
Infected with Vundo / Virtumonde


  • This topic is locked
14 replies to this topic

#1 jimhaddon

  • Members
  • 10 posts

Posted 19 June 2009 - 04:37 PM

Hi all,

First poster so forgive if I've got anything wrong...

My PC:

WindowsXP (dual boot with Kubuntu)
P4 @ 3.9 GHz

My computer started displaying error messages on boot like 'services.exe - application error. The instruction at xxxxxxx referenced memory at xxxxx. The memory could not be written.' They got progressively worse until I had about 5 on a normal boot. Norton 360 was installed, by the way, but doesn't seem to have helped much!

I noticed a huge number of .exe and .dll files had been created in the system32 folder, so I deleted these (they are all correct, as they had all been hidden and all had the same file size).

As my computer stands now, I have no internet connection, no sound and still have the above errors on boot.

I also now get something like 'services.exe terminated unexpectedly and this computer will now be shut down' (which then gives me 1 minute to run shutdown -a).

Have already run Vundofix to no avail....

Log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:35:27, on 19/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\foobar20001\foobar2000.exe
C:\Documents and Settings\James.COMPUTERJAMES\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
F3 - REG:win.ini: load=C:\WINDOWS\system32\msovohbo.exe
F3 - REG:win.ini: run=C:\WINDOWS\system32\msrqfkjk.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {8cfba525-3a2d-467e-a6cb-b6720598a05d} - c:\windows\system32\tkmdwcg.dll
O2 - BHO: C:\WINDOWS\system32\gsf83iujid.dll - {b2c7b2a1-00f3-42bd-f434-00aaba2c8952} - C:\WINDOWS\system32\gsf83iujid.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O4 - HKLM\..\Run: [ccApp] -
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\James.COMPUTERJAMES\Application Data\Mozilla\Firefox\Profiles\2nj1fcpp.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\James.COMPUTERJAMES\Application Data\Mozilla\Firefox\Profiles/2nj1fcpp.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [] 
O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\msjoy.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SYSDLL] SYSDLL (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\m69az.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\WINDOWS\TEMP\m69az.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows System Recover!] C:\WINDOWS\TEMP\winamp.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [kell] C:\Program Files\Manson\liser.exe (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download with TrueDownloader! - C:\Program Files\TrueDownloader\TrueDownloader.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: RapidShare-Download - res://C:\Documents and Settings\James\Desktop\Raidshare 12 Tools lamz.ws\RapidShare - the way YOU like it!\more-rapid.exe/RsMenExt.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.21.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.21.0\gears.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {9CE73426-1E7C-423E-AD30-3D7CD911B145} (ActiveXATS.ActiveXDemo2) - http://cl-0062.web.uk.netscalibur.com/student/ats/ActiveXATS.CAB
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://mediamax.streamload.com/Upload/XUpload.ocx
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.63,85.255.112.87
O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.112.63,85.255.112.87
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.63,85.255.112.87
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O20 - Winlogon Notify: olmrkwfd - C:\WINDOWS\SYSTEM32\tkmdwcg.dll
O22 - SharedTaskScheduler: hs837hiudjgfo9s8gjio4gfd - {B2C7B2A1-00F3-42BD-F434-00AABA2C8952} - C:\WINDOWS\system32\gsf83iujid.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 8599 bytes

Would be so grateful for any assistance!

Thanks,

Jimhaddon

Edited by jimhaddon, 19 June 2009 - 04:40 PM.
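A small triage pass over the kind of HijackThis entries shown in the log above, written as an added example for this thread (it is not HijackThis, Malwarebytes or BleepingComputer code). It flags the persistence and network-setting entries a malware responder looks at first: the extra programs chained into UserInit, the win.ini load= value, the IE proxy on a local port, the registry-pinned public DNS servers, autoruns from TEMP and under Policies\Explorer\Run, and the Winlogon Notify / SharedTaskScheduler hooks with random-looking names. The sample lines are copied from the log above; the rules, thresholds and the `looks_random` heuristic are my own assumptions, not a signature database, so treat hits as "look here first", not as verdicts.

```python
import ipaddress
import re

# Constructed sample: entries copied from the first HijackThis log in this
# thread, one per line. A normal ctfmon autorun and two Norton entries are
# included as controls that should not be flagged.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
F3 - REG:win.ini: load=C:\WINDOWS\system32\msovohbo.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,C:\WINDOWS\system32\sdra64.exe,
O2 - BHO: (no name) - {8cfba525-3a2d-467e-a6cb-b6720598a05d} - c:\windows\system32\tkmdwcg.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\WINDOWS\svchost.exe
O4 - HKUS\.DEFAULT\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\WINDOWS\TEMP\m69az.exe (User 'Default user')
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.63,85.255.112.87
O20 - Winlogon Notify: olmrkwfd - C:\WINDOWS\SYSTEM32\tkmdwcg.dll
O22 - SharedTaskScheduler: hs837hiudjgfo9s8gjio4gfd - {B2C7B2A1-00F3-42BD-F434-00AABA2C8952} - C:\WINDOWS\system32\gsf83iujid.dll
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
"""

LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<key>[^:]+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
USERINIT = r"c:\windows\system32\userinit.exe"  # the only value XP should carry


def looks_random(name: str) -> bool:
    """Heuristic for auto-generated names (my assumption, not a vendor rule):
    8+ characters, letters/digits only, and either digits mixed in or almost
    no vowels. 'ctfmon.exe' fails the alnum test and is left alone."""
    if len(name) < 8 or not name.isalnum():
        return False
    has_digit = any(c.isdigit() for c in name)
    vowels = sum(c in "aeiou" for c in name.lower())
    return has_digit or vowels / len(name) < 0.25


def triage_line(line: str) -> list[str]:
    """Return the reasons one HJT entry deserves a responder's attention."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    reasons: list[str] = []
    if kind == "R1" and "ProxyServer" in body and "localhost" in body.lower():
        reasons.append("IE proxy routed through a local port (traffic interception)")
    elif kind == "F3" and re.search(r"(load|run)=\S", body):
        reasons.append("win.ini load=/run= is normally empty on Windows XP")
    elif kind == "F2" and "UserInit=" in body:
        # Every comma-separated entry after userinit.exe is started at logon.
        for exe in filter(None, body.split("UserInit=", 1)[1].split(",")):
            if exe.strip().lower() != USERINIT:
                reasons.append(f"extra program chained into UserInit: {exe.strip()}")
    elif kind == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object registered without a name")
    elif kind == "O4" and (o4 := O4_RE.match(body)):
        key, name, cmd = o4.group("key").lower(), o4.group("name"), o4.group("cmd").lower()
        if "policies\\explorer\\run" in key:
            reasons.append("autorun via Policies\\Explorer\\Run (rare for legitimate software)")
        if "\\temp\\" in cmd:
            reasons.append("autorun launches a program from a TEMP directory")
        if "svchost.exe" in cmd and "\\system32\\" not in cmd:
            reasons.append("svchost.exe started from outside system32")
        if looks_random(name):
            reasons.append(f"auto-generated-looking value name: {name}")
    elif kind == "O17" and "NameServer" in body:
        addrs = [a.strip() for a in body.split("=", 1)[1].split(",")]
        public = [a for a in addrs if not ipaddress.ip_address(a).is_private]
        if public:
            reasons.append("registry-pinned public DNS servers: " + ", ".join(public)
                           + " (confirm they belong to the ISP)")
    elif kind in ("O20", "O22"):
        # Both lines read "<hook type>: <name> - <clsid or path> ...".
        name = body.split(":", 1)[1].strip().split(" - ")[0]
        if looks_random(name):
            reasons.append(f"{kind} hook registered under a random-looking name: {name}")
    return reasons


def triage_log(text: str) -> list[tuple[str, list[str]]]:
    """Run triage over a whole log; only flagged entries come back, in log order."""
    findings = []
    for line in text.strip().splitlines():
        reasons = triage_line(line)
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in triage_log(SAMPLE_LOG):
        print(entry[:72])
        for reason in reasons:
            print("    ->", reason)
```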



#2 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 20 June 2009 - 05:36 AM

Hi,

Your system is severely infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since finding the right cause and solution will be like searching for a needle in a haystack.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL the problems this malware has already caused.

In light of this, it would be wise for you to back up any files and folders that you don't want to lose before we start. The reason I am telling you this is that when a system is so terribly infected and we try to clean it up manually, the damage that is already present may interfere with our removal attempts.

Also, please back up your important data first while you can still access your Windows. The reason is that you are dealing with one of those Trojans/bots that have the functionality to kill your OS.
Read these articles for more info: "When a Bot master goes mad - Kill the OS" and "A Zeus botnet self-destructs".

Then, please download Malwarebytes' Anti-Malware from here or here.

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • In case you already used MBAM previously, please update it before proceeding with the scan. To do this, click the "Update" tab and click the "Check For updates" button.
  • Once the program has loaded and updates were downloaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In case you're having problems with running malwarebytes, see here for instructions:

Potential Malware infection issues to review to get MBAM running

If none of the above apply in your case, then see whether Malwarebytes works when you rename mbam.exe. This is the file located in the Program Files\Malwarebytes' Anti-Malware folder. So rename mbam.exe to blah.exe (or so).
Also try to run Mbam from Windows Safe mode.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#3 jimhaddon
  • Topic Starter

  • Members
  • 10 posts

Posted 20 June 2009 - 10:16 AM

Hi,

Thanks for that. I ran MBAM and it did find 57 files to remove, two of which were difficult to remove, so I rebooted the PC immediately. It does seem much better now: my sound has returned, and so has my internet!

Regards,

jimhaddon

#4 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 20 June 2009 - 10:23 AM

Hi,

It would be a great idea to post the logs I asked for, though, because I'm 100% sure that there are still leftovers present.

#5 jimhaddon
  • Topic Starter

  • Members
  • 10 posts

Posted 20 June 2009 - 04:49 PM

MBAM:
Malwarebytes' Anti-Malware 1.38
Database version: 2297
Windows 5.1.2600 Service Pack 3

20/06/2009 22:48:23
mbam-log-2009-06-20 (22-48-23).txt

Scan type: Quick Scan
Objects scanned: 131087
Time elapsed: 13 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8cfba525-3a2d-467e-a6cb-b6720598a05d} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\olmrkwfd (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{8cfba525-3a2d-467e-a6cb-b6720598a05d} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\tkmdwcg.dll (Trojan.Vundo.H) -> Delete on reboot.

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:49:43, on 20/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\Program Files\foobar20001\foobar2000.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Documents and Settings\James.COMPUTERJAMES\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - {8cfba525-3a2d-467e-a6cb-b6720598a05d} - c:\windows\system32\tkmdwcg.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O4 - HKLM\..\Run: [ccApp] -
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\James.COMPUTERJAMES\Application Data\Mozilla\Firefox\Profiles\2nj1fcpp.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\James.COMPUTERJAMES\Application Data\Mozilla\Firefox\Profiles/2nj1fcpp.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [] 
O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\msjoy.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SYSDLL] SYSDLL (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\m69az.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\WINDOWS\TEMP\m69az.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows System Recover!] C:\WINDOWS\TEMP\winamp.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: []  (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download with TrueDownloader! - C:\Program Files\TrueDownloader\TrueDownloader.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: RapidShare-Download - res://C:\Documents and Settings\James\Desktop\Raidshare 12 Tools lamz.ws\RapidShare - the way YOU like it!\more-rapid.exe/RsMenExt.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.21.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.21.0\gears.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {9CE73426-1E7C-423E-AD30-3D7CD911B145} (ActiveXATS.ActiveXDemo2) - http://cl-0062.web.uk.netscalibur.com/student/ats/ActiveXATS.CAB
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://mediamax.streamload.com/Upload/XUpload.ocx
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O20 - Winlogon Notify: olmrkwfd - C:\WINDOWS\SYSTEM32\tkmdwcg.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7729 bytes


#6 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 21 June 2009 - 02:37 AM

Hi,

As I thought... Your computer is still infected.

Database version: 2297


First of all, please update MalwareBytes, because the database version is outdated.
  • Start MalwareBytes and click the Update tab. There, click "Check for updates".
  • In case you can't update the database via the update option, please download and install the database from here. Only do this when the update option doesn't work.
  • Once the updates are downloaded, perform a full scan again.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & paste the entire report in your next reply along with a fresh HijackThis log, then we'll proceed from there with new steps.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

#7 jimhaddon
  • Topic Starter

  • Members
  • 10 posts

Posted 21 June 2009 - 04:42 PM

MBAM:
Malwarebytes' Anti-Malware 1.38
Database version: 2319
Windows 5.1.2600 Service Pack 3

21/06/2009 22:40:25
mbam-log-2009-06-21 (22-40-25).txt

Scan type: Full Scan (C:\|)
Objects scanned: 64998
Time elapsed: 18 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8cfba525-3a2d-467e-a6cb-b6720598a05d} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\olmrkwfd (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{8cfba525-3a2d-467e-a6cb-b6720598a05d} (Trojan.Vundo.H) -> Delete on reboot.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\tkmdwcg.dll (Trojan.Vundo.H) -> Delete on reboot.

HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:42:05, on 21/06/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\tlntsvr.exe
C:\Program Files\UPHClean\uphclean.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
C:\Program Files\foobar20001\foobar2000.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\SmartCam\SmartCam.exe
C:\Program Files\Windows Live\Contacts\wlcomm.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Documents and Settings\James.COMPUTERJAMES\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:7171
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;<local>
O2 - BHO: (no name) - {8cfba525-3a2d-467e-a6cb-b6720598a05d} - c:\windows\system32\tkmdwcg.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O4 - HKLM\..\Run: [ccApp] -
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\James.COMPUTERJAMES\Application Data\Mozilla\Firefox\Profiles\2nj1fcpp.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\James.COMPUTERJAMES\Application Data\Mozilla\Firefox\Profiles/2nj1fcpp.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\WINDOWS\svchost.exe
O4 - HKLM\..\Policies\Explorer\Run: [] 
O4 - HKLM\..\Policies\Explorer\Run: [exec] C:\WINDOWS\system32\msjoy.exe
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [SYSDLL] SYSDLL (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\m69az.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [hsf7husjnfg98gi498aejhiugjkdg4] C:\WINDOWS\TEMP\m69az.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Windows System Recover!] C:\WINDOWS\TEMP\winamp.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: []  (User 'Default user')
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: &Download with TrueDownloader! - C:\Program Files\TrueDownloader\TrueDownloader.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: RapidShare-Download - res://C:\Documents and Settings\James\Desktop\Raidshare 12 Tools lamz.ws\RapidShare - the way YOU like it!\more-rapid.exe/RsMenExt.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.21.0\gears.dll
O9 - Extra 'Tools' menuitem: &Gears Settings - {09C04DA7-5B76-4EBC-BBEE-B25EAC5965F5} - C:\Program Files\Google\Google Gears\Internet Explorer\0.5.21.0\gears.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.2.2.28.dll/206 (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {9CE73426-1E7C-423E-AD30-3D7CD911B145} (ActiveXATS.ActiveXDemo2) - http://cl-0062.web.uk.netscalibur.com/student/ats/ActiveXATS.CAB
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://mediamax.streamload.com/Upload/XUpload.ocx
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.0.0.134\coIEPlg.dll
O20 - Winlogon Notify: olmrkwfd - C:\WINDOWS\SYSTEM32\tkmdwcg.dll
O23 - Service: Background Intelligent Transfer Service (BITS) - Unknown owner - C:\WINDOWS\
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\
O24 - Desktop Component 0: (no name) - (no file)

--
End of file - 7819 bytes


#8 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Location: Belgium

Posted 22 June 2009 - 03:26 AM

Hi,

Please download and run WUS_Fix.exe: http://users.telenet.be/marcvn/tools/WUS_Fix.exe
This should restore the default registry settings related to BITS and Automatic Updates.

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix in your next reply.

Please make sure you disable ALL of your antivirus/antispyware/firewall software before running ComboFix. This is because security software may see some components ComboFix uses (prep.com, for example) as suspicious and block the tool, or even delete it. Please visit HERE if you don't know how.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#9 jimhaddon
  • Topic Starter
  • Members
  • 10 posts

Posted 22 June 2009 - 11:18 AM

ComboFix:
ComboFix 09-06-21.01 - James 22/06/2009 16:54.1 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.1534.786 [GMT 1:00]
Running from: c:\documents and settings\James.COMPUTERJAMES\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
 * Created a new restore point
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\Common Files\uninstall information
c:\program files\driver
c:\recycler\S-1-5-21-5293994134-3907879480-121409537-3565
c:\recycler\S-1-5-21-8523676522-4157846168-124568405-4066
c:\windows\dll
c:\windows\system32\buaflan.dll
c:\windows\system32\drivers\aftwunnk.sys
c:\windows\system32\Drivers\cohjnp.sys
c:\windows\system32\drivers\elfzfsia.sys
c:\windows\system32\tkmdwcg.dll
c:\recycler\S-1-5-21-5293994134-3907879480-121409537-3565\Desktop.ini
c:\recycler\S-1-5-21-8523676522-4157846168-124568405-4066\Desktop.ini
c:\windows\Install.txt
c:\windows\system32\drivers\cohjnp.sys
c:\windows\system32\Ijl11.dll
c:\windows\system32\Install.txt
c:\windows\system32\jpyihxxg.ini
c:\windows\system32\mdm.exe
c:\windows\system32\qxmcskrd.dll
c:\windows\system32\tmp.reg
c:\windows\system32\uuddc32.dll
E:\Autorun.inf

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_6to4
-------\Legacy_aftwunnk
-------\Legacy_isadisk
-------\Legacy_NPF
-------\Service_aftwunnk
-------\Service_ncgsxtuf


(((((((((((((((((((((((((   Files Created from 2009-05-22 to 2009-06-22  )))))))))))))))))))))))))))))))
.

2009-06-22 15:11 . 2009-06-19 20:56	876144	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090622.002\NAVEX15.SYS
2009-06-22 15:11 . 2009-06-19 20:56	1181040	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090622.002\NAVEX32A.DLL
2009-06-22 15:11 . 2009-06-19 20:56	89104	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090622.002\NAVENG.SYS
2009-06-22 15:11 . 2009-06-19 20:56	371248	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090622.002\EECTRL.SYS
2009-06-22 15:11 . 2009-06-19 20:56	101936	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090622.002\ERASER.SYS
2009-06-22 15:11 . 2009-06-19 20:56	177520	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090622.002\NAVENG32.DLL
2009-06-22 15:11 . 2009-06-19 20:56	259368	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090622.002\ECMSVR32.DLL
2009-06-22 15:11 . 2009-06-19 20:56	2414128	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090622.002\CCERASER.DLL
2009-06-20 21:53 . 2009-06-19 20:56	165240	----a-r-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-06-20 14:59 . 2009-03-16 20:03	533880	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090618.002\Scxpx86.dll
2009-06-20 14:59 . 2009-06-19 20:56	396848	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090618.002\IDSviA64.sys
2009-06-20 14:59 . 2009-06-19 20:56	292912	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090618.002\IDSvix86.sys
2009-06-20 14:59 . 2009-06-19 20:56	276344	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090618.002\IDSXpx86.sys
2009-06-20 14:59 . 2009-06-19 20:56	447864	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090618.002\IDSxpx86.dll
2009-06-19 21:51 . 2009-06-19 21:51	--------	d-----w-	c:\documents and settings\James.COMPUTERJAMES\Application Data\Malwarebytes
2009-06-19 21:51 . 2009-06-17 10:27	38160	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-19 21:51 . 2009-06-19 21:51	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2009-06-19 21:51 . 2009-06-19 21:51	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-19 21:51 . 2009-06-17 10:27	19096	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-06-19 21:14 . 2009-06-19 20:56	554352	----a-r-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2009-06-19 20:54 . 2009-06-19 20:54	--------	d-----w-	c:\program files\NortonInstaller
2009-06-19 20:36 . 2009-06-19 20:36	--------	d-----w-	c:\documents and settings\Administrator.COMPUTERJAMES\Local Settings\Application Data\Downloaded Installations
2009-06-19 20:15 . 2009-06-19 20:19	46640	----a-w-	c:\windows\system32\msln.exe
2009-06-19 18:18 . 2009-06-19 20:00	--------	d-----w-	C:\VundoFix Backups
2009-06-19 18:12 . 2009-06-19 18:12	--------	d-----w-	c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq
2009-06-19 18:12 . 2009-06-19 18:12	--------	d-----w-	c:\documents and settings\James.COMPUTERJAMES\Local Settings\Application Data\ljicdbtq
2009-06-19 17:12 . 2009-06-19 21:00	--------	d-----w-	c:\program files\Common Files\Symantec Shared
2009-06-19 13:05 . 2009-06-19 13:05	2	----a-w-	c:\windows\010112010146118114.dat
2009-06-19 13:04 . 2009-06-19 13:04	12288	----a-w-	c:\windows\cvjser5usjfyigsfhjhswybn4wgss81.exe
2009-06-19 13:04 . 2009-06-22 16:03	91468	----a-w-	c:\windows\system32\drivers\60d0f8d.sys
2009-06-15 22:20 . 2008-06-27 04:03	7741	----a-w-	c:\windows\system32\ant.bat
2009-06-15 22:07 . 2009-06-15 22:07	--------	d-----w-	c:\program files\Sun
2009-06-15 22:05 . 2009-06-15 22:05	410984	----a-w-	c:\windows\system32\deploytk.dll

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-22 16:00 . 2006-08-05 21:57	--------	d-----w-	c:\documents and settings\James.COMPUTERJAMES\Application Data\foobar2000
2009-06-21 21:49 . 2007-11-25 17:51	139152	----a-w-	c:\windows\system32\drivers\PnkBstrK.sys
2009-06-21 21:49 . 2007-11-25 17:51	111928	----a-w-	c:\windows\system32\PnkBstrB.exe
2009-06-19 20:37 . 2009-05-15 11:27	--------	d-----w-	c:\documents and settings\All Users\Application Data\Norton
2009-06-19 17:13 . 2009-05-15 11:28	--------	d-----w-	c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-06-19 17:11 . 2009-05-15 11:25	--------	d-----w-	c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-17 21:11 . 2006-10-13 16:23	49152	---ha-w-	c:\documents and settings\James.COMPUTERJAMES\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2009-06-15 22:05 . 2006-01-01 20:30	--------	d-----w-	c:\program files\Java
2009-06-15 21:49 . 2006-04-16 19:19	--------	d-----w-	c:\program files\Google
2009-06-14 21:37 . 2008-08-10 20:14	--------	d-----w-	c:\documents and settings\James.COMPUTERJAMES\Application Data\uTorrent
2009-06-13 22:31 . 2007-12-24 11:55	--------	d-----w-	c:\documents and settings\James.COMPUTERJAMES\Application Data\mIRC
2009-06-13 22:30 . 2007-12-24 11:55	--------	d-----w-	c:\program files\mIRC
2009-06-13 16:47 . 2006-01-08 16:06	729088	----a-w-	c:\windows\iun6002.exe
2009-06-12 21:46 . 2009-05-03 21:00	--------	d-----w-	c:\program files\Parrot Software Update Tool
2009-05-23 22:37 . 2006-05-10 20:59	--------	d-----w-	c:\program files\Steam
2009-05-23 22:02 . 2006-02-20 23:26	--------	d-----w-	c:\documents and settings\All Users\Application Data\Symantec
2009-05-19 20:26 . 2009-05-19 20:22	--------	d-----w-	c:\program files\ProxyWay
2009-05-19 20:09 . 2009-05-19 20:09	--------	d-----w-	c:\program files\Hand-Crafted Software
2009-05-16 15:38 . 2009-05-16 15:38	--------	d-----w-	c:\program files\Skrol 29
2009-05-16 13:48 . 2009-05-16 13:48	--------	d-----w-	c:\program files\Camera Mouse
2009-05-15 11:01 . 2009-05-15 11:01	62208	----a-w-	c:\windows\system32\drivers\gxvxcovrevpixlyfwosswwkbcveymafsxyusi.sy_
2009-05-15 10:43 . 2009-05-15 10:43	62208	----a-w-	c:\windows\system32\drivers\gxvxcbhotfuwkkyeudpqqaqbuyaeajewpyybq.sy_
2009-05-13 16:30 . 2009-05-13 16:30	62208	----a-w-	c:\windows\system32\drivers\gxvxcduwiltakytpodvwppyrnuroiyafkpayb.sy_
2009-05-13 16:21 . 2005-10-18 09:04	--------	d-----w-	c:\program files\Common Files\Adobe
2009-05-02 23:05 . 2006-07-28 21:06	--------	d-----w-	c:\program files\Web Publish
2009-05-02 19:57 . 2006-08-06 21:00	--------	d-----w-	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-02 19:57 . 2009-05-02 16:48	--------	d-----w-	c:\program files\Microsoft Visual Studio 9.0
2009-05-02 19:56 . 2008-08-02 15:28	--------	d-----w-	c:\program files\MSBuild
2009-05-02 18:22 . 2006-07-16 18:02	86552	----a-w-	c:\documents and settings\James.COMPUTERJAMES\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-02 16:59 . 2009-05-02 16:59	--------	d-----w-	c:\program files\Microsoft SQL Server
2009-05-02 16:58 . 2009-05-02 16:58	--------	d-----w-	c:\program files\Microsoft Device Emulator
2009-05-02 16:58 . 2009-05-02 16:57	--------	d-----w-	c:\program files\Windows Mobile 5.0 SDK R2
2009-05-02 16:56 . 2009-05-02 16:56	--------	d-----w-	c:\program files\Microsoft Synchronization Services
2009-05-02 16:56 . 2009-05-02 16:56	--------	d-----w-	c:\program files\Microsoft SQL Server Compact Edition
2009-05-02 16:55 . 2005-10-20 19:52	--------	d-----w-	c:\program files\Microsoft.NET
2009-05-02 16:55 . 2009-05-02 16:55	18368	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2009-05-02 16:55 . 2009-05-02 16:55	978432	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2009-05-02 16:48 . 2009-05-02 16:48	--------	d-----w-	c:\program files\Microsoft SDKs
2009-05-02 16:47 . 2009-05-02 16:47	--------	d-----w-	c:\program files\Microsoft Web Designer Tools
2009-05-02 16:41 . 2006-09-30 14:07	--------	d-----w-	c:\program files\Microsoft Works
2009-05-02 14:59 . 2009-05-02 14:59	416	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-05-02 12:02 . 2009-05-02 12:02	--------	d-----w-	c:\program files\Common Files\ActiveXperts
2009-05-02 12:02 . 2009-05-02 12:02	--------	d-----w-	c:\program files\ActiveXperts
2009-05-02 12:02 . 2007-10-29 22:21	--------	d--h--w-	c:\program files\InstallShield Installation Information
2009-04-25 21:02 . 2009-04-25 17:54	--------	d-----w-	c:\documents and settings\James.COMPUTERJAMES\Application Data\IcoFX
2009-04-25 17:54 . 2009-04-25 17:54	--------	d-----w-	c:\program files\IcoFX 1.6
2006-10-12 17:17 . 2006-12-09 17:18	3072	----a-w-	c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2006-02-13 12:07 . 2006-12-09 17:18	245408	----a-w-	c:\program files\mozilla firefox\plugins\unicows.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-" [X]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYSDLL"="SYSDLL" [X]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI5"=diomidi.dll
"wave2"=Digi32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=c:\windows\pss\Google Calendar Sync.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^James.COMPUTERJAMES^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk]
path=c:\documents and settings\James.COMPUTERJAMES\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk
backup=c:\windows\pss\BBC iPlayer Desktop.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.COMPUTERJAMES^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\James.COMPUTERJAMES\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.COMPUTERJAMES^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\James.COMPUTERJAMES\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.COMPUTERJAMES^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=c:\documents and settings\James.COMPUTERJAMES\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=c:\windows\pss\WinMySQLadmin.lnkStartup

[HKLM\~\startupfolder\c:^documents and settings^james.computerjames^start menu^programs^startup^zqosys32.exe]
path=c:\documents and settings\James.COMPUTERJAMES\Start Menu\Programs\Startup\zqosys32.exe
backup=c:\windows\pss\zqosys32.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"WinVNC4"=2 (0x2)
"OracleXETNSListener"=2 (0x2)
"OracleXEClrAgent"=3 (0x3)
"OracleServiceXE"=2 (0x2)
"OracleMTSRecoveryService"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMon"=2 (0x2)
"MDM"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LiveUpdate"=3 (0x3)
"VMware NAT Service"=2 (0x2)
"vmount2"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"Adobe LM Service"=2 (0x2)
"gusvc"=3 (0x3)
"PDEngine"=3 (0x3)
"PDAgent"=2 (0x2)
"odserv"=3 (0x3)
"FileZilla Server"=3 (0x3)
"Bonjour Service"=2 (0x2)
"DigiRefresh"=2 (0x2)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"rpcapd"=3 (0x3)
"gupdate"=2 (0x2)
"FLEXnet Licensing Service"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"OracleServiceORCL"=2 (0x2)
"OracleOraDb10g_home1TNSListener"=2 (0x2)
"OracleOraDb10g_home1iSQL*Plus"=2 (0x2)
"OracleDBConsoleorcl"=2 (0x2)
"KService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"TVersityMediaServer"=3 (0x3)
"Schedule"=2 (0x2)
"MediaMaxXLService"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"usnjsvc"=3 (0x3)
"InstallShield Licensing Service"=3 (0x3)
"EhttpSrv"=3 (0x3)
"ServiceLayer"=3 (0x3)
"libusbd"=2 (0x2)
"wuauserv"=2 (0x2)
"cvjser5usjfyigsfhjhswybn4wgss80"=2 (0x2)
"BITS"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"ekrn"=2 (0x2)
"dmadmin"=3 (0x3)
"CryptSvc"=3 (0x3)
"Crypkey License"=2 (0x2)
"C-DillaSrv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2539:TCP"= 2539:TCP:ppLive
"5899:UDP"= 5899:UDP:ppLive
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"10800:TCP"= 10800:TCP:BitComet 10800 TCP
"10800:UDP"= 10800:UDP:BitComet 10800 UDP
"49255:TCP"= 49255:TCP:BitComet 49255 TCP
"49255:UDP"= 49255:UDP:BitComet 49255 UDP

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [27/10/2008 09:56 39472]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [06/12/2005 16:11 35328]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.086\SymEFA.sys [19/06/2009 21:56 310320]
R0 uGuru;uGuru;c:\windows\system32\drivers\uGuru.SYS [13/10/2005 23:02 10752]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.086\BHDrvx86.sys [19/06/2009 21:56 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.086\cchpx86.sys [19/06/2009 21:56 482352]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [20/02/2008 12:11 33800]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [07/07/2007 20:42 132736]
R1 IfsDrives;IfsDrives;c:\windows\system32\drivers\IfsDrives.sys [07/07/2007 20:42 4608]
R1 TRIXX;TRIXX;c:\program files\TRIXX\TRIXXDriver.sys [16/08/2005 12:17 15360]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [05/10/2007 22:19 39584]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [05/10/2007 22:19 27744]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe [19/06/2009 21:56 115560]
R3 BluePC_Audio;BlueOpal - Audio Device;c:\windows\system32\drivers\BTAudio.sys [03/03/2007 17:42 19456]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [09/07/2008 21:14 31896]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [19/06/2009 21:56 101936]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [08/03/2008 19:45 33792]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [10/01/2008 15:35 503680]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090618.002\IDSXpx86.sys [20/06/2009 15:59 276344]
S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [13/08/2008 20:02 15872]
S3 bfturboo;BUFFALO TurboUSB for DVD Filter;c:\windows\system32\drivers\bfturboo.sys [13/08/2008 20:11 8704]
S3 BlueUsbDevice;Impulsesoft BlueUSB Driver;c:\windows\system32\drivers\BlueUSB.sys [03/03/2007 17:42 161317]
S3 BTNDIS;SmartM - Bluetooth PAN Driver;c:\windows\system32\drivers\BTNdis.sys [03/03/2007 17:42 27523]
S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [25/09/2007 15:59 15152]
S3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [18/02/2006 14:14 472644]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [28/11/2008 20:04 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [28/11/2008 20:04 8320]
S3 PRODIGY;PRODIGY;c:\windows\system32\drivers\prodigy.sys [10/11/2007 23:36 32377]
S4 cvjser5usjfyigsfhjhswybn4wgss80;cvjser5usjfyigsfhjhswybn4wgss80;c:\windows\cvjser5usjfyigsfhjhswybn4wgss81.exe [19/06/2009 14:04 12288]
S4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [20/02/2008 12:08 472320]
S4 gupdate;Google Update Service;c:\program files\Google\Update\GoogleUpdate.exe [21/04/2009 22:35 133104]
S4 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
S4 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [05/05/2007 14:52 708176]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AFTWUNNK
*Deregistered* - aftwunnk
*Deregistered* - uphcleanhlp

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
sjdbksjw
.
Contents of the 'Scheduled Tasks' folder

2009-06-15 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-21 21:35]

2009-05-31 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-16 21:18]
.
- - - - ORPHANS REMOVED - - - -

HKCU-RunOnce-FFTI - c:\documents and settings\James.COMPUTERJAMES\Application Data\Mozilla\Firefox\Profiles\2nj1fcpp.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe
Notify-WgaLogon - (no file)


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download with TrueDownloader! - c:\program files\TrueDownloader\TrueDownloader.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: RapidShare-Download - c:\documents and settings\James\Desktop\Raidshare 12 Tools lamz.ws\RapidShare - the way YOU like it!\more-rapid.exe/RsMenExt.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {9CE73426-1E7C-423E-AD30-3D7CD911B145} - hxxp://cl-0062.web.uk.netscalibur.com/student/ats/ActiveXATS.CAB
FF - ProfilePath - 
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-22 17:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.134\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SNDSrvc]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SYMTDI]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\60d0f8d]
"ImagePath"="\SystemRoot\System32\drivers\60d0f8d.sys"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\s-1-5-21-117586886-112254747-1246546447-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{37A19B2C-CC19-101F-E6A3-365865D245CB}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"fajbdgnhdjmd"=hex:68,61,64,62,6f,6a,65,70,63,70,6d,6d,6e,61,67,69,00,b5
"fajbdgnhdjld"=hex:68,61,64,62,6f,6a,65,70,63,70,6d,6d,6e,61,67,69,00,b5
"faffgkdbpcig"=hex:61,61,00,00

[HKEY_USERS\s-1-5-21-117586886-112254747-1246546447-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:92,c4,4f,c0,52,b9,58,56,14,f8,79,c2,34,59,03,cd,9b,f8,6e,62,8a,96,5f,
   7d,de,aa,69,b3,c2,f2,3d,d8,41,90,d0,3f,cb,9b,0d,c2,44,24,95,df,06,0c,1b,c8,\
"??"=hex:dc,e9,b4,2e,20,56,00,d1,e6,3c,ec,77,f2,5c,01,17

[HKEY_LOCAL_MACHINE\software\Classes\Installer\Features\464E84C8nk  
	> ]
"Version"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"91A14B995DF7C0B42ABAA16065968F3A"="c:\\Program Files\\Alias\\Maya7.0\\presets\\Ashli\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1096)
c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\tlntsvr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-22 17:14 - machine was rebooted
ComboFix-quarantined-files.txt  2009-06-22 16:14

Pre-Run: 32,496,984,064 bytes free
Post-Run: 32,331,591,680 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /FASTDETECT /NOEXECUTE=OPTIN

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
462	--- E O F ---	2009-05-31 21:28


#10 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 23 June 2009 - 01:19 AM

Hi,

Please don't use the code tags to post your logs, because I'm having a hard time reading them.

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
c:\windows\010112010146118114.dat
c:\windows\system32\ant.bat
c:\windows\system32\drivers\gxvxcovrevpixlyfwosswwkbcveymafsxyusi.sy_
c:\windows\system32\drivers\gxvxcbhotfuwkkyeudpqqaqbuyaeajewpyybq.sy_
c:\windows\system32\drivers\gxvxcduwiltakytpodvwppyrnuroiyafkpayb.sy_
C:\Windows\System32\drivers\60d0f8d.sys
c:\windows\cvjser5usjfyigsfhjhswybn4wgss81.exe
c:\windows\pss\zqosys32.exeStartup
Folder::
C:\VundoFix Backups
c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq
c:\documents and settings\James.COMPUTERJAMES\Local Settings\Application Data\ljicdbtq
NetSvc::
sjdbksjw
DDS::
uInternet Settings,ProxyOverride = *.local;<local>
uInternet Settings,ProxyServer = http=localhost:7171
Driver::
60d0f8d
cvjser5usjfyigsfhjhswybn4wgss80
regnull::
[HKEY_USERS\s-1-5-21-117586886-112254747-1246546447-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{37A19B2C-CC19-101F-E6A3-365865D245CB}*]
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cvjser5usjfyigsfhjhswybn4wgss80"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"=-
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"SYSDLL"=-
[-HKLM\~\startupfolder\c:^documents and settings^james.computerjames^start menu^programs^startup^zqosys32.exe]


Save this as a txt file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

By the way, it isn't such a good idea to disable almost every service via msconfig. A lot of services are really needed.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
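As an added example that is not part of the thread and not ComboFix's own code, here is a small Python parser for the CFScript format used in the post above; it turns the sections into a reviewable action list without touching the system. The section-to-action mapping is my reading of the format (an assumption), and the sample script is constructed from entries posted in this thread.

```python
"""Parse a ComboFix CFScript into a reviewable action plan without touching
the system.  Section semantics below are my reading of the format as used
in this thread (an assumption, not ComboFix's own documentation)."""
import re

# Section header (e.g. "File::") -> action name.  Assumed meanings:
#   File::/Folder::  delete the listed paths
#   NetSvc::         remove the listed names from the netsvcs group
#   DDS::            reset the listed DDS-style settings (here an IE proxy)
#   Driver::         delete the listed driver services
#   regnull::        null out locked registry keys
#   Registry::       apply a .reg-style edit ("name"=- deletes a value,
#                    [-key] deletes a whole key)
SECTION_ACTIONS = {
    "file": "delete_file",
    "folder": "delete_folder",
    "netsvc": "remove_netsvc",
    "dds": "reset_dds",
    "driver": "delete_driver",
    "regnull": "null_locked_key",
    "registry": "registry",
}

_REG_KEY = re.compile(r"^\[(-?)(.+)\]$")
_REG_VALUE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_cfscript(text):
    """Return {action: [entries]} for the script; raise ValueError on a
    malformed script so a typo is caught before the script is ever run."""
    plan = {action: [] for action in SECTION_ACTIONS.values()}
    section = None       # action name of the section being read
    current_key = None   # registry key that "name"= lines apply to
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):
            name = line[:-2].lower()
            if name not in SECTION_ACTIONS:
                raise ValueError(f"line {lineno}: unknown section {line!r}")
            section, current_key = SECTION_ACTIONS[name], None
            continue
        if section is None:
            raise ValueError(f"line {lineno}: entry before any section header")
        if section != "registry":
            plan[section].append(line)
            continue
        key_match = _REG_KEY.match(line)
        if key_match:
            minus, key = key_match.groups()
            if minus:
                plan["registry"].append({"action": "delete_key", "key": key})
                current_key = None
            else:
                current_key = key
            continue
        value_match = _REG_VALUE.match(line)
        if value_match is None or current_key is None:
            raise ValueError(f"line {lineno}: registry line outside a key: {line!r}")
        name, value = value_match.groups()
        if value == "-":
            plan["registry"].append({"action": "delete_value", "key": current_key, "name": name})
        else:
            plan["registry"].append({"action": "set_value", "key": current_key,
                                     "name": name, "value": value})
    return plan


def describe(plan):
    """Render the plan as one human-readable line per action, for review."""
    lines = []
    for action, entries in plan.items():
        for entry in entries:
            if action == "registry":
                detail = " ".join(f"{k}={v}" for k, v in entry.items() if k != "action")
                lines.append(f"{entry['action']}: {detail}")
            else:
                lines.append(f"{action}: {entry}")
    return lines


# Constructed sample: entries taken from the CFScript posted in this thread,
# trimmed to a few per section.
SAMPLE_CFSCRIPT = r"""
File::
c:\windows\system32\ant.bat
C:\Windows\System32\drivers\60d0f8d.sys
Folder::
C:\VundoFix Backups
NetSvc::
sjdbksjw
DDS::
uInternet Settings,ProxyServer = http=localhost:7171
Driver::
60d0f8d
regnull::
[HKEY_USERS\s-1-5-21-117586886-112254747-1246546447-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{37A19B2C-CC19-101F-E6A3-365865D245CB}*]
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cvjser5usjfyigsfhjhswybn4wgss80"=-
[-HKLM\~\startupfolder\c:^documents and settings^james.computerjames^start menu^programs^startup^zqosys32.exe]
"""

if __name__ == "__main__":
    for line in describe(parse_cfscript(SAMPLE_CFSCRIPT)):
        print(line)
```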

#11 jimhaddon
  • Topic Starter
  • Members
  • 10 posts

Posted 23 June 2009 - 04:13 PM

New ComboFix Log:

ComboFix 09-06-21.01 - James 23/06/2009 21:26.2 - NTFSx86
Microsoft Windows XP Professional  5.1.2600.3.1252.44.1033.18.1534.974 [GMT 1:00]
Running from: c:\documents and settings\James.COMPUTERJAMES\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\James.COMPUTERJAMES\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Outdated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}

FILE ::
"c:\windows\010112010146118114.dat"
"c:\windows\cvjser5usjfyigsfhjhswybn4wgss81.exe"
"c:\windows\pss\zqosys32.exeStartup"
"c:\windows\system32\ant.bat"
"c:\windows\System32\drivers\60d0f8d.sys"
"c:\windows\system32\drivers\gxvxcbhotfuwkkyeudpqqaqbuyaeajewpyybq.sy_"
"c:\windows\system32\drivers\gxvxcduwiltakytpodvwppyrnuroiyafkpayb.sy_"
"c:\windows\system32\drivers\gxvxcovrevpixlyfwosswwkbcveymafsxyusi.sy_"
.
(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq
c:\documents and settings\James.COMPUTERJAMES\Local Settings\Application Data\ljicdbtq
C:\VundoFix Backups
c:\windows\System32\drivers\60d0f8d.sys
c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq\profiles.ini
c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq\Profiles\dzb9ptjk.default\cert8.db
c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq\Profiles\dzb9ptjk.default\compatibility.ini
c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq\Profiles\dzb9ptjk.default\compreg.dat
c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq\Profiles\dzb9ptjk.default\cookies.sqlite
c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq\Profiles\dzb9ptjk.default\formhistory.sqlite
c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq\Profiles\dzb9ptjk.default\key3.db
c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq\Profiles\dzb9ptjk.default\localstore.rdf
c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq\Profiles\dzb9ptjk.default\permissions.sqlite
c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq\Profiles\dzb9ptjk.default\places.sqlite
c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq\Profiles\dzb9ptjk.default\places.sqlite-stmtjrnl
c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq\Profiles\dzb9ptjk.default\pluginreg.dat
c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq\Profiles\dzb9ptjk.default\prefs.js
c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq\Profiles\dzb9ptjk.default\secmod.db
c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq\Profiles\dzb9ptjk.default\webappsstore.sqlite
c:\documents and settings\James.COMPUTERJAMES\Application Data\ljicdbtq\Profiles\dzb9ptjk.default\xpti.dat
c:\documents and settings\James.COMPUTERJAMES\Local Settings\Application Data\ljicdbtq\Profiles\dzb9ptjk.default\urlclassifier3.sqlite
c:\documents and settings\James.COMPUTERJAMES\Local Settings\Application Data\ljicdbtq\Profiles\dzb9ptjk.default\XPC.mfl
c:\vundofix backups\btfunc.dll.bad
c:\vundofix backups\qxmcskrd.dll.bad
c:\windows\010112010146118114.dat
c:\windows\cvjser5usjfyigsfhjhswybn4wgss81.exe
c:\windows\pss\zqosys32.exeStartup
c:\windows\system32\ant.bat
c:\windows\system32\drivers\gxvxcbhotfuwkkyeudpqqaqbuyaeajewpyybq.sy_
c:\windows\system32\drivers\gxvxcduwiltakytpodvwppyrnuroiyafkpayb.sy_
c:\windows\system32\drivers\gxvxcovrevpixlyfwosswwkbcveymafsxyusi.sy_
.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_cvjser5usjfyigsfhjhswybn4wgss80
-------\Service_60d0f8d
-------\Service_cvjser5usjfyigsfhjhswybn4wgss80

(((((((((((((((((((((((((   Files Created from 2009-05-23 to 2009-06-23  )))))))))))))))))))))))))))))))
.
2009-06-23 20:51 . 2009-06-19 20:56	165240	----a-r-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-06-22 15:11 . 2009-06-19 20:56	876144	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090622.002\NAVEX15.SYS
2009-06-22 15:11 . 2009-06-19 20:56	1181040	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090622.002\NAVEX32A.DLL
2009-06-22 15:11 . 2009-06-19 20:56	89104	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090622.002\NAVENG.SYS
2009-06-22 15:11 . 2009-06-19 20:56	371248	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090622.002\EECTRL.SYS
2009-06-22 15:11 . 2009-06-19 20:56	101936	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090622.002\ERASER.SYS
2009-06-22 15:11 . 2009-06-19 20:56	177520	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090622.002\NAVENG32.DLL
2009-06-22 15:11 . 2009-06-19 20:56	259368	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090622.002\ECMSVR32.DLL
2009-06-22 15:11 . 2009-06-19 20:56	2414128	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090622.002\CCERASER.DLL
2009-06-20 14:59 . 2009-03-16 20:03	533880	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090618.002\Scxpx86.dll
2009-06-20 14:59 . 2009-06-19 20:56	396848	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090618.002\IDSviA64.sys
2009-06-20 14:59 . 2009-06-19 20:56	292912	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090618.002\IDSvix86.sys
2009-06-20 14:59 . 2009-06-19 20:56	276344	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090618.002\IDSXpx86.sys
2009-06-20 14:59 . 2009-06-19 20:56	447864	----a-w-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090618.002\IDSxpx86.dll
2009-06-19 21:51 . 2009-06-19 21:51	--------	d-----w-	c:\documents and settings\James.COMPUTERJAMES\Application Data\Malwarebytes
2009-06-19 21:51 . 2009-06-17 10:27	38160	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-19 21:51 . 2009-06-19 21:51	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2009-06-19 21:51 . 2009-06-19 21:51	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2009-06-19 21:51 . 2009-06-17 10:27	19096	----a-w-	c:\windows\system32\drivers\mbam.sys
2009-06-19 21:14 . 2009-06-19 20:56	554352	----a-r-	c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
2009-06-19 20:54 . 2009-06-19 20:54	--------	d-----w-	c:\program files\NortonInstaller
2009-06-19 20:36 . 2009-06-19 20:36	--------	d-----w-	c:\documents and settings\Administrator.COMPUTERJAMES\Local Settings\Application Data\Downloaded Installations
2009-06-19 20:15 . 2009-06-19 20:19	46640	----a-w-	c:\windows\system32\msln.exe
2009-06-19 17:12 . 2009-06-19 21:00	--------	d-----w-	c:\program files\Common Files\Symantec Shared
2009-06-15 22:07 . 2009-06-15 22:07	--------	d-----w-	c:\program files\Sun
2009-06-15 22:05 . 2009-06-15 22:05	410984	----a-w-	c:\windows\system32\deploytk.dll
.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-23 20:48 . 2006-08-05 21:57	--------	d-----w-	c:\documents and settings\James.COMPUTERJAMES\Application Data\foobar2000
2009-06-22 22:24 . 2008-08-10 20:14	--------	d-----w-	c:\documents and settings\James.COMPUTERJAMES\Application Data\uTorrent
2009-06-22 22:02 . 2007-11-25 17:51	139152	----a-w-	c:\windows\system32\drivers\PnkBstrK.sys
2009-06-22 22:02 . 2007-11-25 17:51	111928	----a-w-	c:\windows\system32\PnkBstrB.exe
2009-06-19 20:37 . 2009-05-15 11:27	--------	d-----w-	c:\documents and settings\All Users\Application Data\Norton
2009-06-19 17:13 . 2009-05-15 11:28	--------	d-----w-	c:\documents and settings\All Users\Application Data\{7B6BA59A-FB0E-4499-8536-A7420338BF3B}
2009-06-19 17:11 . 2009-05-15 11:25	--------	d-----w-	c:\documents and settings\All Users\Application Data\NortonInstaller
2009-06-17 21:11 . 2006-10-13 16:23	49152	---ha-w-	c:\documents and settings\James.COMPUTERJAMES\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2009-06-15 22:05 . 2006-01-01 20:30	--------	d-----w-	c:\program files\Java
2009-06-15 21:49 . 2006-04-16 19:19	--------	d-----w-	c:\program files\Google
2009-06-13 22:31 . 2007-12-24 11:55	--------	d-----w-	c:\documents and settings\James.COMPUTERJAMES\Application Data\mIRC
2009-06-13 22:30 . 2007-12-24 11:55	--------	d-----w-	c:\program files\mIRC
2009-06-13 16:47 . 2006-01-08 16:06	729088	----a-w-	c:\windows\iun6002.exe
2009-06-12 21:46 . 2009-05-03 21:00	--------	d-----w-	c:\program files\Parrot Software Update Tool
2009-05-23 22:37 . 2006-05-10 20:59	--------	d-----w-	c:\program files\Steam
2009-05-23 22:02 . 2006-02-20 23:26	--------	d-----w-	c:\documents and settings\All Users\Application Data\Symantec
2009-05-19 20:26 . 2009-05-19 20:22	--------	d-----w-	c:\program files\ProxyWay
2009-05-19 20:09 . 2009-05-19 20:09	--------	d-----w-	c:\program files\Hand-Crafted Software
2009-05-16 15:38 . 2009-05-16 15:38	--------	d-----w-	c:\program files\Skrol 29
2009-05-16 13:48 . 2009-05-16 13:48	--------	d-----w-	c:\program files\Camera Mouse
2009-05-13 16:21 . 2005-10-18 09:04	--------	d-----w-	c:\program files\Common Files\Adobe
2009-05-02 23:05 . 2006-07-28 21:06	--------	d-----w-	c:\program files\Web Publish
2009-05-02 19:57 . 2006-08-06 21:00	--------	d-----w-	c:\documents and settings\All Users\Application Data\Microsoft Help
2009-05-02 19:57 . 2009-05-02 16:48	--------	d-----w-	c:\program files\Microsoft Visual Studio 9.0
2009-05-02 19:56 . 2008-08-02 15:28	--------	d-----w-	c:\program files\MSBuild
2009-05-02 18:22 . 2006-07-16 18:02	86552	----a-w-	c:\documents and settings\James.COMPUTERJAMES\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-02 16:59 . 2009-05-02 16:59	--------	d-----w-	c:\program files\Microsoft SQL Server
2009-05-02 16:58 . 2009-05-02 16:58	--------	d-----w-	c:\program files\Microsoft Device Emulator
2009-05-02 16:58 . 2009-05-02 16:57	--------	d-----w-	c:\program files\Windows Mobile 5.0 SDK R2
2009-05-02 16:56 . 2009-05-02 16:56	--------	d-----w-	c:\program files\Microsoft Synchronization Services
2009-05-02 16:56 . 2009-05-02 16:56	--------	d-----w-	c:\program files\Microsoft SQL Server Compact Edition
2009-05-02 16:55 . 2005-10-20 19:52	--------	d-----w-	c:\program files\Microsoft.NET
2009-05-02 16:55 . 2009-05-02 16:55	18368	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\VSA\9.0\1033\ResourceCache.dll
2009-05-02 16:55 . 2009-05-02 16:55	978432	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\VisualStudio\9.0\1033\ResourceCache.dll
2009-05-02 16:48 . 2009-05-02 16:48	--------	d-----w-	c:\program files\Microsoft SDKs
2009-05-02 16:47 . 2009-05-02 16:47	--------	d-----w-	c:\program files\Microsoft Web Designer Tools
2009-05-02 16:41 . 2006-09-30 14:07	--------	d-----w-	c:\program files\Microsoft Works
2009-05-02 14:59 . 2009-05-02 14:59	416	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\MSDN\9.0\1033\ResourceCache.dll
2009-05-02 12:02 . 2009-05-02 12:02	--------	d-----w-	c:\program files\Common Files\ActiveXperts
2009-05-02 12:02 . 2009-05-02 12:02	--------	d-----w-	c:\program files\ActiveXperts
2009-05-02 12:02 . 2007-10-29 22:21	--------	d--h--w-	c:\program files\InstallShield Installation Information
2009-04-25 21:02 . 2009-04-25 17:54	--------	d-----w-	c:\documents and settings\James.COMPUTERJAMES\Application Data\IcoFX
2009-04-25 17:54 . 2009-04-25 17:54	--------	d-----w-	c:\program files\IcoFX 1.6
2006-10-12 17:17 . 2006-12-09 17:18	3072	----a-w-	c:\program files\mozilla firefox\plugins\ractrlkeyhook.dll
2006-02-13 12:07 . 2006-12-09 17:18	245408	----a-w-	c:\program files\mozilla firefox\plugins\unicows.dll
.
(((((((((((((((((((((((((((((   SnapShot@2009-06-22_16.03.11   )))))))))))))))))))))))))))))))))))))))))
.
+ 2001-08-23 12:00 . 2009-06-22 16:07	739624              c:\windows\system32\perfc009.dat
+ 2001-08-23 12:00 . 2009-06-22 16:07	1953152              c:\windows\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"ConsentPromptBehaviorAdmin"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MIDI5"=diomidi.dll
"wave2"=Digi32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Calendar Sync.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Google Calendar Sync.lnk
backup=c:\windows\pss\Google Calendar Sync.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^James.COMPUTERJAMES^Start Menu^Programs^Startup^BBC iPlayer Desktop.lnk]
path=c:\documents and settings\James.COMPUTERJAMES\Start Menu\Programs\Startup\BBC iPlayer Desktop.lnk
backup=c:\windows\pss\BBC iPlayer Desktop.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.COMPUTERJAMES^Start Menu^Programs^Startup^Monitor Apache Servers.lnk]
path=c:\documents and settings\James.COMPUTERJAMES\Start Menu\Programs\Startup\Monitor Apache Servers.lnk
backup=c:\windows\pss\Monitor Apache Servers.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.COMPUTERJAMES^Start Menu^Programs^Startup^OneNote 2007 Screen Clipper and Launcher.lnk]
path=c:\documents and settings\James.COMPUTERJAMES\Start Menu\Programs\Startup\OneNote 2007 Screen Clipper and Launcher.lnk
backup=c:\windows\pss\OneNote 2007 Screen Clipper and Launcher.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^James.COMPUTERJAMES^Start Menu^Programs^Startup^WinMySQLadmin.lnk]
path=c:\documents and settings\James.COMPUTERJAMES\Start Menu\Programs\Startup\WinMySQLadmin.lnk
backup=c:\windows\pss\WinMySQLadmin.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"WinVNC4"=2 (0x2)
"OracleXETNSListener"=2 (0x2)
"OracleXEClrAgent"=3 (0x3)
"OracleServiceXE"=2 (0x2)
"OracleMTSRecoveryService"=3 (0x3)
"IDriverT"=3 (0x3)
"IAANTMon"=2 (0x2)
"MDM"=2 (0x2)
"LVPrcSrv"=2 (0x2)
"LiveUpdate"=3 (0x3)
"VMware NAT Service"=2 (0x2)
"vmount2"=2 (0x2)
"VMnetDHCP"=2 (0x2)
"VMAuthdService"=2 (0x2)
"LogMeIn"=2 (0x2)
"LMIMaint"=2 (0x2)
"Adobe LM Service"=2 (0x2)
"gusvc"=3 (0x3)
"PDEngine"=3 (0x3)
"PDAgent"=2 (0x2)
"odserv"=3 (0x3)
"FileZilla Server"=3 (0x3)
"Bonjour Service"=2 (0x2)
"DigiRefresh"=2 (0x2)
"sdCoreService"=3 (0x3)
"sdAuxService"=3 (0x3)
"rpcapd"=3 (0x3)
"gupdate"=2 (0x2)
"FLEXnet Licensing Service"=2 (0x2)
"AVG Anti-Spyware Guard"=2 (0x2)
"OracleServiceORCL"=2 (0x2)
"OracleOraDb10g_home1TNSListener"=2 (0x2)
"OracleOraDb10g_home1iSQL*Plus"=2 (0x2)
"OracleDBConsoleorcl"=2 (0x2)
"KService"=2 (0x2)
"iPod Service"=3 (0x3)
"idsvc"=3 (0x3)
"Apple Mobile Device"=2 (0x2)
"TVersityMediaServer"=3 (0x3)
"Schedule"=2 (0x2)
"MediaMaxXLService"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"WinDefend"=2 (0x2)
"usnjsvc"=3 (0x3)
"InstallShield Licensing Service"=3 (0x3)
"EhttpSrv"=3 (0x3)
"ServiceLayer"=3 (0x3)
"libusbd"=2 (0x2)
"wuauserv"=2 (0x2)
"BITS"=2 (0x2)
"JavaQuickStarterService"=2 (0x2)
"ekrn"=2 (0x2)
"dmadmin"=3 (0x3)
"CryptSvc"=3 (0x3)
"Crypkey License"=2 (0x2)
"C-DillaSrv"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\EA GAMES\\Battlefield 1942\\BF1942.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\WINDOWS\\system32\\dpnsvr.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\TVersity\\Media Server\\MediaServer.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Steam\\SteamApps\\common\\peggle extreme\\PeggleExtreme.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"2539:TCP"= 2539:TCP:ppLive
"5899:UDP"= 5899:UDP:ppLive
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"10800:TCP"= 10800:TCP:BitComet 10800 TCP
"10800:UDP"= 10800:UDP:BitComet 10800 UDP
"49255:TCP"= 49255:TCP:BitComet 49255 TCP
"49255:UDP"= 49255:UDP:BitComet 49255 UDP

R0 hotcore3;hotcore3;c:\windows\system32\drivers\hotcore3.sys [27/10/2008 09:56 39472]
R0 sfsync03;StarForce Protection Synchronization Driver (version 3.x);c:\windows\system32\drivers\sfsync03.sys [06/12/2005 16:11 35328]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0300000.086\SymEFA.sys [19/06/2009 21:56 310320]
R0 uGuru;uGuru;c:\windows\system32\drivers\uGuru.SYS [13/10/2005 23:02 10752]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0300000.086\BHDrvx86.sys [19/06/2009 21:56 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0300000.086\cchpx86.sys [19/06/2009 21:56 482352]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [20/02/2008 12:11 33800]
R1 Ext2fs;Ext2fs;c:\windows\system32\drivers\ext2fs.sys [07/07/2007 20:42 132736]
R1 IfsDrives;IfsDrives;c:\windows\system32\drivers\IfsDrives.sys [07/07/2007 20:42 4608]
R1 TRIXX;TRIXX;c:\program files\TRIXX\TRIXXDriver.sys [16/08/2005 12:17 15360]
R1 VBoxDrv;VirtualBox Service;c:\windows\system32\drivers\VBoxDrv.sys [05/10/2007 22:19 39584]
R1 VBoxUSBMon;VirtualBox USB Monitor Driver;c:\windows\system32\drivers\VBoxUSBMon.sys [05/10/2007 22:19 27744]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe [19/06/2009 21:56 115560]
R3 BluePC_Audio;BlueOpal - Audio Device;c:\windows\system32\drivers\BTAudio.sys [03/03/2007 17:42 19456]
R3 dfmirage;dfmirage;c:\windows\system32\drivers\dfmirage.sys [09/07/2008 21:14 31896]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [19/06/2009 21:56 101936]
R3 libusb0;LibUsb-Win32 - Kernel Driver, Version 0.1.10.1;c:\windows\system32\drivers\libusb0.sys [08/03/2008 19:45 33792]
R3 rt2870;Ralink 802.11n USB Wireless LAN Card Driver;c:\windows\system32\drivers\rt2870.sys [10/01/2008 15:35 503680]
S1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090618.002\IDSXpx86.sys [20/06/2009 15:59 276344]
S3 bfturboh;BUFFALO TurboUSB for HD Filter;c:\windows\system32\drivers\bfturboh.sys [13/08/2008 20:02 15872]
S3 bfturboo;BUFFALO TurboUSB for DVD Filter;c:\windows\system32\drivers\bfturboo.sys [13/08/2008 20:11 8704]
S3 BlueUsbDevice;Impulsesoft BlueUSB Driver;c:\windows\system32\drivers\BlueUSB.sys [03/03/2007 17:42 161317]
S3 BTNDIS;SmartM - Bluetooth PAN Driver;c:\windows\system32\drivers\BTNdis.sys [03/03/2007 17:42 27523]
S3 CrystalSysInfo;CrystalSysInfo;c:\program files\MediaCoder\SysInfo.sys [25/09/2007 15:59 15152]
S3 HCWBT8xx;Hauppauge WinTV 848/9 WDM Video Driver;c:\windows\system32\drivers\HCWBT8XX.sys [18/02/2006 14:14 472644]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;c:\windows\system32\drivers\nmwcdnsu.sys [28/11/2008 20:04 138112]
S3 nmwcdnsuc;Nokia USB Flashing Generic;c:\windows\system32\drivers\nmwcdnsuc.sys [28/11/2008 20:04 8320]
S3 PRODIGY;PRODIGY;c:\windows\system32\drivers\prodigy.sys [10/11/2007 23:36 32377]
S4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [20/02/2008 12:08 472320]
S4 gupdate;Google Update Service;c:\program files\Google\Update\GoogleUpdate.exe [21/04/2009 22:35 133104]
S4 libusbd;LibUsb-Win32 - Daemon, Version 0.1.10.1;system32\libusbd-nt.exe --> system32\libusbd-nt.exe [?]
S4 sdAuxService;Spyware Doctor Auxiliary Service;c:\program files\Spyware Doctor\svcntaux.exe [05/05/2007 14:52 708176]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp
.
Contents of the 'Scheduled Tasks' folder

2009-06-15 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-21 21:35]

2009-05-31 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-05-16 21:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: &Download with TrueDownloader! - c:\program files\TrueDownloader\TrueDownloader.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\Office12\EXCEL.EXE/3000
IE: RapidShare-Download - c:\documents and settings\James\Desktop\Raidshare 12 Tools lamz.ws\RapidShare - the way YOU like it!\more-rapid.exe/RsMenExt.html
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {9CE73426-1E7C-423E-AD30-3D7CD911B145} - hxxp://cl-0062.web.uk.netscalibur.com/student/ats/ActiveXATS.CAB
FF - ProfilePath - 
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-23 21:52
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.0.0.134\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.0.0.134\diMaster.dll\" /prefetch:1"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\ccEvtMgr]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SAVRT]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SNDSrvc]
"ImagePath"="-"

[HKEY_LOCAL_MACHINE\System\ControlSet003\Services\SYMTDI]
"ImagePath"="-"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-117586886-112254747-1246546447-1003\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
"??"=hex:92,c4,4f,c0,52,b9,58,56,14,f8,79,c2,34,59,03,cd,9b,f8,6e,62,8a,96,5f,
   7d,de,aa,69,b3,c2,f2,3d,d8,41,90,d0,3f,cb,9b,0d,c2,44,24,95,df,06,0c,1b,c8,\
"??"=hex:dc,e9,b4,2e,20,56,00,d1,e6,3c,ec,77,f2,5c,01,17

[HKEY_LOCAL_MACHINE\software\Classes\Installer\Features\464E84C8nk  
	> ]
"Version"=""

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Installer\UserData\LocalSystem\Components\|"|w*]
"91A14B995DF7C0B42ABAA16065968F3A"="c:\\Program Files\\Alias\\Maya7.0\\presets\\Ashli\\"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1136)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(3444)
c:\windows\system32\xpsp3res.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\PnkBstrA.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\tlntsvr.exe
c:\windows\system32\wdfmgr.exe
c:\program files\UPHClean\uphclean.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-23 22:06 - machine was rebooted
ComboFix-quarantined-files.txt  2009-06-23 21:06
ComboFix2.txt  2009-06-22 16:14

Pre-Run: 32,102,514,688 bytes free
Post-Run: 32,064,577,536 bytes free

Current=3 Default=3 Failed=1 LastKnownGood=4 Sets=1,2,3,4
439	--- E O F ---	2009-05-31 21:28


#12 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 23 June 2009 - 04:16 PM

Hi,

I already asked you before not to use the Code tags around your logs, because it makes it extremely hard to read for me.

Anyway, this looks OK again.

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

#13 jimhaddon
  • Topic Starter
  • Members
  • 10 posts

Posted 24 June 2009 - 02:24 AM

Hi,

Things look fine now - thanks for your help!

#14 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:04:29 PM

Posted 24 June 2009 - 02:29 AM

Glad I could help. :thumbup2:

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#15 miekiemoes

miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:04:29 PM

Posted 07 July 2009 - 07:25 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.