Help! Trojan Vundo, Trojan Metajuan, W32 Tratsinf!, Virtumonde And Downloader Is Slowly Destroying My Computer.


14 replies to this topic

#1 Michellebro

Michellebro

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:56 PM

Posted 24 January 2008 - 03:30 AM

About a month ago I noticed my computer was starting to slow down, particularly when using Internet Explorer. My husband had also downloaded 'Steam', an online gaming programme, and bought Day of Defeat, a completely online game played on servers..... however, I don't think this was the problem. However, one of the above infections had started to interfere with the platform and engine and now it is unplayable.
I was alerted via Norton Internet Security that I repeatedly was being infected with 'W32 Tratsinf!' and this was happening every 2-3 minutes, then it would be 'Downloader', 'Trojan Vundo' and 'Metajuan'.
I don't know how these all got into my computer but they did, despite me having Norton Internet Security.
I became confused from there.... and still am. I have looked at the registry keys, where values had been added etc., but to be honest I deleted a value that was added, System32/Vundo.exe, but only went as far as that. I have deleted files that appear to be infected as well.
I was getting pop-ups, alerts that my system was unstable tempting me to try products to fix the problem, and other error messages, and I think they infected my AV as it has not been picking up some infections other programmes have.
I have followed your advice and run all the AV and Ad-Aware programs, and I must admit my computer has really stabilised from there. Could someone please look at the HJT log to see if I have eradicated the problems or made them worse......

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:21:48, on 24/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\DOCUME~1\MICHEL~1\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wanadoo.co.uk/cd_redirects/wanadoohome
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B8DFD819-F9E4-4339-A4A6-10D226C10B48} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [f421d602] rundll32.exe "C:\WINDOWS\system32\cuqxkgkd.dll",b
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] (User 'Default user')
O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe

--
End of file - 12905 bytes

BIT DEFENDER LOG
:\Documents and Settings\Michelle & Ben\My Documents\Downloads\_PANTHEON_ sonic cineplayer dvd decoder SVCD Special.zip=>Setup.exe
Infected with: Trojan.Dropper.Mudrop.DU

C:\Documents and Settings\Michelle & Ben\My Documents\Downloads\_PANTHEON_ sonic cineplayer dvd decoder SVCD Special.zip=>Setup.exe
Disinfection failed

C:\Documents and Settings\Michelle & Ben\My Documents\Downloads\_PANTHEON_ sonic cineplayer dvd decoder SVCD Special.zip=>Setup.exe
Deleted

C:\Documents and Settings\Michelle & Ben\My Documents\Downloads\_PANTHEON_ sonic cineplayer dvd decoder SVCD Special.zip
Updated

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack.zip=>Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack/PowerDVD.exe
Infected with: Trojan.Dropper.Delf.FP

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack.zip=>Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack/PowerDVD.exe
Disinfection failed

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack.zip=>Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack/PowerDVD.exe
Deleted

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack.zip
Updated

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack.zip=>Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack/PowerDVD7_Patch_2211a.exe
Infected with: Trojan.Dropper.Delf.FP

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack.zip=>Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack/PowerDVD7_Patch_2211a.exe
Disinfection failed

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack.zip=>Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack/PowerDVD7_Patch_2211a.exe
Deleted

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack.zip
Updated

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar=>InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE\ISSetupPrerequisites\{9D80BC34-050C-46A6-9690-F7E081CD791E}\dxwebsetup.exe
Infected with: Trojan.Dropper.Delf.FP

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar=>InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE\ISSetupPrerequisites\{9D80BC34-050C-46A6-9690-F7E081CD791E}\dxwebsetup.exe
Disinfection failed

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar=>InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE\ISSetupPrerequisites\{9D80BC34-050C-46A6-9690-F7E081CD791E}\dxwebsetup.exe
Deleted

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar
Update failed

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar=>InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE\ISSetupPrerequisites\{B0237259-E5E2-4381-BD14-9D0C62BDB4B1}\WindowsInstaller-KB893803-x86.exe
Infected with: Trojan.Dropper.Delf.FP

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar=>InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE\ISSetupPrerequisites\{B0237259-E5E2-4381-BD14-9D0C62BDB4B1}\WindowsInstaller-KB893803-x86.exe
Disinfection failed

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar=>InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE\ISSetupPrerequisites\{B0237259-E5E2-4381-BD14-9D0C62BDB4B1}\WindowsInstaller-KB893803-x86.exe
Deleted

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar
Update failed

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar=>InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE\ISSetupPrerequisites\{F13C828A-9EAE-4992-AFF2-F21E388A1DFC}\vcredist_x86.exe
Infected with: Trojan.Dropper.Delf.FP

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar=>InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE\ISSetupPrerequisites\{F13C828A-9EAE-4992-AFF2-F21E388A1DFC}\vcredist_x86.exe
Disinfection failed

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar=>InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE\ISSetupPrerequisites\{F13C828A-9EAE-4992-AFF2-F21E388A1DFC}\vcredist_x86.exe
Deleted

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar
Update failed

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar=>InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE\keygen.exe
Infected with: Trojan.Dropper.Delf.FP

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar=>InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE\keygen.exe
Disinfection failed

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar=>InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE\keygen.exe
Deleted

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar
Update failed

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar=>InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE\setup.exe
Infected with: Trojan.Dropper.Delf.FP

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar=>InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE\setup.exe
Disinfection failed

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar=>InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE\setup.exe
Deleted

C:\Documents and Settings\Michelle & Ben\My Documents\Shareaza Downloads\InterVideo.WinDVD.Platinum.v8.0.6.109.Incl.Keymaker-CORE.rar
Update failed

C:\Documents and Settings\Michelle & Ben\My Documents\Unzipped\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack\PowerDVD.exe
Infected with: Trojan.Dropper.Delf.FP

C:\Documents and Settings\Michelle & Ben\My Documents\Unzipped\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack\PowerDVD.exe
Disinfection failed

C:\Documents and Settings\Michelle & Ben\My Documents\Unzipped\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack\PowerDVD.exe
Deleted

C:\Documents and Settings\Michelle & Ben\My Documents\Unzipped\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack\PowerDVD7_Patch_2211a.exe
Infected with: Trojan.Dropper.Delf.FP

C:\Documents and Settings\Michelle & Ben\My Documents\Unzipped\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack\PowerDVD7_Patch_2211a.exe
Disinfection failed

C:\Documents and Settings\Michelle & Ben\My Documents\Unzipped\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack\Cyberlink Power DVD 7.0 Build 2211a Deluxe Advance Edition+ Crack\PowerDVD7_Patch_2211a.exe
Deleted

C:\Documents and Settings\Michelle & Ben\My Documents\Unzipped\_PANTHEON_ sonic cineplayer dvd decoder SVCD Special\Setup.exe
Infected with: Trojan.Dropper.Mudrop.DU

C:\Documents and Settings\Michelle & Ben\My Documents\Unzipped\_PANTHEON_ sonic cineplayer dvd decoder SVCD Special\Setup.exe
Disinfection failed

C:\Documents and Settings\Michelle & Ben\My Documents\Unzipped\_PANTHEON_ sonic cineplayer dvd decoder SVCD Special\Setup.exe
Deleted




Thanks so so much in advance for your time. I have also attached other logs from BitDefender etc.

Regards

Michelle :thumbsup:


#2 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  • Gender:Male
  • Location:Hamburg
  • Local time:11:56 PM

Posted 24 January 2008 - 10:26 AM

Hello Michellebro and welcome to BleepingComputer!

Apologies for the delay. The forum has been very busy lately. If you are still having problems, please post a brand new HijackThis log as a reply to this topic. Before posting the log, please make sure you follow all the steps found in this topic: Preparation Guide For Use Before Posting A HijackThis Log.

Thanks,

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#3 Michellebro

Michellebro
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:10:56 PM

Posted 24 January 2008 - 01:53 PM

Many thanks for your response.
I have followed the guide and this is my HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:38:20, on 24/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\DOCUME~1\MICHEL~1\LOCALS~1\Temp\clclean.0001
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wanadoo.co.uk/cd_redirects/wanadoohome
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B8DFD819-F9E4-4339-A4A6-10D226C10B48} - (no file)
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [f421d602] rundll32.exe "C:\WINDOWS\system32\cuqxkgkd.dll",b
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] (User 'Default user')
O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe

--
End of file - 12905 bytes

I think most of my initial problems have been resolved, but am now paranoid and if possible would like some confirmation. However, I think my latest problem is that of Internet Explorer - it just won't connect to pages at times. This is the second time I have written this!!!!!

#4 Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • Gender:Male
  • Location:Hamburg

Posted 25 January 2008 - 06:08 AM

Hey Michellebro,

Please note that comments are made in green, links are in red, important things are outlined by using the blue color and the numbered steps I would like you to follow are outlined with orange.

Please also take note of the following:
  • I will start working on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine
  • The process is not instant. Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
Step #1

Run HijackThis, press Scan, and put a check mark next to all these entries:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B8DFD819-F9E4-4339-A4A6-10D226C10B48} - (no file)
O4 - HKLM\..\Run: [f421d602] rundll32.exe "C:\WINDOWS\system32\cuqxkgkd.dll",b


Step #2

Please download ComboFix from here and save it to your Desktop.

When done downloading, please print out and follow these instructions: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Click on this link to see a list of programs that should be disabled. The list is not all inclusive.
  • When you have completed the ComboFix instructions, copy and paste the contents of C:\ComboFix.txt in your next reply.
  • When done, be sure to re-enable your anti-virus and other security programs.

Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read Combofix's Disclaimer.


Close all other windows and browsers, and press the Fix Checked button.

Step #3

Please post back with a fresh HijackThis log and the ComboFix log. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
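A small triage script for the kinds of HijackThis entries the helper picks out above: O2 BHOs with no backing file, and an O4 Run entry that loads a random-named system32 DLL through rundll32 with a one-letter export. This is an added example, not code from this thread or from HijackThis; the random-name and short-export heuristics are assumptions, and the sample lines are copied from the log posted above plus benign lines for contrast.

```python
"""Flag HijackThis (HJT) log entries that match the patterns singled out in this
thread.  Added example; the heuristics below are assumptions, not HJT logic."""
import re

# Every HJT finding line has the form "<section> - <body>", e.g. "O4 - HKLM\..\Run: ..."
HJT_LINE = re.compile(r"^(?P<section>[OR]\d+) - (?P<body>.*)$")
# O4 body: HKLM\..\Run: [value name] command line
O4_RUN = re.compile(r"^HK(?P<hive>LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# O2 body: BHO: <name> - {CLSID} - <path or "(no file)">
O2_BHO = re.compile(r"^BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
# rundll32 loading a DLL out of system32 through a one- or two-character export
# (the posted entry uses ",b"); legitimate entries such as NvCpl.dll,NvStartup
# use descriptive export names and are not matched.  Assumed heuristic.
RUNDLL_SYS32 = re.compile(
    r'^rundll32(?:\.exe)?\s+"?C:\\WINDOWS\\system32\\(?P<dll>[^\\"]+\.dll)"?,(?P<export>\w{1,2})$',
    re.IGNORECASE,
)
# Run value names like [f421d602]: eight hex digits with no meaning.  Assumed heuristic.
RANDOM_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)


def triage_hjt(log_text):
    """Return a list of (line, reason) tuples for entries worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue  # process list, headers and blank lines carry no findings
        section, body = m.group("section"), m.group("body")
        if section == "O2":
            bho = O2_BHO.match(body)
            if bho and bho.group("path") == "(no file)":
                findings.append((line, "BHO registered but its DLL is missing"))
        elif section == "O4":
            run = O4_RUN.match(body)
            if not run:
                continue  # HKUS and Startup-folder forms are not covered here
            reasons = []
            if RUNDLL_SYS32.match(run.group("cmd")):
                reasons.append("rundll32 loads a system32 DLL via a 1-2 char export")
            if RANDOM_VALUE_NAME.match(run.group("name")):
                reasons.append("random-looking Run value name")
            if reasons:
                findings.append((line, "; ".join(reasons)))
    return findings


# Constructed sample: lines copied from the log posted above plus benign ones.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [f421d602] rundll32.exe "C:\WINDOWS\system32\cuqxkgkd.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_LOG):
        print(f"{reason}\n    {line}")
```

Running it prints exactly the two entries the helper asked to have fixed; the benign NvCpl and ctfmon entries are left alone.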


#5 Michellebro

  • Topic Starter

  • Members
  • 11 posts

Posted 25 January 2008 - 06:58 PM

Wow, that was frightening!!!
Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:52:57, on 25/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\DOCUME~1\MICHEL~1\LOCALS~1\Temp\clclean.0001
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wanadoo.co.uk/cd_redirects/wanadoohome
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [kernel] C:\Program Files\kernel\kernel.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] (User 'Default user')
O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe

--
End of file - 12463 bytes

This is the ComboFix log:

ComboFix 08-01-23.1C - Michelle & Ben 2008-01-25 22:52:05.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1322 [GMT 0:00]
Running from: C:\Documents and Settings\Michelle & Ben\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cuqxkgkd.dll
C:\WINDOWS\system32\dkgkxquc.ini
C:\WINDOWS\system32\hhkmp.ini
C:\WINDOWS\system32\hhkmp.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\orutv.ini2
C:\WINDOWS\system32\system
C:\WINDOWS\system32\system\msxml4.dll
C:\WINDOWS\system32\system\msxml4r.dll

.
((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-25 21:11 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-25 21:11 . 2008-01-21 08:15 209 --a------ C:\Boot.bak
2008-01-25 21:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 19:34 . 2008-01-25 22:59 <DIR> d-------- C:\Program Files\Steam
2008-01-23 21:09 . 2008-01-25 22:59 692,256 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-23 21:09 . 2008-01-25 22:55 9,068 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-23 21:07 . 2008-01-23 21:07 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-01-23 20:58 . 2008-01-25 22:04 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-22 16:21 . 2008-01-23 14:49 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-22 07:38 . 2008-01-22 07:38 <DIR> d-------- C:\Program Files\Uniblue
2008-01-21 22:58 . 2008-01-22 16:14 <DIR> d-------- C:\WINDOWS\system32\HouseCall 6.6
2008-01-20 11:09 . 2008-01-20 11:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-20 10:12 . 2008-01-22 18:40 <DIR> d-------- C:\VundoFix Backups
2008-01-19 18:49 . 2008-01-19 18:49 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-19 18:38 . 2008-01-19 18:38 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-19 14:35 . 2008-01-19 14:35 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-19 13:25 . 2008-01-19 13:25 1,883,804 --ahs---- C:\WINDOWS\system32\ypcojdsn.tmp
2008-01-18 15:24 . 2008-01-19 11:40 1,883,804 --ahs---- C:\WINDOWS\system32\ypcojdsn.ini
2008-01-17 15:24 . 2008-01-18 07:06 1,068,813 --ahs---- C:\WINDOWS\system32\iyltpvmv.ini
2008-01-15 07:34 . 2008-01-17 15:13 1,068,639 --ahs---- C:\WINDOWS\system32\urosxfig.ini
2008-01-02 18:24 . 2008-01-02 18:24 <DIR> d-------- C:\WINDOWS\nview
2008-01-02 18:24 . 2007-12-17 13:53 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-01-02 18:23 . 2008-01-02 18:23 <DIR> d-------- C:\NVIDIA
2008-01-02 18:21 . 2006-04-21 00:27 544,768 --a------ C:\WINDOWS\system32\CLVSD.ax
2008-01-02 18:21 . 2003-03-25 05:49 45,056 --a------ C:\WINDOWS\system32\ogg.dll
2008-01-02 18:21 . 2006-10-02 09:43 3,181 --a------ C:\WINDOWS\FantasyDVD.ini
2008-01-02 18:21 . 2006-07-30 08:02 2,413 --a------ C:\WINDOWS\ShortCutInf.ini
2008-01-02 17:12 . 2008-01-02 17:12 <DIR> d-------- C:\Program Files\MailWasher
2008-01-02 15:55 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-01-02 15:15 . 2008-01-03 16:34 <DIR> d-------- C:\Program Files\Shareaza
2008-01-02 14:41 . 2008-01-02 15:09 <DIR> d-------- C:\Program Files\Shareaza Applications
2008-01-02 14:41 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2008-01-02 14:08 . 2008-01-22 07:16 605 --a------ C:\WINDOWS\wininit.ini
2008-01-02 12:33 . 2008-01-02 17:06 0 --a------ C:\WINDOWS\PlayList.Fpl
2008-01-02 12:31 . 2008-01-02 12:55 <DIR> d-------- C:\Program Files\LimeWire Turbo Accelerator
2008-01-02 12:31 . 2008-01-02 12:31 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-01-02 11:40 . 2008-01-02 18:21 <DIR> d-------- C:\WINDOWS\system32\FTCodecs
2008-01-02 11:40 . 2008-01-02 11:40 <DIR> d-------- C:\Program Files\Fantasysoft-Studio
2008-01-02 11:40 . 2008-01-02 17:06 389,120 --a------ C:\WINDOWS\system32\ACTSKN43.OCX
2008-01-02 10:01 . 2008-01-02 10:01 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-01 16:36 . 2008-01-01 16:36 <DIR> d-------- C:\Program Files\Ventrilo
2008-01-01 16:36 . 2008-01-19 14:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 22:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-25 18:02 --------- d-----w C:\Program Files\Norton SystemWorks
2008-01-21 19:34 --------- d-----w C:\Program Files\iTunes
2008-01-20 22:13 --------- d-----w C:\Program Files\Norton Internet Security
2008-01-20 21:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-15 14:16 --------- d-----w C:\Program Files\MSN Messenger
2008-01-11 17:58 --------- d-----w C:\Program Files\World of Warcraft
2008-01-07 18:10 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-07 18:10 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-07 18:10 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-07 18:10 --------- d-----w C:\Program Files\Symantec
2008-01-03 16:34 --------- d-----w C:\Program Files\QuickTime
2008-01-03 16:34 --------- d-----w C:\Program Files\AGEIA Technologies
2008-01-02 12:03 --------- d-----w C:\Program Files\NCH Swift Sound
2008-01-02 11:28 --------- d-----w C:\Program Files\RGB
2008-01-02 10:01 --------- d-----w C:\Program Files\Common Files\Real
2007-12-08 16:33 --------- d-----w C:\Program Files\Yahoo!
2007-12-07 20:50 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-05 01:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-01 03:01 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-12-01 03:00 --------- d-----w C:\Program Files\Windows Live Favorites
2007-11-30 23:57 43,696 ----a-w C:\WINDOWS\system32\drivers\srtspx.sys
2007-11-30 23:57 317,616 ----a-w C:\WINDOWS\system32\drivers\srtspl.sys
2007-11-30 23:57 279,088 ----a-w C:\WINDOWS\system32\drivers\srtsp.sys
2007-11-30 23:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspx.cat
2007-11-30 23:57 10,549 ----a-w C:\WINDOWS\system32\drivers\srtspl.cat
2007-11-30 23:57 10,545 ----a-w C:\WINDOWS\system32\drivers\srtsp.cat
2007-11-30 23:57 1,430 ----a-w C:\WINDOWS\system32\drivers\srtspl.inf
2007-11-30 23:57 1,421 ----a-w C:\WINDOWS\system32\drivers\srtspx.inf
2007-11-30 23:57 1,415 ----a-w C:\WINDOWS\system32\drivers\srtsp.inf
2007-11-14 16:05 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-10-25 10:26 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
2007-02-25 13:08 7,706,216 ----a-w C:\Program Files\winzip110.exe
2007-02-24 20:58 899,414 ----a-w C:\Program Files\SetupDVDDecrypter_3.5.4.0.exe
2007-02-24 17:51 6,906,544 ----a-w C:\Program Files\videoraipodconverter_Installer.exe
2007-02-24 12:15 4,301,387 ----a-w C:\Program Files\Shareaza_2.2.5.0.exe
2007-02-02 11:21 14,993,976 ----a-w C:\Program Files\GoogleEarthWin.exe
2007-01-25 21:08 278,528 ----a-w C:\Program Files\Common Files\FDEUnInstaller.exe
.
<pre>
----a-w		   158,208 2008-01-20 22:21:34  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
----a-w			15,360 2008-01-19 18:38:45  C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8DFD819-F9E4-4339-A4A6-10D226C10B48}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-23 21:07 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8B68564D-53FD-4293-B80C-993A9F3988EE}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
{BC4FFE41-DE9F-46FA-B455-AAD49B9F9938}
{EE5D279F-081B-4404-994D-C6B60AAEBA6D}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-23 21:07 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 19:40 24576 C:\WINDOWS\MIDIDEF.EXE]
"kernel"="C:\Program Files\kernel\kernel.exe" [ ]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-21 08:17 15360]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-01-24 19:39 1266936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 16:00 282624 C:\WINDOWS\stsystra.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"MBMon"="CTMBHA.DLL" [2006-03-15 20:15 1355468 C:\WINDOWS\system32\CTMBHA.DLL]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-20 22:32 517768]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-20 22:32 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-01-20 22:15 26248]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2008-01-21 08:17 64512]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="" []

C:\Documents and Settings\Michelle & Ben\Start Menu\Programs\Startup\
Norton Disk Doctor.LNK - C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE [2003-09-10 05:26:58 376832]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-12-03 11:10:00 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2003-05-28 19:01]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2003-09-10 05:12]
S2 NvNdis;NVIDIA NDIS IO Control Driver;C:\WINDOWS\system32\Drivers\NvNdis.sys []
S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2003-09-10 04:58]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-22 08:01:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-25 23:17:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-01-25 20:00:22 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Michelle & Ben.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exeh/TASK:
"2008-01-25 18:02:58 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-01-25 00:00:01 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 22:59:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-25 23:28:39 - machine was rebooted [Michelle & Ben]
ComboFix-quarantined-files.txt 2008-01-25 23:28:36
.
2008-01-09 03:02:24 --- E O F ---

I wonder what you make of all of that -
I have noticed that the phishing filter on Norton Internet Security now has an error and won't work - although I have Zone Labs as backup.
Look forward to hearing from you.

Michelle :)

#6 Michellebro

Michellebro
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 26 January 2008 - 06:30 AM

Hi
I should be waiting for your response, however I thought it might be important to also show you the Spybot S&D TeaTimer resident log, as the registry entries you asked me to check and fix with HJT were deleted. Was this supposed to happen? I made this decision as I assumed that after I hit the fix button, TeaTimer was alerting me, so I agreed to the deletion. Should they have been?

21/01/2008 22:05:03 Denied (based on user decision) value "Spybot - Search & Destroy" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
21/01/2008 22:07:06 Allowed (based on user decision) value "SpybotDeletingB5148" (new data: "command /c del "C:\WINDOWS\system32\efcyywu.dll_old"") added in System Startup user entry!
21/01/2008 22:07:17 Denied (based on user decision) value "SpybotDeletingD2024" (new data: "cmd /c del "C:\WINDOWS\system32\efcyywu.dll_old"") added in System Startup user entry!
21/01/2008 22:07:26 Allowed (based on user decision) value "SpybotDeletingA3690" (new data: "command /c del "C:\WINDOWS\system32\efcyywu.dll_old"") added in System Startup global entry!
21/01/2008 22:07:34 Allowed (based on user decision) value "SpybotDeletingC3692" (new data: "cmd /c del "C:\WINDOWS\system32\efcyywu.dll_old"") added in System Startup global entry!
21/01/2008 22:07:42 Allowed (based on user decision) value "SpybotDeletingA6202" (new data: "command /c del "C:\WINDOWS\system32\vturo.dll_old"") added in System Startup global entry!
21/01/2008 22:07:43 Allowed (based on user decision) value "SpybotDeletingC7051" (new data: "cmd /c del "C:\WINDOWS\system32\vturo.dll_old"") added in System Startup global entry!
21/01/2008 22:07:50 Allowed (based on user decision) value "SpybotDeletingB8621" (new data: "command /c del "C:\WINDOWS\system32\vturo.dll_old"") added in System Startup user entry!
21/01/2008 22:07:51 Allowed (based on user decision) value "SpybotDeletingD5925" (new data: "cmd /c del "C:\WINDOWS\system32\vturo.dll_old"") added in System Startup user entry!
21/01/2008 22:23:12 Denied (based on user blacklist) value "Spybot - Search & Destroy" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
21/01/2008 22:27:22 Allowed (based on user decision) value "SpybotDeletingB608" (new data: "command /c del "C:\WINDOWS\system32\efcyywu.dll_old"") added in System Startup user entry!
21/01/2008 22:28:01 Allowed (based on user decision) value "SpybotDeletingD8559" (new data: "cmd /c del "C:\WINDOWS\system32\efcyywu.dll_old"") added in System Startup user entry!
21/01/2008 22:28:10 Allowed (based on user decision) value "SpybotDeletingA1664" (new data: "command /c del "C:\WINDOWS\system32\efcyywu.dll_old"") added in System Startup global entry!
21/01/2008 22:28:14 Allowed (based on user decision) value "SpybotDeletingC1647" (new data: "cmd /c del "C:\WINDOWS\system32\efcyywu.dll_old"") added in System Startup global entry!
21/01/2008 22:28:17 Allowed (based on user decision) value "SpybotDeletingA4740" (new data: "command /c del "C:\WINDOWS\system32\vturo.dll_old"") added in System Startup global entry!
21/01/2008 22:28:24 Allowed (based on user decision) value "SpybotDeletingC4860" (new data: "cmd /c del "C:\WINDOWS\system32\vturo.dll_old"") added in System Startup global entry!
21/01/2008 22:28:27 Allowed (based on user decision) value "SpybotDeletingB9077" (new data: "command /c del "C:\WINDOWS\system32\vturo.dll_old"") added in System Startup user entry!
21/01/2008 22:28:30 Allowed (based on user decision) value "SpybotDeletingD6109" (new data: "cmd /c del "C:\WINDOWS\system32\vturo.dll_old"") added in System Startup user entry!
21/01/2008 22:46:05 Denied (based on user blacklist) value "Spybot - Search & Destroy" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
21/01/2008 22:46:07 Denied (based on user blacklist) value "Spybot - Search & Destroy" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
21/01/2008 22:53:01 Denied (based on user decision) value "SpybotDeletingB7143" (new data: "command /c del "C:\WINDOWS\system32\efcyywu.dll_old"") added in System Startup user entry!
21/01/2008 22:53:18 Allowed (based on user decision) value "SpybotDeletingD9639" (new data: "cmd /c del "C:\WINDOWS\system32\efcyywu.dll_old"") added in System Startup user entry!
21/01/2008 22:53:25 Allowed (based on user decision) value "SpybotDeletingA4756" (new data: "command /c del "C:\WINDOWS\system32\efcyywu.dll_old"") added in System Startup global entry!
21/01/2008 22:53:34 Allowed (based on user decision) value "SpybotDeletingC1962" (new data: "cmd /c del "C:\WINDOWS\system32\efcyywu.dll_old"") added in System Startup global entry!
21/01/2008 22:53:38 Allowed (based on user decision) value "SpybotDeletingA145" (new data: "command /c del "C:\WINDOWS\system32\vturo.dll_old"") added in System Startup global entry!
21/01/2008 22:53:44 Allowed (based on user decision) value "SpybotDeletingC7543" (new data: "cmd /c del "C:\WINDOWS\system32\vturo.dll_old"") added in System Startup global entry!
21/01/2008 22:53:48 Allowed (based on user decision) value "SpybotDeletingB7469" (new data: "command /c del "C:\WINDOWS\system32\vturo.dll_old"") added in System Startup user entry!
21/01/2008 22:53:52 Allowed (based on user decision) value "SpybotDeletingD2559" (new data: "cmd /c del "C:\WINDOWS\system32\vturo.dll_old"") added in System Startup user entry!
21/01/2008 22:59:03 Allowed (based on user decision) value "{215B8138-A3CF-44C5-803F-8226143CFC0A}" (new data: "") added in ActiveX Distribution Unit!
21/01/2008 23:17:14 Denied (based on user blacklist) value "Spybot - Search & Destroy" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
22/01/2008 07:16:52 Denied (based on user decision) value "SpybotDeletingB2846" (new data: "command /c del "C:\WINDOWS\system32\efcyywu.dll_old"") added in System Startup user entry!
22/01/2008 07:23:46 Allowed (based on user decision) value "SpybotDeletingB5148" (new data: "") deleted in System Startup user entry!
22/01/2008 07:23:49 Allowed (based on user decision) value "SpybotDeletingB8621" (new data: "") deleted in System Startup user entry!
22/01/2008 07:23:52 Allowed (based on user decision) value "SpybotDeletingD5925" (new data: "") deleted in System Startup user entry!
22/01/2008 07:23:54 Allowed (based on user decision) value "SpybotDeletingB608" (new data: "") deleted in System Startup user entry!
22/01/2008 07:23:57 Allowed (based on user decision) value "SpybotDeletingD8559" (new data: "") deleted in System Startup user entry!
22/01/2008 07:23:58 Allowed (based on user decision) value "SpybotDeletingB9077" (new data: "") deleted in System Startup user entry!
22/01/2008 07:23:59 Allowed (based on user decision) value "SpybotDeletingD6109" (new data: "") deleted in System Startup user entry!
22/01/2008 07:24:02 Allowed (based on user decision) value "SpybotDeletingD9639" (new data: "") deleted in System Startup user entry!
22/01/2008 07:24:03 Allowed (based on user decision) value "SpybotDeletingB7469" (new data: "") deleted in System Startup user entry!
22/01/2008 07:24:05 Allowed (based on user decision) value "SpybotDeletingD2559" (new data: "") deleted in System Startup user entry!
22/01/2008 07:24:06 Allowed (based on user decision) value "SpybotDeletingD7506" (new data: "") deleted in System Startup user entry!
22/01/2008 07:24:09 Allowed (based on user decision) value "SpybotDeletingB4699" (new data: "") deleted in System Startup user entry!
22/01/2008 07:24:10 Allowed (based on user decision) value "SpybotDeletingD4921" (new data: "") deleted in System Startup user entry!
22/01/2008 07:24:17 Allowed (based on user decision) value "SpybotDeletingA3690" (new data: "") deleted in System Startup global entry!
22/01/2008 07:24:22 Allowed (based on user decision) value "SpybotDeletingC3692" (new data: "") deleted in System Startup global entry!
22/01/2008 07:24:25 Allowed (based on user decision) value "SpybotDeletingA6202" (new data: "") deleted in System Startup global entry!
22/01/2008 07:24:30 Allowed (based on user decision) value "SpybotDeletingC7051" (new data: "") deleted in System Startup global entry!
22/01/2008 07:24:33 Allowed (based on user decision) value "SpybotDeletingA1664" (new data: "") deleted in System Startup global entry!
22/01/2008 07:24:35 Allowed (based on user decision) value "SpybotDeletingC1647" (new data: "") deleted in System Startup global entry!
22/01/2008 07:24:37 Allowed (based on user decision) value "SpybotDeletingA4740" (new data: "") deleted in System Startup global entry!
22/01/2008 07:24:39 Allowed (based on user decision) value "SpybotDeletingC4860" (new data: "") deleted in System Startup global entry!
22/01/2008 07:24:40 Allowed (based on user decision) value "SpybotDeletingA4756" (new data: "") deleted in System Startup global entry!
22/01/2008 07:24:41 Allowed (based on user decision) value "SpybotDeletingC1962" (new data: "") deleted in System Startup global entry!
22/01/2008 07:24:42 Allowed (based on user decision) value "SpybotDeletingA145" (new data: "") deleted in System Startup global entry!
22/01/2008 07:24:43 Allowed (based on user decision) value "SpybotDeletingC7543" (new data: "") deleted in System Startup global entry!
22/01/2008 07:39:40 Allowed (based on user decision) value "Uniblue RegistryBooster 2" (new data: "C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S") added in System Startup user entry!
22/01/2008 07:48:27 Allowed (based on user decision) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
22/01/2008 07:48:49 Allowed (based on user decision) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
22/01/2008 07:50:35 Allowed (based on user whitelist) value "ctfmon.exe" (new data: "") deleted in System Startup user entry!
22/01/2008 07:51:54 Allowed (based on user decision) value "swg" (new data: "") deleted in System Startup user entry!
22/01/2008 07:52:02 Allowed (based on user decision) value "Steam" (new data: "") deleted in System Startup user entry!
22/01/2008 07:52:14 Allowed (based on user decision) value "MsnMsgr" (new data: "") deleted in System Startup user entry!
22/01/2008 07:52:24 Allowed (based on user decision) value "Shareaza" (new data: "") deleted in System Startup user entry!
22/01/2008 07:54:09 Allowed (based on user decision) value "{72750363-A14F-4191-9533-E5CF1CE97B31}" (new data: "") deleted in Browser Helper Object!
22/01/2008 07:54:29 Allowed (based on user decision) value "{89AF1DCA-6355-4465-94B0-E3D49FD2896B}" (new data: "") deleted in Browser Helper Object!
22/01/2008 16:21:44 Allowed (based on user decision) value "{5D86DDB5-BDF9-441B-9E9E-D4730F4EE499}" (new data: "") added in ActiveX Distribution Unit!
22/01/2008 22:20:08 Allowed (based on user whitelist) value "ctfmon.exe" (new data: "C:\WINDOWS\system32\ctfmon.exe") added in System Startup user entry!
22/01/2008 22:39:57 Allowed (based on user decision) value "SmcService" (new data: "C:\PROGRA~1\Sygate\SPF\smc.exe -startgui") added in System Startup global entry!
22/01/2008 22:43:34 Allowed (based on user decision) value "Uniblue RegistryBooster 2" (new data: "") deleted in System Startup user entry!
22/01/2008 22:46:11 Allowed (based on user decision) value "SmcService" (new data: "") deleted in System Startup global entry!
23/01/2008 21:07:43 Allowed (based on user decision) value "ZoneAlarm Client" (new data: ""C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"") added in System Startup global entry!
23/01/2008 21:08:00 Allowed (based on user decision) value "{F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA}" (new data: "") added in Global browser toolbar!
23/01/2008 21:08:03 Allowed (based on user decision) value "{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}" (new data: "") added in Browser Helper Object!
23/01/2008 21:11:28 Allowed (based on user decision) value "{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}" (new data: "hex:39,B2,D4,F0,4B,DA,AF,4D,81,E4,DF,EE,49,31,A4,AA") added in User-specific browser toolbar!
23/01/2008 21:25:51 Denied (based on user decision) value "Steam" (new data: ""C:\Program Files\Steam\Steam.exe" -silent") added in System Startup user entry!
23/01/2008 21:29:21 Allowed (based on user decision) value "ALUAlert" (new data: "C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe") added in System Startup global entry!
24/01/2008 19:03:12 Allowed (based on user decision) value "Steam" (new data: ""C:\Program Files\Steam\Steam.exe" -silent") added in System Startup user entry!
24/01/2008 19:05:23 Allowed (based on user decision) value "Steam" (new data: "") deleted in System Startup user entry!
24/01/2008 19:34:39 Allowed (based on user whitelist) value "Steam" (new data: ""C:\Program Files\Steam\Steam.exe" -silent") added in System Startup user entry!
2008-01-25 21:34:45 Allowed (based on user decision) value "" (new data: "") deleted in System Startup global entry!
2008-01-25 21:34:49 Allowed (based on user decision) value "ALUAlert" (new data: "") deleted in System Startup global entry!
2008-01-25 21:34:50 Allowed (based on user decision) value "{90222687-F593-4738-B738-FBEE9C7B26DF}" (new data: "") deleted in Global browser toolbar!
2008-01-25 22:59:49 Allowed (based on user decision) value "f421d602" (new data: "") deleted in System Startup global entry!
25/01/2008 23:42:28 Allowed (based on user decision) value "{7E853D72-626A-48EC-A868-BA8D5E23E045}" (new data: "") deleted in Browser Helper Object!
25/01/2008 23:42:38 Allowed (based on user decision) value "{B8DFD819-F9E4-4339-A4A6-10D226C10B48}" (new data: "") deleted in Browser Helper Object!

regards

Michelle
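
The TeaTimer resident log above has a fixed line shape (timestamp, Allowed/Denied, the basis for the decision, the value name, its new data, the action and the registry location), so the questions in this post ("which files did Spybot queue for deletion, and which of those did I actually allow?") can be answered mechanically. The following is an added example, not code from the thread or from Spybot: it parses lines in that shape, lists the targets of Spybot's own "cmd /c del" / "command /c del" entries that the user allowed, lists what was denied, and flags autostart value names made of eight hex characters (a heuristic of my own, not a claim the thread makes; the name "f421d602" from the log is the motivating case). The sample lines are copied from this post and constructed into a short log for the demonstration.

```python
import re
from dataclasses import dataclass
from datetime import datetime

# One Spybot S&D TeaTimer "resident" log line. The field layout is taken from the
# lines posted in the thread; a line that does not fit is skipped, not guessed at.
LINE_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\d\d:\d\d:\d\d) '
    r'(?P<decision>Allowed|Denied) \(based on (?P<basis>[^)]+)\) '
    r'value "(?P<name>[^"]*)" \(new data: "(?P<data>.*)"\) '
    r'(?P<action>added|deleted|changed) in (?P<location>.+?)!$'
)

# Spybot's deferred deletions appear as Run entries whose data is
# 'cmd /c del <path>' or 'command /c del <path>' (both spellings occur in the log).
DEL_RE = re.compile(r'^(?:cmd|command) /c del "?(?P<path>[^"]+)"?$', re.IGNORECASE)

# Constructed sample: six lines taken verbatim from the log posted above.
SAMPLE_LOG = r'''
21/01/2008 22:05:03 Denied (based on user decision) value "Spybot - Search & Destroy" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
21/01/2008 22:07:06 Allowed (based on user decision) value "SpybotDeletingB5148" (new data: "command /c del "C:\WINDOWS\system32\efcyywu.dll_old"") added in System Startup user entry!
21/01/2008 22:07:17 Denied (based on user decision) value "SpybotDeletingD2024" (new data: "cmd /c del "C:\WINDOWS\system32\efcyywu.dll_old"") added in System Startup user entry!
21/01/2008 22:07:42 Allowed (based on user decision) value "SpybotDeletingA6202" (new data: "command /c del "C:\WINDOWS\system32\vturo.dll_old"") added in System Startup global entry!
22/01/2008 07:23:46 Allowed (based on user decision) value "SpybotDeletingB5148" (new data: "") deleted in System Startup user entry!
2008-01-25 22:59:49 Allowed (based on user decision) value "f421d602" (new data: "") deleted in System Startup global entry!
'''


@dataclass
class Event:
    when: datetime
    decision: str
    basis: str
    name: str
    data: str
    action: str
    location: str


def parse_timestamp(date, time):
    # The same log switches between dd/mm/yyyy and yyyy-mm-dd, so accept both.
    for fmt in ('%d/%m/%Y %H:%M:%S', '%Y-%m-%d %H:%M:%S'):
        try:
            return datetime.strptime(f'{date} {time}', fmt)
        except ValueError:
            pass
    raise ValueError(f'unrecognised timestamp: {date} {time}')


def parse_log(text):
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(parse_timestamp(m['date'], m['time']), m['decision'],
                            m['basis'], m['name'], m['data'], m['action'], m['location']))
    return events


def deferred_delete_targets(events):
    """Files Spybot queued for deletion through its cmd /c del entries, counting only
    the additions the user allowed (a denied entry never ran)."""
    targets = set()
    for e in events:
        if e.decision != 'Allowed' or e.action != 'added':
            continue
        m = DEL_RE.match(e.data)
        if m:
            targets.add(m['path'])
    return targets


def denied(events):
    """(value name, location) for every change TeaTimer blocked."""
    return [(e.name, e.location) for e in events if e.decision == 'Denied']


def suspicious_names(events):
    """Heuristic (an assumption of this example, not something the thread states):
    an autostart value named with eight bare hex characters carries no vendor
    meaning and deserves a second look."""
    return sorted({e.name for e in events
                   if re.fullmatch(r'[0-9a-f]{8}', e.name, re.IGNORECASE)})


if __name__ == '__main__':
    evs = parse_log(SAMPLE_LOG)
    print('queued deletions the user allowed:', deferred_delete_targets(evs))
    print('blocked changes:', denied(evs))
    print('odd value names:', suspicious_names(evs))
```

Run against the full log rather than the sample, the first function gives exactly the two files (efcyywu.dll_old and vturo.dll_old) whose removal this post asks about; the denied list shows that only one of the deferred-delete entries and Spybot's own /autocheck autostart were ever blocked.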

#7 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:11:56 PM

Posted 26 January 2008 - 12:25 PM

Hey Michelle,

Thanks for posting those logs and letting me know about the Spybot deletions. This is OK in this case, but please note that in the instructions to run ComboFix there was also a link to this: "How to temporarily disable your anti-virus, firewall and anti-malware programmes", which also included instructions to turn off the Spybot TeaTimer. This is only a temporary measure, so that nothing interferes with the fixes involved. Kindly make sure that you follow the instructions mentioned there for subsequent runs of ComboFix. Thanks.

Step #1

Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only.)
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use the Firefox browser: click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • If you use the Opera browser: click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Step #2
  • Open notepad and copy/paste the text in the codebox below into it:

    File::
    C:\WINDOWS\system32\ypcojdsn.tmp
    C:\WINDOWS\system32\ypcojdsn.ini
    C:\WINDOWS\system32\iyltpvmv.ini
    C:\WINDOWS\system32\urosxfig.ini
    
    Folder::
    C:\VundoFix Backups
    C:\Program Files\kernel
    
    RenV::
    ----a-w		   158,208 2008-01-20 22:21:34  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8DFD819-F9E4-4339-A4A6-10D226C10B48}]
    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "kernel"=-
  • Save this as CFScript.txt

    Posted Image
  • Referring to the picture above, drag CFScript.txt onto ComboFix.exe
  • When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Step #3

Once you have done this please create an uninstall list:
  • Start HiJackThis
  • Press 'Config'
  • Press 'Misc Tools'
  • Press 'Open Uninstall Manager'
  • Press 'Save List'
  • Save the log to a convenient location
Step #4

Please post back with a fresh HijackThis log, the Uninstall list and the ComboFix log. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
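
The RenV:: line in Step #2 renames a file called "MSConfig .exe", which differs from the real msconfig.exe only by a space before the extension; the ComboFix log posted later in this thread lists a "ctfmon .exe" sitting next to the real ctfmon.exe in system32 the same way. Spotting that by eye in a long listing is error-prone, so here is an added example (my code, not ComboFix's and not the helper's) that parses the three file-listing shapes ComboFix prints (the "Files Created" block, the "Find3M Report" block and the attrs/size/date form used in the RenV:: and <pre> sections) and flags any filename with whitespace before its extension, reporting whether the un-spaced twin is present in the same directory and whether the two sizes match. The sample listing is constructed from entries that appear in this thread's logs.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# The three listing shapes ComboFix uses; first match wins.
FORMATS = [
    # "Files Created" block: created . modified size attrs path
    re.compile(r'^(?P<modified_created>\d{4}-\d\d-\d\d \d\d:\d\d) \. '
               r'(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) (?P<size><DIR>|[\d,]+) '
               r'(?P<attrs>\S+) (?P<path>.+)$'),
    # "Find3M Report" block: modified size attrs path (size is dashes for a directory)
    re.compile(r'^(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) (?P<size>-+|[\d,]+) '
               r'(?P<attrs>\S+) (?P<path>.+)$'),
    # RenV:: / <pre> form: attrs size modified path
    re.compile(r'^(?P<attrs>\S+)\s+(?P<size>[\d,]+) '
               r'(?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(?P<path>.+)$'),
]

# Filename whose stem is followed by whitespace and then an extension, e.g. "ctfmon .exe".
SPACED_NAME = re.compile(r'^(?P<stem>.*\S)\s+(?P<ext>\.[^.\s]+)$')

# Constructed sample built from lines that appear in this thread's ComboFix output.
SAMPLE_LISTING = r'''
2008-01-20 22:13 . 2008-01-20 22:21 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2008-01-19 18:38 . 2008-01-19 18:38 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-24 19:34 . 2008-01-27 09:09 <DIR> d-------- C:\Program Files\Steam
2008-01-21 08:17 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-01-20 22:21 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
2008-01-25 18:02 --------- d-----w C:\Program Files\Norton SystemWorks
----a-w           158,208 2008-01-20 22:21:34  C:\WINDOWS\pchealth\helpctr\binaries\MSConfig .exe
'''


@dataclass
class Entry:
    path: str
    size: Optional[int]   # None for a directory
    attrs: str
    modified: str


def parse_size(text):
    return int(text.replace(',', '')) if text and text[0].isdigit() else None


def parse_combofix_listing(text):
    entries = []
    for line in text.splitlines():
        line = line.rstrip()
        for fmt in FORMATS:
            m = fmt.match(line)
            if m:
                g = m.groupdict()
                entries.append(Entry(g['path'], parse_size(g['size']), g['attrs'], g['modified']))
                break
    return entries


def find_spaced_names(entries):
    """Flag files named like 'ctfmon .exe' and say whether 'ctfmon.exe' sits beside
    them with the same size. Paths are compared case-insensitively, as NTFS does."""
    by_path = {e.path.lower(): e for e in entries}
    hits = []
    for e in entries:
        directory, base = ntpath.split(e.path)
        m = SPACED_NAME.match(base)
        if not m:
            continue
        twin = ntpath.join(directory, m['stem'] + m['ext'])
        twin_entry = by_path.get(twin.lower())
        hits.append({
            'path': e.path,
            'twin': twin,
            'twin_present': twin_entry is not None,
            'same_size': twin_entry is not None and twin_entry.size == e.size,
        })
    return hits


if __name__ == '__main__':
    for hit in find_spaced_names(parse_combofix_listing(SAMPLE_LISTING)):
        print(hit)
```

A hit with `twin_present` and `same_size` both true, as for both files here, tells you only that a byte-size lookalike exists next to the real binary; it says nothing about which copy is clean, which is why the helper renames the spaced file with RenV:: instead of deleting it outright.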


#8 Michellebro

Michellebro
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 27 January 2008 - 05:55 AM

Hey :thumbsup:
These are the 3 logs you asked for.
Thanks so much for your time, and I completely followed the instructions this time!!
Look forward to hearing from you.

Michelle


ComboFix 08-01-23.1C - Michelle & Ben 2008-01-27 9:35:59.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1556 [GMT 0:00]
Running from: C:\Documents and Settings\Michelle & Ben\Desktop\ComboFix.exe
* Created a new restore point

FILE
C:\WINDOWS\system32\iyltpvmv.ini
C:\WINDOWS\system32\urosxfig.ini
C:\WINDOWS\system32\ypcojdsn.ini
C:\WINDOWS\system32\ypcojdsn.tmp
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\koankyxk.dllbox.bad
C:\VundoFix Backups\mljgg.dll.bad
C:\VundoFix Backups\oeftbknd.ini.bad
C:\VundoFix Backups\ssqpm.dll.bad
C:\VundoFix Backups\vturq.dll.bad
C:\WINDOWS\system32\iyltpvmv.ini
C:\WINDOWS\system32\urosxfig.ini
C:\WINDOWS\system32\ypcojdsn.ini
C:\WINDOWS\system32\ypcojdsn.tmp

.
((((((((((((((((((((((((( Files Created from 2007-12-27 to 2008-01-27 )))))))))))))))))))))))))))))))
.

2008-01-25 21:11 . 2004-08-03 23:00 260,272 --a------ C:\cmldr
2008-01-25 21:11 . 2008-01-21 08:15 209 --a------ C:\Boot.bak
2008-01-25 21:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-24 19:34 . 2008-01-27 09:09 <DIR> d-------- C:\Program Files\Steam
2008-01-23 21:09 . 2008-01-27 08:54 942,112 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-01-23 21:09 . 2008-01-26 15:57 11,012 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-01-23 21:07 . 2008-01-23 21:07 <DIR> d-------- C:\Program Files\ZoneAlarmSB
2008-01-23 20:58 . 2008-01-26 22:19 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-01-22 16:21 . 2008-01-23 14:49 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-01-22 07:38 . 2008-01-22 07:38 <DIR> d-------- C:\Program Files\Uniblue
2008-01-21 22:58 . 2008-01-22 16:14 <DIR> d-------- C:\WINDOWS\system32\HouseCall 6.6
2008-01-20 22:13 . 2008-01-20 22:21 158,208 --a--c--- C:\WINDOWS\system32\dllcache\msconfig.exe
2008-01-20 11:09 . 2008-01-20 11:09 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-19 18:49 . 2008-01-19 18:49 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-01-19 18:38 . 2008-01-19 18:38 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-19 14:35 . 2008-01-19 14:35 <DIR> d-------- C:\Program Files\Lavasoft
2008-01-02 18:24 . 2008-01-02 18:24 <DIR> d-------- C:\WINDOWS\nview
2008-01-02 18:24 . 2007-12-17 13:53 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-01-02 18:23 . 2008-01-02 18:23 <DIR> d-------- C:\NVIDIA
2008-01-02 18:21 . 2006-04-21 00:27 544,768 --a------ C:\WINDOWS\system32\CLVSD.ax
2008-01-02 18:21 . 2003-03-25 05:49 45,056 --a------ C:\WINDOWS\system32\ogg.dll
2008-01-02 18:21 . 2006-10-02 09:43 3,181 --a------ C:\WINDOWS\FantasyDVD.ini
2008-01-02 18:21 . 2006-07-30 08:02 2,413 --a------ C:\WINDOWS\ShortCutInf.ini
2008-01-02 17:12 . 2008-01-02 17:12 <DIR> d-------- C:\Program Files\MailWasher
2008-01-02 15:55 . 2001-03-08 18:30 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2008-01-02 15:15 . 2008-01-03 16:34 <DIR> d-------- C:\Program Files\Shareaza
2008-01-02 14:41 . 2008-01-02 15:09 <DIR> d-------- C:\Program Files\Shareaza Applications
2008-01-02 14:41 . 2006-11-12 11:39 483,328 --a------ C:\WINDOWS\system32\actskn45.ocx
2008-01-02 14:08 . 2008-01-22 07:16 605 --a------ C:\WINDOWS\wininit.ini
2008-01-02 12:33 . 2008-01-02 17:06 0 --a------ C:\WINDOWS\PlayList.Fpl
2008-01-02 12:31 . 2008-01-02 12:55 <DIR> d-------- C:\Program Files\LimeWire Turbo Accelerator
2008-01-02 12:31 . 2008-01-02 12:31 <DIR> d-------- C:\Program Files\Common Files\Download Manager
2008-01-02 11:40 . 2008-01-02 18:21 <DIR> d-------- C:\WINDOWS\system32\FTCodecs
2008-01-02 11:40 . 2008-01-02 11:40 <DIR> d-------- C:\Program Files\Fantasysoft-Studio
2008-01-02 11:40 . 2008-01-02 17:06 389,120 --a------ C:\WINDOWS\system32\ACTSKN43.OCX
2008-01-02 10:01 . 2008-01-02 10:01 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-01 16:36 . 2008-01-01 16:36 <DIR> d-------- C:\Program Files\Ventrilo
2008-01-01 16:36 . 2008-01-19 14:35 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 09:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-26 19:41 --------- d-----w C:\Program Files\World of Warcraft
2008-01-25 18:02 --------- d-----w C:\Program Files\Norton SystemWorks
2008-01-21 19:34 --------- d-----w C:\Program Files\iTunes
2008-01-21 08:17 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
2008-01-20 22:21 158,208 ----a-w C:\WINDOWS\pchealth\helpctr\binaries\MSConfig.exe
2008-01-20 22:13 --------- d-----w C:\Program Files\Norton Internet Security
2008-01-20 21:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-15 14:16 --------- d-----w C:\Program Files\MSN Messenger
2008-01-07 18:10 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-01-07 18:10 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
2008-01-07 18:10 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-01-07 18:10 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-01-07 18:10 --------- d-----w C:\Program Files\Symantec
2008-01-03 16:34 --------- d-----w C:\Program Files\QuickTime
2008-01-03 16:34 --------- d-----w C:\Program Files\AGEIA Technologies
2008-01-02 12:03 --------- d-----w C:\Program Files\NCH Swift Sound
2008-01-02 11:28 --------- d-----w C:\Program Files\RGB
2008-01-02 10:01 --------- d-----w C:\Program Files\Common Files\Real
2007-12-14 11:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-08 16:33 --------- d-----w C:\Program Files\Yahoo!
2007-12-07 20:50 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-12-07 20:50 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-12-05 02:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-05 01:41 81,920 ----a-w C:\WINDOWS\system32\nvwddi.dll
2007-12-05 01:41 81,920 ----a-w C:\WINDOWS\system32\nvmctray.dll
2007-12-05 01:41 8,523,776 ----a-w C:\WINDOWS\system32\nvcpl.dll
2007-12-05 01:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-05 01:41 7,435,392 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-12-05 01:41 6,901,760 ----a-w C:\WINDOWS\system32\nvoglnt.dll
2007-12-05 01:41 6,549,504 ----a-w C:\WINDOWS\system32\nvdisps.dll
2007-12-05 01:41 5,773,568 ----a-w C:\WINDOWS\system32\nv4_disp.dll
2007-12-05 01:41 5,611,520 ----a-w C:\WINDOWS\system32\nvdispsr.dll
2007-12-05 01:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-05 01:41 458,752 ----a-w C:\WINDOWS\system32\nvmccssr.dll
2007-12-05 01:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-05 01:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-05 01:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-05 01:41 385,024 ----a-w C:\WINDOWS\system32\nvapi.dll
2007-12-05 01:41 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-12-05 01:41 35,328 ----a-w C:\WINDOWS\system32\nvcodins.dll
2007-12-05 01:41 35,328 ----a-w C:\WINDOWS\system32\nvcod.dll
2007-12-05 01:41 335,872 ----a-w C:\WINDOWS\system32\nvwrses.dll
2007-12-05 01:41 335,872 ----a-w C:\WINDOWS\system32\nvwrsel.dll
2007-12-05 01:41 327,680 ----a-w C:\WINDOWS\system32\nvwrsfr.dll
2007-12-05 01:41 327,680 ----a-w C:\WINDOWS\system32\nvwrsesm.dll
2007-12-05 01:41 327,680 ----a-w C:\WINDOWS\system32\nvrshe.dll
2007-12-05 01:41 327,680 ----a-w C:\WINDOWS\system32\nvrsar.dll
2007-12-05 01:41 323,584 ----a-w C:\WINDOWS\system32\nvwrspt.dll
2007-12-05 01:41 323,584 ----a-w C:\WINDOWS\system32\nvwrsit.dll
2007-12-05 01:41 319,488 ----a-w C:\WINDOWS\system32\nvwrsptb.dll
2007-12-05 01:41 319,488 ----a-w C:\WINDOWS\system32\nvwrsnl.dll
2007-12-05 01:41 315,392 ----a-w C:\WINDOWS\system32\nvwrsru.dll
2007-12-05 01:41 315,392 ----a-w C:\WINDOWS\system32\nvwrshu.dll
2007-12-05 01:41 311,296 ----a-w C:\WINDOWS\system32\nvwrsde.dll
2007-12-05 01:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-05 01:41 303,104 ----a-w C:\WINDOWS\system32\nvwrstr.dll
2007-12-05 01:41 303,104 ----a-w C:\WINDOWS\system32\nvwrssl.dll
2007-12-05 01:41 303,104 ----a-w C:\WINDOWS\system32\nvwrsfi.dll
2007-12-05 01:41 3,715,072 ----a-w C:\WINDOWS\system32\nvvitvsr.dll
2007-12-05 01:41 3,710,976 ----a-w C:\WINDOWS\system32\nvvitvs.dll
2007-12-05 01:41 3,420,160 ----a-w C:\WINDOWS\system32\nvgames.dll
2007-12-05 01:41 3,334,144 ----a-w C:\WINDOWS\system32\nvgamesr.dll
2007-12-05 01:41 299,008 ----a-w C:\WINDOWS\system32\nvwrssk.dll
2007-12-05 01:41 299,008 ----a-w C:\WINDOWS\system32\nvwrsno.dll
2007-12-05 01:41 294,912 ----a-w C:\WINDOWS\system32\nvwrssv.dll
2007-12-05 01:41 294,912 ----a-w C:\WINDOWS\system32\nvwrspl.dll
2007-12-05 01:41 294,912 ----a-w C:\WINDOWS\system32\nvwrsda.dll
2007-12-05 01:41 290,816 ----a-w C:\WINDOWS\system32\nvwrsth.dll
2007-12-05 01:41 286,720 ----a-w C:\WINDOWS\system32\nvwrseng.dll
2007-12-05 01:41 286,720 ----a-w C:\WINDOWS\system32\nvwrscs.dll
2007-12-05 01:41 286,720 ----a-w C:\WINDOWS\system32\nvnt4cpl.dll
2007-12-05 01:41 282,624 ----a-w C:\WINDOWS\system32\nvwrsar.dll
2007-12-05 01:41 282,624 ----a-w C:\WINDOWS\system32\nvrsfr.dll
2007-12-05 01:41 282,624 ----a-w C:\WINDOWS\system32\nvrses.dll
2007-12-05 01:41 282,624 ----a-w C:\WINDOWS\system32\nvrsel.dll
2007-12-05 01:41 278,528 ----a-w C:\WINDOWS\system32\nvwrshe.dll
2007-12-05 01:41 278,528 ----a-w C:\WINDOWS\system32\nvrsit.dll
2007-12-05 01:41 278,528 ----a-w C:\WINDOWS\system32\nvrsde.dll
2007-12-05 01:41 274,432 ----a-w C:\WINDOWS\system32\nvrspt.dll
2007-12-05 01:41 274,432 ----a-w C:\WINDOWS\system32\nvrsnl.dll
2007-12-05 01:41 274,432 ----a-w C:\WINDOWS\system32\nvrsesm.dll
2007-12-05 01:41 270,336 ----a-w C:\WINDOWS\system32\nvrsru.dll
2007-12-05 01:41 266,240 ----a-w C:\WINDOWS\system32\nvrsptb.dll
2007-12-05 01:41 266,240 ----a-w C:\WINDOWS\system32\nvrsja.dll
2007-12-05 01:41 258,048 ----a-w C:\WINDOWS\system32\nvrstr.dll
2007-12-05 01:41 258,048 ----a-w C:\WINDOWS\system32\nvrssl.dll
2007-12-05 01:41 258,048 ----a-w C:\WINDOWS\system32\nvrssk.dll
2007-12-05 01:41 258,048 ----a-w C:\WINDOWS\system32\nvrsko.dll
2007-12-05 01:41 258,048 ----a-w C:\WINDOWS\system32\nvrshu.dll
2007-12-05 01:41 253,952 ----a-w C:\WINDOWS\system32\nvrsth.dll
2007-12-05 01:41 253,952 ----a-w C:\WINDOWS\system32\nvrssv.dll
2007-12-05 01:41 253,952 ----a-w C:\WINDOWS\system32\nvrspl.dll
2007-12-05 01:41 253,952 ----a-w C:\WINDOWS\system32\nvrsno.dll
2007-12-05 01:41 253,952 ----a-w C:\WINDOWS\system32\nvrsda.dll
2007-12-05 01:41 249,856 ----a-w C:\WINDOWS\system32\nvrsfi.dll
2007-12-05 01:41 249,856 ----a-w C:\WINDOWS\system32\nvrscs.dll
2007-12-05 01:41 245,760 ----a-w C:\WINDOWS\system32\nvrseng.dll
2007-12-05 01:41 229,376 ----a-w C:\WINDOWS\system32\nvmccs.dll
2007-12-05 01:41 225,280 ----a-w C:\WINDOWS\system32\nvrszhc.dll
.
----a-w           15,360 2008-01-19 18:38:45  C:\WINDOWS\system32\ctfmon .exe


((((((((((((((((((((((((((((( snapshot@2008-01-25_23.28.19.60 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-25 22:19:30 1,343,488 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-27 09:35:43 1,343,488 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-25 22:19:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-27 09:35:43 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-25 22:19:30 1,343,488 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-27 09:35:43 1,343,488 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-25 22:19:30 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-27 09:35:43 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-25 22:19:30 6,975,488 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-27 09:35:43 6,975,488 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-25 22:19:30 577,536 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-27 09:35:43 577,536 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA}]
2008-01-23 21:07 262144 --a------ C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{8B68564D-53FD-4293-B80C-993A9F3988EE}
{2318C2B1-4965-11D4-9B18-009027A5CD4F}
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
{BC4FFE41-DE9F-46FA-B455-AAD49B9F9938}
{EE5D279F-081B-4404-994D-C6B60AAEBA6D}
{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{F0D4B239-DA4B-4DAF-81E4-DFEE4931A4AA}"= C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL [2008-01-23 21:07 262144]

[HKEY_CLASSES_ROOT\clsid\{f0d4b239-da4b-4daf-81e4-dfee4931a4aa}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2004-12-22 19:40 24576 C:\WINDOWS\MIDIDEF.EXE]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-21 08:17 15360]
"Steam"="C:\Program Files\Steam\Steam.exe" [2008-01-24 19:39 1266936]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-20 16:00 282624 C:\WINDOWS\stsystra.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"MBMon"="CTMBHA.DLL" [2006-03-15 20:15 1355468 C:\WINDOWS\system32\CTMBHA.DLL]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-20 22:32 517768]
"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36 267048]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-20 22:32 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2008-01-20 22:15 26248]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2008-01-21 08:17 64512]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-11-14 16:05 919016]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="" []

C:\Documents and Settings\Michelle & Ben\Start Menu\Programs\Startup\
Norton Disk Doctor.LNK - C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE [2003-09-10 05:26:58 376832]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2007-12-03 11:10:00 394856]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

R1 GhPciScan;GhostPciScanner;C:\Program Files\Norton SystemWorks\Norton Ghost\ghpciscan.sys [2003-05-28 19:01]
R3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2003-09-10 05:12]
S2 NvNdis;NVIDIA NDIS IO Control Driver;C:\WINDOWS\system32\Drivers\NvNdis.sys []
S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2003-09-10 04:58]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-01-22 08:01:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-27 09:17:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-01-25 20:00:22 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Michelle & Ben.job"
- C:\PROGRA~1\NORTON~2\NORTON~1\Navw32.exeh/TASK:
"2008-01-25 18:02:58 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
- C:\Program Files\Norton SystemWorks\OBC.exe
"2008-01-27 00:00:01 C:\WINDOWS\Tasks\Symantec Drmc.job"
- C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-27 10:05:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-27 10:06:46
ComboFix-quarantined-files.txt 2008-01-27 10:06:43
ComboFix2.txt 2008-01-25 23:28:40
.
2008-01-09 03:02:24 --- E O F ---


Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Reader 8.1.1
Adobe Shockwave Player
AGEIA PhysX v2.3.3
Andrea VoiceCenter
AppCore
Apple Mobile Device Support
Apple Software Update
AV
Battlefield 2™
Battlestations: Midway
ccCommon
Creative Audio Pack
Creative MediaSource 5
Day of Defeat: Source
Dell Resource CD
DellConnect
Disc2Phone
DVD Decrypter (Remove Only)
EPSON PhotoQuicker3.5
EPSON Printer Software
EPSON Web-To-Page
ESC86 Reference Guide
ESC86 Software Guide
ESPNMotion
FantasyDVD Player 9 Platinum
GameShadow
GemMaster Mystic
Ghost Recon Advanced Warfighter
Google Earth
Google Toolbar for Firefox
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB835221
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Intel® Viiv™ Software
iQuiz Maker
iTunes
iWin Games (remove only)
LiveReg (Symantec Corporation)
LiveUpdate 3.1 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Logitech Gaming Software
MailWasher Free
Map Button (Windows Live Toolbar)
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows XP Video Decoder Checkup Utility
MSRedist
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
Norton AntiVirus
Norton CleanSweep
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Ghost
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Password Manager
Norton Protection Center
Norton SystemWorks 2004 Professional
Norton SystemWorks 2004 Professional (Symantec Corporation)
Norton Utilities
NSW_DRM_COLLECTION
NVIDIA Drivers
OneCare Advisor (Windows Live Toolbar)
Otto
Popup Blocker (Windows Live Toolbar)
QuickTime
RealPlayer
ScanToWeb
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Shareaza version 2.3.0.0
SigmaTel Audio
Smart Menus (Windows Live Toolbar)
Sonic Advanced Decoder
Sonic Encoders
Sony Ericsson PC Suite
Sound Blaster ADVANCED MB Drivers
Sound Blaster Audigy ADVANCED MB
SPBBC 32bit
Spybot - Search & Destroy
Steam
SweetIM For Internet Explorer 3.0b
Symantec Technical Support Web Controls
The Sims 2
Uniblue RegistryBooster 2
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925720)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update Rollup 2 for Windows XP Media Center Edition 2005
Ventrilo Client
Videora iPod Converter 2.02
WavePad Uninstall
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Favorites for Windows Live Toolbar
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Media Center Edition 2005 KB925766
WinZip 11.1
World of Warcraft
WW2 Pacific Heroes
ZoneAlarm
ZoneAlarm Spy Blocker

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:58, on 27/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Inventel\Gateway\wlancfg.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.wanadoo.co.uk/cd_redirects/wanadoohome
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE Class - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MBMon] Rundll32 CTMBHA.DLL,MBMon
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Steam] "C:\Program Files\Steam\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] (User 'Default user')
O4 - Startup: Norton Disk Doctor.LNK = C:\Program Files\Norton SystemWorks\Norton Utilities\NDD32.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\NORTON~2\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Service de lancement de WlanCfg (Wlancfg) - Inventel - C:\Program Files\Inventel\Gateway\wlancfg.exe

--
End of file - 11554 bytes

#9 Yourhighness

    The BSG Malware Fighter

  • Malware Response Team
  • 7,943 posts
  • Gender: Male
  • Location: Hamburg
  • Local time: 11:56 PM

Posted 27 January 2008 - 04:23 PM

Hey Michelle,

Your log(s) show that you are using so-called peer-to-peer or file-sharing programmes (in your case Shareaza version 2.3.0.0). These programmes allow sharing files between users, as the name suggests. In today's world cybercrime has reached an enormous dimension, and any means is used to infect personal computers in order to make use of their stored data or machine power for further propagation of the malware files. A popular means is the use of file-sharing tools, as a tremendous number of prospective victims can be reached through them.

It is therefore possible to be infected by downloading manipulated files via peer-to-peer tools, and they should therefore be used with intense care. Some further readings on this subject, along the included links, are as follows: "File-Sharing, otherwise known as Peer To Peer" and "Risks of File-Sharing Technology."

It is also important to note that sharing entertainment files and proprietary software infringes copyright laws in many countries around the world, and you are putting yourself at risk of being indicted by organisations watching over the rights of the authors of such files (e.g. the RIAA for music files, or the MPAA for movie files in the USA) or by the authors of the files themselves.

Naturally there are also legal ways to use these services, such as downloading Linux distributions or office suites such as "Open Office."

The following refers to Uniblue RegistryBooster 2.
Please be aware that BleepingComputer staff do not recommend the usage of registry cleaners / tools due to the following facts:
  • Registry tools can cause irreparable damage to your Operating System.
  • Registry tools can, as a result of the above, render your PC inoperable.
This is done on the assumption that the main audience of this board may be inexperienced users, and it is thus a suggested safeguard from our side.
If you feel you have the need for a registry cleaner, then you are just as welcome to keep it. This is what we refer to as an "optional fix" and is up to the user, so just take this as a recommendation from my side.

Step #1

Please copy the entire contents inside the CODE box below into Notepad.

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=-

Then click File > Save and save as fix.reg (save as type: All files) to the Desktop.
Go to the Desktop and double-click fix.reg. When prompted to merge its contents to the registry, click the Yes button. You may remove the file afterwards.

Step #2

Please do an online scan with Kaspersky Webscan (you need to use Internet Explorer or enable IEView in Firefox).

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under "Select a target to scan", select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
    • Now click on the Save Report As button >> name it >> choose "Text file" in the Save as type dialogue.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Step #3

Please post back with the Kaspersky Onlinescan. Thanks.

"How did I get infected?" - "Safe-hex" - Member of UNITE -
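The fix.reg in Step #1 uses two Regedit 5.00 constructs: a leading minus inside the brackets ([-KEY]) removes the whole key, and "name"=- removes a single value. As an added example (not part of this post or of any tool it names), the Python below reads a .reg file and lists the operations a merge would perform, so a fix can be reviewed before it is double-clicked; the sample input is the fix.reg text from Step #1 embedded as a constant, and the parser covers only the string, dword and hex value types that removal fixes normally use.

```python
"""Dry-run reader for a Regedit 5.00 .reg fix file (added example, not the
thread's own tool): lists the registry operations a merge would perform so
the file can be reviewed before it is imported."""
import re
from dataclasses import dataclass
from typing import List, Optional

# The fix.reg text from Step #1 above, embedded so the example runs offline.
FIX_REG = r'''Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{2318C2B1-4965-11D4-9B18-009027A5CD4F}]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"=-
'''

@dataclass
class RegOp:
    action: str                  # "delete_key", "delete_value" or "set_value"
    key: str
    name: Optional[str] = None   # None for key-level ops; "@" is the default value
    value: Optional[object] = None

_KEY_RE = re.compile(r'^\[(-?)(.+)\]$')
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s: str) -> str:
    # .reg strings escape backslash and double quote with a backslash
    return re.sub(r'\\(.)', r'\1', s)

def _parse_data(raw: str):
    """Decode the right-hand side of a value line; None means 'delete'."""
    if raw == '-':
        return None
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith('dword:'):
        return int(raw[6:], 16)
    if raw.startswith('hex'):                    # hex: or hex(N): byte list
        body = raw.split(':', 1)[1]
        return bytes(int(b, 16) for b in body.split(',') if b.strip())
    raise ValueError(f'unsupported data: {raw}')

def parse_reg(text: str) -> List[RegOp]:
    lines = text.lstrip('\ufeff').splitlines()
    if not lines or lines[0].strip() != 'Windows Registry Editor Version 5.00':
        raise ValueError('missing "Windows Registry Editor Version 5.00" header')
    ops: List[RegOp] = []
    key: Optional[str] = None
    buf = ''                                     # joins backslash-continued hex lines
    for raw in lines[1:]:
        line = buf + raw.strip()
        buf = ''
        if not line or line.startswith(';'):
            continue
        if line.endswith('\\') and not line.startswith('['):
            buf = line[:-1]
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group(2)
            if m.group(1) == '-':                # [-KEY] deletes the whole subtree
                ops.append(RegOp('delete_key', key))
                key = None                       # no values may follow a deleted key
            continue
        m = _VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError(f'unexpected line: {line}')
        name = '@' if m.group(1) == '@' else _unescape(m.group(1)[1:-1])
        data = _parse_data(m.group(2).strip())
        if data is None:                         # "name"=- deletes the value
            ops.append(RegOp('delete_value', key, name))
        else:
            ops.append(RegOp('set_value', key, name, data))
    return ops

def describe(ops: List[RegOp]) -> List[str]:
    """Human-readable one-liners, one per operation, for review."""
    out = []
    for op in ops:
        if op.action == 'delete_key':
            out.append(f'DELETE KEY    {op.key}')
        elif op.action == 'delete_value':
            out.append(f'DELETE VALUE  {op.key}\\{op.name}')
        else:
            out.append(f'SET VALUE     {op.key}\\{op.name} = {op.value!r}')
    return out

if __name__ == '__main__':
    print('\n'.join(describe(parse_reg(FIX_REG))))
```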


#10 Michellebro

  • Topic Starter
  • Members
  • 11 posts
  • Local time: 10:56 PM

Posted 28 January 2008 - 12:25 PM

Hi

Here is the report you asked for. I will remove the other programmes you mention in your last reply!!!! Not sure where the Uniblue Registry thing came from, and I didn't intend on using it.
Look forward to hearing from you again.

Michelle :thumbsup:



KASPERSKY ONLINE SCANNER REPORT
Monday, January 28, 2008 5:18:12 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/01/2008
Kaspersky Anti-Virus database records: 534458


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics
Total number of scanned objects 359190
Number of viruses found 3
Number of infected objects 4
Number of suspicious objects 0
Duration of the scan process 03:07:02

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-01-28_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped

C:\Documents and Settings\Michelle & Ben\My Documents\Downloads\[Full Version] wings of fury by Cinemaniacs (Unreleased).zip/Setup.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ig skipped

C:\Documents and Settings\Michelle & Ben\My Documents\Downloads\[Full Version] wings of fury by Cinemaniacs (Unreleased).zip ZIP: infected - 1 skipped

C:\Program Files\iWin Games\iWinGamesHookIE.dll Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped

C:\QooBox\Quarantine\C\VundoFix Backups\mljgg.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dqi skipped

Scan process completed.

#11 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:11:56 PM

Posted 29 January 2008 - 12:00 AM

Hey Michelle,

Step #1

Now please delete the following files and folders (NB: if you cannot find a file or folder that is just fine):

C:\Documents and Settings\Michelle & Ben\My Documents\Downloads\[Full Version] wings of fury by Cinemaniacs (Unreleased).zip <-- this file
C:\Program Files\iWin Games\iWinGamesHookIE.dll <-- this file


Step #2
  • Now please navigate to: Start >> Run...
  • Type: Combofix /u and hit Enter
  • This will delete:
    • \Qoobox
    • \VundoFix Backups
    • \Deckard
    • \_OTMoveIt
    • %systemroot%\erdnt\subs
  • Also resets System Restore, re-hides system & hidden files, resets system clock and last but not least, hides the file extensions of known filetypes
Step #3

Please also have a look at the following links, giving some advice and suggestions for preventing future infections:

I recommend you regularly visit the Windows Update Site!
  • Lots of Hacking/Trojans use the methods found (plugged by the updates) that have not been stopped by people not updating.
  • By updating your machine, you have one less headache!
  • Update ALL Critical updates and any other Windows updates for services/programs that you use.
  • If you wish, you can also use automatic updates. This is a good thing to have if you want to be up-to-date all the time, but can also be a bit of an annoyance due to its handling and the sizes of the updates. If you wish to turn on automatic updates, then you will find here a nice little article about turning on automatic updates.
  • Note that it will download them for you, but you still have to actually click install.
  • If you do not want to have automatic updates turned on, or are on dial-up, you can always download updates separately at: http://windowsupdate.microsoft.com.
It is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities. You can check these by visiting Secunia Software Inspector and Calendar of Updates.

For a nice list of freeware programmes in all categories, please have a look at this thread with freeware products that are regarded as useful by the users of this forum: Commonly Used Freeware Replacements.

Another recommendation is to download HostsMan. It safeguards you with a regularly updated Hosts-file that blocks dangerous sites from opening. This adds another bit of safety while surfing the Internet. For installation and setting up, follow these steps:
  • Double-click the Downloaded installer and install the tool to a location of your choice
  • Via the Startmenu, navigate to HostsMan and run the program.
    • Click "Hosts" in the menu
    • Click "Manage Updates" in the submenu
    • Out of the three, select at least one of them (I have MVPS Host as my main one)
    • Click "Add Update." After that you will only need to click on the following button to retrieve updates:
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Finally, and definitely the MOST IMPORTANT step, click on the following tutorial and follow each step listed there:

Simple and easy ways to keep your computer safe and secure on the Internet

Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!

"How did I get infected?" - "Safe-hex" - Member of UNITE -
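The note in the HostsMan steps above (a managed blocklist replaces the Hosts file, so custom entries have to be carried over by hand) as an added Python example; this is not code from the forum post or from HostsMan. The two hosts-file samples and every hostname in them are constructed, and the merge policy (keep the user's real mapping, but report each conflict for review) is an assumption, not HostsMan's behaviour.

```python
import ipaddress

# Constructed sample of a user's existing hosts file (invented names).
CUSTOM_HOSTS = """\
127.0.0.1    localhost
192.168.1.10 fileserver.home
0.0.0.0      ads.example.test   # blocked by hand earlier
"""

# Constructed sample of a managed blocklist update (MVPS-style layout, invented names).
BLOCKLIST = """\
# every listed host is sunk to 0.0.0.0
0.0.0.0 ads.example.test
0.0.0.0 tracker.example.test
0.0.0.0 fileserver.home
"""

SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1"}  # addresses that mean "block this host"

def parse_hosts(text):
    """Return a {hostname: ip} dict; comments and blank lines are ignored."""
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        for name in names:
            entries[name.lower()] = ip
    return entries

def is_blocked(entries, hostname):
    """True when the hosts file sinks this name to a loopback/null address."""
    return entries.get(hostname.lower()) in SINK_ADDRESSES

def merge_hosts(custom_text, blocklist_text):
    """Apply the blocklist, then carry the user's own entries over; return (merged, conflicts)."""
    merged = parse_hosts(blocklist_text)
    conflicts = []  # (host, blocklist address, user's address): entries the user must decide on
    for name, ip in parse_hosts(custom_text).items():
        existing = merged.get(name)
        if existing is None or existing == ip:
            merged[name] = ip  # plain carry-over (localhost, duplicate block entries)
        elif ip not in SINK_ADDRESSES:
            conflicts.append((name, existing, ip))
            merged[name] = ip  # the user's real mapping wins, but is reported for review
        # else: both sides sink the host; the blocklist entry already covers it
    return merged, conflicts
```

Any conflict the user does not recognise as their own entry is worth checking before the merged file is written back.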


#12 Michellebro

Michellebro
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 29 January 2008 - 03:18 AM

Hi

Thanks so much for your help. Can I just check with the Combofix /u instruction that it was actually supposed to uninstall Combofix? It's gone and I am not convinced that was supposed to happen!!!!
Shall I also uninstall the ATF Cleaner etc. that you directed me to?

Thanks again so much for your help and I will surely recommend the site's help and support to friends and family should they have problems.


Michelle :thumbsup:

#13 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:11:56 PM

Posted 29 January 2008 - 12:38 PM

Hi Michelle,

the /u actually stands for uninstall and intends exactly that :thumbsup: . So it's intended to disappear on you :blink:. You may keep ATF Cleaner if you like. It's a nice tool to clean temporary files and the recycle bin. You do not have to, though. As for anything else related to our fix, if you still have any copies of the files you may delete them as well.

You are welcome and please do tell your friends and family. We are a friendly bunch here and try to help as well as we can and as far as it is possible for us.

Johannes

"How did I get infected?" - "Safe-hex" - Member of UNITE -


#14 Michellebro

Michellebro
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:10:56 PM

Posted 31 January 2008 - 03:29 AM

thanks for your response -

I have noticed a problem with MailWasher and Outlook Express; would this be anything to do with the clean-up?

If I use Outlook Express and run it alone without MailWasher first, this is the error message I receive:

The connection to the server has failed. Account: 'pop.orangehome.co.uk', Server: 'pop.orangehome.co.uk', Protocol: POP3, Port: 110, Secure(SSL): No, Socket Error: 10061, Error Number: 0x800CCC0E

MailWasher is also not able to access my emails.


Have you any ideas, or should I change forums?

#15 Yourhighness

Yourhighness

    The BSG Malware Fighter


  • Malware Response Team
  • 7,943 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Hamburg
  • Local time:11:56 PM

Posted 31 January 2008 - 03:56 AM

Hi Michelle,

this is not to do with our malware fixing, but rather a problem within the communication of the two programmes, it seems. I would like to ask you to direct your question to this forum area: Internet & Networking Subforums

Once you have selected the right category, you will find that there are also lots of knowledgeable and friendly people ;) .

"How did I get infected?" - "Safe-hex" - Member of UNITE -