Full Version: Virtumonde-vundo Infection-hijack This Log File
bennytheboy
Hi,

Firstly, I should say that I'm running Windows XP SP2 with an up-to-date Norton Internet Security 2007.

A couple of weeks ago I noticed in the Windows Task Manager that explorer.exe was using 99% of my CPU, which was causing my computer to completely crash, so I did a scan with Ad-Aware to see if I had some viruses or Trojans on my Desktop.

It came back saying that I had Virtumonde and gave the file paths (included at the bottom of this post), which incidentally were in the Explorer folder of the registry. Ad-Aware supposedly removed the infection, but I continued to have problems, so I did a full scan with Spybot, Spyware Terminator, Ad-Aware and Norton Anti Virus, which all showed nothing.

After finding this Forum I then used Vundo Fix which came back with 4 or 5 .dll files in the C:\Windows\System folder which it removed. I scanned the entire computer again with Vundo Fix to see if it was clean which it was and also scanned again with Norton, Ad-Aware, Spybot and Spyware Terminator. This came back clean with the exception of Spybot which said that Windows Security Centre was disabled so I clicked on "fix" to rectify that.

So the computer came up clean, and initially, when using the Desktop for the first hour, everything was fine, but then explorer.exe started using 99% of the CPU again.

Scanned it all again as above and this time used the VirtumondeBeGone and it all came back clean again.

Again, for the first hour after all the scans everything is fine, and then the explorer.exe clicks in and takes up 99% of the CPU again, and I can shut the computer down and restart and the problem is still there. It's only after I complete all the scans that it's OK for the first hour.

My Desktop was fine before the Vundo/Virtumonde infection and explorer.exe was not using up any more than its normal resources, but now it's at 99% all of the time, so the two must be connected.

Windows XP SP2 has all the critical updates. I download all updates for Ad-aware, Spybot, Spyware Terminator before I scan and I've also installed Java to the latest version.

I've done a Hijack This log which is below.

Can anyone help?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:21:00, on 23/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://gb8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-gb8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60311
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantec.com/techsupp/oem
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer192.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160512250765
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj01.rightnowtech.com/5570-b298...l/java/RntX.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8733 bytes
boopme
I have moved your Topic that includes a HijackThis log here to the Misplaced HJT Logs forum. You posted your log in a forum not intended for HijackThis log analysis and probably missed the directions we provide to those who require assistance. We can only allow topics with such logs in the HijackThis Logs and Malware Removal forum. This restriction is to ensure you get the best help available, from those who specialize in malware analysis and removal. It also should prevent you from receiving ineffective or even potentially dangerous advice, whether well-meaning or not.

Prior to posting a HJT log, we ask that you please read and follow all instructions in the pinned topic titled Preparation Guide For Use Before Posting A Hijackthis Log. Following the steps in this Guide will allow the HJT Team to quickly help you with specific fixes for what may remain on your system.

Please complete all the steps in the Guide. If you have performed some of them already, then just continue with the next. If you can't perform a step, then skip it and continue with the next. The last step will include downloading and using the most current version of HijackThis if the first line of your log does not appear as follows:

Logfile of Trend Micro HijackThis v2.0.2

Please note that it is important that HijackThis be run and a log created while in normal mode. If you run it and create your log while in safe mode, you will be asked to redo it again properly. When you have completed those steps, start a new topic in the HijackThis Logs and Malware Removal forum as directed in the Guide to post a new log.

Please DO NOT post any more logs to this topic, or post a log again in the wrong forum.

The Misplaced HJT Logs forum is strictly a holding area where the BC Staff can assist you with preparations for and to properly post your log. If you have a question or encounter a problem in the Prep Guide, please do post back to this topic; that is what it is here for.

When your new HJT log is posted in the proper forum, please reply to this topic with a link to your new topic. Once that is done, a Member of the HJT Team will analyze your log and assist you with step by step instructions to clean your computer or otherwise advise what needs to be done.

Thanks for your cooperation and good luck.
The BC Staff
jpshortstuff
Hi, and Welcome to Bleeping Computer.

My name is jpshortstuff. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

As I am still training, my posts to you will be checked by an Expert member. This will ensure that all advice and instructions I give you are accurate and safe. This may mean that my replies may take a little longer.

jpshortstuff
bennytheboy
Hi Jpshortstuff,

Thank you for your reply, and thanks in advance for your help, which will be appreciated.

I'll wait for your posts.

Thanks again.

Benny
jpshortstuff
Hi

Viewpoint Manager is installed without the user's permission. If you didn't install it, or if you did but you no longer use it, I recommend you get rid of it.

Please click Start >> Control Panel >> Add or Remove Programs.
Find the item below on the list and click Remove.
Viewpoint Manager
Let me know how it goes.


Download ComboFix by sUBs from here or here

**Save it to your desktop**

Double click on ComboFix.exe & follow the prompts.
When finished, it shall produce a log for you. Please save that log to post in your next reply along with a fresh HJT log

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


Thanks,

jpshortstuff
bennytheboy
Hi jpshortstuff,

Thank you very much for your reply and for your help, which is appreciated.

I have successfully uninstalled the Viewpoint Manager as you requested.

I also downloaded the Combo Fix and attempted to run it. It did crash explorer.exe and left me with just the screensaver and I lost all desktop items and the systems tray although the ComboFix continued to run. Ironically it's the explorer.exe that is using up 99% of my CPU so I don't know if that's relevant here.

Basically Combo Fix completed 40 stages of this program and then came to something which said deleting files and folders and listed the following files:

C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2

Combo Fix then tried to reboot my computer but that failed and I had to restart my computer manually.

I have run Combo Fix 3 times and it names the same files so obviously they haven't been deleted. I haven't manually deleted them and I won't unless you tell me to do so and if you do then please say how you want me to delete them.

I can't post a log of Combo Fix as it didn't give me one. I have done another HiJackThis Log although I'm not sure how relevant it is without the ComboFix log but I've included it with this post anyway.

So what's the next step? Do you want me to remove the files (above) manually? Or maybe something else?

Thanks again for your help and I'll await your next reply.

Benny

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:22, on 2008-01-25
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-gb8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantec.com/techsupp/oem
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer192.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160512250765
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj01.rightnowtech.com/5570-b298...l/java/RntX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05022F37-CDF8-49DC-AB11-2C7F226DD8F5}: NameServer = 195.92.195.95 195.92.195.94
O17 - HKLM\System\CS1\Services\Tcpip\..\{05022F37-CDF8-49DC-AB11-2C7F226DD8F5}: NameServer = 195.92.195.95 195.92.195.94
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9575 bytes
jpshortstuff
There should be a ComboFix log, look here:
C:\ComboFix.txt
and post whatever is there.
(Note: not ComboFix2 or ComboFix3, just ComboFix.txt.)
bennytheboy
Hi,

Thanks again for your reply.

All it says is this:

ComboFix 08-01-23.1B - Owner 2008-01-25 16:34:33.6 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

That's it. It said the same before and I did another scan and it's said the same again.

After the scan says completed 40 stages or whatever, it says it is deleting the files and folders that I mentioned before and then says attempting reboot windows or something similar. Then it says something like "add is not an external command". Repeats this line several times and then the scan disappears and doesn't reappear.

The computer doesn't reboot and the desktop and systems tray are no longer there because the explorer.exe file has been stopped which I presume the ComboFix has done. So I have to reboot using the Windows Task Manager.

I also noticed this afternoon the following message:

"Google has blocked an attempt by another program to change your settings".

I've seen this several times recently although I have no idea if it's relevant.

Today I have scanned with Ad-Aware again and I found 2 things I didn't know about which said:

Trojan.Peed.Gen whose file path was:

C:\Documents and Settings\Owner\Local Settings\Temp\jar_cache59065.tmp

and also:

Win32.Trojan.KillProc whose file paths were:

C:\Documents and Settings\Administrator\Local Settings\Temp\nsg5.tmp
C:\Documents and Settings\Owner\Local Settings\Temp\nsa.tmp

Again I've no idea if they are relevant but Ad-Aware says they were removed although I deleted all temp files in safe mode logged on as both the administrator and the owner to be sure.

Any help would be greatly appreciated as I'm tearing my hair out.

Benny
jpshortstuff
Hi Benny,

I'm just contacting the developer of ComboFix about these issues, see what we can do about it.

Thanks for your patience.
bennytheboy
Hi jpshortstuff,

No problem with the patience as I appreciate your help.

Just one other thing. When I scanned with Spyware Terminator today, later on I looked in the list of unknown software and the C:\WINDOWS\system32\fgjlm.ini was there that I mentioned earlier as mljgf.dll {BH} with a registry entry of:

HKLM\SOFTWARE\Microsoft\windows\current version\explorer\browser helper objects\{46B5D4F8-2609-4974-B170-47867DB42F87}

There was no mention of the other file which was C:\WINDOWS\system32\fgjlm.ini2

What's making me suspicious of this is that Combo Fix identified the file for deleting and it has a registry entry in the Explorer Folder and it's the explorer.exe that is using 99% of the CPU.

I'm thinking that the 2 could be connected but I'd like to know your opinion?

Regards

Benny
bennytheboy
Sorry I got the file name wrong in my last post.

It wasn't C:\WINDOWS\system32\fgjlm.ini as I stated.

It was C:\WINDOWS\system32\mljgf.dll

I have Googled mljgf.dll and it comes up as a variant of Virtumonde, and there is a page here to help with its removal.

Should I go on and follow those instructions to remove it?

Regards

Benny
jpshortstuff
We have been dealing with Virtumonde from the beginning.

Talked to the developer of ComboFix; there is another copy he would like us to try.

Delete your existing copy of ComboFix.

Download and run the new one:
http://subs.geekstogo.com/zh/ComboFix.exe
(save to your desktop)

Post the logs, let me know how it goes.

Thanks.
bennytheboy
I can't download the other ComboFix and that has been one of the problems with this malware in that it stops me downloading things at times (not all the time) and I struggle to keep Ad-Aware, Spybot, Spyware Terminator and Norton up to date.

I'll try again later but I've tried 3 times already today with no luck.
sUBs
What happens when you click the link that's provided?
sUBs
Try this other link. It contains a copy of ComboFix.exe that's renamed to CF.exe.

bennytheboy
Hi,

Ok thanks to jpshortstuff and sUBs for your replies.

Ok I managed to download the CF.exe and ran it and it worked and I have posted the Combo Fix log file and a new HiJackThis log file and I would very much appreciate any more input if either of you have any?

The files I was particularly worried about were:-

C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2

and

C:\WINDOWS\system32\mlgjf.dll

which had a registry entry in the HKLM\software\microsoft\windows\current version\explorer\browser helper objects\

This was of particular interest to me as it was in the explorer folder, and it is the explorer.exe that is using 99% of the CPU, and after looking quickly at the ComboFix log, with an uneducated eye, the following interested me:-

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\mljgf.dll

I Googled the mljgf.dll file and the fgjlm.ini and fgjlm.ini2 yesterday as I previously said and they came back as variants of Virtumonde.

Any ideas guys as I think we're now getting somewhere?

Thanks again for your help.

Benny


ComboFix 08-01-27.4 - Owner 2008-01-27 10:35:48.7 - NTFSx86 MINIMAL
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.133 [GMT 0:00]
Running from: C:\Documents and Settings\Owner\Desktop\CF.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Autorun.inf
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
D:\Autorun.inf
.
---- Previous Run -------
.
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\mcrh.tmp

.
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-27 10:46 . 2008-01-27 10:53 371 --ahs---- C:\WINDOWS\system32\fgjlm.ini
2008-01-21 18:47 . 2008-01-21 21:47 <DIR> d-------- C:\VundoFix Backups
2008-01-17 21:42 . 2002-08-28 23:59 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-01-17 21:42 . 2003-01-20 17:23 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime
2008-01-17 21:42 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2008-01-17 21:42 . 2004-08-04 07:07 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-01-17 21:40 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-01-17 21:39 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-01-17 21:38 . 2001-08-17 14:56 252,032 --a--c--- C:\WINDOWS\system32\dllcache\sis300iv.dll
2008-01-17 21:37 . 2001-07-21 14:29 161,568 --a--c--- C:\WINDOWS\system32\dllcache\sgsmusb.sys
2008-01-17 21:37 . 2001-08-17 12:51 98,080 --a--c--- C:\WINDOWS\system32\dllcache\sgiulnt5.sys
2008-01-17 21:37 . 2001-07-21 14:29 18,400 --a--c--- C:\WINDOWS\system32\dllcache\sgsmld.sys
2008-01-17 21:35 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-01-17 21:34 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-01-17 21:33 . 2003-01-20 17:04 229,439 --a--c--- C:\WINDOWS\system32\dllcache\multibox.dll
2008-01-17 21:32 . 2003-01-20 17:04 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-17 21:31 . 2003-01-20 17:00 1,158,818 --a--c--- C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-01-17 21:30 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-01-17 21:30 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-01-17 21:28 . 2001-08-17 22:36 90,200 --a--c--- C:\WINDOWS\system32\dllcache\io8ports.dll
2008-01-17 21:28 . 2004-08-04 07:00 87,424 --a--c--- C:\WINDOWS\system32\dllcache\irda.sys
2008-01-17 21:28 . 2001-08-17 12:12 45,632 --a--c--- C:\WINDOWS\system32\dllcache\ip5515.sys
2008-01-17 21:28 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\irstusb.sys
2008-01-17 21:28 . 2001-08-17 13:49 23,552 --a--c--- C:\WINDOWS\system32\dllcache\irmk7.sys
2008-01-17 21:28 . 2001-08-17 13:51 18,688 --a--c--- C:\WINDOWS\system32\dllcache\irsir.sys
2008-01-17 21:28 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2008-01-17 21:28 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2008-01-17 21:28 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2008-01-17 21:28 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2008-01-17 21:26 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-01-17 21:25 . 2001-08-17 12:17 629,952 --a--c--- C:\WINDOWS\system32\dllcache\eqn.sys
2008-01-17 21:24 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-01-17 21:23 . 2001-08-17 22:36 614,429 --a--c--- C:\WINDOWS\system32\dllcache\digiview.exe
2008-01-17 21:22 . 2003-01-20 17:46 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-01-17 21:21 . 2001-08-17 14:05 314,752 --a--c--- C:\WINDOWS\system32\dllcache\camdro21.sys
2008-01-17 21:20 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-01-17 21:19 . 2001-08-17 12:19 747,392 --a--c--- C:\WINDOWS\system32\dllcache\adm8830.sys
2008-01-17 21:18 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-01-15 17:03 . 2008-01-15 18:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-14 23:18 . 2008-01-14 23:18 <DIR> d-------- C:\Program Files\Opera
2008-01-13 22:41 . 2008-01-25 20:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-01-13 21:55 . 2008-01-27 01:47 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-01-13 21:55 . 2008-01-27 00:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Spyware Terminator
2008-01-13 21:55 . 2008-01-27 01:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-01-11 00:45 . 2008-01-11 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-09 21:23 . 2008-01-09 23:52 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-09 02:25 . 2003-01-02 09:36 <DIR> d-a------ C:\Documents and Settings\Administrator\WINDOWS
2008-01-09 02:25 . 2003-01-02 11:40 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-09 02:25 . 2003-01-02 09:33 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\Sonic
2008-01-09 02:25 . 2003-01-02 09:38 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\SampleView
2008-01-09 02:25 . 2003-01-02 09:35 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\InterTrust
2008-01-06 16:05 . 2008-01-06 16:05 314,720 --a------ C:\WINDOWS\system32\mljgf.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 17:19 --------- d---a-w C:\Program Files\Common Files\Symantec Shared
2008-01-24 20:47 --------- d-----w C:\Program Files\SmartFTP
2008-01-24 20:46 --------- d-----w C:\Program Files\Viewpoint
2008-01-24 20:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-01-21 13:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-18 01:54 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-13 20:34 --------- d-----w C:\Program Files\Java
2008-01-12 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-12 16:00 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-01-12 11:22 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-08 18:59 --------- d-----w C:\Program Files\Lx_cats
2007-12-07 23:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2007-12-05 10:33 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 10:33 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2007-12-05 10:33 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 10:33 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 10:33 --------- d---a-w C:\Program Files\Symantec
2007-11-30 23:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-10-30 19:55 625,032 ----a-w C:\WINDOWS\system32\SymNeti.dll
2007-10-30 19:55 242,056 ----a-w C:\WINDOWS\system32\SymRedir.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2005-02-14 12:23 57,744 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-06-14 22:44 56 --sh--r C:\WINDOWS\system32\A07B39D1A5.sys
2007-06-14 22:44 10,022 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98697b10-7559-4601-ba26-60260b9a4c4b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF157CD1-78DF-4539-B739-2F567D2BA293}]
2008-01-06 16:05 314720 --a------ C:\WINDOWS\system32\mljgf.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 11:21 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 23:04 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-12 03:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 04:42 212992]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-11-02 07:59 126976]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 23:57 81920]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 17:47 73728]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-06 01:22 26248]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-04 01:44 4595712]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]
"combofix"="C:\ComboFix\kmd.exe" [2004-08-04 07:56 388608]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyyxx]
byxyyxx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mljgf.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo Scheduler server.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo Scheduler server.lnk
backup=C:\WINDOWS\pss\InterVideo Scheduler server.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TomTom HOME.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TomTom HOME.lnk
backup=C:\WINDOWS\pss\TomTom HOME.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-11-02 08:03 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2002-07-25 04:20 28672 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
-ra------ 2001-07-10 02:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2003-03-04 01:44 831557 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-03-04 01:44 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2004-01-26 11:38 866816 C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
--a------ 2007-03-14 15:52 3770024 C:\Program Files\TomTom HOME\TomTomHOME.exe

R0 iviVD;iviVD;C:\WINDOWS\system32\DRIVERS\iviVD.sys [2005-11-16 15:42]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34cc226c-7714-11db-927d-000e5038fc37}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7ddce07-1e40-11dc-9413-000e5038fc37}]
\Shell\AutoRun\command - H:\InstallTomTomHOME.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 20:02:04 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 10:50:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\fgjlm.ini2 443 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\mljgf.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\mljgf.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
**************************************************************************
.
Completion time: 2008-01-27 11:02:39 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-01-27 11:02:23
.
2008-01-23 23:50:27 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:50, on 27/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-gb8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantec.com/techsupp/oem
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer192.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160512250765
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj01.rightnowtech.com/5570-b298...l/java/RntX.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8778 bytes
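
The ComboFix log above shows the load-point pattern worth recognising in a Vundo case: mljgf.dll is the file behind one BHO CLSID (the other CLSID has no file listed at all), the same DLL is appended to the LSA "Authentication Packages" list so lsass.exe picks it up at boot, a separate DLL named byxyyxx.dll sits under a Winlogon Notify key, and the "DLLs Loaded Under Running Processes" section confirms mljgf.dll resident in both lsass.exe and Explorer.EXE, which is the evidence the poster points to. The script below is an added example for this thread, not code from ComboFix or from anyone posting here: it parses those two log sections and flags exactly those points, cross-correlating a DLL that is both registered as a load point and already loaded into a core process. The sample excerpt is constructed from the log lines above, and the allowlist of default LSA packages (msv1_0 only) is an assumption for a stand-alone XP box.

```python
"""Triage the 'Reg Loading Points' and 'DLLs Loaded Under Running Processes'
sections of a ComboFix-style log.  Added example, not ComboFix's own code."""
import re
from collections import defaultdict

# Constructed excerpt, modelled on the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98697b10-7559-4601-ba26-60260b9a4c4b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF157CD1-78DF-4539-B739-2F567D2BA293}]
2008-01-06 16:05 314720 --a------ C:\WINDOWS\system32\mljgf.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyyxx]
byxyyxx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mljgf.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\mljgf.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\mljgf.dll
"""

# Assumption: a stand-alone XP box lists only msv1_0 here (domain-joined
# hosts may legitimately add kerberos; extend the allowlist accordingly).
DEFAULT_AUTH_PACKAGES = {"msv1_0"}

KEY_RE = re.compile(r"^\[(.+)\]$")
PROC_RE = re.compile(r"^PROCESS:\s+(.+?)\s+\[")
FILE_RE = re.compile(r"\s[-a-zA-Z]{9}\s+(.+)$")   # "... --a------ C:\path"


def parse_log(text):
    """Single pass over the log; returns (bhos, notify, auth_packages, loaded)."""
    bhos = {}                   # BHO CLSID -> backing file path, or None
    notify = {}                 # Winlogon Notify subkey -> DLL named under it
    auth_packages = []          # LSA 'Authentication Packages' entries
    loaded = defaultdict(list)  # process image -> DLLs ComboFix saw loaded
    key = proc = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := KEY_RE.match(line):
            key, proc = m.group(1), None
            if "browser helper objects" in key.lower():
                bhos.setdefault(key.rsplit("\\", 1)[1], None)
            continue
        if m := PROC_RE.match(line):
            proc, key = m.group(1), None
            continue
        if proc and line.startswith("->"):
            loaded[proc].append(line[2:].strip())
        elif key:
            kl = key.lower()
            if "browser helper objects" in kl:
                f = FILE_RE.search(line)
                bhos[key.rsplit("\\", 1)[1]] = f.group(1) if f else line
            elif "\\winlogon\\notify\\" in kl:
                notify[key.rsplit("\\", 1)[1]] = line
            elif kl.endswith("\\control\\lsa") and line.startswith("Authentication Packages"):
                auth_packages = line.split("REG_MULTI_SZ", 1)[1].split()
    return bhos, notify, auth_packages, loaded


def triage(text):
    """Return (kind, detail) findings; the cross-correlated ones come last."""
    bhos, notify, auth_packages, loaded = parse_log(text)
    findings, roles = [], defaultdict(set)   # roles: dll path -> how it is wired in
    for clsid, path in bhos.items():
        if path is None:
            findings.append(("orphan_bho", clsid))   # CLSID with no file behind it
        else:
            roles[path.lower()].add("bho")
    for name, dll in notify.items():   # ComboFix hides defaults, so review anything shown
        findings.append(("winlogon_notify", f"{name} -> {dll}"))
    for pkg in auth_packages:
        if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
            findings.append(("lsa_auth_package", pkg))
            roles[pkg.lower()].add("lsa")
    for proc, dlls in loaded.items():
        for dll in dlls:
            roles[dll.lower()].add("loaded:" + proc.rsplit("\\", 1)[1].lower())
    # Strongest signal: the same DLL is a registered load point AND already
    # resident in a core process such as lsass.exe or Explorer.EXE.
    for path, r in roles.items():
        reg = sorted(x for x in r if not x.startswith("loaded:"))
        procs = sorted(x[7:] for x in r if x.startswith("loaded:"))
        if reg and procs:
            findings.append(("registered_and_injected", f"{path} via {reg}, loaded in {procs}"))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:24} {detail}")
```

Run against the constructed excerpt it reports the orphaned BHO CLSID, the Winlogon Notify entry, the extra LSA package, and finally mljgf.dll as registered via both BHO and LSA and loaded in explorer.exe and lsass.exe. The file regex assumes ComboFix's nine-character attribute field precedes the path, which is what the log above shows; a Run-key value line is ignored because it does not sit under one of the three keys of interest.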
sUBs

Go to Start > Control Panel > Add or Remove Programs and uninstall the following programs:
  • ViewPoint
Please note any other programs that you don't recognize in that list in your next response


---------------


Open notepad and copy/paste the text in the quotebox below into it:

CODE
http://www.bleepingcomputer.com/forums/topic127278.html
Collect::
C:\WINDOWS\system32\mljgf.dll
File::
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\mcrh.tmp
Folder::
C:\VundoFix Backups
C:\Program Files\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98697b10-7559-4601-ba26-60260b9a4c4b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF157CD1-78DF-4539-B739-2F567D2BA293}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyyxx]


Save this as "CFScript"
Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.

Additionally, ComboFix will generate a zipped file on your Desktop, called [4]Submit@Date_Time.zip
Before proceeding to the next step, please submit this file to http://www.bleepingcomputer.com/submit-malware.php?channel=4


---------------


Using Internet Explorer, visit http://www.kaspersky.com/kos/eng/partner/d...kavwebscan.html

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
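
Before running a CFScript like the one above it is worth checking that every File::, Folder:: and Registry:: line actually appears in the ComboFix log it was written from, because a mistyped path is acted on just the same. The following check is an added example for this thread, not part of ComboFix: it understands only the four section headers used above (Collect::, File::, Folder::, Registry::), treats the "[-KEY]" form as "delete KEY" as in the script above, and compares each entry case-insensitively against a constructed log excerpt. A deliberately misspelled Folder:: line ("Veiwpoint") is added to the script copy to show what a miss looks like.

```python
"""Cross-check a ComboFix CFScript against the log it was written from so a
typo in a File::/Folder::/Registry:: line is caught before the script runs.
Added example for this thread; not part of ComboFix."""
import re

SECTION_RE = re.compile(r"^(\w+)::$")

# The CFScript from the post above, plus one constructed, misspelled Folder:: line.
CFSCRIPT = r"""
Collect::
C:\WINDOWS\system32\mljgf.dll
File::
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\mcrh.tmp
Folder::
C:\VundoFix Backups
C:\Program Files\Viewpoint
C:\Program Files\Veiwpoint
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98697b10-7559-4601-ba26-60260b9a4c4b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF157CD1-78DF-4539-B739-2F567D2BA293}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyyxx]
"""

# Constructed log excerpt holding the lines the script should refer to.
LOG = r"""
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\mcrh.tmp
2008-01-21 18:47 . 2008-01-21 21:47 <DIR> d-------- C:\VundoFix Backups
2008-01-24 20:46 --------- d-----w C:\Program Files\Viewpoint
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{98697b10-7559-4601-ba26-60260b9a4c4b}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF157CD1-78DF-4539-B739-2F567D2BA293}]
2008-01-06 16:05 314720 --a------ C:\WINDOWS\system32\mljgf.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyyxx]
"""


def parse_cfscript(text):
    """Split a CFScript into {section: [entries]} by its 'Name::' headers."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            current = m.group(1)
            sections.setdefault(current, [])
        elif current:
            sections[current].append(line)
    return sections


def unmatched_entries(cfscript, log):
    """Return (section, entry) pairs with no case-insensitive match in the log."""
    haystack = log.lower()
    missing = []
    for section, entries in parse_cfscript(cfscript).items():
        for entry in entries:
            needle = entry
            if section == "Registry" and entry.startswith("[-"):
                needle = "[" + entry[2:]        # "[-KEY]" -> the "[KEY]" line ComboFix prints
            if needle.lower() not in haystack:
                missing.append((section, entry))
    return missing


if __name__ == "__main__":
    for section, entry in unmatched_entries(CFSCRIPT, LOG):
        print(f"not found in log: {section}:: {entry}")
```

Anything this reports should be corrected or removed from the script before it is dropped onto ComboFix; a clean run returns an empty list. Matching is by substring, so an entry that is a prefix of a longer logged path will still pass, which is acceptable for a typo guard but not a substitute for reading the log.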
bennytheboy
Hi sUBs and jpshortstuff,

I know I keep saying it but thanks again for all your help which is greatly appreciated.

Okay.

I deleted Viewpoint and then copied and pasted the text you gave me into notepad, saved it to the Desktop and dragged it into ComboFix as you requested and it ran the program successfully and I have copied and pasted that text file with this post.

I also sent the ZIP file that you asked me to send to the URL that you posted.

I then ran the Kaspersky Online scanner to your instructions and I have posted that also with this post.

Lastly I did another HiJackThis log just before typing this out and that is with this post also.

The logs are posted in the order you requested them i.e. :-

1). HiJackThis
2). Kaspersky Online Scanner
3). ComboFix Log File

As for how the computer is reacting now then it is a bit early to tell as there have been times before when I thought it had all gone away (like after the first Vundo Fix scan) and the explorer.exe file was not using 99% of the CPU only for it to come back so I'll see what happens this evening and let you know.

Again I'd welcome any thoughts that you might have and any more help would be appreciated also.

Thanks again.

Benny



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:07:33, on 27/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-gb8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantec.com/techsupp/oem
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer192.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160512250765
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj01.rightnowtech.com/5570-b298...l/java/RntX.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{05022F37-CDF8-49DC-AB11-2C7F226DD8F5}: NameServer = 195.92.195.94 195.92.195.95
O17 - HKLM\System\CS1\Services\Tcpip\..\{05022F37-CDF8-49DC-AB11-2C7F226DD8F5}: NameServer = 195.92.195.94 195.92.195.95
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 10227 bytes
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, January 27, 2008 9:02:00 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/01/2008
Kaspersky Anti-Virus database records: 534146
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 110379
Number of viruses found: 3
Number of infected objects: 29
Number of suspicious objects: 0
Duration of the scan process: 02:43:56

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-01-27_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\4E33B026.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\D81AB33A.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SubEng\submissions.idx Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.c ... /[From "Barclays Ba .. ... /[From "Volksbanken Raiffeisenbanken" <custsupport_9806604539ib@vr-networld.de ... /html Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.c ... /[From "Barclays Ba .. ... /[From "Volksbanken Raiffeisenbanken" <custsupport_9806604539ib@vr-networld.de>]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.c ... /[From "Barclays Ba ... /[From "tim" <nuttingzh@arcusabsorbents.com>][Date Mon, 13 Nov 2006 23:12:54 +0200]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.c ... /[From "Barclays Ban ... /[From ... /[From detail" <xvdxuetjt@alltel.net>][Date 13 Nov 2006 12:22:46 -0600]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.c ... /[From "Barclays Ban ... /[From "mandy blake" <cheekydoll6@hotmail.com>][Date Sun, 24 Sep 2006 16:13:32 +0000]/text Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.c ... /[From "Barclays Banking" <online-support_id ... /[From "Mirella Arnot" <angharadstiv@iris-inspection.com>]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.c ... /[From "Barclays Banking" <online-support_id_006099446153id@barclays.com>][Date 19 Sep 2006 04:59:42 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... ... ... /[From "Afua Jayne" <gethstorry@accessamg.com>][Date Mon, 18 Sep 2006 13:36:44 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... ... ... /[From "Signe Stauber" <hyselleboa@finisar.com>][Date Mon, 18 Sep 2006 08:39:45 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... ... /[From "Jiri C ... /[From "" <izxip@telnor.net>][Date Mon, 18 Sep 2006 11:47:31 +0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... ... /[From "Jiri C .. ... /[From <mail@thehubpeople.com>][Date Mon, 18 Sep 2006 15:01:48 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... ... /[From "Jiri C ... /[From But ... /[From "Barclays IBank" <supprefnum98123id@barclays.com>]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... ... /[From "Jiri C ... /[From Butcher" <jvancecpa@1-stopnet.com>][Date 18 Sep 2006 02:02:38 +0180]/html Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... ... /[From "Jiri Cordray" <tueposton@bonsackbaptist.org>][Date Sun, 17 Sep 2006 15:50:25 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... /[From ... /[From "Irenka Cargo" <gretaslusher@acun.com>][Date Sat, 16 Sep 2006 17:28:32 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... /[From ... /[From "Get the" <mitizckse@shawcable.net>][Date Sat, 16 Sep 2006 13:00:28 +0700]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Suppo ... /[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Thu, 14 Sep 2006 15:17:58 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Support" <support@ ... /[From "rick lezemore" <ninja1rl@hotmail.co.uk>][Date Thu, 07 Sep 2006 22:11:53 +0100]/text Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED/[From "FormMail.com :: Support" <support@formmail.com>][Date Mon, 17 Apr 2006 12:13:00 -0600]/text Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text/[From "Kenny Henderson" <kennyhenderson2001@yahoo.co.uk>][Date Mon, 19 Jun 2006 22:41:59 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED/[From "paul jones" <paul257@hotmail.com>][Date Thu, 01 Jun 2006 19:49:55 +0000]/text Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED/[From <lillian@lillians.co.uk>][Date Sun, 30 Apr 2006 17:39:59 +0100]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.od skipped
C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox Mail Berkeley mbox: infected - 23 skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\NFWEVT.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\QooBox\Quarantine\C\VundoFix Backups\ahgxvyja.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped
C:\QooBox\Quarantine\C\VundoFix Backups\ojwtkpca.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped
C:\QooBox\Quarantine\C\VundoFix Backups\rrjyobrk.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped
C:\QooBox\Quarantine\C\VundoFix Backups\rslrwula.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\VundoFix Backups\rwfohjrv.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{69EE390C-99FC-4477-AB84-45CF4B9BFD7E}\RP9\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
ComboFix 08-01-23.1B - Owner 2008-01-27 16:56:27.8 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.63 [GMT 0:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\mcrh.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Viewpoint
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\ComponentRegistry.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\DownLoadHist.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\HostRegistry.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MetaStreamConfig.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MetaStreamID.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\MTSDownloadSites.txt
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-1002466322.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\-293628968.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\253621806.mtx
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\964329184_1.mts
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_00\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\-299397824.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\1991437604.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\501407029.mtz
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_01\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\-850653353.mtj&p2=0&p3=05904293139052970165172212541909&p4=0
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\1859761695.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_02\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\-1850579979.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\670487064.swf
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\ResourceFolder_03\URLCache.ini
C:\Documents and Settings\All Users\Application Data\Viewpoint\Viewpoint Experience Technology\Resources\UpdateVersionList_v2.mtx
C:\VundoFix Backups
C:\VundoFix Backups\ahgxvyja.dll.bad
C:\VundoFix Backups\ojwtkpca.dll.bad
C:\VundoFix Backups\rrjyobrk.dll.bad
C:\VundoFix Backups\rslrwula.dll.bad
C:\VundoFix Backups\rwfohjrv.dll.bad
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\mljgf.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-24 21:03 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-17 21:42 . 2002-08-28 23:59 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-01-17 21:42 . 2003-01-20 17:23 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime
2008-01-17 21:42 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2008-01-17 21:42 . 2004-08-04 07:07 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-01-17 21:40 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-01-17 21:39 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-01-17 21:38 . 2001-08-17 14:56 252,032 --a--c--- C:\WINDOWS\system32\dllcache\sis300iv.dll
2008-01-17 21:37 . 2001-07-21 14:29 161,568 --a--c--- C:\WINDOWS\system32\dllcache\sgsmusb.sys
2008-01-17 21:37 . 2001-08-17 12:51 98,080 --a--c--- C:\WINDOWS\system32\dllcache\sgiulnt5.sys
2008-01-17 21:37 . 2001-07-21 14:29 18,400 --a--c--- C:\WINDOWS\system32\dllcache\sgsmld.sys
2008-01-17 21:35 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-01-17 21:34 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-01-17 21:33 . 2003-01-20 17:04 229,439 --a--c--- C:\WINDOWS\system32\dllcache\multibox.dll
2008-01-17 21:32 . 2003-01-20 17:04 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-17 21:31 . 2003-01-20 17:00 1,158,818 --a--c--- C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-01-17 21:30 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-01-17 21:30 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-01-17 21:28 . 2001-08-17 22:36 90,200 --a--c--- C:\WINDOWS\system32\dllcache\io8ports.dll
2008-01-17 21:28 . 2004-08-04 07:00 87,424 --a--c--- C:\WINDOWS\system32\dllcache\irda.sys
2008-01-17 21:28 . 2001-08-17 12:12 45,632 --a--c--- C:\WINDOWS\system32\dllcache\ip5515.sys
2008-01-17 21:28 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\irstusb.sys
2008-01-17 21:28 . 2001-08-17 13:49 23,552 --a--c--- C:\WINDOWS\system32\dllcache\irmk7.sys
2008-01-17 21:28 . 2001-08-17 13:51 18,688 --a--c--- C:\WINDOWS\system32\dllcache\irsir.sys
2008-01-17 21:28 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2008-01-17 21:28 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2008-01-17 21:28 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2008-01-17 21:28 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2008-01-17 21:26 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-01-17 21:25 . 2001-08-17 12:17 629,952 --a--c--- C:\WINDOWS\system32\dllcache\eqn.sys
2008-01-17 21:24 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-01-17 21:23 . 2001-08-17 22:36 614,429 --a--c--- C:\WINDOWS\system32\dllcache\digiview.exe
2008-01-17 21:22 . 2003-01-20 17:46 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-01-17 21:21 . 2001-08-17 14:05 314,752 --a--c--- C:\WINDOWS\system32\dllcache\camdro21.sys
2008-01-17 21:20 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-01-17 21:19 . 2001-08-17 12:19 747,392 --a--c--- C:\WINDOWS\system32\dllcache\adm8830.sys
2008-01-17 21:18 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-01-15 17:03 . 2008-01-15 18:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-14 23:18 . 2008-01-14 23:18 <DIR> d-------- C:\Program Files\Opera
2008-01-13 21:55 . 2008-01-27 01:47 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-01-11 00:45 . 2008-01-11 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-09 21:23 . 2008-01-09 23:52 <DIR> d-------- C:\WINDOWS\BDOSCAN8

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 11:24 --------- d---a-w C:\Program Files\Common Files\Symantec Shared
2008-01-24 20:47 --------- d-----w C:\Program Files\SmartFTP
2008-01-13 20:34 --------- d-----w C:\Program Files\Java
2008-01-12 11:22 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-08 18:59 --------- d-----w C:\Program Files\Lx_cats
2007-12-05 10:33 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 10:33 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 10:33 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 10:33 --------- d---a-w C:\Program Files\Symantec
2007-11-30 23:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-06-14 22:44 56 --sh--r C:\WINDOWS\system32\A07B39D1A5.sys
2007-06-14 22:44 10,022 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 11:21 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 23:04 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-12 03:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 04:42 212992]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-11-02 07:59 126976]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 23:57 81920]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 17:47 73728]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-06 01:22 26248]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-04 01:44 4595712]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mljgf.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo Scheduler server.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo Scheduler server.lnk
backup=C:\WINDOWS\pss\InterVideo Scheduler server.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TomTom HOME.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TomTom HOME.lnk
backup=C:\WINDOWS\pss\TomTom HOME.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-11-02 08:03 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2002-07-25 04:20 28672 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
-ra------ 2001-07-10 02:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2003-03-04 01:44 831557 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-03-04 01:44 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2004-01-26 11:38 866816 C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
--a------ 2007-03-14 15:52 3770024 C:\Program Files\TomTom HOME\TomTomHOME.exe

R0 iviVD;iviVD;C:\WINDOWS\system32\DRIVERS\iviVD.sys [2005-11-16 15:42]
S4 Propsprt;Propsprt;C:\WINDOWS\System32\drivers\modem.sys [2004-08-04 06:08]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34cc226c-7714-11db-927d-000e5038fc37}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7ddce07-1e40-11dc-9413-000e5038fc37}]
\Shell\AutoRun\command - H:\InstallTomTomHOME.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 20:02:04 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 17:17:04
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 17:31:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-27 17:31:36
ComboFix2.txt 2008-01-27 11:02:41
.
2008-01-23 23:50:27 --- E O F ---
sUBs
This is an infected email which you need to manually delete from your Thunderbird's Inbox:

C:\Documents and Settings\Owner\Application Data\Thunderbird\Profiles\yu29t5rv.default\Mail\Local Folders\Inbox
/[From Emma <emanuelle_48@yahoo.com>][Date Fri, 20 May 2005 10:39:06 -0700 (PDT)]



-------------


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

CODE
@echo off
rem save the current LSA "Authentication Packages" list to log.txt
swreg query "hklm\system\currentcontrolset\control\lsa" /v "authentication packages" >log.txt
rem reset the list to the Windows default (msv1_0 only); swreg follows reg.exe switch syntax, so the type switch is /t and /f overwrites without prompting
swreg add "hklm\system\currentcontrolset\control\lsa" /v "authentication packages" /t reg_multi_sz /d msv1_0 /f
echo.>>log.txt
echo.============>>log.txt
echo.>>log.txt
rem query again so the log shows the value before and after the change
swreg query "hklm\system\currentcontrolset\control\lsa" /v "authentication packages" >>log.txt
Start Notepadlog.txt
Nircmd wait 1500
rem clean up: remove the log and this batch file itself
del log.txt
del %0


Save this as fix.bat, choosing "Save type as - All Files".
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says
bennytheboy
Hi sUBs,

Ok, I have deleted the file manually as you suggested and I saved the file fix.bat as you said, but I think there was a problem with that, as an error box came up and whatever it was running appeared to abort, so I'm not sure what that was all about.

Anyway.

After yesterday's actions that you so kindly talked me through, my computer does appear to be back to as it was before the Vundo/Virtumonde infection and the explorer.exe file is running at its normal CPU usage.

Therefore I take it that no further action is needed and everything is ok?

Would that be correct?

Regards

Benny
sUBs
QUOTE
an error box came up and whatever it was running appeared to abort

Sorry about that. I just noted a typo in my script. Did it create a logfile named Log.txt next to the batchfile?
bennytheboy
Thanks for your reply.

Yes it did, but when the fix.bat aborted and closed the window it deleted the fix.bat and the log file from the desktop of its own accord, although I'm not sure why or how it did that.

Do you want me to run that script again and if so what was the typo?

Benny
sUBs
Please run this new script

CODE
@echo off
rem save the current LSA "Authentication Packages" list to log.txt
swreg query "hklm\system\currentcontrolset\control\lsa" /v "authentication packages" >log.txt
rem reset the list to the Windows default (msv1_0 only); swreg follows reg.exe switch syntax, so the type switch is /t and /f overwrites without prompting
swreg add "hklm\system\currentcontrolset\control\lsa" /v "authentication packages" /t reg_multi_sz /d msv1_0 /f
echo.>>log.txt
echo.============>>log.txt
echo.>>log.txt
rem query again so the log shows the value before and after the change
swreg query "hklm\system\currentcontrolset\control\lsa" /v "authentication packages" >>log.txt
Start Notepad log.txt
Nircmd wait 1500
rem clean up: remove the log and this batch file itself
del log.txt
del %0
bennytheboy
Ok thanks for your post.

I ran the fix.bat and here is the log file:-


SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
authentication packages REG_MULTI_SZ msv1_0\0C:\WINDOWS\system32\mljgf.dll\0\0

============


SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
authentication packages REG_MULTI_SZ msv1_0\0C:\WINDOWS\system32\mljgf.dll\0\0
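A read-only check of the LSA Authentication Packages list that the script above is resetting, added here as an example and not part of the thread (Python rather than the helper's batch): it parses the swreg output Benny posted, or ComboFix's Reg Loading Points line, and flags any entry other than the Windows XP default msv1_0. The sample inputs are adapted from the logs in this thread plus one constructed clean case.

```python
# Added example, not from the thread. LSASS loads every DLL named in the LSA
# "Authentication Packages" REG_MULTI_SZ at boot, and Windows XP ships with a
# single entry, msv1_0. The extra path in the swreg log above (mljgf.dll) is
# the Vundo hijack that the batch script is meant to remove.
import re
from typing import List, Optional

# Known-good contents of the value on Windows XP; anything else warrants a look.
DEFAULT_PACKAGES = {"msv1_0"}

# Sample input 1 (adapted from the swreg log posted above): swreg prints the
# REG_MULTI_SZ entries separated by the literal two characters "\0".
SWREG_LOG = r"""SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 (c)

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
authentication packages REG_MULTI_SZ msv1_0\0C:\WINDOWS\system32\mljgf.dll\0\0
"""

# Sample input 2 (constructed): what the same query shows after a successful reset.
CLEAN_LOG = r"""HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
authentication packages REG_MULTI_SZ msv1_0\0\0
"""

# Sample input 3 (adapted from the ComboFix "Reg Loading Points" section in this
# thread): ComboFix renders the same value with the entries separated by spaces.
COMBOFIX_LINE = r"""[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mljgf.dll
"""

_VALUE_RE = re.compile(r"^\s*authentication packages\s+REG_MULTI_SZ\s+(.*?)\s*$", re.I)


def parse_multi_sz(raw: str) -> List[str]:
    """Split a REG_MULTI_SZ rendered as text into its non-empty entries.

    swreg/reg.exe separate entries with a literal "\\0"; ComboFix uses spaces.
    The space form is ambiguous for paths that contain spaces, so the "\\0"
    form (the one the batch script above produces) is preferred when present.
    """
    parts = raw.split("\\0") if "\\0" in raw else raw.split()
    return [p.strip() for p in parts if p.strip()]


def find_auth_packages(text: str) -> Optional[List[str]]:
    """Return the Authentication Packages entries found in a log dump, or None."""
    for line in text.splitlines():
        m = _VALUE_RE.match(line)
        if m:
            return parse_multi_sz(m.group(1))
    return None


def suspicious_packages(packages: List[str]) -> List[str]:
    """Entries that are not part of the known-good default list."""
    return [p for p in packages if p.lower() not in DEFAULT_PACKAGES]


def assess(text: str) -> str:
    """One-word verdict: 'missing' (value not in the text), 'clean' or 'tampered'."""
    packages = find_auth_packages(text)
    if packages is None:
        return "missing"
    return "tampered" if suspicious_packages(packages) else "clean"


if __name__ == "__main__":
    for name, sample in (("swreg", SWREG_LOG), ("clean", CLEAN_LOG), ("combofix", COMBOFIX_LINE)):
        pkgs = find_auth_packages(sample) or []
        print(f"{name:9s} {assess(sample):9s} extra={suspicious_packages(pkgs)}")
```

Run against Benny's log it reports "tampered" with mljgf.dll as the extra entry, which is the same conclusion sUBs draws from the unchanged value in the second half of the log.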
sUBs
Log looks awful. Please delete your existing copy of ComboFix.exe. Grab a new copy from here:

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Then post a fresh log
bennytheboy
Ok will do.

It looks awful in what way?

You've got me worried now as I thought everything was fine.

Benny
sUBs
Benny, where's the log?
bennytheboy
I have included the new ComboFix log and another HijackThis log in case you need that.

I noticed that on this Combo Fix run it only completed 38 stages compared to 40 stages before, and that after Stage 30 it said:

SED: Can't read temp0w: No such file or directory.

Whilst running Combo Fix it also tried to change my Default Search engine settings (or something did).

I don't know if any of these are relevant.

Your help as always is appreciated.

Benny


ComboFix 08-01-29.2 - Owner 2008-01-28 23:51:51.9 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-30 )))))))))))))))))))))))))))))))
.

2008-01-27 17:48 . 2008-01-27 17:48 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-01-27 17:48 . 2008-01-27 17:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-17 21:42 . 2002-08-28 23:59 154,624 --a--c--- C:\WINDOWS\system32\dllcache\wlluc48.sys
2008-01-17 21:42 . 2003-01-20 17:23 69,120 --a--c--- C:\WINDOWS\system32\dllcache\wingb.ime
2008-01-17 21:42 . 2001-08-17 12:12 34,890 --a--c--- C:\WINDOWS\system32\dllcache\wlandrv2.sys
2008-01-17 21:42 . 2004-08-04 07:07 8,832 --a--c--- C:\WINDOWS\system32\dllcache\wmiacpi.sys
2008-01-17 21:40 . 2001-08-17 22:36 525,568 --a--c--- C:\WINDOWS\system32\dllcache\tridxp.dll
2008-01-17 21:39 . 2001-08-17 12:18 285,760 --a--c--- C:\WINDOWS\system32\dllcache\stlnata.sys
2008-01-17 21:38 . 2001-08-17 14:56 252,032 --a--c--- C:\WINDOWS\system32\dllcache\sis300iv.dll
2008-01-17 21:37 . 2001-07-21 14:29 161,568 --a--c--- C:\WINDOWS\system32\dllcache\sgsmusb.sys
2008-01-17 21:37 . 2001-08-17 12:51 98,080 --a--c--- C:\WINDOWS\system32\dllcache\sgiulnt5.sys
2008-01-17 21:37 . 2001-07-21 14:29 18,400 --a--c--- C:\WINDOWS\system32\dllcache\sgsmld.sys
2008-01-17 21:35 . 2001-08-17 13:28 899,146 --a--c--- C:\WINDOWS\system32\dllcache\r2mdkxga.sys
2008-01-17 21:34 . 2001-08-17 14:05 351,616 --a--c--- C:\WINDOWS\system32\dllcache\ovcodek2.sys
2008-01-17 21:33 . 2003-01-20 17:04 229,439 --a--c--- C:\WINDOWS\system32\dllcache\multibox.dll
2008-01-17 21:32 . 2003-01-20 17:04 1,875,968 --a--c--- C:\WINDOWS\system32\dllcache\msir3jp.lex
2008-01-17 21:31 . 2003-01-20 17:00 1,158,818 --a--c--- C:\WINDOWS\system32\dllcache\korwbrkr.lex
2008-01-17 21:30 . 2001-08-17 22:36 8,704 --a--c--- C:\WINDOWS\system32\dllcache\kbdjpn.dll
2008-01-17 21:30 . 2001-08-17 22:36 8,192 --a--c--- C:\WINDOWS\system32\dllcache\kbdkor.dll
2008-01-17 21:28 . 2001-08-17 22:36 90,200 --a--c--- C:\WINDOWS\system32\dllcache\io8ports.dll
2008-01-17 21:28 . 2004-08-04 07:00 87,424 --a--c--- C:\WINDOWS\system32\dllcache\irda.sys
2008-01-17 21:28 . 2001-08-17 12:12 45,632 --a--c--- C:\WINDOWS\system32\dllcache\ip5515.sys
2008-01-17 21:28 . 2001-08-17 13:49 26,624 --a--c--- C:\WINDOWS\system32\dllcache\irstusb.sys
2008-01-17 21:28 . 2001-08-17 13:49 23,552 --a--c--- C:\WINDOWS\system32\dllcache\irmk7.sys
2008-01-17 21:28 . 2001-08-17 13:51 18,688 --a--c--- C:\WINDOWS\system32\dllcache\irsir.sys
2008-01-17 21:28 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd106.dll
2008-01-17 21:28 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101c.dll
2008-01-17 21:28 . 2001-08-17 14:55 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101b.dll
2008-01-17 21:28 . 2001-08-17 14:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\kbd103.dll
2008-01-17 21:26 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-01-17 21:25 . 2001-08-17 12:17 629,952 --a--c--- C:\WINDOWS\system32\dllcache\eqn.sys
2008-01-17 21:24 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-01-17 21:23 . 2001-08-17 22:36 614,429 --a--c--- C:\WINDOWS\system32\dllcache\digiview.exe
2008-01-17 21:22 . 2003-01-20 17:46 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll
2008-01-17 21:21 . 2001-08-17 14:05 314,752 --a--c--- C:\WINDOWS\system32\dllcache\camdro21.sys
2008-01-17 21:20 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-01-17 21:19 . 2001-08-17 12:19 747,392 --a--c--- C:\WINDOWS\system32\dllcache\adm8830.sys
2008-01-17 21:18 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-01-15 17:03 . 2008-01-15 18:13 <DIR> d-------- C:\Program Files\SpywareBlaster
2008-01-14 23:18 . 2008-01-14 23:18 <DIR> d-------- C:\Program Files\Opera
2008-01-13 22:41 . 2008-01-25 20:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Spyware Terminator
2008-01-13 21:55 . 2008-01-27 01:47 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-01-13 21:55 . 2008-01-27 00:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Spyware Terminator
2008-01-13 21:55 . 2008-01-27 01:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-01-11 00:45 . 2008-01-11 00:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-09 21:23 . 2008-01-09 23:52 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-09 02:25 . 2003-01-02 09:36 <DIR> d-a------ C:\Documents and Settings\Administrator\WINDOWS
2008-01-09 02:25 . 2003-01-02 11:40 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\Symantec
2008-01-09 02:25 . 2003-01-02 09:33 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\Sonic
2008-01-09 02:25 . 2003-01-02 09:38 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\SampleView
2008-01-09 02:25 . 2003-01-02 09:35 <DIR> d-a------ C:\Documents and Settings\Administrator\Application Data\InterTrust

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 23:50 --------- d---a-w C:\Program Files\Common Files\Symantec Shared
2008-01-28 23:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Symantec
2008-01-28 10:43 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-24 20:47 --------- d-----w C:\Program Files\SmartFTP
2008-01-21 13:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-13 20:34 --------- d-----w C:\Program Files\Java
2008-01-12 16:02 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-08 18:59 --------- d-----w C:\Program Files\Lx_cats
2007-12-07 23:34 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent
2007-12-05 10:33 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2007-12-05 10:33 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2007-12-05 10:33 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2007-12-05 10:33 --------- d---a-w C:\Program Files\Symantec
2007-11-30 23:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-10-25 10:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2005-02-14 12:23 57,744 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2007-06-14 22:44 56 --sh--r C:\WINDOWS\system32\A07B39D1A5.sys
2007-06-14 22:44 10,022 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-17 11:21 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [1998-05-07 23:04 52736]
"KBD"="C:\HP\KBD\KBD.EXE" [2003-02-12 03:02 61440]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-14 04:42 212992]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-11-02 07:59 126976]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2002-10-16 23:57 81920]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"LXCFCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll" [2005-07-20 17:47 73728]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 21:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-06 01:22 26248]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-03-04 01:44 4595712]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 07:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 19:51 583048]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\mljgf.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo Scheduler server.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo Scheduler server.lnk
backup=C:\WINDOWS\pss\InterVideo Scheduler server.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Owner^Start Menu^Programs^Startup^TomTom HOME.lnk]
path=C:\Documents and Settings\Owner\Start Menu\Programs\Startup\TomTom HOME.lnk
backup=C:\WINDOWS\pss\TomTom HOME.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AlcxMonitor]
--a------ 2004-09-07 13:47 57344 C:\WINDOWS\ALCXMNTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 07:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2004-11-02 08:03 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
--a------ 2002-07-25 04:20 28672 C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
-ra------ 2001-07-10 02:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIEW]
--a------ 2003-03-04 01:44 831557 C:\WINDOWS\system32\nview.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2003-03-04 01:44 323584 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]
--a------ 2004-01-26 11:38 866816 C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 01:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
--a------ 2007-03-14 15:52 3770024 C:\Program Files\TomTom HOME\TomTomHOME.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{34cc226c-7714-11db-927d-000e5038fc37}]
\Shell\AutoRun\command - G:\InstallTomTomHOME.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a7ddce07-1e40-11dc-9413-000e5038fc37}]
\Shell\AutoRun\command - H:\InstallTomTomHOME.exe

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-11 20:02:04 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Owner.job"
- C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-30 00:06:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
.
**************************************************************************
.
Completion time: 2008-01-30 0:19:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-30 00:18:57
ComboFix2.txt 2008-01-27 17:31:47
ComboFix3.txt 2008-01-27 11:02:41
.
2008-01-23 23:50:27 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:21:14, on 30/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
C:\Program Files\Belkin\Belkin Wireless Network Utility\WLanCfgG.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-gb8.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.orange.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.crawler.com/search/ie.aspx?tb_id=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,CustomizeSearch = http://dnl.crawler.com/support/sa_customize.aspx?TbId=60311
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-gb8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-gb8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.symantec.com/techsupp/oem
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - c:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Orange Toolbar - {E97B5F2E-CA8E-4D34-BDA3-44EEC4ED2B12} - C:\Program Files\Orange Toolbar UK\ToolbarContainer192.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Money Viewer - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.orange.co.uk
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by15fd.bay15.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1160512250765
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj01.rightnowtech.com/5570-b298...l/java/RntX.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin Wireless USB Network Adapter (Belkin Wireless USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\Belkin Wireless Network Utility\WLService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9853 bytes
sUBs
QUOTE
Whilst running Combo Fix it also tried to change my Default Search engine settings (or something did).

How did you become aware of that?
bennytheboy
I noticed it in the system tray at the bottom right where the start up programs have their icons. A white icon with G for Google appeared and when I ran the mouse over the top of it, it said we have blocked an attempt to change your default search settings (or something very similar).

When ComboFix restarted that same icon was there again. It never usually is and it's happened a couple of times using ComboFix and it happened once recently whilst using the computer normally.

I can't say that I've seen this too many times whilst I've had this computer. Maybe never but I wouldn't quite be sure it was never.

I take it that it's part of the Google Toolbar Notifier process?

Again I don't know if this is relevant but I thought I'd post it and let you decide that?

Benny
bennytheboy
Forgot to say that I lost some of my Firefox Bookmarks whilst using this computer this evening as they mysteriously disappeared.

Not sure why as I didn't manually delete or even try to delete them.
sUBs
QUOTE
Combo Fix it also tried to change my Default Search engine settings

Yes, ComboFix will reset default search settings to default MS values. The reason I asked how you knew was that I was trying to ascertain whether any 3rd party program was interfering with ComboFix.

ComboFix's log looks okay. Just that niggling orphaned registry entry that needs fixing. When our previous attempt failed, I thought that your infection may have regenerated. ComboFix shows that you're still okay. Let's take another whack at clearing that stubborn registry entry.

CODE
@echo off
rem Target key: the LSA configuration, where the "authentication packages" value lives
set "key=hklm\system\currentcontrolset\control\lsa"
rem Reset the key's ACL first, in case the infection locked the key down
swreg acl "%key%" /reset /q
rem Record the value as found ("before" section of the log)
swreg query "%key%" /v "authentication packages" >log.txt
call :WriteLog
rem Delete the value (and a stray value named reg_multi_sz, if one exists), then
rem recreate it holding only the default Windows package, msv1_0
swreg delete "%key%" /v "authentication packages"
swreg delete "%key%" /v "reg_multi_sz" >nul 2>&1
swreg add "%key%" /v "authentication packages" /t reg_multi_sz /d "msv1_0"
rem Record the value as rewritten ("after" section of the log)
swreg query "%key%" /v "authentication packages" >>log.txt
call :WriteLog
rem Re-apply the key's ACL and append the resulting permissions to the log
swreg acl "%key%" /ro:f /ra:f /q
swreg acl "%key%" >>log.txt
Start Notepad log.txt
Nircmd wait 1500
del log.txt
rem Remove this batch file itself, then stop so execution does not fall into the subroutine
del %0
goto :EOF
:WriteLog
echo.>>log.txt
echo.============>>log.txt
echo.>>log.txt

bennytheboy
Hi sUBs,

I take it that you want me to save this code in notepad as before i.e. save as fix.bat and choose to "Save type as - all files"?

Benny
sUBs
Yes, that's correct. Sorry for being presumptuous.
bennytheboy
Ok here is the log file of that fix.bat

Benny


SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
authentication packages REG_MULTI_SZ msv1_0\0\0

============

*******************************************************************************
Registrykey: HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
MARKYS\Users
Allowed Read This Key Only (Inherited)
MARKYS\Users
Allowed Special (Unknown) Subkeys only (Inherited)
MARKYS\Administrators
Allowed Full Control This Key Only (Inherited)
MARKYS\Administrators
Allowed Special (Unknown) Subkeys only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Full Control This Key Only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Special (Unknown) Subkeys only (Inherited)
\CREATOR OWNER
Allowed Special (Unknown) Subkeys only (Inherited)
Perms

No Auditing set

Owner: Administrators (MARKYS\Administrators)
sUBs
Log appears incomplete. Could I trouble you to do it once more?
bennytheboy
Ok here it is but I think it's the same as the one before.

Benny



SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
authentication packages REG_MULTI_SZ msv1_0\0\0

============

*******************************************************************************
Registrykey: HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
MARKYS\Users
Allowed Read This Key Only (Inherited)
MARKYS\Users
Allowed Special (Unknown) Subkeys only (Inherited)
MARKYS\Administrators
Allowed Full Control This Key Only (Inherited)
MARKYS\Administrators
Allowed Special (Unknown) Subkeys only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Full Control This Key Only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Special (Unknown) Subkeys only (Inherited)
\CREATOR OWNER
Allowed Special (Unknown) Subkeys only (Inherited)
Perms

No Auditing set

Owner: Administrators (MARKYS\Administrators)

sUBs
Here's what it looks like when I ran it on my machine. There's a before & after section.

QUOTE
SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
authentication packages REG_MULTI_SZ msv1_0\0\0


============


SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
authentication packages REG_MULTI_SZ msv1_0\0\0


============

*******************************************************************************
Registrykey: HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
sUBs-PC\Users
Allowed Read This Key Only (Inherited)
sUBs-PC\Users
Allowed Special (Unknown) Subkeys only (Inherited)
sUBs-PC\Power Users
Allowed Read This Key Only (Inherited)
sUBs-PC\Power Users
Allowed Special (Unknown) Subkeys only (Inherited)
sUBs-PC\Administrators
Allowed Full Control This Key Only (Inherited)
sUBs-PC\Administrators
Allowed Special (Unknown) Subkeys only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Full Control This Key Only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Special (Unknown) Subkeys only (Inherited)
\CREATOR OWNER
Allowed Special (Unknown) Subkeys only (Inherited)
Perms

No Auditing set

Owner: Administrators (sUBs-PC\Administrators)
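A defender-side check for the value the fix script rewrites, added here as an example and not code from the thread or from SteelWerX: on a default Windows XP install the LSA Authentication Packages value holds only msv1_0, so any extra DLL name in it is worth a look (Vundo variants use this value to get their DLL loaded by LSASS at boot, which is why the thread calls it the malware entry). The script parses the swreg query output as quoted in the thread and compares it with that baseline; the second sample log, with a placeholder DLL name added, is constructed, and the assumption that swreg renders each element of the multi-string separated by `\0` is mine. On a live host, read_live_value() reads the same value directly through winreg.

```python
"""Audit the LSA "Authentication Packages" value against a known-good baseline.

Added example (not from the thread or from SteelWerX). It parses the text that
the SteelWerX Registry Console Tool (swreg) prints for the value, as quoted in
the thread, and flags any package name other than msv1_0. On a live Windows host
read_live_value() fetches the same value directly through winreg.
"""
import re

# Baseline: a default Windows XP install lists only the NTLM package, msv1_0.
BASELINE = ("msv1_0",)

# Constructed sample 1: the clean output posted in the thread.
CLEAN_LOG = r"""SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
authentication packages REG_MULTI_SZ msv1_0\0\0
"""

# Constructed sample 2: hypothetical infected output. The extra element is a
# placeholder name; the assumption that swreg separates elements with '\0'
# is ours, not something documented on the page.
INFECTED_LOG = r"""SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
authentication packages REG_MULTI_SZ msv1_0\0EXAMPLE_MALWARE_DLL\0\0
"""

VALUE_RE = re.compile(
    r"^authentication packages\s+REG_MULTI_SZ\s+(?P<raw>.*)$",
    re.IGNORECASE | re.MULTILINE,
)


def parse_auth_packages(log_text):
    """Return the package names from swreg output, or None if the value is absent."""
    match = VALUE_RE.search(log_text)
    if match is None:
        return None
    # swreg renders each embedded NUL as the two characters '\0'; split on them
    # and drop the empty strings left by the double terminator.
    return [p for p in match.group("raw").strip().split(r"\0") if p]


def audit(packages, baseline=BASELINE):
    """Compare a package list with the baseline; an unreadable value is itself a finding."""
    if packages is None:
        return {"status": "unreadable", "unexpected": [], "missing": list(baseline)}
    want = {b.lower() for b in baseline}
    have = {p.lower() for p in packages}
    unexpected = [p for p in packages if p.lower() not in want]
    missing = [b for b in baseline if b.lower() not in have]
    status = "clean" if not unexpected and not missing else "suspect"
    return {"status": status, "unexpected": unexpected, "missing": missing}


def audit_log(log_text):
    """Convenience wrapper: parse swreg output, then audit it."""
    return audit(parse_auth_packages(log_text))


def read_live_value():
    """Windows only: read the value directly (REG_MULTI_SZ comes back as a list)."""
    import winreg  # only available on Windows
    path = r"SYSTEM\CurrentControlSet\Control\Lsa"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, kind = winreg.QueryValueEx(key, "Authentication Packages")
    if kind != winreg.REG_MULTI_SZ:
        return None
    return list(value)


if __name__ == "__main__":
    for label, text in (("clean sample", CLEAN_LOG), ("infected sample", INFECTED_LOG)):
        print(f"{label}: {audit_log(text)}")
```

A "suspect" result is a triage lead, not a verdict: some legitimate software registers its own authentication package, so resolve each unexpected name to a file on disk and check its publisher before treating it as malware. An "unreadable" result matters too, since a value that the tool cannot query may mean the key's permissions have been altered, which is exactly what the fix script's acl /reset step addresses.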
bennytheboy
I've run it a 3rd time and I think it's the same as before but I've posted the new one again anyway.

When I save the file the encoding is ANSI. There are 3 other codes: Unicode, Unicode big endian and UTF-8.

I take it that ANSI is the one I want?

Benny


SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
authentication packages REG_MULTI_SZ msv1_0\0\0

============


SteelWerX Registry Console Tool 2.0
Written by Bobbi Flekman 2006 ©

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
authentication packages REG_MULTI_SZ msv1_0\0\0

============

*******************************************************************************
Registrykey: HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa

Permissions:
*******************************************************************************
Username
Type Permissions Inheritance
*******************************************************************************
MARKYS\Users
Allowed Read This Key Only (Inherited)
MARKYS\Users
Allowed Special (Unknown) Subkeys only (Inherited)
MARKYS\Administrators
Allowed Full Control This Key Only (Inherited)
MARKYS\Administrators
Allowed Special (Unknown) Subkeys only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Full Control This Key Only (Inherited)
NT AUTHORITY\SYSTEM
Allowed Special (Unknown) Subkeys only (Inherited)
\CREATOR OWNER
Allowed Special (Unknown) Subkeys only (Inherited)
Perms

No Auditing set

Owner: Administrators (MARKYS\Administrators)
bennytheboy
Looking at it again then I think the last fix.bat is what you are looking for.

I'll check in again in 4 or 5 hours to see if it was.

Benny
sUBs
Yes, that's the correct one. The malware entry has been removed.

How's the machine now?
bennytheboy
To be honest the machine seems fine and has done so since you very kindly wrote that script for me to drag into ComboFix last weekend.

I take it that my computer is now clean and I'll go ahead and make a new System Restore point to reflect that?

I would like to thank you very much for your time, efforts and patience with me over this. All your help has been greatly appreciated and over the next couple of days I will make a donation to this site to reflect that.

Thanks once again to you and to jpshortstuff for all his help as well.

Many Thanks

Benny
sUBs
Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. Uninstall ComboFix ... do not skip this step
    This process will perform some post cleanup measures.
    Do this by going to Start > Run & typing in ComboFix /u

  2. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  3. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here: http://www.bleepingcomputer.com/forums/tutorial60.html


  4. Microsoft Windows Update - http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  5. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here: http://www.bleepingcomputer.com/forums/tutorial49.html

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc - Trillian or http://www.miranda-im.com - Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
jpshortstuff
Thanks to sUBs for donating his expertise here, we're lucky we have people like you around to step in.
bennytheboy
Thank you to sUBs for your final post in this thread and for the tips on how to delete ComboFix and the Virus/Malware stuff etc etc although I did follow very similar lines before my computer got infected but I will be doubly sure to do so from now onwards.

Also just to ditto jpshortstuff's comments about sUBs help that he gave me in this thread and I am forever in gratitude to you for this.

Lastly just to thank jpshortstuff again who helped me out also and got the ball rolling.

Thanks guys.

Benny
Invision Power Board © 2001-2009 Invision Power Services, Inc.