Geeks to Go
Trojan horse TR/Vundo infection


This topic is locked.

#1 tisthymonkey (New Member, 8 posts)
Hi all,

Having terrible trouble trying to rid my PC of TR/Vundo.Gen and others.
Tried a few standard spyware programmes, but it's still there.

Please help

HijackThis log and SmitFraudFix logs below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:03:58, on 10/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C060FE2-B3CA-47DD-B68E-BD1A6E297226} - C:\WINDOWS\system32\vtUlJbbx.dll
O2 - BHO: (no name) - {994F4ECB-2E87-411B-AEFB-ECC0E2A18CB1} - C:\WINDOWS\system32\geBrqQHw.dll (file missing)
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\User 1\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070828\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\User 1\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070828\Setup.exe" "/REALUPREBOOT /temp /patched"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: vtUlJbbx - C:\WINDOWS\SYSTEM32\vtUlJbbx.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 8095 bytes





SmitFraudFix v2.320

Scan done at 21:22:15.20, 10/05/2008
Run from C:\Documents and Settings\User 1\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts

hosts file corrupted !

127.0.0.1 www.legal-at-spybot.info
127.0.0.1 legal-at-spybot.info

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\User 1\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\USER1~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» 404Fix
!!!Attention, following keys are not inevitably infected!!!

404Fix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe,"
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: VIA Compatable Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{D0C86024-5914-4BB8-AFA5-7508A9E2CBF5}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{D0C86024-5914-4BB8-AFA5-7508A9E2CBF5}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{D0C86024-5914-4BB8-AFA5-7508A9E2CBF5}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
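The HijackThis log above carries the textbook Vundo footprint: a "(no name)" BHO in system32 (vtUlJbbx.dll) that is also registered as an O20 Winlogon Notify package, an orphaned BHO CLSID for geBrqQHw.dll, and a RunServices value launching a bare svehost.exe, one letter away from svchost.exe. The script below is an added example, not part of this thread and not HijackThis code, that turns those observations into triage heuristics and runs them over sample lines copied from the posted log. The CORE_BINARIES list, the severity labels and the reason strings are this example's own assumptions.

```python
"""Added example (not from the thread or from HijackThis): triage heuristics
for HijackThis-style log lines, keyed on the Vundo indicators in the log above.
Sample lines are copied from that log; the CORE_BINARIES list, severities and
reason strings are this example's own assumptions."""
import re

# Core Windows binaries that droppers like to typosquat (assumed short list).
CORE_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                 "services.exe", "smss.exe", "explorer.exe", "spoolsv.exe"}

# Constructed sample: eight lines lifted from the posted HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C060FE2-B3CA-47DD-B68E-BD1A6E297226} - C:\WINDOWS\system32\vtUlJbbx.dll
O2 - BHO: (no name) - {994F4ECB-2E87-411B-AEFB-ECC0E2A18CB1} - C:\WINDOWS\system32\geBrqQHw.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\RunServices: [Microsoft Updates] svehost.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: vtUlJbbx - C:\WINDOWS\SYSTEM32\vtUlJbbx.dll
"""

# hive\..\Key: [value name] command line
O4_RE = re.compile(r"(?P<hive>\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)")


def levenshtein(a, b):
    """Plain edit distance, used to catch one-letter look-alikes (svehost vs svchost)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def first_executable(cmd):
    """Program path of a Run value: the quoted token, or everything up to '.exe'."""
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    m = re.match(r"(.*?\.exe)\b", cmd, re.I)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text):
    """Return (severity, line, reason) findings for HijackThis O2/O3/O4/O20 lines."""
    findings = []
    bho_dlls, notify_dlls = {}, {}        # lower-cased DLL path -> originating line
    for line in (l.strip() for l in log_text.splitlines() if l.strip()):
        m = re.match(r"(O\d+) - (.*)", line)
        if not m:
            continue
        kind, body = m.groups()
        if kind in ("O2", "O3"):
            if "(file missing)" in body or body.endswith("(no file)"):
                # Dead CLSID: clean it up, but it is not a live implant by itself.
                findings.append(("low", line, "orphaned CLSID registration"))
                continue
            path = body.rsplit(" - ", 1)[-1]
            if kind == "O2":
                bho_dlls[path.lower()] = line
            if "(no name)" in body and "\\system32\\" in path.lower():
                findings.append(("medium", line, "nameless BHO/toolbar loaded from system32"))
        elif kind == "O4":
            m4 = O4_RE.match(body)
            if not m4:
                continue
            exe = first_executable(m4.group("cmd"))
            name = basename(exe)
            if m4.group("key").lower() == "runservices":
                # RunServices is a Windows 9x key; XP does not execute it, so a
                # populated value is dropper residue rather than a configured service.
                findings.append(("high", line, "RunServices key populated on an NT system"))
            if "\\" not in exe:
                findings.append(("medium", line, "bare file name resolved via PATH search"))
            for core in sorted(CORE_BINARIES):
                if name != core and levenshtein(name, core) == 1:
                    findings.append(("high", line, f"look-alike of core binary {core}"))
        elif kind == "O20":
            notify_dlls[body.rsplit(" - ", 1)[-1].lower()] = line
    # Vundo's signature: one DLL registered both as an IE BHO and as a Winlogon
    # Notify package, so it is loaded by winlogon.exe before any user-mode cleaner.
    for path in sorted(bho_dlls.keys() & notify_dlls.keys()):
        findings.append(("high", notify_dlls[path],
                         f"BHO DLL also registered as Winlogon Notify: {basename(path)}"))
    return findings


if __name__ == "__main__":
    for sev, line, reason in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {reason}\n         {line}")
```

Against the sample the script raises three high-severity findings (the RunServices entry, the svehost.exe look-alike, and vtUlJbbx.dll doing double duty as BHO and Winlogon Notify handler) and two low-severity orphaned CLSIDs. It deliberately keys on registration context rather than on how random a file name looks: the same log lists ccSvcHst.exe and symlcsvc.exe, legitimate Symantec components with names every bit as unpronounceable as trtnbgub.dll, so a name-shape heuristic alone would drown in false positives. The practitioner's confirmation step is an Authenticode signature check or a hash lookup on the flagged file, not the name.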


#2 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)
Hello tisthymonkey

Welcome to G2Go. :)

Please uninstall Norton before proceeding (very important).
=====================
Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally copy and paste the contents of the results file Report.txt back onto the forum.
=============
Then:
Please visit this web page for instructions on downloading and running ComboFix: ComboFix Instructions
We now suggest that you install the Windows Recovery Console.
The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Post the log from ComboFix when you've accomplished all of that, along with a new HijackThis log.

#3 tisthymonkey (Topic Starter, New Member, 8 posts)
Thank you Kahdah.

I have completed both and added the reports. System already working better! Could you explain the Windows Recovery bit please? Unsure of the procedure.

SDFix: Version 1.181
Run by User 1 on 11/05/2008 at 01:33

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\USER1~1\Desktop\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1359.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 01:45:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:0000004c
"TracesSuccessful"=dword:00000005

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"="C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\DOCUME~1\USER1~1\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Thu 24 Jan 2008 145,920 ..SHR --- "C:\Program Files\BillP Studios\WinPatrol\Setup.exe"
Tue 11 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Tue 29 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\0a67b6c406b1d7e0f5c1e6f6d44a3f6e\BIT3.tmp"
Tue 29 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\26924cbc8132a10b438ce6e2b49d4652\BIT1.tmp"
Tue 29 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\2769b111678c52099a3b3123b12f2325\BIT5.tmp"
Tue 29 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\b69c46c5109d0f8b0dee9fab84906813\BIT4.tmp"
Tue 29 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d77b9b5b8fed23dd91f50d167cce60d3\BIT6.tmp"
Tue 29 Apr 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fa6c916bb150f8a929e7a4ffdfbc120f\BIT2.tmp"
Thu 29 Nov 2007 213,950 ...HR --- "C:\WINDOWS\system32\drivers\etc\Hosts.bak"
Thu 28 Sep 2006 4,348 A..H. --- "C:\Welsh Backup\Laptop Backup\Partition 1\My Documents\My Music\License Backup\drmv1key.bak"
Fri 29 Sep 2006 20 A..H. --- "C:\Welsh Backup\Laptop Backup\Partition 1\My Documents\My Music\License Backup\drmv1lic.bak"
Thu 28 Sep 2006 400 A.SH. --- "C:\Welsh Backup\Laptop Backup\Partition 1\My Documents\My Music\License Backup\drmv2key.bak"

Finished!




ComboFix 08-05-09.1 - User 1 2008-05-11 1:53:10.3 - NTFSx86 MINIMAL
Running from: C:\Documents and Settings\User 1\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.

2008-05-11 01:29 . 2008-05-11 01:29 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-11 01:13 . 2008-05-09 03:59 <DIR> d-------- C:\SDFix
2008-05-10 23:23 . 2008-05-10 23:23 2,112 --a------ C:\WINDOWS\system32\wfpplvqm.exe
2008-05-10 22:59 . 2008-05-10 22:59 52,840 --a------ C:\WINDOWS\system32\trtnbgub.dll
2008-05-10 21:53 . 2008-05-10 21:53 <DIR> d-------- C:\Program Files\Panda Security
2008-05-10 21:45 . 2008-05-10 21:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-10 21:32 . 2008-05-10 21:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-10 21:32 . 2008-05-10 21:32 <DIR> d-------- C:\Documents and Settings\User 1\Application Data\Malwarebytes
2008-05-10 21:32 . 2008-05-10 21:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-10 21:32 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-10 21:32 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-10 21:22 . 2008-05-11 00:14 1,984 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-10 20:03 . 2008-05-10 20:03 <DIR> d-------- C:\Documents and Settings\User 1\Application Data\Lavasoft
2008-05-10 20:02 . 2008-05-10 20:02 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-10 19:59 . 2005-04-14 12:18 <DIR> d-------- C:\Adaware SE Pro and Plug-ins
2008-05-04 22:31 . 2008-05-04 22:31 <DIR> d-------- C:\Documents and Settings\User 1\Application Data\Skype
2008-05-04 15:24 . 2008-05-04 15:24 <DIR> d-------- C:\Program Files\Avira
2008-05-04 00:21 . 2008-05-04 00:23 <DIR> d-------- C:\Program Files\Skype
2008-05-04 00:20 . 2008-05-04 00:21 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-04 00:16 . 2008-05-04 00:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-03 23:01 . 2008-05-03 23:01 53,312 --a------ C:\WINDOWS\system32\fuqgtifv.dll
2008-05-03 10:01 . 2008-05-03 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-03 09:19 . 2008-05-03 09:19 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-02 22:00 . 2008-05-02 22:00 53,312 --a------ C:\WINDOWS\system32\tsioharl.dll
2008-05-02 21:57 . 2008-05-10 22:56 109,778 --a------ C:\WINDOWS\BM8f9120d8.xml
2008-05-02 19:48 . 2008-05-04 00:29 <DIR> d-------- C:\Program Files\Google
2008-05-02 19:43 . 2008-02-17 19:47 <DIR> d-------- C:\Google Earth Pro v4.2.0205.5730 Final + Patch + Logo Google Remover
2008-05-02 18:41 . 2008-05-02 18:41 <DIR> d-------- C:\Program Files\SBSH
2008-05-02 11:52 . 2008-05-02 11:52 0 --ah----- C:\Documents and Settings\User 1\NTUSER.DAT_TU_53705.LOG
2008-05-02 11:52 . 2008-05-02 11:52 0 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT_TU_24216.LOG
2008-05-02 11:52 . 2008-05-02 11:52 0 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT_TU_16901.LOG
2008-05-02 10:04 . 2007-11-05 23:58 <DIR> d-------- C:\Autodata3.18crack by Zogldi
2008-05-02 09:51 . 2008-05-02 09:51 <DIR> d-------- C:\Documents and Settings\User 1\Application Data\TuneUp Software
2008-05-02 09:51 . 2008-05-02 09:51 354,560 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-02 09:51 . 2008-04-04 14:51 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-05-02 09:50 . 2008-05-02 09:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-05-02 09:49 . 2008-05-02 09:53 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-05-02 09:48 . 2008-05-02 09:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-02 09:48 . 2008-05-02 11:54 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-02 09:46 . 2008-05-02 04:35 <DIR> d-------- C:\Keygen 2
2008-05-02 09:46 . 2008-05-02 04:35 <DIR> d-------- C:\Keygen 1
2008-05-02 09:46 . 2008-05-02 04:34 14,538,804 --a------ C:\TU2008TrialEN.exe
2008-05-01 00:52 . 2007-08-30 02:42 634,661,020 --a------ C:\CDA3.18v6.410GRA_Data.nrg
2008-05-01 00:51 . 2007-08-30 02:36 340,054,172 --a------ C:\CDA3.18_v6.41296_Install.nrg
2008-04-30 23:57 . 2008-04-30 23:57 174 --a------ C:\WINDOWS\isclean.bat
2008-04-30 23:57 . 2008-04-30 23:57 8 --a------ C:\WINDOWS\lan.id
2008-04-30 23:56 . 2008-04-30 23:58 493 --a------ C:\WINDOWS\mbcase.uninst.ini
2008-04-30 23:53 . 2008-04-30 23:53 <DIR> d-------- C:\opt
2008-04-30 23:47 . 2001-08-17 13:53 4,992 --a------ C:\WINDOWS\system32\drivers\loop.sys
2008-04-30 23:47 . 2001-08-17 13:53 4,992 --a--c--- C:\WINDOWS\system32\dllcache\loop.sys
2008-04-30 23:25 . 2008-04-30 23:26 <DIR> d-------- C:\Program Files\EndItAll
2008-04-28 22:37 . 2008-04-28 22:37 <DIR> d-------- C:\fscommand
2008-04-28 22:23 . 2008-04-28 22:35 <DIR> d-------- C:\wis
2008-04-28 22:23 . 2008-04-28 22:23 <DIR> d-------- C:\SNIHOOK
2008-04-28 22:23 . 2008-04-28 22:23 <DIR> d-------- C:\SDSwitch
2008-04-28 22:21 . 2008-04-28 22:23 <DIR> d-------- C:\ewa
2008-04-28 22:12 . 2008-05-11 00:56 12,790 --a------ C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
2008-04-28 13:39 . 2008-01-05 19:03 <DIR> d-------- C:\Autodata3.18 licens mappe
2008-04-28 12:30 . 2008-04-28 12:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-28 12:30 . 2008-04-28 12:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-28 11:29 . 2008-05-11 00:56 <DIR> d-------- C:\Program Files\Norton 360
2008-04-28 11:26 . 2008-05-11 00:56 <DIR> d-------- C:\Program Files\Symantec
2008-04-28 11:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-28 11:14 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-28 11:14 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-28 10:48 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-04-28 10:44 . 2008-04-28 10:44 <DIR> d-------- C:\Program Files\MSBuild
2008-04-28 10:44 . 2008-04-28 10:44 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-28 10:31 . 2008-04-29 02:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-28 10:30 . 2008-04-28 10:30 <DIR> dr-h----- C:\MSOCache
2008-04-28 10:28 . 2008-04-28 10:28 <DIR> d-------- C:\Office 2007 Visio
2008-04-28 10:27 . 2008-04-28 10:28 <DIR> d-------- C:\Office 2007 Project
2008-04-28 10:26 . 2008-04-28 10:27 <DIR> d-------- C:\Office 2007 Enterprise
2008-04-28 10:26 . 2008-05-04 15:56 <DIR> d-------- C:\Images
2008-04-28 10:26 . 2008-04-28 10:26 <DIR> d-------- C:\ExpressionWeb
2008-04-28 10:24 . 2008-04-28 10:24 <DIR> d-------- C:\Support
2008-04-28 10:23 . 2008-04-28 10:24 <DIR> d-------- C:\Supp64
2008-04-28 10:23 . 2008-04-28 10:23 <DIR> d-------- C:\N360
2008-04-28 10:23 . 2008-04-28 10:23 <DIR> d-------- C:\Manual
2008-04-21 22:34 . 2008-04-21 22:34 <DIR> d-------- C:\Program Files\Share Cracker
2008-04-21 22:34 . 2008-04-21 22:34 249,856 --------- C:\WINDOWS\Setup1.exe
2008-04-21 22:34 . 2008-04-21 22:34 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-04-16 21:31 . 2008-04-16 21:38 <DIR> d-------- C:\Program Files\McDonaldsDragons
2008-04-16 21:30 . 2008-04-16 21:30 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-04-11 13:33 . 2008-04-11 13:33 <DIR> d-------- C:\Program Files\Common Files\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 00:27 --------- d-----w C:\Documents and Settings\User 1\Application Data\uTorrent
2008-05-10 23:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-10 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-04 14:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-05-03 08:48 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-03 07:45 --------- d-----w C:\Program Files\uTorrent
2008-04-30 22:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-30 22:52 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-28 21:10 --------- d-----w C:\Program Files\iTunes
2008-04-28 14:32 --------- d-----w C:\Documents and Settings\User 1\Application Data\Symantec
2008-04-21 21:43 --------- d-----w C:\Program Files\Norton Password Manager
2008-04-21 21:08 --------- d-----w C:\Program Files\MagicISO
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( [email protected]_17.55.58.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-10 16:48:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-11 00:52:13 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-25 17:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 12:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2008-05-09 02:57:57 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-11 00:29:57 4,612,096 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-11 00:29:57 159,744 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-09 02:57:57 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-05-11 00:29:48 4,612,096 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-05-11 00:29:48 159,744 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{994F4ECB-2E87-411B-AEFB-ECC0E2A18CB1}]
C:\WINDOWS\system32\geBrqQHw.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-10-07 13:04 2083664]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 17:06 292152]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SymLnch"="C:\Documents and Settings\User 1\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070828\Support\SymLnch\SymLnch.exe" [2007-08-27 01:04 687976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
"Microsoft Updates"=svehost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=

S2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 13:00]
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 13:53]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-02 09:51]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d2dc9e0-c81c-11dc-8724-000b6a9f1550}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL EssentialFiles\index.html

.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 00:40:01 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
"2008-05-03 10:35:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 01:55:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tsd32.dll
-> C:\WINDOWS\system32\ac3filter.acm
.
Completion time: 2008-05-11 1:59:25
ComboFix-quarantined-files.txt 2008-05-11 00:58:24
ComboFix2.txt 2008-05-10 23:38:57
ComboFix3.txt 2008-05-10 16:57:45

Pre-Run: 30,492,573,696 bytes free
Post-Run: 30,495,064,064 bytes free

200 --- E O F --- 2008-04-29 01:39:12
  • 0

#4 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

See http://support.microsoft.com/kb/314058 for a description of the Recovery Console.
It would aid in system recovery in case of system damage caused by some malware.
====================================
We now suggest that you install the Windows Recovery Console. The Windows Recovery Console will allow you to boot into a special recovery mode that allows us to help you in case your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.

Download the file & save it as it is originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When prompted to scan for infected files, choose no; when done, a log named CF_RC.txt will open. Please post the contents of that log.


Please do not reboot your machine until we have reviewed the log.
  • 0

#5 tisthymonkey (New Member, Topic Starter, 8 posts)

Hello Kahdah,

Log from recovery:

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
  • 0

#6 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

1. Please open Notepad
  • Click Start, then Run
  • Type notepad in the Run box, then hit OK.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\fuqgtifv.dll
C:\WINDOWS\svehost.exe
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\wfpplvqm.exe
C:\WINDOWS\system32\trtnbgub.dll
C:\WINDOWS\system32\tsioharl.dll
C:\WINDOWS\BM8f9120d8.xml
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{994F4ECB-2E87-411B-AEFB-ECC0E2A18CB1}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Microsoft Updates"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt onto ComboFix.exe. This will start ComboFix again.

5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#7 tisthymonkey (New Member, Topic Starter, 8 posts)

As instructed, both logs below.

My system is working much better and pop-up virus alerts are almost gone.



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:25:46, on 11/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: (no name) - {90222687-F593-4738-B738-FBEE9C7B26DF} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\User 1\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070828\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\User 1\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070828\Setup.exe" "/REALUPREBOOT /temp /patched"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: mlJDwwvT - mlJDwwvT.dll (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - (no file)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7019 bytes



ComboFix 08-05-09.1 - User 1 2008-05-11 22:14:01.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.80 [GMT 1:00]
Running from: C:\Documents and Settings\User 1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User 1\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\BM8f9120d8.xml
C:\WINDOWS\svehost.exe
C:\WINDOWS\system32\fuqgtifv.dll
C:\WINDOWS\system32\svehost.exe
C:\WINDOWS\system32\trtnbgub.dll
C:\WINDOWS\system32\tsioharl.dll
C:\WINDOWS\system32\wfpplvqm.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM8f9120d8.xml
C:\WINDOWS\system32\fuqgtifv.dll
C:\WINDOWS\system32\trtnbgub.dll
C:\WINDOWS\system32\tsioharl.dll
C:\WINDOWS\system32\wfpplvqm.exe

.
((((((((((((((((((((((((( Files Created from 2008-04-11 to 2008-05-11 )))))))))))))))))))))))))))))))
.

2008-05-11 21:20 . 2008-05-11 21:20 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-11 03:00 . 2008-05-11 03:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-05-11 02:54 . 2008-05-06 15:50 <DIR> dr------- C:\Setup
2008-05-11 02:54 . 2008-05-11 02:55 <DIR> d-------- C:\KASPERSKY FOR LIFETIME!!! READ THIS FIRST
2008-05-11 02:54 . 2008-02-24 20:59 114,605 --a------ C:\Uploads TICI333 Pirate Bay.docx
2008-05-11 02:54 . 2008-02-25 19:25 5,371 --a------ C:\EXTRA 6 KiS KEYS.rar
2008-05-11 02:16 . 2008-05-11 02:20 <DIR> d-------- C:\Program Files\Trojan Remover
2008-05-11 02:16 . 2008-05-11 02:16 <DIR> d-------- C:\Documents and Settings\User 1\Application Data\Simply Super Software
2008-05-11 02:16 . 2008-05-11 02:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-05-11 02:16 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-05-11 02:16 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-05-11 02:16 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-05-11 02:16 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-05-11 02:16 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-05-11 02:13 . 2008-04-13 06:56 <DIR> d-------- C:\TROJAN REMOVER 6.6.9 Build 2525(NEW-with critical fix)
2008-05-11 01:29 . 2008-05-11 01:29 <DIR> d-------- C:\WINDOWS\ERUNT
2008-05-11 01:13 . 2008-05-09 03:59 <DIR> d-------- C:\SDFix
2008-05-10 21:53 . 2008-05-10 21:53 <DIR> d-------- C:\Program Files\Panda Security
2008-05-10 21:45 . 2008-05-10 21:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-10 21:32 . 2008-05-10 21:32 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-10 21:32 . 2008-05-10 21:32 <DIR> d-------- C:\Documents and Settings\User 1\Application Data\Malwarebytes
2008-05-10 21:32 . 2008-05-10 21:32 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-10 21:32 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-10 21:32 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-10 21:22 . 2008-05-11 00:14 1,984 --a------ C:\WINDOWS\system32\tmp.reg
2008-05-10 20:03 . 2008-05-10 20:03 <DIR> d-------- C:\Documents and Settings\User 1\Application Data\Lavasoft
2008-05-10 20:02 . 2008-05-10 20:02 <DIR> d-------- C:\Program Files\Lavasoft
2008-05-10 19:59 . 2005-04-14 12:18 <DIR> d-------- C:\Adaware SE Pro and Plug-ins
2008-05-04 22:31 . 2008-05-04 22:31 <DIR> d-------- C:\Documents and Settings\User 1\Application Data\Skype
2008-05-04 15:24 . 2008-05-04 15:24 <DIR> d-------- C:\Program Files\Avira
2008-05-04 00:21 . 2008-05-04 00:23 <DIR> d-------- C:\Program Files\Skype
2008-05-04 00:20 . 2008-05-04 00:21 <DIR> d-------- C:\Program Files\Common Files\Skype
2008-05-04 00:16 . 2008-05-04 00:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skype
2008-05-03 10:01 . 2008-05-03 10:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-05-03 09:19 . 2008-05-03 09:19 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2008-05-02 19:48 . 2008-05-04 00:29 <DIR> d-------- C:\Program Files\Google
2008-05-02 19:43 . 2008-02-17 19:47 <DIR> d-------- C:\Google Earth Pro v4.2.0205.5730 Final + Patch + Logo Google Remover
2008-05-02 18:41 . 2008-05-02 18:41 <DIR> d-------- C:\Program Files\SBSH
2008-05-02 11:52 . 2008-05-02 11:52 0 --ah----- C:\Documents and Settings\User 1\NTUSER.DAT_TU_53705.LOG
2008-05-02 11:52 . 2008-05-02 11:52 0 --ah----- C:\Documents and Settings\NetworkService\NTUSER.DAT_TU_24216.LOG
2008-05-02 11:52 . 2008-05-02 11:52 0 --ah----- C:\Documents and Settings\LocalService\NTUSER.DAT_TU_16901.LOG
2008-05-02 10:04 . 2007-11-05 23:58 <DIR> d-------- C:\Autodata3.18crack by Zogldi
2008-05-02 09:51 . 2008-05-02 09:51 <DIR> d-------- C:\Documents and Settings\User 1\Application Data\TuneUp Software
2008-05-02 09:51 . 2008-05-02 09:51 354,560 --a------ C:\WINDOWS\system32\TuneUpDefragService.exe
2008-05-02 09:51 . 2008-04-04 14:51 28,416 --a------ C:\WINDOWS\system32\uxtuneup.dll
2008-05-02 09:50 . 2008-05-02 09:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TuneUp Software
2008-05-02 09:49 . 2008-05-02 09:53 <DIR> d-------- C:\Program Files\TuneUp Utilities 2008
2008-05-02 09:48 . 2008-05-02 09:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-02 09:48 . 2008-05-02 11:54 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-02 09:46 . 2008-05-02 04:35 <DIR> d-------- C:\Keygen 2
2008-05-02 09:46 . 2008-05-02 04:35 <DIR> d-------- C:\Keygen 1
2008-05-02 09:46 . 2008-05-02 04:34 14,538,804 --a------ C:\TU2008TrialEN.exe
2008-05-01 00:52 . 2007-08-30 02:42 634,661,020 --a------ C:\CDA3.18v6.410GRA_Data.nrg
2008-05-01 00:51 . 2007-08-30 02:36 340,054,172 --a------ C:\CDA3.18_v6.41296_Install.nrg
2008-04-30 23:57 . 2008-04-30 23:57 174 --a------ C:\WINDOWS\isclean.bat
2008-04-30 23:57 . 2008-04-30 23:57 8 --a------ C:\WINDOWS\lan.id
2008-04-30 23:56 . 2008-04-30 23:58 493 --a------ C:\WINDOWS\mbcase.uninst.ini
2008-04-30 23:53 . 2008-04-30 23:53 <DIR> d-------- C:\opt
2008-04-30 23:47 . 2001-08-17 13:53 4,992 --a------ C:\WINDOWS\system32\drivers\loop.sys
2008-04-30 23:47 . 2001-08-17 13:53 4,992 --a--c--- C:\WINDOWS\system32\dllcache\loop.sys
2008-04-30 23:25 . 2008-04-30 23:26 <DIR> d-------- C:\Program Files\EndItAll
2008-04-28 22:37 . 2008-04-28 22:37 <DIR> d-------- C:\fscommand
2008-04-28 22:23 . 2008-04-28 22:35 <DIR> d-------- C:\wis
2008-04-28 22:23 . 2008-04-28 22:23 <DIR> d-------- C:\SNIHOOK
2008-04-28 22:23 . 2008-04-28 22:23 <DIR> d-------- C:\SDSwitch
2008-04-28 22:21 . 2008-04-28 22:23 <DIR> d-------- C:\ewa
2008-04-28 22:12 . 2008-05-11 00:56 12,790 --a------ C:\Documents and Settings\All Users\Application Data\LUUnInstall.LiveUpdate
2008-04-28 13:39 . 2008-01-05 19:03 <DIR> d-------- C:\Autodata3.18 licens mappe
2008-04-28 12:30 . 2008-04-28 12:30 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-04-28 12:30 . 2008-04-28 12:30 1,409 --a------ C:\WINDOWS\QTFont.for
2008-04-28 11:29 . 2008-05-11 00:56 <DIR> d-------- C:\Program Files\Norton 360
2008-04-28 11:26 . 2008-05-11 00:56 <DIR> d-------- C:\Program Files\Symantec
2008-04-28 11:14 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-04-28 11:14 . 2007-07-30 19:19 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2008-04-28 11:14 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-04-28 10:48 . 2006-10-26 19:56 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2008-04-28 10:44 . 2008-04-28 10:44 <DIR> d-------- C:\Program Files\MSBuild
2008-04-28 10:44 . 2008-04-28 10:44 <DIR> d-------- C:\Program Files\Microsoft Works
2008-04-28 10:31 . 2008-04-29 02:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-04-28 10:30 . 2008-04-28 10:30 <DIR> dr-h----- C:\MSOCache
2008-04-28 10:28 . 2008-04-28 10:28 <DIR> d-------- C:\Office 2007 Visio
2008-04-28 10:27 . 2008-04-28 10:28 <DIR> d-------- C:\Office 2007 Project
2008-04-28 10:26 . 2008-04-28 10:27 <DIR> d-------- C:\Office 2007 Enterprise
2008-04-28 10:26 . 2008-05-04 15:56 <DIR> d-------- C:\Images
2008-04-28 10:26 . 2008-04-28 10:26 <DIR> d-------- C:\ExpressionWeb
2008-04-28 10:24 . 2008-04-28 10:24 <DIR> d-------- C:\Support
2008-04-28 10:23 . 2008-04-28 10:24 <DIR> d-------- C:\Supp64
2008-04-28 10:23 . 2008-04-28 10:23 <DIR> d-------- C:\N360
2008-04-28 10:23 . 2008-04-28 10:23 <DIR> d-------- C:\Manual
2008-04-21 22:34 . 2008-04-21 22:34 <DIR> d-------- C:\Program Files\Share Cracker
2008-04-21 22:34 . 2008-04-21 22:34 249,856 --------- C:\WINDOWS\Setup1.exe
2008-04-21 22:34 . 2008-04-21 22:34 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-04-16 21:31 . 2008-04-16 21:38 <DIR> d-------- C:\Program Files\McDonaldsDragons
2008-04-16 21:30 . 2008-04-16 21:30 <DIR> d--hs---- C:\WINDOWS\ftpcache
2008-04-11 13:33 . 2008-04-11 13:33 <DIR> d-------- C:\Program Files\Common Files\SupportSoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-11 02:10 --------- d-----w C:\Documents and Settings\User 1\Application Data\uTorrent
2008-05-10 23:58 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-10 23:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-05-04 14:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-05-03 08:48 --------- d-----w C:\Program Files\Common Files\Adobe
2008-05-03 07:45 --------- d-----w C:\Program Files\uTorrent
2008-04-30 22:58 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-30 22:52 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-28 21:10 --------- d-----w C:\Program Files\iTunes
2008-04-28 14:32 --------- d-----w C:\Documents and Settings\User 1\Application Data\Symantec
2008-04-21 21:43 --------- d-----w C:\Program Files\Norton Password Manager
2008-04-21 21:08 --------- d-----w C:\Program Files\MagicISO
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( [email protected]_17.55.58.20 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-10 16:48:27 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-11 11:18:56 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-03-25 17:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 12:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2008-05-09 02:57:57 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-05-11 00:29:57 4,612,096 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-05-11 00:29:57 159,744 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-05-09 02:57:57 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-05-11 00:29:48 4,612,096 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-05-11 00:29:48 159,744 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
+ 2008-03-20 17:06:36 1,480,232 ------w C:\WINDOWS\system32\LegitCheckControl.dll
- 2006-09-25 17:58:48 14,640 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2008-03-20 13:41:20 14,640 ------w C:\WINDOWS\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-10-07 13:04 2083664]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-10-26 17:06 292152]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-04-07 19:51 873040]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SymLnch"="C:\Documents and Settings\User 1\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070828\Support\SymLnch\SymLnch.exe" [2007-08-27 01:04 687976]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJDwwvT]
mlJDwwvT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.ac3filter"= ac3filter.acm

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" -atboottime
"Cmaudio"=RunDll32 cmicnfg.cpl,CMICtrlWnd
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Documents and Settings\\All Users\\Application Data\\Kaspersky Lab Setup Files\\Kaspersky Internet Security 7.0.1.325\\English\\setup.exe"=

R2 UxTuneUp;TuneUp Theme Extension;C:\WINDOWS\System32\svchost.exe [2004-08-04 13:00]
S3 msloop;Microsoft Loopback Adapter Driver;C:\WINDOWS\system32\DRIVERS\loop.sys [2001-08-17 13:53]
S3 TuneUp.Defrag;TuneUp Drive Defrag Service;C:\WINDOWS\System32\TuneUpDefragService.exe [2008-05-02 09:51]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d2dc9e0-c81c-11dc-8724-000b6a9f1550}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL EssentialFiles\index.html

.
Contents of the 'Scheduled Tasks' folder
"2008-05-11 21:00:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2008\OneClickStarter.exe
"2008-05-03 10:35:06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-11 22:16:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-11 22:21:14
ComboFix-quarantined-files.txt 2008-05-11 21:20:52
ComboFix2.txt 2008-05-11 00:59:26
ComboFix3.txt 2008-05-10 23:38:57
ComboFix4.txt 2008-05-10 16:57:45

Pre-Run: 30,333,472,768 bytes free
Post-Run: 30,335,291,392 bytes free

231 --- E O F --- 2008-04-29 01:39:12
  • 0
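A triage pass over the two logs in the post above, written here as an added example; it is not code from the thread, from ComboFix or from HijackThis. It reads ComboFix-style registry sections and HijackThis O20 lines and flags the five things a responder would pull out of this log: Security Center monitoring switched off (DisableMonitoring / AntiVirusOverride), the svehost.exe value that typosquats svchost.exe (still listed under the run- key, and still targeted by the CFScript in post #6), the mlJDwwvT.dll Winlogon Notify entry whose file is missing, the uTorrent firewall exception, and the MountPoints2 AutoRun handler. The allow-list of system binaries, the one-character typosquat rule and the indicator names are the example's own assumptions; the sample lines are copied from the logs in this post.

```python
"""Triage pass over ComboFix / HijackThis log lines for the persistence and
defence-evasion indicators visible in this thread.

Added example, not part of the original thread and not code from ComboFix,
HijackThis or any other tool named on the page. The sample lines are copied
from the logs posted above; the allow-list of system binaries, the
one-character typosquat rule and the indicator names are this example's own
assumptions.
"""
import re

# Windows XP system binaries whose names malware imitates (assumed allow-list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "spoolsv.exe", "smss.exe"}

# Constructed sample: lines copied from the ComboFix and HijackThis logs above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
"Microsoft Updates"=svehost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mlJDwwvT]
mlJDwwvT.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8d2dc9e0-c81c-11dc-8724-000b6a9f1550}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL EssentialFiles\index.html
O20 - Winlogon Notify: mlJDwwvT - mlJDwwvT.dll (file missing)
"""


def lookalike(name):
    """Return the system binary that `name` imitates, or None.

    A name of the same length that differs in exactly one character
    (svehost.exe vs svchost.exe) is treated as a typosquat.
    """
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None
    for known in SYSTEM_BINARIES:
        if len(known) == len(name) and sum(a != b for a, b in zip(known, name)) == 1:
            return known
    return None


def triage(lines):
    """Return a list of (indicator, line) pairs for lines that deserve a second look."""
    findings = []
    section = ""  # registry key currently being listed (ComboFix style)
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue

        # 1. Security Center suppression: alerts about AV/firewall state are
        #    silenced, so a disabled or fake AV goes unnoticed.
        if "security center" in section and re.search(
                r'"(DisableMonitoring|AntiVirusOverride|FirewallOverride)"=dword:00000001', line):
            findings.append(("security-center-suppressed", line))

        # 2. Typosquatted binary names in Run values or process lists.
        for exe in re.findall(r"[A-Za-z0-9_]+\.exe", line, re.I):
            imitated = lookalike(exe)
            if imitated:
                findings.append((f"lookalike-of-{imitated}", line))

        # 3. Winlogon Notify DLLs load into winlogon.exe at every logon; a
        #    missing file or one outside system32 is a classic Vundo trace.
        if line.startswith("O20 - Winlogon Notify:"):
            target = line.rsplit(" - ", 1)[-1]
        elif "winlogon\\notify" in section and line.lower().endswith(".dll"):
            target = line
        else:
            target = None
        if target and ("(file missing)" in target
                       or not target.lower().startswith("c:\\windows\\system32")):
            findings.append(("winlogon-notify-dll", line))

        # 4. Firewall exceptions for P2P/streaming clients widen the attack
        #    surface on a box that is already compromised.
        if "authorizedapplications" in section and re.search(r"utorrent|veoh", line, re.I):
            findings.append(("firewall-exception-p2p", line))

        # 5. An AutoRun handler remembered for a removable volume.
        if "mountpoints2" in section and "autorun" in line.lower():
            findings.append(("mountpoints2-autorun", line))
    return findings


if __name__ == "__main__":
    for indicator, line in triage(SAMPLE_LOG.splitlines()):
        print(f"{indicator:28} {line}")
```

The typosquat rule deliberately ignores names of a different length, so it does not complain about ctfmon.exe or sessmgr.exe; it only reacts to the one-character edits (svehost.exe) that are meant to be overlooked in a process list. Every hit is a "look at this", not a verdict: the uTorrent exception, for instance, is simply the exposure a responder wants to know about on a machine where the Security Center was silenced.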

#8 kahdah (GeekU Teacher, Retired Staff, 15,822 posts)

Please do an online scan with Kaspersky WebScanner
(This scanner is for use with Internet Explorer only)
Click on "Accept"

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as button:
  • Save the file in txt format to your desktop.
  • Post that information in your next post.

Edited by kahdah, 11 May 2008 - 03:34 PM.

  • 0

#9 tisthymonkey (New Member, Topic Starter, 8 posts)

Hello again,

Report as instructed.

KASPERSKY ONLINE SCANNER REPORT
Monday, May 12, 2008 10:40:17 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/05/2008
Kaspersky Anti-Virus database records: 760158


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 184635
Number of viruses found 7
Number of infected objects 31
Number of suspicious objects 0
Duration of the scan process 11:43:24

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\User 1\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\User 1\Desktop\Security\SmitfraudFix\IEDFix.exe Infected: Constructor.Win32.Binder.bn skipped

C:\Documents and Settings\User 1\Desktop\Security\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\User 1\Desktop\Security\SmitfraudFix.exe/SmitfraudFix/IEDFix.exe Infected: Constructor.Win32.Binder.bn skipped

C:\Documents and Settings\User 1\Desktop\Security\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\User 1\Desktop\Security\SmitfraudFix.exe RAR: infected - 2 skipped

C:\Documents and Settings\User 1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\User 1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\User 1\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\User 1\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\User 1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\User 1\My Documents\Downloads\Autodata3.18+crack\Autodata3.18crack.rar/Autodata3.18crack by Zogldi/part 1/AdKey.exe Infected: Backdoor.Win32.Blhouse.c skipped

C:\Documents and Settings\User 1\My Documents\Downloads\Autodata3.18+crack\Autodata3.18crack.rar RAR: infected - 1 skipped

C:\Documents and Settings\User 1\My Documents\Downloads\TuneUp Utilities 2008 7.0.8004 + serial, keygen & reg\TuneUp Utilities 2008 7.0.8004 + serial, keygen & reg.zip/TU2008TrialEN.exe Infected: Trojan-Dropper.Win32.Agent.qzl skipped

C:\Documents and Settings\User 1\My Documents\Downloads\TuneUp Utilities 2008 7.0.8004 + serial, keygen & reg\TuneUp Utilities 2008 7.0.8004 + serial, keygen & reg.zip/Keygen 1/TU2008 Keymaker.exe/data0000.cab/is201747.exe Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\User 1\My Documents\Downloads\TuneUp Utilities 2008 7.0.8004 + serial, keygen & reg\TuneUp Utilities 2008 7.0.8004 + serial, keygen & reg.zip/Keygen 1/TU2008 Keymaker.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\User 1\My Documents\Downloads\TuneUp Utilities 2008 7.0.8004 + serial, keygen & reg\TuneUp Utilities 2008 7.0.8004 + serial, keygen & reg.zip/Keygen 1/TU2008 Keymaker.exe Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\User 1\My Documents\Downloads\TuneUp Utilities 2008 7.0.8004 + serial, keygen & reg\TuneUp Utilities 2008 7.0.8004 + serial, keygen & reg.zip/Keygen 2/keygen.exe/data0000.cab/is201747.exe Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\User 1\My Documents\Downloads\TuneUp Utilities 2008 7.0.8004 + serial, keygen & reg\TuneUp Utilities 2008 7.0.8004 + serial, keygen & reg.zip/Keygen 2/keygen.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\User 1\My Documents\Downloads\TuneUp Utilities 2008 7.0.8004 + serial, keygen & reg\TuneUp Utilities 2008 7.0.8004 + serial, keygen & reg.zip/Keygen 2/keygen.exe Infected: Trojan.Win32.Monder.gen skipped

C:\Documents and Settings\User 1\My Documents\Downloads\TuneUp Utilities 2008 7.0.8004 + serial, keygen & reg\TuneUp Utilities 2008 7.0.8004 + serial, keygen & reg.zip ZIP: infected - 7 skipped

C:\Documents and Settings\User 1\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\User 1\ntuser.dat.LOG Object is locked skipped

C:\Keygen 1\TU2008 Keymaker.exe/data0000.cab/is201747.exe Infected: Trojan.Win32.Monder.gen skipped

C:\Keygen 1\TU2008 Keymaker.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped

C:\Keygen 1\TU2008 Keymaker.exe Rsrc-Package: infected - 2 skipped

C:\Keygen 2\keygen.exe/data0000.cab/is201747.exe Infected: Trojan.Win32.Monder.gen skipped

C:\Keygen 2\keygen.exe/data0000.cab Infected: Trojan.Win32.Monder.gen skipped

C:\Keygen 2\keygen.exe Rsrc-Package: infected - 2 skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\cuenhgti.dll.vir Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\fuqgtifv.dll.vir Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\gnybawvv.dll.vir Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\gpkebubw.dll.vir Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\pmnlihFy.dll.vir Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\prrqhvip.dll.vir Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\trtnbgub.dll.vir Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\tsioharl.dll.vir Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\vtUlJbbx.dll.vir Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\xxyyxvtU.dll.vir Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\ycqhcbfw.dll.vir Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\ywedkwyl.dll.vir Object is locked skipped

C:\QooBox\Quarantine\catchme2008-05-11_ 02432.51.zip/vtUlJbbx.dll Infected: Trojan.Win32.Monder.gen skipped

C:\QooBox\Quarantine\catchme2008-05-11_ 02432.51.zip ZIP: infected - 1 skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP127\A0021312.exe Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP127\A0021662.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP127\A0021673.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP128\A0021676.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP129\A0031266.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP129\A0031313.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP129\A0031328.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP129\A0031329.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP130\A0031473.exe Infected: Constructor.Win32.Binder.bn skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP130\A0031475.exe Infected: Constructor.Win32.Binder.bn skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP130\A0031485.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP130\A0031486.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP130\A0031487.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP130\A0031488.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP130\A0031489.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP130\A0031490.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP130\A0031491.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP130\A0031499.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP130\A0031500.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP130\A0032360.exe Infected: Constructor.Win32.Binder.bn skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP130\A0032362.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP130\A0032394.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP133\A0033478.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP133\A0033479.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP133\A0033480.dll Object is locked skipped

C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP133\change.log Object is locked skipped

C:\TU2008TrialEN.exe Infected: Trojan-Dropper.Win32.Agent.qzl skipped

C:\Welsh Backup\Laptop Backup\Partition 1\Desktop\Unused Desktop Shortcuts\Norton AntiVirus 2007 with SERIAL [UPDATES AVAILABLE]\NAV071400.exe Infected: not-a-virus:Monitor.Win32.Ardamax.k skipped

C:\Welsh Backup\Laptop Backup\Partition 1\Norton 360\Norton AntiVirus 2007 with SERIAL [UPDATES AVAILABLE]\NAV071400.exe Infected: not-a-virus:Monitor.Win32.Ardamax.k skipped

C:\Welsh Backup\Laptop Backup\Partition 1\Partition 2\VVSNInst.exe Infected: not-a-virus:AdTool.Win32.WhenU.a skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{954689EB-720A-4889-80D5-DB4B0E2EE02D}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\etc\Hosts.bak Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\TEMP\Cookies\index.dat Object is locked skipped

C:\WINDOWS\TEMP\History\History.IE5\index.dat Object is locked skipped

C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0

#10
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download the OTMoveIt2 by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\Documents and Settings\User 1\Desktop\Security\SmitfraudFix
    C:\Documents and Settings\User 1\Desktop\Security\SmitfraudFix.exe 
    C:\Documents and Settings\User 1\My Documents\Downloads\Autodata3.18+crack\Autodata3.18crack.rar 
    C:\Documents and Settings\User 1\My Documents\Downloads\TuneUp Utilities 2008 7.0.8004 + serial, keygen & reg
    C:\Keygen 1
    C:\Keygen 2
    C:\TU2008TrialEN.exe 
    C:\Welsh Backup\Laptop Backup\Partition 1\Desktop\Unused Desktop Shortcuts\Norton AntiVirus 2007 with SERIAL [UPDATES AVAILABLE]\NAV071400.exe 
    C:\Welsh Backup\Laptop Backup\Partition 1\Partition 2\VVSNInst.exe
  • Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light Yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • OTMoveit2 will create a log of moved files in the C:\_OTMoveIt\MovedFiles folder. The log's name will appear as the date and time it was created, with the format mmddyyyy_hhmmss.log. Open this log in Notepad and post its contents in your next reply.
  • Close OTMoveIt2
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
================
Also please post a new Hijackthis log as well as the OTMoveIt log and let me know how things are running.
  • 0
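The move list in the reply above was built by hand from the Kaspersky report: every "Infected:" line was reduced to the file that actually exists on disk (Kaspersky lists members inside an archive with "/" after the archive name), and hits inside the System Restore area and ComboFix's QooBox quarantine were left out because later steps deal with those. The following is an added example, written for this page and not code from the thread, OTMoveIt2 or Kaspersky, that does the same reduction over a constructed sample of report lines; the function names (parse_report, build_move_list, riskware_only) and the exclusion list are assumptions of the example.

```python
import re
from typing import Dict, Iterator, List, Set

# Constructed sample: lines in the format of the Kaspersky report posted in
# this thread (a reported path, a verdict, then "skipped"), trimmed to a few
# representative entries.
SAMPLE_REPORT = r"""
C:\Documents and Settings\User 1\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User 1\Desktop\Security\SmitfraudFix\IEDFix.exe Infected: Constructor.Win32.Binder.bn skipped
C:\Documents and Settings\User 1\Desktop\Security\SmitfraudFix.exe/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\User 1\Desktop\Security\SmitfraudFix.exe RAR: infected - 2 skipped
C:\Documents and Settings\User 1\My Documents\Downloads\Autodata3.18+crack\Autodata3.18crack.rar/Autodata3.18crack by Zogldi/part 1/AdKey.exe Infected: Backdoor.Win32.Blhouse.c skipped
C:\Keygen 2\keygen.exe/data0000.cab/is201747.exe Infected: Trojan.Win32.Monder.gen skipped
C:\Keygen 2\keygen.exe Rsrc-Package: infected - 2 skipped
C:\QooBox\Quarantine\catchme2008-05-11_ 02432.51.zip/vtUlJbbx.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{2BDE8BF5-8E71-4878-A04E-B5502DDB2331}\RP130\A0031473.exe Infected: Constructor.Win32.Binder.bn skipped
C:\TU2008TrialEN.exe Infected: Trojan-Dropper.Win32.Agent.qzl skipped
"""

# One report line is either "<path> Infected: <verdict> skipped",
# "<path> Object is locked skipped", or a per-archive summary such as
# "<path> ZIP: infected - <n> skipped".
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<verdict>\S+)"
    r"|Object is locked"
    r"|(?:ZIP|RAR|Rsrc-Package): infected - \d+) skipped$"
)

# Locations that need no OTMoveIt entry (assumption of this example):
# restore points are discarded when System Restore is reset, and QooBox
# is ComboFix's own quarantine folder.
EXCLUDED_PREFIXES = (
    r"c:\system volume information",
    r"c:\qoobox\quarantine",
)


def parse_report(text: str) -> Iterator[Dict[str, str]]:
    """Yield one record per parseable line: reported path, status, verdict."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # headers, blank lines, unknown line formats
        if m.group("verdict"):
            status = "infected"
        elif "Object is locked" in line:
            status = "locked"
        else:
            status = "container"  # archive summary; members are listed separately
        yield {"path": m.group("path"), "status": status,
               "verdict": m.group("verdict") or ""}


def on_disk_path(reported: str) -> str:
    """Kaspersky separates archive members with '/'; the text before the
    first '/' is the file that actually exists on disk."""
    return reported.split("/", 1)[0]


def is_riskware(verdict: str) -> bool:
    """A 'not-a-virus:' prefix marks riskware/adware rather than malware."""
    return verdict.startswith("not-a-virus:")


def build_move_list(text: str) -> Dict[str, Set[str]]:
    """Map each on-disk file flagged as infected to the verdicts found in it,
    leaving out locations that other steps of the cleanup take care of."""
    hits: Dict[str, Set[str]] = {}
    for rec in parse_report(text):
        if rec["status"] != "infected":
            continue
        path = on_disk_path(rec["path"])
        if path.lower().startswith(EXCLUDED_PREFIXES):
            continue
        hits.setdefault(path, set()).add(rec["verdict"])
    return hits


def riskware_only(hits: Dict[str, Set[str]]) -> List[str]:
    """Files whose every verdict is riskware: worth a second look before an
    automatic move (a removal tool's own reboot helper, for instance)."""
    return sorted(p for p, v in hits.items() if all(map(is_riskware, v)))


if __name__ == "__main__":
    hits = build_move_list(SAMPLE_REPORT)
    print("Paste into OTMoveIt2:")
    for path in sorted(hits):
        print("   ", path)
    print("Riskware-only (review first):", riskware_only(hits))
```

On the sample above the script produces five paths and singles out SmitfraudFix.exe as riskware-only, which matches the way the reply treats the Reboot.exe helper differently from the keygen droppers; on the full report it would also collapse the seven TuneUp entries to the one zip file.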

#11
tisthymonkey

tisthymonkey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Done.


C:\Documents and Settings\User 1\Desktop\Security\SmitfraudFix moved successfully.
C:\Documents and Settings\User 1\Desktop\Security\SmitfraudFix.exe moved successfully.
C:\Documents and Settings\User 1\My Documents\Downloads\Autodata3.18+crack\Autodata3.18crack.rar moved successfully.
C:\Documents and Settings\User 1\My Documents\Downloads\TuneUp Utilities 2008 7.0.8004 + serial, keygen & reg moved successfully.
C:\Keygen 1 moved successfully.
C:\Keygen 2 moved successfully.
File/Folder C:\TU2008TrialEN.exe not found.
< C:\Welsh Backup\Laptop Backup\Partition 1\Desktop\Unused Desktop Shortcuts\Norton AntiVirus 2007 with SERIAL [UPDATES AVAILABLE]\NAV071400.exe >
C:\Welsh Backup\Laptop Backup\Partition 1\Desktop\Unused Desktop Shortcuts\Norton AntiVirus 2007 with SERIAL [UPDATES AVAILABLE]\NAV071400.exe moved successfully.
C:\Welsh Backup\Laptop Backup\Partition 1\Partition 2\VVSNInst.exe moved successfully.

OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05122008_194215
  • 0

#12
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please post a new Hijackthis log and let me know how things are running?
  • 0

#13
tisthymonkey

tisthymonkey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Latest Hijackthis log

System is running fine now. No pop ups today and system is as quick as I can remember it. Still just a bit paranoid that something is in there working away in background.

I downloaded Kaspersky 7.0 after you suggested running the scan as it managed to identify all that others have not. I have deleted each issue but will they simply come back?

What is the best way to check if system is virus free? I ask this as I have over the last week run lots of programs and most don't pick up the issues.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:28:26, on 12/05/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mytalktalk.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: (no name) - {90222687-F593-4738-B738-FBEE9C7B26DF} - (no file)
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\RunOnce: [SymLnch] "C:\Documents and Settings\User 1\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070828\Support\SymLnch\SymLnch.exe" "C:\Documents and Settings\User 1\Application Data\Symantec\Layouts\Norton Internet Security\15.0\SymAllLanguages\NIS_RETAIL\20070828\Setup.exe" "/REALUPREBOOT /temp /patched"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoft...s/as2stubie.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: mlJDwwvT - mlJDwwvT.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - (no file)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software GmbH - C:\WINDOWS\System32\TuneUpDefragService.exe

--
End of file - 7171 bytes
  • 0

#14
kahdah

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts

I have deleted each issue but will they simply come back?

They will come back if you keep using keygens and cracked software.
That is the reason that you were infected in the first place.

The best way to stay virus free is to do a full update and a weekly or bi-weekly scan of your entire computer.
Don't download cracks or keygens because 9 times out of 10 they are infected.
========================
You will need to uninstall Norton Internet Security, as having 2 antivirus programs is not helpful but harmful to the system.
====================
Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: (no name) - {90222687-F593-4738-B738-FBEE9C7B26DF} - (no file)
O20 - Winlogon Notify: mlJDwwvT - mlJDwwvT.dll (file missing)



Now click on Fix Checked and then close Hijackthis.
==================================
Cleanup::
  • Make sure you have an Internet Connection.
  • Double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
  • Click on the CleanUp! button
  • A list of tool components used in the Cleanup of malware will be downloaded.
  • If your Firewall or Real Time protection attempts to block OtMoveit2 to reach the Internet, please allow the application to do so.
  • Click Yes to begin the Cleanup process and remove these components, including this application.
  • You will be asked to reboot the machine to finish the Cleanup process. If you are asked to reboot the machine choose Yes.
===============
Delete/uninstall anything else that we have used.

System Restore
Then I will need you to reset your System Restore points.
The link below shows how to create a clean restore point.
How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb/310405/en-us
=====================================
After that your log is clean. :)

The following is a list of tools and utilities that I like to suggest to people.
You do not have to have all or any of them they are only suggestions.
This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.

Spybot Search & Destroy-Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

Ad-Aware-Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

Spyware Blaster - Great prevention tool to keep nasties from installing on your system.

Spywareguard-Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

IE-SPYAD- puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.

Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

Tony Klein article To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Edited by kahdah, 12 May 2008 - 05:41 PM.

  • 0
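The three entries picked for "Fix Checked" above share one property: each points at a file that no longer exists ("(no file)" or "(file missing)"), so they are leftover registry hooks from components that Kaspersky and OTMoveIt2 already removed. The following is an added example, written for this page and not code from the thread or from HijackThis, that applies that rule mechanically to a constructed subset of the posted log and also lists the O20 autoload points for manual review; the function names (parse_entries, is_orphan, triage) are assumptions of the example. It goes slightly beyond the reply by surfacing every orphaned entry, including the O23 service that the reply did not touch.

```python
import re
from typing import Dict, List

# Constructed sample: a subset of the O-lines from the HijackThis log posted
# in this thread, enough to exercise each rule below.
SAMPLE_HJT = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O3 - Toolbar: (no name) - {90222687-F593-4738-B738-FBEE9C7B26DF} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: mlJDwwvT - mlJDwwvT.dll (file missing)
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - (no file)
"""

# Every HijackThis entry starts with a section code (R0, O2, O23, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")

# How HijackThis marks a target that is not on disk any more.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split a log into section-prefixed entries. Header lines and the
    'Running processes' block do not match the pattern and are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m.group("section"),
                            "body": m.group("body"),
                            "raw": line.strip()})
    return entries


def is_orphan(entry: Dict[str, str]) -> bool:
    """True when the entry's target file is gone. The hook does nothing on
    its own but is debris from a removed component, which is exactly the
    kind of line a helper asks to 'Fix checked'."""
    return entry["body"].endswith(ORPHAN_MARKERS)


def triage(text: str) -> Dict[str, List[str]]:
    """Group entries into: orphaned hooks, plus the two O20 autoload points
    (Winlogon Notify packages and AppInit_DLLs). Both O20 locations are used
    legitimately (Kaspersky registers adialhk.dll through AppInit_DLLs), so
    they are listed for review rather than marked bad."""
    entries = parse_entries(text)
    orphaned = [e["raw"] for e in entries if is_orphan(e)]
    winlogon = [e["raw"] for e in entries
                if e["section"] == "O20" and e["body"].startswith("Winlogon Notify:")]
    appinit = [e["raw"] for e in entries
               if e["section"] == "O20" and e["body"].startswith("AppInit_DLLs:")]
    return {"orphaned": orphaned,
            "winlogon_notify": winlogon,
            "appinit_dlls": appinit}


if __name__ == "__main__":
    result = triage(SAMPLE_HJT)
    for label, lines in result.items():
        print(f"== {label} ({len(lines)})")
        for line in lines:
            print("  ", line)
```

Run against the full log, the orphaned group contains the two O3 toolbars and the O20 Winlogon Notify entry from the reply plus the "LiveUpdate Notice Service Ex" service; the O20 groups hold one Kaspersky entry each, which is why a reviewer wants the vendor path shown rather than an automatic verdict.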

#15
tisthymonkey

tisthymonkey

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Hello kahdah,

All done and system seems to be fine.

Thank you very much for all your help.

Kind regards
Paul.
  • 0





