Help please
Join Date: Jan 2006
Posts: 33
There was just that one that you pointed out, which I deleted. The other two were an Apple software updater that I always cancel and a task for an adware program that I thought might be worth a shot earlier today... it wasn't; it was one of those that you have to buy when you get to the end. The one that you were wondering about had c:\docume~1\john\applic~1\4file\Tick Scr Ace.exe when I clicked on the properties. I am not sure what you mean by entry line data.
I do wish you'd answer ALL of my questions. I can get to bed earlier.
We've disposed of the Scheduled Task matter for now. But keep your eye on this in case it respawns.
When did your problems start? Date and approximate time? I want to try and correlate with the ComboFix log if possible.
Next step is to run AVG Spyware and SpyBot to make sure that nothing is reported. Reboot; run ComboFix and HJT and re-post. It'll be around 18 hours before I can look at it again but maybe another of the brainios here can take over!
Suspishio
My advice is at your risk
Qosmio G50-10H; T9400 2.53GHz Core 2 Duo; 4GB RAM; Vista HP (32)
nForce 680i LT; Q6600 Quad Core 2.4GHz; 8GB RAM; XP Pro (64)
Dell XPS M1710; T7200 2GHz Core 2 Duo; 2GB RAM; XP Pro (32)
Join Date: Jan 2006
Posts: 33
Started 19th October between 1100hrs and 1400hrs.
Then I was away for a while and when I came back I knew I had a problem. I then started running scans from Saturday 27th October and installed the Virgin Media PC Guard software. Sometime in the evening of 27/10 I put my flash drive in and got a warning message about that xls thing mentioned earlier, and I quarantined it straight away.
I can't remember if I put something on the flash drive on the 19th that the new antivirus picked up when I got back, or if that is a wholly different problem from the other PC while I was away.
On the 19th I still had my normal Windows Explorer interface, although I only used it for about 2 hours after when I thought the problem had occurred until the 27th. Whatever happened when I came back was an exacerbation of what started on the 19th. Most of these started happening when I tried to delete what is shown as RB3E.tmp and RB4.tmp from the recycle bin and they wouldn't delete. When I click on either of these and look at the properties it says that the origin is the RECYCLER. The problems I have are two: my navigation around Windows is messed up (no address bar, File, View, Options etc.) and when I open Internet Explorer I get the pop-ups to ads.
That task is back in the Windows task window but it has now changed so that the scheduling of the task is from 18/06/1999. As my PC wasn't even buildable back then it is highly unlikely.
I ran Spybot twice today; the first run grabbed a few reg entries and cleared them up, as well as a few tracking cookies of no consequence. The second run showed no reg entries but there were a few tracking cookies... this is to be expected as I use one on here and one other site I regularly use.
I have run AVG three times over the last two days and it finds similar cookies.
I too am knackered now and thank you for all your help so far... it is much appreciated. I will follow your instructions and run the scans overnight.
Again, well done. I hope we're nearly there. ComboFix, lo and behold, shows this entry in the origin timeframe:
----------------------------------------------------------------------------------------------------------
"INTERNETAMEN"="C:\DOCUME~1\John\APPLIC~1\4file\Bike Name.exe" [2007-10-19 13:16]
-----------------------------------------------------------------------------------------------------------
We only just got rid of that, so it may still have done more damage - hence the overnight scans. It was this one all the time. I thought of singling it out originally, but 4file is a known application for video and radio playing.
Oh well. Later.
Suspishio
My advice is at your risk
Qosmio G50-10H; T9400 2.53GHz Core 2 Duo; 4GB RAM; Vista HP (32)
nForce 680i LT; Q6600 Quad Core 2.4GHz; 8GB RAM; XP Pro (64)
Dell XPS M1710; T7200 2GHz Core 2 Duo; 2GB RAM; XP Pro (32)
Join Date: Jan 2006
Posts: 33
I removed the one you posted, the 4file one. Interestingly enough I have Spybot in time running (tells me about changes to the reg) and shortly after I removed it I got an alert that it was trying to reinstall. Ran AVG again - just a few cookies - and 3 cookies with Spybot Search and Destroy. Just posting the logs here for you to have a look at while I am sleeping... lol. It sucks when your PC doesn't work properly.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:21:23, on 30/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\John\Desktop\imabummy.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://luminis.leedsmet.ac.uk/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files\ATI\CatalystRegistration\dolce.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [axis web cake second] "C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web\rule mode.exe"
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework...ex/TmHcmsX.CAB
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www4.king.com/ctl/kingcomie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by135fd.bay135.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1169321153671
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 11367 bytes
ComboFix 07-10-29.1 - John 2007-10-30 2:25:40.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.413 [GMT 0:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-30 )))))))))))))))))))))))))))))))
.
2007-10-29 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-29 16:04 <DIR> d-------- C:\Documents and Settings\John\Application Data\AdwareAlert
2007-10-29 13:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-29 13:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2007-10-29 12:10 <DIR> d-------- C:\VundoFix Backups
2007-10-28 21:57 <DIR> d-------- C:\Documents and Settings\John\Application Data\Grisoft
2007-10-28 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-28 21:57 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-28 21:14 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-28 17:26 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-27 20:44 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-27 20:31 55,296 --a------ C:\WINDOWS\system32\drivers\rp_skt32.sys
2007-10-27 20:31 48,384 --a------ C:\WINDOWS\system32\drivers\rp_pkt32.sys
2007-10-27 20:30 <DIR> d-------- C:\Program Files\Raxco
2007-10-27 20:30 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-10-27 20:30 <DIR> d-------- C:\Program Files\Common Files\Authentium
2007-10-27 20:30 <DIR> d-------- C:\Program Files\CA
2007-10-27 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Raxco
2007-10-27 20:27 <DIR> d-------- C:\Documents and Settings\John\Application Data\InstallShield
2007-10-27 20:26 <DIR> d-------- C:\Program Files\Virgin Broadband
2007-10-27 20:26 <DIR> d-------- C:\Documents and Settings\John\Application Data\Virgin Broadband
2007-10-27 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Virgin Broadband
2007-10-27 19:45 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-27 19:44 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-19 13:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web
2007-10-19 13:16 <DIR> d-------- C:\Program Files\4file
2007-10-19 13:16 <DIR> d-------- C:\Documents and Settings\John\Application Data\4file
2007-10-18 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-18 18:11 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-10-18 18:11 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-10-18 18:10 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-10-18 18:05 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-10-04 13:00 <DIR> d-------- C:\Program Files\Real
2007-10-04 13:00 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-09-28 12:48 5,120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-09-26 22:02 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-09-20 21:54 <DIR> dr-h----- C:\Documents and Settings\John\Application Data\SecuROM
2007-09-20 21:54 <DIR> d-------- C:\Documents and Settings\John\Application Data\Bioshock
2007-09-20 21:33 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-09-20 20:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2007-09-20 20:47 <DIR> d-------- C:\Program Files\Steam
2007-09-20 20:47 <DIR> d-------- C:\Program Files\ATI
2007-09-20 20:16 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-09-19 21:55 <DIR> d-------- C:\WINDOWS\BioShock
2007-09-18 22:28 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-09-17 18:23 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22 739,840 --a------ C:\WINDOWS\system32\DivX.dll
2007-09-12 12:18 <DIR> d-------- C:\spoolerlogs
2007-09-11 23:14 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-11 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-29 22:47 --------- d-----w C:\Documents and Settings\John\Application Data\uTorrent
2007-10-29 11:12 --------- d-----w C:\Program Files\eMule
2007-10-29 08:11 --------- d-----w C:\Program Files\SPSS Evaluation
2007-10-28 17:53 --------- d-----w C:\Program Files\TVUPlayer
2007-10-28 01:37 --------- d-----w C:\Program Files\PPStream
2007-10-27 20:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-10 11:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-06 23:07 --------- d-----w C:\Program Files\Java
2007-10-05 23:49 --------- d-----w C:\Program Files\Winamp
2007-10-04 13:00 --------- d-----w C:\Program Files\Common Files\Real
2007-09-28 12:48 --------- d-----w C:\Program Files\ffdshow
2007-09-26 22:17 --------- d-----w C:\Program Files\LucasArts
2007-09-24 15:26 --------- d-----w C:\Program Files\SPSS
2007-09-23 13:22 --------- d-----w C:\Program Files\DivX
2007-09-20 21:54 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-20 20:46 --------- d-----w C:\Program Files\ATI Technologies
2007-09-15 14:13 --------- d-----w C:\Documents and Settings\John\Application Data\TVU networks
2007-09-11 12:50 --------- d-----w C:\Program Files\Apple Software Update
2007-08-22 02:09 352,256 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-08-22 02:07 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-08-22 02:07 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-08-22 01:59 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-08-22 01:59 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-08-22 01:58 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-08-22 01:58 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-08-22 01:57 487,424 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-08-22 01:56 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-08-22 01:48 8,306,688 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-08-22 01:47 3,091,392 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-08-22 01:35 1,586,816 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-08-22 01:21 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-08-22 01:19 266,240 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-08-22 01:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-08-22 01:15 172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-08-22 01:11 450,560 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-08-21 20:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 00:26 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-08-21 00:26 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-08-15 22:33 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-08-15 22:33 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-08-15 22:33 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-08-15 22:33 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-08-15 22:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-08-15 22:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-08-15 22:31 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-08-15 22:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-08-15 22:30 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-30 18:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 18:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 18:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 18:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 18:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 18:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 18:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 18:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 18:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 18:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-26 23:06 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-07-26 23:06 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-07-26 23:06 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-07-09 13:16 582,656 ----a-w C:\WINDOWS\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((( snapshot@2007-10-29_13.09.43.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 12:34:40 63,996 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-10-30 02:18:11 63,996 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-29 12:34:40 405,506 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-30 02:18:11 405,506 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 12:54 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2006-05-16 16:04 C:\WINDOWS\SkyTel.exe]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 11:34 C:\WINDOWS\sm56hlpr.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"CatalystRegistration"="C:\Program Files\ATI\CatalystRegistration\dolce.exe" [2007-07-27 11:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-04 13:00]
"axis web cake second"="C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web\rule mode.exe" [2007-10-30 02:16]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 17:49]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 13:10]
"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 13:10]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
R3 AmdLLD;AMD Low Level Device Driver;C:\WINDOWS\system32\DRIVERS\AmdLLD.sys
S1 SABKUTIL;SABKUTIL;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\D:\INSTAL~E\Core\BVRPMPR5.SYS
S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874}
.
Contents of the 'Scheduled Tasks' folder
"2007-10-30 02:00:02 C:\WINDOWS\Tasks\AEEE2C6F9279A60F.job"
.
**************************************************************************
catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-30 02:29:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-10-30 2:30:23
C:\ComboFix2.txt ... 2007-10-29 19:54
C:\ComboFix3.txt ... 2007-10-29 17:43
.
--- E O F ---
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files\ATI\CatalystRegistration\dolce.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [axis web cake second] "C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web\rule mode.exe"
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/...x/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework...ex/TmHcmsX.CAB
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www4.king.com/ctl/kingcomie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by135fd.bay135.hotmail.msn.co...s/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/.../GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1169321153671
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab56907.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/.../en/crlocx.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary...n.cab31267.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
--
End of file - 11367 bytes
ComboFix 07-10-29.1 - John 2007-10-30 2:25:40.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.413 [GMT 0:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-30 )))))))))))))))))))))))))))))))
.
2007-10-29 17:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-29 16:04 <DIR> d-------- C:\Documents and Settings\John\Application Data\AdwareAlert
2007-10-29 13:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-29 13:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\ATI
2007-10-29 12:10 <DIR> d-------- C:\VundoFix Backups
2007-10-28 21:57 <DIR> d-------- C:\Documents and Settings\John\Application Data\Grisoft
2007-10-28 21:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-28 21:57 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-28 21:14 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-10-28 17:26 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-27 20:44 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-27 20:31 55,296 --a------ C:\WINDOWS\system32\drivers\rp_skt32.sys
2007-10-27 20:31 48,384 --a------ C:\WINDOWS\system32\drivers\rp_pkt32.sys
2007-10-27 20:30 <DIR> d-------- C:\Program Files\Raxco
2007-10-27 20:30 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-10-27 20:30 <DIR> d-------- C:\Program Files\Common Files\Authentium
2007-10-27 20:30 <DIR> d-------- C:\Program Files\CA
2007-10-27 20:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Raxco
2007-10-27 20:27 <DIR> d-------- C:\Documents and Settings\John\Application Data\InstallShield
2007-10-27 20:26 <DIR> d-------- C:\Program Files\Virgin Broadband
2007-10-27 20:26 <DIR> d-------- C:\Documents and Settings\John\Application Data\Virgin Broadband
2007-10-27 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Virgin Broadband
2007-10-27 19:45 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-27 19:44 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-19 13:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web
2007-10-19 13:16 <DIR> d-------- C:\Program Files\4file
2007-10-19 13:16 <DIR> d-------- C:\Documents and Settings\John\Application Data\4file
2007-10-18 18:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-18 18:11 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-10-18 18:11 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-10-18 18:10 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-10-18 18:05 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-10-04 13:00 <DIR> d-------- C:\Program Files\Real
2007-10-04 13:00 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-09-28 12:48 5,120 --a------ C:\WINDOWS\system32\ff_vfw.dll
2007-09-26 22:02 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-09-20 21:54 <DIR> dr-h----- C:\Documents and Settings\John\Application Data\SecuROM
2007-09-20 21:54 <DIR> d-------- C:\Documents and Settings\John\Application Data\Bioshock
2007-09-20 21:33 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-09-20 20:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ATI
2007-09-20 20:47 <DIR> d-------- C:\Program Files\Steam
2007-09-20 20:47 <DIR> d-------- C:\Program Files\ATI
2007-09-20 20:16 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-09-19 21:55 <DIR> d-------- C:\WINDOWS\BioShock
2007-09-18 22:28 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2007-09-17 18:23 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22 739,840 --a------ C:\WINDOWS\system32\DivX.dll
2007-09-12 12:18 <DIR> d-------- C:\spoolerlogs
2007-09-11 23:14 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-11 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-29 22:47 --------- d-----w C:\Documents and Settings\John\Application Data\uTorrent
2007-10-29 11:12 --------- d-----w C:\Program Files\eMule
2007-10-29 08:11 --------- d-----w C:\Program Files\SPSS Evaluation
2007-10-28 17:53 --------- d-----w C:\Program Files\TVUPlayer
2007-10-28 01:37 --------- d-----w C:\Program Files\PPStream
2007-10-27 20:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-10 11:28 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-06 23:07 --------- d-----w C:\Program Files\Java
2007-10-05 23:49 --------- d-----w C:\Program Files\Winamp
2007-10-04 13:00 --------- d-----w C:\Program Files\Common Files\Real
2007-09-28 12:48 --------- d-----w C:\Program Files\ffdshow
2007-09-26 22:17 --------- d-----w C:\Program Files\LucasArts
2007-09-24 15:26 --------- d-----w C:\Program Files\SPSS
2007-09-23 13:22 --------- d-----w C:\Program Files\DivX
2007-09-20 21:54 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-20 20:46 --------- d-----w C:\Program Files\ATI Technologies
2007-09-15 14:13 --------- d-----w C:\Documents and Settings\John\Application Data\TVU networks
2007-09-11 12:50 --------- d-----w C:\Program Files\Apple Software Update
2007-08-22 02:09 352,256 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-08-22 02:07 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-08-22 02:07 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-08-22 01:59 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-08-22 01:59 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-08-22 01:58 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-08-22 01:58 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-08-22 01:57 487,424 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-08-22 01:56 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-08-22 01:48 8,306,688 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-08-22 01:47 3,091,392 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-08-22 01:35 1,586,816 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-08-22 01:21 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-08-22 01:19 266,240 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-08-22 01:17 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-08-22 01:15 172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-08-22 01:11 450,560 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-08-21 20:05 593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 00:26 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-08-21 00:26 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-08-15 22:33 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-08-15 22:33 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-08-15 22:33 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-08-15 22:33 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-08-15 22:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-08-15 22:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-08-15 22:31 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-08-15 22:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-08-15 22:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-08-15 22:30 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-30 18:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 18:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 18:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 18:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 18:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 18:19 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 18:19 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 18:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 18:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 18:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-26 23:06 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-07-26 23:06 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-07-26 23:06 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-07-09 13:16 582,656 ----a-w C:\WINDOWS\system32\rpcrt4.dll
.
((((((((((((((((((((((((((((( snapshot@2007-10-29_13.09.43.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 12:34:40 63,996 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-10-30 02:18:11 63,996 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-29 12:34:40 405,506 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-30 02:18:11 405,506 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 12:54 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2006-05-16 16:04 C:\WINDOWS\SkyTel.exe]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 11:34 C:\WINDOWS\sm56hlpr.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"CatalystRegistration"="C:\Program Files\ATI\CatalystRegistration\dolce.exe" [2007-07-27 11:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-04 13:00]
"axis web cake second"="C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web\rule mode.exe" [2007-10-30 02:16]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 17:49]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 13:10]
"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 13:10]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
R3 AmdLLD;AMD Low Level Device Driver;C:\WINDOWS\system32\DRIVERS\AmdLLD.sys
S1 SABKUTIL;SABKUTIL;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\D:\INSTAL~E\Core\BVRPMPR5.SYS
S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874}
.
Contents of the 'Scheduled Tasks' folder
"2007-10-30 02:00:02 C:\WINDOWS\Tasks\AEEE2C6F9279A60F.job"
.
**************************************************************************
catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-30 02:29:11
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
.
Completion time: 2007-10-30 2:30:23
C:\ComboFix2.txt ... 2007-10-29 19:54
C:\ComboFix3.txt ... 2007-10-29 17:43
.
--- E O F ---
Bad stuff is still there and needs deleting.
---------------------------------------------------------
2007-10-19 13:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web
2007-10-19 13:16 <DIR> d-------- C:\Program Files\4file
"axis web cake second"="C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web\rule mode.exe" [2007-10-30 02:16]
---------------------------------------------------------
Have you done these specific deletes before?
Also clear your scheduled tasks in respect of this job:
"2007-10-30 02:00:02 C:\WINDOWS\Tasks\AEEE2C6F9279A60F.job"
and any other scheduled event timed today at 02:00. Please confirm that was a time you rebooted.
I hope this'll clear it all out. If it re-appears in the next ComboFix log, then the only method I can advise on is based on looking for clusters around the dates and times shown above and deleting everything I can't account for created at those timestamps.
Suspishio
My advice is at your risk
Qosmio G50-10H; T9400 2.53GHz Core 2 Duo; 4GB RAM; Vista HP (32)
nForce 680i LT; Q6600 Quad Core 2.4GHz; 8GB RAM; XP Pro (64)
Dell XPS M1710; T7200 2GHz Core 2 Duo; 2GB RAM; XP Pro (32)
Join Date: Jan 2006
Posts: 33
Solved Threads: 0
Been getting some extra help from someone else. The first thing so far was downloading and running the Lop uninstaller, which cleared the pop-up windows. (The 4file thing was a Lop infection.) The other steps are the ones that you suggested, and then running a scan with Dr Web CureIt, which has identified a few more problems, mostly in the System Restore directory, but has fixed my flash drive problem. I will let you know the other steps and post some logs of what I found and what the other person said to fix the problems.
Thanks for your help Suspishio, it has been greatly appreciated and we at least managed to get started on getting rid of the problems. Thank goodness it wasn't Virtumundo, though.
You seem to be on your way - but please...
Look in Windows\system32 and c:\windows and c:\ for clusters of stuff created 19-Oct-07 around 13:16 and 30-Oct-07 around 02:16.
You need to be 100% sure nothing of the original is there and especially that nothing has been spawned. It's a basic precaution in every case of virus or trojan infection.
Look forward to seeing your final logs.
Suspishio
My advice is at your risk
Qosmio G50-10H; T9400 2.53GHz Core 2 Duo; 4GB RAM; Vista HP (32)
nForce 680i LT; Q6600 Quad Core 2.4GHz; 8GB RAM; XP Pro (64)
Dell XPS M1710; T7200 2GHz Core 2 Duo; 2GB RAM; XP Pro (32)
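The "look for clusters of stuff created around those timestamps" check that Suspishio asks for in the two replies above can be run over the ComboFix log itself rather than by eye. The script below is an added example for this thread, not code from either poster or from ComboFix. It parses the three timestamped line formats visible in the log above (the Files Created entries, the bracketed dates on the Reg Loading Points entries, and the Scheduled Tasks line), groups entries that fall within a few minutes of a given anchor time, and also finds bursts of activity without being told an anchor, which is how you would spot an install nobody mentioned. The sample lines are a constructed subset copied from the log posted above; the five-minute default window, the 20-minute window used to tie the 02:00 task to the 02:16 Run entry, and the regexes for the line formats are assumptions.

```python
"""Cluster ComboFix log entries around suspicious timestamps.

Added example for this thread (not the poster's or ComboFix's code): automates the
"look for clusters created around 19-Oct-07 13:16 and 30-Oct-07 02:16" check over
ComboFix-style log lines. The sample lines are a subset copied from the log above;
window sizes and the line-format regexes are assumptions.
"""
import re
from datetime import datetime, timedelta

# "Files Created" section:  YYYY-MM-DD HH:MM  <DIR>|size  attrs  path
FILE_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$"
)
# "Reg Loading Points" section:  "name"="path" [YYYY-MM-DD HH:MM]
REG_LINE = re.compile(r'^"([^"]+)"="([^"]+)"\s+\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\]')
# "Scheduled Tasks" section:  "YYYY-MM-DD HH:MM:SS path.job"
TASK_LINE = re.compile(r'^"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2}\s+(.+)"$')

# Constructed sample: lines taken from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
2007-10-29 13:06 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-19 13:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web
2007-10-19 13:16 <DIR> d-------- C:\Program Files\4file
2007-10-19 13:16 <DIR> d-------- C:\Documents and Settings\John\Application Data\4file
2007-10-18 18:11 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-04 13:00]
"axis web cake second"="C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web\rule mode.exe" [2007-10-30 02:16]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 13:10]
"2007-10-30 02:00:02 C:\WINDOWS\Tasks\AEEE2C6F9279A60F.job"
"""


def parse_ts(text):
    """Parse the minute-resolution timestamp ComboFix prints."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_entries(log_text):
    """Return (timestamp, path) for every recognised line; other lines are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = FILE_LINE.match(line)
        if m:
            entries.append((parse_ts(m.group(1)), m.group(4)))
            continue
        m = REG_LINE.match(line)
        if m:
            entries.append((parse_ts(m.group(3)), m.group(2)))
            continue
        m = TASK_LINE.match(line)
        if m:
            entries.append((parse_ts(m.group(1)), m.group(2)))
    return entries


def cluster_around(entries, anchors, window_minutes=5):
    """Group entries within +/- window_minutes of each anchor ("YYYY-MM-DD HH:MM").

    Returns {anchor: [(timestamp, path), ...]} sorted by time; anchors with no
    hits are omitted so an empty result means "nothing near that time".
    """
    window = timedelta(minutes=window_minutes)
    clusters = {}
    for anchor in anchors:
        centre = parse_ts(anchor)
        hits = sorted((ts, path) for ts, path in entries if abs(ts - centre) <= window)
        if hits:
            clusters[anchor] = hits
    return clusters


def find_bursts(entries, window_minutes=5, min_size=2):
    """Find runs of at least min_size entries whose timestamps all lie within
    window_minutes of the first entry in the run. Needs no anchor, so it also
    surfaces installs the user did not mention."""
    window = timedelta(minutes=window_minutes)
    ordered = sorted(entries)
    bursts = []
    i = 0
    while i < len(ordered):
        j = i
        while j + 1 < len(ordered) and ordered[j + 1][0] - ordered[i][0] <= window:
            j += 1
        if j - i + 1 >= min_size:
            bursts.append(ordered[i:j + 1])
        i = j + 1
    return bursts


if __name__ == "__main__":
    found = parse_entries(SAMPLE_LOG)
    for anchor, hits in cluster_around(found, ["2007-10-19 13:16", "2007-10-30 02:16"]).items():
        print(f"around {anchor}:")
        for ts, path in hits:
            print(f"  {ts:%Y-%m-%d %H:%M}  {path}")
    for burst in find_bursts(found, window_minutes=20):
        print("burst:", [path for _, path in burst])
```

Run as-is it reports the 19-Oct-07 13:16 cluster (both 4file folders and Book Slow Axis Web) and the lone 30-Oct-07 02:16 Run entry for rule mode.exe; widening the window to 20 minutes ties the 02:00 scheduled task to that 02:16 entry, which is the correlation the reply asks the poster to confirm. On a real machine you would feed it the full C:\ComboFix.txt instead of the embedded sample and then go and look at everything in each cluster you cannot account for.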