Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Vundo, Metajuan, Zlobgen Keep Coming Back


  • This topic is locked This topic is locked
15 replies to this topic

#1 Brian Fantana

Brian Fantana

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 12 July 2008 - 03:04 PM

Hi - a few days ago I downloaded a file which I scanned first with AVG before opening. It showed as vius free, after opening all hell let loose. I had Spybot on the PC and it identified Smitfraud and Smitfraud C. I used the information on this forum to clean them. I still had problems which AVG could not fix so I downloaded Norton AV (free with BT broadband) unfortunately it forces you into removing Spybot.
Since then the PC has improved but Nortons is still finding and repairing viruses but they keep coming back.
I've attached a hijack this log for info.
Any help would be much appreciated
Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:40:42, on 12/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.bbc.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {a1b2f3fa-dd1d-470b-a23e-a133b2f8ef60} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {a1b2f3fa-dd1d-470b-a23e-a133b2f8ef60} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [TI WLAN] C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [68192817] rundll32.exe "C:\WINDOWS\system32\oijthpyi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129224358217
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129224334311
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 10429 bytes

BC AdBot (Login to Remove)

 


m

#2 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:43 AM

Posted 13 July 2008 - 11:31 AM

Hello Brian Fantana, and welcome to Bleeping Computer. I will be handling your log to help you get cleaned up.

Please take note of the following:
1. I will start working on your malware issues, this may or may not solve other issues you have with your machine.
2. The fixes are specific to your problem and should only be used for this issue on this machine.
3. The process is not instant. Please continue to review my answers until I tell you your machine is clean.
4. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.
5. Please reply to this thread. Do not start a new topic.

Please give me some time to look over your log and I will get back to you as soon as possible.

Thanks,

htv8
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#3 Brian Fantana

Brian Fantana
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 13 July 2008 - 02:09 PM

Excellent htv8 - I appreciate your help. :thumbsup:

#4 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:43 AM

Posted 13 July 2008 - 03:16 PM

Hello Brian Fantana. :thumbsup:



Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: ComboFix
Please download ComboFix from any of the links below and save it to your Desktop.
(1) Download ComboFix (ComboFix.exe)
(2) Download ComboFix (ComboFix.exe)
(3) Download ComboFix (ComboFix.exe)
NOTE: ** In the event you already have ComboFix, this is a new version that I need you to download. **

Please print out and follow these instructions: How to use ComboFix.

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.
Once installed, you should see a blue screen prompt that says: The Recovery Console was successfully installed.

Please continue as follows:
  • VERY IMPORTANT: Close/Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix.
    ** Click on this link to see a list of programs that should be disabled. NOTE: The list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask. **
  • Click Yes to allow ComboFix to continue scanning for malware.
    NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
  • When finished, ComboFix shall produce a log for you; post the entire contents of C:\ComboFix.txt in your next reply for for further review, and so we may continue cleansing the system.

GENERAL WARNING: Do NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert. It is a powerful tool intended by its creator to be used under the guidance and supervision of an expert, not for private use. Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again. Please read ComboFix's Disclaimer.

Step #2: HijackThis
Occasionally malware hides itself from HijackThis. Using My Computer or Windows Explorer (to get there, right-click your Start button and go to Explore), go to the folder where the HijackThis.exe resides (C:\Program Files\Trend Micro\HijackThis):
  • Right-click on the HijackThis.exe file and select the Rename option from the right-click menu.
  • Rename HijackThis.exe to fluffybunny.exe and press Enter.
  • Double-click te fluffybunny.exe to run HijackThis and make a fresh log.
Post the newly created HijackThis log in your next reply.



So in your next reply, please post the entire contents of:
- C:\ComboFix.txt
- the new HijackThis log

Edited by htv8, 13 July 2008 - 03:18 PM.

If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#5 Brian Fantana

Brian Fantana
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 14 July 2008 - 11:36 AM

Hi htv8
I've run combofix and hijack this following the instructions.


ComboFix 08-07-13.12 - Ian 2008-07-14 16:56:35.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.98 [GMT 1:00]
Running from: C:\Documents and Settings\Ian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ian\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ian\Application Data\inst.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\AcIlRXyb.ini
C:\WINDOWS\system32\AcIlRXyb.ini2
C:\WINDOWS\system32\afedfqwx.dll
C:\WINDOWS\system32\atpofwaj.dll
C:\WINDOWS\system32\bfsmwb.dll
C:\WINDOWS\system32\brbyeb.dll
C:\WINDOWS\system32\cyvvqkxr.dll
C:\WINDOWS\system32\evhwaifk.dll
C:\WINDOWS\system32\fccccArq.dll
C:\WINDOWS\system32\fjsqclrt.ini
C:\WINDOWS\system32\fqxbfvoo.ini
C:\WINDOWS\system32\iyphtjio.ini
C:\WINDOWS\system32\jwxtqgan.dll
C:\WINDOWS\system32\ksfgrbbn.dll
C:\WINDOWS\system32\kTuwDfhk.ini
C:\WINDOWS\system32\kTuwDfhk.ini2
C:\WINDOWS\system32\ljgauyki.ini
C:\WINDOWS\system32\nagqtxwj.ini
C:\WINDOWS\system32\nkuqkg.dll
C:\WINDOWS\system32\oijthpyi.dll
C:\WINDOWS\system32\pcuihcyq.ini
C:\WINDOWS\system32\qrAccccf.ini
C:\WINDOWS\system32\qrAccccf.ini2
C:\WINDOWS\system32\sfaimq.dll
C:\WINDOWS\system32\sqlsmyjs.ini
C:\WINDOWS\system32\upiucdhd.ini
C:\WINDOWS\system32\XwFMonnn.ini
C:\WINDOWS\system32\XwFMonnn.ini2
C:\WINDOWS\system32\xwqfdefa.ini
C:\WINDOWS\system32\yaucnkvi.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NPF


((((((((((((((((((((((((( Files Created from 2008-06-14 to 2008-07-14 )))))))))))))))))))))))))))))))
.

2008-07-12 23:27 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-12 23:27 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-07-12 23:27 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-12 20:40 . 2008-07-12 20:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-10 18:50 . 2008-07-10 18:50 <DIR> d-------- C:\Documents and Settings\Jennifer\Application Data\Yahoo!
2008-07-10 18:48 . 2008-07-10 18:48 <DIR> d-------- C:\Documents and Settings\Jennifer\Application Data\Talkback
2008-07-09 21:20 . 2008-07-09 21:20 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-07-09 20:46 . 2008-07-09 21:09 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-09 20:46 . 2008-07-09 21:09 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-09 20:46 . 2008-07-09 21:09 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-09 20:46 . 2008-07-09 21:09 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-09 20:43 . 2008-07-12 23:27 <DIR> d-------- C:\Program Files\Symantec
2008-07-09 20:43 . 2008-07-12 23:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-09 20:42 . 2008-07-14 17:16 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-09 16:11 . 2008-07-12 20:18 <DIR> d-------- C:\VundoFix Backups
2008-07-09 13:22 . 2008-07-09 13:26 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-07-09 11:44 . 2008-07-09 11:54 2,328 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-09 11:43 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-07-09 11:43 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-07-09 11:43 . 2008-05-29 09:35 86,528 --a------ C:\WINDOWS\system32\VACFix.exe
2008-07-09 11:43 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-07-09 11:43 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-07-09 11:43 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-07-08 20:48 . 2008-07-08 21:01 <DIR> d-------- C:\Program Files\XoftSpySE
2008-07-08 18:53 . 2008-07-08 18:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-07-08 17:59 . 2008-07-08 17:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ipswitch
2008-07-08 17:58 . 2008-07-08 17:59 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-08 17:25 . 2008-07-09 20:03 405 --a------ C:\WINDOWS\wininit.ini
2008-07-08 12:18 . 2008-07-08 12:18 28,288 --a------ C:\WINDOWS\system32\opnmMccD.dll
2008-07-08 11:53 . 2008-07-09 23:36 <DIR> d-------- C:\Program Files\DVDCoverPrint
2008-07-06 21:30 . 2008-07-06 21:30 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-06 10:15 . 2008-07-06 10:15 <DIR> d-------- C:\Program Files\Wirelwss LAN Utility
2008-07-06 10:15 . 2004-12-01 18:35 438,912 --a------ C:\WINDOWS\system32\drivers\TNET1130.sys
2008-07-06 10:15 . 2004-11-04 18:55 94,192 --a------ C:\WINDOWS\system32\drivers\FwRad17.bin
2008-07-06 10:15 . 2004-11-04 18:55 92,836 --a------ C:\WINDOWS\system32\drivers\FwRad16.bin
2008-07-06 10:15 . 2004-12-01 18:29 69,632 --a------ C:\WINDOWS\system32\TnetWCoInst.dll
2008-06-22 09:22 . 2008-06-13 14:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-13 18:23 --------- d-----w C:\Documents and Settings\Ian\Application Data\MailWasherPro
2008-07-12 22:10 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-12 16:54 --------- d-----w C:\Documents and Settings\Ian\Application Data\Azureus
2008-07-11 19:31 --------- d-----w C:\Program Files\Common Files\Ahead
2008-07-10 20:21 --------- d--h--r C:\Documents and Settings\Clare\Application Data\yahoo!
2008-07-10 19:04 --------- d-----w C:\Documents and Settings\Cyb\Application Data\Yahoo!
2008-07-10 11:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-09 22:08 --------- d-----w C:\Program Files\AoA DVD Ripper
2008-07-09 20:07 --------- d-----w C:\Documents and Settings\Ian\Application Data\Yahoo!
2008-07-09 20:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-07-09 19:41 --------- d-----w C:\Program Files\Yahoo!
2008-07-09 19:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-09 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-09 12:22 --------- d-----w C:\Documents and Settings\Ian\Application Data\URSoft
2008-07-09 11:24 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-07-09 09:45 --------- d-----w C:\Program Files\Pinnacle
2008-07-09 08:34 --------- d-----w C:\Program Files\Trojan Remover
2008-07-01 21:41 --------- d-----w C:\Program Files\Google
2008-06-22 08:30 1,637 ----a-w C:\swlist.reg
2008-06-20 18:47 --------- d-----w C:\Program Files\EPSON Print CD
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 09:42 21,672 ----a-w C:\WINDOWS\system32\drivers\ggsemc.sys
2008-06-12 09:42 13,352 ----a-w C:\WINDOWS\system32\drivers\ggflt.sys
2008-05-25 08:55 --------- d-----w C:\Documents and Settings\Clare\Application Data\Talkback
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-08-02 17:30 47,360 ----a-w C:\Documents and Settings\Ian\Application Data\pcouffin.sys
2007-03-03 08:23 19,680 ----a-w C:\Documents and Settings\Ian\Application Data\GDIPFONTCACHEV1.DAT
2007-02-07 18:15 81,920 ----a-w C:\Documents and Settings\Ian\Application Data\ezpinst.exe
2007-01-21 20:11 19,680 ----a-w C:\Documents and Settings\Cyb\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D95A625D-A0FC-4729-A626-B68642946481}]
2008-07-08 12:18 28288 --a------ C:\WINDOWS\system32\opnmMccD.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 02:01 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 02:50 1603152]
"TI WLAN"="C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe" [2004-12-09 16:49 1150976]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 08:11 771704]
"SoundMan"="SOUNDMAN.EXE" [2003-07-16 15:50 55296 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{D95A625D-A0FC-4729-A626-B68642946481}"= "C:\WINDOWS\system32\opnmMccD.dll" [2008-07-08 12:18 28288]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmMccD]
2008-07-08 12:18 28288 C:\WINDOWS\system32\opnmMccD.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIM1"= pclepim1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless G Desktop Card Client Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless G Desktop Card Client Utility.lnk
backup=C:\WINDOWS\pss\Belkin Wireless G Desktop Card Client Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ian^Start Menu^Programs^Startup^AdsGone.lnk]
path=C:\Documents and Settings\Ian\Start Menu\Programs\Startup\AdsGone.lnk
backup=C:\WINDOWS\pss\AdsGone.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
--------- 2007-08-22 14:34 936960 C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
--a------ 2006-12-07 07:59 935936 C:\Program Files\btbb_wcm\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Dbox2 Bootmanager\\DBox_Boot.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\FlashFXP\\flashfxp.exe"=
"C:\\Program Files\\Ipswitch\\WS_FTP Pro\\wsftppro.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AdsGone\\adsgone.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\BT Broadband Desktop Help\\bin\\BTHelpBrowser.exe"=
"C:\\Program Files\\LG Software Innovations\\1Click DVD Copy 5\\1ClickDvdCopy.exe"=
"C:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1128:UDP"= 1128:UDP:Windows Media Format SDK (iexplore.exe)
"1129:UDP"= 1129:UDP:Windows Media Format SDK (iexplore.exe)
"49500:UDP"= 49500:UDP:azureus
"49500:TCP"= 49500:TCP:azureus

R3 LVHybrid;LVHybrid service;C:\WINDOWS\system32\DRIVERS\LVHybrid.sys [2007-01-30 15:20]
S3 Belkin700F;Belkin Wireless G Desktop Card Service v7;C:\WINDOWS\system32\DRIVERS\BLKWGDv7.sys []
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-06-12 10:42]
S3 TNET1130;802.11 WLAN;C:\WINDOWS\system32\DRIVERS\TNET1130.sys [2004-12-01 18:35]
S3 UNDPX1K;UNDPX1K;C:\WINDOWS\system32\drivers\UNDPX1K.SYS []
S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;C:\WINDOWS\system32\DRIVERS\WebSTAR.sys [2001-12-17 12:25]
S3 WebSTARXP;Scientific Atlanta WebSTAR 100 & 200 series Cable Modem;C:\WINDOWS\system32\DRIVERS\SACMXP1.sys []

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-09 17:50:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-14 16:03:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-07-09 20:03:19 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Ian.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
"2008-07-14 16:17:16 C:\WINDOWS\Tasks\XoftSpySE 2.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
"2008-07-08 19:48:25 C:\WINDOWS\Tasks\XoftSpySE.job"
- C:\Program Files\XoftSpySE\XoftSpy.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{423E0CCD-C73C-478A-B344-B1499D317819} - C:\WINDOWS\system32\byXRlIcA.dll
BHO-{90AA2997-72F6-4CD8-8DD3-89EB2318D4BA} - C:\WINDOWS\system32\nnnoMFwX.dll
BHO-{9B106625-C99B-45BF-96C4-B0555A6C788F} - C:\WINDOWS\system32\pmnKDwus.dll
BHO-{A303402F-6E2C-4073-BD12-82E27C4855BF} - C:\WINDOWS\system32\khfDwuTk.dll
HKLM-Run-68192817 - C:\WINDOWS\system32\jwxtqgan.dll
ShellExecuteHooks-{6B1914F0-4D5D-4798-92E3-9E7A70C3900D} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-14 17:17:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\opnmMccD.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
.
**************************************************************************
.
Completion time: 2008-07-14 17:22:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-14 16:22:41

Pre-Run: 21,861,793,792 bytes free
Post-Run: 22,236,545,024 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

269 --- E O F --- 2008-07-06 20:30:04


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:29:33, on 14/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
R3 - URLSearchHook: (no name) - {a1b2f3fa-dd1d-470b-a23e-a133b2f8ef60} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {D95A625D-A0FC-4729-A626-B68642946481} - C:\WINDOWS\system32\opnmMccD.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {a1b2f3fa-dd1d-470b-a23e-a133b2f8ef60} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [TI WLAN] C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129224358217
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129224334311
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: opnmMccD - C:\WINDOWS\SYSTEM32\opnmMccD.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 12094 bytes

#6 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:43 AM

Posted 16 July 2008 - 03:59 AM

Hello again and sorry for the little delay; I have got sick and really need my rest. I will try to review your replies and reply with a fix as soon as possible. We are making progress. :thumbsup:



Please print out or copy this page to Notepad.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If you have any queries about the process or just general questions, ask your question(s) before proceeding with the fixes.


Step #1: uninstallations
Azureus could be the reason your system is infested with malware. Aside from the obvious legal issues, file sharing is one of the primary ways through which people become infected with malware. Anytime you are running any type of peer-to-peer application, you are more prone to infection. Even when a program like this is not infected itself, it will still bring malware into your system because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware.
Having this said, I recommend that you remove this program from your system. If you agree, go to Start > Control Panel > Add or Remove Programs and remove Azureus if present.
If you do not want to uninstall the program, please at least refrain from using any peer-to-peer programs for the remainder of my fix.

I see XoftSpySE installed on your computer. XoftSpy has been delisted from The Spyware Warrior List of Rogue/Suspect Anti-Spyware Products & Web Sites, but since the program was on it I recommend to uninstall it and use programs from the trustworthy list which can be viewed on the same page. If you agree, uninstall XoftSpySE using Add or Remove Programs as well.

Step #2: CFScript
We need to re-run ComboFix with some additonal directives:
  • Close any open browsers/windows.
  • VERY IMPORTANT: Close/Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix.
    ** Click on this link to see a list of programs that should be disabled. NOTE: The list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask. **
  • Copy the entire contents inside the CODE box below into Notepad - don't use any other text editor than Notepad or the script will fail.
    http://www.bleepingcomputer.com/forums/t/157319/vundo-metajuan-zlobgen-keep-coming-back/
    
    Collect::
    C:\WINDOWS\system32\opnmMccD.dll
    
    File::
    C:\WINDOWS\system32\tmp.reg
    C:\WINDOWS\system32\VCCLSID.exe
    C:\WINDOWS\system32\SrchSTS.exe
    C:\WINDOWS\system32\VACFix.exe
    C:\WINDOWS\system32\Process.exe
    C:\WINDOWS\system32\dumphive.exe
    C:\WINDOWS\system32\WS2Fix.exe
    
    Folder::
    C:\VundoFix Backups
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D95A625D-A0FC-4729-A626-B68642946481}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmMccD]
    WARNING: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Click File > Save and save as CFScript.txt in the same location as ComboFix.exe.
  • Posted Image
    Referring to the picture above, drag CFScript.txt on top of ComboFix.exe. This will start ComboFix again.
    NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang!
  • When finished, ComboFix shall produce a log for you at C:\ComboFix.txt; please post the entire contents of that report in your next reply for further review.

    ** When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed.  With the above script, ComboFix will capture a file to submit for analysis.
    Ensure you are connected to the Internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file. **
Step #3: HijackThis fix
Scan again with HijackThis. Put a checkmark by these entries if they are present, double-checking to be sure that only these entries are checked:
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {a1b2f3fa-dd1d-470b-a23e-a133b2f8ef60} - (no file)
O3 - Toolbar: (no name) - {a1b2f3fa-dd1d-470b-a23e-a133b2f8ef60} - (no file)
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)


Close all other windows - you should only see HijackThis on your Desktop - and then click the Fix checked button.

Step #4: files and folders deletion & Jotti's malware/VirusTotal.com scan
First enable the viewing of hidden files in Windows XP by following these steps:
  • Close all programs so that you are at your Desktop.
  • Go to Start > My Computer.
  • Select the Tools menu and then click on the Folder Options menu option.
  • After the new window appears select the View tab.
  • Remove the checkmark from the checkbox labelled "Hide extensions for known file types".
  • Remove the checkmark from the checkbox labelled "Hide protected operating system files (Recommended)"; you will get a message warning you about showing protected operating system files, click Yes.
  • Select the radio button labelled "Show hidden files and folders".
  • Press the Apply button and then press the OK button and close My Computer.
Your computer is now configured to show all hidden system files and folders.

Only if you uninstalled XoftSpySE as recommended, please delete the folder and the files listed below (if present) using My Computer or Windows Explorer (to get there, press Windows KEY + E):
C:\Program Files\XoftSpySE <-- this folder
C:\WINDOWS\Tasks\XoftSpySE.job
C:\WINDOWS\Tasks\XoftSpySE 2.job

Only if you have uninstalled Azureus as recommended, please delete these folders (if present) using My Computer or Windows Explorer:
C:\Program Files\Azureus <-- this folder
C:\Documents and Settings\Ian\Application Data\Azureus <-- this folder

Now please go to http://virusscan.jotti.org/ and follow these steps to upload a file and scan it with Jotti's malware scan:
  • Click the Browse... button at the top of the page.
  • Navigate to this file if it is present: C:\Documents and Settings\Ian\Application Data\GDIPFONTCACHEV1.DAT
  • Click Open.
  • Now click the Submit button (positioned next to the Browse... button) to upload the file.
  • Please be patient as the file will be scanned.
  • Once scanned, copy and paste the results in your next reply.
NOTE: In case Jotti is busy, try VirusTotal.com.

Step #5: Kaspersky Online Scanner scan
Please do an online scan with Kaspersky Online Scanner:
  • Please visit the Kaspersky Online Scanner website.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded on the left side of the page in the Scan section select My Computer .
    << This will start the program and scan your system. >>
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Change the "Files of Type" dropdown box to "Text Files".
  • Enter a memorable filename.
  • Save the file to your Desktop.
  • Copy (Ctrl + A then Ctrl + C) and paste (Ctrl + V) that information in your next post.
Step #6: HijackThis scan
Scan with HijackThis again and post a new HijackThis log.



So in your next reply, please post the entire contents of:
- the produced ComboFix log (C:\ComboFix.txt)
- the Jotti's malware/VirusTotal.com scan results
- the Kaspersky Online Scanner report
- a new HijackThis log
NOTE: Use several posts if necessary to include everything in the requested logs.

Also let me know if you have already noticed any changes in computer performance. :)
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#7 Brian Fantana

Brian Fantana
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 18 July 2008 - 09:59 AM

sorry about the delay - but I had to run a second Kaspersky scan as the first one mysteriously disappeared off the PC when I was at work (I blame the missus). The 2nd one took 15 1/2hours!!!!!
anyway - here are my logs
Cheers


ComboFix 08-07-13.12 - Ian 2008-07-16 20:00:22.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.145 [GMT 1:00]
Running from: C:\Documents and Settings\Ian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ian\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\WS2Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\pmnKDwus.dll.bad
C:\VundoFix Backups\suwDKnmp.ini.bad
C:\VundoFix Backups\suwDKnmp.ini2.bad
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\aumnikep.ini
C:\WINDOWS\system32\dumphive.exe
C:\WINDOWS\system32\gddqpf.dll
C:\WINDOWS\system32\gmbwynhx.ini
C:\WINDOWS\system32\hgGaBsTN.dll
C:\WINDOWS\system32\ibjkao.dll
C:\WINDOWS\system32\nipovtfd.dll
C:\WINDOWS\system32\NTsBaGgh.ini
C:\WINDOWS\system32\NTsBaGgh.ini2
C:\WINDOWS\system32\opnmMccD.dll
C:\WINDOWS\system32\pekinmua.dll
C:\WINDOWS\system32\Process.exe
C:\WINDOWS\system32\qkenqgxy.ini
C:\WINDOWS\system32\SrchSTS.exe
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\trkmttyt.dll
C:\WINDOWS\system32\ucplzl.dll
C:\WINDOWS\system32\VACFix.exe
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\whyhqudt.dll
C:\WINDOWS\system32\WS2Fix.exe
C:\WINDOWS\system32\xhnywbmg.dll

.
((((((((((((((((((((((((( Files Created from 2008-06-16 to 2008-07-16 )))))))))))))))))))))))))))))))
.

2008-07-15 23:13 . 2008-07-15 23:13 <DIR> d-------- C:\Documents and Settings\Ian\Application Data\Symantec
2008-07-12 23:27 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-12 23:27 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-07-12 23:27 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-12 20:40 . 2008-07-12 20:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-10 18:50 . 2008-07-10 18:50 <DIR> d-------- C:\Documents and Settings\Jennifer\Application Data\Yahoo!
2008-07-10 18:48 . 2008-07-10 18:48 <DIR> d-------- C:\Documents and Settings\Jennifer\Application Data\Talkback
2008-07-09 21:20 . 2008-07-09 21:20 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-07-09 20:46 . 2008-07-09 21:09 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-09 20:46 . 2008-07-09 21:09 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-09 20:46 . 2008-07-09 21:09 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-09 20:46 . 2008-07-09 21:09 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-09 20:43 . 2008-07-12 23:27 <DIR> d-------- C:\Program Files\Symantec
2008-07-09 20:43 . 2008-07-14 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-09 20:42 . 2008-07-16 20:25 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-09 13:22 . 2008-07-09 13:26 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-07-08 20:48 . 2008-07-16 19:52 <DIR> d-------- C:\Program Files\XoftSpySE
2008-07-08 18:53 . 2008-07-08 18:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-07-08 17:59 . 2008-07-08 17:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ipswitch
2008-07-08 17:58 . 2008-07-08 17:59 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-08 17:25 . 2008-07-09 20:03 405 --a------ C:\WINDOWS\wininit.ini
2008-07-08 11:53 . 2008-07-09 23:36 <DIR> d-------- C:\Program Files\DVDCoverPrint
2008-07-06 21:30 . 2008-07-06 21:30 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-06 10:15 . 2008-07-06 10:15 <DIR> d-------- C:\Program Files\Wirelwss LAN Utility
2008-07-06 10:15 . 2004-12-01 18:35 438,912 --a------ C:\WINDOWS\system32\drivers\TNET1130.sys
2008-07-06 10:15 . 2004-11-04 18:55 94,192 --a------ C:\WINDOWS\system32\drivers\FwRad17.bin
2008-07-06 10:15 . 2004-11-04 18:55 92,836 --a------ C:\WINDOWS\system32\drivers\FwRad16.bin
2008-07-06 10:15 . 2004-12-01 18:29 69,632 --a------ C:\WINDOWS\system32\TnetWCoInst.dll
2008-06-22 09:22 . 2008-06-13 14:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-16 18:51 --------- d-----w C:\Program Files\Azureus
2008-07-16 18:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-16 18:28 --------- d-----w C:\Documents and Settings\Ian\Application Data\Azureus
2008-07-16 17:05 --------- d-----w C:\Documents and Settings\Ian\Application Data\MailWasherPro
2008-07-11 19:31 --------- d-----w C:\Program Files\Common Files\Ahead
2008-07-10 20:21 --------- d--h--r C:\Documents and Settings\Clare\Application Data\yahoo!
2008-07-10 19:04 --------- d-----w C:\Documents and Settings\Cyb\Application Data\Yahoo!
2008-07-10 11:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-09 22:08 --------- d-----w C:\Program Files\AoA DVD Ripper
2008-07-09 20:07 --------- d-----w C:\Documents and Settings\Ian\Application Data\Yahoo!
2008-07-09 20:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-07-09 19:41 --------- d-----w C:\Program Files\Yahoo!
2008-07-09 19:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-09 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-09 12:22 --------- d-----w C:\Documents and Settings\Ian\Application Data\URSoft
2008-07-09 11:24 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-07-09 09:45 --------- d-----w C:\Program Files\Pinnacle
2008-07-09 08:34 --------- d-----w C:\Program Files\Trojan Remover
2008-07-01 21:41 --------- d-----w C:\Program Files\Google
2008-06-22 08:30 1,637 ----a-w C:\swlist.reg
2008-06-20 18:47 --------- d-----w C:\Program Files\EPSON Print CD
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 09:42 21,672 ----a-w C:\WINDOWS\system32\drivers\ggsemc.sys
2008-06-12 09:42 13,352 ----a-w C:\WINDOWS\system32\drivers\ggflt.sys
2008-05-25 08:55 --------- d-----w C:\Documents and Settings\Clare\Application Data\Talkback
2007-08-02 17:30 47,360 ----a-w C:\Documents and Settings\Ian\Application Data\pcouffin.sys
2007-03-03 08:23 19,680 ----a-w C:\Documents and Settings\Ian\Application Data\GDIPFONTCACHEV1.DAT
2007-02-07 18:15 81,920 ----a-w C:\Documents and Settings\Ian\Application Data\ezpinst.exe
2007-01-21 20:11 19,680 ----a-w C:\Documents and Settings\Cyb\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 02:01 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 02:50 1603152]
"TI WLAN"="C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe" [2004-12-09 16:49 1150976]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 08:11 771704]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"68192817"="C:\WINDOWS\system32\pekinmua.dll" [BU]
"SoundMan"="SOUNDMAN.EXE" [2003-07-16 15:50 55296 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIM1"= pclepim1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless G Desktop Card Client Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless G Desktop Card Client Utility.lnk
backup=C:\WINDOWS\pss\Belkin Wireless G Desktop Card Client Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ian^Start Menu^Programs^Startup^AdsGone.lnk]
path=C:\Documents and Settings\Ian\Start Menu\Programs\Startup\AdsGone.lnk
backup=C:\WINDOWS\pss\AdsGone.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
--------- 2007-08-22 14:34 936960 C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
--a------ 2006-12-07 07:59 935936 C:\Program Files\btbb_wcm\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Dbox2 Bootmanager\\DBox_Boot.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\FlashFXP\\flashfxp.exe"=
"C:\\Program Files\\Ipswitch\\WS_FTP Pro\\wsftppro.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AdsGone\\adsgone.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\BT Broadband Desktop Help\\bin\\BTHelpBrowser.exe"=
"C:\\Program Files\\LG Software Innovations\\1Click DVD Copy 5\\1ClickDvdCopy.exe"=
"C:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1128:UDP"= 1128:UDP:Windows Media Format SDK (iexplore.exe)
"1129:UDP"= 1129:UDP:Windows Media Format SDK (iexplore.exe)
"49500:UDP"= 49500:UDP:azureus
"49500:TCP"= 49500:TCP:azureus

R3 LVHybrid;LVHybrid service;C:\WINDOWS\system32\DRIVERS\LVHybrid.sys [2007-01-30 15:20]
R3 TNET1130;802.11 WLAN;C:\WINDOWS\system32\DRIVERS\TNET1130.sys [2004-12-01 18:35]
S3 Belkin700F;Belkin Wireless G Desktop Card Service v7;C:\WINDOWS\system32\DRIVERS\BLKWGDv7.sys []
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-06-12 10:42]
S3 UNDPX1K;UNDPX1K;C:\WINDOWS\system32\drivers\UNDPX1K.SYS []
S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;C:\WINDOWS\system32\DRIVERS\WebSTAR.sys [2001-12-17 12:25]
S3 WebSTARXP;Scientific Atlanta WebSTAR 100 & 200 series Cable Modem;C:\WINDOWS\system32\DRIVERS\SACMXP1.sys []

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-16 17:50:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-16 19:03:17 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-07-09 20:03:19 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Ian.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-16 20:24:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
.
**************************************************************************
.
Completion time: 2008-07-16 20:29:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-16 19:29:23
ComboFix2.txt 2008-07-14 16:22:53

Pre-Run: 22,775,791,616 bytes free
Post-Run: 22,760,247,296 bytes free

234 --- E O F --- 2008-07-06 20:30:04



Jotti
Scan taken on 16 Jul 2008 19:35:04 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing



--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, July 18, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, July 17, 2008 16:15:59
Records in database: 963552
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\
I:\

Scan statistics:
Files scanned: 114228
Threat name: 5
Infected objects: 27
Suspicious objects: 0
Duration of the scan: 15:28:43


File name / Threat name / Threats count
C:\Documents and Settings\Ian\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Ian\Desktop\SmitfraudFix\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Documents and Settings\Ian\Desktop\[4]-Submit_2008-07-16@19.59.zip Infected: Trojan.Win32.Monderb.gen 1
C:\Program Files\BT Broadband Desktop Help\vendors\btbb\wwwcache\wt\deviceview\private\content\driven_dev\upgrade\McciContextUpgrade.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 1
C:\QooBox\Quarantine\C\VundoFix Backups\pmnKDwus.dll.bad.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\afedfqwx.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\atpofwaj.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bfsmwb.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\brbyeb.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\cyvvqkxr.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\evhwaifk.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\fccccArq.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\gddqpf.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\hgGaBsTN.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ibjkao.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jwxtqgan.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ksfgrbbn.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nipovtfd.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\nkuqkg.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\oijthpyi.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pekinmua.dll.vir Infected: Trojan.Win32.Monder.ama 1
C:\QooBox\Quarantine\C\WINDOWS\system32\sfaimq.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\trkmttyt.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\QooBox\Quarantine\C\WINDOWS\system32\xhnywbmg.dll.vir Infected: Trojan.Win32.Monderb.gen 1
C:\WINDOWS\Motive\btbb\UninstallHelper.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 1
D:\downloaded files\Data.Doctor.Applications.Bundle-YAG\Data.Doctor.Applications.Bundle-YAG.rar Infected: not-a-virus:PSWTool.Win32.Pwdspyhk.d 1


The selected area was scanned.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:48:20, on 18/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [TI WLAN] C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [68192817] rundll32.exe "C:\WINDOWS\system32\pekinmua.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129224358217
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129224334311
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 12161 bytes

#8 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:43 AM

Posted 19 July 2008 - 04:10 AM

Hello, Brian Fantana.

We are making good progress, although we are not done yet. Please bear with me if you want your computer to be completely clean from malware. :thumbsup:

One question: It appears you have downloaded Data.Doctor.Applications.Bundle-YAG. Can you confirm please if it is the same as what is mentioned here: http://www.passwordrecovery.in/? Do you use these applications?



Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


Step #1: CFScript
We need to re-run ComboFix with some additonal directives:
  • Close any open browsers/windows.
  • VERY IMPORTANT: Close/Disable all running antivirus, antimalware and firewall programs as they may interfere with the proper running of ComboFix.
    ** Click on this link to see a list of programs that should be disabled. NOTE: The list is not all-inclusive. If yours is not listed and you do not know how to disable it, please ask. **
  • Copy the entire contents inside the CODE box below into Notepad - don't use any other text editor than Notepad or the script will fail.
    File::
    C:\WINDOWS\system32\pekinmua.dll
    C:\Documents and Settings\Ian\Desktop\[4]-Submit_2008-07-16@19.59.zip
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "68192817"=-
    WARNING: The above script was written specifically for this infection on this person's computer. It is NOT to be used on another computer, as it may cause damage that could result in a format!
  • Click File > Save and save as CFScript.txt in the same location as ComboFix.exe.
  • Posted Image
    Referring to the picture above, drag CFScript.txt on top of ComboFix.exe. This will start ComboFix again.
    NOTE: ** Do not mouseclick ComboFix's window whilst it's running. That may cause your system to hang! **
  • When finished, ComboFix shall produce a log for you at C:\ComboFix.txt; please post the entire contents of that report in your next reply for further review.
Step #2: ATF Cleaner
We need to clean out some temporary data.

Please download ATF Cleaner by Atribune from the download link below. ** This program is for Windows XP and Windows 2000 only. **
Download ATF Cleaner

Perform a cleanup as follows:

  • Double-click ATF-Cleaner.exe to run the program.
  • Under the Main tab (at the top of the screen) - Select Files to Delete, put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button.

If you use the Mozilla Firefox browser:

  • Click on the Firefox tab at the top and put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser:

  • Click on the Opera tab at the top and put a checkmark in the checkbox labelled "Select All".
  • Click on the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click the Exit button on the Main menu to close the program.
For technical support, double-click the e-mail address located at the bottom of each menu.

Step #3: Malwarebytes' Anti-Malware (MbAM)
I would like you to run a scan with Malwarebytes' Anti-Malware.

Please download Malwarebytes' Anti-Malware (MbAM) from one of the links below and save it to your Desktop.
(1) Download Malwarebytes' Anti-Malware (mbam-setup.exe)
(2) Download Malwarebytes' Anti-Malware (mbam-setup.exe)
(3) Download Malwarebytes' Anti-Malware (mbam-setup.exe)

Once downloaded:

  • Make sure you are connected to the Internet.
  • Double-click mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to the default settings.
  • When installation has finished, make sure you leave both of these checked:
    • "Update Malwarebytes' Anti-Malware"
    • "Launch Malwarebytes' Anti-Malware";
    click Finish.
  • MbAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
    NOTE: ** If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. **
  • On the Scanner tab, make sure the "Perform Quick Scan" option is selected; then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.<< The scan will begin and "Scan in progress..." will show at the top. It may take some time to complete, so please be patient. >>
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found."; click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer (see NOTE below).
    The log is automatically saved and can be viewed by clicking the Logs tab in MbAM.
  • Copy and paste the entire contents of that report in your next reply and exit MbAM.
NOTE: ** If MbAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MbAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MbAM from removing all the malware. **

Step #4: Java SE Runtime Environment (JRE) update
Your Java is out of date. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove older version Java components and update:
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your Desktop:
    • Go to http://java.sun.com/javase/downloads/index.jsp.
    • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 7 … The Java SE Runtime Environment (JRE) allows end-users to run Java applications.".
    • Click the Download button to the right.
    • Select your Platform: "Windows".
    • Select your Language: "Multi-language".
    • Review the License Agreement, and if you agree check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
    • Click Continue and the page will refresh.
    • Click on the link to download the Windows Offline Installation and save the file to your Desktop.
  • Close all programs - especially your web browser - so that you have nothing open and are at your Desktop.
  • Go to Start > Control Panel, double-click Add or Remove Programs and remove all older versions of Java:
    • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Follow the on-screen instructions for the Java uninstaller.
    • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • From your Desktop double-click the jre-6u7-windows-i586-p.exe file.
  • Follow the on-screen instructions to install the latest Java version.
Step #5: HijackThis scan
Scan with HijackThis again and post a new HijackThis log, along with a description of any remaining problems.



So in your next reply, please include the following:
  • C:\ComboFix.txt
  • MbAM's report
  • new HijackThis log
NOTE: Use several posts if necessary to include everything in the requested logs.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#9 Brian Fantana

Brian Fantana
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 19 July 2008 - 06:52 AM

htv8 - it does seem like progress has been made - PC is faster and today I've had no extra IE windows opening.
Re- Data Doctor, I don't think it is the same thing. If I remember rightly it was a trial version for lost data on memory cards. I don't use it. Is it a problem too?

Logs attached


ComboFix 08-07-13.12 - Ian 2008-07-19 12:10:01.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.168 [GMT 1:00]
Running from: C:\Documents and Settings\Ian\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ian\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Documents and Settings\Ian\Desktop\[4]-Submit_2008-07-16@19.59.zip
C:\WINDOWS\system32\pekinmua.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ian\Desktop\[4]-Submit_2008-07-16@19.59.zip

.
((((((((((((((((((((((((( Files Created from 2008-06-19 to 2008-07-19 )))))))))))))))))))))))))))))))
.

2008-07-15 23:13 . 2008-07-15 23:13 <DIR> d-------- C:\Documents and Settings\Ian\Application Data\Symantec
2008-07-12 23:27 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-07-12 23:27 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-07-12 23:27 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-07-12 20:40 . 2008-07-12 20:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-10 18:50 . 2008-07-10 18:50 <DIR> d-------- C:\Documents and Settings\Jennifer\Application Data\Yahoo!
2008-07-10 18:48 . 2008-07-10 18:48 <DIR> d-------- C:\Documents and Settings\Jennifer\Application Data\Talkback
2008-07-09 21:20 . 2008-07-09 21:20 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Apple Computer
2008-07-09 20:46 . 2008-07-09 21:09 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-07-09 20:46 . 2008-07-09 21:09 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-07-09 20:46 . 2008-07-09 21:09 10,671 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-07-09 20:46 . 2008-07-09 21:09 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-07-09 20:43 . 2008-07-12 23:27 <DIR> d-------- C:\Program Files\Symantec
2008-07-09 20:43 . 2008-07-14 23:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-09 20:42 . 2008-07-19 12:03 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-09 13:22 . 2008-07-09 13:26 <DIR> d-------- C:\Program Files\Your Uninstaller 2008
2008-07-08 18:53 . 2008-07-08 18:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-07-08 17:59 . 2008-07-08 17:59 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ipswitch
2008-07-08 17:58 . 2008-07-08 17:59 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-08 17:25 . 2008-07-09 20:03 405 --a------ C:\WINDOWS\wininit.ini
2008-07-08 11:53 . 2008-07-09 23:36 <DIR> d-------- C:\Program Files\DVDCoverPrint
2008-07-06 21:30 . 2008-07-06 21:30 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-07-06 10:15 . 2008-07-06 10:15 <DIR> d-------- C:\Program Files\Wirelwss LAN Utility
2008-07-06 10:15 . 2004-12-01 18:35 438,912 --a------ C:\WINDOWS\system32\drivers\TNET1130.sys
2008-07-06 10:15 . 2004-11-04 18:55 94,192 --a------ C:\WINDOWS\system32\drivers\FwRad17.bin
2008-07-06 10:15 . 2004-11-04 18:55 92,836 --a------ C:\WINDOWS\system32\drivers\FwRad16.bin
2008-07-06 10:15 . 2004-12-01 18:29 69,632 --a------ C:\WINDOWS\system32\TnetWCoInst.dll
2008-06-22 09:22 . 2008-06-13 14:10 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-19 11:07 --------- d-----w C:\Documents and Settings\Ian\Application Data\MailWasherPro
2008-07-16 18:50 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-11 19:31 --------- d-----w C:\Program Files\Common Files\Ahead
2008-07-10 20:21 --------- d--h--r C:\Documents and Settings\Clare\Application Data\yahoo!
2008-07-10 19:04 --------- d-----w C:\Documents and Settings\Cyb\Application Data\Yahoo!
2008-07-10 11:22 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-09 22:08 --------- d-----w C:\Program Files\AoA DVD Ripper
2008-07-09 20:07 --------- d-----w C:\Documents and Settings\Ian\Application Data\Yahoo!
2008-07-09 20:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-07-09 19:41 --------- d-----w C:\Program Files\Yahoo!
2008-07-09 19:31 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-07-09 19:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-09 12:22 --------- d-----w C:\Documents and Settings\Ian\Application Data\URSoft
2008-07-09 11:24 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-07-09 09:45 --------- d-----w C:\Program Files\Pinnacle
2008-07-09 08:34 --------- d-----w C:\Program Files\Trojan Remover
2008-07-01 21:41 --------- d-----w C:\Program Files\Google
2008-06-22 08:30 1,637 ----a-w C:\swlist.reg
2008-06-20 18:47 --------- d-----w C:\Program Files\EPSON Print CD
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 09:42 21,672 ----a-w C:\WINDOWS\system32\drivers\ggsemc.sys
2008-06-12 09:42 13,352 ----a-w C:\WINDOWS\system32\drivers\ggflt.sys
2008-05-25 08:55 --------- d-----w C:\Documents and Settings\Clare\Application Data\Talkback
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-04-23 04:16 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2007-08-02 17:30 47,360 ----a-w C:\Documents and Settings\Ian\Application Data\pcouffin.sys
2007-03-03 08:23 19,680 ----a-w C:\Documents and Settings\Ian\Application Data\GDIPFONTCACHEV1.DAT
2007-02-07 18:15 81,920 ----a-w C:\Documents and Settings\Ian\Application Data\ezpinst.exe
2007-01-21 20:11 19,680 ----a-w C:\Documents and Settings\Cyb\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 02:01 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 02:50 1603152]
"TI WLAN"="C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe" [2004-12-09 16:49 1150976]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-10-26 15:42 509224]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 08:11 771704]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"SoundMan"="SOUNDMAN.EXE" [2003-07-16 15:50 55296 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.PIM1"= pclepim1.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless G Desktop Card Client Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless G Desktop Card Client Utility.lnk
backup=C:\WINDOWS\pss\Belkin Wireless G Desktop Card Client Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ian^Start Menu^Programs^Startup^AdsGone.lnk]
path=C:\Documents and Settings\Ian\Start Menu\Programs\Startup\AdsGone.lnk
backup=C:\WINDOWS\pss\AdsGone.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
--------- 2007-08-22 14:34 936960 C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
--a------ 2006-12-07 07:59 935936 C:\Program Files\btbb_wcm\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Dbox2 Bootmanager\\DBox_Boot.exe"=
"C:\\Program Files\\Nero\\Nero 7\\Nero Home\\NeroHome.exe"=
"C:\\Program Files\\FlashFXP\\flashfxp.exe"=
"C:\\Program Files\\Ipswitch\\WS_FTP Pro\\wsftppro.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\AdsGone\\adsgone.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\BT Broadband Desktop Help\\bin\\BTHelpBrowser.exe"=
"C:\\Program Files\\LG Software Innovations\\1Click DVD Copy 5\\1ClickDvdCopy.exe"=
"C:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1128:UDP"= 1128:UDP:Windows Media Format SDK (iexplore.exe)
"1129:UDP"= 1129:UDP:Windows Media Format SDK (iexplore.exe)
"49500:UDP"= 49500:UDP:azureus
"49500:TCP"= 49500:TCP:azureus

R3 LVHybrid;LVHybrid service;C:\WINDOWS\system32\DRIVERS\LVHybrid.sys [2007-01-30 15:20]
R3 TNET1130;802.11 WLAN;C:\WINDOWS\system32\DRIVERS\TNET1130.sys [2004-12-01 18:35]
S3 Belkin700F;Belkin Wireless G Desktop Card Service v7;C:\WINDOWS\system32\DRIVERS\BLKWGDv7.sys []
S3 ggflt;SEMC USB Flash Driver Filter;C:\WINDOWS\system32\DRIVERS\ggflt.sys [2008-06-12 10:42]
S3 UNDPX1K;UNDPX1K;C:\WINDOWS\system32\drivers\UNDPX1K.SYS []
S3 WebSTARNdis;WebSTAR DPX USB Cable Modem Adapter;C:\WINDOWS\system32\DRIVERS\WebSTAR.sys [2001-12-17 12:25]
S3 WebSTARXP;Scientific Atlanta WebSTAR 100 & 200 series Cable Modem;C:\WINDOWS\system32\DRIVERS\SACMXP1.sys []

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-16 17:50:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-19 11:05:52 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-07-09 20:03:19 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Ian.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-19 12:13:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-19 12:14:33
ComboFix-quarantined-files.txt 2008-07-19 11:14:24
ComboFix2.txt 2008-07-16 19:29:33
ComboFix3.txt 2008-07-14 16:22:53

Pre-Run: 22,673,444,864 bytes free
Post-Run: 22,760,222,720 bytes free

183 --- E O F --- 2008-07-06 20:30:04







Malwarebytes' Anti-Malware 1.21
Database version: 966
Windows 5.1.2600 Service Pack 2

12:26:12 19/07/2008
mbam-log-7-19-2008 (12-26-12).txt

Scan type: Quick Scan
Objects scanned: 51846
Time elapsed: 5 minute(s), 1 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b} (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{42e2b43f-3954-48ec-b549-5c05cb7dbd0a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{07895222-50a5-4598-acb1-806ef2a9babc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\rhcnblj0ej2l (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\sqvgnrpx.bwbf (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:44:21, on 19/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [TI WLAN] C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129224358217
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129224334311
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 12138 bytes

#10 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:43 AM

Posted 19 July 2008 - 02:20 PM

Hello again, Brian Fantanta.

htv8 - it does seem like progress has been made - PC is faster and today I've had no extra IE windows opening. [...]

Good. :)

[...] Re- Data Doctor, I don't think it is the same thing. If I remember rightly it was a trial version for lost data on memory cards. I don't use it. Is it a problem too? [...]

The Kaspersky Online Scanner report showed this about the application:

D:\downloaded files\Data.Doctor.Applications.Bundle-YAG\Data.Doctor.Applications.Bundle-YAG.rar Infected: not-a-virus:PSWTool.Win32.Pwdspyhk.d 1

I wasn't able to get a 100% positive ID on the application. That's why I asked you about it. Note that the "not-a-virus:" detections should be seen as informational; if you trust the program and use it, then continue to use it, if this program was put on your pc without your own consent, then delete it.
As you don't use the program (anymore), I recommend removing it. To do so, delete the following folder using My Computer or Windows Explorer (to get there, press Windows KEY + E):
D:\downloaded files\Data.Doctor.Applications.Bundle-YAG <-- this folder

Now please continue with the instructions below. We are (most likely) almost finished. :thumbsup:



Before we begin, you should save these instructions in Notepad to your Desktop, or print them, for easy reference and to make sure you don't get lost.
Make sure to work through the fixes in the exact order in which they are mentioned below and do not miss any steps out. If at any point you have questions, or are unsure of the instructions, do not hesitate to post here and ask for clarification before proceeding with the fixes.


You appear to have no firewall.
It is important that you use a software firewall, to prevent unauthorised traffic both out of and into your computer.
Your log doesn't show a firewall running. If you have disabled your firewall, please re-enable it. If you do not have a firewall installed, please download and install one of these good (and free) products:NOTE: You should only have one firewall installed at a time. Having more than one firewall program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
See Bleeping Computer's excellent tutorial to help using and understanding a firewall: Understanding and Using Firewalls.

Step #1: ComboFix uninstallation
Uninstall ComboFix:
  • Close all open programs/windows so that you have nothing open and are at your Desktop.
  • Click on Start, then click on Run.
  • Copy the entire contents inside the CODE box below and paste them into the Open: field.
    ComboFix /u
    NOTE: The space between "ComboFix" and "/u" needs to be there.
  • Click OK (or press Enter).This will uninstall ComboFix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.
Step #2: Older version Java component removal
Your log still shows that an older version Java component is running. Older versions have vulnerabilities that malicious sites can use to exploit and infect your system. Please follow these steps to remove the older version Java component:
  • Close all programs/windows - especially your web browser - so that you have nothing open and are at your Desktop.
  • Go to Start > Control Panel, double-click Add or Remove Programs and highlight (click once on) Java™ 6 Update 5 or any similar item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button next to it in order to remove the outdated Java version.
  • Reboot your computer once all Java items are gone.


Your log indicates that Windows is not up to date with the current patches that are available.
Microsoft has released the latest upgrades to the XP OS platform, which can be referenced HERE.
It is critical to stay up to date with the latest upgrades to your Operating System, as this can help prevent future problems.
Windows XP Service Pack 3 (SP3) includes all previously released updates for the operating system.
I strongly recommend that you visit the link above and apply the SP3 patch now.



Step #3: HijackThis scan
Scan with HijackThis again and post a new HijackThis log, along with a description of any remaining problems.
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#11 Brian Fantana

Brian Fantana
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 22 July 2008 - 01:12 PM

Hi - sorry for not replying sooner. I've deleted all other references to Java (I misunderstood what you asked me to do as the other files didn't contain the extensions you quoted) hopefully should be ok now. I do have a firewall but thought I was to disable everything when running scans. It usually is enabled.
I did have a prompt to install SP3 but it was at the time everything was kicking off so I will do it but want to get this cleared up first.


Hijack this log attached.

Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:05:12, on 22/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
C:\Program Files\Trend Micro\HijackThis\fluffybunny.exe
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.bbc.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [TI WLAN] C:\Program Files\Wirelwss LAN Utility\TIWLANCu.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\DLink\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\DLink\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129224358217
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129224334311
O16 - DPF: {CE3409C4-9E26-4F8E-83E4-778498F9E7B4} (PB_Uploader Class) - http://static.photobox.co.uk/sg/common/uploader_uni.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\DLink\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: TI Wlan Service (tiwlnsvc) - Unknown owner - C:\Program Files\Wirelwss LAN Utility\tiwlnsvc.exe
O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 12680 bytes

#12 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:43 AM

Posted 22 July 2008 - 02:48 PM

Hello, Brian Fantanta.

[...] I've deleted all other references to Java ([...]) hopefully should be ok now. [...]

Yes, looks like it is OK now.

[...] I do have a firewall but thought I was to disable everything when running scans. It usually is enabled. [...]

OK. :thumbsup: What firewall program do you use then normally? Can you please let me know?
If it is a third-party firewall program that you have disabled, please re-enable it. Note for if you are however usually using the Windows Firewall: The Windows Firewall only blocks unsolicited incoming traffic; you cannot configure the Windows Firewall to block outgoing traffic. In order to prevent unauthorised traffic both out of and into your computer, it is stronly reccomended to use a firewall that is more powerful than the Windows Firewall (refer to my previous post for a list of good (and free) firewall products).
It is important that you use a good software firewall in order to keep your computer safe and secure on the Internet.

[...] I did have a prompt to install SP3 but it was at the time everything was kicking off so I will do it but want to get this cleared up first. [...]

How is your computer running? Your log looks clean again. :) If you however still experience any problems, please let me know. If not, please apply the SP3 as instructed to in my previous post, then post back here. Then I will finally give you some steps to follow in order to dramatically lower the chances of re-infection. :)
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#13 Brian Fantana

Brian Fantana
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 23 July 2008 - 01:38 PM

I use Norton Personal firewall - is this ok?
PC is running a million times better and so far no other IE widows opening.
Thanks loads for all your help htv8
:) :thumbsup: :)

#14 htv8

htv8

  • Members
  • 1,694 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:The Netherlands
  • Local time:09:43 AM

Posted 24 July 2008 - 04:09 AM

Hello, Brian Fantanta.

I use Norton Personal firewall - is this ok?
[...]

Yes, that is OK.
I personally don't like anything related to Norton/Symantec though as it is a huge resource hog. I had Norton once and will never run it on a system again. Norton slows your PC down dramatically and it takes up a lot of valuable disk space. Symantec places tremendous amounts of info on your computer and uses vast resources when running.

[...]
PC is running a million times better and so far no other IE widows opening.
[...]

Very good!

[...]
Thanks loads for all your help htv8
[...]

:wink: You're welcome.



Congratulations, your log looks clean again. Great job! However, if you experience any more problems, please report back.

Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. Just find your country room and register your complaint.
The (main) infection you had was: Vundo (aka Virtuemonde, VirtuMonde).

Below are some steps to follow in order to dramatically lower the chances of re-infection.
You may have already implemented some of the steps below; however, you should follow any steps that you have not already implemented.
  • Use an antivirus software and make sure that you keep it updated.
    It is very important that your computer has an antivirus software running on your machine. This alone can save a lot of trouble with malware.
    Two good antivirus programs free for non-commercial home use are avast! antivirus and Avira AntiVir.
    Two good paid for antivirus programs are NOD32 and BitDefender.
    NOTE: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.

    New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software. It is imperitive that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
    :thumbsup:
  • Use a firewall with outbound protection.
    While the firewall built into Windows XP is adequate to protect you from incoming attacks, it will not be much help in alerting you to programs already on your PC attempting to connect to remote servers. I therefore strongly recommend using one of the following good (and free) firewalls products instead:NOTE: You should only have one firewall installed at a time. Having more than one firewall program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    See Bleeping Computer's excellent tutorial to help using and understanding a firewall: Understanding and Using Firewalls.
    :)
  • Make sure you install all the security updates for Windows, Internet Explorer & Microsoft Office.
    Whenever a security problem in its software is found, Microsoft will usually create a patch for it. After the patch is installed, attackers can't use the vulnerability to install malicious software on your PC, so keeping up with these patches will help to prevent malicious software being installed on your PC.
    Visit Microsoft Update regularly to check for and install updates to Microsoft applications. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
    NOTE: The update process uses ActiveX, so you will need to use Internet Explorer for it, and allow the ActiveX control(s) that it wants to install.
    :)
  • Keep your non-Microsoft applications updated as well.
    Microsoft isn't the only company whose products can contain security vulnerabilities. To check for other vulnerable programs running on your PC that are in need of an update, you can use the Secunia Online Software Inspector. I suggest that you run it at least once a month.
    :)
  • Make Internet Explorer more secure:
    • Go to Start > Run.
    • In the Open: field type INETCPL.CPL and click OK.
    • Click the Security tab.
    • Click Reset all zones to default level.
    • Make sure the Internet zone is selected and click Custom level....
      • Change the "Download signed ActiveX controls" option to Prompt.
      • Change the "Download unsigned ActiveX controls" option to Disable.
      • Change the "Initialize and script ActiveX controls not marked as safe" option to Disable.
      • Change the "Installation of desktop items" option to Prompt.
      • Change the "Launching programs and files in an IFRAME" option to Prompt.
      • Change the "Navigate sub-frames across different domains" option to Prompt.
      • Click on the OK button when all these settings have been made.
        If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Click Apply, then OK to exit the Internet Properties page.
    :spacer:
  • Install SpywareBlaster and make sure to update it regularly.
    SpywareBlaster sets killbits in the registry to prevent known malicious ActiveX controls from installing themselves on your computer.
    (If you don't know what ActiveX controls are, see here.)
    You can download SpywareBlaster by from here.
    A tutorial on installing and using this product can be found here: Using SpywareBlaster to protect your computer from Spyware and Malware.
    :spacer:
  • Install and use Spybot - Search & Destroy.
    Instructions: Using Spybot - Search & Destroy to remove Spyware from Your Computer.
    Make sure you update, re-immunize and scan regularly.
    :spacer:
  • Make use of the HOSTS file included with Spybot - Search & Destroy.
    Every version of Microsoft Windows includes a HOSTS file. A HOSTS file is a bit like a phone book: it points to the actual numeric address (i.e. the IP address) from the human friendly name of a website. This feature can be used to block malicious websites.
    Spybot - Search & Destroy has a good HOSTS file built in. To enable it:
    • Run Spybot - Search & Destroy.
    • Click the Mode button on the toolbar, and then place a tick next to Advanced mode.
    • Click Yes.
    • In the left hand pane of Spybot - Search & Destroy, click on Tools, and then on Hosts File.
    • Click on Add Spybot-S&D hosts list.
    NOTE: On some PCs, having a custom HOSTS file installed can cause a significant slowdown. Following these instructions should resolve the issue:
    • Go to Start > Run.
    • In the Open: field type services.msc and click OK.
    • When the Services utility has started up, scroll down the list to find the DNS Client service; double-click on it.
    • On the drop-down box next to Startup type: (General tab), change the setting from Automatic to Manual or Disabled (recommended).
    • Click Apply, then click OK and restart.
    For a more detailed explanation of the HOSTS file, see this reference: What Is The Hosts File?.
    :spacer:
  • Install a-squared Free and update and scan with it regularly.
    a-squared Free is a product from Emsi Software provided free for private use that can detect and remove a variety of malicious software. You can get it here.
    NOTE: If you have a dial-up Internet connection, you may also like to install a-squared Anti-Dialer which provides some real-time protection against premium rate dialers.
    :)
  • Update all your security programs regularly.
    Last but not least: It is absolutely essential to keep all of your security programs up to date. Without regular updates you will NOT be protected when new malicious programs are released!
Glad I was able to help and if there any other problems related to your computer please feel free to post them in the appropriate forum. Though we help people with spyware and viruses here at BC, we also help people with other computer problems! Do not forget to tell your friends about us!
If I have not posted back within 24 hours, feel free to send me a PM with your topic link.

Posted Image

#15 Brian Fantana

Brian Fantana
  • Topic Starter

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Local time:07:43 AM

Posted 24 July 2008 - 01:56 PM

Told loads of people about how much you'd helped.
Thanks again - you've been great

:thumbsup: :) :)




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users