Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Infected with "Antivirus Plus"


  • This topic is locked This topic is locked
18 replies to this topic

#1 Howard Winter

Howard Winter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:57 AM

Posted 03 February 2009 - 05:48 AM

As requested, here are the logs from DDS.scr on the infected machine - note that the Antivirus Plus popups happened as usual, about 2 minutes after boot (DDS started before this).

The second log says to zip it and attach, but I can't see any way to do attachments in here, so I'm pasting them...

DDS (Ver_09-02-01.01) - NTFSx86
Run by Currys.digital at 10:17:38.68 on 03/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.959.282 [GMT 0:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Outdated)
FW: Norton Internet Worm Protection *disabled*
FW: Norton Internet Security 2006 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system\rundll32.exe
C:\WINDOWS\system\se.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Documents and Settings\Currys.digital\Desktop\dds.scr
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

============== Pseudo HJT Report ===============

uStart Page = www.google.co.uk/
uWindow Title = Packard Bell
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
mSearchAssistant = hxxp://www.google.com/ie
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DDSMEkl: {2502bbd0-d73b-11dd-b4ec-cebf56d89593} - c:\windows\system32\vumer.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
TB: Norton Internet Security 2006: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} - No File
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [MsnMsgr] "c:\program files\msn messenger\MsnMsgr.Exe" /background
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [Alcmtr] ALCMTR.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [DetectorApp] c:\program files\sonic\digitalmedia le v7\mydvd le\DetectorApp.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [ISTray] "c:\program files\spyware doctor\pctsTray.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [shell] c:\windows\system\rundll32.exe 00561
mRun: [se] c:\windows\system\se.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: bbafacbcbeab - c:\windows\system32\bbafacbcbeab.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\currys~1.dig\applic~1\mozilla\firefox\profiles\ewfheh54.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\mozilla firefox\components\ccbbdeadfed.dll
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R0 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-6-20 40840]
R1 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-6-20 66952]
R1 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-6-20 81288]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-16 191848]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2005-9-16 202088]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-16 169320]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\NAVAPSVC.EXE [2005-10-6 139888]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-1-11 102712]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20070110.032\NAVENG.Sys [2007-1-11 80408]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20070110.032\NavEx15.Sys [2007-1-11 833048]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-8-26 334984]

=============== Created Last 30 ================

2009-01-25 01:22 4,352 a------- c:\windows\system32\drivers\cleanhelper.sys
2009-01-25 01:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-24 13:25 <DIR> --d----- c:\documents and settings\currys.digital\.housecall6.6
2009-01-24 01:40 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-24 01:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-23 18:04 21,504 a------- c:\windows\system32\hidserv.dll
2009-01-23 18:04 21,504 a------- c:\windows\system32\dllcache\hidserv.dll
2009-01-23 16:20 <DIR> --d----- c:\program files\Enigma Software Group
2009-01-23 13:22 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-16 14:06 63 a------- c:\windows\system\cmd
2009-01-16 14:05 30,208 a------- c:\windows\system\se.exe
2009-01-16 14:05 30,208 a------- c:\windows\system\dop.exe
2009-01-16 14:05 57 a------- c:\windows\system32\dmns.cfg
2009-01-16 14:05 1,479,168 a------- c:\windows\system\rundll32.exe
2009-01-16 14:05 5 a------- c:\windows\system32\avp.id
2009-01-15 17:34 118 a------- c:\windows\system32\MRT.INI

==================== Find3M ====================

2009-01-24 16:52 200,208 a------- c:\windows\system32\vumer.dll
2009-01-24 05:55 277,519 a------- c:\windows\system32\bbafacbcbeab.dll
2008-12-13 06:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-04-04 15:27 557,056 a------- c:\documents and settings\currys.digital\GoToAssist_phone__319_en.exe

============= FINISH: 10:20:51.25 ===============


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 16/10/2006 11:26:07
System Uptime: 02/03/2009 10:14:24 (-648 hours ago)

Motherboard: NEC COMPUTERS INTERNATIONAL | | NEC Versa Premium
Processor: Intel® Celeron® M CPU 410 @ 1.46GHz | uPGA775 | 1466/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 48 GiB total, 29.413 GiB free.
D: is CDROM (CDFS)

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: RT73 USB Wireless LAN Card
Device ID: USB\VID_148F&PID_2573\5&38B1F311&0&6
Manufacturer: Ralink Technology Corp.
Name: RT73 USB Wireless LAN Card
PNP Device ID: USB\VID_148F&PID_2573\5&38B1F311&0&6
Service: RT73

==== System Restore Points ===================

RP461: 28/10/2008 12:49:17 - System Checkpoint
RP462: 29/10/2008 17:51:10 - System Checkpoint
RP463: 31/10/2008 15:52:50 - System Checkpoint
RP464: 03/11/2008 11:28:58 - System Checkpoint
RP465: 04/11/2008 15:54:20 - System Checkpoint
RP466: 05/11/2008 16:35:02 - System Checkpoint
RP467: 07/11/2008 10:30:37 - System Checkpoint
RP468: 08/11/2008 13:11:41 - System Checkpoint
RP469: 09/11/2008 13:56:06 - System Checkpoint
RP470: 10/11/2008 14:12:18 - System Checkpoint
RP471: 11/11/2008 17:51:40 - System Checkpoint
RP472: 12/11/2008 18:00:45 - System Checkpoint
RP473: 13/11/2008 03:00:15 - Software Distribution Service 3.0
RP474: 14/11/2008 12:07:19 - System Checkpoint
RP475: 15/11/2008 16:09:21 - System Checkpoint
RP476: 17/11/2008 14:38:17 - System Checkpoint
RP477: 18/11/2008 16:25:52 - System Checkpoint
RP478: 20/11/2008 11:00:05 - System Checkpoint
RP479: 21/11/2008 13:54:33 - System Checkpoint
RP480: 24/11/2008 12:19:10 - System Checkpoint
RP481: 26/11/2008 17:05:36 - System Checkpoint
RP482: 28/11/2008 10:08:27 - System Checkpoint
RP483: 29/11/2008 13:51:47 - System Checkpoint
RP484: 01/12/2008 13:56:28 - System Checkpoint
RP485: 03/12/2008 10:39:14 - System Checkpoint
RP486: 04/12/2008 15:47:26 - System Checkpoint
RP487: 06/12/2008 11:43:24 - System Checkpoint
RP488: 07/12/2008 12:54:10 - System Checkpoint
RP489: 08/12/2008 12:58:04 - System Checkpoint
RP490: 09/12/2008 14:52:34 - System Checkpoint
RP491: 10/12/2008 15:03:19 - System Checkpoint
RP492: 11/12/2008 15:12:44 - System Checkpoint
RP493: 12/12/2008 10:25:15 - Software Distribution Service 3.0
RP494: 13/12/2008 12:03:01 - System Checkpoint
RP495: 15/12/2008 13:34:22 - Software Distribution Service 3.0
RP496: 16/12/2008 16:44:00 - System Checkpoint
RP497: 18/12/2008 12:50:25 - System Checkpoint
RP498: 19/12/2008 12:46:40 - Software Distribution Service 3.0
RP499: 20/12/2008 13:40:53 - System Checkpoint
RP500: 21/12/2008 13:44:47 - System Checkpoint
RP501: 23/12/2008 12:43:15 - System Checkpoint
RP502: 24/12/2008 12:51:10 - System Checkpoint
RP503: 27/12/2008 09:31:52 - System Checkpoint
RP504: 28/12/2008 13:23:16 - System Checkpoint
RP505: 29/12/2008 13:30:08 - System Checkpoint
RP506: 30/12/2008 15:57:26 - System Checkpoint
RP507: 02/01/2009 13:08:38 - System Checkpoint
RP508: 03/01/2009 15:22:57 - System Checkpoint
RP509: 04/01/2009 16:01:27 - System Checkpoint
RP510: 05/01/2009 16:35:44 - System Checkpoint
RP511: 06/01/2009 17:56:15 - System Checkpoint
RP512: 09/01/2009 12:51:37 - System Checkpoint
RP513: 12/01/2009 12:23:34 - System Checkpoint
RP514: 13/01/2009 12:38:25 - System Checkpoint
RP515: 15/01/2009 09:54:47 - System Checkpoint
RP516: 15/01/2009 17:31:50 - Software Distribution Service 3.0
RP517: 22/01/2009 11:27:44 - System Checkpoint
RP518: 24/01/2009 04:42:44 - System Checkpoint

==== Installed Programs ======================

1310
1310_Help
1310Tour
1310Trb
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
AiO_Scan
AiOSoftware
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
Bonjour
BufferChm
CC_ccProxyExt
ccCommon
ccPxyCore
Copy
CreativeProjects
CreativeProjectsTemplates
CueTour
Destinations
Director
DocProc
DocumentViewer
Fax
GalleryPlayer Images
Google Earth
Google Photos Screensaver
Google Toolbar for Internet Explorer
Google Updater
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB918005)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
HP Diagnostic Assistant
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
HP Unload DLL Patch
HPSystemDiagnostics
InstantShare
iTunes
J2SE Runtime Environment 5.0 Update 4
Java™ 6 Update 3
Java™ 6 Update 7
LiveUpdate 3.0 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.1)
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Norton AntiSpam
Norton AntiVirus 2006
Norton Internet Security
Norton Internet Security 2006 (Symantec Corporation)
Norton Protection Center
Norton Security Scan
Norton Security Scan (Symantec Corporation)
Norton WMI Update
OpenOffice.org Installer 1.0
Overland
Packard Bell Toolbar 1.0
PhotoGallery
Picasa 2
PrintScreen
ProductContext
QFolder
QuickProjects
QuickTime
Readme
Scan
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
SkinsHP1
Sonic Express Labeler
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SPBBC
SpeedTouch USB Software
Spybot - Search & Destroy
Spyware Doctor 6.0
Symantec KB-DocID:2003093015493306
SymNet
Synaptics Pointing Device Driver
TrayApp
Unload
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
web'n'walk USB manager
WebFldrs XP
WebReg
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
ZyXEL USB ADSL Modem/Router

==== Event Viewer Messages From Past Week ========

02/02/2009 21:46:38, error: Service Control Manager [7000] - The PC Tools Security Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
02/02/2009 21:46:38, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PC Tools Security Service service to connect.
02/02/2009 21:46:38, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
02/02/2009 21:46:38, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
02/02/2009 21:46:38, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
02/02/2009 21:46:38, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
02/02/2009 21:46:38, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
02/02/2009 21:46:38, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
02/02/2009 21:45:58, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
02/02/2009 21:45:18, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
31/01/2009 11:26:59, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRTPEL SPBBCDrv SYMTDI Tcpip
31/01/2009 10:09:05, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
31/01/2009 09:59:08, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm SAVRTPEL SPBBCDrv SYMTDI

==== End Of File ===========================

Cheers,

Howard

BC AdBot (Login to Remove)

 


#2 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 03 February 2009 - 06:34 AM

Please download FileAssassin and unzip it to your Desktop.
  • Double-click FileASSASSIN and tick on Attempt FileASSASSIN's method of file processing
  • Make sure ALL four options are selected (including "Delete file")
  • Copy/paste below file to the box
    • c:\windows\system32\bbafacbcbeab.dll
  • Press Execute button..
Repeat this step with below files..

c:\program files\mozilla firefox\components\ccbbdeadfed.dll
c:\windows\system32\vumer.dll





NEXT


Please download Malwarebytes' Anti-Malware from HERE or HERE

Note: If you already have Malwarebytes' Anti-Malware, just run and update it.. Then do a "Perform Full Scan"

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.




NEXT


Please download RSIT by random/random and save it to your Desktop.
  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.



NEXT


Please download GMER and unzip it to your Desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for Show All.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.


Post me these logs in your next reply.. Post each log in separate post..

1. Tell me whether FileAssassin successfully remove those files
2. Malwarebytes'
3. RSIT log.txt
4. RSIT info.txt
5. Attach GMER result..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#3 Howard Winter

Howard Winter
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:57 AM

Posted 03 February 2009 - 08:45 AM

Thanks for your help - nobody has said whether these procedures should be done in Safe Mode - but since the machine is virtually unusable otherwise (clicking on a disk in Explore can take many minutes to respond, and sometimes it never does, for example) I did run it in Safe Mode...

Please download FileAssassin and unzip it to your Desktop.

  • Double-click FileASSASSIN and tick on Attempt FileASSASSIN's method of file processing
  • Make sure ALL four options are selected (including "Delete file")
  • Copy/paste below file to the box
    • c:\windows\system32\bbafacbcbeab.dll
  • Press Execute button..

I did this and a number of seconds after it finished (I had just pasted the 2nd file name) the machine Blue-Screened. On rebooting I tried the above again and it said it couldn't find it, so I assume it did the job.


Repeat this step with below files..

c:\program files\mozilla firefox\components\ccbbdeadfed.dll
c:\windows\system32\vumer.dll


Done successfully

MBAB in next message.

#4 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 03 February 2009 - 10:16 AM

Don't worry howard.. You do the right thing.. I'll wait for the next logs :thumbup2:

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#5 Howard Winter

Howard Winter
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:57 AM

Posted 03 February 2009 - 10:22 AM

Please download Malwarebytes' Anti-Malware from HERE or HERE


I already had a previous install in place, but I didn't have networking enabled at this time so I used the installer I'd copied on from a CD earlier. Halfway through it reported an Error '0' in vbAccelerator SGrid II Control. I pressed <OK> and it reported an error '440' Automation Error. On OKing that it ran on and completed the install.

On running it found 55 infections, but I was worried there may be new ones, so I rebooted "Safe with Networking", updated MBAM and it found another 9 !

Here is the First log:

Malwarebytes' Anti-Malware 1.33
Database version: 1654
Windows 5.1.2600 Service Pack 2

03/02/2009 13:59:15
mbam-log-2009-02-03 (13-59-15).txt

Scan type: Full Scan (C:\|)
Objects scanned: 129757
Time elapsed: 28 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 4
Files Infected: 48

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d032570a-5f63-4812-a094-87d007c23012} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\shell (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\dynamic toolbar (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2 (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache (Adware.2020search) -> Quarantined and deleted successfully.

Files Infected:
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP516\A0160047.exe (Rogue.InternetAntivirus) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\batch.bat (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\unins000.dat (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\unins000.exe (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\go.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\home.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\logo_pb.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\parent_off.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\parent_on.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\pbukv2tb0200.cfg (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\popup_off.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\popup_on.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\search.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\services.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\skin.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\skin1.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\skin2.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\skin3.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\skin4.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\skin5.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\store.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\style.css (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\support.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\Cache\ticker.xml (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\ErrorLog.txt (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\go.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\home.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\logo_pb.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\parent_off.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\parent_on.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\PBUKV2TB0200.cfg (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\popup_off.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\popup_on.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\search.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\services.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\skin.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\skin1.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\skin2.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\skin3.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\skin4.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\skin5.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\store.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\style.css (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\support.bmp (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\ticker.xml (Adware.2020search) -> Quarantined and deleted successfully.
C:\Program Files\dynamic toolbar\PBUKV2\Cache\_Ticker_ticker.txt (Adware.2020search) -> Quarantined and deleted successfully.
C:\Documents and Settings\Currys.digital\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus Plus.lnk (Rogue.AntivirusPlus) -> Quarantined and deleted successfully.
C:\WINDOWS\system\rundll32.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

And the Second:

Malwarebytes' Anti-Malware 1.33
Database version: 1718
Windows 5.1.2600 Service Pack 2

03/02/2009 14:59:02
mbam-log-2009-02-03 (14-59-02).txt

Scan type: Full Scan (C:\|)
Objects scanned: 130837
Time elapsed: 23 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\ddsme.kl (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ddsme.kl.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{624f9012-d73b-11dd-95af-61c156d89593} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2502bbd0-d73b-11dd-b4ec-cebf56d89593} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{52cde0e4-d73b-11dd-9b90-fcc056d89593} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{2502bbd0-d73b-11dd-b4ec-cebf56d89593} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2502bbd0-d73b-11dd-b4ec-cebf56d89593} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP516\A0160132.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{B1C538C0-CBA3-4434-A006-53A338B37653}\RP517\A0160166.dll (Trojan.BHO) -> Quarantined and deleted successfully.


Next I'll go on to RSIT...

#6 Howard Winter

Howard Winter
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:57 AM

Posted 03 February 2009 - 10:43 AM

I rebooted into normal mode to run this, so we're getting the "live" picture...

Please download RSIT by random/random and save it to your Desktop.

  • Double click on RSIT.exe to run RSIT
  • Before you click "Continue", make sure you change the List files/folders created or modified in the last 3 months
  • Click Continue at the disclaimer screen.
  • Once it has finished, two logs will open. Please post the contents of both log.txt and info.txt in your next reply.


Done! Here it is:

Logfile of random's system information tool 1.05 (written by random/random)
Run by Currys.digital at 2009-02-03 15:33:21
Microsoft Windows XP Home Edition Service Pack 2
System drive C: has 30 GB (61%) free of 49 GB
Total RAM: 959 MB (35% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:33:56, on 03/02/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Symantec\LiveUpdate\AUpdate.exe
C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Currys.digital\Desktop\RSIT.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\Symantec\LiveUpdate\LuCallbackProxy.exe
C:\Program Files\trend micro\Currys.digital.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Packard Bell
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: (no name) - {4E7BD74F-2B8D-469E-A0E8-F479B685FA7D} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [DetectorApp] C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ulead AutoDetector v2] C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [se] C:\WINDOWS\system\se.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O20 - Winlogon Notify: bbafacbcbeab - C:\WINDOWS\system32\bbafacbcbeab.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: USBDeviceService - Unknown owner - C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe

--
End of file - 14098 bytes

======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
C:\WINDOWS\tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
C:\WINDOWS\tasks\HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
C:\WINDOWS\tasks\Master CD_DVD Creator.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Currys.digital.job
C:\WINDOWS\tasks\Norton Security Scan for Currys.digital.job
C:\WINDOWS\tasks\Registration reminder 3.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2006-10-22 62080]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
Spybot-S&D IE Protection - C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2008-09-15 1562960]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}]
CNisExtBho Class - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll [2005-10-22 94336]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}]
CNavExtBho Class - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll [2007-05-23 140912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
Google Toolbar Helper - c:\program files\google\googletoolbar1.dll [2007-06-20 2403392]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AF69DE43-7D58-4638-B6FA-CE66B5AD205D}]
Google Toolbar Notifier BHO - C:\Program Files\Google\GoogleToolbarNotifier\4.1.805.4472\swg.dll [2008-10-03 652784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - Norton Internet Security 2006 - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll [2005-10-22 94336]
{C4069E3A-68F1-403E-B40E-20066696354B} - Norton AntiVirus - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll [2007-05-23 140912]
{4E7BD74F-2B8D-469E-A0E8-F479B685FA7D}
{2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google - c:\program files\google\googletoolbar1.dll [2007-06-20 2403392]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"=C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE [2004-08-04 208952]
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE [2004-08-04 455168]
"ATICCC"=C:\Program Files\ATI Technologies\ATI.ACE\cli.exe [2006-01-02 45056]
"RTHDCPL"=C:\WINDOWS\RTHDCPL.EXE [2006-04-17 16143872]
"Alcmtr"=C:\WINDOWS\ALCMTR.EXE [2005-05-03 69632]
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe [2006-09-11 26112]
"DetectorApp"=C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe [2005-10-20 102400]
"ISUSPM Startup"=C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe [2004-07-27 221184]
"ISUSScheduler"=C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe [2004-07-27 81920]
"ccApp"=C:\Program Files\Common Files\Symantec Shared\ccApp.exe [2008-02-11 53096]
"Ulead AutoDetector v2"=C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe [2004-11-26 90112]
"SpeedTouch USB Diagnostics"=C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe [2004-01-26 866816]
"HP Software Update"=C:\Program Files\HP\HP Software Update\HPWuSchd2.exe [2004-02-12 49152]
"HP Component Manager"=C:\Program Files\HP\hpcoretech\hpcmpmgr.exe [2004-05-12 241664]
"Adobe Reader Speed Launcher"=C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe [2008-01-11 39792]
"ISTray"=C:\Program Files\Spyware Doctor\pctsTray.exe [2008-11-03 1168264]
"AppleSyncNotifier"=C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe [2008-07-22 116040]
"QuickTime Task"=C:\Program Files\QuickTime\QTTask.exe [2008-05-27 413696]
"iTunesHelper"=C:\Program Files\iTunes\iTunesHelper.exe [2008-07-30 289064]
"Symantec PIF AlertEng"=C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2008-01-29 583048]
"se"=C:\WINDOWS\system\se.exe [2009-01-16 30208]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"=C:\Program Files\MSN Messenger\MsnMsgr.Exe /background []
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [2007-06-20 68856]
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe [2004-08-04 15360]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
C:\WINDOWS\system32\HDAShCut.exe [2005-01-07 61952]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
c:\APPS\Powercinema\PCMService.exe [2006-02-23 147456]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmpcSys]
C:\APPS\SMP\SmpSys.exe [2005-11-17 975360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe [2006-06-16 794713]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
HP Image Zone Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2006-04-27 61440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\bbafacbcbeab]
C:\WINDOWS\system32\bbafacbcbeab.dll [2006-05-15 313871]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll [2006-10-18 133632]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdauxservice]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\sdcoreservice]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=0
"legalnoticecaption"=
"legalnoticetext"=
"shutdownwithoutlogon"=1
"undockwithoutlogon"=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDriveTypeAutoRun"=145

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%ProgramFiles%\AOL 9.0\aol.exe"="%ProgramFiles%\AOL 9.0\aol.exe:*:Enabled:AOL"
"%ProgramFiles%\UBISOFT\Splinter Cell Pandora Tomorrow\logo_ubi.exe"="%ProgramFiles%\UBISOFT\Splinter Cell Pandora Tomorrow\logo_ubi.exe:*:Enabled:SPLINTER CELL PANDORA"
"%ProgramFiles%\UBISOFT\Splinter Cell Pandora Tomorrow\pandora.exe"="%ProgramFiles%\UBISOFT\Splinter Cell Pandora Tomorrow\pandora.exe:*:Enabled:PANDORA"
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\Messenger\msmsgs.exe"="C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\Program Files\Bonjour\mDNSResponder.exe"="C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\Program Files\iTunes\iTunes.exe"="C:\Program Files\iTunes\iTunes.exe:*:Enabled:iTunes"
"C:\WINDOWS\system\rundll32.exe"="C:\WINDOWS\system\rundll32.exe:*:Enabled:rundll32"
"C:\Documents and Settings\Currys.digital\Local Settings\Temporary Internet Files\Content.IE5\RJLD4PI8\installer_00561[2].exe"="C:\Documents and Settings\Currys.digital\Local Settings\Temporary Internet Files\Content.IE5\RJLD4PI8\installer_00561[2].exe:*:Enabled:installer"
"C:\WINDOWS\system\dop.exe"="C:\WINDOWS\system\dop.exe:*:Enabled:se"
"C:\WINDOWS\system\se.exe"="C:\WINDOWS\system\se.exe:*:Enabled:se"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe"="%windir%\system32\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\Program Files\MSN Messenger\msnmsgr.exe"="C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.0"
"C:\Program Files\MSN Messenger\msncall.exe"="C:\Program Files\MSN Messenger\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
"%windir%\Network Diagnostic\xpnetdiag.exe"="%windir%\Network Diagnostic\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{398ad082-2184-11dd-9f24-001060fba99b}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{616ac30e-f1dc-11dd-a026-00038a000015}]
shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL E:\m.exe /s

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd434ea4-574f-11dd-9f71-00038a000015}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd434ea6-574f-11dd-9f71-00038a000015}]
shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd434ea7-574f-11dd-9f71-00038a000015}]
shell\AutoRun\command - E:\AutoRun.exe


======List of files/folders created in the last 3 months======

2009-02-03 15:29:50 ----D---- C:\Program Files\trend micro
2009-02-03 15:29:48 ----D---- C:\rsit
2009-02-03 13:09:57 ----D---- C:\Documents and Settings\Currys.digital\Application Data\Malwarebytes
2009-02-03 13:08:25 ----D---- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-01-26 15:24:06 ----A---- C:\avenger.txt
2009-01-25 01:10:29 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2009-01-24 01:40:22 ----D---- C:\Program Files\Spybot - Search & Destroy
2009-01-24 01:40:22 ----D---- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-23 18:04:19 ----A---- C:\WINDOWS\system32\hidserv.dll
2009-01-23 16:20:44 ----D---- C:\Program Files\Enigma Software Group
2009-01-23 12:46:17 ----A---- C:\WINDOWS\ntbtlog.txt
2009-01-15 17:36:10 ----HDC---- C:\WINDOWS\$NtUninstallKB958687$
2009-01-15 17:34:55 ----A---- C:\WINDOWS\system32\MRT.INI
2008-12-12 10:33:13 ----HDC---- C:\WINDOWS\$NtUninstallKB952069_WM9$
2008-12-12 10:33:00 ----HDC---- C:\WINDOWS\$NtUninstallKB955839$
2008-12-12 10:27:50 ----HDC---- C:\WINDOWS\$NtUninstallKB954600$
2008-12-12 10:27:25 ----HDC---- C:\WINDOWS\$NtUninstallKB956802$
2008-11-26 16:25:44 ----D---- C:\temp
2008-11-13 03:04:09 ----HDC---- C:\WINDOWS\$NtUninstallKB957097$
2008-11-13 03:03:44 ----HDC---- C:\WINDOWS\$NtUninstallKB955069$

======List of files/folders modified in the last 3 months======

2009-02-03 15:33:37 ----D---- C:\WINDOWS\PREFETCH
2009-02-03 15:33:01 ----D---- C:\WINDOWS
2009-02-03 15:33:00 ----D---- C:\Program Files\Common Files\Symantec Shared
2009-02-03 15:32:01 ----D---- C:\WINDOWS\Temp
2009-02-03 15:29:50 ----RD---- C:\Program Files
2009-02-03 15:29:40 ----AD---- C:\WINDOWS\system32
2009-02-03 15:29:39 ----AD---- C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-03 13:59:14 ----D---- C:\WINDOWS\system
2009-02-03 13:38:50 ----D---- C:\Program Files\Spyware Doctor
2009-02-03 13:09:56 ----D---- C:\WINDOWS\system32\drivers
2009-02-03 10:22:03 ----D---- C:\Documents and Settings\All Users\Application Data\Google Updater
2009-02-03 10:21:05 ----D---- C:\WINDOWS\system32\CatRoot2
2009-01-30 13:49:48 ----SHD---- C:\RECYCLER
2009-01-29 22:25:00 ----SHD---- C:\System Volume Information
2009-01-26 16:11:31 ----D---- C:\Program Files\Mozilla Firefox
2009-01-24 15:45:03 ----D---- C:\Program Files\Google
2009-01-24 15:42:09 ----D---- C:\WINDOWS\SoftwareDistribution
2009-01-24 13:14:27 ----D---- C:\Documents and Settings
2009-01-23 22:24:13 ----A---- C:\WINDOWS\SchedLgU.Txt
2009-01-23 18:04:27 ----RSHD---- C:\WINDOWS\system32\dllcache
2009-01-23 13:45:33 ----D---- C:\Program Files\Common Files
2009-01-23 12:58:46 ----HD---- C:\WINDOWS\inf
2009-01-21 13:54:57 ----D---- C:\Documents and Settings\All Users\Application Data\Google
2009-01-16 15:00:01 ----D---- C:\Program Files\Norton Security Scan
2009-01-16 12:05:38 ----SHD---- C:\WINDOWS\Installer
2009-01-16 12:02:42 ----SHD---- C:\Config.Msi
2009-01-15 17:35:20 ----HD---- C:\WINDOWS\$hf_mig$
2009-01-13 12:13:25 ----A---- C:\WINDOWS\FOXPRO.INI
2009-01-10 11:30:44 ----D---- C:\WINDOWS\Minidump
2009-01-10 01:35:28 ----A---- C:\WINDOWS\system32\MRT.exe
2008-12-19 12:50:05 ----A---- C:\WINDOWS\imsins.BAK
2008-12-19 12:49:50 ----D---- C:\WINDOWS\ie7updates
2008-12-17 15:53:05 ----D---- C:\WINDOWS\system32\CatRoot_bak
2008-12-17 15:53:05 ----D---- C:\WINDOWS\system32\CatRoot
2008-12-13 06:40:02 ----A---- C:\WINDOWS\system32\mshtml.dll
2008-12-12 10:40:12 ----D---- C:\Program Files\Internet Explorer
2008-12-02 15:48:38 ----D---- C:\Documents and Settings\Currys.digital\Application Data\Mozilla
2008-11-24 11:51:40 ----A---- C:\WINDOWS\Iedit.INI
2008-11-20 08:57:57 ----D---- C:\WINDOWS\Help
2008-11-13 03:02:38 ----D---- C:\WINDOWS\WinSxS
2008-11-04 09:43:10 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 eeCtrl;Symantec Eraser Control driver; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\eeCtrl.sys []
R1 IkSysFlt;System Filter Driver; C:\WINDOWS\system32\drivers\iksysflt.sys [2008-11-03 66952]
R1 IKSysSec;System Security Driver; C:\WINDOWS\system32\drivers\iksyssec.sys [2008-11-03 81288]
R1 intelppm;Intel Processor Driver; C:\WINDOWS\system32\DRIVERS\intelppm.sys [2004-08-04 36096]
R1 SAVRTPEL;SAVRTPEL; \??\C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRTPEL.SYS []
R1 SPBBCDrv;SPBBCDrv; \??\C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCDrv.sys []
R1 SYMTDI;SYMTDI; C:\WINDOWS\System32\Drivers\SYMTDI.SYS [2007-10-01 189320]
R2 AegisP;AEGIS Protocol (IEEE 802.1x) v3.4.3.0; C:\WINDOWS\system32\DRIVERS\AegisP.sys [2006-09-11 20747]
R2 ASCTRM;ASCTRM; C:\WINDOWS\system32\drivers\ASCTRM.sys [2006-09-11 8552]
R2 symlcbrd;symlcbrd; \??\C:\WINDOWS\system32\drivers\symlcbrd.sys []
R3 ati2mtag;ati2mtag; C:\WINDOWS\system32\DRIVERS\ati2mtag.sys [2006-04-27 1540096]
R3 CmBatt;Microsoft ACPI Control Method Battery Driver; C:\WINDOWS\system32\DRIVERS\CmBatt.sys [2004-08-03 14080]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv; \??\C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys []
R3 GEARAspiWDM;GEARAspiWDM; C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys [2008-01-29 16168]
R3 HDAudBus;Microsoft UAA Bus Driver for High Definition Audio; C:\WINDOWS\system32\DRIVERS\HDAudBus.sys [2005-01-07 138752]
R3 IntcAzAudAddService;Service for Realtek HD Audio (WDM); C:\WINDOWS\system32\drivers\RtkHDAud.sys [2006-04-17 4262912]
R3 NAVENG;NAVENG; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070110.032\NAVENG.Sys []
R3 NAVEX15;NAVEX15; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20070110.032\NavEx15.Sys []
R3 RTL8023xp;Realtek 10/100/1000 NIC Family all in one NDIS XP Driver; C:\WINDOWS\system32\DRIVERS\Rtnicxp.sys [2006-01-18 80512]
R3 SAVRT;SAVRT; \??\C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVRT.SYS []
R3 SYMDNS;SYMDNS; C:\WINDOWS\System32\Drivers\SYMDNS.SYS [2007-10-01 12680]
R3 SymEvent;SymEvent; \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS []
R3 SYMFW;SYMFW; C:\WINDOWS\System32\Drivers\SYMFW.SYS [2007-10-01 98184]
R3 SYMIDS;SYMIDS; C:\WINDOWS\System32\Drivers\SYMIDS.SYS [2007-10-01 31624]
R3 SYMIDSCO;SYMIDSCO; \??\C:\PROGRA~1\COMMON~1\SYMANT~1\SymcData\idsdefs\20080926.002\symidsco.sys []
R3 SYMNDIS;SYMNDIS; C:\WINDOWS\System32\Drivers\SYMNDIS.SYS [2007-10-01 28040]
R3 SYMREDRV;SYMREDRV; C:\WINDOWS\System32\Drivers\SYMREDRV.SYS [2007-10-01 23944]
R3 SynTP;Synaptics TouchPad Driver; C:\WINDOWS\system32\DRIVERS\SynTP.sys [2006-06-16 193120]
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbehci.sys [2006-04-19 30080]
R3 usbhub;USB2 Enabled Hub; C:\WINDOWS\system32\DRIVERS\usbhub.sys [2004-08-04 57600]
R3 usbohci;Microsoft USB Open Host Controller Miniport Driver; C:\WINDOWS\system32\DRIVERS\usbohci.sys [2006-04-19 17152]
R3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
R3 wanatw;WAN Miniport (ATW); C:\WINDOWS\system32\DRIVERS\wanatw4.sys [2003-01-10 33588]
S1 kbdhid;Keyboard HID Driver; C:\WINDOWS\system32\DRIVERS\kbdhid.sys [2004-08-03 14848]
S3 alcan5wn;SpeedTouch USB ADSL PPP Networking Driver (NDISWAN); C:\WINDOWS\system32\DRIVERS\alcan5wn.sys [2003-12-08 53600]
S3 alcaudsl;SpeedTouch ADSL Modem ATM Transport; C:\WINDOWS\system32\DRIVERS\alcaudsl.sys [2003-12-08 70688]
S3 HdAudAddService;Microsoft UAA Function Driver for High Definition Audio Service; C:\WINDOWS\system32\drivers\HdAudio.sys [2005-01-07 145920]
S3 HidUsb;Microsoft HID Class Driver; C:\WINDOWS\system32\DRIVERS\hidusb.sys [2001-08-17 9600]
S3 HPZid412;IEEE-1284.4 Driver HPZid412; C:\WINDOWS\system32\DRIVERS\HPZid412.sys [2004-06-21 51088]
S3 HPZipr12;Print Class Driver for IEEE-1284.4 HPZipr12; C:\WINDOWS\system32\DRIVERS\HPZipr12.sys [2004-06-21 16496]
S3 HPZius12;USB to IEEE-1284.4 Translation Driver HPZius12; C:\WINDOWS\system32\DRIVERS\HPZius12.sys [2004-06-21 21744]
S3 hwdatacard;Huawei DataCard USB Modem and USB Serial; C:\WINDOWS\system32\DRIVERS\ewusbmdm.sys [2007-03-05 88960]
S3 mouhid;Mouse HID Driver; C:\WINDOWS\system32\DRIVERS\mouhid.sys [2001-08-17 12160]
S3 RT73;RT73 USB Wireless LAN Card Driver; C:\WINDOWS\system32\DRIVERS\rt73.sys [2006-01-12 252928]
S3 USB_RNDIS;USB Remote NDIS Network Device Driver; C:\WINDOWS\system32\DRIVERS\usb8023k.sys [2002-08-12 11136]
S3 USBAAPL;Apple Mobile USB Driver; C:\WINDOWS\System32\Drivers\usbaapl.sys [2008-07-22 32000]
S3 usbccgp;Microsoft USB Generic Parent Driver; C:\WINDOWS\system32\DRIVERS\usbccgp.sys [2004-08-03 31616]
S3 usbprint;Microsoft USB PRINTER Class; C:\WINDOWS\system32\DRIVERS\usbprint.sys [2004-08-03 25856]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 WpdUsb;WpdUsb; C:\WINDOWS\System32\Drivers\wpdusb.sys [2006-10-18 38528]
S3 WudfPf;Windows Driver Foundation - User-mode Driver Framework Platform Driver; C:\WINDOWS\system32\DRIVERS\WudfPf.sys [2006-09-28 77568]
S3 WudfRd;Windows Driver Foundation - User-mode Driver Framework Reflector; C:\WINDOWS\system32\DRIVERS\wudfrd.sys [2006-09-28 82944]

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 AOL ACS;AOL Connectivity Service; C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe [2004-04-08 1135728]
R2 Apple Mobile Device;Apple Mobile Device; C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe [2008-07-22 116040]
R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\system32\Ati2evxx.exe [2006-04-27 405504]
R2 Automatic LiveUpdate Scheduler;Automatic LiveUpdate Scheduler; C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe [2006-07-25 100032]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 ccEvtMgr;Symantec Event Manager; C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe [2008-02-11 191848]
R2 ccProxy;Symantec Network Proxy; C:\Program Files\Common Files\Symantec Shared\ccProxy.exe [2007-09-13 202088]
R2 ccSetMgr;Symantec Settings Manager; C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe [2008-02-11 169320]
R2 CLCapSvc;CyberLink Background Capture Service (CBCS); c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe [2006-02-23 266338]
R2 CLSched;CyberLink Task Scheduler (CTS); c:\APPS\Powercinema\Kernel\TV\CLSched.exe [2006-02-23 114784]
R2 CyberLink Media Library Service;CyberLink Media Library Service; c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe [2006-02-23 1073152]
R2 gusvc;Google Updater Service; C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-10-03 168432]
R2 LiveUpdate Notice Service;LiveUpdate Notice Service; C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe [2008-01-29 583048]
R2 navapsvc;Norton AntiVirus Auto-Protect Service; C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe [2007-05-23 139888]
R2 sdAuxService;PC Tools Auxiliary Service; C:\Program Files\Spyware Doctor\pctsAuxs.exe [2008-06-13 356920]
R2 sdCoreService;PC Tools Security Service; C:\Program Files\Spyware Doctor\pctsSvc.exe [2008-11-03 1079176]
R2 SNDSrvc;Symantec Network Drivers Service; C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe [2007-10-01 214408]
R2 SPBBCSvc;Symantec SPBBCSvc; C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe [2006-05-11 1160848]
R2 Symantec Core LC;Symantec Core LC; C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe [2008-09-30 1251720]
R2 UleadBurningHelper;Ulead Burning Helper; C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe [2004-02-26 49152]
R2 USBDeviceService;USBDeviceService; C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe [2005-10-20 90112]
R3 iPod Service;iPod Service; C:\Program Files\iPod\bin\iPodService.exe [2008-07-30 532264]
R3 LiveUpdate;LiveUpdate; C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE [2006-07-25 2119360]
S3 aspnet_state;ASP.NET State Service; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\aspnet_state.exe [2007-10-24 33800]
S3 ccISPwdSvc;Symantec Internet Security Password Validation; C:\Program Files\Norton Internet Security\ccPwdSvc.exe [2006-02-03 72328]
S3 clr_optimization_v2.0.50727_32;.NET Runtime Optimization Service v2.0.50727_X86; C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe [2007-10-24 70144]
S3 comHost;COM Host; C:\Program Files\Norton Internet Security\comHost.exe [2007-01-16 45696]
S3 NSCService;Norton Protection Center Service; C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE [2006-12-15 750720]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 Pml Driver HPZ12;Pml Driver HPZ12; C:\WINDOWS\system32\HPZipm12.exe [2004-03-18 65536]
S3 SAVScan;Symantec AVScan; C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe [2005-08-26 198368]
S3 WMPNetworkSvc;Windows Media Player Network Sharing Service; C:\Program Files\Windows Media Player\WMPNetwk.exe [2006-10-18 913408]
S3 WudfSvc;Windows Driver Foundation - User-mode Driver Framework; C:\WINDOWS\system32\svchost.exe [2004-08-04 14336]

-----------------EOF-----------------

GNER next...

#7 Howard Winter

Howard Winter
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:57 AM

Posted 03 February 2009 - 11:35 AM

Please download GMER and unzip it to your Desktop.

  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked,
    EXCEPT for 'Show All'.
  • Click on Scan.
  • When the scan has run click Copy and paste the results into a Notepad >> save it and attach in this thread.
Post me these logs in your next reply..


I'm sorry but I can't see how to do an Attach in here, so this is it:

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-03 16:24:52
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateKey [0xF6FC67A6]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xF6FC3794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xF6FC3F1E]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteKey [0xF6FC71F0]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwDeleteValueKey [0xF6FC742A]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwRenameKey [0xF6FC812A]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwSetValueKey [0xF6FC783C]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xF6FC2D0A]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xF6FC2384]

Code 39f933bb254c6916d31015af9699f6d3.sys (ckmd/Noves Inc) ZwCreateKey [0xF7501C8E]
Code 39f933bb254c6916d31015af9699f6d3.sys (ckmd/Noves Inc) ZwEnumerateKey [0xF7501D13]
Code 39f933bb254c6916d31015af9699f6d3.sys (ckmd/Noves Inc) ZwOpenKey [0xF7501C10]
Code 39f933bb254c6916d31015af9699f6d3.sys (ckmd/Noves Inc) ZwQueryDirectoryFile [0xF7501999]
Code 39f933bb254c6916d31015af9699f6d3.sys (ckmd/Noves Inc) IoCreateFile
Code 39f933bb254c6916d31015af9699f6d3.sys (ckmd/Noves Inc) NtQueryDirectoryFile

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntoskrnl.exe!ZwOpenKey 805686DB 5 Bytes JMP F7501C14 39f933bb254c6916d31015af9699f6d3.sys (ckmd/Noves Inc)
PAGE ntoskrnl.exe!IoCreateFile 8056E00F 5 Bytes JMP F7501872 39f933bb254c6916d31015af9699f6d3.sys (ckmd/Noves Inc)
PAGE ntoskrnl.exe!ZwCreateKey 80570647 5 Bytes JMP F7501C92 39f933bb254c6916d31015af9699f6d3.sys (ckmd/Noves Inc)
PAGE ntoskrnl.exe!ZwEnumerateKey 80570D4E 7 Bytes JMP F7501D17 39f933bb254c6916d31015af9699f6d3.sys (ckmd/Noves Inc)
PAGE ntoskrnl.exe!NtQueryDirectoryFile 805795E7 5 Bytes JMP F750199D 39f933bb254c6916d31015af9699f6d3.sys (ckmd/Noves Inc)

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Spyware Doctor\pctsSvc.exe[1112] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ B3, A1, C3, 83 ]
.text C:\Program Files\Spyware Doctor\pctsTray.exe[1388] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ C7, A1, C3, 83 ]

---- Devices - GMER 1.0.14 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

---- Services - GMER 1.0.14 ----

Service C:\WINDOWS\system32\39f933bb254c6916d31015af9699f6d3.sys (*** hidden *** ) [BOOT] 39f933bb254c6916d31015af9699f6d3 <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\ControlSet001\Services\39f933bb254c6916d31015af9699f6d3
Reg HKLM\SYSTEM\ControlSet001\Services\39f933bb254c6916d31015af9699f6d3@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\39f933bb254c6916d31015af9699f6d3&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=39f933bb254c6916d31015af9699f6d3&path=system32\39f933bb254c6916d31015af9699f6d3.sys&wmid=Dkx002&idate=2009-01-13 09:40:47:448&last_download_time=2009-2-3 15:53:32.46&first_skip=1&last_update_ip_pos=0
Reg HKLM\SYSTEM\ControlSet001\Services\39f933bb254c6916d31015af9699f6d3@Type 1
Reg HKLM\SYSTEM\ControlSet001\Services\39f933bb254c6916d31015af9699f6d3@Start 0
Reg HKLM\SYSTEM\ControlSet001\Services\39f933bb254c6916d31015af9699f6d3@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet001\Services\39f933bb254c6916d31015af9699f6d3@Tag 15
Reg HKLM\SYSTEM\ControlSet001\Services\39f933bb254c6916d31015af9699f6d3@ImagePath system32\39f933bb254c6916d31015af9699f6d3.sys
Reg HKLM\SYSTEM\ControlSet001\Services\39f933bb254c6916d31015af9699f6d3@DisplayName 39f933bb254c6916d31015af9699f6d3
Reg HKLM\SYSTEM\ControlSet001\Services\39f933bb254c6916d31015af9699f6d3@Group System Bus Extender
Reg HKLM\SYSTEM\ControlSet001\Services\39f933bb254c6916d31015af9699f6d3\Security
Reg HKLM\SYSTEM\ControlSet001\Services\39f933bb254c6916d31015af9699f6d3\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\ControlSet002\Services\39f933bb254c6916d31015af9699f6d3
Reg HKLM\SYSTEM\ControlSet002\Services\39f933bb254c6916d31015af9699f6d3@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\39f933bb254c6916d31015af9699f6d3&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=39f933bb254c6916d31015af9699f6d3&path=system32\39f933bb254c6916d31015af9699f6d3.sys&wmid=Dkx002&idate=2009-01-13 09:40:47:448&last_download_time=2009-1-23 8:53:42.15&first_skip=1&last_update_ip_pos=0
Reg HKLM\SYSTEM\ControlSet002\Services\39f933bb254c6916d31015af9699f6d3@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\39f933bb254c6916d31015af9699f6d3@Start 0
Reg HKLM\SYSTEM\ControlSet002\Services\39f933bb254c6916d31015af9699f6d3@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\39f933bb254c6916d31015af9699f6d3@Tag 15
Reg HKLM\SYSTEM\ControlSet002\Services\39f933bb254c6916d31015af9699f6d3@ImagePath system32\39f933bb254c6916d31015af9699f6d3.sys
Reg HKLM\SYSTEM\ControlSet002\Services\39f933bb254c6916d31015af9699f6d3@DisplayName 39f933bb254c6916d31015af9699f6d3
Reg HKLM\SYSTEM\ControlSet002\Services\39f933bb254c6916d31015af9699f6d3@Group System Bus Extender
Reg HKLM\SYSTEM\ControlSet002\Services\39f933bb254c6916d31015af9699f6d3\Security
Reg HKLM\SYSTEM\ControlSet002\Services\39f933bb254c6916d31015af9699f6d3\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\39f933bb254c6916d31015af9699f6d3
Reg HKLM\SYSTEM\CurrentControlSet\Services\39f933bb254c6916d31015af9699f6d3@c &registry_path=\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\39f933bb254c6916d31015af9699f6d3&download_period=846000&first_download_delay=180&version=2&ip_0=586742989&port_0=7000&max_fails_0=5&ip_1=704183501&port_1=8300&max_fails_1=5&ip_2=2241985741&port_2=9002&max_fails_2=2&ip_3=1512966353&port_3=11234&max_fails_3=2&ips_count=4&name=39f933bb254c6916d31015af9699f6d3&path=system32\39f933bb254c6916d31015af9699f6d3.sys&wmid=Dkx002&idate=2009-01-13 09:40:47:448&last_download_time=2009-1-23 8:53:42.15&first_skip=1&last_update_ip_pos=0
Reg HKLM\SYSTEM\CurrentControlSet\Services\39f933bb254c6916d31015af9699f6d3@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\39f933bb254c6916d31015af9699f6d3@Start 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\39f933bb254c6916d31015af9699f6d3@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\39f933bb254c6916d31015af9699f6d3@Tag 15
Reg HKLM\SYSTEM\CurrentControlSet\Services\39f933bb254c6916d31015af9699f6d3@ImagePath system32\39f933bb254c6916d31015af9699f6d3.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\39f933bb254c6916d31015af9699f6d3@DisplayName 39f933bb254c6916d31015af9699f6d3
Reg HKLM\SYSTEM\CurrentControlSet\Services\39f933bb254c6916d31015af9699f6d3@Group System Bus Extender
Reg HKLM\SYSTEM\CurrentControlSet\Services\39f933bb254c6916d31015af9699f6d3\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\39f933bb254c6916d31015af9699f6d3\Security@Security 0x01 0x00 0x14 0x80 ...

---- Files - GMER 1.0.14 ----

File C:\WINDOWS\system32\39f933bb254c6916d31015af9699f6d3.sys 39936 bytes executable <-- ROOTKIT !!!

---- EOF - GMER 1.0.14 ----

I don't know if this means we've finished, or if there is more to do?

What viruses were present, and how is it likely the infections occurred? The owner of the machine is going to ask me how it happened, and how to stop it in future...

I await your verdict with interest!

Cheers,

Howard

#8 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 03 February 2009 - 11:53 AM

Please make sure you disable ALL of your Antivirus/Antispyware/Firewall before running ComboFix.. Please visit HERE if you don't know how.. Please re-enable them back after performing all steps given..

Please download ComboFix by sUBs from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.

If ComboFix asked you to install Recovery Console, please do so.. It will be your best interest..

When finished, it shall produce a log for you. Post that log and a fresh HijackThis log in your next reply..

Note: DON'T do anything with your computer while ComboFix is running.. Let ComboFix finishes its job..

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#9 Howard Winter

Howard Winter
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:57 AM

Posted 03 February 2009 - 02:00 PM

I'm having trouble with this - if I boot in Normal mode Norton Internet Security doesn't let me stop it running, and ComboFix tells me it's running. If I boot in Safe Mode then there is no Norton icon in the tray, so I can't even try!

I ran ComboFix anyway, but I'm not sure if it's worked. Here is its log:

ComboFix 09-02-02.04 - Currys.digital 2009-02-03 17:19:37.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.959.752 [GMT 0:00]
Running from: c:\documents and settings\Currys.digital\Desktop\ComboFix.exe
AV: Norton Internet Security 2006 *On-access scanning enabled* (Outdated)
FW: Norton Internet Security 2006 *enabled*
FW: Norton Internet Worm Protection *disabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\bbafacbcbeab.dll
c:\windows\system32\dplay.dll
E:\autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.

2009-02-03 17:15 . 2009-02-03 17:15 <DIR> d-------- c:\documents and settings\ComboFix
2009-02-03 17:12 . 2009-02-03 17:12 500,480 --a------ c:\documents and settings\ComboFix\clsid.dat
2009-02-03 17:11 . 2009-02-03 17:11 91 --a------ c:\documents and settings\ComboFix\CCS.bat
2009-02-03 17:11 . 2009-02-03 17:11 16 --a------ c:\documents and settings\ComboFix\CHCP.bat
2009-02-03 17:05 . 2009-02-03 17:05 185,360 --a------ c:\windows\D83886C6EF8B16E95D9D208A88581B.exe
2009-02-03 15:54 . 2009-02-03 15:54 250 --a------ c:\windows\gmer.ini
2009-02-03 15:49 . 2009-02-03 15:49 185,360 --a------ c:\windows\D6B183E553F1FFD9EE5785CFF41FA4C.exe
2009-02-03 15:36 . 2009-02-03 15:36 200,208 --a------ c:\windows\system32\vumer.dll
2009-02-03 15:29 . 2009-02-03 15:31 <DIR> d-------- C:\rsit
2009-02-03 15:29 . 2009-02-03 15:33 <DIR> d-------- c:\program files\trend micro
2009-02-03 13:09 . 2009-02-03 13:09 <DIR> d-------- c:\documents and settings\Currys.digital\Application Data\Malwarebytes
2009-02-03 13:09 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-03 13:09 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-03 13:08 . 2009-02-03 13:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-02 21:36 . 2009-02-02 21:37 663 --a------ c:\documents and settings\ComboFix\Catch-sub.cmd
2009-02-02 10:53 . 2009-02-02 11:28 3,057 --a------ c:\documents and settings\ComboFix\Auto-RC.cmd
2009-02-02 04:40 . 2009-02-02 18:32 20,672 --a------ c:\documents and settings\ComboFix\CF-Script.cmd
2009-01-25 01:22 . 2009-01-25 01:22 4,352 --a------ c:\windows\system32\drivers\cleanhelper.sys
2009-01-25 01:10 . 2009-02-03 13:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-24 16:49 . 2009-02-02 23:14 58,628 --a------ c:\documents and settings\ComboFix\c.bat
2009-01-24 16:49 . 2009-02-03 17:12 50,177 --a------ c:\documents and settings\ComboFix\023.dat
2009-01-24 16:49 . 2000-08-31 00:00 7,155 --a------ c:\documents and settings\ComboFix\Combobatch.bat
2009-01-24 16:49 . 2000-08-31 00:00 2,126 --a------ c:\documents and settings\ComboFix\023v.dat
2009-01-24 16:49 . 2000-08-31 00:00 962 --a------ c:\documents and settings\ComboFix\av.vbs
2009-01-24 16:49 . 2000-08-31 00:00 533 --a------ c:\documents and settings\ComboFix\AV.cmd
2009-01-24 13:25 . 2009-01-24 15:41 <DIR> d-------- c:\documents and settings\Currys.digital\.housecall6.6
2009-01-24 01:40 . 2009-01-24 04:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-24 01:40 . 2009-01-24 15:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-23 18:04 . 2004-08-04 00:56 21,504 --a------ c:\windows\system32\hidserv.dll
2009-01-23 18:04 . 2004-08-04 00:56 21,504 --a------ c:\windows\system32\dllcache\hidserv.dll
2009-01-23 16:20 . 2009-01-24 04:02 <DIR> d-------- c:\program files\Enigma Software Group
2009-01-23 13:22 . 2009-02-03 16:22 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-16 14:06 . 2009-02-03 15:29 63 --a------ c:\windows\system\cmd
2009-01-16 14:05 . 2009-01-16 14:05 30,208 --a------ c:\windows\system\se.exe
2009-01-16 14:05 . 2009-01-16 14:05 30,208 --a------ c:\windows\system\dop.exe
2009-01-16 14:05 . 2009-01-16 14:05 57 --a------ c:\windows\system32\dmns.cfg
2009-01-16 14:05 . 2009-01-16 14:05 5 --a------ c:\windows\system32\avp.id
2009-01-15 17:34 . 2009-01-15 17:34 118 --a------ c:\windows\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 17:14 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-03 17:12 --------- d-----w c:\program files\Norton Security Scan
2009-02-03 15:33 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-03 13:38 --------- d-----w c:\program files\Spyware Doctor
2009-02-03 10:22 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-02 18:06 7,411 ----a-w c:\documents and settings\ComboFix\Boot.bat
2009-01-24 15:45 --------- d-----w c:\program files\Google
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-04-04 15:27 557,056 ----a-w c:\documents and settings\Currys.digital\GoToAssist_phone__319_en.exe
2009-02-03 15:37 66,576 ----a-w c:\program files\mozilla firefox\components\ccbbdeadfed.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2502BBD0-D73B-11DD-B4EC-CEBF56D89593}]
2009-02-03 15:36 200208 --a------ c:\windows\system32\vumer.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-09-11 26112]
"DetectorApp"="c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]
"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 90112]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"se"="c:\windows\system\se.exe" [2009-01-16 30208]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.mpegacm "= c:\progra~1\COMMON~1\ULEADS~1\MPEG\mpegacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2006-02-23 11:08 147456 c:\apps\Powercinema\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmpcSys]
--a------ 2005-11-17 08:51 975360 c:\apps\SMP\SMPSYS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-06-16 15:22 794713 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2005-01-07 16:07 61952 c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system\\dop.exe"=
"c:\\WINDOWS\\system\\se.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2007-01-11 102712]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-03-27 356920]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{398ad082-2184-11dd-9f24-001060fba99b}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd434ea4-574f-11dd-9f71-00038a000015}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd434ea6-574f-11dd-9f71-00038a000015}]
\Shell\AutoRun\command - E:\AutoRun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd434ea7-574f-11dd-9f71-00038a000015}]
\Shell\AutoRun\command - E:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder

2009-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-09-18 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-09-27 01:01]

2008-05-13 c:\windows\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-09-27 01:01]

2008-05-13 c:\windows\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\documents and settings\Currys.digital\My Documents\My Pictures\items for the website\MENSWEAR [2008-05-12 15:28]

2008-05-13 c:\windows\Tasks\HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-09-27 01:01]

2009-02-03 c:\windows\Tasks\Master CD_DVD Creator.job
- c:\apps\SMP\MCDCHECK.EXE [2005-11-08 14:26]

2009-01-10 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Currys.digital.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2007-05-23 11:13]

2009-01-16 c:\windows\Tasks\Norton Security Scan for Currys.digital.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 03:18]

2006-10-16 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-04 13:00]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-MsnMsgr - c:\program files\MSN Messenger\MsnMsgr.Exe
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Currys.digital\Application Data\Mozilla\Firefox\Profiles\ewfheh54.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 17:28:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\39f933bb254c6916d31015af9699f6d3.sys 39936 bytes executable
c:\windows\system32\_39f933bb254c6916d31015af9699f6d3.sys_.vir 39936 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\39f933bb254c6916d31015af9699f6d3]
"ImagePath"="system32\39f933bb254c6916d31015af9699f6d3.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2041210304-1170766828-4057402683-1006\RemoteAccess\Profile\||4*]
"EnableAutodisconnect"=dword:00000001
"EnableExitDisconnect"=dword:00000001
"DisconnectIdleTime"=dword:00000014
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(512)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\apps\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
c:\windows\system32\ati2evxx.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\hpcoretech\comp\hptskmgr.exe
c:\progra~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-02-03 17:31:47 - machine was rebooted [Currys.digital]
ComboFix-quarantined-files.txt 2009-02-03 17:31:43

Pre-Run: 32,482,361,344 bytes free
Post-Run: 31,577,907,200 bytes free

247 --- E O F --- 2009-01-15 17:36:21


I see the file: c:\windows\system32\bbafacbcbeab.dll Is shown near the top - wasn't that the first thing we deleted? How did it come back?

Edit: I think I will uninstall Norton - it hasn't done any good (it expired ages ago) and it's getting in the way.

Cheers,

Howard

Edited by Howard Winter, 03 February 2009 - 02:01 PM.


#10 Howard Winter

Howard Winter
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:57 AM

Posted 03 February 2009 - 02:06 PM

Sorry, I forgot to post the DDS logs - I'm getting tired! Here they are:


DDS (Ver_09-02-01.01) - NTFSx86
Run by Currys.digital at 18:44:28.17 on 03/02/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_07
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.959.426 [GMT 0:00]

AV: Norton Internet Security 2006 *On-access scanning enabled* (Outdated)
FW: Norton Internet Worm Protection *disabled*
FW: Norton Internet Security 2006 *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
c:\APPS\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Ulead Systems\AutoDetector\monitor.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\Currys.digital\Desktop\dds.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiapsrv.exe
C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe

============== Pseudo HJT Report ===============

uStart Page = www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: DDSMEkl: {2502bbd0-d73b-11dd-b4ec-cebf56d89593} - c:\windows\system32\vumer.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: SSVHelper Class: {761497bb-d6f0-462c-b6eb-d4daf1d92d43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: CNisExtBho Class: {9ecb9560-04f9-4bbc-943d-298ddf1699e1} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\googletoolbar1.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\4.1.805.4472\swg.dll
TB: Norton Internet Security 2006: {0b53eac3-8d69-4b9e-9b19-a37c9a5676a7} - c:\program files\common files\symantec shared\adblocking\NISShExt.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton internet security\norton antivirus\NavShExt.dll
TB: &Google: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\googletoolbar1.dll
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [IMJPMIG8.1] "c:\windows\ime\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
mRun: [PHIME2002ASync] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /SYNC
mRun: [PHIME2002A] c:\windows\system32\ime\tintlgnt\TINTSETP.EXE /IMEName
mRun: [ATICCC] "c:\program files\ati technologies\ati.ace\cli.exe" runtime -Delay
mRun: [RTHDCPL] RTHDCPL.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_07\bin\jusched.exe"
mRun: [RealTray] c:\program files\real\realplayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
mRun: [DetectorApp] c:\program files\sonic\digitalmedia le v7\mydvd le\DetectorApp.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Ulead AutoDetector v2] c:\program files\common files\ulead systems\autodetector\monitor.exe
mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
mRun: [HP Software Update] "c:\program files\hp\hp software update\HPWuSchd2.exe"
mRun: [HP Component Manager] "c:\program files\hp\hpcoretech\hpcmpmgr.exe"
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [se] c:\windows\system\se.exe
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpdigi~1.lnk - c:\program files\hp\digital imaging\bin\hpqtra08.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hpimag~1.lnk - c:\program files\hp\digital imaging\bin\hpqthb08.exe
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_03-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
Handler: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - c:\program files\hp\hpcoretech\comp\hpuiprot.dll
Notify: AtiExtEvent - Ati2evxx.dll
Notify: bbafacbcbeab - c:\windows\system32\bbafacbcbeab.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\currys~1.dig\applic~1\mozilla\firefox\profiles\ewfheh54.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\google\google updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\picasa2\npPicasa2.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

============= SERVICES / DRIVERS ===============

R1 SAVRTPEL;SAVRTPEL;c:\program files\norton internet security\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\CCEVTMGR.EXE [2005-9-16 191848]
R2 ccProxy;Symantec Network Proxy;c:\program files\common files\symantec shared\CCPROXY.EXE [2005-9-16 202088]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\CCSETMGR.EXE [2005-9-16 169320]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton internet security\norton antivirus\NAVAPSVC.EXE [2005-10-6 139888]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-9-11 1251720]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2007-1-11 102712]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20070110.032\NAVENG.Sys [2007-1-11 80408]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20070110.032\NavEx15.Sys [2007-1-11 833048]
R3 SAVRT;SAVRT;c:\program files\norton internet security\norton antivirus\savrt.sys [2005-8-26 334984]
S3 IKFileSec;File Security Driver;c:\windows\system32\drivers\ikfilesec.sys [2007-6-20 40840]
S3 IkSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys [2007-6-20 66952]
S3 IKSysSec;System Security Driver;c:\windows\system32\drivers\iksyssec.sys [2007-6-20 81288]
S3 SAVScan;Symantec AVScan;c:\program files\norton internet security\norton antivirus\SAVScan.exe [2005-8-26 198368]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\spyware doctor\pctsAuxs.exe [2008-3-27 356920]
S3 sdCoreService;PC Tools Security Service;c:\program files\spyware doctor\pctsSvc.exe [2008-3-27 1079176]

=============== Created Last 30 ================

2009-02-03 17:12 161,792 a------- c:\windows\SWREG.exe
2009-02-03 17:12 98,816 a------- c:\windows\sed.exe
2009-02-03 17:05 185,360 a------- c:\windows\D83886C6EF8B16E95D9D208A88581B.exe
2009-02-03 15:54 250 a------- c:\windows\gmer.ini
2009-02-03 15:49 185,360 a------- c:\windows\D6B183E553F1FFD9EE5785CFF41FA4C.exe
2009-02-03 15:36 200,208 a------- c:\windows\system32\vumer.dll
2009-02-03 15:29 <DIR> --d----- c:\program files\trend micro
2009-02-03 13:09 <DIR> --d----- c:\docume~1\currys~1.dig\applic~1\Malwarebytes
2009-02-03 13:09 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-03 13:09 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-03 13:08 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-01-25 01:22 4,352 a------- c:\windows\system32\drivers\cleanhelper.sys
2009-01-25 01:10 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2009-01-24 13:25 <DIR> --d----- c:\documents and settings\currys.digital\.housecall6.6
2009-01-24 01:40 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-01-24 01:40 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-01-23 18:04 21,504 a------- c:\windows\system32\hidserv.dll
2009-01-23 18:04 21,504 a------- c:\windows\system32\dllcache\hidserv.dll
2009-01-23 16:20 <DIR> --d----- c:\program files\Enigma Software Group
2009-01-23 13:22 664 a------- c:\windows\system32\d3d9caps.dat
2009-01-16 14:06 63 a------- c:\windows\system\cmd
2009-01-16 14:05 30,208 a------- c:\windows\system\se.exe
2009-01-16 14:05 30,208 a------- c:\windows\system\dop.exe
2009-01-16 14:05 57 a------- c:\windows\system32\dmns.cfg
2009-01-16 14:05 5 a------- c:\windows\system32\avp.id
2009-01-15 17:34 118 a------- c:\windows\system32\MRT.INI

==================== Find3M ====================

2008-12-13 06:40 3,593,216 -------- c:\windows\system32\dllcache\mshtml.dll
2008-12-11 11:57 333,184 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 11:57 333,184 -------- c:\windows\system32\dllcache\srv.sys
2008-04-04 15:27 557,056 a------- c:\documents and settings\currys.digital\GoToAssist_phone__319_en.exe

============= FINISH: 18:46:08.87 ===============

Second one:


UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-02-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 16/10/2006 11:26:07
System Uptime: 02/03/2009 18:42:37 (-648 hours ago)

Motherboard: NEC COMPUTERS INTERNATIONAL | | NEC Versa Premium
Processor: Intel® Celeron® M CPU 410 @ 1.46GHz | uPGA775 | 1466/100mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 48 GiB total, 29.417 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: RT73 USB Wireless LAN Card
Device ID: USB\VID_148F&PID_2573\5&38B1F311&0&6
Manufacturer: Ralink Technology Corp.
Name: RT73 USB Wireless LAN Card
PNP Device ID: USB\VID_148F&PID_2573\5&38B1F311&0&6
Service: RT73

==== System Restore Points ===================

RP461: 28/10/2008 12:49:17 - System Checkpoint
RP462: 29/10/2008 17:51:10 - System Checkpoint
RP463: 31/10/2008 15:52:50 - System Checkpoint
RP464: 03/11/2008 11:28:58 - System Checkpoint
RP465: 04/11/2008 15:54:20 - System Checkpoint
RP466: 05/11/2008 16:35:02 - System Checkpoint
RP467: 07/11/2008 10:30:37 - System Checkpoint
RP468: 08/11/2008 13:11:41 - System Checkpoint
RP469: 09/11/2008 13:56:06 - System Checkpoint
RP470: 10/11/2008 14:12:18 - System Checkpoint
RP471: 11/11/2008 17:51:40 - System Checkpoint
RP472: 12/11/2008 18:00:45 - System Checkpoint
RP473: 13/11/2008 03:00:15 - Software Distribution Service 3.0
RP474: 14/11/2008 12:07:19 - System Checkpoint
RP475: 15/11/2008 16:09:21 - System Checkpoint
RP476: 17/11/2008 14:38:17 - System Checkpoint
RP477: 18/11/2008 16:25:52 - System Checkpoint
RP478: 20/11/2008 11:00:05 - System Checkpoint
RP479: 21/11/2008 13:54:33 - System Checkpoint
RP480: 24/11/2008 12:19:10 - System Checkpoint
RP481: 26/11/2008 17:05:36 - System Checkpoint
RP482: 28/11/2008 10:08:27 - System Checkpoint
RP483: 29/11/2008 13:51:47 - System Checkpoint
RP484: 01/12/2008 13:56:28 - System Checkpoint
RP485: 03/12/2008 10:39:14 - System Checkpoint
RP486: 04/12/2008 15:47:26 - System Checkpoint
RP487: 06/12/2008 11:43:24 - System Checkpoint
RP488: 07/12/2008 12:54:10 - System Checkpoint
RP489: 08/12/2008 12:58:04 - System Checkpoint
RP490: 09/12/2008 14:52:34 - System Checkpoint
RP491: 10/12/2008 15:03:19 - System Checkpoint
RP492: 11/12/2008 15:12:44 - System Checkpoint
RP493: 12/12/2008 10:25:15 - Software Distribution Service 3.0
RP494: 13/12/2008 12:03:01 - System Checkpoint
RP495: 15/12/2008 13:34:22 - Software Distribution Service 3.0
RP496: 16/12/2008 16:44:00 - System Checkpoint
RP497: 18/12/2008 12:50:25 - System Checkpoint
RP498: 19/12/2008 12:46:40 - Software Distribution Service 3.0
RP499: 20/12/2008 13:40:53 - System Checkpoint
RP500: 21/12/2008 13:44:47 - System Checkpoint
RP501: 23/12/2008 12:43:15 - System Checkpoint
RP502: 24/12/2008 12:51:10 - System Checkpoint
RP503: 27/12/2008 09:31:52 - System Checkpoint
RP504: 28/12/2008 13:23:16 - System Checkpoint
RP505: 29/12/2008 13:30:08 - System Checkpoint
RP506: 30/12/2008 15:57:26 - System Checkpoint
RP507: 02/01/2009 13:08:38 - System Checkpoint
RP508: 03/01/2009 15:22:57 - System Checkpoint
RP509: 04/01/2009 16:01:27 - System Checkpoint
RP510: 05/01/2009 16:35:44 - System Checkpoint
RP511: 06/01/2009 17:56:15 - System Checkpoint
RP512: 09/01/2009 12:51:37 - System Checkpoint
RP513: 12/01/2009 12:23:34 - System Checkpoint
RP514: 13/01/2009 12:38:25 - System Checkpoint
RP515: 15/01/2009 09:54:47 - System Checkpoint
RP516: 15/01/2009 17:31:50 - Software Distribution Service 3.0
RP517: 22/01/2009 11:27:44 - System Checkpoint
RP518: 24/01/2009 04:42:44 - System Checkpoint
RP519: 03/02/2009 18:01:30 - System Checkpoint

==== Installed Programs ======================

1310
1310_Help
1310Tour
1310Trb
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Adobe Reader 8.1.2
Adobe Reader 8.1.2 Security Update 1 (KB403742)
AiO_Scan
AiOSoftware
Apple Mobile Device Support
Apple Software Update
ATI Catalyst Control Center
Bonjour
BufferChm
CC_ccProxyExt
ccCommon
ccPxyCore
Copy
CreativeProjects
CreativeProjectsTemplates
CueTour
Destinations
Director
DocProc
DocumentViewer
Fax
GalleryPlayer Images
Google Earth
Google Photos Screensaver
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB918005)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB935448)
Hotfix for Windows XP (KB952287)
HP Diagnostic Assistant
HP Image Zone 4.2
HP PSC & OfficeJet 4.2
HP Software Update
HP Unload DLL Patch
HPSystemDiagnostics
InstantShare
iTunes
J2SE Runtime Environment 5.0 Update 4
Java™ 6 Update 3
Java™ 6 Update 7
LiveUpdate 3.0 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Macromedia Shockwave Player
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.1)
MSRedist
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
Norton AntiSpam
Norton AntiVirus 2006
Norton Internet Security
Norton Internet Security 2006 (Symantec Corporation)
Norton Protection Center
Norton Security Scan
Norton Security Scan (Symantec Corporation)
Norton WMI Update
OpenOffice.org Installer 1.0
Overland
Packard Bell Toolbar 1.0
PhotoGallery
Picasa 2
PrintScreen
ProductContext
QFolder
QuickProjects
QuickTime
Readme
Scan
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Media Encoder (KB954156)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB942615)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944533)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
SkinsHP1
Sonic Express Labeler
Sonic MyDVD LE
Sonic RecordNow Audio
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
SPBBC
SpeedTouch USB Software
Spybot - Search & Destroy
Spyware Doctor 6.0
Symantec KB-DocID:2003093015493306
SymNet
Synaptics Pointing Device Driver
TrayApp
Unload
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB912945)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB942840)
Update for Windows XP (KB946627)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
web'n'walk USB manager
WebFldrs XP
WebReg
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
ZyXEL USB ADSL Modem/Router

==== Event Viewer Messages From Past Week ========

31/01/2009 10:09:05, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service StiSvc with arguments "" in order to run the server: {A1F4E726-8CF1-11D1-BF92-0060081ED811}
31/01/2009 09:59:08, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: eeCtrl Fips intelppm SAVRTPEL SPBBCDrv SYMTDI
31/01/2009 09:58:17, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service EventSystem with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}
31/01/2009 11:26:59, error: Service Control Manager [7001] - The DHCP Client service depends on the NetBios over Tcpip service which failed to start because of the following error: A device attached to the system is not functioning.
31/01/2009 11:26:59, error: Service Control Manager [7001] - The DNS Client service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
31/01/2009 11:26:59, error: Service Control Manager [7001] - The TCP/IP NetBIOS Helper service depends on the AFD service which failed to start because of the following error: A device attached to the system is not functioning.
31/01/2009 11:26:59, error: Service Control Manager [7001] - The Apple Mobile Device service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
31/01/2009 11:26:59, error: Service Control Manager [7001] - The Bonjour Service service depends on the TCP/IP Protocol Driver service which failed to start because of the following error: A device attached to the system is not functioning.
31/01/2009 11:26:59, error: Service Control Manager [7001] - The IPSEC Services service depends on the IPSEC driver service which failed to start because of the following error: A device attached to the system is not functioning.
31/01/2009 11:26:59, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the PC Tools Security Service service to connect.
31/01/2009 11:26:59, error: Service Control Manager [7000] - The PC Tools Security Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
31/01/2009 11:26:59, error: Service Control Manager [7026] - The following boot-start or system-start driver(s) failed to load: AFD eeCtrl Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SAVRTPEL SPBBCDrv SYMTDI Tcpip
02/02/2009 21:45:58, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service netman with arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}
03/02/2009 12:56:15, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service iPod Service with arguments "" in order to run the server: {063D34A4-BF84-4B8D-B699-E8CA06504DDE}
03/02/2009 12:57:30, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the iPod Service service to connect.
03/02/2009 12:59:12, error: Service Control Manager [7000] - The iPod Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
03/02/2009 14:02:23, error: PlugPlayManager [11] - The device Root\LEGACY_39F933BB254C6916D31015AF9699F6D3\0000 disappeared from the system without first being prepared for removal.
03/02/2009 17:18:08, error: DCOM [10005] - DCOM got error "%1084" attempting to start the service Symantec Core LC with arguments "-Service" in order to run the server: {60C70E11-2B08-4798-B366-C8450CDA7B1A}

==== End Of File ===========================

#11 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 03 February 2009 - 09:53 PM

Please show hidden files and folders

Do this first.. Please visit this site and upload below file.. At the comment section, just say "fenzodahl512 asked to upload the file"

c:\windows\system32\39f933bb254c6916d31015af9699f6d3.sys




NEXT


Please show hidden files and folders
  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan"box on the top of the page:
    • c:\windows\system32\drivers\cleanhelper.sys
  • Click on the Upload button
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
If VirScan.org server is too busy, please submit the file to VirusTotal instead.




NEXT


1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

Driver::
39f933bb254c6916d31015af9699f6d3

Rootkit::
c:\windows\system32\39f933bb254c6916d31015af9699f6d3.sys
c:\windows\system32\_39f933bb254c6916d31015af9699f6d3.sys_.vir

File::
c:\windows\D83886C6EF8B16E95D9D208A88581B.exe
c:\windows\D6B183E553F1FFD9EE5785CFF41FA4C.exe
c:\windows\system32\vumer.dll
c:\windows\system\cmd
c:\windows\system\se.exe
c:\windows\system\dop.exe
c:\windows\system32\dmns.cfg
c:\windows\system32\avp.id
c:\program files\mozilla firefox\components\ccbbdeadfed.dll
c:\windows\system32\39f933bb254c6916d31015af9699f6d3.sys
c:\windows\system32\_39f933bb254c6916d31015af9699f6d3.sys_.vir

RegLock::
[HKEY_USERS\S-1-5-21-2041210304-1170766828-4057402683-1006\RemoteAccess\Profile\||4*]

RegNull::
[HKEY_USERS\S-1-5-21-2041210304-1170766828-4057402683-1006\RemoteAccess\Profile\||4*]

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2502BBD0-D73B-11DD-B4EC-CEBF56D89593}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"se"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\system\\dop.exe"=-
"c:\\WINDOWS\\system\\se.exe"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{398ad082-2184-11dd-9f24-001060fba99b}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd434ea4-574f-11dd-9f71-00038a000015}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd434ea6-574f-11dd-9f71-00038a000015}]
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fd434ea7-574f-11dd-9f71-00038a000015}]
[-HKEY_LOCAL_MACHINE\System\ControlSet003\Services\39f933bb254c6916d31015af9699f6d3]

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • VirScan.org report.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#12 Howard Winter

Howard Winter
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:57 AM

Posted 04 February 2009 - 06:25 AM

Please show hidden files and folders

Do this first.. Please visit this site and upload below file.. At the comment section, just say "fenzodahl512 asked to upload the file"

c:\windows\system32\39f933bb254c6916d31015af9699f6d3.sys

This file wasn't there - there were no files starting with numbers at all (I double-checked that there was nothing hidden)

Please show hidden files and folders

  • Please go to VirSCAN.org FREE on-line scan service
  • Copy and paste the following file path into the "Suspicious files to scan"box on the top of the page:
    [list]
  • c:\windows\system32\drivers\cleanhelper.sys
[*] Click on the Upload button
[*] Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
[*] Paste the contents of the Clipboard in your next reply.

Done - This is the result:

VirSCAN.org Scanned Report :
Scanned time : 2009/02/04 10:35:30 (GMT)
Scanner results: All Scanners reported not find malware!
File Name : cleanhelper.sys
File Size : 4352 byte
File Type : PE32 executable for MS Windows (native) Intel 80386 32-bit
MD5 : f45dff16dc0def4b069d45abedd977f0
SHA1 : 3106d2dcc0fda57fd47d2b925022d7ba2961ec90
Online report : http://virscan.org/report/9cccfcc192bc0bc2...140092b537.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.29 20090204181506 2009-02-04 2.23 -
AhnLab V3 2009.02.04.02 2009.02.04 2009-02-04 1.27 -
AntiVir 7.9.0.71 7.1.1.222 2009-02-03 1.95 -
Antiy 2.0.18 20090118.2063925 2009-01-18 0.02 -
Authentium 5.1.1 200902031738 2009-02-03 1.10 -
AVAST! 3.0.1 090203-1 2009-02-03 0.00 -
AVG 7.5.52.442 270.10.17/1933 2009-02-03 1.92 -
BitDefender 7.81008.2639533 7.23488 2009-02-04 2.48 -
CA (VET) 9.0.0.143 31.6.6341 2009-02-04 7.77 -
ClamAV 0.94.2 8948 2009-02-04 0.01 -
Comodo 3.0 961 2009-02-03 1.03 -
CP Secure 1.1.0.715 2009.02.04 2009-02-04 7.00 -
Dr.Web 4.44.0.9170 2009.02.04 2009-02-04 3.96 -
F-Prot 4.4.4.56 20090203 2009-02-03 1.13 -
F-Secure 5.51.6100 2009.02.04.01 2009-02-04 0.05 -
Fortinet 2.81-3.117 9.996 2009-02-03 0.18 -
GData 19.2803/19.210 20090204 2009-02-04 5.75 -
ViRobot 20090203 2009.02.03 2009-02-03 0.45 -
Ikarus T3.1.01.45 2009.02.04.72255 2009-02-04 3.63 -
JiangMin 11.0.706 2009.02.04 2009-02-04 1.84 -
Kaspersky 5.5.10 2009.02.04 2009-02-04 0.04 -
KingSoft 2008.9.8.18 2009.2.4.14 2009-02-04 0.61 -
McAfee 5.3.00 5515 2009-02-03 3.09 -
Microsoft 1.4306 2009.02.04 2009-02-04 4.45 -
mks_vir 2.01 2009.02.04 2009-02-04 2.67 -
Norman 6.00.02 6.00.00 2009-02-03 8.01 -
Panda 9.05.01 2009.02.03 2009-02-03 4.71 -
Trend Micro 8.700-1004 5.814.02 2009-02-03 0.02 -
Quick Heal 10.00 2009.02.04 2009-02-04 0.90 -
Rising 20.0 21.15.20.00 2009-02-04 0.80 -
Sophos 2.83.3 4.38 2009-02-04 2.28 -
Sunbelt 4787 4787 2009-01-29 0.77 -
Symantec 1.3.0.24 20090203.003 2009-02-03 0.23 -
nProtect 20090204.05 3106007 2009-02-04 4.36 -
The Hacker 6.3.1.5 v00246 2009-02-04 1.19 -
VBA32 3.12.8.12 20090203.1125 2009-02-03 1.60 -
VirusBuster 4.5.11.10 10.100.48/785173 2009-02-03 0.99 -

1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
...
3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Done - here is the result:

ComboFix 09-02-02.04 - Currys.digital 2009-02-04 10:43:59.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.959.336 [GMT 0:00]
Running from: c:\documents and settings\Currys.digital\Desktop\ComboFix.exe
Command switches used :: E:\CFScript.txt
AV: Norton Internet Security 2006 *On-access scanning enabled* (Outdated)
FW: Norton Internet Security 2006 *disabled*
FW: Norton Internet Worm Protection *disabled*
* Created a new restore point

FILE ::
c:\program files\mozilla firefox\components\ccbbdeadfed.dll
c:\windows\D6B183E553F1FFD9EE5785CFF41FA4C.exe
c:\windows\D83886C6EF8B16E95D9D208A88581B.exe
c:\windows\system\cmd
c:\windows\system\dop.exe
c:\windows\system\se.exe
c:\windows\system32\_39f933bb254c6916d31015af9699f6d3.sys_.vir
c:\windows\system32\39f933bb254c6916d31015af9699f6d3.sys
c:\windows\system32\avp.id
c:\windows\system32\dmns.cfg
c:\windows\system32\vumer.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\mozilla firefox\components\ccbbdeadfed.dll
c:\windows\D6B183E553F1FFD9EE5785CFF41FA4C.exe
c:\windows\D83886C6EF8B16E95D9D208A88581B.exe
c:\windows\system\cmd
c:\windows\system\dop.exe
c:\windows\system\se.exe
c:\windows\system32\_39f933bb254c6916d31015af9699f6d3.sys_.vir
c:\windows\system32\39f933bb254c6916d31015af9699f6d3.sys
c:\windows\system32\avp.id
c:\windows\system32\bbafacbcbeab.dll
c:\windows\system32\dmns.cfg
c:\windows\system32\vumer.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-03 17:15 . 2009-02-03 17:15 <DIR> d-------- c:\documents and settings\ComboFix
2009-02-03 17:12 . 2009-02-03 17:12 500,480 --a------ c:\documents and settings\ComboFix\clsid.dat
2009-02-03 17:11 . 2009-02-03 17:11 91 --a------ c:\documents and settings\ComboFix\CCS.bat
2009-02-03 17:11 . 2009-02-03 17:11 16 --a------ c:\documents and settings\ComboFix\CHCP.bat
2009-02-03 15:54 . 2009-02-03 15:54 250 --a------ c:\windows\gmer.ini
2009-02-03 15:29 . 2009-02-03 15:31 <DIR> d-------- C:\rsit
2009-02-03 15:29 . 2009-02-03 15:33 <DIR> d-------- c:\program files\trend micro
2009-02-03 13:09 . 2009-02-03 13:09 <DIR> d-------- c:\documents and settings\Currys.digital\Application Data\Malwarebytes
2009-02-03 13:09 . 2009-01-14 16:11 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-03 13:09 . 2009-01-14 16:11 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-02-03 13:08 . 2009-02-03 13:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-02-02 21:36 . 2009-02-02 21:37 663 --a------ c:\documents and settings\ComboFix\Catch-sub.cmd
2009-02-02 10:53 . 2009-02-02 11:28 3,057 --a------ c:\documents and settings\ComboFix\Auto-RC.cmd
2009-02-02 04:40 . 2009-02-02 18:32 20,672 --a------ c:\documents and settings\ComboFix\CF-Script.cmd
2009-01-25 01:22 . 2009-01-25 01:22 4,352 --a------ c:\windows\system32\drivers\cleanhelper.sys
2009-01-25 01:10 . 2009-02-03 13:09 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-24 16:49 . 2009-02-02 23:14 58,628 --a------ c:\documents and settings\ComboFix\c.bat
2009-01-24 16:49 . 2009-02-03 17:12 50,177 --a------ c:\documents and settings\ComboFix\023.dat
2009-01-24 16:49 . 2000-08-31 00:00 7,155 --a------ c:\documents and settings\ComboFix\Combobatch.bat
2009-01-24 16:49 . 2000-08-31 00:00 2,126 --a------ c:\documents and settings\ComboFix\023v.dat
2009-01-24 16:49 . 2000-08-31 00:00 962 --a------ c:\documents and settings\ComboFix\av.vbs
2009-01-24 16:49 . 2000-08-31 00:00 533 --a------ c:\documents and settings\ComboFix\AV.cmd
2009-01-24 13:25 . 2009-01-24 15:41 <DIR> d-------- c:\documents and settings\Currys.digital\.housecall6.6
2009-01-24 01:40 . 2009-01-24 04:07 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-01-24 01:40 . 2009-01-24 15:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-01-23 18:04 . 2004-08-04 00:56 21,504 --a------ c:\windows\system32\hidserv.dll
2009-01-23 18:04 . 2004-08-04 00:56 21,504 --a------ c:\windows\system32\dllcache\hidserv.dll
2009-01-23 16:20 . 2009-01-24 04:02 <DIR> d-------- c:\program files\Enigma Software Group
2009-01-23 13:22 . 2009-02-03 16:22 664 --a------ c:\windows\system32\d3d9caps.dat
2009-01-15 17:34 . 2009-01-15 17:34 118 --a------ c:\windows\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-04 10:48 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-02-03 17:14 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-02-03 17:12 --------- d-----w c:\program files\Norton Security Scan
2009-02-03 13:38 --------- d-----w c:\program files\Spyware Doctor
2009-02-03 10:22 --------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-02-02 18:06 7,411 ----a-w c:\documents and settings\ComboFix\Boot.bat
2009-01-24 15:45 --------- d-----w c:\program files\Google
2008-12-11 11:57 333,184 ----a-w c:\windows\system32\drivers\srv.sys
2008-04-04 15:27 557,056 ----a-w c:\documents and settings\Currys.digital\GoToAssist_phone__319_en.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-20 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-09-16 1833296]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"RealTray"="c:\program files\Real\RealPlayer\RealPlay.exe" [2006-09-11 26112]
"DetectorApp"="c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\DetectorApp.exe" [2005-10-20 102400]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-02-11 53096]
"Ulead AutoDetector v2"="c:\program files\Common Files\Ulead Systems\AutoDetector\monitor.exe" [2004-11-26 90112]
"SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
"HP Software Update"="c:\program files\HP\HP Software Update\HPWuSchd2.exe" [2004-02-12 49152]
"HP Component Manager"="c:\program files\HP\hpcoretech\hpcmpmgr.exe" [2004-05-12 241664]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-17 c:\windows\RTHDCPL.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - c:\program files\HP\Digital Imaging\bin\hpqtra08.exe [2004-05-28 241664]
HP Image Zone Fast Start.lnk - c:\program files\HP\Digital Imaging\bin\hpqthb08.exe [2004-05-28 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.dvacm"= c:\progra~1\COMMON~1\ULEADS~1\Vio\Dvacm.acm
"msacm.ulmp3acm"= c:\progra~1\COMMON~1\ULEADS~1\MPEG\ulmp3acm.acm
"msacm.mpegacm "= c:\progra~1\COMMON~1\ULEADS~1\MPEG\mpegacm.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCMService]
--a------ 2006-02-23 11:08 147456 c:\apps\Powercinema\PCMService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SmpcSys]
--a------ 2005-11-17 08:51 975360 c:\apps\SMP\SMPSYS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SynTPEnh]
--a------ 2006-06-16 15:22 794713 c:\program files\Synaptics\SynTP\SynTPEnh.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
--a------ 2005-01-07 16:07 61952 c:\windows\system32\HdAShCut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%ProgramFiles%\\AOL 9.0\\aol.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\logo_ubi.exe"=
"%ProgramFiles%\\UBISOFT\\Splinter Cell Pandora Tomorrow\\pandora.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2007-01-11 102712]
S3 sdAuxService;PC Tools Auxiliary Service;c:\program files\Spyware Doctor\pctsAuxs.exe [2008-03-27 356920]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST
.
Contents of the 'Scheduled Tasks' folder

2009-01-20 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2008-09-18 c:\windows\Tasks\HubTask 0 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-09-27 01:01]

2008-05-13 c:\windows\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-09-27 01:01]

2008-05-13 c:\windows\Tasks\HubTask 1 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\documents and settings\Currys.digital\My Documents\My Pictures\items for the website\MENSWEAR [2008-05-12 15:28]

2008-05-13 c:\windows\Tasks\HubTask 2 {0E7C166E-2D2F-4269-9034-DE1898BF2B1A} 0~0.job
- c:\program files\Common Files\Sonic Shared\Sonic Central\Main\Mediahub.exe [2005-09-27 01:01]

2009-02-04 c:\windows\Tasks\Master CD_DVD Creator.job
- c:\apps\SMP\MCDCHECK.EXE [2005-11-08 14:26]

2009-01-10 c:\windows\Tasks\Norton AntiVirus - Run Full System Scan - Currys.digital.job
- c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2007-05-23 11:13]

2009-01-16 c:\windows\Tasks\Norton Security Scan for Currys.digital.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 03:18]

2006-10-16 c:\windows\Tasks\Registration reminder 3.job
- c:\windows\system32\OOBE\oobebaln.exe [2004-08-04 13:00]
.
.
------- Supplementary Scan -------
.
uStart Page = www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Connection Wizard,ShellNext = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: Add to Google Photos Screensa&ver - c:\windows\system32\GPhotos.scr/200
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Currys.digital\Application Data\Mozilla\Firefox\Profiles\ewfheh54.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - plugin: c:\program files\Google\Google Updater\2.4.1368.5602\npCIDetect13.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 10:50:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-2041210304-1170766828-4057402683-1006\RemoteAccess\Profile\||4*]
"EnableAutodisconnect"=dword:00000001
"EnableExitDisconnect"=dword:00000001
"DisconnectIdleTime"=dword:00000014
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(524)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\apps\Powercinema\Kernel\CLML_NTService\CLMLServer.exe
c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\program files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
c:\program files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
c:\program files\Sonic\DigitalMedia LE v7\MyDVD LE\USBDeviceService.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\windows\system32\ati2evxx.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\HP\hpcoretech\comp\hptskmgr.exe
c:\program files\HP\Digital Imaging\bin\hpqgalry.exe
c:\progra~1\COMMON~1\SYMANT~1\SECURI~1\NSCSRVCE.EXE
c:\program files\Symantec\LiveUpdate\AUPDATE.EXE
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2009-02-04 10:53:17 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-04 10:53:05
ComboFix2.txt 2009-02-03 17:31:49

Pre-Run: 31,530,119,168 bytes free
Post-Run: 31,521,579,008 bytes free

246 --- E O F --- 2009-01-15 17:36:21

#13 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 04 February 2009 - 10:20 PM

Please do this step before you sleep or when you don't use the computer as it will take quite a while..

Please run the Kaspersky Online Scanner

In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.

  • Click on SCAN NOW
  • Click Accept.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
  • The scan will take a while, so be patient and let it finish.

When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.

To obtain the report:
Click on: Save Report As
  • Next, in the Save as prompt, Save in area, select: Desktop.
  • In the File name area use KScan, or something similar.
  • In Save as type: click the drop arrow and select: Text file [*.txt]
  • Then, click: Save
Posted Image

Copy and paste the Kaspersky Online Scanner Report in your next reply.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive


#14 Howard Winter

Howard Winter
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  •  
  • Local time:07:57 AM

Posted 05 February 2009 - 06:52 AM

OK, here's the Kaspersky report:

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, February 5, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, February 05, 2009 04:00:15
Records in database: 1752787
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Files scanned: 78708
Threat name: 6
Infected objects: 13
Suspicious objects: 0
Duration of the scan: 01:42:48


File name / Threat name / Threats count
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\03595096.exe Infected: Virus.Win32.Tenga.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6DAD2A6F.exe Infected: Virus.Win32.Tenga.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\6E360DD8.exe Infected: Virus.Win32.Tenga.a 1
C:\Documents and Settings\All Users\Documents\vscnum.exe Infected: Virus.Win32.Tenga.a 1
C:\Documents and Settings\Currys.digital\.housecall6.6\Quarantine\InternetExplorer.dll.bac_a00732 Infected: Trojan.Win32.FraudPack.ify 1
C:\Documents and Settings\Currys.digital\.housecall6.6\Quarantine\jar_cache51618.tmp.bac_a00732 Infected: Trojan.Java.ClassLoader.ap 3
C:\Qoobox\Quarantine\C\Program Files\Mozilla Firefox\components\ccbbdeadfed.dll.vir Infected: Trojan-Proxy.Win32.Horst.aqu 1
C:\Qoobox\Quarantine\C\WINDOWS\D6B183E553F1FFD9EE5785CFF41FA4C.exe.vir Infected: Trojan.Win32.Qhost.kng 1
C:\Qoobox\Quarantine\C\WINDOWS\D83886C6EF8B16E95D9D208A88581B.exe.vir Infected: Trojan.Win32.Qhost.kng 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\_bbafacbcbeab_.dll.zip Infected: Worm.Win32.AutoRun.raz 2

The selected area was scanned.

#15 fenzodahl512

fenzodahl512

  • Members
  • 6,738 posts
  • OFFLINE
  •  
  • Local time:03:57 PM

Posted 05 February 2009 - 07:24 AM

Please show hidden files and folders


Find this file and delete it manually...

C:\Documents and Settings\All Users\Documents\vscnum.exe


Lets do some cleanup...


Please download OTCleanIt and save it to Desktop.
  • Make sure you have internet connection..
  • Double-click OTCleanIt.exe
  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes



Please read these excellent articles by miekiemoes :
Help! My computer is slow!
How to prevent Malware

Please reply to this thread once more and tell us about the computer behaviour before we can close this thread :thumbup2:



Have a safe and happy computing day!


Regards
fenzodahl512

Keep calm, make it simple, use your brain, don't freak out, and you'll be just fine..
Awesomeness: When I get sad, I stop being sad and be awesome instead.. True story - Barney Stinson
Posted Image Posted Image
Its gonna be legen.. wait for it.. dary! Cherish the pain, it means you're still alive





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users