Infected With Trojan.vundo


This topic is locked
6 replies to this topic

#1 anotherdebbie

Posted 24 July 2008 - 01:18 PM

Please help. In an attempt to speed up my computer I downloaded RegCure at the beginning of July. Big mistake. To be fair I'm not sure whether RegCure has caused all the problems I am experiencing but it was certainly the start of it.

The first problem I noticed was that my disk drives were no longer recognised (known as D:/ & E:/) by my computer. Although I uninstalled these disk drives and then used 'Add Hardware' in my Control Panel, nothing worked. On the same day, when trying to open up an Excel document, my computer started asking me to insert installation discs for this to work - I couldn't because the disk drives weren't working. The problem with Excel seems to have rectified itself somehow??

I now have a virus or viruses on my computer. Norton is popping up to say they are there but does not seem to be doing anything about them. Also, when I run a full scan with Norton it isn't picking them up. The scan you recommended (Kaspersky) is picking viruses up, however. The viruses are severely affecting my computer's ability to access the internet. I am particularly experiencing problems getting onto your site. When I open Internet Explorer, sometimes several windows (all adverts) open behind, but other times it works OK. I can get into most of the sites I have saved as favourites, but certain ones (Bleeping Computer for example) just won't load up. It might be my imagination, but certain things appear to be blocked. If I use my homepage (Google) to search for something daft for the kids it comes straight back with results. If I search for anything to help fix my problem, such as "how do I remove viruses from my computer", it just times out!!

As recommended I have attached the results of my Kaspersky scan and below is my Hijack This report. Many thanks.

Deckard's System Scanner v20071014.68
Run by Debbie on 2008-07-24 18:56:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Debbie.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:56:59, on 24/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Debbie\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Debbie.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {0D327C04-7D50-4DFA-AF92-D8C0DB25E8FF} - (no file)
O2 - BHO: (no name) - {201730B6-BD69-436F-AD78-E986CD960B8D} - C:\WINDOWS\system32\geBsrpPF.dll (file missing)
O2 - BHO: (no name) - {3F467E1E-4942-4503-9950-67D32A1E8806} - C:\WINDOWS\system32\koigcatr.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: (no name) - {674D1434-CC4F-481C-B256-30F6B59A14Ad} - C:\WINDOWS\system32\koigcatr.dll
O2 - BHO: {d7da1986-e59d-2439-c0f4-dbf6be5e9b76} - {67b9e5eb-6fbd-4f0c-9342-d95e6891ad7d} - C:\WINDOWS\system32\qrvusy.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: (no name) - {788629AF-89BB-40CC-825C-44170578E2CC} - C:\WINDOWS\system32\xxyxUmMf.dll (file missing)
O2 - BHO: (no name) - {A94C12EB-B70D-458D-91C1-B02694E3E17B} - C:\Documents and Settings\Debbie\Local Settings\Temporary Internet Files\Content.IE5\WFTM89BS\3077ahntdksr[1].dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [90802bda] rundll32.exe "C:\WINDOWS\system32\hjvftdeg.dll",b
O4 - HKLM\..\Run: [BM93b31846] Rundll32.exe "C:\WINDOWS\system32\grcxeyfr.dll",s
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141762545265
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mypixmania.com/uk/uk/importer/MypixUploader.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - https://www.tescophoto.com/wpp/tesco/app/opcuploader.cab
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10610 bytes

-- Files created between 2008-06-24 and 2008-07-24 -----------------------------

2008-07-23 18:18:54 96768 --a------ C:\WINDOWS\system32\qrvusy.dll
2008-07-23 18:18:52 96768 --a------ C:\WINDOWS\system32\mogphqio.dll
2008-07-23 18:18:45 81408 --a------ C:\WINDOWS\system32\hjvftdeg.dll
2008-07-23 18:18:41 91711 --a------ C:\WINDOWS\system32\shdnyjux.dll
2008-07-23 18:11:07 0 d-------- C:\Program Files\Trend Micro
2008-07-20 15:00:43 91711 --a------ C:\WINDOWS\system32\qjsdhxgt.dll
2008-07-20 08:47:09 0 d-------- C:\Program Files\Java
2008-07-20 08:20:00 90236 --a------ C:\WINDOWS\system32\mphodoid.dll
2008-07-20 08:02:15 90251 --a------ C:\WINDOWS\system32\etdifmon.dll
2008-07-19 23:15:04 598116 --ahs---- C:\WINDOWS\system32\UtCIkUvw.ini2
2008-07-19 21:03:08 0 dr-h----- C:\Documents and Settings\Debbie\Recent
2008-07-19 19:55:27 0 d-------- C:\Program Files\CCleaner
2008-07-19 11:06:43 90236 --a------ C:\WINDOWS\system32\mgkekwsj.dll
2008-07-19 11:05:55 600163 --ahs---- C:\WINDOWS\system32\FPprsBeg.ini2
2008-07-18 07:09:50 90236 --a------ C:\WINDOWS\system32\psjajtim.dll
2008-07-18 06:43:44 78336 --a------ C:\WINDOWS\system32\eejpsxct.dll
2008-07-18 06:40:43 90251 --a------ C:\WINDOWS\system32\lepxapmt.dll
2008-07-17 22:38:23 586912 --ahs---- C:\WINDOWS\system32\vuBKlnpo.ini2
2008-07-17 21:27:59 0 d-------- C:\Documents and Settings\Debbie\.housecall6.6
2008-07-17 20:54:30 90236 --a------ C:\WINDOWS\system32\bwgvixok.dll
2008-07-17 20:53:38 601025 --ahs---- C:\WINDOWS\system32\iiPsAJlm.ini2
2008-07-17 19:13:30 90251 --a------ C:\WINDOWS\system32\hhgnpiqx.dll
2008-07-17 19:12:05 598767 --ahs---- C:\WINDOWS\system32\cIhiQqss.ini2
2008-07-15 13:13:59 90251 --a------ C:\WINDOWS\system32\olnegulb.dll
2008-07-14 08:20:00 594341 --ahs---- C:\WINDOWS\system32\NXwvDcdd.ini2
2008-07-12 11:32:37 91711 --a------ C:\WINDOWS\system32\tianflwm.dll
2008-07-10 21:25:42 49664 --a------ C:\WINDOWS\system32\koigcatr.dll
2008-07-10 21:23:48 600480 --ahs---- C:\WINDOWS\system32\MVDeOXbc.ini2
2008-07-10 20:32:51 0 d-------- C:\Documents and Settings\Debbie\Application Data\WinRAR
2008-07-10 20:30:46 0 d-------- C:\Program Files\PocketRAR
2008-07-08 19:14:24 0 d-------- C:\Program Files\SiSoftware
2008-07-07 08:59:13 0 d-------- C:\Documents and Settings\Mark\Application Data\Talkback
2008-07-07 08:59:00 0 d-------- C:\Documents and Settings\Mark\Application Data\Mozilla
2008-07-06 19:23:08 0 d-------- C:\WINDOWS\system32\Dell
2008-07-06 14:19:14 0 d-------- C:\Program Files\PC Drivers HeadQuarters
2008-07-06 14:19:14 0 d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-07-06 14:10:35 0 d-------- C:\WINDOWS\system32\Adobe
2008-07-06 13:21:36 0 d-------- C:\WINDOWS\Prefetch
2008-07-06 12:52:18 0 d-------- C:\WINDOWS\system32\scripting
2008-07-06 12:52:16 0 d-------- C:\WINDOWS\system32\en
2008-07-06 12:52:16 0 d-------- C:\WINDOWS\l2schemas
2008-07-05 16:38:15 0 d-------- C:\Documents and Settings\NetworkService\Start Menu
2008-07-05 15:24:13 0 d-------- C:\Program Files\RegCure


-- Find3M Report ---------------------------------------------------------------

2008-07-24 16:53:08 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-07-20 08:27:01 0 d-------- C:\Program Files\Common Files
2008-07-19 14:21:52 0 d-------- C:\Program Files\Ubisoft
2008-07-06 19:23:08 0 d-------- C:\Program Files\Dell
2008-07-06 14:20:07 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-06 12:52:42 0 d-------- C:\Program Files\Messenger
2008-07-06 12:52:15 0 d-------- C:\Program Files\Movie Maker
2008-07-06 12:48:55 0 d-------- C:\Program Files\Windows NT
2008-07-05 14:07:57 0 d-------- C:\Documents and Settings\Debbie\Application Data\Teleca
2008-07-05 14:07:48 0 d-------- C:\Program Files\Common Files\Teleca Shared
2008-07-05 14:05:02 0 d-------- C:\Program Files\Atari
2008-07-05 13:53:29 0 d-------- C:\Program Files\McDonaldsDragons
2008-07-05 13:50:59 0 d-------- C:\Program Files\Yahoo!
2008-07-05 13:50:58 0 d-------- C:\Program Files\SpywareBot
2008-07-05 13:50:57 0 d-------- C:\Program Files\Modem Helper
2008-07-05 13:50:57 0 d-------- C:\Program Files\DivX
2008-07-05 13:49:33 0 d-------- C:\Program Files\Common Files\AOL
2008-06-15 15:58:22 0 d-------- C:\Program Files\microsoft frontpage
2008-06-03 08:15:57 0 d-------- C:\Program Files\Symantec


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D327C04-7D50-4DFA-AF92-D8C0DB25E8FF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201730B6-BD69-436F-AD78-E986CD960B8D}]
C:\WINDOWS\system32\geBsrpPF.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3F467E1E-4942-4503-9950-67D32A1E8806}]
10/07/2008 21:25 49664 --a------ C:\WINDOWS\system32\koigcatr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{602ADB0E-4AFF-4217-8AA1-95DAC4DFA408}]
25/08/2007 04:51 316784 --a------ C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{674D1434-CC4F-481C-B256-30F6B59A14Ad}]
10/07/2008 21:25 49664 --a------ C:\WINDOWS\system32\koigcatr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{67b9e5eb-6fbd-4f0c-9342-d95e6891ad7d}]
23/07/2008 18:18 96768 --a------ C:\WINDOWS\system32\qrvusy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
31/01/2008 08:41 116088 --a------ C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{788629AF-89BB-40CC-825C-44170578E2CC}]
C:\WINDOWS\system32\xxyxUmMf.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A94C12EB-B70D-458D-91C1-B02694E3E17B}]
C:\Documents and Settings\Debbie\Local Settings\Temporary Internet Files\Content.IE5\WFTM89BS\3077ahntdksr[1].dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
20/07/2008 08:47 34816 --a------ C:\Program Files\Java\jre6\bin\jp2ssv.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}"= C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll [25/08/2007 04:51 316784]

[-HKEY_CLASSES_ROOT\CLSID\{7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA}]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar.1]
[HKEY_CLASSES_ROOT\CoIEPlg.CoToolbar]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [19/08/2003 01:01]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [27/08/2003 14:20]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [03/09/2003 20:12]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [29/06/2004 11:23]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [31/01/2008 14:15]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [09/09/2005 02:18]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [02/01/2006 17:41]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [11/03/2004 01:26]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [17/07/2007 20:54]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [25/08/2007 05:53]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [11/04/2004 20:15]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [15/03/2004 01:04]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [25/05/2004 22:35]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [20/07/2008 08:47]
"90802bda"="C:\WINDOWS\system32\hjvftdeg.dll" [23/07/2008 18:18]
"BM93b31846"="C:\WINDOWS\system32\grcxeyfr.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IW_Drop_Icon"="C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [29/06/2005 12:34]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [06/06/2007 19:16]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [14/04/2008 01:12]

C:\Documents and Settings\Debbie\Start Menu\Programs\Startup\
DESKTOP.INI [03/09/2002 09:00:00]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
DESKTOP.INI [03/09/2002 09:00:00]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [17/07/2007 20:53:13]
Microsoft Works Calendar Reminders.lnk - C:\WINDOWS\Installer\{f04aff5e-362e-11d3-81ab-00c04fb932ba}\4AA756BB.exe [28/06/2005 22:36:32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{788629AF-89BB-40CC-825C-44170578E2CC}"= C:\WINDOWS\system32\xxyxUmMf.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
C:\WINDOWS\System32\dimsntfy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
eapsvcs eaphost
dot3svc dot3svc

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
napagent
hkmsvc

*Newly Created Service* - COMHOST



-- End of Deckard's System Scanner: finished at 2008-07-24 18:57:27 ------------

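The Vundo indicators in the first log above are mechanical enough to pick out with a script: O2 BHO entries that have no name (or a GUID for a name) and point at a randomly named DLL directly under system32, plus O4 Run values that load such a DLL through rundll32. The Python below is an added example written for this thread, not a BleepingComputer or HijackThis tool. It scores O2/O4 lines copied from the log above with those heuristics, and then reports which flagged entries survive in a later log, the way the [90802bda] rundll32 loader survives into the second HijackThis log in this thread after Norton's cleanup. The point weights, the threshold and the "6-8 letter DLL name" test are this example's assumptions, not anything HijackThis itself computes.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: O2/O4 lines copied from the first HijackThis log in this
# thread (the BHOs and Run values Vundo planted, plus legitimate entries).
BEFORE = r"""
O2 - BHO: (no name) - {201730B6-BD69-436F-AD78-E986CD960B8D} - C:\WINDOWS\system32\geBsrpPF.dll (file missing)
O2 - BHO: (no name) - {3F467E1E-4942-4503-9950-67D32A1E8806} - C:\WINDOWS\system32\koigcatr.dll
O2 - BHO: {d7da1986-e59d-2439-c0f4-dbf6be5e9b76} - {67b9e5eb-6fbd-4f0c-9342-d95e6891ad7d} - C:\WINDOWS\system32\qrvusy.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [90802bda] rundll32.exe "C:\WINDOWS\system32\hjvftdeg.dll",b
O4 - HKLM\..\Run: [BM93b31846] Rundll32.exe "C:\WINDOWS\system32\grcxeyfr.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# The same keys after an AV cleanup, in the shape of the second log in this
# thread: the BHOs are gone, the rundll32 loader is still there.
AFTER = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [90802bda] rundll32.exe "C:\WINDOWS\system32\hjvftdeg.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
# Shape of koigcatr.dll / hjvftdeg.dll: 6-8 letters, sitting directly in system32.
RANDOM_DLL_RE = re.compile(r"\\system32\\[A-Za-z]{6,8}\.dll\b", re.IGNORECASE)
HEX_KEY_RE = re.compile(r"^(BM)?[0-9a-f]{8,}$", re.IGNORECASE)   # 90802bda, BM93b31846
RUNDLL_RE = re.compile(r"^rundll32(\.exe)?\s", re.IGNORECASE)


@dataclass
class Finding:
    line: str
    score: int = 0
    reasons: List[str] = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(why)


def score_line(raw: str) -> Optional[Finding]:
    """Score one O2 (BHO) or O4 (Run value) line; other line types return None.
    Weights are this example's assumption, not anything HijackThis computes."""
    line = raw.strip()
    f = Finding(line)
    m = O2_RE.match(line)
    if m:
        if m["name"] == "(no name)" or GUID_RE.match(m["name"]):
            f.add(2, "BHO has no name or a GUID for a name")
        if "(file missing)" in m["path"]:
            f.add(1, "BHO registered but its DLL is gone")
        target = m["path"]
    else:
        m = O4_RE.match(line)
        if not m:
            return None
        if RUNDLL_RE.match(m["cmd"]):
            f.add(2, "Run value loads a DLL through rundll32")
        if HEX_KEY_RE.match(m["key"]):
            f.add(1, "hex-looking Run value name")
        target = m["cmd"]
    if RANDOM_DLL_RE.search(target):
        f.add(1, "6-8 letter DLL name directly under system32")
    return f


def suspicious(log_text: str, threshold: int = 2) -> List[Finding]:
    """All O2/O4 lines whose score reaches the threshold."""
    hits = []
    for raw in log_text.splitlines():
        f = score_line(raw)
        if f is not None and f.score >= threshold:
            hits.append(f)
    return hits


def still_present(before: str, after: str) -> List[Finding]:
    """Flagged entries from `before` that appear verbatim in `after`, i.e. what
    a cleanup left behind and still needs dealing with."""
    survivors = {l.strip() for l in after.splitlines() if l.strip()}
    return [f for f in suspicious(before) if f.line in survivors]


if __name__ == "__main__":
    for f in suspicious(BEFORE):
        print(f"[{f.score}] {f.line}\n      {'; '.join(f.reasons)}")
    print("still present after cleanup:")
    for f in still_present(BEFORE, AFTER):
        print("  " + f.line)
```

A hit here is a lead, not a verdict. A legitimate DLL with a short name under system32 scores only one point and stays under the threshold, while the combinations Vundo uses (unnamed BHO, or rundll32 in a Run value, each paired with a random DLL name) score three or four. The right next step for each flagged line is to look up the CLSID and the file, not to delete it from the log, and a loader that survives a cleanup, like the one `still_present` reports, is the reason the helper asks for a fresh log after every pass.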
#2 Simon V.

Posted 25 July 2008 - 10:58 AM

Hello, and welcome to the forum.

My name is Simon V., and I'll be glad to help you with your computer problems.

Please download and install CCleaner.

Open CCleaner. On the Windows tab, leave the default options alone.
  • On the Applications tab, check (tick) all the boxes except Saved Form Information. This will remove all your saved passwords if you leave this box checked.
  • Click on the Run Cleaner button at the bottom right hand corner.
  • When the cleaner has completed, click Tools in the Left Pane.
  • Verify that Uninstall is highlighted in color, or click on it.
  • In the lower right, click Save to Text File.
  • Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
  • You can leave the filename as install.txt.
  • Click Save, then exit CCleaner.
______________

Please visit this webpage for download links, and instructions for running ComboFix -

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says -

The Recovery Console was successfully installed.

Please continue as follows -
  • Close/Disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, so we may continue cleansing the system -

- the Combofix log (C:\ComboFix.txt)
- a HijackThis log
- the CCleaner Uninstall List (install.txt)

Edited by Simon V., 25 July 2008 - 11:08 AM.


#3 anotherdebbie (Topic Starter)

Posted 26 July 2008 - 04:30 AM

Thank you very much Simon for offering to help.

Prior to receiving your reply my Norton Antivirus finally kicked into action. It states that it identified and removed Trojan.Vundo and then the next day it advised that it has removed Infostealer. I am still getting pop ups from Norton telling me that it has blocked attempts by both Trojan.Vundo and Infostealer to access my computer so I guess something is still affecting things??

Anyway, I tried to follow your instructions. Everything was going well until I attempted to install the Windows Recovery Console. As I stated in my post, one of the things which has happened on my PC is that my disk drives are no longer recognised. Although I do have a Windows CD I can't use it, so instead I went the route of downloading the necessary file from Microsoft. This worked OK, but it was when I got to the point of dragging the file onto the ComboFix icon that I had problems. I first got the blue window with "Please wait. Combofix is preparing to run." then a small box came up headed 'CFScript Name Error' and it stated "Were you trying to run CFScript? The name, CFScript appears to be incorrectly spelt.". As a result this stage of your instructions wasn't completed. I tried a few times without luck. As you can see on the results of the ComboFix scan (below) I still do not have the recovery console installed.

I completed the other things you asked for.

Below is the Hijack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:28, on 26/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [90802bda] rundll32.exe "C:\WINDOWS\system32\hjvftdeg.dll",b
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141762545265
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mypixmania.com/uk/uk/importer/MypixUploader.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - https://www.tescophoto.com/wpp/tesco/app/opcuploader.cab
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 10057 bytes




Here is the ComboFix log:


ComboFix 08-07-24.6 - Debbie 2008-07-26 9:55:39.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.562 [GMT 1:00]
Running from: C:\Documents and Settings\Debbie\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM93b31846.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\bvyjojmo.ini
C:\WINDOWS\system32\bwgvixok.dll
C:\WINDOWS\SYSTEM32\cIhiQqss.ini
C:\WINDOWS\SYSTEM32\cIhiQqss.ini2
C:\WINDOWS\system32\etdifmon.dll
C:\WINDOWS\SYSTEM32\FPprsBeg.ini
C:\WINDOWS\SYSTEM32\FPprsBeg.ini2
C:\WINDOWS\system32\gedtfvjh.ini
C:\WINDOWS\system32\hhgnpiqx.dll
C:\WINDOWS\system32\hobduepq.ini
C:\WINDOWS\system32\ieiguhbo.ini
C:\WINDOWS\SYSTEM32\iiPsAJlm.ini
C:\WINDOWS\SYSTEM32\iiPsAJlm.ini2
C:\WINDOWS\system32\iuoyvfkb.ini
C:\WINDOWS\system32\kjdxsyrb.ini
C:\WINDOWS\system32\koigcatr.dll
C:\WINDOWS\system32\lepxapmt.dll
C:\WINDOWS\system32\mardlrnm.ini
C:\WINDOWS\system32\mgkekwsj.dll
C:\WINDOWS\system32\mphodoid.dll
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\SYSTEM32\MVDeOXbc.ini
C:\WINDOWS\SYSTEM32\MVDeOXbc.ini2
C:\WINDOWS\SYSTEM32\NXwvDcdd.ini
C:\WINDOWS\SYSTEM32\NXwvDcdd.ini2
C:\WINDOWS\system32\olnegulb.dll
C:\WINDOWS\system32\pgtycdvq.ini
C:\WINDOWS\system32\psjajtim.dll
C:\WINDOWS\system32\qjsdhxgt.dll
C:\WINDOWS\system32\shdnyjux.dll
C:\WINDOWS\system32\sklcqpbv.ini
C:\WINDOWS\system32\tcxspjee.ini
C:\WINDOWS\system32\tianflwm.dll
C:\WINDOWS\SYSTEM32\UtCIkUvw.ini
C:\WINDOWS\SYSTEM32\UtCIkUvw.ini2
C:\WINDOWS\system32\vgcteqtf.ini
C:\WINDOWS\SYSTEM32\vuBKlnpo.ini
C:\WINDOWS\SYSTEM32\vuBKlnpo.ini2
C:\WINDOWS\system32\vwkkxlom.ini
C:\WINDOWS\system32\xmihpxap.ini
C:\WINDOWS\system32\xqgrcopr.ini
C:\WINDOWS\system32\xthppdmo.ini

.
((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-25 18:05 . 2008-07-25 18:05 <DIR> d-------- C:\Program Files\CCleaner
2008-07-24 21:50 . 2008-04-29 11:33 16,952 --------- C:\WINDOWS\SYSTEM32\DRIVERS\RkPavproc1.sys
2008-07-24 21:48 . 2008-07-24 21:48 <DIR> d-------- C:\Program Files\Panda Security
2008-07-24 21:48 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-07-24 21:39 . 2008-07-24 21:47 <DIR> d-------- C:\Documents and Settings\Debbie\Application Data\HouseCall 6.6
2008-07-23 18:18 . 2008-07-23 18:18 81,408 --a------ C:\WINDOWS\SYSTEM32\hjvftdeg.dll
2008-07-23 18:11 . 2008-07-23 18:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-23 18:08 . 2008-07-23 18:08 <DIR> d-------- C:\Deckard
2008-07-20 08:47 . 2008-07-20 08:47 <DIR> d-------- C:\Program Files\Java
2008-07-20 08:47 . 2008-07-20 08:47 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-07-20 08:45 . 2008-07-20 08:47 410,976 --a------ C:\WINDOWS\SYSTEM32\deploytk.dll
2008-07-18 06:43 . 2008-07-18 06:43 78,336 --a------ C:\WINDOWS\SYSTEM32\eejpsxct.dll
2008-07-17 21:42 . 2008-07-17 21:28 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-07-17 21:27 . 2008-07-18 18:30 <DIR> d-------- C:\Documents and Settings\Debbie\.housecall6.6
2008-07-10 21:25 . 2008-07-24 16:47 110,451 --a------ C:\WINDOWS\BM93b31846.xml
2008-07-10 20:30 . 2008-07-10 20:30 <DIR> d-------- C:\Program Files\PocketRAR
2008-07-08 19:14 . 2008-07-08 19:14 <DIR> d-------- C:\Program Files\SiSoftware
2008-07-07 08:59 . 2008-07-07 08:59 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Talkback
2008-07-06 19:23 . 2008-07-06 19:23 <DIR> d-------- C:\WINDOWS\SYSTEM32\Dell
2008-07-06 14:19 . 2008-07-06 14:19 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2008-07-06 14:19 . 2008-07-06 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-07-06 14:10 . 2008-07-06 14:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\Adobe
2008-07-06 12:52 . 2008-07-06 12:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-07-06 12:52 . 2008-07-06 12:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-07-06 12:52 . 2008-07-06 12:52 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-06 12:24 . 2008-04-14 01:12 1,306,624 --a------ C:\WINDOWS\SYSTEM32\msxml6.dll
2008-07-06 12:23 . 2008-04-14 01:11 233,472 --a------ C:\WINDOWS\SYSTEM32\azroles.dll
2008-07-06 12:23 . 2008-04-14 01:11 136,192 --a------ C:\WINDOWS\SYSTEM32\aaclient.dll
2008-07-06 12:23 . 2008-04-14 01:11 7,168 --a------ C:\WINDOWS\SYSTEM32\bitsprx4.dll
2008-07-05 15:24 . 2008-07-05 16:00 <DIR> d-------- C:\Program Files\RegCure
2008-07-05 13:49 . 2008-07-05 13:49 2 --a------ C:\WINDOWS\msoffice.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 09:01 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-26 05:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-25 19:15 --------- d-----w C:\Program Files\Google
2008-07-25 19:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-19 13:21 --------- d-----w C:\Program Files\Ubisoft
2008-07-06 18:23 --------- d-----w C:\Program Files\Dell
2008-07-06 13:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-05 13:07 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-07-05 13:07 --------- d-----w C:\Documents and Settings\Debbie\Application Data\Teleca
2008-07-05 13:05 --------- d-----w C:\Program Files\Atari
2008-07-05 12:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-07-05 12:53 --------- d-----w C:\Program Files\McDonaldsDragons
2008-07-05 12:50 --------- d-----w C:\Program Files\Yahoo!
2008-07-05 12:50 --------- d-----w C:\Program Files\SpywareBot
2008-07-05 12:50 --------- d-----w C:\Program Files\Modem Helper
2008-07-05 12:50 --------- d-----w C:\Program Files\DivX
2008-07-05 12:49 --------- d-----w C:\Program Files\Common Files\AOL
2008-07-05 12:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\SYSTEM32\mswsock.dll
2008-06-20 17:46 245,248 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\mswsock.dll
2008-06-20 17:46 147,968 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\dnsapi.dll
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:51 361,600 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:40 138,496 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-20 11:08 225,856 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\tcpip6.sys
2008-06-15 14:58 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-13 13:45 579,464 ----a-w C:\WINDOWS\SYSTEM32\SymNeti.dll
2008-06-13 13:45 207,240 ----a-w C:\WINDOWS\SYSTEM32\SymRedir.dll
2008-06-13 13:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 13:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 13:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 13:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 13:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 13:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 13:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 13:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 13:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 13:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 11:05 272,128 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-06-03 07:15 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-03 07:15 60,800 ----a-w C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2008-06-03 07:15 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-03 07:15 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-03 07:15 --------- d-----w C:\Program Files\Symantec
2008-05-09 10:53 90,112 ----a-w C:\WINDOWS\SYSTEM32\wshext.dll
2008-05-09 10:53 90,112 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wshext.dll
2008-05-09 10:53 512,000 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
2008-05-09 10:53 430,080 ----a-w C:\WINDOWS\SYSTEM32\vbscript.dll
2008-05-09 10:53 430,080 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\vbscript.dll
2008-05-09 10:53 180,224 ----a-w C:\WINDOWS\SYSTEM32\scrobj.dll
2008-05-09 10:53 180,224 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\scrobj.dll
2008-05-09 10:53 172,032 ----a-w C:\WINDOWS\SYSTEM32\scrrun.dll
2008-05-09 10:53 172,032 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\scrrun.dll
2008-05-08 14:02 203,136 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\rmcast.sys
2008-05-08 11:24 155,648 ----a-w C:\WINDOWS\SYSTEM32\wscript.exe
2008-05-08 11:24 155,648 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\wscript.exe
2008-05-07 09:07 135,168 ----a-w C:\WINDOWS\SYSTEM32\cscript.exe
2008-05-07 09:07 135,168 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\cscript.exe
2008-05-07 05:12 1,288,192 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll
2008-05-07 05:12 1,288,192 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\quartz.dll
2008-02-11 18:43 7,707 ----a-w C:\Program Files\FTW.ini
2007-01-07 18:17 3,525 ----a-w C:\Documents and Settings\Mark\Application Data\Install.dat
2006-03-12 17:58 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2005-11-16 17:31 35 ----a-w C:\Program Files\SCSSDist.ini
2005-09-09 19:55 7,155,864 ----a-w C:\Program Files\NGhost10.msi
2005-09-09 19:55 4,588,454 ----a-w C:\Program Files\setup.exe
2005-09-09 19:55 37,766,164 ----a-w C:\Program Files\Data1.cab
2004-10-07 20:52 83,385 ----a-w C:\Program Files\Uninst.isu
2004-10-07 20:52 10,824 ---ha-w C:\Program Files\Readme32.GID
2003-08-27 13:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IW_Drop_Icon"="C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2005-06-29 12:34 1346560]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-06 19:16 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 11:23 135168]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 02:18 57344]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2004-03-11 01:26 406016]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-17 20:54 1836544]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 05:53 714608]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15 290816]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04 122933]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 22:35 335872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-07-20 08:47 136600]
"90802bda"="C:\WINDOWS\system32\hjvftdeg.dll" [2008-07-23 18:18 81408]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-17 20:53:13 125624]
Microsoft Works Calendar Reminders.lnk - C:\WINDOWS\Installer\{f04aff5e-362e-11d3-81ab-00c04fb932ba}\4AA756BB.exe [2005-06-28 22:36:32 30720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\RpcAgentSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys [2004-09-01 15:50]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-07-20 08:47]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 14:15]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [2008-04-22 18:23]
R3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 22:32]
S3 cdiskdun;cdiskdun;C:\DOCUME~1\Debbie\LOCALS~1\Temp\cdiskdun.sys []
S3 cdrdrv;Cdrdrv;C:\WINDOWS\system32\Drivers\Cdrdrv.sys [2005-02-10 12:55]

*Newly Created Service* - CATCHME
*Newly Created Service* - COMHOST
*Newly Created Service* - PROCEXP90
.
Contents of the 'Scheduled Tasks' folder
"2008-07-21 21:54:28 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Debbie.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-07-26 08:01:50 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-07-17 05:01:46 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
- - - - ORPHANS REMOVED - - - -

BHO-{201730B6-BD69-436F-AD78-E986CD960B8D} - C:\WINDOWS\system32\geBsrpPF.dll
MSConfigStartUp-CTFMON - (no file)


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.google.co.uk/
R0 -: HKCU-Main,SearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
R0 -: HKLM-Main,Start Page = hxxp://www.dell.co.uk/myway
R1 -: HKCU-Internet Connection Wizard,ShellNext = iexplore
R1 -: HKCU-Internet Settings,ProxyOverride = 127.0.0.1
R1 -: HKCU-SearchURL,(Default) = hxxp://www.google.com/search?q=%s
O8 -: Add to Google Photos Screensa&ver - C:\WINDOWS\system32\GPhotos.scr/200
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 10:01:40
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-26 10:04:49
ComboFix-quarantined-files.txt 2008-07-26 09:03:40

Pre-Run: 167,049,863,168 bytes free
Post-Run: 167,369,650,176 bytes free

274 --- E O F --- 2008-07-10 06:06:48




and finally here is the CCleaner Uninstall List:

Adobe Flash Player ActiveX
Adobe Photoshop Elements 4.0
Adobe Reader 8.1.2
Adobe Shockwave Player 11
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
Broadcom Advanced Control Suite 2
Canon Camera Support Core Library
Canon Camera Window for ZoomBrowser EX
Canon Internet Library for ZoomBrowser EX
Canon MovieEdit Task for ZoomBrowser EX
Canon MP Drivers
Canon MP Toolbox 4.1.1.0.mp10
Canon PhotoRecord
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
CCleaner (remove only)
Cypress USB Mass Storage Driver Installation
day
Dell Media Experience
Dell Solution Center
Dell System Restore
Disney's Winnie the Pooh Toddler
DivX
DivX Content Uploader
DivX Web Player
Dora Backpack
Dora the Explorer - Lost City
Driver Detective
Family Tree Maker 6.0
Google Desktop
Google Earth
Google Photos Screensaver
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
HouseCall 6.6
Intel Application Accelerator
Intel® 537EP V9x DF PCI Modem
Japanese Fonts Support For Adobe Reader 8
Java™ 6 Update 10
Learn2 Player (Uninstall Only)
Learning Ladder Preschool
LEGO Racers 2
LEGO Stunt Rally
Little Robots - Making Friends
LiveUpdate (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Lizardtech DjVu Control (autoinstall)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Home Publishing 2000
Microsoft Office Basic Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Event Monitor
Modem Helper
Modem On Hold
Mozilla Firefox (2.0.0.11)
MSN Music Assistant
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Network Play System (Patching)
Norton Internet Security (Symantec Corporation)
Norton Security Scan
Panda ActiveScan 2.0
Pinnacle Hollywood FX for Studio
Pinnacle Instant DVD Recorder
Pinnacle Studio MediaSuite
Pocket RAR documentation
PowerDVD 5.1
proDAD Heroglyph 2.0
QuickTime
RealPlayer
RegCure 1.5.0.1
SiSoftware Sandra Lite XII.SP2c
SmartSound Quicktracks Plugin
Sonic DLA
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
Studio 10
Studio 10 Bonus DVD
Symantec Technical Support Web Controls
The Movies™
The Sims
Thomas Saves the Day
USB Storage Adapter FX (SM1)
WaveLab Lite
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11

#4 Simon V.

Simon V.

  • Members
  • 439 posts
  • OFFLINE
  • Gender:Male
  • Local time:02:30 AM

Posted 26 July 2008 - 11:04 AM

Hi :thumbsup:

downloading the necessary file from Microsoft.

What file did you download? Was it called WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe or similar? If it wasn't, please try again using the correct file.

After that, follow these instructions -

Step 1

Open Notepad (Go to Start > Run, type Notepad and hit Enter), and copy/paste the text in the quotebox below into it:

File::

C:\WINDOWS\SYSTEM32\hjvftdeg.dll
C:\WINDOWS\SYSTEM32\eejpsxct.dll
C:\WINDOWS\BM93b31846.xml

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"90802bda"=-

Driver::

cdiskdun

Click on File > Save as....

In the File Name box, copy/paste CFScript.txt (Note: Do not change the filename!)

Click Save (Save the CFScript in the same location as Combofix.exe)

Close any open windows.

Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Posted Image

Referring to the picture above, drag CFScript into ComboFix.exe.
It will create a log. Be sure to save it to a convenient location.

Step 2

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • You can also access the log by doing the following:
  • Click on the Malwarebytes' Anti-Malware icon to launch the program.
  • Click on the Logs tab.
  • Click on the log at the bottom of those listed to highlight it.
  • Click Open.
Step 3

In your next reply, please post:
  • the Combofix log (C:\Combofix.txt)
  • the Malwarebytes' Anti-Malware log
  • a new HijackThis log

Simon V.


So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

My help at this forum is free, but if you wish to make a donation to help me continue the fight against malware - click here.
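The entry Simon V. targets with the CFScript above, the `[90802bda] rundll32.exe "C:\WINDOWS\system32\hjvftdeg.dll",b` Run value, is a typical Vundo loader pattern: a value name that is just hex digits, rundll32 loading a DLL with a randomly generated eight-letter name out of system32, called through a one-letter export. The script below is an added example, not code from this thread, from HijackThis or from ComboFix. It parses O4 lines as they appear in the log posted earlier, scores each Run value with that heuristic, and drafts a CFScript in the `File::`/`Registry::` layout shown in the reply. The sample lines are a constructed subset of the posted log, and the scoring weights, the threshold and all function names are this example's own choices; a drafted script is a starting point for a human to review, not something to run unread.

```python
"""Triage O4 (Run-key) lines from a HijackThis log and draft a ComboFix CFScript
for entries that look like Vundo-style rundll32 loaders.

Added example, not part of the forum thread nor of the HijackThis/ComboFix tools.
The heuristic, its weights and the function names are assumptions of this example.
"""
import re

# Constructed sample: a subset of the O4 lines from the HijackThis log posted above.
SAMPLE_HJT_LINES = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [90802bda] rundll32.exe "C:\WINDOWS\system32\hjvftdeg.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
""".strip().splitlines()

# "O4 - HKLM\..\Run: [name] command" as HijackThis prints it.
RUN_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# rundll32 [path\]name.dll[,export]; the DLL path may be quoted.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?\s*(?:,\s*(?P<export>\S+))?',
                       re.IGNORECASE)
HEXNAME_RE = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)   # value name like 90802bda
RANDOM_STEM_RE = re.compile(r'^[a-z]{8}$')                # DLL stem like hjvftdeg

HIVE_PATH = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}


def score_entry(name, cmd):
    """Return (score, reasons, dll_path) for one Run value; dll_path is None if no rundll32."""
    score, reasons, dll = 0, [], None
    if HEXNAME_RE.match(name):
        score += 2
        reasons.append("value name is eight hex digits rather than a product name")
    m = RUNDLL_RE.search(cmd)
    if m:
        dll = m.group("dll")
        stem = dll.rsplit("\\", 1)[-1][:-4].lower()      # basename without '.dll'
        if RANDOM_STEM_RE.match(stem):
            score += 2
            reasons.append("rundll32 loads a DLL with a random-looking eight-letter name")
        export = m.group("export")
        if "\\system32\\" in dll.lower() and export and len(export) == 1:
            score += 1
            reasons.append("DLL lives in system32 and is entered through a one-letter export")
    return score, reasons, dll


def triage(lines, threshold=3):
    """Parse O4 lines and return the entries whose score reaches the threshold."""
    flagged = []
    for line in lines:
        m = RUN_RE.match(line.strip())
        if not m:
            continue
        score, reasons, dll = score_entry(m["name"], m["cmd"])
        if score >= threshold:
            flagged.append({"hive": m["hive"], "name": m["name"], "dll": dll,
                            "score": score, "reasons": reasons})
    return flagged


def build_cfscript(flagged):
    """Draft a CFScript in the File:: / Registry:: layout used in the reply above."""
    out = ["File::", ""]
    out += [e["dll"] for e in flagged if e["dll"]]
    out += ["", "Registry::", ""]
    for e in flagged:
        out.append("[" + HIVE_PATH[e["hive"]] + "\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
        out.append('"' + e["name"] + '"=-')
        out.append("")
    return "\n".join(out).rstrip() + "\n"


if __name__ == "__main__":
    hits = triage(SAMPLE_HJT_LINES)
    for e in hits:
        print(f"[{e['hive']}] {e['name']} -> {e['dll']} (score {e['score']})")
        for r in e["reasons"]:
            print("   -", r)
    print()
    print(build_cfscript(hits))
```

Run on the sample, only the `90802bda` value is flagged (score 5 of a possible 5), while the legitimate Symantec, Pinnacle, Java and ctfmon entries score 0; the drafted script lists `C:\WINDOWS\system32\hjvftdeg.dll` under `File::` and deletes the value with `"90802bda"=-` under the HKLM Run key, which is the same shape as the reply's CFScript.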

#5 anotherdebbie

anotherdebbie
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:30 AM

Posted 26 July 2008 - 04:58 PM

Everything worked fine this time. I'm no longer getting adverts popping up when opening Internet Explorer.

Below are the logs you asked me to run.


Hijack This Log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:53:43, on 26/07/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.co.uk/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\\PSDrvCheck.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [IW_Drop_Icon] C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe /DropDisc
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0E8D0700-75DF-11D3-8B4A-0008C7450C4A} (DjVuCtl Class) - http://www.lizardtech.com/download/files/w...ntrol_en_US.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1141762545265
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://www.mypixmania.com/uk/uk/importer/MypixUploader.cab
O16 - DPF: {BF6BBE9A-0656-4598-A0CD-32DAC03959B5} (Image Uploader 3.0 Control) - https://www.tescophoto.com/wpp/tesco/app/opcuploader.cab
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: SiSoftware Deployment Agent Service (SandraAgentSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 9870 bytes


Malware Log:


Malwarebytes' Anti-Malware 1.23
Database version: 996
Windows 5.1.2600 Service Pack 3

22:52:09 26/07/2008
mbam-log-7-26-2008 (22-52-09).txt

Scan type: Quick Scan
Objects scanned: 45820
Time elapsed: 6 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\SpywareBot (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\HOSTS Backups (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings (Rogue.SpywareBot) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\SpywareBot\DataBaseNew.ref (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\HOSTS Backups\2007-1-7-1168182901_hosts (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2007_01_07_15_14_28.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2007_01_07_15_14_29.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2007_01_07_18_14_59.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2007_01_07_18_16_48.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2007_01_07_18_17_25.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2007_01_07_18_17_26.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2007_01_07_18_19_41.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2007_01_08_09_01_54.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2007_01_08_18_18_22.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2007_01_09_08_10_01.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2007_01_11_14_32_33.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Log\log_2007_01_12_19_40_14.log (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings\CustomScan.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings\IgnoreList.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings\ScanInfo.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings\ScanResults.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings\SelectedFolders.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\SpywareBot\Settings\Settings.stg (Rogue.SpywareBot) -> Quarantined and deleted successfully.
C:\Program Files\setup.exe (Rogue.Installer) -> Quarantined and deleted successfully.

Combo Fix Log:

ComboFix 08-07-24.6 - Debbie 2008-07-26 22:23:53.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.544 [GMT 1:00]
Running from: C:\Documents and Settings\Debbie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Debbie\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM93b31846.xml
C:\WINDOWS\SYSTEM32\eejpsxct.dll
C:\WINDOWS\SYSTEM32\hjvftdeg.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Mark\Application Data\Install.dat
C:\WINDOWS\SYSTEM32\eejpsxct.dll
C:\WINDOWS\SYSTEM32\hjvftdeg.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_CDISKDUN
-------\Service_cdiskdun


((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-25 18:05 . 2008-07-25 18:05 <DIR> d-------- C:\Program Files\CCleaner
2008-07-24 21:50 . 2008-04-29 11:33 16,952 --------- C:\WINDOWS\SYSTEM32\DRIVERS\RkPavproc1.sys
2008-07-24 21:48 . 2008-07-24 21:48 <DIR> d-------- C:\Program Files\Panda Security
2008-07-24 21:48 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\pavboot.sys
2008-07-24 21:39 . 2008-07-24 21:47 <DIR> d-------- C:\Documents and Settings\Debbie\Application Data\HouseCall 6.6
2008-07-23 18:11 . 2008-07-23 18:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-23 18:08 . 2008-07-23 18:08 <DIR> d-------- C:\Deckard
2008-07-20 08:47 . 2008-07-20 08:47 <DIR> d-------- C:\Program Files\Java
2008-07-20 08:47 . 2008-07-20 08:47 73,728 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-07-20 08:45 . 2008-07-20 08:47 410,976 --a------ C:\WINDOWS\SYSTEM32\deploytk.dll
2008-07-17 21:42 . 2008-07-17 21:28 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-07-17 21:27 . 2008-07-18 18:30 <DIR> d-------- C:\Documents and Settings\Debbie\.housecall6.6
2008-07-10 20:30 . 2008-07-10 20:30 <DIR> d-------- C:\Program Files\PocketRAR
2008-07-08 19:14 . 2008-07-08 19:14 <DIR> d-------- C:\Program Files\SiSoftware
2008-07-07 08:59 . 2008-07-07 08:59 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Talkback
2008-07-06 19:23 . 2008-07-06 19:23 <DIR> d-------- C:\WINDOWS\SYSTEM32\Dell
2008-07-06 14:19 . 2008-07-06 14:19 <DIR> d-------- C:\Program Files\PC Drivers HeadQuarters
2008-07-06 14:19 . 2008-07-06 14:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Drivers HeadQuarters
2008-07-06 14:10 . 2008-07-06 14:10 <DIR> d-------- C:\WINDOWS\SYSTEM32\Adobe
2008-07-06 12:52 . 2008-07-06 12:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\scripting
2008-07-06 12:52 . 2008-07-06 12:52 <DIR> d-------- C:\WINDOWS\SYSTEM32\en
2008-07-06 12:52 . 2008-07-06 12:52 <DIR> d-------- C:\WINDOWS\l2schemas
2008-07-06 12:24 . 2008-04-14 01:12 1,306,624 --a------ C:\WINDOWS\SYSTEM32\msxml6.dll
2008-07-06 12:23 . 2008-04-14 01:11 233,472 --a------ C:\WINDOWS\SYSTEM32\azroles.dll
2008-07-06 12:23 . 2008-04-14 01:11 136,192 --a------ C:\WINDOWS\SYSTEM32\aaclient.dll
2008-07-06 12:23 . 2008-04-14 01:11 7,168 --a------ C:\WINDOWS\SYSTEM32\bitsprx4.dll
2008-07-05 15:24 . 2008-07-05 16:00 <DIR> d-------- C:\Program Files\RegCure
2008-07-05 13:49 . 2008-07-05 13:49 2 --a------ C:\WINDOWS\msoffice.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 21:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-07-26 20:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-07-26 20:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
2008-07-25 19:15 --------- d-----w C:\Program Files\Google
2008-07-19 13:21 --------- d-----w C:\Program Files\Ubisoft
2008-07-06 18:23 --------- d-----w C:\Program Files\Dell
2008-07-06 13:20 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-05 13:07 --------- d-----w C:\Program Files\Common Files\Teleca Shared
2008-07-05 13:07 --------- d-----w C:\Documents and Settings\Debbie\Application Data\Teleca
2008-07-05 13:05 --------- d-----w C:\Program Files\Atari
2008-07-05 12:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Napster
2008-07-05 12:53 --------- d-----w C:\Program Files\McDonaldsDragons
2008-07-05 12:50 --------- d-----w C:\Program Files\Yahoo!
2008-07-05 12:50 --------- d-----w C:\Program Files\SpywareBot
2008-07-05 12:50 --------- d-----w C:\Program Files\Modem Helper
2008-07-05 12:50 --------- d-----w C:\Program Files\DivX
2008-07-05 12:49 --------- d-----w C:\Program Files\Common Files\AOL
2008-07-05 12:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL
2008-06-20 11:51 361,600 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 11:40 138,496 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 11:08 225,856 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-15 14:58 --------- d-----w C:\Program Files\microsoft frontpage
2008-06-13 13:14 31,280 ----a-w C:\WINDOWS\system32\drivers\SymIM.sys
2008-06-13 13:14 13,093 ----a-w C:\WINDOWS\system32\drivers\SymRedir.cat
2008-06-13 13:14 1,611 ----a-w C:\WINDOWS\system32\drivers\SymRedir.inf
2008-06-13 13:13 96,432 ----a-w C:\WINDOWS\system32\drivers\symfw.sys
2008-06-13 13:13 41,008 ----a-w C:\WINDOWS\system32\drivers\symndisv.sys
2008-06-13 13:13 38,576 ----a-w C:\WINDOWS\system32\drivers\symids.sys
2008-06-13 13:13 37,424 ----a-w C:\WINDOWS\system32\drivers\symndis.sys
2008-06-13 13:13 22,320 ----a-w C:\WINDOWS\system32\drivers\symredrv.sys
2008-06-13 13:13 184,240 ----a-w C:\WINDOWS\system32\drivers\symtdi.sys
2008-06-13 13:13 13,616 ----a-w C:\WINDOWS\system32\drivers\symdns.sys
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-03 07:15 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-06-03 07:15 123,952 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-06-03 07:15 10,671 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-06-03 07:15 --------- d-----w C:\Program Files\Symantec
2008-02-11 18:43 7,707 ----a-w C:\Program Files\FTW.ini
2006-03-12 17:58 32 ----a-r C:\Documents and Settings\All Users\hash.dat
2005-11-16 17:31 35 ----a-w C:\Program Files\SCSSDist.ini
2005-09-09 19:55 7,155,864 ----a-w C:\Program Files\NGhost10.msi
2005-09-09 19:55 4,588,454 ----a-w C:\Program Files\setup.exe
2005-09-09 19:55 37,766,164 ----a-w C:\Program Files\Data1.cab
2004-10-07 20:52 83,385 ----a-w C:\Program Files\Uninst.isu
2004-10-07 20:52 10,824 ---ha-w C:\Program Files\Readme32.GID
2003-08-27 13:19 36,963 ----a-r C:\Program Files\Common Files\SM1updtr.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-26_10.03.21.82 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-10-20 19:02:28 163,328 ----a-w C:\WINDOWS\ERDNT\subs\ERDNT.EXE
+ 2008-07-26 21:27:27 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_2e8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IW_Drop_Icon"="C:\Program Files\Pinnacle\InstantCDDVD\InstantWrite\iwctrl.exe" [2005-06-29 12:34 1346560]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-06 19:16 68856]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01 110592]
"SM1BG"="C:\WINDOWS\SM1BG.EXE" [2003-08-27 14:20 94208]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12 221184]
"IAAnotif"="C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe" [2004-06-29 11:23 135168]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 02:18 57344]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 17:41 45056]
"PinnacleDriverCheck"="C:\WINDOWS\system32\\PSDrvCheck.exe" [2004-03-11 01:26 406016]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-17 20:54 1836544]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-25 05:53 714608]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2004-04-11 20:15 290816]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04 122933]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-25 22:35 335872]
"SunJavaUpdateSched"="C:\Program Files\Java\jre6\bin\jusched.exe" [2008-07-20 08:47 136600]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-07-17 20:53:13 125624]
Microsoft Works Calendar Reminders.lnk - C:\WINDOWS\Installer\{f04aff5e-362e-11d3-81ab-00c04fb932ba}\4AA756BB.exe [2005-06-28 22:36:32 30720]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= vdrcodec.dll
"VIDC.MJPG"= Pvmjpg30.dll
"VIDC.PIM1"= pclepim1.dll
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task
HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\RpcAgentSrv.exe"=
"C:\\Program Files\\SiSoftware\\SiSoftware Sandra Lite XII.SP2c\\WNt500x86\\RpcSandraSrv.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys [2004-09-01 15:50]
R2 JavaQuickStarterService;Java Quick Starter;C:\Program Files\Java\jre6\bin\jqs.exe [2008-07-20 08:47]
R2 LiveUpdate Notice;LiveUpdate Notice;C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe [2008-01-31 14:15]
R2 SandraAgentSrv;SiSoftware Deployment Agent Service;C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII.SP2c\RpcAgentSrv.exe [2008-04-22 18:23]
S3 cdrdrv;Cdrdrv;C:\WINDOWS\system32\Drivers\Cdrdrv.sys [2005-02-10 12:55]
S3 COH_Mon;COH_Mon;C:\WINDOWS\system32\Drivers\COH_Mon.sys [2008-03-06 22:32]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-07-21 21:54:28 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Debbie.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
"2008-07-26 21:28:12 C:\WINDOWS\Tasks\RegCure Program Check.job"
- C:\Program Files\RegCure\RegCure.exe
"2008-07-17 05:01:46 C:\WINDOWS\Tasks\RegCure.job"
- C:\Program Files\RegCure\RegCure.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 22:28:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Intel\Intel Application Accelerator\IAANTmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
.
**************************************************************************
.
Completion time: 2008-07-26 22:38:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-07-26 21:37:56
ComboFix2.txt 2008-07-26 21:09:19
ComboFix3.txt 2008-07-26 09:04:50

Pre-Run: 167,813,361,664 bytes free
Post-Run: 167,720,730,624 bytes free

210 --- E O F --- 2008-07-10 06:06:48
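As an added illustration for readers triaging logs like the ones above (this script is not part of the thread and is not code from HijackThis, ComboFix or Malwarebytes): a small Python helper that reads HijackThis/ComboFix-style log text and flags the items that actually mattered in this case, namely eight-letter randomly named DLLs sitting directly in system32 (the two files ComboFix deleted), the BM<hex>.xml file ComboFix removed alongside them, and the Security Center and Windows Firewall registry values ComboFix printed. The sample text embedded in the script is constructed from lines in the logs above; the consonant-run heuristic for "random" names and the names Finding, triage, summarize and longest_consonant_run are my own. The registry hits are reported for a human to check rather than as proof of tampering: a third-party firewall such as the Norton one in this log legitimately turns the Windows Firewall profile off, and DisableMonitoring under a vendor subkey is often set by the AV product itself.

```python
"""Triage of HijackThis / ComboFix text logs for the indicators seen in this thread.

Added example for this thread; not part of HijackThis, ComboFix or Malwarebytes.
Finding, triage, summarize and longest_consonant_run are names chosen here.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: lines copied or adapted from the logs posted above, plus
# one legitimate Java DLL (deploytk.dll) to show the name heuristic does not
# fire on every eight-letter file in system32.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
C:\WINDOWS\BM93b31846.xml
C:\WINDOWS\SYSTEM32\eejpsxct.dll
C:\WINDOWS\SYSTEM32\hjvftdeg.dll
2008-07-20 08:45 . 2008-07-20 08:47 410,976 --a------ C:\WINDOWS\SYSTEM32\deploytk.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-31 14:15 51048]
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # short tag for the indicator class
    detail: str  # the log line or registry value that triggered it


_SECTION = re.compile(r"^\[(.+)\]$")                      # [HKEY_...] header in a REGEDIT4 dump
_VALUE = re.compile(r'^"([^"]+)"\s*=\s*(.+?)\s*$')          # "Name"=value
_SYS32_DLL = re.compile(r"\\system32\\([a-z]{8})\.dll(?![\w.])", re.IGNORECASE)
_BM_XML = re.compile(r"\\windows\\bm[0-9a-f]{8}\.xml(?![\w.])", re.IGNORECASE)
# Windows XP SP2 Security Center values that silence its warnings.
_NOTIFY_KEYS = {"AntiVirusDisableNotify", "FirewallDisableNotify", "UpdatesDisableNotify"}


def longest_consonant_run(name: str) -> int:
    """Random letter strings (eejpsxct, hjvftdeg) have long consonant runs;
    real names such as deploytk rarely exceed three in a row."""
    run = best = 0
    for ch in name:
        run = 0 if ch in "aeiou" else run + 1
        best = max(best, run)
    return best


def _as_int(value: str) -> Optional[int]:
    """Interpret 'dword:00000001' or '0 (0x0)' as an integer; None for strings."""
    if value.lower().startswith("dword:"):
        return int(value[6:], 16)
    m = re.match(r"\d+", value)
    return int(m.group()) if m else None


def triage(log_text: str) -> List[Finding]:
    """Walk the log once and collect indicator hits in log order."""
    findings: List[Finding] = []
    section = ""  # registry key currently open in a [..] block, lowercased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1).lower()
            continue

        # File-path indicators: checked on every line, whatever its origin.
        m = _SYS32_DLL.search(line)
        if m and m.group(1).islower() and longest_consonant_run(m.group(1)) >= 4:
            findings.append(Finding("random-dll-system32", line))
        if _BM_XML.search(line):
            findings.append(Finding("bm-xml-windows", line))

        # Registry-value indicators: only meaningful under the right key.
        m = _VALUE.match(line)
        if not m:
            continue
        name, value = m.group(1), _as_int(m.group(2))
        if section.endswith("\\security center") and name in _NOTIFY_KEYS and value == 1:
            findings.append(Finding("security-center-notify-off", f"{name}=1"))
        elif "\\security center\\monitoring" in section and name == "DisableMonitoring" and value == 1:
            findings.append(Finding("security-center-monitoring-off", f"{section}: {name}=1"))
        elif "firewallpolicy" in section and name == "EnableFirewall" and value == 0:
            findings.append(Finding("windows-firewall-off", f"{section}: {name}=0"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per indicator class."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind:32} {f.detail}")
```

Run it against the full text of a ComboFix or HijackThis log and treat the output as a worklist, not a verdict: a random-looking DLL in system32 is worth submitting to an online scanner or a helper, and the registry hits are worth confirming against which security product is actually installed.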

#6 Simon V.

Posted 27 July 2008 - 07:37 AM

Hi :thumbsup:

Congratulations, your log looks clean. Please advise of any problems you are still experiencing, or follow these simple steps to keep your computer clean in the future:

Click Start then Run....
  • Type Combofix /u in the runbox and click OK. (Note: The space between the x and the /u needs to be there)

  • This will uninstall Combofix.
Make your Internet Explorer More Secure - Please read and follow the recommendations at this site - http://surfthenetsafely.com/ieseczone8.htm

Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

Install WinPatrol - An excellent startup manager, notifies you if programs are added to startup, allows delayed startup, ... A must have! An installation guide can be found here: http://www.winpatrol.com/download.html

Malwarebytes' Anti-Malware - You should scan your computer with the program on a regular basis just as you would with your anti-virus software.

Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A tutorial can be found here: http://www.bleepingcomputer.com/tutorials/use-spywareblaster-to-protect-your-computer/

Update All Your Security Programs Regularly - Make sure you update all your security programs (Anti-Virus, Firewall, Anti-Spyware) regularly (once a week, at least). Without regular updates you WILL NOT be protected when new malicious programs are released.

You can also read this excellent article by TonyKlein: So how did I get infected in the first place?

Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted! - Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints: Malware Complaints. You have to be registered to post. After registering just find your country room and register your complaint. The infection you had was Vundo (Virtumundo).
Simon V.


So How Did I Get Infected In The First Place?
Stand Up and Be Counted!

My help at this forum is free, but if you wish to make a donation to help me continue the fight against malware - click here.

#7 Simon V.

Posted 30 July 2008 - 12:27 PM

Since this issue appears to be resolved ... this topic has been closed. Glad we could be of assistance.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a new topic.