spyware/virus named 'Troj/Rustok-N' [Closed] [Solved], I've got the dreaded 'Troj/Rustok-N' virus
PeterBro
post Jun 12 2009, 01:28 PM
Post #1


Member
Posts: 16
OS: Vista



Can somebody please take me through the paces to help me remove this virus named 'Troj/Rustok-N'?

It would be greatly appreciated
Essexboy
post Jun 12 2009, 01:31 PM
Post #2


GeekU Moderator
Posts: 18,766
From: Darkest Cornwall
OS: Vista Ultimate & Windows 7



Please follow all of the steps in this section of the Malware Forum. These self-help tools will help you clean up 70% of problems on your own. If you are still having problems after doing the steps, then please post the rooter and OTL logs in this thread.
PeterBro
post Jun 12 2009, 02:05 PM
Post #3


Member
Posts: 16
OS: Vista



Thanks Essex, but I've hit a snag. I've gotten to the step that says download mbam and it tells me "Oops! This link appears to be broken." I've tried going to the web address manually, searching for it, etc.

Should I be doing this all in safe mode rather than normal mode, which I am currently in?
PeterBro
post Jun 12 2009, 02:49 PM
Post #4


Member
Posts: 16
OS: Vista



*Update* Tried to download mbam in safe mode and experienced the same problem.
Essexboy
post Jun 12 2009, 04:11 PM
Post #5


GeekU Moderator
Posts: 18,766
From: Darkest Cornwall
OS: Vista Ultimate & Windows 7



OK, in that case:

To ensure that I get all the information, this log will need to be attached (instructions at the end); if it is too large to attach, then upload it to Mediafire and post the sharing link.

Download OTS to your Desktop
  • Close ALL OTHER PROGRAMS.
  • Double-click on OTS.exe to start the program.
  • Check the box that says Scan All Users
  • Under Additional Scans check the following:
    • File - Lop Check
    • File - Purity Scan
    • Evnt - EvtViewer (last 10)
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:
  • Click Add Reply
  • Under the reply panel is the Attachments Panel
  • Browse for the attachment file you want to upload, then click the green Upload button
  • Once it has uploaded, click the Manage Current Attachments drop down box
  • Click on to insert the attachment into your post


PeterBro
post Jun 12 2009, 04:38 PM
Post #6


Member
Posts: 16
OS: Vista



Thank you very much so far, EssexBoy. Here's my log.



Attached File  OTS.Txt ( 182.77K ) Number of downloads: 82
Essexboy
post Jun 13 2009, 04:55 AM
Post #7


GeekU Moderator
Posts: 18,766
From: Darkest Cornwall
OS: Vista Ultimate & Windows 7



OK, you appear to have a rootkit. I will reset your internet first so that you can download stuff. I note that you have Avira and Norton; which is your main antivirus?

Start OTS. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

CODE
[Kill All Processes]
[Unregister Dlls]
[Registry - Safe List]
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\
YN -> NameServer -> 85.255.112.24,85.255.112.118
< Name Servers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\
YN -> {80D8CA13-8438-4D45-8407-5CC1A29E9EBB}\\NameServer -> 85.255.112.24,85.255.112.118   (Dell Wireless 1505 Draft 802.11n WLAN Mini-Card)
YN -> {9D5096D6-1BEC-4856-B9E0-8E96A0C291DE}\\DhcpNameServer -> 85.255.112.24,85.255.112.118   (Broadcom 440x 10/100 Integrated Controller)
YN -> {9D5096D6-1BEC-4856-B9E0-8E96A0C291DE}\\NameServer -> 85.255.112.24,85.255.112.118   (Broadcom 440x 10/100 Integrated Controller)
< Drives with AutoRun files > ->
NY -> C:\autorun.inf [[autorun] |;dczrddadllftaznqaeilvrhnqvplqovgdgjbplqgnjmgsrksleedvatpjvmw | shellexecute="RECYCLER\S-4-3-52-100026612-100009763-100024268-2793.com c:\" |;mlotyyigbjucdkkznddmgdwfhpspzasdizteipqaraehzblqowdwykaeghprghkwhvyeildijhkwxxyovowmbrclqummcxqdowfxeckm | shell\Open\command="RECYCLER\S-4-3-52-100026612-100009763-100024268-2793.com c:\" |;haqpiitqnmvurazwxddyxhxrpwinxelbekmlttkuzxoqmkpikrixczjxactgkqpxkmr | shell=Open | ] -> C:\autorun.inf [ NTFS ]
NY -> D:\autorun.inf [[autorun] |;btzxomrlbbbnluwjosobhuvsxnhn | shellexecute="RECYCLER\S-4-3-52-100026612-100009763-100024268-2793.com d:\" |;wovszvvusvdavvmljfxahllq | shell\Open\command="RECYCLER\S-4-3-52-100026612-100009763-100024268-2793.com d:\" |;ztmjkjxivunpwgdlcfkigbrsjvkqnincyltszpzgwlebvhdjbypxwbhvnmuiwpnih | shell=Open | ] -> D:\autorun.inf [ NTFS ]
[Files/Folders - Created Within 30 Days]
NY -> {5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job -> C:\Windows\tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
NY -> gxvxccount -> C:\Windows\System32\gxvxccount
[Files/Folders - Modified Within 30 Days]
NY -> gxvxccount -> C:\Windows\System32\gxvxccount
[Empty Temp Folders]
[Start Explorer]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here.

I will review the information when it comes back in.

THEN

Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

Link 1
Link 2
Link 3





--------------------------------------------------------------------

Double click on Combo-Fix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with an OTListIt log so we can continue cleaning the system.


Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
PeterBro
post Jun 14 2009, 02:37 AM
Post #8


Member
Posts: 16
OS: Vista



Hello again,


I use Norton as my main antivirus and Avira as a second opinion.


Regarding the code you sent to place within OTS, no luck. I can copy/paste it into the program just fine, but as soon as I say Run Fix it goes for 30 seconds, then the program freezes up or my system will freeze, forcing me to restart the machine.


Essexboy
post Jun 14 2009, 05:28 AM
Post #9


GeekU Moderator
Posts: 18,766
From: Darkest Cornwall
OS: Vista Ultimate & Windows 7



OK, go straight to ComboFix and run it from safe mode if need be; it will complain, but ignore that.

PeterBro
post Jun 14 2009, 10:13 PM
Post #10


Member
Posts: 16
OS: Vista



Hello, here's my ComboFix log.

ComboFix 09-06-14.02 - Peter 14/06/2009 21:42.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6000.0.1252.2.1033.18.2046.999 [GMT -6:00]
Running from: c:\users\Peter\Desktop\Combo-Fix.exe
AV: AntiVir Desktop *On-access scanning disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
AV: Norton Internet Security *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Security *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
SP: AntiVir Desktop *disabled* (Updated) {AD166499-45F9-482A-A743-FDD3350758C7}
SP: Lavasoft Ad-Watch Live! *disabled* (Updated) {67844DAE-4F77-4D69-9457-98E8CFFDAA22}
SP: Norton Internet Security *disabled* (Updated) {CBB7EE13-8244-4DAB-8B55-D5C7AA91E59A}
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\autorun.inf
c:\windows\system32\gxvxccount
c:\windows\Tasks\{5B57CF47-0BFA-43c6-ACF9-3B3653DCADBA}.job
D:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-05-15 to 2009-06-15 )))))))))))))))))))))))))))))))
.

2009-06-15 03:53 . 2009-06-15 09:05 606 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\WebProtectionDefs\tmp181.tmp\cur.scr
2009-06-15 03:50 . 2009-06-15 03:51 -------- d-----w- c:\users\Peter\AppData\Local\temp
2009-06-15 03:32 . 2009-03-12 09:03 165240 ----a-r- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-06-14 07:22 . 2009-06-14 07:22 -------- d-----w- C:\_OTS
2009-06-14 05:48 . 2009-06-04 16:24 89104 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090613.023\NAVENG.SYS
2009-06-14 05:48 . 2009-06-04 16:24 876144 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090613.023\NAVEX15.SYS
2009-06-14 05:48 . 2009-06-04 16:24 177520 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090613.023\NAVENG32.DLL
2009-06-14 05:48 . 2009-06-04 16:24 1181040 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090613.023\NAVEX32A.DLL
2009-06-14 05:48 . 2009-06-04 16:24 101936 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090613.023\ERASER.SYS
2009-06-14 05:48 . 2009-06-04 16:24 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090613.023\EECTRL.SYS
2009-06-14 05:48 . 2009-06-04 16:24 259368 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090613.023\ECMSVR32.DLL
2009-06-14 05:48 . 2009-06-04 16:24 2414128 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090613.023\CCERASER.DLL
2009-06-12 21:40 . 2009-03-16 20:03 533880 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\Scxpx86.dll
2009-06-12 21:40 . 2009-01-29 21:50 276344 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\IDSXpx86.sys
2009-06-12 21:40 . 2009-01-29 21:50 447864 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\IDSxpx86.dll
2009-06-12 21:40 . 2009-01-29 21:50 292912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\IDSvix86.sys
2009-06-12 21:40 . 2009-01-29 21:50 396848 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\IDSviA64.sys
2009-06-12 20:37 . 2009-06-12 20:37 456304 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtb8D91.tmp.exe
2009-06-12 20:01 . 2009-06-12 20:01 -------- d-----w- c:\program files\ERUNT
2009-06-10 07:53 . 2009-03-30 16:33 96104 ----a-w- c:\windows\system32\drivers\avipbb.sys
2009-06-10 07:53 . 2009-03-24 22:08 55640 ----a-w- c:\windows\system32\drivers\avgntflt.sys
2009-06-10 07:52 . 2009-06-10 07:52 -------- d-----w- c:\programdata\Avira
2009-06-10 07:52 . 2009-06-10 07:52 -------- d-----w- c:\program files\Avira
2009-06-08 19:04 . 2009-03-16 20:03 533880 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\Scxpx86.dll
2009-06-08 19:04 . 2009-01-29 21:50 276344 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSXpx86.sys
2009-06-08 19:04 . 2009-01-29 21:50 292912 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSvix86.sys
2009-06-08 19:04 . 2009-01-29 21:50 447864 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSxpx86.dll
2009-06-08 19:03 . 2009-01-29 21:50 396848 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090604.001\IDSviA64.sys
2009-06-05 17:36 . 2005-05-25 05:00 90112 ------w- c:\windows\SDUnInst.exe
2009-06-04 06:02 . 2009-06-05 17:07 680 ----a-w- c:\users\Peter\AppData\Local\d3d9caps.dat
2009-06-03 07:27 . 2009-06-03 07:27 152904 ----a-w- c:\windows\system32\vghd.scr
2009-06-03 07:27 . 2009-06-04 06:01 -------- d-----w- c:\program files\vghd
2009-06-03 07:27 . 2009-06-04 05:54 -------- d-----w- c:\users\Peter\AppData\Roaming\vghd
2009-05-28 03:54 . 2009-05-28 03:54 456304 ----a-w- c:\programdata\Google\Google Toolbar\Update\gtbB8B6.tmp.exe
2009-05-25 03:22 . 2008-04-17 18:12 107368 ----a-w- c:\windows\system32\GEARAspi.dll
2009-05-25 03:22 . 2009-03-19 22:32 23400 ----a-w- c:\windows\system32\drivers\GEARAspiWDM.sys
2009-05-25 03:22 . 2009-05-25 03:22 -------- d-----w- c:\program files\iPod
2009-05-25 03:22 . 2009-05-25 03:22 -------- d-----w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-25 03:22 . 2009-05-25 03:22 -------- d-----w- c:\program files\iTunes
2009-05-25 03:10 . 2009-05-25 03:10 75048 ----a-w- c:\programdata\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-17 20:04 . 2009-05-17 19:55 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-05-17 19:55 . 2009-05-17 19:54 64160 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-05-17 19:55 . 2009-05-17 19:55 299352 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\threatwork.exe
2009-05-17 19:55 . 2009-05-17 19:55 25440 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\savapibridge.dll
2009-05-17 19:55 . 2009-05-17 19:55 165728 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavamessage.dll
2009-05-17 19:55 . 2009-05-17 19:55 15688 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lsdelete.exe
2009-05-17 19:55 . 2009-05-17 19:55 343888 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\lavalicense.dll
2009-05-17 19:55 . 2009-05-17 19:55 289632 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\UpdateManager.dll
2009-05-17 19:55 . 2009-05-17 19:55 82784 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\ShellExt.dll
2009-05-17 19:55 . 2009-05-17 19:55 1629024 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Resources.dll
2009-05-17 19:54 . 2009-05-17 19:54 212848 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\RPAPI.dll
2009-05-17 19:54 . 2009-05-17 19:54 40288 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\PrivacyClean.dll
2009-05-17 19:54 . 2009-05-17 19:54 64160 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Drivers\32\lbd.sys
2009-05-17 19:54 . 2009-05-17 19:54 632680 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\CEAPI.dll
2009-05-17 19:54 . 2009-05-17 19:54 539512 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareCommand.exe
2009-05-17 19:54 . 2009-05-17 19:54 552808 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-AwareAdmin.exe
2009-05-17 19:54 . 2009-05-17 19:54 2324808 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\Ad-Aware.exe
2009-05-17 19:54 . 2009-05-17 19:54 626000 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWWSC.exe
2009-05-17 19:54 . 2009-05-17 19:54 516440 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWTray.exe
2009-05-17 19:54 . 2009-05-17 19:54 953168 ----a-w- c:\programdata\Lavasoft\Ad-Aware\Update\AAWService.exe
2009-05-17 19:51 . 2009-05-17 19:51 -------- dc-h--w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-05-17 19:51 . 2009-03-12 08:17 2902048 -c--a-w- c:\programdata\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}\Ad-AwareAE.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-14 22:01 . 2009-06-14 22:01 1307 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\tmp7d6c.tmp\cur.scr
2009-06-14 07:45 . 2007-10-21 17:59 158155 ----a-w- c:\users\Peter\AppData\Roaming\nvModes.dat
2009-06-14 07:21 . 2009-02-02 16:41 -------- d-----w- c:\programdata\Google Updater
2009-06-13 16:51 . 2008-01-02 02:39 -------- d-----w- c:\users\Peter\AppData\Roaming\Azureus
2009-06-13 00:00 . 2008-01-22 19:33 -------- d-----w- c:\program files\Norton Security Scan
2009-06-10 07:16 . 2007-10-30 22:12 -------- d-----w- c:\program files\Common Files\Apple
2009-06-10 07:15 . 2007-10-05 11:05 -------- d-----w- c:\program files\Microsoft Works
2009-06-05 20:17 . 2007-12-28 07:26 -------- d-----w- c:\program files\Lavasoft
2009-06-05 20:17 . 2007-10-05 11:04 -------- d-----w- c:\program files\Google
2009-06-05 20:17 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2009-06-04 16:24 . 2009-06-15 03:54 371248 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\tmp3bab.tmp\EECTRL.SYS
2009-06-04 16:24 . 2009-06-15 03:54 259368 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\tmp3bab.tmp\ECMSVR32.DLL
2009-06-04 16:24 . 2009-06-15 03:54 101936 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\tmp3bab.tmp\ERASER.SYS
2009-06-04 16:24 . 2009-06-15 03:54 2414128 ----a-w- c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\tmp3bab.tmp\CCERASER.DLL
2009-05-13 06:18 . 2008-05-12 04:23 181 ----a-w- c:\users\Peter\AppData\Roaming\Azureus\restart.bat
2009-05-07 05:46 . 2008-01-02 02:38 -------- d-----w- c:\program files\Azureus
2009-04-22 16:15 . 2009-03-15 21:02 -------- d-----w- c:\programdata\Lx_cats
2009-04-22 07:25 . 2009-04-22 07:25 -------- d-----w- c:\users\Peter\AppData\Roaming\Uniblue
2009-03-25 22:34 . 2009-01-12 01:57 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-03-25 04:48 . 2007-10-16 18:22 90336 ----a-w- c:\users\Peter\AppData\Local\GDIPFONTCACHEV1.DAT
2009-03-19 22:32 . 2009-03-19 22:32 23400 ----a-w- c:\programdata\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-01-27 01:34 . 2009-01-27 01:34 1044480 ----a-w- c:\program files\mozilla firefox\plugins\libdivx.dll
2009-01-27 01:34 . 2009-01-27 01:34 200704 ----a-w- c:\program files\mozilla firefox\plugins\ssldivx.dll
2007-10-05 10:48 . 2007-10-05 10:48 76 --sh--r- c:\windows\CT4CET.bin
2007-10-05 18:19 . 2007-10-05 18:13 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-10-17 39408]
"ehTray.exe"="c:\windows\ehome\ehTray.exe" [2006-11-02 125440]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ECenter"="c:\dell\E-Center\EULALauncher.exe" [2007-05-25 17920]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-04-28 857648]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"NvSvc"="c:\windows\system32\nvsvc.dll" [2007-06-25 86016]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-06-25 8433664]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-06-25 81920]
"NVHotkey"="c:\windows\system32\nvHotkey.dll" [2007-06-25 67584]
"UpdReg"="c:\windows\UpdReg.EXE" [2000-05-11 90112]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2007-03-21 1548288]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-10-03 81920]
"PCMService"="c:\program files\Dell\MediaDirect\PCMService.exe" [2007-04-16 184320]
"dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2007-11-15 16384]
"Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-10-05 1862144]
"VolPanel"="c:\program files\Creative\SBAudigy\Volume Panel\VolPanlu.exe" [2006-11-27 180224]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-10-03 221184]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2006-11-05 221184]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2008-01-09 185896]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-30 583048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"lxdrmon.exe"="c:\program files\Lexmark 4900 Series\lxdrmon.exe" [2008-05-21 676520]
"EzPrint"="c:\program files\Lexmark 4900 Series\ezprint.exe" [2008-05-21 131752]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-05-17 516440]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"avgnt"="c:\program files\Avira\AntiVir Desktop\avgnt.exe" [2009-03-02 209153]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2007-10-5 50688]
QuickSet.lnk - c:\program files\Dell\QuickSet\quickset.exe [2007-7-20 1180952]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\progra~1\Google\GOOGLE~2\GoogleDesktopNetwork3.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"mixer3"=wdmaud.drv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ lsdelete

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UacDisableNotify"=dword:00000001
"InternetSettingsDisableNotify"=dword:00000001
"AutoUpdateDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc]
"AntiVirusOverride"=dword:00000001
"AntiSpywareOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{2C21194F-D77B-4B42-BBA2-F460015F723A}"= c:\program files\Dell\MediaDirect\PowerCinema.exe:CyberLink PowerCinema
"{8A2D4847-F8B9-41DE-90F2-CF8C38E6197D}"= c:\program files\Dell\MediaDirect\PCMService.exe:CyberLink PowerCinema Resident Program
"{4F6E7D6C-F205-490D-8550-41C7744160EF}"= c:\program files\Dell\MediaDirect\Kernel\DMP\CLBrowserEngine.exe:Cyberlink Media Server Browser Engine
"{30AD1E1A-119F-4343-B73C-29634164DCCC}"= c:\program files\Dell\MediaDirect\Kernel\DMS\CLMSService.exe:CyberLink Media Server
"{CDB9023F-2272-468D-B199-490AC82D40BB}"= UDP:c:\program files\DNA\btdna.exe:DNA
"{D39C334D-C73B-4661-873E-9A4DF81BC98D}"= TCP:c:\program files\DNA\btdna.exe:DNA
"{B979A387-EF0B-4CBF-8AE6-5B26A595667C}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{B062E6AA-03D9-450F-ACEB-1B5A18E94FBC}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes
"{CB73D362-19A5-4804-B219-102BA379A4D6}"= Disabled:UDP:c:\program files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{278B2468-7EAE-43A2-8C68-7013DD8A6DA5}"= Disabled:TCP:c:\program files\Sports Interactive\Football Manager 2008\fm.exe:Football Manager 2008
"{6B6CFC49-B8DE-4C0C-8510-E2EEF345B703}"= UDP:c:\program files\TVersity\Media Server\MediaServer.exe:TVersity Media Server
"{CC840493-2C6B-412E-8990-536980F6BE12}"= TCP:c:\program files\TVersity\Media Server\MediaServer.exe:TVersity Media Server
"{4B816B55-0696-4F67-BA5A-6AF70984A46F}"= UDP:c:\program files\TVersity\Media Server\MediaServer.exe:TVersity Media Server
"{78E1AA1E-30D6-4836-A17D-FE47AFA6B41A}"= TCP:c:\program files\TVersity\Media Server\MediaServer.exe:TVersity Media Server
"{E5EDF111-8C09-4F99-8C35-BA143284453C}"= UDP:c:\program files\Azureus\Azureus.exe:Azureus Vuze
"{E17FBB97-7CB4-4D11-AE9B-9452D6DC759C}"= TCP:c:\program files\Azureus\Azureus.exe:Azureus Vuze
"{76E49010-7141-411C-A99B-FCA91691E575}"= UDP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{721E05FE-73AF-4B3E-B480-9FA7F57077B4}"= TCP:c:\program files\Bonjour\mDNSResponder.exe:Bonjour
"{3408B9FC-44C7-4E48-BC0E-87E1B8B9FD85}"= UDP:c:\windows\System32\lxdrcoms.exe:Lexmark Communications System
"{65C53166-24F9-49EE-A459-755CB0FAE0E5}"= TCP:c:\windows\System32\lxdrcoms.exe:Lexmark Communications System
"{4839EFCF-D8E1-4B50-A814-4F81011F6EC7}"= UDP:c:\windows\System32\spool\drivers\w32x86\3\lxdrpswx.exe:Printer Status Window
"{922CD8D6-DB19-49A5-88EC-FC647FCA75C9}"= TCP:c:\windows\System32\spool\drivers\w32x86\3\lxdrpswx.exe:Printer Status Window
"{DC54259A-8D4F-4DEC-88EF-A591D06DF9F6}"= UDP:c:\program files\Pinnacle\VideoSpin\Programs\RM.exe:Render Manager
"{79A7858F-98FC-4CA4-AE7C-C7154B50FB78}"= TCP:c:\program files\Pinnacle\VideoSpin\Programs\RM.exe:Render Manager
"{C061FADC-F6FF-4E09-BECB-54F009B0D0DB}"= UDP:c:\program files\Pinnacle\VideoSpin\Programs\umi.exe:umi
"{698B46B5-6130-41D1-A62B-6905D56CC1E4}"= TCP:c:\program files\Pinnacle\VideoSpin\Programs\umi.exe:umi
"{3E4D0D6B-1BCB-4ABB-9F78-AC5F0913F795}"= UDP:c:\program files\Pinnacle\VideoSpin\Programs\VideoSpin.exe:Pinnacle VideoSpin
"{BB20B197-B7F9-474D-9096-0DCF5653A7C8}"= TCP:c:\program files\Pinnacle\VideoSpin\Programs\VideoSpin.exe:Pinnacle VideoSpin
"{C5ADF767-5A5B-4F42-ADA2-35E4414082EA}"= UDP:c:\program files\iTunes\iTunes.exe:iTunes
"{A5E729B8-DCA9-45F5-871D-F165AE455228}"= TCP:c:\program files\iTunes\iTunes.exe:iTunes

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\PublicProfile]
"EnableFirewall"= 0 (0x0)
"DoNotAllowExceptions"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\RestrictedServices\Static\System]
"DFSR-1"= RPort=5722|UDP:%SystemRoot%\system32\svchost.exe|Svc=DFSR:Allow inbound TCP traffic|

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\StandardProfile\AuthorizedApplications\List]
"c:\\Program Files\\BitTorrent\\bittorrent.exe"= c:\program files\BitTorrent\bittorrent.exe:*:Enabled:BitTorrent

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [17/05/2009 1:55 PM 64160]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\System32\drivers\NIS\1005000.087\SymEFA.sys [20/03/2009 5:17 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\System32\drivers\NIS\1005000.087\BHDrvx86.sys [20/03/2009 5:17 PM 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\System32\drivers\NIS\1005000.087\cchpx86.sys [20/03/2009 5:16 PM 482352]
R1 IDSVix86;IDSVix86;c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090610.006\IDSvix86.sys [12/06/2009 3:40 PM 292912]
R2 AntiVirSchedulerService;Avira AntiVir Scheduler;c:\program files\Avira\AntiVir Desktop\sched.exe [10/06/2009 1:53 AM 108289]
R2 lxdr_device;lxdr_device;c:\windows\system32\lxdrcoms.exe -service --> c:\windows\system32\lxdrcoms.exe -service [?]
R2 lxdrCATSCustConnectService;lxdrCATSCustConnectService;c:\windows\System32\spool\drivers\w32x86\3\lxdrserv.exe [16/05/2008 9:39 AM 98984]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [20/03/2009 5:16 PM 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [25/02/2009 3:00 AM 101936]
R3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [09/03/2009 1:06 PM 953168]
R3 MusCAudio;MusCAudio;c:\windows\System32\drivers\MusCAudio.sys [24/11/2008 10:25 PM 23096]
R3 MusCVideo;MusCVideo;c:\windows\System32\drivers\MusCVideo.sys [24/11/2008 10:25 PM 3768]
R3 OEM02Dev;Creative Camera OEM002 Driver;c:\windows\System32\drivers\OEM02Dev.sys [05/10/2007 12:19 PM 235584]
R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;c:\windows\System32\drivers\OEM02Vfx.sys [05/10/2007 12:19 PM 7424]
R3 SYMNDISV;Symantec Network Filter Driver;c:\windows\System32\drivers\NIS\1005000.087\symndisv.sys [20/03/2009 5:17 PM 39984]
R3 WSDPrintDevice;WSD Print Support via UMB;c:\windows\System32\drivers\WSDPrint.sys [02/11/2006 4:25 AM 16896]
S2 gupdate1c9855554341dd3;Google Update Service (gupdate1c9855554341dd3);c:\program files\Google\Update\GoogleUpdate.exe [02/02/2009 10:43 AM 133104]
S3 SoundMovieServer;SoundMovieServer;c:\windows\System32\snmvtsvc.exe [24/11/2008 10:25 PM 200704]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\System32\rundll32.exe" "c:\windows\System32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-06-08 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-09 19:54]

2009-06-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-16 04:32]

2009-06-15 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 16:42]

2009-06-13 c:\windows\Tasks\Norton Security Scan for Peter.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 11:18]

2009-06-15 c:\windows\Tasks\User_Feed_Synchronization-{C2D83598-AB40-40C1-9308-C08929C350D6}.job
- c:\windows\system32\msfeedssync.exe [2009-02-11 10:01]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-Uniblue RegistryBooster 2 - c:\program files\uniblue\registrybooster 2\StartRegistryBooster.exe


.
------- Supplementary Scan -------
.
uStart Page = hxxp://football365.com/
uInternet Settings,ProxyOverride = *.local
FF - ProfilePath - c:\users\Peter\AppData\Roaming\Mozilla\Firefox\Profiles\b964485k.default\
FF - prefs.js: browser.search.selectedEngine - Orbit Search (Powered By Google)
FF - prefs.js: browser.startup.homepage - hxxp://football365.com/
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\programdata\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava13.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava14.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava32.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-14 21:50
Windows 6.0.6000 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.5.0.135\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000
.
Completion time: 2009-06-15 21:58
ComboFix-quarantined-files.txt 2009-06-15 03:58

Pre-Run: 15,739,650,048 bytes free
Post-Run: 16,149,475,328 bytes free

301 --- E O F --- 2009-05-14 04:31


Attached File  ComboFix.txt ( 25.49K )
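The scheduled-task section of the ComboFix log above lists each .job file together with the binary it launches and that binary's timestamp. As an added example (not part of the original thread, and not ComboFix's own code), the Python below parses that section and applies the triage checks a helper makes by eye: is the target under Program Files or Windows, does it sit in a temp or per-user profile folder, and does its timestamp match the date on its .job file. The sample input reproduces four entries from the log above plus one constructed entry (constructed-example.job, pointing at a made-up file in a temp folder) added only to exercise the checks; the flags are prompts for review, not verdicts.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: the first four entries reproduce the scheduled-task
# section of the ComboFix log posted above; the last one is a made-up entry
# added here to exercise the location and timestamp checks.
SAMPLE_TASK_SECTION = r"""
2009-06-15 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-10-16 04:32]

2009-06-15 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-02-02 16:42]

2009-06-13 c:\windows\Tasks\Norton Security Scan for Peter.job
- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 11:18]

2009-06-15 c:\windows\Tasks\User_Feed_Synchronization-{C2D83598-AB40-40C1-9308-C08929C350D6}.job
- c:\windows\system32\msfeedssync.exe [2009-02-11 10:01]

2009-06-14 c:\windows\Tasks\constructed-example.job
- c:\users\peter\appdata\local\temp\constructed-sample.exe [2009-06-14 21:40]
"""

# "YYYY-MM-DD <path>.job" followed by "- <target> [YYYY-MM-DD HH:MM]"
JOB_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (.+\.job)$", re.I)
TARGET_RE = re.compile(r"^- (.+?) \[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\]$")

# Roots where an installer-created task target is expected to live.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\windows\\")


@dataclass
class ScheduledTask:
    job_date: str      # date shown for the .job file itself
    job_path: str      # path of the .job file
    target: str        # binary the task launches
    target_date: str   # timestamp ComboFix reports for that binary


def parse_tasks(section: str) -> List[ScheduledTask]:
    """Pair each .job line with the target line that follows it."""
    tasks: List[ScheduledTask] = []
    pending = None
    for raw in section.splitlines():
        line = raw.strip()
        if not line:
            continue
        job = JOB_RE.match(line)
        if job:
            pending = job
            continue
        target = TARGET_RE.match(line)
        if target and pending is not None:
            tasks.append(ScheduledTask(pending.group(1), pending.group(2),
                                       target.group(1), target.group(2)))
            pending = None
    return tasks


def review_flags(task: ScheduledTask) -> List[str]:
    """Heuristic reasons a helper would look twice at this task."""
    flags = []
    target = task.target.lower()
    if not target.startswith(TRUSTED_ROOTS):
        flags.append("target outside Program Files / Windows")
    if "\\temp\\" in target or "\\appdata\\" in target:
        flags.append("target in a temp or per-user profile folder")
    if task.target_date[:10] == task.job_date:
        flags.append("target binary dated the same day as its .job file")
    return flags


def triage(section: str):
    """(job path, flags) for every task in the section, in log order."""
    return [(t.job_path, review_flags(t)) for t in parse_tasks(section)]


if __name__ == "__main__":
    for job, flags in triage(SAMPLE_TASK_SECTION):
        print(job)
        print("    " + ("; ".join(flags) if flags else "ok"))
```

Only the constructed entry is flagged; the four entries taken from the log come back clean, which is consistent with the helper's reading of it in the next post.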
Essexboy
post Jun 15 2009, 03:47 AM
Post #11
GeekU Moderator
Posts: 18,766
From: Darkest Cornwall
OS: Vista Ultimate & Windows 7

Looks better now

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run Box.


2. Now copy/paste the entire content of the codebox below into the Notepad window:

CODE
File::
c:\windows\system32\vghd.scr

Folder::
c:\program files\vghd


3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



THEN

Please download Malwarebytes' Anti-Malware from Here.

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


6. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new OTListit log.
  • MBAM Log
PeterBro
post Jun 17 2009, 12:17 AM
Post #12
Member
Posts: 16
OS: Vista

Hello Essex.


Here are all my logs.

Combo Fix
Attached File  ComboFix.txt ( 67.24K )

MBAM
Attached File  mbam_log...0_08_53_.txt

OTS
Attached File  OTS.Txt ( 185.29K )

Attached File(s)
Attached File  mbam_log_2009_06_17__00_08_53_.txt ( 821bytes )
 
Essexboy
post Jun 17 2009, 02:32 AM
Post #13
GeekU Moderator
Posts: 18,766
From: Darkest Cornwall
OS: Vista Ultimate & Windows 7

That doesn't look too bad - how is your computer running now?
PeterBro
post Jun 19 2009, 12:28 AM
Post #14
Member
Posts: 16
OS: Vista

Quite good actually thank you.

Now I've got a separate issue. It's on a Dell laptop running XP. I've done the self-cleaning steps until it asked to rename the MBAM file in order for it to work, and it will not load after installation.
Essexboy
post Jun 19 2009, 02:26 AM
Post #15
GeekU Moderator
Posts: 18,766
From: Darkest Cornwall
OS: Vista Ultimate & Windows 7

OK, let's clear all my tools and tidy you up before we attack that problem.

Now the best part of the day ----- Your log now appears clean

A good workman always cleans up after himself, so run OTListit and hit the cleanup button. It will remove all the programmes we have used plus itself. MBAM can be uninstalled via Control Panel Add/Remove along with ERUNT, but they may be useful tools to keep.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading select Do not show hidden files and folders.
  • Click Yes to confirm.
  • Click OK.


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware it is NOT supported for use in 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java SE Runtime Environment (JRE): JRE 6 Update 14.
  • Click the "Download" button to the right.
  • Select your Platform and check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement.".
  • Click on Continue.
  • Click on the link to download Windows Offline Installation (jre-6u14-windows-i586-p.exe) and save it to your desktop. Do NOT use the Sun Download Manager.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version. (Vista users, right click on the jre-6u13-windows-i586-p.exe and select "Run as an Administrator.")


VISTA
To manually create a new Restore Point
  • Go to Control Panel and select System and Maintenance
  • Select System
  • On the left select Advanced System Settings and accept the warning if you get one
  • Select System Protection Tab
  • Select Create at the bottom
  • Type in a name i.e. Clean
  • Select Create
Now we can purge the infected ones
  • Go back to the System and Maintenance page
  • Select Performance Information and Tools
  • On the left select Open Disk Cleanup
  • Select Files from all users and accept the warning if you get one
  • In the drop down box select your main drive i.e. C
  • For a few moments the system will make some calculations
  • Select the More Options tab
  • In the System Restore and Shadow Backups select Clean up
  • Select Delete on the pop up
  • Select OK
  • Select Delete
You are now done
SPRING CLEAN

Download TFC to your desktop
  • Open the file and close any other windows.
  • It will close all programs itself when run, make sure to let it run uninterrupted.
  • Click the Start button to begin the process. The program should not take long to finish its job
  • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean


THEN

Download and run Auslogics Disc Defragmenter

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit


To learn more about how to protect yourself while on the internet read our little guide How did I get infected in the first place ?
Keep safe

ON COMPLETION

Could you now uninstall MBAM and then download and re-install a new copy. Let me know the result
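The Java advice above rests on reading the installed version out of the ComboFix log: the "FF - plugin:" lines earlier in the thread load their DLLs from c:\program files\Java\jre1.6.0\bin, which is the original 1.6.0 release, well below the 6 Update 14 the post asks for. As an added example (not part of the thread and not code from Sun or ComboFix), the Python below pulls the JRE version out of each plugin path and reports every install older than the required one. It assumes the standard Sun install directory naming jre<major>.<minor>.<micro>_<update> (no suffix means update 0); later 6uXX installers that used a plain "jre6" directory are not matched and would need checking in Add/Remove Programs instead. The sample lines reproduce the plugin entries from the log above.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, micro, update)

# Constructed sample: these lines reproduce the "FF - plugin:" entries from
# the ComboFix log posted earlier in this thread.
SAMPLE_PLUGIN_LINES = r"""
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava11.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjava12.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npjpi160.dll
FF - plugin: c:\program files\Java\jre1.6.0\bin\npoji610.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
"""

# Minimum the post asks for: JRE 6 Update 14, i.e. directory jre1.6.0_14.
REQUIRED_JRE: Version = (1, 6, 0, 14)

# Sun layout assumed here: ...\Java\jre1.6.0_14\... ; the "_NN" part is optional.
JRE_DIR_RE = re.compile(r"\\java\\jre(\d+)\.(\d+)\.(\d+)(?:_(\d+))?\\", re.I)


def jre_version_from_path(path: str) -> Optional[Version]:
    """Version tuple for a DLL under a Sun JRE directory, else None."""
    m = JRE_DIR_RE.search(path)
    if not m:
        return None
    major, minor, micro, update = m.groups()
    return (int(major), int(minor), int(micro), int(update or 0))


def find_java_plugins(section: str) -> Dict[Version, List[str]]:
    """Group browser plugin DLLs by the JRE version they load from."""
    found: Dict[Version, List[str]] = {}
    for raw in section.splitlines():
        line = raw.strip()
        if not line.startswith("FF - plugin:"):
            continue
        path = line.split(":", 1)[1].strip()
        version = jre_version_from_path(path)
        if version is not None:
            found.setdefault(version, []).append(path)
    return found


def format_version(v: Version) -> str:
    return f"{v[0]}.{v[1]}.{v[2]}_{v[3]:02d}"


def outdated_java(section: str, required: Version = REQUIRED_JRE) -> List[str]:
    """One finding per JRE version that is exposed to the browser and older
    than `required`; an empty list means nothing to report."""
    findings = []
    for version, dlls in sorted(find_java_plugins(section).items()):
        if version < required:
            findings.append(
                f"JRE {format_version(version)} exposed to the browser by "
                f"{len(dlls)} plugin DLL(s); below required {format_version(required)}"
            )
    return findings


if __name__ == "__main__":
    for finding in outdated_java(SAMPLE_PLUGIN_LINES):
        print(finding)
```

Because the browser plugins are what expose an old JRE to web content, the check keys on those paths rather than on whatever JRE is merely installed; a machine can have a current JRE alongside an old one that the browser still loads, which is why the post has every older version removed.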