
Antivirus Xp2008-related Problem I Think


12 replies to this topic

#1 philipsaxon

  • Members
  • 8 posts

Posted 17 September 2008 - 04:33 AM

Hi,

I think I might have a version of the Antivirus XP2008 malware, which I know is fairly common. I didn't make the mistake of accepting the installation; however, I have since had problems which started with:

1. pop-ups asking me to confirm installation of the software
2. changing background to a warning about my computer containing spyware

I ran Spybot and Ad-Aware, which didn't seem to pick up much, and rebooted.
Now when I gain access to my user profile I can't click on anything (although the cursor moves), and nothing happens with keyboard presses either.

I have got the computer into safe mode and tried to run Spybot again, but it is still not picking anything up.

I downloaded SuperAntiSpyware, but when I try to install I get a "the system administrator has set policies to prevent this installation" message. This is also true if I try to install the latest version of Ad-Aware.

I also noticed that I cannot gain any access to the My Documents folder of the profile which was infected. I have since managed to reclaim access, but I don't really know where to go from here.

Any advice would be much appreciated as I am writing a thesis at the moment and really need to have things back to normal.

I have run Hijack This and pasted below is the associated file. I know I am meant to do this in 'normal mode' but I can't as I can't click on anything so I have run it in safe mode. Thanks for any help!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:52:55, on 12/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/games/common/ieell.cab
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.co.uk/s/v/30.62/uploader2.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/199a88fc681c50...ip/RdxIE601.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144747706390
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/s...er/PROFILER.CAB
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Airgo Networks NIC Service (ANISERVICE) - Airgo Networks, Inc. - C:\WINDOWS\System32\aniServ.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe



#2 Joe - London

  • Security Colleague
  • 327 posts
  • Gender:Male
  • Location:UK

Posted 17 September 2008 - 07:20 AM

Hi philipsaxon,

Unfortunately I can't tell much from that restricted log.

Open Hijackthis, take another scan and place a checkmark next to these entries.


O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/199a88fc681c50...ip/RdxIE601.cab


Close all open windows except Hijackthis and click on "Fix Checked".

Reboot the Computer.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review. (Normal Mode if possible)
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Open Hijackthis,
Click Config | Misc Tools | Open Uninstall Manager.
A list of the entries in Add/remove programs will appear.
Click on Save List...
The list will be saved as 'Uninstall_list.txt'
Copy & Paste the contents in your next reply.

Joe.
If I have helped you in any way, please consider a donation:
Member of UNITE and ASAP.
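Joe's reply picks two entries out of the posted log: a BHO whose DLL is gone ("(no file)") and an O16 ActiveX download (DPF) that carries a GUID but no friendly class name. The short Python script below is an added example, not a tool from this thread, from HijackThis, or from BleepingComputer: it parses lines in the same layout as the logs posted above, reports the boot mode (a safe-mode log is the "restricted log" Joe mentions), and produces a review list using two heuristics of my own (orphaned registry entries that end in "(no file)"/"(file missing)", and unnamed O16 DPF entries). The sample log is constructed from a few lines of the thread's own logs; the flagged list is a triage aid for a reviewer, not a list of things to delete.

```python
import re
from dataclasses import dataclass

# Constructed sample: header plus a handful of entries in the layout of the
# HijackThis v2.0.2 logs posted in this thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:52:55, on 12/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/199a88fc681c50...ip/RdxIE601.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
"""


@dataclass
class Entry:
    section: str  # "R0", "O2", "O16", ... (the HijackThis item type)
    body: str     # everything after "<section> - "


# Numbered entries look like "O2 - BHO: ..." or "R1 - HKCU\...".
LINE_RE = re.compile(r"^([RO]\d+) - (.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


def parse_log(text):
    """Return the R/O entries of a HijackThis log, skipping the header and process list."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def boot_mode(text):
    """Read the 'Boot mode:' header line; a safe-mode log omits normal-mode startup items."""
    for line in text.splitlines():
        if line.startswith("Boot mode:"):
            return line.split(":", 1)[1].strip()
    return "unknown"


def triage(entries):
    """Heuristic review list (my own rules, not HijackThis's): (entry, reason) pairs."""
    findings = []
    for e in entries:
        if e.body.endswith("(no file)") or e.body.endswith("(file missing)"):
            findings.append((e, "orphan: registry entry points at a file that no longer exists"))
        elif e.section == "O16":
            # "DPF: {GUID} (Friendly Name) - url": the part before the first " - "
            # carries the class name in parentheses when HijackThis could resolve one.
            head = e.body.split(" - ", 1)[0]
            if GUID_RE.search(head) and "(" not in head:
                findings.append((e, "unnamed ActiveX download (DPF): GUID with no class name"))
    return findings


if __name__ == "__main__":
    print("Boot mode:", boot_mode(SAMPLE_LOG))
    for entry, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{entry.section} - {entry.body}\n    -> {reason}")
```

Run against the constructed sample, the script reports a safe-mode log and three entries for review: the "(no file)" BHO and the unnamed O16 entry that Joe asked to be fixed, plus the AVG BHO whose DLL is missing, which a reviewer would recognise as a leftover from an uninstalled product rather than something to act on. The named O9 "(no name)" buttons in the real logs are deliberately not flagged by these rules, since they still point at an existing file.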

#3 philipsaxon

  • Topic Starter
  • Members
  • 8 posts

Posted 18 September 2008 - 02:13 PM

Thanks so much for your help. I will try what you've said as soon as I can get back to my computer, which will be on Monday.

#4 philipsaxon

  • Topic Starter
  • Members
  • 8 posts

Posted 21 September 2008 - 06:25 PM

Hi Joe,

OK, I've done all requested. In my frustration trying to get around the problem previously, I changed my username from Phil to Philnew. Now, obviously, there is no profile to log onto called Phil, and I can't access the documents associated with that profile from Philnew. Is there a way around this? Now when I log on I don't seem to have any problems, but as I can't log on with my original profile, which had the issue, I don't know whether it is fixed or not.

Thanks so much for your help.

Here are my HijackThis (+uninstall list) and ComboFix logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:58:59, on 21/09/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\aniServ.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\ssoftsrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.euro.dell.com/countries/uk/enu/gen/default.htm
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {33288993-5664-11D4-8B5B-00D0B73B3518} (ell Class) - http://www.easports.com/downloads/games/common/ieell.cab
O16 - DPF: {38D63471-E630-4492-A986-B8C48B79F2F8} (CVideoEgg_ActiveXCtl Object) - http://update.videoegg.com/wintel/VideoEggPublisher.exe
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.co.uk/s/v/30.62/uploader2.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1144747706390
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/s...er/PROFILER.CAB
O16 - DPF: {B020B534-4AA2-4B99-BD6D-5F6EE286DF5C} (Symantec Download Bridge) - https://a248.e.akamai.net/f/248/5462/2h/www...ol/SymDlBrg.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/msnmesse...pdownloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Airgo Networks NIC Service (ANISERVICE) - Airgo Networks, Inc. - C:\WINDOWS\System32\aniServ.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\system32\gearsec.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix - C:\WINDOWS\SYSTEM32\ssoftsrv.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 11191 bytes

µTorrent
4oD
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 7.0.9
Adobe Reader Korean Fonts
AOL Coach Version 1.0(Build:20040229.1 uk)
AOL Connectivity Services
AOL Spyware Protection
AOL Toolbar
AOL UK (Choose which version to remove)
AOL You've Got Pictures Screensaver
ArcSoft Camera Suite 1.3
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
AutoHotkey 1.0.37.07
Avanquest update
Azureus
BBC iPlayer Download Manager
BCM V.92 56K Modem
Belkin Wireless Client Utility
BroadJump Client Foundation
c_ronaldo screensaver
Cakewalk VST Adapter 4
Call of Duty® 4 - Modern Warfare™
ccCommon
Citrix Web Client
Corel Graphics Suite 11
CorelDRAW Graphics Suite 12
Creative MediaSource
Cryptainer LE
DAO
dBpowerAMP Nero Mp4 Codec
Dell Media Experience
Dell Picture Studio - Dell Image Expert
Dell Solution Center
DivX
DivX Player
DivX Web Player
Drag Racer v3
DreamStation DXi2
DVD Decrypter (Remove Only)
DVD43 v3.5.3
DVDSentry
Far Cry
FLV Player 1.3.3
Football Manager 2005
Football Manager 2006
Free Games Offer, Desktop Shortcut
Frets On Fire
GoalTV
Google Earth
GraphPad Prism 5 (Trial)
GTAIII
Guitar Pro 4.0
Hauppauge English Help Files and Resources
Hauppauge WinTV Infrared Remote
Hauppauge WinTV Scheduler
Hauppauge WinTV2000
Hidden & Dangerous 2
Hidden & Dangerous 2 Patch
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
Intel® PRO Network Adapters and Drivers
Intel® PROSet
Internet Worm Protection
InterVideo FilterSDK for Hauppauge
iRiver Caption Editor
iRiver HSeries Manager VER 1.70
iTunes
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment, SE v1.4.2
Java™ 6 Update 3
Java™ SE Runtime Environment 6 Update 1
Learn2 Player (Uninstall Only)
LiveReg (Symantec Corporation)
LiveUpdate 3.0 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Macromedia Shockwave Player
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft Office XP Professional
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
Modem Helper
Motorola Phone Tools
Mozilla Firefox (3.0.1)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
Music Manager
NAVShortcut
Nero 6 Ultra Edition
NeroVision Express 2
Norton AntiVirus 2006
Norton AntiVirus 2006 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Protection Center
Norton WMI Update
oggcodecs 0.71.0946
Origin 6.0
Paint Shop Pro 7
PeerGuardian 2.0
Picasa 2
Planet Earth Screen Saver
PodcastbarMini 1.0
PowerDVD
PPMate Network TV 2.0.0.40
ppStream 1.0
Pro Evolution Soccer 2008
Pro Evolution Soccer 2008 DEMO
Pro Evolution Soccer 5
Pro Evolution Soccer 6
QuickTime
RAR Password Cracker 4.12
RealPlayer
Registry Mechanic 5.0
Samson SoftPre
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
SONAR LE
Sonic DLA
Sonic Foundry Sound Forge 6.0
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
Sony Ericsson PC Suite 1.20.173
SopCast 1.1.2
SopCore 1.0.1
Sound Blaster Audigy 2
SPBBC
Splinter Cell Pandora Tomorrow
Spybot - Search & Destroy
Spybot - Search & Destroy 1.4
Steam
SUPERAntiSpyware Free Edition
SWAT 4
Sygate Personal Firewall
Symantec
Symantec KB-DocID:2003093015493306
Symantec Technical Support Web Controls
Synacast Plug-in 1.1.0.7
SyncroSoft Emu (Remove only)
TubeHunter Ultra
TVAnts 1.0
TVUPlayer 2.3.0.0
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
VideoLAN VLC media player 0.8.6b
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885295
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinMX
WinRAR archiver
WinZip

ComboFix 08-09-20.05 - test 2008-09-21 23:42:27.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.598 [GMT 1:00]
Running from: C:\Documents and Settings\test\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\test.txt
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssl.dll
C:\WINDOWS\system32\tdsslog.dll
C:\WINDOWS\system32\tdssmain.dll
C:\WINDOWS\system32\tdssserf.dll
C:\WINDOWS\system32\tdssservers.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_NPF


((((((((((((((((((((((((( Files Created from 2008-08-21 to 2008-09-21 )))))))))))))))))))))))))))))))
.

2008-09-16 23:31 . 2004-01-13 03:17 <DIR> d-------- C:\Documents and Settings\test\Application Data\Symantec
2008-09-16 23:31 . 2004-01-13 03:19 <DIR> d-------- C:\Documents and Settings\test\Application Data\Sonic
2008-09-16 23:31 . 2004-01-13 03:14 <DIR> d-------- C:\Documents and Settings\test\Application Data\Creative
2008-09-16 23:31 . 2008-09-16 23:31 <DIR> d-------- C:\Documents and Settings\test
2008-09-16 23:20 . 2004-01-13 03:17 <DIR> d-------- C:\Documents and Settings\Phil.DDQHCZ0J\Application Data\Symantec
2008-09-16 23:20 . 2004-01-13 03:19 <DIR> d-------- C:\Documents and Settings\Phil.DDQHCZ0J\Application Data\Sonic
2008-09-16 23:20 . 2004-01-13 03:14 <DIR> d-------- C:\Documents and Settings\Phil.DDQHCZ0J\Application Data\Creative
2008-09-16 23:20 . 2008-09-16 23:20 <DIR> d-------- C:\Documents and Settings\Phil.DDQHCZ0J
2008-09-16 23:19 . 2008-09-16 23:20 <DIR> d-------- C:\Program Files\microsoft frontpage
2008-09-15 18:29 . 2008-09-15 18:29 <DIR> d-------- C:\Program Files\XoftSpySE
2008-09-15 18:21 . 2008-09-15 18:21 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
2008-09-12 10:05 . 2008-09-12 10:05 <DIR> d-------- C:\Documents and Settings\Administrator.DDQHCZ0J\Application Data\vlc
2008-09-11 22:17 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\SYSTEM32\VCCLSID.exe
2008-09-11 22:17 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2008-09-11 22:17 . 2008-09-08 23:38 88,576 --a------ C:\WINDOWS\SYSTEM32\AntiXPVSTFix.exe
2008-09-11 22:17 . 2008-09-02 16:51 86,528 --a------ C:\WINDOWS\SYSTEM32\VACFix.exe
2008-09-11 22:17 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\SYSTEM32\IEDFix.exe
2008-09-11 22:17 . 2008-09-15 18:51 82,432 --a------ C:\WINDOWS\SYSTEM32\IEDFix.C.exe
2008-09-11 22:17 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\SYSTEM32\404Fix.exe
2008-09-11 22:17 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\SYSTEM32\Process.exe
2008-09-11 22:17 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2008-09-11 22:17 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\SYSTEM32\WS2Fix.exe
2008-09-11 22:11 . 2008-09-11 22:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-09-11 09:27 . 2008-09-11 09:27 <DIR> d-------- C:\virus maybe
2008-08-30 00:39 . 2008-09-02 22:08 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot_bak
2008-08-23 08:53 . 2008-06-13 14:10 272,128 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\bthport.sys
2008-08-23 08:47 . 2008-05-01 15:30 331,776 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\msadce.dll
2008-08-22 09:54 . 2008-08-22 09:54 <DIR> d-------- C:\GSK and THESIS

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-09-15 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-09-15 18:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-09-15 17:58 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-09-15 14:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-09-11 21:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-08-31 15:42 --------- d-----w C:\Program Files\AOL 8.0
2005-03-18 10:31 56 --sh--r C:\WINDOWS\SYSTEM32\AE98D159EC.sys
2008-06-01 18:06 14,498 --sha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-07-13 339968]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe" [2002-10-29 49152]
"CTDVDDet"="C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE" [2002-09-30 45056]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2003-08-06 114741]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2003-08-13 28672]
"SmcService"="C:\PROGRA~1\Sygate\SPF\smc.exe" [2004-08-13 2532576]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 53096]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-03-12 517768]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 376912]
"CTHelper"="CTHELPER.EXE" [2003-02-20 C:\WINDOWS\SYSTEM32\CTHELPER.EXE]
"AsioReg"="CTASIO.DLL" [2003-02-20 C:\WINDOWS\SYSTEM32\CTASIO.DLL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 8.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 8.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 8.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AOL 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\AOL 9.0 Tray Icon.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutoStart IR.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutoStart IR.lnk
backup=C:\WINDOWS\pss\AutoStart IR.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SB Audigy 2 Startup Menu]
/L:ENG [X]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
--a------ 2007-11-27 12:58 1032376 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
--a------ 2004-03-19 14:17 78960 C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
--a------ 2004-11-10 00:22 497240 C:\Program Files\Common Files\AOL\ACS\AOLDial.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
--a------ 2003-01-27 17:16 376912 C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
--a------ 2005-04-27 18:23 788992 C:\Program Files\dvd43\DVD43_Tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iHP-100]
--a------ 2004-07-05 15:50 24576 C:\Program Files\iRiver\HSeries\iHPDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
--a------ 2007-11-27 12:58 1032376 C:\Program Files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mswspl]
--a------ 2006-10-18 22:46 64000 C:\Program Files\Windows Media Player\wmplayer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 C:\WINDOWS\SYSTEM32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--------- 2003-08-26 20:47 204800 C:\Program Files\Dell\Media Experience\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-03-16 18:08 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
-ra------ 2005-10-26 16:17 159744 C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StartCCC]
--a------ 2006-11-10 13:35 90112 C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2006-03-10 17:15 1249280 C:\Program Files\Steam\Steam.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
--a------ 2003-02-13 02:01 155648 C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-09-25 02:11 132496 C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2004-04-30 08:54 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
--------- 2000-05-11 02:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-08-29 06:59 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Fax"=2 (0x2)
"Spooler"=2 (0x2)
"iPodService"=3 (0x3)
"KService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"inrhcehbj0el85"=C:\Documents and Settings\Phil\Local Settings\Temp\.tt12E.tmp.exe /CR=5F8C0875B49BA02BB503A8EC828A17BC643C11DFF833E11E2AA5BF229DA50E90506076801380FD3DDE84B83C8AE11D3D2C50D2F3C261FB99506DD8C9447AA0E36965C6CA1F6989AA9B45CB7DA63DC4125C

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 5\\PES5.exe"=
"C:\\Program Files\\Common Files\\Synacast\\SynaLive\\PE.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\ppStream\\ppStream.exe"=
"C:\\Program Files\\tvants\\Tvants.exe"=
"C:\\Program Files\\AOL 9.0\\waol.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"C:\\Program Files\\KONAMI\\Pro Evolution Soccer 2008\\PES2008.exe"=
"C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"C:\\Program Files\\PPMate\\ppmate.exe"=
"C:\\Program Files\\PPMate\\ppmnet.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8342:TCP"= 8342:TCP:ppLive
"2242:UDP"= 2242:UDP:ppLive
"38889:TCP"= 38889:TCP:ppLive
"45736:UDP"= 45736:UDP:ppLive
"7382:TCP"= 7382:TCP:ppLive
"2294:UDP"= 2294:UDP:ppLive

R2 ANISERVICE;Airgo Networks NIC Service;C:\WINDOWS\System32\aniServ.exe [2004-09-30 143360]
R2 hcw88ts;Hauppauge WinTV 88x TS Capture;C:\WINDOWS\system32\drivers\hcw88ts.sys [2004-10-13 13888]
R2 ssoftnt4;ssoftnt4;C:\WINDOWS\system32\Drivers\ssoftnt4.sys [2004-05-21 114944]
R3 CLEDX;Team H2O CLEDX service;C:\WINDOWS\system32\DRIVERS\cledx.sys [2005-05-09 33792]
R3 HCW88BDA;Hauppauge WinTV 88x DVB Tuner/Demod;C:\WINDOWS\system32\drivers\hcw88bda.sys [2004-09-28 141888]
R3 hcw88rc5;Hauppauge WinTV 88x IR Decoder;C:\WINDOWS\system32\Drivers\hcw88rc5.sys [2004-06-24 10305]
R3 hcw88vid;Hauppauge WinTV 88x Video;C:\WINDOWS\system32\drivers\hcw88vid.sys [2004-09-28 577296]
S3 HCW88TSE;Hauppauge WinTV 88x MPEG/TS Capture;C:\WINDOWS\system32\drivers\hcw88tse.sys [ ]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys [2006-03-16 167808]
S3 SamsonLLDriver;Samson LL Driver;C:\WINDOWS\system32\Drivers\SamsonLLDriver.sys [2006-12-12 56832]
S3 SWWDM_multi;Samson Audio (WDM);C:\WINDOWS\system32\drivers\SWAudWDM.sys [2006-12-12 25088]
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Sonic RecordNow! - (no file)
MSConfigStartUp-H2O - C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe
MSConfigStartUp-lphcahbj0el85 - C:\WINDOWS\system32\lphcahbj0el85.exe
MSConfigStartUp-United Alerts - C:\Program Files\United Alerts\UnitedAlerts.exe
MSConfigStartUp-WildTangent CDA - C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe


.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://www.euro.dell.com/countries/uk/enu/gen/default.htm
R0 -: HKLM-Main,Start Page = hxxp://www.euro.dell.com/countries/uk/enu/gen/default.htm

O16 -: Microsoft XML Parser for Java - file://C:\WINDOWS\Java\classes\xmldso.cab
C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-09-21 23:49:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\vsdatant]
"ImagePath"=""
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Sygate\SPF\Smc.exe
C:\WINDOWS\SYSTEM32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\WINDOWS\SYSTEM32\CTSVCCDA.EXE
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.EXE
C:\WINDOWS\SYSTEM32\ssoftsrv.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\SYSTEM32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
.
**************************************************************************
.
Completion time: 2008-09-21 23:56:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-09-21 22:56:05

Pre-Run: 9,277,202,432 bytes free
Post-Run: 9,157,885,952 bytes free

254 --- E O F --- 2008-09-11 15:02:49
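A small triage helper for logs like the one above, added here as an example; it is not part of the post or of ComboFix. It reads only what ComboFix prints: the deletion list and the REGEDIT4-style "[key]" / "name"=data loading points, and flags the four things this log actually shows: the cluster of tdss*-named files removed from system32 (the shared prefix is the indicator; the naming is consistent with the TDSS rootkit family, which the thread itself does not name), the run- value inrhcehbj0el85 launching an executable from Local Settings\Temp (its suffix hbj0el85 also appears in the orphaned lphcahbj0el85.exe entry further down), the Security Center AntiVirusDisableNotify / DisableMonitoring values set to 1, and EnableFirewall=0 together with the ppLive ports opened through the firewall. The sample input is a constructed excerpt of that log; the value names and paths are copied from it, nothing else is assumed about the machine.

```python
# Added example: a triage helper for ComboFix-style logs. It is not part of the
# forum post or of ComboFix; it only reads the deletion list and the REGEDIT4-style
# "[key]" / "name"=data lines that ComboFix prints, as seen in the log above.
import re
from dataclasses import dataclass, field

# Constructed excerpt: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\test.txt
C:\WINDOWS\system32\tdssadw.dll
C:\WINDOWS\system32\tdssinit.dll
C:\WINDOWS\system32\tdssservers.dat

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"inrhcehbj0el85"=C:\Documents and Settings\Phil\Local Settings\Temp\.tt12E.tmp.exe /CR=5F8C0875B49B

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8342:TCP"= 8342:TCP:ppLive
"2242:UDP"= 2242:UDP:ppLive
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")       # ((( Section name )))
KEY_RE = re.compile(r"^\[(.+)\]\s*$")                 # [HKEY_...\subkey]
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')      # "name"=data
PATH_RE = re.compile(r"([A-Za-z]:\\[^\"\[\]]*?\.(?:exe|dll|sys|scr|com))", re.I)
# Security Center values that, set to 1, silence the "no antivirus / no firewall" balloons.
DISABLE_NAMES = {"antivirusdisablenotify", "firewalldisablenotify", "updatesdisablenotify", "disablemonitoring"}

@dataclass
class Findings:
    tdss_deletions: list = field(default_factory=list)   # tdss*-named files ComboFix removed
    temp_autoruns: list = field(default_factory=list)    # (value name, path) started from a Temp folder
    notifications_disabled: list = field(default_factory=list)
    firewall_off: bool = False
    open_ports: list = field(default_factory=list)

def reg_int(data):
    """Parse 'dword:00000001' or '0 (0x0)' as ComboFix prints them; None if not numeric."""
    data = data.strip()
    if data.lower().startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"^(\d+)", data)
    return int(m.group(1)) if m else None

def triage(log_text):
    f, section, key = Findings(), "", ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == ".":
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1).lower(), ""
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        if "deletions" in section and re.match(r"^[A-Za-z]:\\", line):
            # The log above shows a cluster of tdss*.dll/.dat files; the shared prefix is the tell.
            if line.rsplit("\\", 1)[-1].lower().startswith("tdss"):
                f.tdss_deletions.append(line)
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data = m.group(1), m.group(2)
        if re.search(r"\\currentversion\\run-?$", key):
            p = PATH_RE.search(data)        # anything auto-started out of a Temp folder is suspect
            if p and re.search(r"\\temp\\", p.group(1), re.I):
                f.temp_autoruns.append((name, p.group(1)))
        elif "security center" in key and name.lower() in DISABLE_NAMES and reg_int(data) == 1:
            f.notifications_disabled.append(key.rsplit("\\", 1)[-1] + "\\" + name)
        elif key.endswith("firewallpolicy\\standardprofile") and name.lower() == "enablefirewall":
            f.firewall_off = reg_int(data) == 0
        elif key.endswith("globallyopenports\\list"):
            f.open_ports.append(name)
    return f

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))   # the dataclass repr lists every finding
```

Run it against a full ComboFix log to get the same five fields for the whole file. Two caveats: a clean log simply yields empty lists, so the script is a reading aid, not a verdict; and the "the system administrator has set policies to prevent this installation" message the poster saw is typically a Windows Installer policy, which ComboFix does not print and this script therefore cannot check.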

#5 Joe - London
  • Security Colleague
  • 327 posts
  • Gender:Male
  • Location:UK

Posted 22 September 2008 - 06:28 AM

Hi philipsaxon,

I changed my Username from Phil to Philnew. Now, obviously, there is no profile to log onto called Phil and I can't access the documents associated with that profile from Philnew. Is there a way around this? - Now when I log on I don't seem to have any problems but as I can't log on with my original profile which had the issue, I don't know whether it is fixed or not.

Changing the name of the user account should make no difference. If the user account was infected prior to the change it will still be infected after the change. My advice is to make no more system changes until we clear this up.

I downloaded SuperAntiSpyware but when I try to install I get a "the system administrator has set policies to prevent this installation" message. This is also true if I try to install the latest version of Ad-Aware.


Sorry about all the following questions, but it's to assist me in getting a handle on the situation here:
Who is the Administrator on this Computer?
How many user accounts on this Computer? If more than one I will need you to post separate Hijackthis logs for each user account accordingly named.
Is it on a network?
Is it a business computer or a home computer?

I've gone through your logs carefully and I see files associated with a tool called SmitFraudFix by S!Ri. Did you install this?

I also see entries belonging to some Peer to Peer programmes which are one of the main sources of malware. Would you like these removed?

Can you let me have a list of your current protection programmes?

I can see the following on there:

Ad-Aware SE Personal
SUPERAntiSpyware Free Edition
Sygate Personal Firewall
Norton/Symantec
XoftSpySE

Which version of Norton/Symantec is that and is the licence fully up to date?

Now that you've run the ComboFix programme, is the computer performing better? Give me a full update please.

Joe.
If I have helped you in any way, please consider a donation:
Member of UNITE and ASAP.

#6 philipsaxon
  • Topic Starter
  • Members
  • 8 posts

Posted 22 September 2008 - 11:40 AM

Hi,

It is a home computer which belongs to me. I had one account (called 'Phil') on there when all the problems started. Since then I added one extra profile and then changed the name of the original profile in the hope it would allow me access to the associated 'My Documents' folder. Each of the two new profiles appear to function properly now.

The only problem which remains is that I can only access the My Documents folder of the original profile when I am in safe mode as there isn't an option to log in to 'Phil' at startup. I cannot access the files once I have logged in with either of the new profile names. If I recreate the profile name 'Phil' which was the original profile, will this allow me into my original profile?

I installed the SmitFraud software whilst I was trying to get around this current problem, but I have not used it. I discovered this website so thought best to ask someone who knows what they're doing!

I have not used any of those peer-to-peer programmes for a long time and they definitely weren't connected at the time I picked up the problem.

My protection programmes before the malware were:
Norton Anti-Virus - subscription out of date
Ad-Aware
Spybot
Sygate Firewall

Since the problem I have installed:
XoftSpySE
SUPERAntiSpyware Free Edition

I haven't yet tried to get on the internet with the fixed computer. Do you think that would be safe now?

Thanks again.

#7 Joe - London
  • Security Colleague
  • 327 posts
  • Gender:Male
  • Location:UK

Posted 22 September 2008 - 01:09 PM

I haven't yet tried to get on the internet with the fixed computer. Do you think that would be safe now?

No, it's best to stay off the Internet for a while until we sort this out.
Is XoftSpySE a trial version or did you buy it? I ask because it's a bit expensive and there are free programmes out there.
Is it your intention to renew your Norton licence? Again there are good free programmes out there.

It sounds as if you may have accidentally deleted your original user account, do you think that is the case?

Let me know please and I'll prepare a fix to remove what I can see now. Please make no changes at this point and we'll see if we can recover the situation.

Joe.
If I have helped you in any way, please consider a donation:
Member of UNITE and ASAP.

#8 philipsaxon
  • Topic Starter
  • Members
  • 8 posts

Posted 23 September 2008 - 11:03 AM

Hi,

I definitely haven't deleted the user account. I changed its name from within the user profiles section of the control panel but that was all. What that seems to have done is create a new 'my documents' folder for the new profile but left the old one behind. I can see that old folder still exists and even browse it in safe mode, but I just can't access it any other way. I guess it isn't a big problem as I could simply move the files into my new profile folder but I was reluctant to move anything with all the problems.

Haven't bought XoftSpySE - just downloaded a trial.
I will update Norton unless you know of a better anti-virus.

Cheers

#9 Joe - London
  • Security Colleague
  • 327 posts
  • Gender:Male
  • Location:UK

Posted 23 September 2008 - 12:01 PM

Hi philipsaxon,

I definitely haven't deleted the user account. I changed its name from within the user profiles section of the control panel but that was all. What that seems to have done is create a new 'my documents' folder for the new profile but left the old one behind. I can see that old folder still exists and even browse it in safe mode, but I just can't access it any other way. I guess it isn't a big problem as I could simply move the files into my new profile folder but I was reluctant to move anything with all the problems.

In any event your system is now corrupted and you have lost your original user profile. The first thing therefore is to copy all the important data, settings passwords etc you have and back it up on a removable storage such as an external hard drive, CD or even upload it to an internet storage. You should as you say be able to do that in safe mode or safe mode with networking.

Then if you want to try and recover the original profile you may be able to do so with a system restore to a date prior to when you re-named your user account. This should work as long as there is a system restore point created after creation of the original account and before you re-named it. However I cannot be certain as I don't know the history and I'm not familiar with your computer or even if you have a restore point.

If that works post back and let me know and then we can proceed to clean up the system.

As an alternative and if you're content with your new user profile you can go into safe mode and drag the important files from your old MyDocuments folder into the new one in your new user profile. Once that is done you can delete the old folder. What about your Internet access and all your other programmes? Are they all present in your new profile? I wouldn't expect them to be.

Post back and let me know. Please do that and post back ASAP today if possible as I'll be out all day tomorrow and away from home from the weekend.

Leave the updating etc. until we clean this up.

Joe.
If I have helped you in any way, please consider a donation:
Member of UNITE and ASAP.

#10 philipsaxon
  • Topic Starter
  • Members
  • 8 posts

Posted 23 September 2008 - 05:37 PM

Hi,

I have backed up all my important stuff onto a second hard drive although it is internal rather than external. It has none of the operating system on there and is simply used for saving files. That will be OK, won't it? - if something really bad has happened to my computer I could just plug it into another desktop, couldn't I?

I am content with the new user profile. Some programs have disappeared from the start menu although most of them are still there. I don't know whether those programs which don't appear there are not usable anymore or have been uninstalled for some reason. I will check that tomorrow as I imagine my reply is too late to reach you in time.

Hope this helps. I don't know about the system restore points. I seem to remember they might have been deleted by one of the programs I used before finding this website.

Phil

#11 Joe - London
  • Security Colleague
  • 327 posts
  • Gender:Male
  • Location:UK

Posted 24 September 2008 - 02:55 AM

Hi phil,

I have backed up all my important stuff onto a second hard drive although it is internal rather than external. It has none of the operating system on there and is simply used for saving files. That will be OK, won't it? - if something really bad has happened to my computer I could just plug it into another desktop, couldn't I?

That is the ideal way to back up your personal data etc. This is done simply as a precautionary measure so you won't lose something really important such as irreplaceable family photos etc.

If you've done that you can now check to see if you have any system restore points. Just click Start | All Programs | Accessories | System Tools | System Restore.
Now check the "Restore my computer to an earlier time" check-box and click Next.
If your System restore was active when the mishap occurred you should see lots of dates there in bold text.
Simply select one of those and click next. Be sure its a date prior to when all this occurred.

Thats it basically your computer should now return to normal with all your original programmes and user profile etc.
You would no longer have the new profile.
You may have the infection though as it may be present in the restore point but we can deal with that separately.

i am content with the new user profile. some programs have disappeared from the start menu although most of them are still there. i don't know whether those programs which don't appear there are not usable anymore or have been uninstalled for some reason. i will check that tomorrow as i imagine my reply is too late to reach you in time.

Unfortunately the programmes are lost and can only be recovered by a system restore or by re-installing them into the new user profile.

hope this helps, i don't know about the system restore points. i seem to remember they might have been deleted by one of the programs i used before finding this website.

You would have to manually turn of the system restore utility to remove the system restore points. I'm unaware of any programme that does that.

Its decision time now. Please let me know how you wish to proceed. I'll be back late afternoon or first thing tomorrow morning.

Joe.

#12 philipsaxon (Topic Starter, Members, 8 posts)

Posted 24 September 2008 - 05:33 PM

Thanks for your patience, I realise this must be frustrating for you.

OK, I checked the system restore points and I must have deleted them before I got in contact with you. I seem to remember reading somewhere that the virus I had corrupted these and that they should be deleted. I think that is what I must have done; at the time I was trying all sorts of things and stupidly didn't really take note of what I was doing.

I've just realised something else too: when I changed the name of the profile the password didn't change and the little picture associated with the profile remained the same, so it must still be the original profile, but for some reason it didn't bring over my old files too; it left them behind. Could this be because the malware removed my administrator rights and therefore wouldn't allow transfer of those documents? When the malware restricted my access to those files I did something in safe mode to change the access rights so I could access the folder when logged in as administrator. I guess this might have something to do with why I can't access the files now.

I don't seem to have lost any of my most important programs. In fact I am still to work out which I have actually lost. The start menu list of programs isn't as long as it was on my old profile, but I can't work out what has gone; nothing too important, obviously.

I don't really know the best way forward. What are the possibilities? I would prefer not to delete any profiles if possible.

#13 Joe - London (Security Colleague, 327 posts, Gender: Male, Location: UK)

Posted 25 September 2008 - 05:50 AM

OK, I checked the system restore points and I must have deleted them before I got in contact with you. I seem to remember reading somewhere that the virus I had corrupted these and that they should be deleted. I think that is what I must have done; at the time I was trying all sorts of things and stupidly didn't really take note of what I was doing.

OK, if there are no restore points then you cannot restore the system and you're stuck with what you have.
I know the horse has bolted, but the lesson here is: any system restore point, even an infected one, is better than none at all.

So the first thing is to create one now.

Here's how:

Go to Start | All Programs | Accessories | System Tools | System Restore.
Double-click "System Restore Settings" on the left and make sure the check-box "Turn off System Restore" is not checked.
Now check "Create a restore point" in the right-hand window and click Next.
Now create a new system restore point and give it a recognisable name.

Now drag all your personal data from the old "My Documents" folder to the new "My Documents" folder in the new user profile, and then delete the old one.
I understand you have already made a backup on another hard drive. If not, do this first.
You will need administration rights to do this. If necessary, update the user rights for your new profile to do this.

When you've done this, post back and let me know, and then we'll proceed to check for malware etc.

Also look at your user accounts and post an updated list for me to avoid confusion.

Let me know what issues you have at this point.

Joe.
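The four things Joe asks for across posts #11 and #13 (see whether any restore points survive, create a named one, reclaim and copy the old "My Documents", list the accounts and which profile folder belongs to each) can be checked from an elevated PowerShell prompt instead of clicking through the GUI. The script below is an added example written for this page; it is not from the thread, from Joe, or from any tool mentioned here. It assumes PowerShell 2.0 or later on a Windows XP/Vista/7-era machine, that the session runs as an administrator, and that the profile folder names, the new account name and the restore-point description are placeholders to be replaced. `takeown.exe` and `icacls.exe` are built in from Vista onward; on XP they come from the Resource Kit (or use `cacls`), and on Windows 8 and later restore-point creation is throttled to one per 24 hours unless the `SystemRestorePointCreationFrequency` registry value is set to 0.

```powershell
# Added example, not code from the BleepingComputer thread. Run elevated.
# Placeholders (assumed, change to match the machine):
$OldProfile = 'C:\Documents and Settings\phil'       # profile whose My Documents was locked
$NewProfile = 'C:\Documents and Settings\phil-new'   # profile now in use
$NewAccount = "$env:COMPUTERNAME\phil-new"           # account that should own the data

# 1. List whatever restore points still exist (root\default:SystemRestore is the
#    WMI class behind the System Restore GUI on XP/Vista/7). Empty output means
#    the points really are gone, which is what Phil found.
function Get-RestorePointList {
    Get-WmiObject -Namespace 'root\default' -Class SystemRestore |
        Sort-Object SequenceNumber |
        ForEach-Object {
            New-Object PSObject -Property @{
                Seq     = $_.SequenceNumber
                Created = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
                Type    = $_.RestorePointType
                Name    = $_.Description
            }
        }
}

# 2. Make sure System Restore is on for the system drive, then take a named
#    restore point before anything else is changed. Checkpoint-Computer does the
#    same on PowerShell 2.0+; the raw WMI calls also work on 1.0.
function New-NamedRestorePoint([string]$Description) {
    $sr = [wmiclass]'\\.\root\default:SystemRestore'
    $null = $sr.Enable("$env:SystemDrive\", $true)        # no-op if already enabled
    # 12 = MODIFY_SETTINGS, 100 = BEGIN_SYSTEM_CHANGE (SystemRestore class constants)
    $rc = $sr.CreateRestorePoint($Description, 12, 100).ReturnValue
    if ($rc -ne 0) { throw "CreateRestorePoint failed with return code $rc" }
    "Restore point '$Description' created"
}

# 3. Reclaim the old My Documents. Malware, or the earlier safe-mode ACL change,
#    can leave it with an owner/ACL the new account cannot read, so take ownership
#    first, grant the new account full control, then copy. The old folder is left
#    in place: delete it by hand only once the file counts below match.
function Copy-OldDocuments {
    $src = Join-Path $OldProfile 'My Documents'
    $dst = Join-Path $NewProfile 'My Documents'
    & takeown.exe /F $src /R /D Y | Out-Null
    & icacls.exe $src /grant "${NewAccount}:(OI)(CI)F" /T | Out-Null
    if (-not (Test-Path $dst)) { New-Item -ItemType Directory -Path $dst | Out-Null }
    Copy-Item -Path (Join-Path $src '*') -Destination $dst -Recurse -Force
    $n1 = @(Get-ChildItem $src -Recurse -Force | Where-Object { -not $_.PSIsContainer }).Count
    $n2 = @(Get-ChildItem $dst -Recurse -Force | Where-Object { -not $_.PSIsContainer }).Count
    "$n1 files in old folder, $n2 files now in new folder"
}

# 4. The account list Joe asked for, joined to the on-disk profile folders via the
#    ProfileList registry key (same key on XP and later; Win32_UserProfile is Vista+).
#    A profile path with no matching local account is the sort of thing to report.
function Get-AccountAndProfileList {
    $accounts = Get-WmiObject Win32_UserAccount -Filter 'LocalAccount=True' |
        Select-Object Name, SID, Disabled
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' |
        ForEach-Object {
            $sid  = $_.PSChildName
            $acct = $accounts | Where-Object { $_.SID -eq $sid }
            New-Object PSObject -Property @{
                SID         = $sid
                Account     = $(if ($acct) { $acct.Name } else { '(no local account)' })
                Disabled    = $(if ($acct) { $acct.Disabled } else { $null })
                ProfilePath = (Get-ItemProperty $_.PSPath).ProfileImagePath
            }
        }
}

# Joe's order: look, snapshot, inventory, then move data.
Get-RestorePointList       | Format-Table Seq, Created, Type, Name -AutoSize
New-NamedRestorePoint 'Before profile clean-up (manual)'
Get-AccountAndProfileList  | Format-Table Account, Disabled, SID, ProfilePath -AutoSize
# Copy-OldDocuments        # uncomment once the three placeholders above are correct
```

Paste the output of the first and third commands into the thread in place of a hand-typed account list; the ProfilePath column is also the quickest way to confirm which folder still holds the files Phil could not reach, since a renamed account keeps its original profile directory.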
