something bad that i downloaded [Solved], the way my pc works has changed since i opened a file
kwisj
post May 15 2009, 02:52 PM
Post #1


Member
Posts: 20
OS: xp



Hi folks
I downloaded a file, and tried to open it, and ever since something has not been right with my PC.
When I go to my PC and try to open the disc drives nothing happens. My firewall program tells me that an application is trying to modify the 'physical memory' of the disc. The first time I let it do this something started to want to access the internet via IE, which I don't use, I use Firefox. I have denied permission cos this has never happened before. Another thing has also happened. I appear to have lost access to one of my discs. But when I went to try and reset the drive number in disc administrator via the control panel, none of my hard discs show up, including C. If I want to access my discs I have to use the right click explore function.
I have run Windows Defender and NOD32 virus scanner, which don't appear to catch anything. The only thing that appears to notice anything is my firewall, Outpost Firewall Pro. I even removed my C disc and connected it to another PC and ran its antivirus and nothing showed up.
Can anyone give me a clue as to what's going on?

This is in my Windows temp file: Perfib_Perfdata_338, which I can't delete because it says it's being used.
Windows Defender has just told me that it can't delete this file Tool:Win32/Dnschanger.K which is in C:\WINDOWS\TEMP\tempo-47641250.tmp


The HijackThis scan is this:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:04:13, on 15/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Archivos de programa\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Archivos de programa\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\DeltTray.exe
C:\Archivos de programa\LogMeIn\x86\LogMeInSystray.exe
C:\WINDOWS\system32\DeltaIITray.exe
C:\Archivos de programa\Windows Defender\MSASCui.exe
C:\Archivos de programa\Eset\nod32kui.exe
C:\WINDOWS\system32\bcd2kcpan.exe
C:\Archivos de programa\LogMeIn\x86\LMIGuardian.exe
C:\Archivos de programa\Java\jre6\bin\jusched.exe
C:\Archivos de programa\D-Link\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\ARCHIV~1\Iomega\System32\AppServices.exe
C:\Archivos de programa\Java\jre6\bin\jqs.exe
C:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
C:\Archivos de programa\LogMeIn\x86\RaMaint.exe
C:\Archivos de programa\LogMeIn\x86\LogMeIn.exe
C:\Archivos de programa\LogMeIn\x86\LMIGuardian.exe
C:\Archivos de programa\MGE\PersonalSolutionPac\RunSC.exe
C:\Archivos de programa\MGE\PersonalSolutionPac\PCtl.exe
C:\Archivos de programa\Eset\nod32krn.exe
C:\Archivos de programa\MGE\PersonalSolutionPac\BIL.EXE
C:\WINDOWS\system32\slserv.exe
C:\Archivos de programa\MGE\PersonalSolutionPac\CILUSB.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Archivos de programa\Mozilla Firefox\firefox.exe
C:\Archivos de programa\Creative\SB Wireless Music\Media Server\SBWMsvr.exe
C:\Archivos de programa\Windows Live\Messenger\msnmsgr.exe
C:\Archivos de programa\Windows Live\Contacts\wlcomm.exe
C:\Archivos de programa\Winamp\winamp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\DJ Kwilty\Escritorio\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Archivos de programa\Archivos comunes\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Archivos de programa\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Archivos de programa\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [DeltTray] DeltTray.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Archivos de programa\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DeltaIITaskbarApp] C:\WINDOWS\system32\DeltaIITray.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Archivos de programa\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nod32kui] "C:\Archivos de programa\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [OutpostMonitor] C:\ARCHIV~1\Agnitum\OUTPOS~1\op_mon.exe /tray /noservice
O4 - HKLM\..\Run: [OutpostFeedBack] "C:\Archivos de programa\Agnitum\Outpost Firewall Pro\feedback.exe" /dump:os_startup
O4 - HKLM\..\Run: [M-Audio Taskbar Icon] C:\WINDOWS\System32\DeltaIITray.exe
O4 - HKLM\..\Run: [BCD2000] %SystemRoot%\system32\bcd2kcpan.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Archivos de programa\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ccleaner] "C:\Archivos de programa\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [Update Service] "C:\Archivos de programa\Archivos comunes\Teknum Systems\update.exe" /startup
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Enviar a &Bluetooth - C:\Archivos de programa\D-Link\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Outpost Firewall Pro Quick Tune - {44627E97-789B-40d4-B5C2-58BD171129A1} - C:\Archivos de programa\Agnitum\Outpost Firewall Pro\ie_bar.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\D-Link\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Archivos de programa\D-Link\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E586424-49BA-4AC8-933B-9533FEEB0561}: NameServer = 85.255.112.171,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5352143-7E06-44CB-88BD-CAD9B18B4AD8}: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E586424-49BA-4AC8-933B-9533FEEB0561}: NameServer = 85.255.112.171,85.255.112.109
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CS3\Services\Tcpip\..\{1E586424-49BA-4AC8-933B-9533FEEB0561}: NameServer = 85.255.112.171,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\ARCHIV~1\ARCHIV~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: c:\archiv~1\agnitum\outpos~1\wl_hook.dll
O22 - SharedTaskScheduler: Fences - {EC654325-1273-C2A9-2B7C-45A29BCE2FBD} - C:\Archivos de programa\Stardock\Fences\DesktopDock.dll
O23 - Service: Agnitum Client Security Service (acssrv) - Agnitum Ltd. - C:\ARCHIV~1\Agnitum\OUTPOS~1\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Archivos de programa\D-Link\Bluetooth Software\bin\btwdins.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Google Update Service (gupdate1c99756ed5f26ec) (gupdate1c99756ed5f26ec) - Google Inc. - C:\Archivos de programa\Google\Update\GoogleUpdate.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Archivos de programa\Archivos comunes\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\ARCHIV~1\Iomega\System32\AppServices.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Archivos de programa\Java\jre6\bin\jqs.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Archivos de programa\Archivos comunes\LightScribe\LSSrvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Archivos de programa\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Archivos de programa\LogMeIn\x86\LogMeIn.exe
O23 - Service: MGE Service module - Unknown owner - C:\Archivos de programa\MGE\PersonalSolutionPac\RunSC.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Archivos de programa\Eset\nod32krn.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Archivos de programa\Archivos comunes\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: SmartLinkService (SLService) - Smart Link - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Archivos de programa\Archivos comunes\SureThing Shared\stllssvr.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe

--
End of file - 9597 bytes

This post has been edited by kwisj: May 15 2009, 03:00 PM
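
The O17 lines in the HijackThis log above are where the machine's DNS settings appear: each one is a NameServer value under a Tcpip key in one of the registry control sets. As an added example (not part of the original thread and not HijackThis's own code), this Python script parses those lines and reports every resolver that is not on a list you expect. The sample lines are copied from the post; the expected resolver 192.168.1.1 and all function names are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Sample input: the O17 lines from the log in the post above, plus one
# unrelated line to show that non-O17 entries are ignored.
SAMPLE_LOG = r"""O20 - AppInit_DLLs: c:\archiv~1\agnitum\outpos~1\wl_hook.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{1E586424-49BA-4AC8-933B-9533FEEB0561}: NameServer = 85.255.112.171,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\..\{D5352143-7E06-44CB-88BD-CAD9B18B4AD8}: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CS1\Services\Tcpip\..\{1E586424-49BA-4AC8-933B-9533FEEB0561}: NameServer = 85.255.112.171,85.255.112.109
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
O17 - HKLM\System\CS3\Services\Tcpip\..\{1E586424-49BA-4AC8-933B-9533FEEB0561}: NameServer = 85.255.112.171,85.255.112.109
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.112.198,85.255.112.70
"""

# O17 - HKLM\System\<control set>\Services\Tcpip\<Parameters | ..\{GUID}>: <name> = <value>
O17_RE = re.compile(
    r"^O17 - HKLM\\System\\(?P<cs>CCS|CS\d+)\\Services\\Tcpip\\"
    r"(?:\.\.\\(?P<iface>\{[0-9A-Fa-f-]+\})|Parameters): "
    r"(?P<name>\w+) = (?P<value>.+)$"
)


def _to_address(text):
    """Return an ip_address object, or the raw string if it does not parse."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return text


def parse_o17(log_text):
    """Return one dict per O17 NameServer line: control set, scope, servers."""
    entries = []
    for line in log_text.splitlines():
        match = O17_RE.match(line.strip())
        if not match or match.group("name") != "NameServer":
            continue
        servers = [
            _to_address(part)
            for part in re.split(r"[,\s]+", match.group("value").strip())
            if part
        ]
        entries.append({
            "control_set": match.group("cs"),
            # Global setting, or the GUID of one network interface.
            "scope": match.group("iface") or "Parameters",
            "servers": servers,
        })
    return entries


def find_unexpected_resolvers(log_text, expected):
    """Map each resolver outside `expected` (IPs or CIDR ranges) to the
    (control set, scope) pairs where it is configured."""
    expected_nets = [ipaddress.ip_network(item) for item in expected]
    findings = defaultdict(set)
    for entry in parse_o17(log_text):
        for server in entry["servers"]:
            # A value that is not a valid address is always reported.
            known = not isinstance(server, str) and any(
                server in net for net in expected_nets
            )
            if not known:
                findings[str(server)].add((entry["control_set"], entry["scope"]))
    return {ip: sorted(places) for ip, places in findings.items()}


if __name__ == "__main__":
    # Assumption: the only resolver this machine should use is the home router.
    report = find_unexpected_resolvers(SAMPLE_LOG, ["192.168.1.1"])
    for ip, places in sorted(report.items()):
        print(ip)
        for control_set, scope in places:
            print(f"    {control_set}  {scope}")
```

The report lists every control set and interface key that carries the value, which is the full set of places to check after a cleanup.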
Rorschach112
post May 17 2009, 02:44 PM
Post #2


GeekU Teacher
Posts: 34,385
From: Dublin
OS: XP



hi

Download ComboFix from one of these locations:

Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you don't know how to disable them then just continue on.

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.


**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.





Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt log in your next reply.



kwisj
post May 19 2009, 01:41 AM
Post #3


Member
Posts: 20
OS: xp



Hi Rorschach112, thanx for getting back to me so quickly. Unfortunately for me, I downloaded MBAM which removed about 17 trojans, but in the process it removed stuff from the temp file in Windows, put there by these things, which means I now can't boot the computer. There was something there called something like perfil_perfdata_360 which I removed, along with a few other things using the file killer tool in MBAM. On restarting the PC, it would not get past the initial start up screen, and would not allow me into the BIOS. Even without the hard discs connected only the initial screen comes up, it doesn't even say can't find bootable drives. I discovered why I could not access the hard drives originally, this was due to an autorun infection. I removed that with Autorun Eater, and things went back to normal.
I also had a DNSchanger infection which MBAM removed, and again things went back to normal with the DNS settings. What annoys me is why the antivirus did not catch these, neither did Windows Defender. The firewall saw something happening, but it was not very clear to me what was going on.
Maybe you could give me some help on fixing the PC, however, I bet you things are now much more difficult, if not impossible to fix. If unfixable could you tell me how to avoid this in the future? I now have MBAM, and Autorun Eater (this is always on). Is it worth getting MBAM subscription version so that runs all the time? This PC is Vista. The ones at work are XP and I have run MBAM, and it has spotted a few trojans. Norton is running on one, and did not see them, and ESET is running on the other. MBAM and Autorun Eater are freeware and the paid-for antivirus progs missed all this. Thanks for your time and patience in reading all this.
kwisj
Unfortunately for the cheeky f***ers that designed all this virus and malware s**t I backed up everything 3 times and have lost no data, but it's been a right pain in the BTM.
Rorschach112
post May 19 2009, 04:11 AM
Post #4


GeekU Teacher
Posts: 34,385
From: Dublin
OS: XP



Can you boot up properly on the infected machine?
kwisj
post May 19 2009, 09:52 AM
Post #5


Member
Posts: 20
OS: xp



hi
No I can't, it just goes to the Fujitsu Siemens start page. I can't even enter the BIOS.
Sounds like I made a complete bollacka with this eh?
kwisj
Thanks for getting back so quick.
You mentioned a recovery console, I would like to know a little more about that, at least to set that up to try and avoid such things happening in future.
Rorschach112
post May 19 2009, 12:09 PM
Post #6


GeekU Teacher
Posts: 34,385
From: Dublin
OS: XP



try this first

Boot from the Windows XP installation CD.

At the "Welcome to Setup" screen, press R to start Recovery Console. Choose the installation to be repaired by number (usually 1) and press "Enter".

When you are asked for the Administrator password, leave it blank and press "Enter".

At the command prompt, type chkdsk /r and press "Enter". (Note the space before /r) The disk check operation will start.

This will be a very thorough check of the hard drive and the file system...be patient and let it complete. It may appear to hang or even back up a few times...this is normal. 60 to 90 minutes is not unusual for this check...it may take longer in some cases.

Once the check completes and you are back at the command prompt, type exit and press "Enter". Let your computer boot normally to Windows.
kwisj
post May 20 2009, 03:00 AM
Post #7


Member
Posts: 20
OS: xp



OK, this is really weird what just happened. I started to do what you said. I started the PC, put the disc in, restarted the PC, but there was no signal detected by the monitor. I left it for a minute or two but nothing happened. I switched the PC off at the power button and restarted it. I got distracted for about 5 mins and all of a sudden the PC booted. I ran MBAM and it reported that the system was clean.
Is everything OK now?
Should there be any other checks that I should do?
And like I said, are there any precautions that I can take? Like that recovery console. I keep reading about booting from floppy discs, but my PC has no floppy drive. Mentioning paid-for antivirus software and their inability to catch this malware, I ran MBAM on a friend's PC and it caught 39 infections. So I guess you need more than antivirus, firewall, and Windows Defender software running. As you have been so helpful could you give me an idiot's guide to some standing security features that I should have set up to avoid all this happening again?
I'm so impressed that folks like you do this for free.
Kwisj
Malwarebytes' Anti-Malware 1.36
Database version: 2143
Windows 5.1.2600 Service Pack 3

5/20/2009 10:36:56 AM
mbam-log-2009-05-20 (10-36-56).txt

Scan type: Quick Scan
Objects scanned: 70296
Time elapsed: 2 minute(s), 13 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

This post has been edited by kwisj: May 20 2009, 03:01 AM
Rorschach112
post May 20 2009, 03:49 AM
Post #8


GeekU Teacher
Posts: 34,385
From: Dublin
OS: XP



can you run combofix on it again
kwisj
post May 20 2009, 10:17 AM
Post #9


Member
Posts: 20
OS: xp



hi here is the combofix log
cheers for your trouble in looking at this
kwisj
ComboFix 09-05-19.08 - PORKY 05/20/2009 18:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2047.1492 [GMT 2:00]
Running from: c:\documents and settings\PORKY\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 4.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
.

((((((((((((((((((((((((( Files Created from 2009-04-20 to 2009-05-20 )))))))))))))))))))))))))))))))
.

2009-05-20 16:01 . 2009-05-20 16:01 -------- d-----w c:\windows\Cache
2009-05-20 11:14 . 2009-05-20 11:14 -------- d-----w c:\documents and settings\etc
2009-05-20 11:13 . 2009-05-20 13:27 -------- d-----w c:\documents and settings\PORKY\Application Data\Creative
2009-05-20 10:43 . 2003-03-05 10:19 15840 ----a-w c:\windows\system32\drivers\PfModNT.sys
2009-05-20 10:43 . 1999-11-18 01:00 25088 ------w c:\windows\system32\CTSVCCTL.EXE
2009-05-20 10:43 . 1999-12-13 01:01 44032 ------w c:\windows\system32\CTSVCCDA.EXE
2009-05-20 10:43 . 2009-05-20 11:08 -------- d-----w c:\program files\Creative
2009-05-20 10:20 . 2009-05-20 10:20 -------- d-----w c:\program files\Freecom Network Storage Assistant
2009-05-20 10:15 . 2008-04-14 00:12 221184 ----a-w c:\windows\system32\wmpns.dll
2009-05-20 10:15 . 2009-05-20 10:15 -------- d-----w c:\program files\Windows Media Connect 2
2009-05-20 10:14 . 2009-05-20 10:14 -------- d-----w c:\windows\system32\drivers\UMDF
2009-05-20 10:14 . 2009-05-20 10:14 -------- d-----w c:\windows\system32\LogFiles
2009-05-20 09:26 . 2009-05-20 10:12 -------- d-----w c:\program files\Winamp
2009-05-20 09:26 . 2009-05-20 10:12 -------- d-----w c:\documents and settings\PORKY\Application Data\Winamp
2009-05-20 09:10 . 2009-05-20 09:10 -------- d-----w c:\program files\Audacity
2009-05-20 08:36 . 2008-10-16 12:06 208744 ----a-w c:\windows\system32\muweb.dll
2009-05-20 08:36 . 2008-10-16 12:06 268648 ----a-w c:\windows\system32\mucltui.dll
2009-05-17 09:05 . 2009-05-17 09:05 -------- d-----w c:\program files\Microsoft
2009-05-17 09:05 . 2009-05-17 09:05 -------- d-----w c:\program files\Windows Live SkyDrive
2009-05-17 09:05 . 2009-05-17 09:05 -------- d-----w c:\program files\Windows Live
2009-05-17 08:55 . 2009-05-17 08:55 -------- d-----w c:\program files\Common Files\Windows Live
2009-05-17 08:21 . 2009-05-17 08:21 -------- d-----w c:\documents and settings\PORKY\Application Data\Malwarebytes
2009-05-17 08:21 . 2009-04-06 13:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-05-17 08:21 . 2009-04-06 13:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-05-17 08:21 . 2009-05-17 08:21 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-05-17 08:21 . 2009-05-17 08:21 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-17 08:18 . 2009-05-20 13:41 -------- d-----w c:\program files\Autorun Eater
2009-05-11 14:32 . 2009-05-11 14:32 -------- d-----w c:\documents and settings\PORKY\Local Settings\Application Data\GHISLER
2009-05-11 12:45 . 2009-05-11 12:45 -------- d-----w c:\program files\File Shredder
2009-05-11 12:45 . 2008-08-08 05:04 545 ----a-w c:\windows\NOCLOSE.PIF
2009-05-11 12:45 . 2008-08-08 05:04 545 ----a-w c:\windows\PKUNZIP.PIF
2009-05-11 12:45 . 2008-08-08 05:04 545 ----a-w c:\windows\PKZIP.PIF
2009-05-11 12:45 . 2008-08-08 05:04 545 ----a-w c:\windows\RAR.PIF
2009-05-11 12:45 . 2008-08-08 05:04 545 ----a-w c:\windows\UC.PIF
2009-05-11 12:45 . 2008-08-08 05:04 545 ----a-w c:\windows\ARJ.PIF
2009-05-11 12:45 . 2008-08-08 05:04 545 ----a-w c:\windows\LHA.PIF
2009-05-11 12:45 . 2009-05-11 12:46 -------- d-----w C:\totalcmd

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-20 11:07 . 2009-04-15 19:07 -------- d--h--w c:\program files\InstallShield Installation Information
2009-05-20 08:35 . 2009-04-18 08:30 -------- d-----w c:\program files\LogMeIn
2009-05-17 09:06 . 2009-04-15 19:03 13688 ----a-w c:\documents and settings\PORKY\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-18 20:50 . 2009-04-18 20:50 -------- d-----w c:\program files\JRE
2009-04-18 20:49 . 2009-04-18 20:49 -------- d-----w c:\program files\OpenOffice.org 3
2009-04-18 20:49 . 2009-04-18 11:21 -------- d-----w c:\program files\Java
2009-04-18 20:47 . 2009-04-18 20:47 410984 ----a-w c:\windows\system32\deploytk.dll
2009-04-15 22:36 . 2009-04-15 22:36 -------- d-----w c:\program files\CCleaner
2009-04-15 22:17 . 2009-04-15 22:17 0 ----a-w c:\windows\nsreg.dat
2009-04-15 20:57 . 2009-04-15 20:57 -------- d-----w c:\program files\Realtek
2009-04-15 20:57 . 2009-04-15 20:57 315392 ----a-w c:\windows\HideWin.exe
2009-04-15 20:55 . 2009-04-15 20:55 0 ----a-w c:\windows\ativpsrm.bin
2009-04-15 20:51 . 2009-04-15 20:51 -------- d-----w c:\program files\My Company Name
2009-04-15 20:51 . 2009-04-15 20:46 -------- d-----w c:\program files\ATI Technologies
2009-04-15 20:49 . 2009-04-15 20:49 -------- d-----w c:\program files\Common Files\ATI Technologies
2009-04-15 20:47 . 2009-04-15 19:07 -------- d-----w c:\program files\Common Files\InstallShield
2009-04-15 19:29 . 2009-04-15 19:29 -------- d-----w c:\program files\ESET
2009-04-15 19:08 . 2009-04-15 19:07 -------- d-----w c:\program files\ANI
2009-04-15 19:07 . 2009-04-15 19:07 -------- d-----w c:\program files\Conceptronic
2009-04-15 18:58 . 2009-04-15 18:58 -------- d-----w c:\program files\microsoft frontpage
2009-04-15 18:56 . 2009-04-15 18:56 21640 ----a-w c:\windows\system32\emptyregdb.dat
2009-03-19 09:45 . 2009-03-19 09:45 93848 ----a-w c:\windows\system32\drivers\epfwtdir.sys
2009-03-19 09:44 . 2009-03-19 09:44 107256 ----a-w c:\windows\system32\drivers\ehdrv.sys
2009-03-19 09:41 . 2009-03-19 09:41 113960 ----a-w c:\windows\system32\drivers\eamon.sys
2009-03-06 14:22 . 2004-08-04 01:07 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 01:07 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-20 18:09 . 2004-08-04 01:07 78336 ----a-w c:\windows\system32\ieencode.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"SB Wireless Music"="c:\program files\Creative\SB Wireless Music\Media Server\SBWMsvr.exe" [2004-02-19 98304]
"Creative Detector"="c:\program files\Creative\MediaSource\Detector\CTDetect.exe" [2003-10-02 98304]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ANIWZCS2Service"="c:\program files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2007-01-19 49152]
"egui"="c:\program files\ESET\ESET NOD32 Antivirus\egui.exe" [2009-03-19 2029640]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2008-07-24 63048]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-18 148888]
"Autorun Eater"="c:\program files\Autorun Eater\oldmcdonald.exe" [2008-11-27 501768]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2009-04-10 37888]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-08-03 1826816]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-08-20 16384512]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2008-10-16 18:35 87352 ----a-w c:\windows\system32\LMIinit.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Freecom Network Storage Assistant\\FNSA.exe"=
"c:\\Program Files\\Creative\\SB Wireless Music\\Media Server\\SBWMsvr.exe"=
"c:\\Program Files\\Conceptronic\\Conceptronic 54Mbps Wireless Utility\\WlanMon.exe"=

R1 ehdrv;ehdrv;c:\windows\system32\drivers\ehdrv.sys [3/19/2009 11:44 AM 107256]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [3/19/2009 11:45 AM 93848]
R2 ekrn;ESET Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [3/19/2009 11:44 AM 731840]
R2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\rainfo.sys [7/24/2008 6:46 PM 12856]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;c:\windows\system32\drivers\LMIRfsDriver.sys [4/18/2009 10:31 AM 47640]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [4/15/2009 10:47 PM 93696]
S0 aochxtar;aochxtar;c:\windows\system32\drivers\amxkzgh.sys --> c:\windows\system32\drivers\amxkzgh.sys [?]
S4 LMIRfsClientNP;LMIRfsClientNP; [x]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://uk.yahoo.com/index_narrow.html
FF - ProfilePath - c:\documents and settings\PORKY\Application Data\Mozilla\Firefox\Profiles\isfsdvpg.default\
FF - prefs.js: browser.startup.homepage - hxxp://uk.yahoo.com/
FF - plugin: c:\documents and settings\PORKY\Application Data\Mozilla\Firefox\Profiles\isfsdvpg.default\extensions\LogMeInClient@logmein.com\plugins\npRACtrl.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-20 18:14
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Creative Detector = c:\program files\Creative\MediaSource\Detector\CTDetect.exe /R??o?u?r?c?e?\?D?e?t?e?c?t?o?r?\?C?T?D?e?t?e?c?t?.?e?x?e??????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(584)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll

- - - - - - - > 'explorer.exe'(3108)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-05-20 18:15
ComboFix-quarantined-files.txt 2009-05-20 16:15

Pre-Run: 96,458,661,888 bytes free
Post-Run: 96,470,110,208 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

155 --- E O F --- 2009-05-20 13:40
Rorschach112
post May 20 2009, 12:20 PM
Post #10


GeekU Teacher
Posts: 34,385
From: Dublin
OS: XP



do you recognise these files

2009-05-11 12:45 . 2008-08-08 05:04 545 ----a-w c:\windows\NOCLOSE.PIF
2009-05-11 12:45 . 2008-08-08 05:04 545 ----a-w c:\windows\PKUNZIP.PIF
2009-05-11 12:45 . 2008-08-08 05:04 545 ----a-w c:\windows\PKZIP.PIF
2009-05-11 12:45 . 2008-08-08 05:04 545 ----a-w c:\windows\RAR.PIF
2009-05-11 12:45 . 2008-08-08 05:04 545 ----a-w c:\windows\UC.PIF
2009-05-11 12:45 . 2008-08-08 05:04 545 ----a-w c:\windows\ARJ.PIF
2009-05-11 12:45 . 2008-08-08 05:04 545 ----a-w c:\windows\LHA.PIF
kwisj
post May 20 2009, 01:03 PM
Post #11


Member
Posts: 20
OS: xp



Hi. No, I don't think so. I downloaded rarzilla the other day, but not on the 8th.
kwisj
Rorschach112
post May 20 2009, 01:34 PM
Post #12


GeekU Teacher
Posts: 34,385
From: Dublin
OS: XP



hi

Please download OTMoveIt3 by OldTimer
  • Save it to your desktop.
  • Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
  • Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    CODE
    :Processes
    explorer.exe

    :Services

    :Reg

    :Files
    c:\windows\NOCLOSE.PIF
    c:\windows\PKUNZIP.PIF
    c:\windows\PKZIP.PIF
    c:\windows\RAR.PIF
    c:\windows\UC.PIF
    c:\windows\ARJ.PIF
    c:\windows\LHA.PIF

    :Commands
    [purity]
    [emptytemp]
    [start explorer]
    [Reboot]

  • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt3

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.



Please download ATF Cleaner by Atribune.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.




Please download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.






Go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
kwisj
post May 21 2009, 03:03 PM
Post #13


Member
Posts: 20
OS: xp



hi there
Here is the OTMoveIt log, and the MBAM log. I have tried to scan the PC using Kaspersky, but it keeps rebooting at 25% PC scan. This has happened 3 times. What's going on there? My antivirus is telling me it's deactivated, and I can't seem to activate it.
thanks for your time in all this
kwisj
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
c:\windows\NOCLOSE.PIF moved successfully.
c:\windows\PKUNZIP.PIF moved successfully.
c:\windows\PKZIP.PIF moved successfully.
c:\windows\RAR.PIF moved successfully.
c:\windows\UC.PIF moved successfully.
c:\windows\ARJ.PIF moved successfully.
c:\windows\LHA.PIF moved successfully.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\PORKY\LOCALS~1\Temp\etilqs_k5e5d1G22WMo2rkzQCZE scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\PORKY\LOCALS~1\Temp\JET4008.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\PORKY\LOCALS~1\Temp\JET4315.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\PORKY\LOCALS~1\Temp\~DF41E5.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
User's Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\PORKY\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User's Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_2ac.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\PORKY\Local Settings\Application Data\Mozilla\Firefox\Profiles\isfsdvpg.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\PORKY\Local Settings\Application Data\Mozilla\Firefox\Profiles\isfsdvpg.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\PORKY\Local Settings\Application Data\Mozilla\Firefox\Profiles\isfsdvpg.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\PORKY\Local Settings\Application Data\Mozilla\Firefox\Profiles\isfsdvpg.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\PORKY\Local Settings\Application Data\Mozilla\Firefox\Profiles\isfsdvpg.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\PORKY\Local Settings\Application Data\Mozilla\Firefox\Profiles\isfsdvpg.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 05212009_205243

Files moved on Reboot...
File C:\DOCUME~1\PORKY\LOCALS~1\Temp\etilqs_k5e5d1G22WMo2rkzQCZE not found!
File C:\DOCUME~1\PORKY\LOCALS~1\Temp\JET4008.tmp not found!
File C:\DOCUME~1\PORKY\LOCALS~1\Temp\JET4315.tmp not found!
C:\DOCUME~1\PORKY\LOCALS~1\Temp\~DF41E5.tmp moved successfully.
File C:\WINDOWS\temp\Perflib_Perfdata_2ac.dat not found!
C:\Documents and Settings\PORKY\Local Settings\Application Data\Mozilla\Firefox\Profiles\isfsdvpg.default\Cache\_CACHE_001_ moved successfully.
C:\Documents and Settings\PORKY\Local Settings\Application Data\Mozilla\Firefox\Profiles\isfsdvpg.default\Cache\_CACHE_002_ moved successfully.
C:\Documents and Settings\PORKY\Local Settings\Application Data\Mozilla\Firefox\Profiles\isfsdvpg.default\Cache\_CACHE_003_ moved successfully.
C:\Documents and Settings\PORKY\Local Settings\Application Data\Mozilla\Firefox\Profiles\isfsdvpg.default\Cache\_CACHE_MAP_ moved successfully.
C:\Documents and Settings\PORKY\Local Settings\Application Data\Mozilla\Firefox\Profiles\isfsdvpg.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\PORKY\Local Settings\Application Data\Mozilla\Firefox\Profiles\isfsdvpg.default\XUL.mfl moved successfully.


Malwarebytes' Anti-Malware 1.36
Database version: 2143
Windows 5.1.2600 Service Pack 3

5/21/2009 9:04:17 PM
mbam-log-2009-05-21 (21-04-17).txt

Scan type: Quick Scan
Objects scanned: 71764
Time elapsed: 1 minute(s), 41 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

This post has been edited by kwisj: May 21 2009, 03:06 PM
Rorschach112
post May 21 2009, 03:24 PM
Post #14


GeekU Teacher
Posts: 34,385
From: Dublin
OS: XP



try this

Please click here to download AVP Tool by Kaspersky.
  • Save it to your desktop.
  • Reboot your computer into SafeMode.
    You can do this by restarting your computer and continually tapping the F8 key until a menu appears.
    Use your up arrow key to highlight SafeMode, then hit Enter.
  • Double click the setup file to run it.
  • Click Next to continue.
  • It will by default install it to your desktop folder. Click Next.
  • Hit OK at the prompt for scanning in Safe Mode.
  • It will then open a box. There will be a tab that says Automatic scan.
  • Under Automatic scan make sure these are checked.

  • System Memory
  • Startup Objects
  • Disk Boot Sectors.
  • My Computer.
  • Also any other drives (Removable that you may have)


  • Then click on Scan at the top right-hand corner.
  • It will automatically Neutralize any objects found.
  • If some objects are left unneutralized, then click the button that says Neutralize all.
  • If it says it cannot be Neutralized, then choose the Delete option when prompted.
  • After that is done, click on the Reports button at the bottom and save it to a file; name it Kas.
  • Save it somewhere convenient like your desktop and post only the detected virus\malware in the report. It will be at the very top under Detected. Post those results in your next reply.

    Note: This tool will self uninstall when you close it so please save the log before closing it.
kwisj
post May 22 2009, 06:13 AM
Post #15


Member
Posts: 20
OS: xp



Hi there
OK, I downloaded the AVP Kaspersky setup file, rebooted in safe mode, started the application and it told me that some of the files were corrupted, so it couldn't complete the setup.
Would it be an idea to download the AVP to another computer and pass it over to the PC that we are working on? Because yesterday I had real problems trying to download the Kaspersky stuff to the problem PC. It kept rebooting. So maybe with all the rebooting the files may have been corrupted.
Cheers for your time again
kwisj
BTW
I notice in the Windows temp folder there are loads of things called Perflib_Perfdata_ with the extension DAT.
Is any of that relevant?
OK, I downloaded the AVP tool again, started in safe mode, and it failed: 'virus bases are invalid', it says.
I think I'm beginning to get bored of this, and perhaps it would be a good idea to reformat the whole of the hard drive... What do you think?

This post has been edited by kwisj: May 22 2009, 07:00 AM