Can anyone please help? I turned my PC on today; the picture that I normally have on my desktop came up, then disappeared and was replaced by a white screen.

AVG said I had a virus called I-Worm/nuwar.u

I tried to get it to delete it but it said it couldn't be found.

It also said the file name was in system32 and called something like dfj8lk.exe (not the exact name). I did a search for that file name and it brought back the file in system32, and it was also attached to a lot of files in C:\WINDOWS\Prefetch.

I deleted the Prefetch folder and the exe file. Since doing this I don't have AVG saying I have a virus, but what I do have is that I am unable to change from the white background; the box is all greyed out.

Can anyone help??

Thanks
LadySpurs

All 15 Replies

Can anyone help??

I'd be happy to help as time permits :)

Please follow the steps in my linky below and post the 4 requested logs for me and we'll go from there.

PP's Malware Cleaning Steps

At the very least, I'll need to see the MBA-M and HJT logs.

Best Luck :)
PP

Hi, thanks for offering to help, I really appreciate it.

I have attached the 4 files as requested.

I would be grateful for any information on how to remove this virus.

Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 15:11:39, on 13/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Canon\Memory Card Utility\iP6220D\PDUiP6220DMon.exe
C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe
C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\AOL\1214755702\ee\aolsoftware.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\S3trayp.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\HistoryKill 2008\histkill.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\PROGRA~1\COMMON~1\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
c:\program files\common files\aol\1214755702\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
c:\program files\common files\aol\1214755702\ee\aolsoftware.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HijackThis\analyzer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.dcaphotography.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.dcaphotography.co.uk
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.dcaphotography.co.uk
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.0\CoIEPlg.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [PDUiP6220DMon] C:\Program Files\Canon\Memory Card Utility\iP6220D\PDUiP6220DMon.exe
O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1214755702\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [OLP-Tray] C:\Program Files\Royal Mail\SmartStamp\BINARY\STRAY.EXE
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -onlytray
O4 - HKLM\..\Run: [DataLayer] C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKCU\..\Run: [HistoryKill] "C:\Program Files\HistoryKill 2008\histkill.exe" /startup
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl.sun.com/webapps/download/AutoDL?BundleId=21871
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - AOL LLC - (no file)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

==

Malwarebytes' Anti-Malware 1.20
Database version: 944
Windows 5.1.2600 Service Pack 2

13:34:12 13/07/2008
mbam-log-7-13-2008 (13-34-12).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 95457
Time elapsed: 28 minute(s), 27 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\David Anslow\Local Settings\Temp\maxpaynowti.game (Heuristics.Malware) -> Quarantined and deleted successfully.

==

# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3263 (20080711)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=ca58d9a87c743940b98b25b280b760de
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2008-07-13 01:10:20
# local_time=2008-07-13 02:10:20 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=179566
# found=2
# scan_time=1734
C:\Documents and Settings\David Anslow\Application Data\Sun\Java\Deployment\cache\6.0\25\3c4ce159-1a516412 Java/TrojanDownloader.OpenStream.NAB trojan CEC0DD504B18CCC2D97A22CECE9C96E7
C:\Documents and Settings\David Anslow\Application Data\Sun\Java\Deployment\cache\6.0\25\3c4ce159-1a516412 »ZIP »OP.class Java/TrojanDownloader.OpenStream.NAB trojan 00000000000000000000000000000000

==

Ad-Aware
Adobe Acrobat and Reader 8.1.2 Security Update 1 (KB403742)
Adobe AIR
Adobe AIR
Adobe Flash Player ActiveX
Adobe Help Center 2.1
Adobe Media Player
Adobe Media Player
Adobe Photoshop Elements 5.0
Adobe Photoshop Elements 6.0
Adobe Reader 8.1.2
AOL Coach Version 1.0(Build:20040229.1 uk)
AOL Toolbar
AOL Uninstaller
AOL You've Got Pictures Screensaver
AppCore
ArcSoft PhotoStudio 5.5
AVG Free 8.0
Canon Camera Access Library
Canon Camera Support Core Library
Canon Camera Window DC_DV 5 for ZoomBrowser EX
Canon Camera Window DC_DV 6 for ZoomBrowser EX
Canon Camera Window MC 6 for ZoomBrowser EX
Canon CanoScan Toolbox 5.0
Canon EOS 5D WIA Driver
Canon EOS Kiss_N REBEL_XT 350D WIA Driver
Canon EOS-1D Mark II N WIA Driver
Canon EOS-1Ds Mark II WIA Driver
CANON iMAGE GATEWAY Task
Canon Internet Library for ZoomBrowser EX
Canon iP6220D
Canon iP6220D Memory Card Utility
Canon RAW Image Task for ZoomBrowser EX
Canon RemoteCapture Task for ZoomBrowser EX
Canon Utilities Digital Photo Professional 2.1
Canon Utilities Easy-PhotoPrint
Canon Utilities Easy-PrintToolBox
Canon Utilities EOS Utility
Canon Utilities PhotoStitch
Canon Utilities ZoomBrowser EX
CanoScan 4400F
ccCommon
Component Framework
Driver Detective
DVD Solution
Easy-WebPrint
ESET Online Scanner
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
HistoryKill 2008
Hotfix for Windows XP (KB935448)
Java(TM) 6 Update 6
Learn2 Player (Uninstall Only)
LiveUpdate (Symantec Corporation)
LiveUpdate (Symantec Corporation)
Logitech Desktop Messenger
Logitech Print Service
Logitech QuickCam
Logitech® Camera Driver
Malwarebytes' Anti-Malware
MediaFACE 4.01
Memory-Map OS Edition Version 5
Microsoft .NET Framework 2.0
Microsoft ActiveSync 3.7
Microsoft Office XP Professional with FrontPage
Microsoft Visual C++ 2005 Redistributable
MSXML 4.0 SP2 (KB936181)
Nokia Connectivity Cable Driver
Nokia PC Suite
Norton AntiVirus
Norton AntiVirus Help
Norton Confidential Core
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
PhotoNow! 1.0
Picasa 2
Power2Go 5.0
PowerDirector
PowerDVD
Presto! PageManager 7.15.14
QuickTime
RealPlayer Basic
Realtek High Definition Audio Driver
RegCure 1.5.0.1
ScanSoft OmniPage SE 4.0
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB936782)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944338)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950759)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
SmartStamp
SPBBC 32bit
TomTom HOME
TrackLogs Digital Mapping v3
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VC_MergeModuleToMSI
VIA/S3G Display Driver 6.14.10.0067
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885295
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinZip
XoftSpySE

Hi LadySpurs. I have pasted your logs into your post. In future, can you please do the same :).

PhilliePhan, you need to update your hijackthis link :).

Hi, thanks for offering to help, I really appreciate it. I would be grateful for any information on how to remove this virus.

Happy to help!

It looks like the actual malware is gone. I think you and AVG got it.
MBA-M has dealt with the altered registry key that was keeping you from changing your desktop.
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceActiveDesktopOn (Hijack.Desktop) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Are you able to change the desktop now?



Everything else looks OK to me, save for a couple things:

1) Looks like you are running both AVG and Norton Anti-virus at the same time. Not a good idea as they can come into conflict and interfere with each other. This will both slow your machine and make you less safe! You should choose one and uninstall the other.

2) Then, go into Add/Remove Programs and Uninstall Java(TM) 6 Update 6. Then, run ATF-Cleaner again (from the malware cleaning steps) to flush the Java cache, among other things.
Then, go here ---> http://www.java.com/en/ and install the latest version of Java.
Your current version is barely out of date, but it is a good idea to keep on top of this because some baddies such as Vundo target and exploit weaknesses in Java and are able to force execution on older runtime environments. (That is why you must remove all older versions when installing latest version....)

3) Flush your System Restore Points (turn System Restore off and then back on).


Anyhoo, take care of the above and check your desktop to make sure it is back to normal - let me know how things are working.

-- I should note that this particular trojan has employed rootkit-type stealthing capabilities in the past. But it has been around for some time now and I fully expect MBA-M to detect and remove any traces of it if it were still on your machine. The same for your AV. If you like, though, we can take a quick look at the registry to verify that no remnants remain there....

Cheers :)
PP

PhilliePhan, you need to update your hijackthis link :).

Thanks, Crunchie :)

I know - been meaning to do it for a long time. For some reason, I've not cared for the Trend version.... LOL!
It would probably be better to just go ahead and go with Deckard's System Scanner instead.

PP

Doesn't Deckard's call up HijackThis from your PC anyway?

Hi

I have done all that you have suggested, removed AVG, uninstalled Java, turned off system restore.

My picture has now come back on the desktop but I am still unable to browse (shaded grey) or choose any of the existing wallpapers.

My picture has gone about 5 times the size and it won't let me tile/centre/stretch; it will allow me to choose them, but when I apply it does nothing.

Any ideas?

Thanks

Doesn't Deckard's call up HijackThis from your PC anyway?

Yes - it will install the latest version of HJT :)

My picture has now come back on the desktop but I am still unable to browse (shaded grey) or choose any of the existing wallpapers. . . . Any ideas?

Sounds like more registry keys were borked than what MBA-M found.
Let's have a look.

-- Please Download PeekDsktop.bat to your Desktop.
-- DoubleClick on it to run it.
-- Notepad should pop up with a log -- > peek.txt
-- Copy&Paste peek.txt into this thread for me please.

Cheers :)
PP
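
The check PP is about to do by eye on peek.txt can be scripted. The following is an added example, not PeekDsktop.bat and not code from anyone in this thread: it parses a Regedit 5.00 export (the format `reg export` and PeekDsktop-style batch files produce) and flags the policy values that restrict the desktop, the ones MBA-M reported under ForceActiveDesktopOn and the NoChangingWallpaper / Wallpaper policy values that grey out the Display control panel. The sample export embedded in it is constructed for the example, the set of flagged value names is my own selection, and it assumes the .reg text has already been decoded (real .reg files are UTF-16 LE).

```python
"""Audit a Regedit 5.00 export for desktop lock-down policy values.

Added example (not the thread's PeekDsktop.bat). Parses the text that a
`reg export` / PeekDsktop-style tool produces and flags policy values that
grey out the Display control panel or force the desktop. Assumes the export
has already been decoded to text (real .reg files are UTF-16 LE).
"""
import re

# Constructed sample in Regedit 5.00 format; not the thread's own export.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000001
"NoComponents"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"ForceActiveDesktopOn"=dword:00000001
"NoControlPanel"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableTaskMgr"=dword:00000000
"Wallpaper"=" "

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\Documents and Settings\\user\\wall.bmp"
"UserPreferencesMask"=hex:9e,3e,07,80
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,\
  ff,ff,04,00,00,00
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    # Regedit escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _join_continuations(text):
    """Fold hex values split across lines (trailing backslash) into one line."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + line
        else:
            lines.append(line)
    return lines


def parse_reg(text):
    """Return {key_path: {value_name: (kind, value)}} for a Regedit 5.00 export."""
    reg = {}
    current = None
    for line in _join_continuations(text):
        m = _KEY_RE.match(line)
        if m:
            current = reg.setdefault(m.group(1), {})
            continue
        m = _VAL_RE.match(line)
        if not m or current is None:
            continue  # version header, blank line, or text outside any key
        name = "@" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        rhs = m.group(2)
        if rhs.startswith("dword:"):
            current[name] = ("dword", int(rhs[6:], 16))
        elif rhs.startswith('"') and rhs.endswith('"'):
            current[name] = ("string", _unescape(rhs[1:-1]))
        elif rhs.startswith("hex"):
            current[name] = ("hex", rhs)   # kept raw; not needed for this audit
        elif rhs == "-":
            current.pop(name, None)        # "-" means the value is deleted
    return reg


# Policy value names whose non-zero dword restricts the desktop or its UI.
_LOCKDOWN_PREFIXES = ("No", "Force", "Disable")
# Bitmask selecting which drive types skip AutoRun (0x91 is the XP default),
# so a non-zero value here is normal, not a lock-down.
_AUTORUN_MASK = "NoDriveTypeAutoRun"


def audit_desktop_policies(reg):
    """Flag policy values that could explain a greyed-out Display control panel.

    Returns a list of (key, name, value, reason) tuples.
    """
    findings = []
    for key, values in reg.items():
        lower = key.lower()
        if "\\policies\\" not in lower:
            continue  # only Group-Policy style keys are of interest here
        for name, (kind, value) in values.items():
            if (kind == "dword" and value != 0 and name != _AUTORUN_MASK
                    and (name.startswith(_LOCKDOWN_PREFIXES) or name == "ClassicShell")):
                findings.append((key, name, value, "restrictive policy enabled"))
            elif lower.endswith("\\policies\\system") and name in ("Wallpaper", "WallpaperStyle"):
                # The 'Desktop Wallpaper' policy is stored here; while it is set
                # the Display control panel will not let the user pick another.
                findings.append((key, name, value, "wallpaper enforced by policy"))
    return findings


if __name__ == "__main__":
    for key, name, value, reason in audit_desktop_policies(parse_reg(SAMPLE_REG)):
        print(f"{reason}: [{key}] {name!r} = {value!r}")
```

Run it on a real peek.txt by reading the file with `open(path, encoding="utf-16")` and passing the text to `parse_reg`. A clean machine produces an empty list; anything it prints is a value to compare against what the user actually configured, since a legitimately applied Group Policy looks the same in the export as a hijack.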

Hi

I have the program and this is the result.

Thanks for your help.


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Desktop\General]
"WallpaperFileTime"=hex:04,6e,0f,4a,a9,e3,c8,01
"WallpaperLocalFileTime"=hex:04,d6,d3,ab,b1,e3,c8,01

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoControlPanel"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"=dword:00000001
"{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF}"=dword:40000021
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"=dword:00000020

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall]
"NoAddRemovePrograms"=dword:00000000
"NoRemovePage"=dword:00000000
"NoAddPage"=dword:00000000
"NoWindowsSetupPage"=dword:00000000
"NoAddFromCDorFloppy"=dword:00000000
"NoAddFromInternet"=dword:00000000
"NoAddFromNetwork"=dword:00000000
"NoServices"=dword:00000000
"NoSupportInfo"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop]
"NoChangingWallpaper"=dword:00000000
"NoComponents"=dword:00000000
"NoAddingComponents"=dword:00000000
"NoDeletingComponents"=dword:00000000
"NoEditingComponents"=dword:00000000
"NoHTMLWallPaper"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoControlPanel"=dword:00000000
"NoWindowsUpdate"=dword:00000000
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"DisableRegistryTools"=dword:00000000
"DisableTaskMgr"=dword:00000000
"Wallpaper"=" "

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall]
"NoAddRemovePrograms"=dword:00000000
"NoRemovePage"=dword:00000000
"NoAddPage"=dword:00000000
"NoWindowsSetupPage"=dword:00000000
"NoAddFromCDorFloppy"=dword:00000000
"NoAddFromInternet"=dword:00000000
"NoAddFromNetwork"=dword:00000000
"NoServices"=dword:00000000
"NoSupportInfo"=dword:00000000

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,62,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General]
"BackupWallpaper"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,\
49,00,4c,00,45,00,25,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,20,00,53,00,65,\
00,74,00,74,00,69,00,6e,00,67,00,73,00,5c,00,41,00,70,00,70,00,6c,00,69,00,\
63,00,61,00,74,00,69,00,6f,00,6e,00,20,00,44,00,61,00,74,00,61,00,5c,00,4d,\
00,69,00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,61,00,6c,00,\
6c,00,70,00,61,00,70,00,65,00,72,00,31,00,2e,00,62,00,6d,00,70,00,00,00
"WallpaperFileTime"=hex:04,6e,0f,4a,a9,e3,c8,01
"WallpaperLocalFileTime"=hex:04,d6,d3,ab,b1,e3,c8,01
"TileWallpaper"="0"
"WallpaperStyle"="0"
"Wallpaper"=hex(2):25,00,55,00,53,00,45,00,52,00,50,00,52,00,4f,00,46,00,49,00,\
4c,00,45,00,25,00,5c,00,4c,00,6f,00,63,00,61,00,6c,00,20,00,53,00,65,00,74,\
00,74,00,69,00,6e,00,67,00,73,00,5c,00,41,00,70,00,70,00,6c,00,69,00,63,00,\
61,00,74,00,69,00,6f,00,6e,00,20,00,44,00,61,00,74,00,61,00,5c,00,4d,00,69,\
00,63,00,72,00,6f,00,73,00,6f,00,66,00,74,00,5c,00,57,00,61,00,6c,00,6c,00,\
70,00,61,00,70,00,65,00,72,00,31,00,2e,00,62,00,6d,00,70,00,00,00
"ComponentsPositioned"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Old WorkAreas]
"NoOfOldWorkAreas"=dword:00000001
"OldWorkAreaRects"=hex:00,00,00,00,00,00,00,00,a0,05,00,00,62,03,00,00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\SafeMode\General]
"Wallpaper"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
74,00,25,00,5c,00,57,00,65,00,62,00,5c,00,53,00,61,00,66,00,65,00,4d,00,6f,\
00,64,00,65,00,2e,00,68,00,74,00,74,00,00,00
"VisitGallery"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Scheme]
"Edit"=""
"Display"=""

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"ActiveWndTrkTimeout"=dword:00000000
"AutoEndTasks"="0"
"CaretWidth"=dword:00000001
"CoolSwitch"="1"
"CoolSwitchColumns"="7"
"CoolSwitchRows"="3"
"CursorBlinkRate"="530"
"DragFullWindows"="1"
"DragHeight"="4"
"DragWidth"="4"
"FontSmoothing"="2"
"FontSmoothingOrientation"=dword:00000001
"FontSmoothingType"=dword:00000001
"ForegroundFlashCount"=dword:00000003
"ForegroundLockTimeout"=dword:00030d40
"GridGranularity"="0"
"HungAppTimeout"="5000"
"LowPowerActive"="0"
"LowPowerTimeOut"="0"
"MenuShowDelay"="400"
"PaintDesktopVersion"=dword:00000000
"PowerOffActive"="0"
"PowerOffTimeOut"="0"
"ScreenSaverIsSecure"="0"
"ScreenSaveTimeOut"="600"
"ScreenSaveActive"="1"
"SCRNSAVE.EXE"="C:\\WINDOWS\\system32\\ssmypics.scr"
"TileWallpaper"="0"
"UserPreferencesMask"=hex:9e,3e,07,80
"WaitToKillAppTimeout"="20000"
"Wallpaper"="C:\\Documents and Settings\\David Anslow\\Local Settings\\Application Data\\Microsoft\\Wallpaper1.bmp"
"WallpaperStyle"="0"
"OriginalWallpaper"="C:\\Documents and Settings\\David Anslow\\Local Settings\\Application Data\\Microsoft\\Wallpaper1.bmp"
"WheelScrollLines"="3"
"Pattern Upgrade"="TRUE"
"ConvertedWallpaper"="E:\\Safari Park 290508\\IMG_0082.JPG"
"ConvertedWallpaper Last WriteTime"=hex:00,79,08,bc,77,c1,c8,01
"Pattern"=""

[HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics]
"BorderWidth"="0"
"CaptionFont"=hex:f3,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,00,\
00,00,00,01,00,00,00,00,54,00,72,00,65,00,62,00,75,00,63,00,68,00,65,00,74,\
00,20,00,4d,00,53,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"CaptionHeight"="-375"
"CaptionWidth"="-270"
"IconFont"=hex:f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,\
00,00,01,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"IconSpacing"="-1125"
"IconTitleWrap"="1"
"IconVerticalspacing"="-1125"
"MenuFont"=hex:f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,00,\
00,00,01,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"MenuHeight"="-285"
"MenuWidth"="-285"
"MessageFont"=hex:f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,\
00,00,00,01,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"ScrollHeight"="-255"
"ScrollWidth"="-255"
"Shell Icon BPP"="16"
"SmCaptionFont"=hex:f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,bc,02,00,\
00,00,00,00,01,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"SmCaptionHeight"="-255"
"SmCaptionWidth"="-255"
"StatusFont"=hex:f5,ff,ff,ff,00,00,00,00,00,00,00,00,00,00,00,00,90,01,00,00,\
00,00,00,01,00,00,00,00,54,00,61,00,68,00,6f,00,6d,00,61,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"AppliedDPI"=dword:00000060
"Shell Icon Size"="32"
"MinAnimate"="1"

Thanks for your help.

Happy to try to help!

Wow . . . doesn't that seem a bit much for a simple desktop? LOL!

Been a while since I looked at this type of problem and I don't remember so much "clutter."

Anyhoo, let's try this:

-- First, fire up System Restore and Create a New Restore Point

-- Then, please download FixDsktop.reg to your Desktop.
Double-click on it and follow the prompt to ALLOW it to merge into the registry.

Reboot for good measure and let me know if that helps.

Best Luck :)
PP
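The steps above (restore point first, then merge the .reg file, then reboot) can be wrapped so that the keys the fix touches are exported before anything changes. The script below is an added example and is not PP's FixDesktop.reg or any file from the thread; it assumes the fix file is named FixDesktop.reg and sits on the current user's Desktop, and it backs up the two keys that the registry dump posted above covers (HKCU\Control Panel\Desktop and HKCU\Software\Microsoft\Internet Explorer\Desktop). The backup folder name is the script's own choice.

```powershell
# Added example (not from the thread): back up the desktop registry keys and
# create a restore point before merging a .reg fix, then merge it and verify.
# Assumptions: the fix is FixDesktop.reg on the user's Desktop (the name used
# in the thread); the RegBackup folder is this script's own choice.
param(
    [string]$FixFile   = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'FixDesktop.reg'),
    [string]$BackupDir = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'RegBackup')
)

# The two keys shown in the thread's registry dump; a desktop fix would change these.
$keys = @(
    'HKCU\Control Panel\Desktop',
    'HKCU\Software\Microsoft\Internet Explorer\Desktop'
)

function Show-WallpaperSettings {
    # Read the values that decide what the desktop shows, so before/after can be compared.
    $p = Get-ItemProperty -Path 'HKCU:\Control Panel\Desktop' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Wallpaper      = $p.Wallpaper
        WallpaperStyle = $p.WallpaperStyle
        TileWallpaper  = $p.TileWallpaper
    }
}

New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Export each key to its own .reg file so the change can be reversed with 'reg import'.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($k in $keys) {
    $name = ($k -replace '[\\ ]', '_') + "-$stamp.reg"
    & reg.exe export $k (Join-Path $BackupDir $name) /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $k failed; not merging the fix." }
}

# 2. System restore point (the thread's "Create a New Restore Point" step).
#    Needs an elevated session; Windows may also skip it if one was made recently.
try {
    Checkpoint-Computer -Description 'Before FixDesktop.reg' -RestorePointType 'MODIFY_SETTINGS'
} catch {
    Write-Warning "Restore point not created: $($_.Exception.Message)"
}

Write-Host 'Desktop settings before merge:'; Show-WallpaperSettings | Format-List

# 3. Merge the fix only if the file is actually there.
if (-not (Test-Path $FixFile)) { throw "Fix file not found: $FixFile" }
& reg.exe import $FixFile
if ($LASTEXITCODE -ne 0) { throw 'reg import reported an error; restore from the backups if needed.' }

Write-Host 'Desktop settings after merge:'; Show-WallpaperSettings | Format-List
Write-Host "Backups are in $BackupDir; to revert, run: reg import <backup file>"
```

Run it from an elevated PowerShell prompt so the restore point can be created; the "before" and "after" listings make it obvious whether the merge actually changed the Wallpaper, WallpaperStyle and TileWallpaper values, and the exported .reg files put the original settings back if the fix turns out not to be the right one for the machine.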

Hi

The link doesn't seem to work, it comes up with page not found.

Is there any other way of getting it? I tried Google searching it and it came back with nothing.

Thanks

The link doesn't seem to work, it comes up with page not found.
Is there any other way of getting it? I tried Google searching it and it came back with nothing.

That's odd - I bet the site was down. Sure wouldn't be the first time!

I will attach the fix to this post. It is something I put together specifically for your machine, though there are probably thousands of similar "fixes" floating around the web due to these malware . . .

Just EXTRACT FixDesktop.reg from the ZIP to your Desktop and then follow the instructions from my previous post - Let me know if it helps.


PP :)

Hi

It's worked perfectly, thank you all for all your help.

It's worked perfectly, thank you all for all your help.

You're Welcome! Happy to Help :)

Please mark this thread as Solved and have a look at my "Protect Yourself From Malware" linky below for additional safeguards and advice.

Cheers,
PP
