcomie.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11960 bytes


#11 peku006

peku006

    Authentic Member

  • Authentic Member
  • PipPip
  • 40 posts

Posted 29 May 2008 - 05:40 AM

Hi bluefoot
Looks much better. Is the problem gone?

1 - Run CFScript

Open Notepad and copy/paste the text in the box into the window:

File::
C:\WINDOWS\system32\gjwvaury.dll
C:\WINDOWS\system32\iicrwsuj.dll
C:\WINDOWS\system32\pqkxhetq.dll
C:\WINDOWS\system32\dtwpcnpg.dll
C:\WINDOWS\system32\qhbjxuty.dll
C:\WINDOWS\system32\eupnuvio.dll
C:\WINDOWS\system32\edqbusuw.dll
C:\WINDOWS\system32\jqkcncab.dll
C:\WINDOWS\system32\hnpnlbyi.dll
C:\WINDOWS\system32\wvUoMcbb.dll.vir
C:\WINDOWS\system32\xnucauxu.dll.vir
C:\WINDOWS\system32\jkkJyVPj.dll.vir
C:\WINDOWS\system32\yayWPihh.dll.vir
C:\WINDOWS\system32\blthqpjp.dll.vir
C:\WINDOWS\system32\khfETNHA.dll
C:\WINDOWS\system32\ezsidmv.dat

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

2 - Clean temp files

Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
Double-click ATF Cleaner.exe to open it.

Under Main choose: Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.
3 - Run Kaspersky online scanner
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed.
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans to speed up scan time and to make sure there are no conflicts.
Do not go surfing while your resident protection is disabled!
Once the scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.


Do an online scan with Kaspersky Online Scanner in Internet Explorer. You will be prompted to install and run an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence is accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    + Extended (If available, otherwise use standard)
    o Scan Options:
    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Under select a target to scan, select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)

  • Include the report in your next post.

4 - Update Adobe Reader

Recently there have been vulnerabilities detected in older versions of Adobe Reader. It is strongly suggested that you update to the current version, Adobe Reader 8.
You can download it from http://www.adobe.com.../readstep2.html
If you already have Adobe Photoshop® Album Starter Edition installed or do not wish to have it installed UNcheck the box which says Also Download Adobe Photoshop® Album Starter Edition.

Adobe 8 is a large program and if you prefer a smaller program you can get Foxit 2.0 instead from http://www.foxitsoft...df/rd_intro.php

5 - Status Check
Please reply with


1. the ComboFix log
2. the Kaspersky online scanner report
3. a fresh HijackThis log

Thanks peku006
MRU Master

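As an added example (not code from this thread, from peku006, or from ComboFix's authors): a small Python script that reads the File:: list of a CFScript like the one in the post above and checks it against the "Other Deletions" section of the ComboFix log that the script run produces, so that a helper can confirm each requested file was actually removed instead of scanning the log by eye. The CFScript and log excerpt embedded here are constructed samples that reuse file names from this thread; the `((( title )))` section-header pattern is an assumption based on the ComboFix log format posted later in the thread, and ezsidmv.dat is deliberately left out of the sample deletions to show how a file that survived the script is reported.

```python
"""Cross-check a CFScript 'File::' list against a ComboFix log (added example)."""
import re

# Constructed sample: a CFScript as pasted into Notepad. Only a subset of the
# file names from the post above is listed, to keep the sample short.
CFSCRIPT_TXT = r"""File::
C:\WINDOWS\system32\gjwvaury.dll
C:\WINDOWS\system32\wvUoMcbb.dll.vir
C:\WINDOWS\system32\ezsidmv.dat
"""

# Constructed sample of the relevant part of a ComboFix log. ezsidmv.dat is
# intentionally missing from "Other Deletions" so the failure case is visible.
COMBOFIX_LOG = r"""ComboFix 08-05-25.3 - Tom 2008-05-30 5:49:17.3 - NTFSx86
Command switches used :: C:\Documents and Settings\Tom\Desktop\CFScript.txt

FILE ::
C:\WINDOWS\system32\ezsidmv.dat
C:\WINDOWS\system32\gjwvaury.dll
C:\WINDOWS\system32\wvUoMcbb.dll.vir
.

(((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\gjwvaury.dll
C:\WINDOWS\system32\wvUoMcbb.dll.vir

.
(((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 ))))))))))))))))))))))))
.
"""

# Assumed header shape: a run of '(' , a title, a run of ')' (see the log later in the thread).
SECTION_HEADER = re.compile(r"^\(+\s*(.*?)\s*\)+\s*$")


def parse_cfscript_files(text):
    """Return the paths listed under a CFScript 'File::' directive.

    A directive is a line ending in '::'. The File:: block runs until the next
    directive or the end of the text; blank lines are ignored.
    """
    files = []
    in_file_block = False
    for line in text.splitlines():
        line = line.strip()
        if line.endswith("::"):
            in_file_block = line.lower() == "file::"
            continue
        if in_file_block and line:
            files.append(line)
    return files


def parse_combofix_sections(log):
    """Split a ComboFix log into {section_title: [non-empty lines]}.

    Lines before the first '(((( title ))))' header go under 'preamble'.
    The lone '.' lines ComboFix prints as separators are dropped.
    """
    sections = {"preamble": []}
    current = "preamble"
    for line in log.splitlines():
        stripped = line.strip()
        header = SECTION_HEADER.match(stripped)
        if header:
            current = header.group(1)
            sections[current] = []
            continue
        if stripped and stripped != ".":
            sections[current].append(stripped)
    return sections


def reconcile(cfscript_text, log_text):
    """Report which File:: entries appear under 'Other Deletions' and which do not.

    Windows paths are case-insensitive, so the comparison is done on lower-cased
    strings; the original spelling from the CFScript is kept in the output.
    """
    requested = parse_cfscript_files(cfscript_text)
    sections = parse_combofix_sections(log_text)
    deleted = {p.lower() for p in sections.get("Other Deletions", [])}
    return {
        "deleted": [p for p in requested if p.lower() in deleted],
        "not_deleted": [p for p in requested if p.lower() not in deleted],
    }


if __name__ == "__main__":
    result = reconcile(CFSCRIPT_TXT, COMBOFIX_LOG)
    for path in result["deleted"]:
        print("deleted     ", path)
    for path in result["not_deleted"]:
        print("NOT deleted ", path)
```

Run it with the real CFScript.txt and the saved ComboFix log in place of the two sample strings; anything listed as NOT deleted is a file the helper should look at again (it may have been locked, in use, or already gone when the script ran), which is exactly the kind of detail that is easy to miss when only the long "Files Created" listing is read.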

#12 bluefoot

bluefoot

    Authentic Member

  • Authentic Member
  • PipPip
  • 26 posts

Posted 30 May 2008 - 12:19 AM

Hi peku006

Yes, my computer is behaving much better.
Here are the logs you asked for:

ComboFix 08-05-25.3 - Tom 2008-05-30 5:49:17.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1442 [GMT 1:00]
Running from: C:\Documents and Settings\Tom\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tom\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\blthqpjp.dll.vir
C:\WINDOWS\system32\dtwpcnpg.dll
C:\WINDOWS\system32\edqbusuw.dll
C:\WINDOWS\system32\eupnuvio.dll
C:\WINDOWS\system32\ezsidmv.dat
C:\WINDOWS\system32\gjwvaury.dll
C:\WINDOWS\system32\hnpnlbyi.dll
C:\WINDOWS\system32\iicrwsuj.dll
C:\WINDOWS\system32\jkkJyVPj.dll.vir
C:\WINDOWS\system32\jqkcncab.dll
C:\WINDOWS\system32\khfETNHA.dll
C:\WINDOWS\system32\pqkxhetq.dll
C:\WINDOWS\system32\qhbjxuty.dll
C:\WINDOWS\system32\wvUoMcbb.dll.vir
C:\WINDOWS\system32\xnucauxu.dll.vir
C:\WINDOWS\system32\yayWPihh.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\blthqpjp.dll.vir
C:\WINDOWS\system32\dtwpcnpg.dll
C:\WINDOWS\system32\edqbusuw.dll
C:\WINDOWS\system32\eupnuvio.dll
C:\WINDOWS\system32\ezsidmv.dat
C:\WINDOWS\system32\gjwvaury.dll
C:\WINDOWS\system32\hnpnlbyi.dll
C:\WINDOWS\system32\iicrwsuj.dll
C:\WINDOWS\system32\jkkJyVPj.dll.vir
C:\WINDOWS\system32\jqkcncab.dll
C:\WINDOWS\system32\khfETNHA.dll
C:\WINDOWS\system32\pqkxhetq.dll
C:\WINDOWS\system32\qhbjxuty.dll
C:\WINDOWS\system32\wvUoMcbb.dll.vir
C:\WINDOWS\system32\xnucauxu.dll.vir
C:\WINDOWS\system32\yayWPihh.dll.vir

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-26 13:54 . 2008-05-27 08:35 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-05-25 22:17 . 2008-05-25 22:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-25 22:17 . 2008-05-25 22:17 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Malwarebytes
2008-05-25 22:17 . 2008-05-25 22:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 22:17 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-25 22:17 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 22:11 . 2008-05-25 22:11 <DIR> d-------- C:\Deckard
2008-05-25 21:57 . 2008-05-25 21:57 1,917 --a------ C:\WINDOWS\imsins.BAK
2008-05-24 19:51 . 2008-05-24 19:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-23 23:45 . 2008-05-23 23:45 <DIR> d-------- C:\VundoFix Backups
2008-05-21 09:52 . 2008-05-21 09:52 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\ieSpell
2008-05-21 09:51 . 2008-05-21 09:51 <DIR> d-------- C:\Program Files\ieSpell
2008-05-21 07:55 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-05-21 07:55 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-05-21 07:55 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-05-21 07:55 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-05-21 07:55 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-05-21 07:54 . 2008-05-21 07:55 <DIR> d-------- C:\Program Files\Trojan Remover
2008-05-21 07:54 . 2008-05-21 07:54 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Simply Super Software
2008-05-21 07:54 . 2008-05-21 07:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-05-16 15:50 . 2008-05-30 05:28 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\skypePM
2008-05-16 15:44 . 2008-05-16 15:44 <DIR> d-------- C:\Program Files\Skype
2008-05-16 15:44 . 2008-05-16 15:44 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-16 15:44 . 2008-05-30 05:47 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Skype
2008-05-16 15:44 . 2008-05-16 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-10 15:51 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-10 15:51 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-10 15:51 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-08 13:17 . 2008-05-08 13:17 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-05-08 13:15 . 2008-05-08 13:15 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-07 08:42 . 2008-05-19 09:34 <DIR> d-------- C:\Program Files\DC++
2008-05-06 10:14 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-05-06 10:13 . 2008-05-06 10:13 <DIR> d-------- C:\Program Files\MSBuild
2008-05-06 10:13 . 2008-05-06 10:13 <DIR> d-------- C:\Program Files\Microsoft Works
2008-05-06 10:10 . 2008-05-06 10:13 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-06 10:10 . 2008-05-14 12:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-06 10:09 . 2008-05-06 10:09 <DIR> dr-h----- C:\MSOCache
2008-05-06 09:39 . 2008-05-27 18:53 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-06 09:33 . 2008-05-06 09:34 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-05-06 09:33 . 2008-05-06 09:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-05-06 09:02 . 2008-05-06 09:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-05-06 01:04 . 2008-05-11 16:32 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Ahead
2008-05-06 01:02 . 2008-05-06 01:02 <DIR> d-------- C:\Program Files\Nero
2008-05-05 10:32 . 2008-05-05 10:33 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-05 10:02 . 2008-05-05 10:02 <DIR> d-------- C:\WINDOWS\Sun
2008-05-05 10:01 . 2008-05-05 10:01 <DIR> d-------- C:\Program Files\Java
2008-05-05 10:01 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-05 10:00 . 2008-05-05 10:00 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-05 09:56 . 2008-05-05 09:56 <DIR> d-------- C:\Program Files\iTunes
2008-05-05 09:56 . 2008-05-05 09:56 <DIR> d-------- C:\Program Files\iPod
2008-05-05 09:56 . 2008-05-05 09:56 <DIR> d-------- C:\Program Files\Bonjour
2008-05-05 09:56 . 2008-05-05 09:56 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Apple Computer
2008-05-05 09:56 . 2008-05-30 05:27 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-05 09:56 . 2008-05-05 09:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-05 09:55 . 2008-05-05 09:55 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-05 09:55 . 2008-05-05 09:56 <DIR> d-------- C:\Program Files\QuickTime
2008-05-05 09:55 . 2008-05-05 09:55 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-05 09:55 . 2008-05-05 09:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-05 09:55 . 2008-05-05 09:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-05 09:55 . 2008-05-05 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-05 09:29 . 2008-05-05 09:29 425 --a------ C:\WINDOWS\BRWMARK.INI
2008-05-05 09:29 . 2008-05-05 09:29 184 --a------ C:\WINDOWS\system32\brsvc01a.bsi
2008-05-05 09:29 . 2008-05-05 09:29 30 --a------ C:\WINDOWS\system32\brss01a.ini
2008-05-05 09:29 . 2008-05-05 09:29 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-05-05 09:28 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-05-05 09:24 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-05-05 09:24 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-05-05 09:22 . 2008-05-05 09:32 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Creative
2008-05-05 09:22 . 2008-05-05 09:22 584 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-05-05 09:22 . 2008-05-05 09:22 584 --a------ C:\WINDOWS\system32\settings.sfm
2008-05-05 09:20 . 2000-05-22 09:58 647,872 --------- C:\WINDOWS\system32\Mscomct2.ocx
2008-05-05 09:20 . 1999-10-11 02:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
2008-05-05 09:15 . 1999-12-13 02:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2008-05-05 09:15 . 1999-11-18 02:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2008-05-05 09:09 . 2008-05-05 09:09 <DIR> d-------- C:\WINDOWS\system32\Data
2008-05-05 09:09 . 2000-12-13 11:21 7,572,224 --------- C:\WINDOWS\system32\CT8MGM.SF2
2008-05-05 09:09 . 2000-12-05 02:11 4,174,814 --------- C:\WINDOWS\system32\CT4MGM.SF2
2008-05-05 09:09 . 1999-09-22 08:18 2,167,684 -ra------ C:\WINDOWS\system32\ct2mgm.sf2
2008-05-05 09:09 . 2005-06-27 11:37 133,632 -ra------ C:\WINDOWS\system32\CtDvInst.dll
2008-05-05 09:09 . 2000-05-11 01:00 90,112 --------- C:\WINDOWS\Updreg.EXE
2008-05-05 09:09 . 2005-06-15 04:07 11,264 --a------ C:\WINDOWS\INRES.DLL
2008-05-05 09:09 . 2005-07-07 10:26 5,627 -ra------ C:\WINDOWS\system32\Ludap17.ini
2008-05-05 09:09 . 2005-03-08 07:14 39 -ra------ C:\WINDOWS\system32\ctzapxx.ini
2008-05-05 09:07 . 2008-05-05 09:20 <DIR> d-------- C:\Program Files\Creative
2008-05-05 08:29 . 2008-05-05 08:29 <DIR> d-------- C:\Program Files\BT Yahoo! Internet
2008-05-05 08:01 . 2008-05-05 08:01 <DIR> d-------- C:\Program Files\CCleaner
2008-05-05 07:58 . 2008-05-21 09:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-05 07:57 . 2008-05-05 07:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-05 07:57 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-05-05 07:57 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-05-05 07:57 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Program Files\BillP Studios
2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\WinPatrol
2008-05-05 07:34 . 2008-05-05 07:34 354,560 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-05 07:34 . 2008-04-04 14:51 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-05-05 07:33 . 2008-05-15 09:43 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-05-05 07:33 . 2008-05-05 07:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-05 07:33 . 2008-05-05 07:33 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\TuneUp Software
2008-05-05 07:33 . 2008-05-05 07:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-05-05 07:27 . 2008-05-11 11:55 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Vso
2008-05-05 07:27 . 2008-05-05 07:27 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-05 07:27 . 2008-05-05 07:27 47,360 --a------ C:\Documents and Settings\Tom\Application Data\pcouffin.sys
2008-05-05 07:26 . 2008-05-05 07:26 <DIR> d-------- C:\Program Files\VSO
2008-05-05 07:26 . 2004-05-04 12:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-05-05 07:26 . 2006-05-20 17:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-05-05 07:26 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-05-05 07:26 . 2006-09-29 13:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-05-05 07:26 . 2006-09-29 13:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-05-05 07:26 . 2006-09-29 13:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-05-05 07:26 . 2007-03-18 21:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-05-05 07:20 . 2008-05-26 11:24 67 --a------ C:\WINDOWS\IDMan.INI
2008-05-05 07:08 . 2008-05-11 10:35 <DIR> d-------- C:\Program Files\Internet Download Manager
2008-05-05 07:08 . 2008-05-05 07:20 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\IDM
2008-05-05 07:08 . 2008-05-30 05:48 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\DMCache
2008-05-04 17:50 . 2008-05-05 00:01 0 --a------ C:\WINDOWS\_INS33IS._MP
2008-05-04 17:49 . 2008-05-04 17:49 <DIR> d-------- C:\Program Files\ASUS
2008-05-04 17:49 . 2005-01-28 09:44 24,576 -ra------ C:\WINDOWS\system32\AsIO.dll
2008-05-04 17:49 . 2004-09-07 11:41 5,120 --a------ C:\WINDOWS\system32\drivers\AsInsHelp64.sys
2008-05-04 17:49 . 2004-10-14 10:52 4,962 -ra------ C:\WINDOWS\system32\drivers\AsIO.sys
2008-05-04 17:49 . 2004-03-10 14:31 3,328 --a------ C:\WINDOWS\system32\drivers\AsInsHelp32.sys
2008-05-04 14:08 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-05-04 14:08 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-05-04 14:08 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-05-04 12:53 . 1998-10-29 16:45 306,688 --a------ C:\WINDOWS\IsUninst.exe
2008-05-04 12:53 . 2008-05-04 17:50 382 --a------ C:\WINDOWS\_delis32.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 07:56 155,995 ----a-w C:\WINDOWS\java\Packages\LZHZVLJ3.ZIP
2008-05-03 17:31 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 11:59 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-26_11.35.17.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-26 11:48:44 297,984 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\SP2QFE\msctf.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\updspapi.dll
- 2008-05-26 10:30:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 04:27:01 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2004-08-04 12:00:00 294,400 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
+ 2008-02-26 11:59:50 294,912 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2008-05-05 07:21 878848]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 16:14 147456]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-30 17:17 22058792]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 17:41 223984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-18 02:54 116072]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-10-10 14:49 7286784]
"nwiz"="nwiz.exe" [2005-10-10 14:49 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-10-10 14:49 86016]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-25 18:31 333120]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10 57344]
"P17Helper"="P17.dll" [2005-05-03 12:38 64512 C:\WINDOWS\system32\P17.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-05-18 14:19 877136]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 17:41 223984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 13:00]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 20:15]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-05 07:34]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-16 16:25:33 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-05-24 20:47:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 05:51:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-30 5:53:08
ComboFix-quarantined-files.txt 2008-05-30 04:53:04
ComboFix2.txt 2008-05-27 07:01:20
ComboFix3.txt 2008-05-26 10:35:34

Pre-Run: 188,255,195,136 bytes free
Post-Run: 188,246,863,872 bytes free

275 --- E O F --- 2008-05-28 23:07:39


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, May 30, 2008 7:12:27 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/05/2008
Kaspersky Anti-Virus database records: 814071
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 41563
Number of viruses found: 10
Number of infected objects: 31
Number of suspicious objects: 0
Duration of the scan process: 00:35:27

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\B50E081A.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\D8FB97F7.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tom\Application Data\IDM\DwnlData\Tom\nero_7\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Tom\Application Data\IDM\DwnlData\Tom\nero_7\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe RAR: infected - 1 skipped
C:\Documents and Settings\Tom\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temp\~DF224C.tmp Object is locked skipped
C:\Documents and Settings\Tom\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tom\My Documents\Downloads\Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Tom\My Documents\Downloads\Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe RAR: infected - 1 skipped
C:\Documents and Settings\Tom\My Documents\Downloads\Programs\nero.exe/Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE/Nero-7.7.5.1_all_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Tom\My Documents\Downloads\Programs\nero.exe/Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE/Nero-7.7.5.1_all_trial.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Tom\My Documents\Downloads\Programs\nero.exe RAR: infected - 2 skipped
C:\Documents and Settings\Tom\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tom\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2008-05-30.05-27-14.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAD.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWADMT.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAS.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAS.ldb Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped
C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\blthqpjp.dll.vir.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.syt skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\edqbusuw.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.trd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hnpnlbyi.dll.vir Infected: Trojan.Win32.Obfuscated.auw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jqkcncab.dll.vir Infected: Trojan.Win32.Obfuscated.auw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pqkxhetq.dll.vir Infected: Trojan.Win32.Obfuscated.auw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qhbjxuty.dll.vir Infected: Trojan.Win32.Obfuscated.auw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\xnucauxu.dll.vir.vir Infected: Trojan.Win32.Obfuscated.auw skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP62\A0005634.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.sca skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP62\A0005681.dll Infected: Trojan.Win32.Obfuscated.auw skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP62\A0005682.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.srg skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP62\A0005693.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.syt skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP62\A0005710.dll Infected: Trojan.Win32.Obfuscated.auw skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP63\A0005789.dll Infected: Trojan.Win32.Monder.jn skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP64\A0005797.dll Infected: Trojan.Win32.Monder.jn skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP65\A0005800.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tbv skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP65\A0005803.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.tbv skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP66\A0005850.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trl skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP66\A0005851.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trv skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP68\A0005904.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trl skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP75\A0006596.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.trd skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP75\A0006599.dll Infected: Trojan.Win32.Obfuscated.auw skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP75\A0006601.dll Infected: Trojan.Win32.Obfuscated.auw skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP75\A0006603.dll Infected: Trojan.Win32.Obfuscated.auw skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP75\A0006604.dll Infected: Trojan.Win32.Obfuscated.auw skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP75\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{E4A5E6C3-2FF9-4149-9E44-20061B7EBED7}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\JETCACA.tmp Object is locked skipped
C:\WINDOWS\TEMP\JETCB76.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:19:54, on 30/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\PROGRA~1\Yahoo!\browser\ybrowser.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\bluefoot.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [getPlusUninstall_ocx] rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://uk.midas.game...l/kingcomie.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com...obat/nos/gp.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 12432 bytes

#13 peku006

Posted 30 May 2008 - 09:51 AM

Hello bluefoot
"Yes my computer is behaving much better"
You’ve done a good job so far, bluefoot. :thumbup:

P2P - I see you have P2P software ( DC++ ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, and here.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

If you wish to keep it, please do not use it until your computer is cleaned.

1 - Run CFScript

Open Notepad and copy/paste the text in the box into the window:

File::
C:\WINDOWS\imsins.BAK
C:\Documents and Settings\Tom\Application Data\IDM\DwnlData\Tom\nero_7\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe
C:\Documents and Settings\Tom\My Documents\Downloads\Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe
Folder::
C:\Documents and Settings\Tom\Application Data\IDM\DwnlData\Tom\nero_7\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE
C:\Documents and Settings\Tom\My Documents\Downloads\Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE

Save it to your desktop as CFScript.txt

Referring to the picture above, drag CFScript.txt into ComboFix.exe
[image: CFScript.txt being dragged onto ComboFix.exe]
This will let ComboFix run again.
Restart if you have to.
Save the produced logfile to your desktop.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

2 - Status Check
Please reply with

1. the ComboFix log
2. a fresh HijackThis log

Thanks peku006
MRU Master


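The Kaspersky report posted above lists every hit with the same few line shapes ("… Infected: <name> skipped", "… RAR: infected - N skipped", "… Object is locked skipped"), and the reply above turns a subset of those paths into ComboFix's File:: / Folder:: script. The script below is an added example for this thread, not code from Kaspersky, ComboFix or either poster. It parses report lines of those shapes, separates hits that are already in ComboFix's quarantine (C:\QooBox\Quarantine) or inside System Restore points (C:\System Volume Information\_restore…) from live files, collapses archive members ("archive.exe/member.exe") to the file actually on disk, and drafts the File:: section from the live containers. The sample report lines are constructed from the shapes seen in the thread; the location prefixes and the rule that Folder:: entries are chosen by hand (as the helper did for the Nero release directories) are this example's assumptions.

```python
"""Triage a Kaspersky Online Scanner report and draft a ComboFix CFScript.

Added example for this thread; not code from Kaspersky, ComboFix or the posters.
Assumes the line shapes seen in the report above; other scanner versions may differ.
"""
import re
from collections import Counter

# Constructed sample: a handful of lines in the shapes the report above uses.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Tom\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tom\My Documents\Downloads\Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Tom\My Documents\Downloads\Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe RAR: infected - 1 skipped
C:\Documents and Settings\Tom\My Documents\Downloads\Programs\nero.exe/Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE/Nero-7.7.5.1_all_trial.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Documents and Settings\Tom\My Documents\Downloads\Programs\nero.exe RAR: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hnpnlbyi.dll.vir Infected: Trojan.Win32.Obfuscated.auw skipped
C:\System Volume Information\_restore{1623E98B-424D-47A1-A46C-96AE8AF226B9}\RP63\A0005789.dll Infected: Trojan.Win32.Monder.jn skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
"""

# One regex per line shape; the path is everything before the status text.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<fmt>[A-Z0-9]+): infected - (?P<count>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")

# Assumed locations that need no File:: entry (handled by other cleanup steps).
RESTORE_PREFIX = r"C:\System Volume Information\_restore"
QUARANTINE_PREFIX = "C:\\QooBox\\Quarantine\\"


def classify(path):
    """Where the object lives decides which removal step applies to it."""
    if path.startswith(RESTORE_PREFIX):
        return "restore-point"        # cleared by purging System Restore, not by script
    if path.startswith(QUARANTINE_PREFIX):
        return "combofix-quarantine"  # already neutralised by ComboFix
    return "live"


def on_disk_container(path):
    """'archive.exe/inner.exe' names a member; the file on disk is the part before '/'."""
    return path.split("/", 1)[0]


def parse_report(text):
    """Return (findings, locked_paths). Each finding is a dict with path, container,
    detection name and location class; locked objects are recorded separately."""
    findings, locked = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = INFECTED_RE.match(line)
        if m:
            findings.append({"path": m["path"], "container": on_disk_container(m["path"]),
                             "detection": m["name"], "where": classify(m["path"])})
            continue
        m = ARCHIVE_RE.match(line)
        if m:
            # Container summary line; its members were reported individually above it.
            findings.append({"path": m["path"], "container": m["path"],
                             "detection": f"{m['fmt']} container ({m['count']} infected member(s))",
                             "where": classify(m["path"])})
            continue
        m = LOCKED_RE.match(line)
        if m:
            locked.append(m["path"])
    return findings, locked


def summarize(findings, locked):
    """Counts a helper would read first: hits per location, live hits per detection."""
    return {
        "by_location": dict(Counter(f["where"] for f in findings)),
        "by_detection": dict(Counter(f["detection"] for f in findings if f["where"] == "live")),
        "locked": len(locked),
    }


def live_containers(findings):
    """Unique on-disk files outside quarantine and restore points, in report order."""
    seen = []
    for f in findings:
        if f["where"] == "live" and f["container"] not in seen:
            seen.append(f["container"])
    return seen


def draft_cfscript(findings, folders=()):
    """Render ComboFix's File:: / Folder:: directives. Folder:: entries are a human
    decision (whole release directories were removed in the thread), so they are passed in."""
    lines = ["File::"] + live_containers(findings)
    if folders:
        lines += ["Folder::"] + list(folders)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found, locked_objs = parse_report(SAMPLE_REPORT)
    print(summarize(found, locked_objs))
    release_dir = live_containers(found)[0].rsplit("\\", 1)[0]
    print(draft_cfscript(found, folders=[release_dir]))
```

Running it on the sample prints two live containers (the Nero trial installer and the nero.exe archive that wraps it), one quarantine hit and one restore-point hit; the draft script lists only the two live files, which matches the shape of the File:: block in the reply above. "Object is locked" entries are counted rather than treated as detections: they are registry hives, event logs and open files the scanner could not read, not infections.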
#14 bluefoot

Posted 30 May 2008 - 09:57 PM

Hi peku006

Removed the P2P file-share programme; will not use that again.

Here are the logs you asked for


ComboFix 08-05-25.3 - Tom 2008-05-31 4:49:45.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1516 [GMT 1:00]
Running from: C:\Documents and Settings\Tom\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Tom\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Tom\Application Data\IDM\DwnlData\Tom\nero_7\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe
C:\Documents and Settings\Tom\My Documents\Downloads\Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe
C:\WINDOWS\imsins.BAK
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Tom\Application Data\IDM\DwnlData\Tom\nero_7\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE
C:\Documents and Settings\Tom\Application Data\IDM\DwnlData\Tom\nero_7\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\keygen.exe
C:\Documents and Settings\Tom\Application Data\IDM\DwnlData\Tom\nero_7\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe
C:\Documents and Settings\Tom\Application Data\IDM\DwnlData\Tom\nero_7\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\READ ME FIRST.txt
C:\Documents and Settings\Tom\My Documents\Downloads\Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE
C:\Documents and Settings\Tom\My Documents\Downloads\Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\keygen.exe
C:\Documents and Settings\Tom\My Documents\Downloads\Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\Nero-7.7.5.1_all_trial.exe
C:\Documents and Settings\Tom\My Documents\Downloads\Programs\Ahead.Nero.v7.7.5.1.Multilingual.Incl.Keymaker-EMBRACE\READ ME FIRST.txt
C:\WINDOWS\imsins.BAK

.
((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-31 )))))))))))))))))))))))))))))))
.

2008-05-30 09:56 . 2008-05-30 09:56 56 --ah----- C:\WINDOWS\system32\ezsidmv.dat
2008-05-30 07:14 . 2008-05-30 07:15 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-30 06:09 . 2008-05-30 06:09 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-05-30 06:09 . 2008-05-30 06:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-05-26 13:54 . 2008-05-27 08:35 <DIR> d-------- C:\Program Files\CA Yahoo! Anti-Spy
2008-05-25 22:17 . 2008-05-25 22:17 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-25 22:17 . 2008-05-25 22:17 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Malwarebytes
2008-05-25 22:17 . 2008-05-25 22:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 22:17 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-25 22:17 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-25 22:11 . 2008-05-25 22:11 <DIR> d-------- C:\Deckard
2008-05-24 19:51 . 2008-05-24 19:51 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-23 23:45 . 2008-05-23 23:45 <DIR> d-------- C:\VundoFix Backups
2008-05-21 09:52 . 2008-05-21 09:52 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\ieSpell
2008-05-21 09:51 . 2008-05-21 09:51 <DIR> d-------- C:\Program Files\ieSpell
2008-05-21 07:55 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-05-21 07:55 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-05-21 07:55 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-05-21 07:55 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-05-21 07:55 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-05-21 07:54 . 2008-05-21 07:55 <DIR> d-------- C:\Program Files\Trojan Remover
2008-05-21 07:54 . 2008-05-21 07:54 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Simply Super Software
2008-05-21 07:54 . 2008-05-21 07:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-05-16 15:50 . 2008-05-31 04:36 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\skypePM
2008-05-16 15:44 . 2008-05-16 15:44 <DIR> d-------- C:\Program Files\Skype
2008-05-16 15:44 . 2008-05-16 15:44 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-16 15:44 . 2008-05-31 04:45 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Skype
2008-05-16 15:44 . 2008-05-16 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-10 15:51 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-10 15:51 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-05-10 15:51 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-08 13:17 . 2008-05-08 13:17 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-05-08 13:15 . 2008-05-08 13:15 639,224 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-05-06 10:14 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-05-06 10:13 . 2008-05-06 10:13 <DIR> d-------- C:\Program Files\MSBuild
2008-05-06 10:13 . 2008-05-06 10:13 <DIR> d-------- C:\Program Files\Microsoft Works
2008-05-06 10:10 . 2008-05-06 10:13 <DIR> d-------- C:\WINDOWS\SHELLNEW
2008-05-06 10:10 . 2008-05-14 12:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-05-06 10:09 . 2008-05-06 10:09 <DIR> dr-h----- C:\MSOCache
2008-05-06 09:39 . 2008-05-27 18:53 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-05-06 09:33 . 2008-05-06 09:34 <DIR> d-------- C:\Program Files\Common Files\Ahead
2008-05-06 09:33 . 2008-05-06 09:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-05-06 09:02 . 2008-05-06 09:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles
2008-05-06 01:04 . 2008-05-11 16:32 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Ahead
2008-05-06 01:02 . 2008-05-06 01:02 <DIR> d-------- C:\Program Files\Nero
2008-05-05 10:32 . 2008-05-05 10:33 <DIR> d-------- C:\WINDOWS\system32\Adobe
2008-05-05 10:02 . 2008-05-05 10:02 <DIR> d-------- C:\WINDOWS\Sun
2008-05-05 10:01 . 2008-05-05 10:01 <DIR> d-------- C:\Program Files\Java
2008-05-05 10:01 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-05 10:00 . 2008-05-05 10:00 <DIR> d-------- C:\Program Files\Common Files\Java
2008-05-05 09:56 . 2008-05-05 09:56 <DIR> d-------- C:\Program Files\iTunes
2008-05-05 09:56 . 2008-05-05 09:56 <DIR> d-------- C:\Program Files\iPod
2008-05-05 09:56 . 2008-05-05 09:56 <DIR> d-------- C:\Program Files\Bonjour
2008-05-05 09:56 . 2008-05-05 09:56 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Apple Computer
2008-05-05 09:56 . 2008-05-31 04:35 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-05 09:56 . 2008-05-05 09:56 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-05 09:55 . 2008-05-05 09:55 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2008-05-05 09:55 . 2008-05-05 09:56 <DIR> d-------- C:\Program Files\QuickTime
2008-05-05 09:55 . 2008-05-05 09:55 <DIR> d-------- C:\Program Files\Common Files\Apple
2008-05-05 09:55 . 2008-05-05 09:55 <DIR> d-------- C:\Program Files\Apple Software Update
2008-05-05 09:55 . 2008-05-05 09:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-05-05 09:55 . 2008-05-05 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2008-05-05 09:29 . 2008-05-05 09:29 425 --a------ C:\WINDOWS\BRWMARK.INI
2008-05-05 09:29 . 2008-05-05 09:29 184 --a------ C:\WINDOWS\system32\brsvc01a.bsi
2008-05-05 09:29 . 2008-05-05 09:29 30 --a------ C:\WINDOWS\system32\brss01a.ini
2008-05-05 09:29 . 2008-05-05 09:29 27 --a------ C:\WINDOWS\BRPP2KA.INI
2008-05-05 09:28 . 2004-08-03 23:08 26,496 --a--c--- C:\WINDOWS\system32\dllcache\usbstor.sys
2008-05-05 09:24 . 2004-08-03 23:01 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-05-05 09:24 . 2004-08-03 23:01 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-05-05 09:22 . 2008-05-05 09:32 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Creative
2008-05-05 09:22 . 2008-05-05 09:22 584 --a------ C:\WINDOWS\system32\settingsbkup.sfm
2008-05-05 09:22 . 2008-05-05 09:22 584 --a------ C:\WINDOWS\system32\settings.sfm
2008-05-05 09:20 . 2000-05-22 09:58 647,872 --------- C:\WINDOWS\system32\Mscomct2.ocx
2008-05-05 09:20 . 1999-10-11 02:00 41,984 --------- C:\WINDOWS\Ctregrun.exe
2008-05-05 09:15 . 1999-12-13 02:01 44,032 --------- C:\WINDOWS\system32\CTSVCCDA.EXE
2008-05-05 09:15 . 1999-11-18 02:00 25,088 --------- C:\WINDOWS\system32\CTSVCCTL.EXE
2008-05-05 09:09 . 2008-05-05 09:09 <DIR> d-------- C:\WINDOWS\system32\Data
2008-05-05 09:09 . 2000-12-13 11:21 7,572,224 --------- C:\WINDOWS\system32\CT8MGM.SF2
2008-05-05 09:09 . 2000-12-05 02:11 4,174,814 --------- C:\WINDOWS\system32\CT4MGM.SF2
2008-05-05 09:09 . 1999-09-22 08:18 2,167,684 -ra------ C:\WINDOWS\system32\ct2mgm.sf2
2008-05-05 09:09 . 2005-06-27 11:37 133,632 -ra------ C:\WINDOWS\system32\CtDvInst.dll
2008-05-05 09:09 . 2000-05-11 01:00 90,112 --------- C:\WINDOWS\Updreg.EXE
2008-05-05 09:09 . 2005-06-15 04:07 11,264 --a------ C:\WINDOWS\INRES.DLL
2008-05-05 09:09 . 2005-07-07 10:26 5,627 -ra------ C:\WINDOWS\system32\Ludap17.ini
2008-05-05 09:09 . 2005-03-08 07:14 39 -ra------ C:\WINDOWS\system32\ctzapxx.ini
2008-05-05 09:07 . 2008-05-05 09:20 <DIR> d-------- C:\Program Files\Creative
2008-05-05 08:29 . 2008-05-05 08:29 <DIR> d-------- C:\Program Files\BT Yahoo! Internet
2008-05-05 08:01 . 2008-05-05 08:01 <DIR> d-------- C:\Program Files\CCleaner
2008-05-05 07:58 . 2008-05-21 09:35 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-05 07:57 . 2008-05-05 07:57 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-05-05 07:57 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-05-05 07:57 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-05-05 07:57 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Program Files\BillP Studios
2008-05-05 07:55 . 2008-05-05 07:55 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\WinPatrol
2008-05-05 07:34 . 2008-05-05 07:34 354,560 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-05 07:34 . 2008-04-04 14:51 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-05-05 07:33 . 2008-05-15 09:43 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-05-05 07:33 . 2008-05-05 07:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-05 07:33 . 2008-05-05 07:33 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\TuneUp Software
2008-05-05 07:33 . 2008-05-05 07:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-05-05 07:27 . 2008-05-11 11:55 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\Vso
2008-05-05 07:27 . 2008-05-05 07:27 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-05 07:27 . 2008-05-05 07:27 47,360 --a------ C:\Documents and Settings\Tom\Application Data\pcouffin.sys
2008-05-05 07:26 . 2008-05-05 07:26 <DIR> d-------- C:\Program Files\VSO
2008-05-05 07:26 . 2004-05-04 12:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-05-05 07:26 . 2006-05-20 17:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-05-05 07:26 . 2006-05-11 20:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-05-05 07:26 . 2006-09-29 13:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-05-05 07:26 . 2006-09-29 13:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-05-05 07:26 . 2006-09-29 13:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-05-05 07:26 . 2007-03-18 21:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-05-05 07:20 . 2008-05-26 11:24 67 --a------ C:\WINDOWS\IDMan.INI
2008-05-05 07:08 . 2008-05-30 23:05 <DIR> d-------- C:\Program Files\Internet Download Manager
2008-05-05 07:08 . 2008-05-05 07:20 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\IDM
2008-05-05 07:08 . 2008-05-30 16:05 <DIR> d-------- C:\Documents and Settings\Tom\Application Data\DMCache
2008-05-04 17:50 . 2008-05-05 00:01 0 --a------ C:\WINDOWS\_INS33IS._MP
2008-05-04 17:49 . 2008-05-04 17:49 <DIR> d-------- C:\Program Files\ASUS
2008-05-04 17:49 . 2005-01-28 09:44 24,576 -ra------ C:\WINDOWS\system32\AsIO.dll
2008-05-04 17:49 . 2004-09-07 11:41 5,120 --a------ C:\WINDOWS\system32\drivers\AsInsHelp64.sys
2008-05-04 17:49 . 2004-10-14 10:52 4,962 -ra------ C:\WINDOWS\system32\drivers\AsIO.sys
2008-05-04 17:49 . 2004-03-10 14:31 3,328 --a------ C:\WINDOWS\system32\drivers\AsInsHelp32.sys
2008-05-04 14:08 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-05-04 14:08 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-05-04 14:08 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-04 07:56 155,995 ----a-w C:\WINDOWS\java\Packages\LZHZVLJ3.ZIP
2008-05-03 17:31 --------- d-----w C:\Program Files\microsoft frontpage
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 11:59 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-26_11.35.17.79 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-02-26 11:48:44 297,984 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\SP2QFE\msctf.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB932823-v3\update\updspapi.dll
- 2008-05-26 10:30:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-31 03:35:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 06:15:24 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81200000003}\SC_Reader.exe
- 2004-08-04 12:00:00 294,400 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
+ 2008-02-26 11:59:50 294,912 -c--a-w C:\WINDOWS\system32\dllcache\msctf.dll
+ 2005-05-24 11:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 14:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 14:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2006-06-05 13:14:28 479,232 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcm80.dll
+ 2006-06-05 13:14:28 548,864 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcp80.dll
+ 2006-06-05 13:14:28 626,688 ----a-w C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.163_x-ww_681e29fb\msvcr80.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [2004-12-02 18:23 102400]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2008-04-30 17:17 22058792]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 17:41 223984]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-18 02:54 116072]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-10-10 14:49 7286784]
"nwiz"="nwiz.exe" [2005-10-10 14:49 1519616 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2005-10-10 14:49 86016]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-25 18:31 333120]
"CTSysVol"="C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe" [2005-02-15 16:10 57344]
"P17Helper"="P17.dll" [2005-05-03 12:38 64512 C:\WINDOWS\system32\P17.dll]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40 155648]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47 31016]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-05-18 14:19 877136]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-10 17:41 223984]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 13:00]
R3 BrScnUsb;Brother USB Still Image driver;C:\WINDOWS\system32\Drivers\BrScnUsb.sys [2003-12-19 20:15]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-05 07:34]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-05-30 16:29:07 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClick.exe
"2008-05-24 20:47:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-31 04:51:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-31 4:52:57
ComboFix-quarantined-files.txt 2008-05-31 03:52:53
ComboFix2.txt 2008-05-30 04:53:09
ComboFix3.txt 2008-05-27 07:01:20
ComboFix4.txt 2008-05-26 10:35:34

Pre-Run: 187,948,969,984 bytes free
Post-Run: 187,636,789,248 bytes free

260 --- E O F --- 2008-05-28 23:07:39


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:54:15, on 31/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\browser\YBrowser.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\bluefoot.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...arch.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: IDMIEHlprObj Class - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://uk.midas.game...l/kingcomie.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun....ows-i586-jc.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11892 bytes
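The CFScript step earlier in the thread (File:: and Folder:: targets dragged onto ComboFix) and the log posted above can be checked mechanically rather than by eye. The following is an added example and not code from the thread or from ComboFix: it parses a CFScript, pulls the "Other Deletions" section out of a ComboFix log, reports which targets were and were not removed, and flags two Reg Loading Points values that a reviewer should ask about. The CFScript and log excerpts embedded in it are constructed to mirror the layout seen in the posts; the paths and names in them are hypothetical.

```python
"""Check a ComboFix run against the CFScript that drove it.

Added example for this thread, not code from the thread or from ComboFix.
The CFScript and log excerpts below are constructed to mirror the layout
seen in the posts (File::/Folder:: sections; "(((( title ))))" banners in
the log); the paths in them are hypothetical.
"""
import re

# Constructed CFScript in the File::/Folder:: form used in the thread.
CFSCRIPT = """\
File::
C:\\WINDOWS\\imsins.BAK
C:\\Documents and Settings\\Tom\\My Documents\\Downloads\\Programs\\Example-Crack\\setup_trial.exe
Folder::
C:\\Documents and Settings\\Tom\\My Documents\\Downloads\\Programs\\Example-Crack
"""

# Constructed ComboFix log excerpt: real section layout, hypothetical content.
# imsins.BAK is deliberately absent from Other Deletions to exercise the "missing" path.
COMBOFIX_LOG = """\
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\\Documents and Settings\\Tom\\My Documents\\Downloads\\Programs\\Example-Crack
C:\\Documents and Settings\\Tom\\My Documents\\Downloads\\Programs\\Example-Crack\\keygen.exe
C:\\Documents and Settings\\Tom\\My Documents\\Downloads\\Programs\\Example-Crack\\setup_trial.exe

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

BANNER_RE = re.compile(r"^\(+\s*(.*?)\s*\)+$")


def parse_cfscript(text):
    """Return {section: [entries]}; a CFScript section header is a line ending in '::'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            current = line[:-2].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def parse_log_sections(text):
    """Split a ComboFix log into {title: [lines]} on its '(((( title ))))' banners."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = BANNER_RE.match(line)
        if match:
            current = match.group(1).lower()
            sections[current] = []
        elif current is not None and line and line != ".":
            sections[current].append(line)
    return sections


def check_script_applied(script_text, log_text):
    """Return (deleted, missing): which File::/Folder:: targets appear under Other Deletions.
    Paths are compared case-insensitively, as NTFS does."""
    script = parse_cfscript(script_text)
    deleted_paths = {p.lower() for p in parse_log_sections(log_text).get("other deletions", [])}
    targets = script.get("file", []) + script.get("folder", [])
    deleted = [t for t in targets if t.lower() in deleted_paths]
    missing = [t for t in targets if t.lower() not in deleted_paths]
    return deleted, missing


# Reg Loading Points values that deserve a question rather than a shrug.
REG_CHECKS = (
    (re.compile(r'"EnableFirewall"\s*=\s*0\b'), "Windows Firewall off for the standard profile"),
    (re.compile(r'"DisableMonitoring"\s*=\s*dword:0*1$'), "Security Center monitoring disabled"),
)


def security_findings(log_text):
    """List (registry key, reason) pairs for the REG_CHECKS values found under Reg Loading Points."""
    findings, key = [], None
    for line in parse_log_sections(log_text).get("reg loading points", []):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # remember the key the following values belong to
            continue
        for pattern, reason in REG_CHECKS:
            if pattern.search(line):
                findings.append((key, reason))
    return findings


if __name__ == "__main__":
    done, not_done = check_script_applied(CFSCRIPT, COMBOFIX_LOG)
    print("deleted:", *done, sep="\n  ")
    print("missing:", *not_done, sep="\n  ")
    for key, reason in security_findings(COMBOFIX_LOG):
        print(f"check: {reason} [{key}]")
```

Run against the log in the post above, every File:: and Folder:: entry from the script shows up under Other Deletions, so nothing would be reported missing. The DisableMonitoring entries under Security Center are what a third-party suite such as the installed Norton product writes when it takes over antivirus and firewall status reporting, so on their own they are expected; EnableFirewall=0 means the built-in Windows Firewall is off, which is fine only while the Symantec firewall listed in the same log is actually running, and that is worth confirming rather than assuming.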

#15 peku006 (Authentic Member, 40 posts)

Posted 31 May 2008 - 05:37 AM

Hello bluefoot

Congratulations, your log looks clean! :thumbup:

Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
  • When shown the disclaimer, Select "2"

The above procedure will:

  • Delete the following:
      • ComboFix and its associated files and folders.
      • VundoFix backups, if present
      • The C:\Deckard folder, if present
      • The C:\_OtMoveIt folder, if present
  • Reset the clock settings.
  • Hide file extensions, if required.
  • Hide System/Hidden files, if required.
  • Reset System Restore.

Here are some free programs I recommend that could help you improve your computer's security.

Spybot Search and Destroy 1.5.2
Download it from here. Just choose a mirror and off you go.
Find the tutorial on how to use Spybot properly here

Install SpyWare Blaster 4.0
Download it from here
Find the tutorial on how to use Spyware Blaster here

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here

Install FireTrust SiteHound
You can find information and download it from here

Install MVPS Hosts File from here
The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Find Tutorial here : http://www.mvps.org/...p2002/hosts.htm

Update your antivirus program and other security products regularly to avoid new threats that could infect your system.
You can use one of these sites to check whether any updates are needed for your PC.
Secunia Software Inspector
F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.
http://www.update.microsoft.com
Note: If you are running Windows XP SP2, you should upgrade to SP3.

Please check out Tony Klein's article "How did I get infected in the first place?"

Read some information here how to prevent Malware.

Happy surfing and stay clean! ;)
MRU Master

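The HOSTS-file mechanism recommended in the post above, as an added example that is not part of the thread or of the MVPS file: a parser for the HOSTS format that says whether a given name is sinkholed to 127.0.0.1 or 0.0.0.0 and lists everything a file blocks. The sample HOSTS text inside it is constructed; the file format and the sink addresses are the real ones.

```python
"""Parse a Windows HOSTS file and report which names it sinkholes.

Added example for this thread; not code from the thread or from MVPS.
The sample HOSTS text is constructed. The format (address, whitespace,
one or more names, optional '#' comment) is the real one, and 127.0.0.1
or 0.0.0.0 are the sink addresses blocklist-style HOSTS files use.
"""
import ipaddress
import os

SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}

# Constructed sample mixing the default entries with blocklist-style lines.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- blocklist entries (constructed for this example) ---
127.0.0.1  ads.example.net                          # ad server
0.0.0.0    tracker.example.org  cdn.tracker.example.org
192.168.1.10   intranet.example   # a real override, not a block
this line is malformed and is skipped
"""


def parse_hosts(text):
    """Return {name (lowercase): address}. First match wins, as in the resolver;
    comments, blank lines and lines whose first token is not an address are skipped."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop inline and whole-line comments
        if not line:
            continue
        parts = line.split()
        try:
            address = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                           # malformed line: no address first
        for name in parts[1:]:
            mapping.setdefault(name.lower(), address)
    return mapping


def is_sinkholed(mapping, hostname):
    """True if the HOSTS file points hostname at a loopback/unspecified sink address."""
    return mapping.get(hostname.lower().rstrip(".")) in SINK_ADDRESSES


def sinkholed_names(mapping):
    """Names the file blocks; localhost is excluded since it legitimately maps to loopback."""
    return sorted(n for n, a in mapping.items() if a in SINK_ADDRESSES and n != "localhost")


def load_hosts_text():
    """Use the live Windows HOSTS file when present, otherwise the constructed sample."""
    path = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return SAMPLE_HOSTS


if __name__ == "__main__":
    hosts = parse_hosts(load_hosts_text())
    print(f"{len(sinkholed_names(hosts))} name(s) sinkholed")
    for name in ("ads.example.net", "intranet.example", "www.example.com"):
        print(f"{name}: {'blocked' if is_sinkholed(hosts, name) else 'not blocked'}")
```

On Windows the live file is %SystemRoot%\system32\drivers\etc\hosts, which the script reads when that path exists. One caveat that the MVPS page itself documents: a very large HOSTS file on XP can slow name resolution noticeably unless the DNS Client service is set to manual or disabled, so follow their installation notes rather than just copying the file into place.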
