Trojan.Vundo cannot be deleted


  • This topic is locked
13 replies to this topic

#1 James2281

James2281

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:46 AM

Posted 10 January 2009 - 06:25 AM

Hi,
For the past week I have had a virus infection. The virus was downloaded on 3/1/09 at about 21:00. On initial scans, using free software like AVG and PC Tool, it appeared that several viruses had been downloaded. These included Look2Me as well as Trojan.Vundo. I decided to resubscribe to Norton so that I could get the latest updates, and it appeared to remove all viruses apart from Trojan.Vundo. The file that it says is infected, is C:\WINDOWS\system32.gwnvdv.dll, but it will not delete this file. I tried using a software programme to delete this file on reboot, but even that did not work. There are a few other such software services which I could try, but thought I'd post this log here first.

Symptoms of the virus are pop ups for various products, including casino.com, a fancy dress service, the UK govt Inland Revenue etc. My computer has also been running slowly, and was taking a long time to boot up. However, since removing some of the free antivirus software it seems to be running faster now and booting up quicker. I also deleted all of the old Java updates.

I have used VundoFix, FixVundo and Vundobegone - in Safe mode and Normal Mode. I have run virus scans in Safe Mode, and disabled System Restore when doing these processes. I have also checked the registry using the instructions on symantec's page but could not locate any of the entries.

My DDS log is below. I really appreciate this help, this website is a great discovery.


DDS (Ver_09-01-07.01) - NTFSx86
Run by [...] at 10:56:21.51 on 10/01/2009
Internet Explorer: 7.0.5730.11

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.bbc.co.uk/
uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://api.home/
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
BHO: {c266bb5f-1848-8c99-1b74-fa8ba338adb2}: {2bda833a-b8af-47b1-99c8-8481f5bb662c} - c:\windows\system32\gwnvdv.dll
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: {e962136e-c1ec-4a23-9103-07b885b6aa7b} - c:\windows\system32\fccyaBuR.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ccRegVfy] "c:\program files\common files\symantec shared\ccRegVfy.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: urqpqrPJ - urqpqrPJ.dll
AppInit_DLLs: gwnvdv.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\fccyaBuR

============= SERVICES / DRIVERS ===============


=============== Created Last 30 ================

2009-01-09 18:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2009-01-08 22:27 <DIR> --d----- c:\program files\Remove on Reboot
2009-01-08 18:49 91,027,680 a------- C:\SYM_REGISTRY_BACKUP.reg
2009-01-06 16:33 <DIR> --d----- c:\windows\system32\scripting
2009-01-06 16:33 <DIR> --d----- c:\windows\l2schemas
2009-01-06 16:33 <DIR> --d----- c:\windows\system32\en
2009-01-06 16:33 <DIR> --d----- c:\windows\system32\bits
2009-01-06 16:26 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-04 09:51 <DIR> --d----- c:\windows\EHome
2009-01-04 00:41 <DIR> --d----- c:\program files\AVG
2009-01-04 00:05 <DIR> --d----- c:\program files\Enigma Software Group
2009-01-03 23:21 <DIR> --d----- C:\VundoFix Backups
2009-01-03 21:47 0 a------- c:\windows\system32\mcrh.tmp
2009-01-03 21:25 40,256 a------- c:\windows\system32\drivers\seneka.sys
2009-01-03 21:02 134,144 -------- c:\windows\system32\gwnvdv.dll
2009-01-03 20:59 2,461 a------- c:\windows\system32\senekadf.dat
2009-01-03 20:59 59 a------- c:\windows\system32\seneka.dat
2009-01-03 20:59 566,795 a--sh--- c:\windows\system32\RuBayccf.ini2
2009-01-03 20:59 566,795 a--sh--- c:\windows\system32\RuBayccf.ini
2009-01-03 20:54 5,756 a------- c:\windows\system32\senekalog.dat
2009-01-03 20:54 40,256 a------- c:\windows\system32\drivers\senekasmloulky.sys

==================== Find3M ====================

2009-01-10 10:44 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-01-06 16:36 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-05 23:28 44,250 a------- c:\docume~1\christ~1\applic~1\wklnhst.dat
2008-10-30 06:38 720,896 a------- c:\windows\system32\C-XLS.dll
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll
2008-03-09 19:37 4,265,560 a------- c:\program files\FLV PlayerRCATSetup.exe
2008-03-09 19:36 411,248 a------- c:\program files\FLV PlayerRCSetup.exe
2007-01-17 11:33 774,144 a------- c:\program files\RngInterstitial.dll
2007-01-08 21:06 35,912 a------- c:\docume~1\christ~1\applic~1\GDIPFONTCACHEV1.DAT
2007-01-06 15:09 32 a--sh--- c:\windows\{FA6CB4A7-56D5-4825-9B4E-D3D8AB58A3D2}.dat
2007-03-09 08:12 27,648 a--sh--- c:\windows\system32\AVSredirect.dll
2007-01-06 15:09 32 a--sh--- c:\windows\system32\{88696555-4206-4AFF-BCE9-8B07831C922B}.dat

============= FINISH: 10:58:41.93 ===============


Edited by James2281, 10 January 2009 - 07:08 AM.



#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:46 PM

Posted 13 January 2009 - 12:09 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asks you to install the Recovery Console, please do so.. It will be in your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finish its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 James2281

James2281
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:46 AM

Posted 13 January 2009 - 02:37 PM

Thank you for this help. Some developments have occurred which perhaps change the requirement to use ComboFix. I downloaded the latest security update from Microsoft (Jan 2009). I thought I had them all, but perhaps this came out in the last few days. I think it was a general security update, and a 'remove malicious software' tool. On rebooting my PC it stated that malicious software had been found and deleted, and I no longer get a virus message from Norton now.

The pop ups seem to have disappeared, but they had been gone for some days before using this new update. I can still run ComboFix and a HijackThis log if you think it will be worth doing to make sure all virus files are deleted.

Thanks,

James

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:46 PM

Posted 13 January 2009 - 09:33 PM

If that's the case, please run DDS again and post the logs here :thumbsup:



#5 James2281

James2281
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:46 AM

Posted 14 January 2009 - 02:10 PM

Here is the new DDS log and new Attach file,

thanks,

DDS (Ver_09-01-07.01) - NTFSx86
Run by [...] at 19:05:02.29 on 14/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.110 [GMT 0:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.bbc.co.uk/
uSearch Page = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
uSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://api.home/
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: {e962136e-c1ec-4a23-9103-07b885b6aa7b} - c:\windows\system32\fccyaBuR.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ccRegVfy] "c:\program files\common files\symantec shared\ccRegVfy.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
Notify: urqpqrPJ - urqpqrPJ.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - No File
LSA: Authentication Packages = msv1_0 c:\windows\system32\fccyaBuR

============= SERVICES / DRIVERS ===============

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090107.002\NAVENG.Sys [2009-1-7 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090107.002\NavEx15.Sys [2009-1-7 876112]
R3 SAVRT;SAVRT;c:\windows\system32\drivers\SAVRT.SYS [2002-7-25 235744]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2002-11-13 317128]
R4 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\Navapsvc.exe [2002-11-14 116336]
R4 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\SAVRTPEL.SYS [2002-7-25 35552]
S3 ccPwdSvc;Symantec Password Validation Service;c:\program files\common files\symantec shared\ccPwdSvc.exe [2002-11-14 100032]
S3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\drivers\k600bus.sys [2005-5-11 52384]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\drivers\k600mdfl.sys [2005-5-11 6096]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\drivers\k600mdm.sys [2005-5-11 87456]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\drivers\k600mgmt.sys [2005-5-11 79248]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\k600obex.sys [2005-5-11 77072]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);c:\windows\system32\drivers\SE2Ebus.sys [2006-5-1 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Emdfl.sys [2006-5-1 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Emdm.sys [2006-5-1 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Emgmt.sys [2006-5-1 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se2End5.sys [2006-5-1 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Eobex.sys [2006-5-1 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se2Eunic.sys [2006-5-1 90800]
S4 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]

=============== Created Last 30 ================

2009-01-13 19:14 206 a------- c:\windows\system32\MRT.INI
2009-01-11 20:58 <DIR> --d----- c:\program files\Shockwave.com
2009-01-11 16:56 <DIR> --d----- c:\program files\Streamripper
2009-01-09 18:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2009-01-08 22:27 <DIR> --d----- c:\program files\Remove on Reboot
2009-01-08 18:49 91,027,680 a------- C:\SYM_REGISTRY_BACKUP.reg
2009-01-06 16:33 <DIR> --d----- c:\windows\system32\scripting
2009-01-06 16:33 <DIR> --d----- c:\windows\l2schemas
2009-01-06 16:33 <DIR> --d----- c:\windows\system32\en
2009-01-06 16:33 <DIR> --d----- c:\windows\system32\bits
2009-01-06 16:26 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-04 09:51 <DIR> --d----- c:\windows\EHome
2009-01-04 00:41 <DIR> --d----- c:\program files\AVG
2009-01-04 00:05 <DIR> --d----- c:\program files\Enigma Software Group
2009-01-03 23:21 <DIR> --d----- C:\VundoFix Backups
2009-01-03 21:47 0 a------- c:\windows\system32\mcrh.tmp
2009-01-03 20:59 2,461 a------- c:\windows\system32\senekadf.dat
2009-01-03 20:59 59 a------- c:\windows\system32\seneka.dat
2009-01-03 20:59 566,795 a--sh--- c:\windows\system32\RuBayccf.ini2
2009-01-03 20:59 566,795 a--sh--- c:\windows\system32\RuBayccf.ini
2009-01-03 20:54 5,756 a------- c:\windows\system32\senekalog.dat

==================== Find3M ====================

2009-01-14 18:59 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-01-06 16:36 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-05 23:28 44,250 a------- c:\docume~1\christ~1\applic~1\wklnhst.dat
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-10-30 06:38 720,896 a------- c:\windows\system32\C-XLS.dll
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-10-16 20:38 826,368 a------- c:\windows\system32\wininet.dll
2008-03-09 19:37 4,265,560 a------- c:\program files\FLV PlayerRCATSetup.exe
2008-03-09 19:36 411,248 a------- c:\program files\FLV PlayerRCSetup.exe
2007-01-17 11:33 774,144 a------- c:\program files\RngInterstitial.dll
2007-01-08 21:06 35,912 a------- c:\docume~1\christ~1\applic~1\GDIPFONTCACHEV1.DAT
2007-01-06 15:09 32 a--sh--- c:\windows\{FA6CB4A7-56D5-4825-9B4E-D3D8AB58A3D2}.dat
2007-03-09 08:12 27,648 a--sh--- c:\windows\system32\AVSredirect.dll
2007-01-06 15:09 32 a--sh--- c:\windows\system32\{88696555-4206-4AFF-BCE9-8B07831C922B}.dat

============= FINISH: 19:05:59.67 ===============


Edited by James2281, 15 January 2009 - 07:18 AM.
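What the helper is doing by eye across the two DDS logs in this thread can be made mechanical. The script below is an added example written for this page; it is not part of the thread and not code from DDS, ComboFix or any other tool named here. It parses the load-point lines of the two Pseudo HJT Reports posted above (10 Jan and 14 Jan), flags modules that sit in load points ordinary applications never use (AppInit_DLLs, Winlogon Notify, LSA Authentication Packages), BHOs registered without a readable class name, and any one module wired into more than one load point, then reports which flagged modules survived between the two scans. The allowlist, the set of "sensitive" load points and the scoring heuristics are assumptions made for the example, not a signature set.

```python
import re
from collections import defaultdict

# Load-point lines copied from the two DDS "Pseudo HJT Report" sections posted in this
# thread (10 Jan and 14 Jan 2009), cut down to the entries that matter for the comparison.
DDS_BEFORE = r"""
BHO: {c266bb5f-1848-8c99-1b74-fa8ba338adb2}: {2bda833a-b8af-47b1-99c8-8481f5bb662c} - c:\windows\system32\gwnvdv.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {e962136e-c1ec-4a23-9103-07b885b6aa7b} - c:\windows\system32\fccyaBuR.dll
Notify: igfxcui - igfxdev.dll
Notify: urqpqrPJ - urqpqrPJ.dll
AppInit_DLLs: gwnvdv.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\fccyaBuR
"""

DDS_AFTER = r"""
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: {e962136e-c1ec-4a23-9103-07b885b6aa7b} - c:\windows\system32\fccyaBuR.dll
Notify: igfxcui - igfxdev.dll
Notify: urqpqrPJ - urqpqrPJ.dll
LSA: Authentication Packages = msv1_0 c:\windows\system32\fccyaBuR
"""

GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)

# Load points that no ordinary application needs; anything found here deserves a look.
SENSITIVE = {"AppInit_DLLs", "Winlogon Notify", "LSA Authentication Packages"}

# Modules that legitimately sit in those load points on an XP machine of this era.
# Constructed allowlist for the example; a real triage would use a fuller baseline.
KNOWN_GOOD = {"msv1_0", "igfxdev"}


def module_stem(token):
    """Lower-cased file name of a path or DLL reference, without its extension."""
    base = token.strip().strip('"').replace("/", "\\").rsplit("\\", 1)[-1]
    return re.sub(r"\.(dll|exe|sys)$", "", base, flags=re.I).lower()


def parse_loadpoints(report):
    """Map each module to the set of load-point kinds that reference it, and
    collect per-entry oddities such as a BHO registered without a readable name."""
    refs = defaultdict(set)
    notes = []
    for line in report.splitlines():
        kind, sep, rest = line.strip().partition(":")
        rest = rest.strip()
        if not sep:
            continue
        if kind == "BHO":
            head, sep2, path = rest.rpartition(" - ")
            if not sep2 or path == "No File":
                continue
            # head is "Class Name: {clsid}" or just "{clsid}"; a missing name,
            # or a name that is itself a GUID, is the pattern seen in this thread
            name = head.rpartition(": ")[0]
            stem = module_stem(path)
            refs[stem].add("BHO")
            if not name or GUID_RE.match(name):
                notes.append((stem, "BHO without a readable class name"))
        elif kind == "AppInit_DLLs":
            for tok in re.split(r"[ ,]+", rest):
                if tok:
                    refs[module_stem(tok)].add("AppInit_DLLs")
        elif kind == "Notify":
            dll = rest.rpartition(" - ")[2]
            refs[module_stem(dll)].add("Winlogon Notify")
        elif kind == "LSA":
            for tok in rest.partition("=")[2].split():
                refs[module_stem(tok)].add("LSA Authentication Packages")
    return refs, notes


def flag_suspicious(report):
    """Return {module: [reasons]} for the modules worth a closer look."""
    refs, notes = parse_loadpoints(report)
    findings = defaultdict(list)
    for stem, reason in notes:
        findings[stem].append(reason)
    for stem, kinds in refs.items():
        if stem in KNOWN_GOOD:
            continue
        hooked = kinds & SENSITIVE
        if hooked:
            findings[stem].append("loaded via " + ", ".join(sorted(hooked)))
        if len(kinds) > 1:
            findings[stem].append("wired into %d load points (%s)"
                                  % (len(kinds), ", ".join(sorted(kinds))))
    return dict(findings)


def persisted(before, after):
    """Flagged modules present in both reports: what survived between the two scans."""
    return sorted(set(flag_suspicious(before)) & set(flag_suspicious(after)))


if __name__ == "__main__":
    for label, rep in (("10 Jan", DDS_BEFORE), ("14 Jan", DDS_AFTER)):
        print("==", label, "==")
        for stem, reasons in sorted(flag_suspicious(rep).items()):
            print(" ", stem, "->", "; ".join(reasons))
    print("persisted between scans:", persisted(DDS_BEFORE, DDS_AFTER))
```

Run over the entries from the page, it flags gwnvdv.dll, fccyaBuR.dll and urqpqrPJ.dll in the first log and shows that the latter two are still present in the second. That is the same conclusion the helper reaches: the disappearance of the pop-ups and of one DLL does not mean the machine is clean, so a further scan is still warranted.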


#6 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:46 PM

Posted 15 January 2009 - 02:06 AM

Ahh... Now, please download and run ComboFix as my previous post.. Post the log here :thumbsup:



#7 James2281

James2281
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:46 AM

Posted 15 January 2009 - 04:23 PM

OK, here is the ComboFix log; a DDS log, done after running ComboFix, follows. I received a message asking me to write down the following file, although I think Logitech is some software that came bundled with my Dell.
C:\Program Files\Common Files\Logitech\LVMVFM\LVPrcInj.dll

Last night my computer froze, which it has done about 2 times since getting this virus infection. Normally, the computer is very reliable. Also, I have had difficulty with the wireless connection cutting out, but I am not sure if this is related. Another PC was using the wireless, and the ethernet seemed to be working:

ComboFix 09-01-13.04 - 2009-01-15 21:01:30.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.188 [GMT 0:00]
Running from: c:\documents and settings\\Desktop\ComboFix.exe
* Created a new restore point
.
The following files were disabled during the run:
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\SW_Win2146X32.DLL
c:\windows\system32\mcrh.tmp
c:\windows\system32\RuBayccf.ini
c:\windows\system32\RuBayccf.ini2
c:\windows\system32\seneka.dat
c:\windows\system32\senekadf.dat
c:\windows\system32\senekalog.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_PACKET


((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.

2009-01-15 20:56 . 2009-01-15 20:56 <DIR> d-------- C:\32788R22FWJFW
2009-01-13 19:14 . 2009-01-13 19:14 206 --a------ c:\windows\system32\MRT.INI
2009-01-11 20:58 . 2009-01-11 20:59 <DIR> d-------- c:\program files\Shockwave.com
2009-01-11 16:56 . 2009-01-11 16:56 <DIR> d-------- c:\program files\Winamp
2009-01-11 16:56 . 2009-01-11 16:56 <DIR> d-------- c:\program files\Streamripper
2009-01-09 18:27 . 2009-01-09 18:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2009-01-08 22:27 . 2009-01-08 22:27 <DIR> d-------- c:\program files\Remove on Reboot
2009-01-08 18:49 . 2009-01-08 18:50 91,027,680 --a------ C:\SYM_REGISTRY_BACKUP.reg
2009-01-06 16:33 . 2009-01-06 16:33 <DIR> d-------- c:\windows\system32\scripting
2009-01-06 16:33 . 2009-01-06 16:33 <DIR> d-------- c:\windows\system32\en
2009-01-06 16:33 . 2009-01-06 16:33 <DIR> d-------- c:\windows\system32\bits
2009-01-06 16:33 . 2009-01-06 16:33 <DIR> d-------- c:\windows\l2schemas
2009-01-06 16:26 . 2009-01-06 16:34 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-04 09:51 . 2009-01-06 16:09 <DIR> d-------- c:\windows\EHome
2009-01-04 00:41 . 2009-01-04 00:41 <DIR> d-------- c:\program files\AVG
2009-01-04 00:05 . 2009-01-04 02:36 <DIR> d-------- c:\program files\Enigma Software Group
2009-01-03 23:21 . 2009-01-03 23:21 <DIR> d-------- C:\VundoFix Backups

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-15 21:08 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-01-15 21:06 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-15 21:05 0 ----a-w c:\windows\system32\drivers\lvuvc.hs
2009-01-13 19:36 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-12 20:56 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-11 22:43 --------- d-----w c:\program files\MSN Messenger
2009-01-11 22:42 --------- d-----w c:\program files\Napster
2009-01-05 23:28 44,250 ----a-w c:\documents and settings\\Application Data\wklnhst.dat
2009-01-05 23:09 --------- d-----w c:\program files\Java
2009-01-04 12:43 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-01-03 23:04 --------- d-----w c:\program files\Norton AntiVirus
2008-12-28 17:32 --------- d-----w c:\program files\DOSBox-0.72
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-28 20:13 --------- d-----w c:\documents and settings\Christopher Richards\Application Data\Unity
2008-03-09 19:37 4,265,560 ----a-w c:\program files\FLV PlayerRCATSetup.exe
2008-03-09 19:36 411,248 ----a-w c:\program files\FLV PlayerRCSetup.exe
2007-01-17 11:33 774,144 ----a-w c:\program files\RngInterstitial.dll
2007-01-08 21:06 35,912 ----a-w c:\documents and settings\\Application Data\GDIPFONTCACHEV1.DAT
2007-01-06 15:09 32 --sha-w c:\windows\{FA6CB4A7-56D5-4825-9B4E-D3D8AB58A3D2}.dat
2007-03-09 08:12 27,648 --sha-w c:\windows\system32\AVSredirect.dll
2007-01-06 15:09 32 --sha-w c:\windows\system32\{88696555-4206-4AFF-BCE9-8B07831C922B}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-11-14 54976]
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-11-14 59072]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-14 118784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-06 180269]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" [2003-09-11 99840]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2006-05-04 237568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= c:\progra~1\REPLAY~1\iac25_32.ax

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-06-29 12:13 1032192 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 03:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraAssistant]
--a------ 2006-05-04 08:24 489472 c:\program files\Logitech\Video\CameraAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideo[inspector]]
--a------ 2006-05-04 08:32 73728 c:\program files\Logitech\Video\InstallHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
--a------ 2007-01-12 19:36 323216 c:\program files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-08-09 14:35 39408 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2003-12-09 13:03 57344 c:\progra~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

S3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\drivers\k600bus.sys [2005-05-11 52384]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\drivers\k600mdfl.sys [2005-05-11 6096]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\drivers\k600mdm.sys [2005-05-11 87456]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\drivers\k600mgmt.sys [2005-05-11 79248]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\k600obex.sys [2005-05-11 77072]
.
Contents of the 'Scheduled Tasks' folder

2009-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-01-09 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NAVW32.exe [2002-11-14 19:31]

2009-01-15 c:\windows\Tasks\rpevrdia.job
- c:\windows\system32\rundll32.exe [2008-04-14 00:12]

2009-01-15 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 09:04]

2009-01-15 c:\windows\Tasks\User_Feed_Synchronization-{67E5F7DD-C4BA-4748-9601-BFC9FFF92048}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
- - - - ORPHANS REMOVED - - - -

BHO-{E962136E-C1EC-4A23-9103-07B885B6AA7B} - c:\windows\system32\fccyaBuR.dll
Notify-urqpqrPJ - urqpqrPJ.dll
MSConfigStartUp-iTunesHelper - c:\program files\iTunes\iTunesHelper.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.bbc.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://api.home/
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: Yahoo! Literati - hxxp://origin.games.yahoo.net/games/clients/y/tt5_x.cab
c:\windows\Downloaded Program Files\Yahoo! Literati.osd

O16 -: Yahoo! Pool 2 - hxxp://origin.games.yahoo.net/games/clients/y/poti_x.cab
c:\windows\Downloaded Program Files\Yahoo! Pool 2.osd

c:\windows\Downloaded Program Files\AstroAvenger2Loader.ocx - O16 -: {D441AB53-A39C-42AE-AB79-3C05B7298F34}
hxxp://www.shockwave.com/content/astroavenger2/sis/AstroAvenger2Loader.cab
c:\windows\Downloaded Program Files\AstroAvenger2Loader.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 21:08:23
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Norton AntiVirus\Navapsvc.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\stacsv.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\windows\system32\wscntfy.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-01-15 21:11:55 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-15 21:11:46

Pre-Run: 22,288,850,944 bytes free
Post-Run: 22,800,990,208 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

215 --- E O F --- 2009-01-06 17:07:27


Here is the DDS log (a new Attach log is attached):

DDS (Ver_09-01-07.01) - NTFSx86
Run by at 21:18:26.84 on 15/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.112 [GMT 0:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.bbc.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://api.home/
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ccRegVfy] "c:\program files\common files\symantec shared\ccRegVfy.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090114.017\NAVENG.Sys [2009-1-14 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090114.017\NavEx15.Sys [2009-1-14 876112]
R3 SAVRT;SAVRT;c:\windows\system32\drivers\SAVRT.SYS [2002-7-25 235744]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2002-11-13 317128]
R4 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\Navapsvc.exe [2002-11-14 116336]
R4 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\SAVRTPEL.SYS [2002-7-25 35552]
S3 ccPwdSvc;Symantec Password Validation Service;c:\program files\common files\symantec shared\ccPwdSvc.exe [2002-11-14 100032]
S3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\drivers\k600bus.sys [2005-5-11 52384]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\drivers\k600mdfl.sys [2005-5-11 6096]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\drivers\k600mdm.sys [2005-5-11 87456]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\drivers\k600mgmt.sys [2005-5-11 79248]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\k600obex.sys [2005-5-11 77072]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);c:\windows\system32\drivers\SE2Ebus.sys [2006-5-1 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Emdfl.sys [2006-5-1 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Emdm.sys [2006-5-1 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Emgmt.sys [2006-5-1 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se2End5.sys [2006-5-1 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Eobex.sys [2006-5-1 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se2Eunic.sys [2006-5-1 90800]
S4 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]

=============== Created Last 30 ================

2009-01-15 21:00 <DIR> a-dshr-- C:\cmdcons
2009-01-15 20:57 161,792 a------- c:\windows\SWREG.exe
2009-01-15 20:57 98,816 a------- c:\windows\sed.exe
2009-01-13 19:14 206 a------- c:\windows\system32\MRT.INI
2009-01-11 20:58 <DIR> --d----- c:\program files\Shockwave.com
2009-01-11 16:56 <DIR> --d----- c:\program files\Streamripper
2009-01-09 18:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2009-01-08 22:27 <DIR> --d----- c:\program files\Remove on Reboot
2009-01-08 18:49 91,027,680 a------- C:\SYM_REGISTRY_BACKUP.reg
2009-01-06 16:33 <DIR> --d----- c:\windows\system32\scripting
2009-01-06 16:33 <DIR> --d----- c:\windows\l2schemas
2009-01-06 16:33 <DIR> --d----- c:\windows\system32\en
2009-01-06 16:33 <DIR> --d----- c:\windows\system32\bits
2009-01-06 16:26 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-04 09:51 <DIR> --d----- c:\windows\EHome
2009-01-04 00:41 <DIR> --d----- c:\program files\AVG
2009-01-04 00:05 <DIR> --d----- c:\program files\Enigma Software Group
2009-01-03 23:21 <DIR> --d----- C:\VundoFix Backups

==================== Find3M ====================

2009-01-15 21:05 0 a------- c:\windows\system32\drivers\lvuvc.hs
2009-01-06 16:36 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-05 23:28 44,250 a------- c:\docume~1\christ~1\applic~1\wklnhst.dat
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-10-30 06:38 720,896 a------- c:\windows\system32\C-XLS.dll
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-03-09 19:37 4,265,560 a------- c:\program files\FLV PlayerRCATSetup.exe
2008-03-09 19:36 411,248 a------- c:\program files\FLV PlayerRCSetup.exe
2007-01-17 11:33 774,144 a------- c:\program files\RngInterstitial.dll
2007-01-08 21:06 35,912 a------- c:\docume~1\christ~1\applic~1\GDIPFONTCACHEV1.DAT
2007-01-06 15:09 32 a--sh--- c:\windows\{FA6CB4A7-56D5-4825-9B4E-D3D8AB58A3D2}.dat
2007-03-09 08:12 27,648 a--sh--- c:\windows\system32\AVSredirect.dll
2007-01-06 15:09 32 a--sh--- c:\windows\system32\{88696555-4206-4AFF-BCE9-8B07831C922B}.dat

============= FINISH: 21:19:13.14 ===============


Thank you for all your help

Edited by James2281, 15 January 2009 - 04:27 PM.


#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:46 PM

Posted 16 January 2009 - 01:05 AM

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Rootkit::
c:\windows\system32\drivers\lvuvc.hs

File::
c:\windows\system32\drivers\lvuvc.hs
c:\windows\Tasks\rpevrdia.job

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.



#9 James2281

James2281
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:46 AM

Posted 16 January 2009 - 06:36 AM

OK, done. New ComboFix and DDS logs are below; the Attach file is attached. Thanks:

Combofix

ComboFix 09-01-13.04 - 2009-01-16 11:19:10.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.89 [GMT 0:00]
Running from: c:\documents and settings\\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\lvuvc.hs
c:\windows\Tasks\rpevrdia.job
.
The following files were disabled during the run:
c:\program files\Common Files\Logitech\LVMVFM\LVPrcInj.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\lvuvc.hs
c:\windows\Tasks\rpevrdia.job

.
((((((((((((((((((((((((( Files Created from 2008-12-16 to 2009-01-16 )))))))))))))))))))))))))))))))
.

2009-01-13 19:14 . 2009-01-13 19:14 206 --a------ c:\windows\system32\MRT.INI
2009-01-11 20:58 . 2009-01-11 20:59 <DIR> d-------- c:\program files\Shockwave.com
2009-01-11 16:56 . 2009-01-11 16:56 <DIR> d-------- c:\program files\Winamp
2009-01-11 16:56 . 2009-01-11 16:56 <DIR> d-------- c:\program files\Streamripper
2009-01-09 18:27 . 2009-01-09 18:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avg8
2009-01-08 22:27 . 2009-01-08 22:27 <DIR> d-------- c:\program files\Remove on Reboot
2009-01-08 18:49 . 2009-01-08 18:50 91,027,680 --a------ C:\SYM_REGISTRY_BACKUP.reg
2009-01-06 16:33 . 2009-01-06 16:33 <DIR> d-------- c:\windows\system32\scripting
2009-01-06 16:33 . 2009-01-06 16:33 <DIR> d-------- c:\windows\system32\en
2009-01-06 16:33 . 2009-01-06 16:33 <DIR> d-------- c:\windows\system32\bits
2009-01-06 16:33 . 2009-01-06 16:33 <DIR> d-------- c:\windows\l2schemas
2009-01-06 16:26 . 2009-01-06 16:34 <DIR> d-------- c:\windows\ServicePackFiles
2009-01-04 09:51 . 2009-01-06 16:09 <DIR> d-------- c:\windows\EHome
2009-01-04 00:41 . 2009-01-04 00:41 <DIR> d-------- c:\program files\AVG
2009-01-04 00:05 . 2009-01-04 02:36 <DIR> d-------- c:\program files\Enigma Software Group
2009-01-03 23:21 . 2009-01-03 23:21 <DIR> d-------- C:\VundoFix Backups

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-16 11:25 --------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-01-16 11:24 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-15 21:36 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-01-12 20:56 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-11 22:43 --------- d-----w c:\program files\MSN Messenger
2009-01-11 22:42 --------- d-----w c:\program files\Napster
2009-01-05 23:28 44,250 ----a-w c:\documents and settings\\Application Data\wklnhst.dat
2009-01-05 23:09 --------- d-----w c:\program files\Java
2009-01-04 12:43 --------- d-----w c:\documents and settings\All Users\Application Data\yahoo!
2009-01-03 23:04 --------- d-----w c:\program files\Norton AntiVirus
2008-12-28 17:32 --------- d-----w c:\program files\DOSBox-0.72
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-28 20:13 --------- d-----w c:\documents and settings\\Application Data\Unity
2008-03-09 19:37 4,265,560 ----a-w c:\program files\FLV PlayerRCATSetup.exe
2008-03-09 19:36 411,248 ----a-w c:\program files\FLV PlayerRCSetup.exe
2007-01-17 11:33 774,144 ----a-w c:\program files\RngInterstitial.dll
2007-01-08 21:06 35,912 ----a-w c:\documents and settings\\Application Data\GDIPFONTCACHEV1.DAT
2007-01-06 15:09 32 --sha-w c:\windows\{FA6CB4A7-56D5-4825-9B4E-D3D8AB58A3D2}.dat
2007-03-09 08:12 27,648 --sha-w c:\windows\system32\AVSredirect.dll
2007-01-06 15:09 32 --sha-w c:\windows\system32\{88696555-4206-4AFF-BCE9-8B07831C922B}.dat
.

((((((((((((((((((((((((((((( snapshot@2009-01-15_21.10.09.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-04-14 00:12:08 26,112 -c--a-w c:\windows\system32\dllcache\vdmdbg.dll
+ 2009-01-16 11:23:11 16,384 ----atw c:\windows\temp\Perflib_Perfdata_90.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"DellSupport"="c:\program files\Dell Support\DSAgnt.exe" [2006-07-16 389120]
"CTSyncU.exe"="c:\program files\Creative\Sync Manager Unicode\CTSyncU.exe" [2007-07-17 868352]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]
"kdx"="c:\program files\Kontiki\KHost.exe" [2008-02-27 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-10-18 802816]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-10-18 696320]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2002-11-14 54976]
"ccRegVfy"="c:\program files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-11-14 59072]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-07-14 94208]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-07-14 77824]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-07-14 118784]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-01-06 180269]
"EPSON Stylus Photo R300 Series"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE" [2003-09-11 99840]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-11-07 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"LVCOMSX"="c:\windows\system32\LVCOMSX.EXE" [2006-05-04 237568]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-06-29 286720]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 144784]
"SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 c:\windows\stsystra.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
"ALUAlert"="c:\program files\Symantec\LiveUpdate\ALUNotify.exe" [2002-08-07 54936]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.iac2"= c:\progra~1\REPLAY~1\iac25_32.ax

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-01-11 22:16 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Dell QuickSet]
--a------ 2006-06-29 12:13 1032192 c:\program files\Dell\QuickSet\quickset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
--a------ 2005-10-05 03:12 94208 c:\program files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechCameraAssistant]
--a------ 2006-05-04 08:24 489472 c:\program files\Logitech\Video\CameraAssistant.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechVideo[inspector]]
--a------ 2006-05-04 08:32 73728 c:\program files\Logitech\Video\InstallHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NapsterShell]
--a------ 2007-01-12 19:36 323216 c:\program files\Napster\napster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 05:24 286720 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
--a------ 2008-08-09 14:35 39408 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2003-12-09 13:03 57344 c:\progra~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=

S3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\drivers\k600bus.sys [2005-05-11 52384]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\drivers\k600mdfl.sys [2005-05-11 6096]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\drivers\k600mdm.sys [2005-05-11 87456]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\drivers\k600mgmt.sys [2005-05-11 79248]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\k600obex.sys [2005-05-11 77072]
.
Contents of the 'Scheduled Tasks' folder

2009-01-14 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 13:57]

2009-01-09 c:\windows\Tasks\Norton AntiVirus - Scan my computer.job
- c:\progra~1\NORTON~1\NAVW32.exe [2002-11-14 19:31]

2009-01-16 c:\windows\Tasks\Symantec NetDetect.job
- c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2002-08-07 09:04]

2009-01-15 c:\windows\Tasks\User_Feed_Synchronization-{67E5F7DD-C4BA-4748-9601-BFC9FFF92048}.job
- c:\windows\system32\msfeedssync.exe [2006-10-17 11:58]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://news.bbc.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://api.home/
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/

O16 -: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
c:\windows\Downloaded Program Files\Microsoft XML Parser for Java.osd

O16 -: Yahoo! Literati - hxxp://origin.games.yahoo.net/games/clients/y/tt5_x.cab
c:\windows\Downloaded Program Files\Yahoo! Literati.osd

O16 -: Yahoo! Pool 2 - hxxp://origin.games.yahoo.net/games/clients/y/poti_x.cab
c:\windows\Downloaded Program Files\Yahoo! Pool 2.osd

c:\windows\Downloaded Program Files\AstroAvenger2Loader.ocx - O16 -: {D441AB53-A39C-42AE-AB79-3C05B7298F34}
hxxp://www.shockwave.com/content/astroavenger2/sis/AstroAvenger2Loader.cab
c:\windows\Downloaded Program Files\AstroAvenger2Loader.inf
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-16 11:24:49
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\program files\Common Files\Logitech\LVMVFM\LVPrcSrv.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
c:\program files\Norton AntiVirus\Navapsvc.exe
c:\program files\Dell\QuickSet\NicConfigSvc.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\windows\system32\stacsv.exe
c:\program files\Common Files\Symantec Shared\Security Center\SymWSC.exe
c:\windows\system32\wscntfy.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-01-16 11:28:23 - machine was rebooted
ComboFix-quarantined-files.txt 2009-01-16 11:28:17
ComboFix2.txt 2009-01-15 21:11:58

Pre-Run: 22,723,461,120 bytes free
Post-Run: 22,783,881,216 bytes free

205 --- E O F --- 2009-01-06 17:07:27

DDS log:

DDS (Ver_09-01-07.01) - NTFSx86
Run by at 11:29:16.81 on 16/01/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.502.104 [GMT 0:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\svchost.exe -k NetworkService
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\QuickSet\NICCONFIGSVC.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\stacsv.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I0F2.EXE
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Creative\Sync Manager Unicode\CTSyncU.exe
C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://news.bbc.co.uk/
uSearchMigratedDefaultURL = hxxp://search.yahoo.com/search?p={searchTerms}&ei=utf-8&fr=b1ie7
mSearch Bar = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
uInternet Connection Wizard,ShellNext = hxxp://api.home/
uSearchURL,(Default) = hxxp://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
BHO: UberButton Class: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\program files\yahoo!\common\yiesrvc.dll
BHO: YahooTaggedBM Class: {65d886a2-7ca7-479b-bb95-14d1efb7946a} - c:\program files\yahoo!\common\YIeTagBm.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
BHO: {7E853D72-626A-48EC-A868-BA8D5E23E045} - No File
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Norton AntiVirus: {42cdd1bf-3ffb-4238-8ad1-7859df00b1d6} - c:\program files\norton antivirus\NavShExt.dll
uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
uRun: [DellSupport] "c:\program files\dell support\DSAgnt.exe" /startup
uRun: [CTSyncU.exe] "c:\program files\creative\sync manager unicode\CTSyncU.exe"
uRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\sony ericsson pc suite\SEPCSuite.exe" /systray /nologon
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
mRun: [SigmatelSysTrayApp] stsystra.exe
mRun: [IntelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
mRun: [IntelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [ccRegVfy] "c:\program files\common files\symantec shared\ccRegVfy.exe"
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [EPSON Stylus Photo R300 Series] c:\windows\system32\spool\drivers\w32x86\3\E_S4I0F2.EXE /P30 "EPSON Stylus Photo R300 Series" /O6 "USB001" /M "Stylus Photo R300"
mRun: [DLA] c:\windows\system32\dla\DLACTRLW.EXE
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [LVCOMSX] c:\windows\system32\LVCOMSX.EXE
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_05\bin\jusched.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [ALUAlert] c:\program files\symantec\liveupdate\ALUNotify.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office10\OSA.EXE
IE: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - c:\program files\partygaming\partypoker\RunApp.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_05\bin\ssv.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\program files\yahoo!\common\yiesrvc.dll
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

============= SERVICES / DRIVERS ===============

R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20090114.017\NAVENG.Sys [2009-1-14 89104]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20090114.017\NavEx15.Sys [2009-1-14 876112]
R3 SAVRT;SAVRT;c:\windows\system32\drivers\SAVRT.SYS [2002-7-25 235744]
R4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2002-11-13 317128]
R4 navapsvc;Norton AntiVirus Auto Protect Service;c:\program files\norton antivirus\Navapsvc.exe [2002-11-14 116336]
R4 SAVRTPEL;SAVRTPEL;c:\windows\system32\drivers\SAVRTPEL.SYS [2002-7-25 35552]
S3 ccPwdSvc;Symantec Password Validation Service;c:\program files\common files\symantec shared\ccPwdSvc.exe [2002-11-14 100032]
S3 k600bus;Sony Ericsson 600i driver (WDM);c:\windows\system32\drivers\k600bus.sys [2005-5-11 52384]
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;c:\windows\system32\drivers\k600mdfl.sys [2005-5-11 6096]
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;c:\windows\system32\drivers\k600mdm.sys [2005-5-11 87456]
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;c:\windows\system32\drivers\k600mgmt.sys [2005-5-11 79248]
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;c:\windows\system32\drivers\k600obex.sys [2005-5-11 77072]
S3 SE2Ebus;Sony Ericsson Device 046 Driver driver (WDM);c:\windows\system32\drivers\SE2Ebus.sys [2006-5-1 61600]
S3 SE2Emdfl;Sony Ericsson Device 046 USB WMC Modem Filter;c:\windows\system32\drivers\SE2Emdfl.sys [2006-5-1 9360]
S3 SE2Emdm;Sony Ericsson Device 046 USB WMC Modem Driver;c:\windows\system32\drivers\SE2Emdm.sys [2006-5-1 97184]
S3 SE2Emgmt;Sony Ericsson Device 046 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE2Emgmt.sys [2006-5-1 88688]
S3 se2End5;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (NDIS);c:\windows\system32\drivers\se2End5.sys [2006-5-1 18704]
S3 SE2Eobex;Sony Ericsson Device 046 USB WMC OBEX Interface;c:\windows\system32\drivers\SE2Eobex.sys [2006-5-1 86560]
S3 se2Eunic;Sony Ericsson Device 046 USB Ethernet Emulation SEMC46 (WDM);c:\windows\system32\drivers\se2Eunic.sys [2006-5-1 90800]
S4 SBService;ScriptBlocking Service;c:\progra~1\common~1\symant~1\script~1\SBServ.exe [2001-8-13 54408]

=============== Created Last 30 ================

2009-01-15 21:00 <DIR> a-dshr-- C:\cmdcons
2009-01-15 20:57 161,792 a------- c:\windows\SWREG.exe
2009-01-15 20:57 98,816 a------- c:\windows\sed.exe
2009-01-13 19:14 206 a------- c:\windows\system32\MRT.INI
2009-01-11 20:58 <DIR> --d----- c:\program files\Shockwave.com
2009-01-11 16:56 <DIR> --d----- c:\program files\Streamripper
2009-01-09 18:27 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Avg8
2009-01-08 22:27 <DIR> --d----- c:\program files\Remove on Reboot
2009-01-08 18:49 91,027,680 a------- C:\SYM_REGISTRY_BACKUP.reg
2009-01-06 16:33 <DIR> --d----- c:\windows\system32\scripting
2009-01-06 16:33 <DIR> --d----- c:\windows\l2schemas
2009-01-06 16:33 <DIR> --d----- c:\windows\system32\en
2009-01-06 16:33 <DIR> --d----- c:\windows\system32\bits
2009-01-06 16:26 <DIR> --d----- c:\windows\ServicePackFiles
2009-01-04 09:51 <DIR> --d----- c:\windows\EHome
2009-01-04 00:41 <DIR> --d----- c:\program files\AVG
2009-01-04 00:05 <DIR> --d----- c:\program files\Enigma Software Group
2009-01-03 23:21 <DIR> --d----- C:\VundoFix Backups

==================== Find3M ====================

2009-01-06 16:36 77,423 a------- c:\windows\pchealth\helpctr\offlinecache\index.dat
2009-01-05 23:28 44,250 a------- c:\docume~1\christ~1\applic~1\wklnhst.dat
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-10-30 06:38 720,896 a------- c:\windows\system32\C-XLS.dll
2008-10-23 12:36 286,720 a------- c:\windows\system32\gdi32.dll
2008-03-09 19:37 4,265,560 a------- c:\program files\FLV PlayerRCATSetup.exe
2008-03-09 19:36 411,248 a------- c:\program files\FLV PlayerRCSetup.exe
2007-01-17 11:33 774,144 a------- c:\program files\RngInterstitial.dll
2007-01-08 21:06 35,912 a------- c:\docume~1\christ~1\applic~1\GDIPFONTCACHEV1.DAT
2007-01-06 15:09 32 a--sh--- c:\windows\{FA6CB4A7-56D5-4825-9B4E-D3D8AB58A3D2}.dat
2007-03-09 08:12 27,648 a--sh--- c:\windows\system32\AVSredirect.dll
2007-01-06 15:09 32 a--sh--- c:\windows\system32\{88696555-4206-4AFF-BCE9-8B07831C922B}.dat

============= FINISH: 11:29:57.31 ===============


Edited by James2281, 16 January 2009 - 06:38 AM.


#10 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:46 PM

Posted 16 January 2009 - 08:56 AM

Looks good.. Let's do an online scan to make sure we got them all..


Please run a free online scan with the ESET Online Scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Click Start
  • Make sure that the options Remove found threats and Scan unwanted applications are checked
  • Click Scan
    Wait for the scan to finish
  • Use Notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log as a reply to this topic

How's the computer now? :thumbsup:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
It's gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#11 James2281

James2281
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:46 AM

Posted 16 January 2009 - 12:47 PM

OK, here is the ESET log. Your help has been greatly appreciated. The computer seems OK. No pop ups. No crashes. Running as fast as it was before the virus, as far as I can tell. So, does everything we did remove all traces of the virus or just the parts that are harmful? Also, do you know, besides pop ups, are there any other operations these viruses perform, e.g. dialing into expensive connections, or sending my personal information to a server? I know you are volunteering your help and don't necessarily know this info, but I'd be grateful if you happened to know the answers.



# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3772 (20090116)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.066 (20070917)
# EOSSerial=544cf2af4339c541bb406ad091870cc4
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2009-01-16 05:37:04
# local_time=2009-01-16 05:37:04 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 3
# scanned=209546
# found=0
# scan_time=2920

#12 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:46 PM

Posted 16 January 2009 - 12:50 PM

Well, from your latest logs, it appears that your machine is free from anything malicious that I know of..

Let's do some cleanup :thumbsup:


Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :)



Have a safe and happy computing day!


Regards
fenzodahl512



#13 James2281

James2281
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:03:46 AM

Posted 16 January 2009 - 03:28 PM

The computer is working now, and the symptoms of the virus appear to have gone. Thank you for all your help.

#14 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  • Local time:04:46 PM

Posted 16 January 2009 - 03:31 PM

You are very welcome, I'm glad that we could help.

I will now close this topic. If you need this topic to be re-opened, please PM me or the Moderators regarding the matter..

If you have any new malware related questions or issues in the future please start a new topic.

Cheers and Happy Computing!

fenzodahl512
