
Please help

Hi, I think my computer has some problems.
I have something trying to change my home page when I start IE. More often than not it takes two or three attempts before IE finally starts.
I also get spurious e-mails returned which couldn't be sent; the problem is I never sent any of them.
There are a few other problems, like my PC grinds to a halt.
I know I have BearShare, which is suspect, but I've had it a while with no problems.
I've run Ad-Aware, which removed stuff, but Spybot just crashes.
Here's the HJT log.
Please help if you can.

Logfile of HijackThis v1.99.1
Scan saved at 13:33:38, on 19/12/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\system32\taskmgr.exe
C:\hjt\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.wanadoo.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: MediaBar - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\Program Files\BearShareTb\BearShareDx.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: UrlHelper Class - {74322BF9-DF26-493f-B0DA-6D2FC5E6429E} - C:\Program Files\BearShare Applications\BearShare\BearShareIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\swg.dll
O2 - BHO: FreecycleMemberBHO - {C3E5E149-27B7-49D1-8420-B02AC52AF663} - C:\Program Files\Freecycle\FreecycleMember.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_B7C5AC242193BB3E.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Orange - {4E7BD74F-2B8D-469E-A1FB-F862B587B57D} - C:\PROGRA~1\orange3\orange3.dll (file missing)
O3 - Toolbar: MediaBar - {0974BA1E-64EC-11DE-B2A5-E43756D89593} - C:\Program Files\BearShareTb\BearShareDx.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [SUPASTATUS] C:\Program Files\Internet Explorer\Connection Wizard\status.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ZagrebLand] C:\DOCUME~1\Ronnie\LOCALS~1\Temp\b.exe
O4 - HKCU\..\Run: [uvc7jk640c] C:\WINDOWS\msa.exe
O4 - HKCU\..\Run: [WAB] C:\Documents and Settings\Ronnie\Application Data\Macromedia\Common\8506002619.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: orange search - file://C:\Program Files\ORANGE3\Cache\SelectedContextSearch.htm
O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.8.05.cab
O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\Documents and Settings\Ronnie\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - http://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WI1F86~1\MESSEN~1\MSGRAP~1.DLL
O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: getPlus(R) Helper - Unknown owner - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe (file missing)
O23 - Service: GhostStartService - Symantec Corporation - C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpdj - Unknown owner - C:\DOCUME~1\Ronnie\LOCALS~1\Temp\hpdj.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Unknown owner - C:\Program Files\Java\jre6\bin\jqs.exe" -service -config "C:\Program Files\Java\jre6\lib\deploy\jqs\jqs.conf (file missing)
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service - Unknown owner - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifEng.dll (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

theshotts
Light Poster
42 posts since Jul 2005
Reputation Points: 10
Solved Threads: 0
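Added example, not part of the thread: a small triage script for HijackThis-style O4/O16/O23 lines. It applies the checks a log reader applies by eye: an autostart or service pointing into a Temp directory or a user profile, an unknown executable sitting directly in %WINDIR% rather than system32, random-looking value or file names, an ActiveX control registered from a local file:// URL, and orphaned service entries. The sample lines are copied from the log above (with two known-good entries for contrast); the allowlist of legitimate %WINDIR% residents and the name heuristics are my assumptions, not anything HijackThis itself does.

```python
import re
from dataclasses import dataclass

# Lines copied from the HijackThis 1.99.1 log above (ccApp and ctfmon included as known-good controls).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKCU\\..\\Run: [ZagrebLand] C:\\DOCUME~1\\Ronnie\\LOCALS~1\\Temp\\b.exe
O4 - HKCU\\..\\Run: [uvc7jk640c] C:\\WINDOWS\\msa.exe
O4 - HKCU\\..\\Run: [WAB] C:\\Documents and Settings\\Ronnie\\Application Data\\Macromedia\\Common\\8506002619.exe
O16 - DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} (ImgSizer Control) - file://C:\\Documents and Settings\\Ronnie\\Local Settings\\Temp\\~DlfnTmp0\\imgSizer.ocx
O23 - Service: hpdj - Unknown owner - C:\\DOCUME~1\\Ronnie\\LOCALS~1\\Temp\\hpdj.exe (file missing)
"""

O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
O16_RE = re.compile(r'^O16 - DPF: \{(?P<clsid>[^}]+)\} \((?P<name>[^)]*)\) - (?P<url>.+)$')
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<cmd>.+)$')

TEMP_RE = re.compile(r'\\(?:temp|tmp)\\', re.I)                 # LOCALS~1\Temp\, Local Settings\Temp\
PROFILE_RE = re.compile(r'^[a-z]:\\(?:docume~1|documents and settings|users)\\', re.I)
WINROOT_RE = re.compile(r'^[a-z]:\\windows\\([^\\]+\.(?:exe|dll|scr))$', re.I)  # directly in %WINDIR%
RANDOM_NAME_RE = re.compile(r'^(?=.*\d)[a-z0-9]{8,}$', re.I)     # 8+ alphanumerics with a digit: "uvc7jk640c"
WINROOT_ALLOW = {'explorer.exe', 'notepad.exe', 'regedit.exe', 'hh.exe'}  # assumption: partial list of legit residents


@dataclass
class Finding:
    section: str
    name: str
    path: str
    reasons: list


def exe_path(cmd: str) -> str:
    """Extract the executable path from a command line, quoted or bare, with or without arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r'(.+?\.(?:exe|dll|ocx|com|scr))(?:\s|$)', cmd, re.I)
    return m.group(1) if m else cmd.split(' ')[0]


def suspicious_path_reasons(path: str) -> list:
    """Location and naming heuristics for an autostart target; empty list means nothing stood out."""
    reasons = []
    if TEMP_RE.search(path):
        reasons.append('executable under a Temp directory')
    elif PROFILE_RE.match(path):
        reasons.append('executable inside a user profile')
    m = WINROOT_RE.match(path)
    if m and m.group(1).lower() not in WINROOT_ALLOW:
        reasons.append('unknown executable directly in %WINDIR%')
    base = path.rsplit('\\', 1)[-1].rsplit('.', 1)[0]
    if RANDOM_NAME_RE.match(base):
        reasons.append('random-looking file name')
    return reasons


def triage(log_text: str) -> list:
    """Return a Finding for every O4/O16/O23 line that trips at least one heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            section, name, path = 'O4', m['name'], exe_path(m['cmd'])
            reasons = suspicious_path_reasons(path)
            if RANDOM_NAME_RE.match(name):
                reasons.append('random-looking Run value name')
        elif m := O16_RE.match(line):
            section, name, url = 'O16', m['name'], m['url']
            is_local = url.lower().startswith('file://')
            path = url[len('file://'):] if is_local else url
            reasons = ['ActiveX control registered from a local file:// URL'] if is_local else []
            reasons += suspicious_path_reasons(path)
        elif m := O23_RE.match(line):
            section, name, path = 'O23', m['name'], exe_path(m['cmd'])
            reasons = suspicious_path_reasons(path)
            if m['owner'] == 'Unknown owner' and '(file missing)' in m['cmd']:
                reasons.append('orphaned service entry (file missing, unknown owner)')
        else:
            continue
        if reasons:
            findings.append(Finding(section, name, path, reasons))
    return findings


if __name__ == '__main__':
    for f in triage(SAMPLE_LOG):
        print(f'{f.section} [{f.name}] {f.path}\n    ' + '; '.join(f.reasons))
```

Run it and the three HKCU Run entries (Temp\b.exe, WINDOWS\msa.exe, the ten-digit .exe under Application Data), the Temp-hosted .ocx and the dead hpdj service come out with reasons attached, while the Symantec and ctfmon entries stay quiet. Treat the output as a prioritised list for a human, not a verdict: a legitimate updater occasionally lives in the profile, and the Windows-root allowlist is deliberately short so that anything unexpected there gets a second look.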
 


You've got some baddies.

-- Please delete your current HJT. It is outdated. No need for a new version at this time.

-- Please post the scanlogs requested in the linky below and I or one of the other volunteers will have a look as time permits. http://www.daniweb.com/forums/thread134865.html

Things are a bit hectic this time of year, so responses may be a bit slow.

PP:)

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Hi thanks for your help.
I'm working my way through your suggestions.
I'll get back as
Cheers
Ronnie

theshotts
Light Poster
42 posts since Jul 2005
Reputation Points: 10
Solved Threads: 0
 


Allrightythen!

PP:)

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

I hope this is what you are looking for. Regards
Ronnie

Malwarebytes' Anti-Malware 1.42
Database version: 3289
Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

22/12/2009 10:35:58
mbam-log-2009-12-22 (10-35-58).txt

Scan type: Quick Scan
Objects scanned: 21681
Time elapsed: 6 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{37b85a2b-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
ESETSmartInstaller@High as CAB hook log:
OnlineScanner.ocx - registred OK
# version=7
# iexplore.exe=7.00.6000.16791 (vista_gdr.081217-1620)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=696225a78ba6cf41902dafa4c10469e8
# end=stopped
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-12-21 12:19:17
# local_time=2009-12-21 12:19:17 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=3586 16764889 100 89 12183 264697567 0 0
# compatibility_mode=8192 67108863 100 0 3735 3735 0 0
# scanned=72187
# found=1
# cleaned=0
# scan_time=3321
C:\Documents and Settings\Ronnie\Desktop\LimeWire Downloads\ready for the weekend [new album].au a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
# version=7
# iexplore.exe=7.00.6000.16791 (vista_gdr.081217-1620)
# OnlineScanner.ocx=1.0.0.6211
# api_version=3.0.2
# EOSSerial=696225a78ba6cf41902dafa4c10469e8
# end=finished
# remove_checked=false
# archives_checked=false
# unwanted_checked=true
# unsafe_checked=false
# antistealth_checked=true
# utc_time=2009-12-22 12:18:30
# local_time=2009-12-22 12:18:30 (+0000, GMT Standard Time)
# country="United Kingdom"
# lang=1033
# osver=5.1.2600 NT Service Pack 2
# compatibility_mode=768 16777215 100 0 0 0 0 0
# compatibility_mode=3586 16764889 100 89 4859 264781363 0 0
# compatibility_mode=8192 67108863 100 0 87531 87531 0 0
# scanned=128255
# found=16
# cleaned=0
# scan_time=5879
C:\Documents and Settings\Ronnie\Desktop\LimeWire Downloads\ready for the weekend [new album].au a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\Program Files\BearShare\Installer\BSInstall5.2.5.1.exe multiple threats 00000000000000000000000000000000 I
C:\Program Files\Orange\setup\Orange_icons.EXE Win32/Adware.BHO.MegaSearch application 00000000000000000000000000000000 I
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP137\A0118302.exe a variant of Win32/Riern.B trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP137\A0119302.exe a variant of Win32/Riern.B trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP137\A0119316.exe a variant of Win32/Kryptik.BIC trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP137\A0119321.exe a variant of Win32/Riern.B trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP137\A0119370.exe a variant of Win32/Riern.B trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP137\A0120369.exe a variant of Win32/Riern.B trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP137\A0121369.exe a variant of Win32/Riern.B trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP137\A0121453.exe a variant of Win32/Riern.B trojan 00000000000000000000000000000000 I
C:\System Volume Information\_restore{82B8AF80-9ABC-4FBD-AC5A-2CF4AD5767EA}\RP137\A0121459.exe a variant of Win32/Riern.B trojan 00000000000000000000000000000000 I
C:\My Downloads\wuthering heights kate bush.wma WMA/TrojanDownloader.Wimad.N trojan 00000000000000000000000000000000 I
C:\My Downloads\wuthering heights kate bush(1).wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\My Downloads\avril lavigne dont tell me.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I
C:\My Downloads\pink please dont leave me remix.wma a variant of WMA/TrojanDownloader.GetCodec.gen trojan 00000000000000000000000000000000 I

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-12-01.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume1
Install Date: 21/02/2007 12:11:16
System Uptime: 22/12/2009 10:07:25 (2 hours ago)

Motherboard: MICRO-STAR INTERNATIONAL CO., LTD | | MS-6340(VT8363)
Processor: AMD Athlon(tm) XP 2000+ | Slot A | 1666/133mhz

==== Disk Partitions =========================

A: is Removable
C: is FIXED (FAT32) - 73 GiB total, 14.741 GiB free.
D: is CDROM ()
E: is FIXED (NTFS) - 149 GiB total, 140.068 GiB free.
F: is Removable

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP133: 02/10/2009 10:32:19 - Configured OLYMPUS Master
RP134: 02/10/2009 10:40:34 - Removed Samsung Master
RP135: 09/10/2009 21:47:09 - Installed Microsoft Office 2000 Premium
RP136: 09/10/2009 21:54:01 - Installed Microsoft Office Web Components
RP137: 01/11/2009 14:38:16 - Installed DirectX
RP138: 22/12/2009 09:13:41 - Removed eBay Desktop

==== Installed Programs ======================

Acrobat.com
Ad-Aware
Adobe AIR
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Media Player
Adobe Photoshop 6.0
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 9
Adobe Shockwave Player
Adobe SVG Viewer 2.0
Apple Mobile Device Support
Apple Software Update
Applet_App
Applet_Copy
Applet_Creativity
Applet_Email
Applet_Epp
Applet_File
Applet_OCR
Applet_Web
BBC iPlayer Download Manager
BearShare
Bejeweled 1.23
Bonjour
ccCommon
CloneCD
CopyToDVD
Critical Update for Windows Media Player 11 (KB959772)
Design Studio for Kids
Disc2Phone
DVD Decrypter (Remove Only)
DVD Shrink 3.2
EPSON Photo Print
EPSON PhotoQuicker3.0
EPSON Printer Software
EPSON Smart Panel
EPSON TWAIN 5
ESET Online Scanner v3
Freecycle Internet Explorer Plugin
Google Earth
Google Toolbar for Internet Explorer
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB952287)
hp deskjet 5100
HP Memories Disc
HP Photo and Imaging 2.0 - Deskjet Series
hp print screen utility
Icatch(IV) Camera Driver
Image Resizer Powertoy for Windows XP
Internet Worm Protection
iPIX ActiveX Viewer
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment Standard Edition v1.3.1_11
Java(TM) 6 Update 15
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Junk Mail filter update
LiveUpdate 3.0 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Messenger Plus! 3
Messenger Plus! Live
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Application Error Reporting
Microsoft Choice Guard
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Office Web Components
Microsoft Search Enhancement Pack
Microsoft Sync Framework Runtime Native v1.0 (x86)
Microsoft Sync Framework Services Native v1.0 (x86)
Microsoft Windows Journal Viewer
MN100 Digital Camera
MSVCRT
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
NAVShortcut
Norton AntiVirus 2006
Norton AntiVirus 2006 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton Ghost
Norton Protection Center
Norton Security Scan
Norton Security Scan (Symantec Corporation)
Norton WMI Update
OneCare Advisor (Windows Live Toolbar)
OpenOffice.org Installer 1.0
Orange Search Toolbar
Popup Blocker (Windows Live Toolbar)
PowerDVD
QuickTime
RealPlayer
SafeCast Shared Components
SAMSUNG Mobile Modem Driver Set
Samsung Mobile phone USB driver Software
SAMSUNG Mobile USB Modem 1.0 Software
SAMSUNG Mobile USB Modem Software
Samsung PC Studio
Samsung PC Studio 3 USB Driver Installer
Samsung Samples Installer
Samsung USB Driver
ScanToWeb
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB941693)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB945553)
Security Update for Windows XP (KB946026)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB948590)
Security Update for Windows XP (KB948881)
Security Update for Windows XP (KB950749)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Segoe UI
Smart Menus (Windows Live Toolbar)
Sony Ericsson PC Suite
SPBBC
Symantec
Symantec KB-DocID:2003093015493306
SymNet
Ulead Photo Express 3.0 SE
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB932823-v3)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
VideoEgg Publisher
Visual C++ 2008 x86 Runtime - (v9.0.30729)
Visual C++ 2008 x86 Runtime - v9.0.30729.01
ViviCam 3695B
Wanadoo Search Toolbar
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage v1.3.0254.0
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Call
Windows Live Communications Platform
Windows Live Essentials
Windows Live Favorites for Windows Live Toolbar
Windows Live Mail
Windows Live Messenger
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Live Upload Tool
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinZip
XP Codec Pack
Yahoo! Address AutoComplete
Yahoo! Internet Mail
Yahoo! Toolbar

==== Event Viewer Messages From Past Week ========

22/12/2009 09:32:00, error: Service Control Manager [7034] - The Automatic LiveUpdate Scheduler service terminated unexpectedly. It has done this 1 time(s).
20/12/2009 16:06:53, error: Service Control Manager [7034] - The Windows Image Acquisition (WIA) service terminated unexpectedly. It has done this 1 time(s).
20/12/2009 15:48:39, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the ewido security suite control service to connect.
20/12/2009 15:48:39, error: Service Control Manager [7000] - The Upload Manager service failed to start due to the following error: The account specified for this service is different from the account specified for other services running in the same process.
20/12/2009 15:48:39, error: Service Control Manager [7000] - The OrangeWare USB Enhanced Host Controller Service service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
20/12/2009 15:48:39, error: Service Control Manager [7000] - The hpdj service failed to start due to the following error: The system cannot find the file specified.
20/12/2009 15:48:39, error: Service Control Manager [7000] - The Dual Mode Video Camera Device service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
20/12/2009 15:09:59, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the Application Layer Gateway Service service to connect.
20/12/2009 15:09:59, error: Service Control Manager [7000] - The Application Layer Gateway Service service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
20/12/2009 13:41:14, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 2 time(s).
20/12/2009 13:35:48, error: Service Control Manager [7034] - The Java Quick Starter service terminated unexpectedly. It has done this 1 time(s).
20/12/2009 13:35:42, error: Service Control Manager [7034] - The GhostStartService service terminated unexpectedly. It has done this 1 time(s).
20/12/2009 13:35:30, error: Service Control Manager [7034] - The Symantec Network Drivers Service service terminated unexpectedly. It has done this 1 time(s).
20/12/2009 13:35:25, error: Service Control Manager [7034] - The SeaPort service terminated unexpectedly. It has done this 1 time(s).
20/12/2009 13:35:11, error: Service Control Manager [7031] - The Apple Mobile Device service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
20/12/2009 13:35:07, error: Service Control Manager [7034] - The Bonjour Service service terminated unexpectedly. It has done this 1 time(s).
20/12/2009 13:34:45, error: Service Control Manager [7034] - The KService service terminated unexpectedly. It has done this 1 time(s).
20/12/2009 13:34:38, error: Service Control Manager [7034] - The LiveUpdate service terminated unexpectedly. It has done this 1 time(s).
19/12/2009 14:10:41, error: Service Control Manager [7000] - The LiveUpdate service failed to start due to the following error: The service did not respond to the start or control request in a timely fashion.
19/12/2009 14:10:39, error: Service Control Manager [7009] - Timeout (30000 milliseconds) waiting for the LiveUpdate service to connect.
19/12/2009 14:10:30, error: DCOM [10005] - DCOM got error "%1053" attempting to start the service LiveUpdate with arguments "" in order to run the server: {03E0E6C2-363B-11D3-B536-00902771A435}
19/12/2009 14:05:34, error: Service Control Manager [7023] - The Computer Browser service terminated with the following error: This operation returned because the timeout period expired.
16/12/2009 16:40:48, error: Print [19] - Sharing printer failed + 1722, Printer hp deskjet 5100 series share name Printer.

==== End Of File ===========================

DDS (Ver_09-12-01.01) - FAT32x86
Run by Ronnie at 12:52:31.51 on 22/12/2009
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_05
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.479.161 [GMT 0:00]

AV: Norton AntiVirus 2006 *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
SVCHOST.EXE
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
SVCHOST.EXE
SVCHOST.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\PROGRA~1\Symantec\NORTON~1\GHOSTS~2.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Live\Toolbar\wltuser.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Documents and Settings\Ronnie\Local Settings\Temporary Internet Files\Content.IE5\UB3P2VX3\dds[1].scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.google.co.uk/
uSearch Page = hxxp://www.google.com
uWindow Title = Microsoft Internet Explorer provided by Orange UK
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
mDefault_Page_URL = hxxp://www.wanadoo.co.uk
mStart Page = hxxp://uk.yahoo.com/
uInternet Settings,ProxyOverride = *.local;
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
BHO: Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Search Helper: {6ebf7485-159f-4bff-a14f-b9e3aac4465b} - c:\program files\microsoft\search enhancement pack\search helper\SearchHelper.dll
BHO: UrlHelper Class: {74322bf9-df26-493f-b0da-6d2fc5e6429e} - c:\program files\bearshare applications\bearshare\BearShareIEHelper.dll
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: CNavExtBho Class: {a8f38d8d-e480-4d52-b7a2-731bb6995fdd} - c:\program files\norton antivirus\NavShExt.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.2.4204.1700\swg.dll
BHO: FreecycleMemberBHO Class: {c3e5e149-27b7-49d1-8420-b02ac52af663} - c:\program files\freecycle\FreecycleMember.dll
BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_B7C5AC242193BB3E.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: Windows Live Toolbar Helper: {e15a8dc0-8516-42a1-81ea-dc94ec1acf10} - c:\program files\windows live\toolbar\wltcore.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Wanadoo: {8b68564d-53fd-4293-b80c-993a9f3988ee} - c:\progra~1\wanadoo\wsbar\WSBar.dll
TB: Norton AntiVirus: {c4069e3a-68f1-403e-b40e-20066696354b} - c:\program files\norton antivirus\NavShExt.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn\yt.dll
TB: Orange: {4e7bd74f-2b8d-469e-a1fb-f862b587b57d} - c:\progra~1\orange3\orange3.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
TB: &Windows Live Toolbar: {21fa44ef-376d-4d53-9b0f-8a89d3229068} - c:\program files\windows live\toolbar\wltcore.dll
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
TB: {2D8D4E2C-4FF9-4ECE-869F-04B3CB7AFD13} - No File
TB: SuperBar: {f0c320cd-9888-4bea-b895-0390c2f00a51} - c:\program files\_superbar\_SUPERBAR.dll
TB: {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - No File
EB: {4528BBE0-4E08-11D5-AD55-00010333D0AD} - No File
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ZagrebLand] c:\docume~1\ronnie\locals~1\temp\b.exe
uRun: [uvc7jk640c] c:\windows\msa.exe
uRun: [rundll32.exe]
uRun: [WAB] c:\documents and settings\ronnie\application data\macromedia\common\8506002619.exe
mRun: [SUPASTATUS] c:\program files\internet explorer\connection wizard\status.exe
mRun: [HPDJ Taskbar Utility] c:\windows\system32\spool\drivers\w32x86\3\hpztsb08.exe
mRun: [NAV Agent] c:\progra~1\norton~1\navapw32.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [Ad-Watch] c:\program files\lavasoft\ad-aware\AAWTray.exe
mRun: [IMEKRMIG6.1] c:\windows\ime\imkr6_1\IMEKRMIG.EXE
mRun: [HP Software Update] c:\program files\hewlett-packard\hp software update\HPWuSchd.exe
mRun: [DeviceDiscovery] c:\program files\hewlett-packard\digital imaging\bin\hpotdd01.exe
mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [rundll32.exe]
dRun: [WAB] c:\documents and settings\ronnie\application data\macromedia\common\8506002619.exe
dRunOnce: [RunNarrator] Narrator.exe
dRunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\micros~1.lnk - c:\program files\microsoft office\office\OSA9.EXE
uPolicies-explorer: NoThemesTab = 0 (0x0)
uPolicies-system: NoDispAppearancePage = 0 (0x0)
uPolicies-system: NoColorChoice = 0 (0x0)
uPolicies-system: NoSizeChoice = 0 (0x0)
uPolicies-system: NoVisualStyleChoice = 0 (0x0)
uPolicies-system: NoDispSettingsPage = 0 (0x0)
mPolicies-system: EnableLUA = 0 (0x0)
IE: &Yahoo! Search
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: orange search - file://c:\program files\orange3\cache\SelectedContextSearch.htm
IE: Search with Wanadoo - c:\progra~1\wanadoo\wsbar\WSBar.dll/VSearch.htm
IE: Yahoo! &Dictionary
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} - hxxp://www.bebo.com/files/BeboUploader.5.8.05.cab
DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} - file://c:\documents and settings\ronnie\local settings\temp\~dlfntmp0\imgSizer.ocx
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-30.cab
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos/OnlineScanner.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?38010.1946064815
DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_15-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {E2883E8F-472F-4FB0-9522-AC9BF37916A7} - hxxp://platformdl.adobe.com/NOS/getPlusPlus/1.6/gp.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: CShellExecuteHookImpl Object: {54d9498b-cf93-414f-8984-8ce7fde0d391} - c:\program files\ewido\security suite\shellhook.dll
LSA: Notification Packages = scecli scecli

============= SERVICES / DRIVERS ===============

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-2-14 64160]
R1 GhPciScan;GhostPciScanner;c:\program files\symantec\norton ghost 2003\GhPciScan.sys [2003-5-28 5632]
R1 SAVRTPEL;SAVRTPEL;c:\program files\norton antivirus\Savrtpel.sys [2005-8-26 53896]
R2 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-9-17 191848]
R2 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-9-17 169320]
R2 navapsvc;Norton AntiVirus Auto-Protect Service;c:\program files\norton antivirus\NAVAPSVC.EXE [2005-9-24 139888]
R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2006-2-1 1251720]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-10-2 102712]
R3 NAVENG;NAVENG;c:\progra~1\common~1\symant~1\virusd~1\20070124.024\NAVENG.Sys [2007-1-24 80472]
R3 NAVEX15;NAVEX15;c:\progra~1\common~1\symant~1\virusd~1\20070124.024\NavEx15.Sys [2007-1-24 852280]
R3 SAVRT;SAVRT;c:\program files\norton antivirus\savrt.sys [2005-8-26 334984]
S1 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido\security suite\guard.sys --> c:\program files\ewido\security suite\guard.sys [?]
S2 Ca533av;Dual Mode Video Camera Device;c:\windows\system32\drivers\Ca533av.sys [2004-12-30 515803]
S2 ewido security suite control;ewido security suite control;c:\program files\ewido\security suite\ewidoctrl.exe [2004-11-12 16448]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [2006-1-9 44928]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\lavasoft\ad-aware\AAWService.exe [2009-1-18 1028432]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [2006-1-9 55936]
S3 SAVScan;Symantec AVScan;c:\program files\norton antivirus\SAVScan.exe [2005-8-26 198368]
S4 ewido security suite guard;ewido security suite guard;c:\program files\ewido\security suite\ewidoguard.exe --> c:\program files\ewido\security suite\ewidoguard.exe [?]

=============== Created Last 30 ================

2009-12-21 11:21:42 0 d-----w- c:\program files\ESET
2009-12-20 18:57:12 0 d-----w- c:\docume~1\ronnie\applic~1\Malwarebytes
2009-12-20 18:57:01 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-20 18:56:57 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-12-20 18:56:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-20 18:56:55 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 13:58:40 0 d-sh--w- C:\FOUND.068
2009-12-19 13:24:51 0 d-----w- C:\My Shared Folder
2009-12-18 12:11:58 36 ----a-w- c:\windows\rasqervy.dll
2009-12-18 12:11:45 8 ----a-w- c:\windows\sdfinacs.dll
2009-12-18 12:10:32 5 ----a-w- c:\windows\sdfixwcs.dll
2009-12-17 19:43:01 106 ----a-w- c:\windows\wuasirvy.dll
2009-12-17 19:43:01 105472 ----a-w- c:\windows\msacm32.drv
2009-12-17 12:10:54 0 d-sh--w- C:\FOUND.067

==================== Find3M ====================

2009-12-19 11:12:32 15688 ----a-w- c:\windows\system32\lsdelete.exe
2009-10-11 18:19:02 74080 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2006-09-07 19:21:42 278528 ----a-w- c:\program files\common files\FDEUnInstaller.exe
2004-02-29 22:40:46 9216 --sha-w- c:\program files\common files\Thumbs.db

============= FINISH: 12:53:53.07 ===============

theshotts
I hope this is what you are looking for.
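The parts of a DDS report a helper reads first are the Run values, the add-on entries marked No File, the recently created files and the AV/firewall lines. The script below is an added example for this thread, not code from DDS, HijackThis or ComboFix; it applies those checks to a constructed sample made of lines copied from the logs above, and its heuristics (start paths under temp or the user profile, binaries dropped straight into c:\windows, numeric or random-looking names, DLLs of a few bytes) are this example's own rules of thumb, not anything those tools implement.

```python
"""Triage a DDS / ComboFix text log for suspicious autoruns, orphaned browser
add-ons, freshly dropped files and weak security posture.  Added example for
this thread; the heuristics are this example's own, not the tools' logic."""
import re

# Constructed sample: lines copied from the DDS and ComboFix logs in the thread.
SAMPLE_LOG = r"""
AV: Norton AntiVirus 2006 *On-access scanning enabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
TB: {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [ZagrebLand] c:\docume~1\ronnie\locals~1\temp\b.exe
uRun: [uvc7jk640c] c:\windows\msa.exe
uRun: [rundll32.exe]
uRun: [WAB] c:\documents and settings\ronnie\application data\macromedia\common\8506002619.exe
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
2009-12-18 12:11:58 36 ----a-w- c:\windows\rasqervy.dll
2009-12-17 19:43:01 105472 ----a-w- c:\windows\msacm32.drv
2009-10-11 18:19:02 74080 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
"EnableFirewall"= 0 (0x0)
"""

# Line shapes used by DDS (uRun/mRun/dRun, BHO/TB/EB) and ComboFix (firewall key).
RUN_RE = re.compile(r"^(?P<hive>[umd])Run(?:Once)?:\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
NOFILE_RE = re.compile(r"^(?P<kind>BHO|TB|EB):.*-\s*No File$")
CREATED_RE = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\s+(?P<size>\d+)\s+\S+\s+(?P<path>.+)$")
FIREWALL_OFF = re.compile(r'"?EnableFirewall"?\s*=\s*0\b')

# Heuristics (assumptions of this example): where droppers tend to put themselves.
USER_WRITABLE = re.compile(r"\\temp\\|locals~1|local settings|application data|applic~1", re.I)
WINDIR_ROOT = re.compile(r"^[a-z]:\\windows\\[^\\]+\.(?:exe|dll|drv|scr|com)$", re.I)
NUMERIC_EXE = re.compile(r"\\\d{6,}\.exe$", re.I)
RANDOM_NAME = re.compile(r"^(?=.*\d)(?=.*[a-z])[a-z0-9]{8,}$", re.I)


def _exe_path(cmd):
    """Strip quotes and arguments from a Run value, keeping the program path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd


def check_run(name, cmd):
    """Reasons a Run value looks suspicious; an empty list means nothing stood out."""
    reasons, exe = [], _exe_path(cmd)
    if not exe:
        reasons.append("empty command (cleared by a cleaner, or an orphan)")
    else:
        if USER_WRITABLE.search(exe):
            reasons.append("starts from a user-writable temp/profile directory")
        if WINDIR_ROOT.match(exe):
            reasons.append("binary sits directly in the Windows directory")
        if NUMERIC_EXE.search(exe):
            reasons.append("purely numeric executable name")
    if RANDOM_NAME.match(name):
        reasons.append("random-looking value name")
    return reasons


def check_created(size, path):
    """Reasons a recently created file looks like a dropper artefact."""
    reasons = []
    if WINDIR_ROOT.match(path):
        reasons.append("new executable/DLL/driver directly in the Windows directory")
    if size < 1024 and path.lower().endswith(".dll"):
        reasons.append("a %d-byte DLL is a marker or config file, not a real module" % size)
    return reasons


def triage(log_text):
    """Return (category, subject, reason) findings for every suspicious line."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RUN_RE.match(line)
        if m:
            findings += [("run", m["name"], r) for r in check_run(m["name"], m["cmd"])]
            continue
        m = NOFILE_RE.match(line)
        if m:
            findings.append(("nofile", line, "registered add-on whose file is gone; remove the orphan"))
            continue
        m = CREATED_RE.match(line)
        if m:
            findings += [("file", m["path"], r) for r in check_created(int(m["size"]), m["path"])]
        elif line.startswith("AV:") and "(Outdated)" in line:
            findings.append(("posture", line, "antivirus definitions are out of date"))
        elif FIREWALL_OFF.search(line):
            findings.append(("posture", line, "Windows Firewall standard profile is disabled"))
    return findings


if __name__ == "__main__":
    for category, subject, reason in triage(SAMPLE_LOG):
        print(f"[{category:7}] {subject}\n          -> {reason}")
```

Run it as a script to print the findings; each hit is a lead to check by hand rather than a verdict, since some legitimate installers also launch from temp, and anything it misses (a signed-looking name in a normal location) still needs the usual file checks.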


That'll work :)

To start, please go into Add / Remove Programs and uninstall these:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 3
J2SE Runtime Environment 5.0 Update 9
Java 2 Runtime Environment Standard Edition v1.3.1_11
Java(TM) 6 Update 15
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1

Messenger Plus! 3
Messenger Plus! Live

Then, please go to http://www.java.com/en/ to download and install the latest version of Java.

--- Has your Norton AV subscription lapsed? You'll need up-to-date AV...

If you already have Combofix on your machine, DELETE it.

Then follow the instructions in the link below to download a fresh copy of Combofix and run it:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Be sure to install Recovery Console (if you are able to do so) and disable any other security programs or Anti-Virus programs as per the linky before running Combofix!

Please post the combofix log for me.

Will check back as time permits.

Cheers :)
PP

PhilliePhan
Moderator

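Sorting the eleven Java entries above by eye is easy to get wrong because three naming schemes are mixed (J2SE 5.0 Update n, Java(TM) 6 Update n, and the old v1.3.1_11 form). The function below is an added example, not part of the thread or of any Sun/Oracle tool: it normalises those display names to a (family, update) pair and lists everything except the newest. Passing the version you are about to install as the `latest` argument (an assumption of this example, not a real tool option) lists all eleven for removal, which matches the instruction above.

```python
"""Pick the stale Java runtimes out of an Add/Remove Programs listing.

Added example for this thread; not part of any tool mentioned here.  Only the
three display-name formats that appear in the listing above are recognised;
anything else is treated as "not a JRE" and left alone."""
import re

# Constructed sample, copied from the installed-programs list in this thread.
INSTALLED = [
    "J2SE Runtime Environment 5.0 Update 10",
    "J2SE Runtime Environment 5.0 Update 11",
    "J2SE Runtime Environment 5.0 Update 3",
    "J2SE Runtime Environment 5.0 Update 9",
    "Java 2 Runtime Environment Standard Edition v1.3.1_11",
    "Java(TM) 6 Update 15",
    "Java(TM) 6 Update 2",
    "Java(TM) 6 Update 3",
    "Java(TM) 6 Update 5",
    "Java(TM) 6 Update 7",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "Messenger Plus! Live",
    "WinZip",
]

# Each pattern yields (family, update): "Java(TM) 6 Update 15" -> (6, 15),
# "J2SE Runtime Environment 5.0 Update 10" -> (5, 10), "v1.3.1_11" -> (3, 11).
PATTERNS = [
    re.compile(r"^Java\(TM\)(?: SE Runtime Environment)? (\d+) Update (\d+)$"),
    re.compile(r"^J2SE Runtime Environment (\d+)\.\d+ Update (\d+)$"),
    re.compile(r"^Java 2 Runtime Environment Standard Edition v1\.(\d+)\.\d+_(\d+)$"),
]


def jre_version(name):
    """Map a display name to (family, update), or None if it is not a JRE."""
    for pat in PATTERNS:
        m = pat.match(name)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def stale_jres(installed, latest=None):
    """Return (keep, remove): the newest installed JRE and all the others.

    If `latest` (family, update) is given and nothing installed is at least
    that new, keep is None and every JRE is listed for removal."""
    jres = []
    for name in installed:
        version = jre_version(name)
        if version is not None:
            jres.append((version, name))
    if not jres:
        return None, []
    newest_version, newest_name = max(jres)
    if latest is not None and newest_version < latest:
        return None, sorted(name for _, name in jres)
    return newest_name, sorted(name for _, name in jres if name != newest_name)


if __name__ == "__main__":
    keep, remove = stale_jres(INSTALLED)
    print("keep:  ", keep)
    print("remove:", *remove, sep="\n        ")
```

Without `latest` it keeps Java(TM) 6 Update 15 and lists the other ten; with `latest=(6, 17)` (the build the ComboFix log later shows under jre1.6.0_17) it lists all eleven, which is the uninstall set given above.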
Hi, thanks for your time.
Here's the log you requested
Cheers,
Ronnie.

ComboFix 09-12-22.03 - Ronnie 23/12/2009 11:15:00.1.1 - FAT32x86
Running from: c:\documents and settings\Ronnie\Desktop\ComboFix.exe
AV: Norton AntiVirus 2006 *On-access scanning disabled* (Outdated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton Internet Worm Protection *enabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\a3kebook.ini
c:\windows\akebook.ini
c:\windows\ANS2000.INI
c:\windows\msacm32.drv
c:\windows\patch.exe
c:\windows\rasqervy.dll
c:\windows\sdfinacs.dll
c:\windows\sdfixwcs.dll
c:\windows\system32\_000229_.tmp.dll
c:\windows\system32\_004352_.tmp.dll
c:\windows\system32\_004353_.tmp.dll
c:\windows\system32\_004354_.tmp.dll
c:\windows\system32\_004355_.tmp.dll
c:\windows\system32\_004362_.tmp.dll
c:\windows\system32\_004363_.tmp.dll
c:\windows\system32\_004364_.tmp.dll
c:\windows\system32\_004365_.tmp.dll
c:\windows\system32\_004366_.tmp.dll
c:\windows\system32\_004367_.tmp.dll
c:\windows\system32\_004368_.tmp.dll
c:\windows\system32\_004369_.tmp.dll
c:\windows\system32\_004370_.tmp.dll
c:\windows\system32\_004371_.tmp.dll
c:\windows\system32\_004372_.tmp.dll
c:\windows\system32\_004373_.tmp.dll
c:\windows\system32\_004374_.tmp.dll
c:\windows\system32\_004375_.tmp.dll
c:\windows\system32\_004376_.tmp.dll
c:\windows\system32\_004378_.tmp.dll
c:\windows\system32\_004381_.tmp.dll
c:\windows\system32\_004382_.tmp.dll
c:\windows\system32\_004386_.tmp.dll
c:\windows\system32\_004387_.tmp.dll
c:\windows\system32\_004388_.tmp.dll
c:\windows\system32\_004389_.tmp.dll
c:\windows\system32\_004390_.tmp.dll
c:\windows\system32\_004391_.tmp.dll
c:\windows\system32\_004392_.tmp.dll
c:\windows\system32\_004394_.tmp.dll
c:\windows\system32\_004395_.tmp.dll
c:\windows\system32\_004396_.tmp.dll
c:\windows\system32\_004397_.tmp.dll
c:\windows\system32\_004398_.tmp.dll
c:\windows\system32\_004399_.tmp.dll
c:\windows\system32\_004400_.tmp.dll
c:\windows\system32\_004401_.tmp.dll
c:\windows\system32\_004402_.tmp.dll
c:\windows\system32\_004403_.tmp.dll
c:\windows\system32\_004404_.tmp.dll
c:\windows\system32\_004405_.tmp.dll
c:\windows\system32\_004408_.tmp.dll
c:\windows\system32\_004409_.tmp.dll
c:\windows\system32\_004410_.tmp.dll
c:\windows\system32\_004412_.tmp.dll
c:\windows\system32\_004413_.tmp.dll
c:\windows\system32\_004414_.tmp.dll
c:\windows\system32\_004415_.tmp.dll
c:\windows\system32\_004416_.tmp.dll
c:\windows\system32\_004418_.tmp.dll
c:\windows\system32\_004421_.tmp.dll
c:\windows\system32\_004422_.tmp.dll
c:\windows\system32\_004426_.tmp.dll
c:\windows\system32\_004427_.tmp.dll
c:\windows\system32\_004429_.tmp.dll
c:\windows\system32\_004432_.tmp.dll
c:\windows\system32\_004434_.tmp.dll
c:\windows\system32\_004435_.tmp.dll
c:\windows\system32\_004436_.tmp.dll
c:\windows\system32\_004437_.tmp.dll
c:\windows\system32\_004440_.tmp.dll
c:\windows\system32\_004441_.tmp.dll
c:\windows\system32\_004442_.tmp.dll
c:\windows\system32\_004443_.tmp.dll
c:\windows\system32\_004444_.tmp.dll
c:\windows\system32\_004449_.tmp.dll
c:\windows\system32\_004451_.tmp.dll
c:\windows\system32\_004452_.tmp.dll
c:\windows\system32\open.ico
c:\windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job
c:\windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job
c:\windows\tmlpcert2005
c:\windows\wuasirvy.dll

Infected copy of c:\windows\system32\DRIVERS\atapi.sys was found and disinfected
Restored copy from - c:\windows\system32\drivers\atapi.sys
.
((((((((((((((((((((((((( Files Created from 2009-11-23 to 2009-12-23 )))))))))))))))))))))))))))))))
.

2009-12-21 11:21 . 2009-12-21 11:21 -------- d-----w- c:\program files\ESET
2009-12-20 18:57 . 2009-12-20 18:57 -------- d-----w- c:\documents and settings\Ronnie\Application Data\Malwarebytes
2009-12-20 18:57 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-20 18:56 . 2009-12-20 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-20 18:56 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-20 18:56 . 2009-12-20 18:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 13:58 . 2009-12-19 13:58 -------- d-----w- C:\FOUND.068
2009-12-19 13:24 . 2009-12-19 13:24 -------- d-----w- C:\My Shared Folder
2009-12-17 12:10 . 2009-12-17 12:10 -------- d-----w- C:\FOUND.067

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-23 10:42 . 2008-12-20 10:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-23 10:42 . 2009-12-23 10:42 152576 ----a-w- c:\documents and settings\Ronnie\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-23 10:41 . 2009-12-23 10:41 79488 ----a-w- c:\documents and settings\Ronnie\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-22 23:56 . 2009-12-17 19:41 24576 ----a-w- c:\documents and settings\Ronnie\Application Data\Macromedia\Common\8506002619.exe
2009-12-22 18:02 . 2009-12-17 19:41 103412 ----a-w- c:\documents and settings\Ronnie\Application Data\Macromedia\Common\850600261.dll
2009-12-22 16:34 . 2009-12-22 16:34 24576 ----a-w- c:\documents and settings\NetworkService\Application Data\Macromedia\Common\8506002619.exe
2009-10-11 18:19 . 2002-09-05 16:35 74080 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-10-09 21:50 . 2002-04-24 16:55 5058 ----a-w- c:\windows\Help\hhcolreg.dat
2006-09-07 19:21 . 2006-09-07 19:21 278528 ----a-w- c:\program files\Common Files\FDEUnInstaller.exe
2004-02-29 22:40 . 2004-02-29 22:40 9216 --sha-w- c:\program files\Common Files\Thumbs.db
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2009-05-04 11:56 398776 ----a-w- c:\program files\BearShare Applications\BearShare\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAB"="c:\documents and settings\Ronnie\Application Data\Macromedia\Common\8506002619.exe" [2009-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SUPASTATUS"="c:\program files\Internet Explorer\Connection Wizard\status.exe" [2002-02-21 588288]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"NAV Agent"="c:\progra~1\NORTON~1\navapw32.exe" [2003-04-20 0]
"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 53096]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-12-19 520024]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-18 44032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 40960]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-23 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
"WAB"="c:\documents and settings\Ronnie\Application Data\Macromedia\Common\8506002619.exe" [2009-12-22 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk
backup=c:\windows\pss\Belkin Wireless USB Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Freeserve Connection Kit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Freeserve Connection Kit.lnk
backup=c:\windows\pss\Freeserve Connection Kit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ronnie^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Ronnie\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
2003-05-21 15:35 4608 ----a-w- c:\windows\system32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
2001-12-06 12:09 45056 ----a-w- c:\program files\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2003-05-28 19:11 94208 ----a-w- c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 06:32 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 13:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
2008-02-27 17:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 10:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
2006-05-28 16:24 1003520 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2007-03-28 01:07 593920 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-03-02 14:54 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Kazaa Lite\\Kazaa.kpp"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [14/02/2009 16:48 64160]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [28/05/2003 19:01 5632]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [02/10/2009 10:55 102712]
S1 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido\security suite\guard.sys --> c:\program files\ewido\security suite\guard.sys [?]
S2 Ca533av;Dual Mode Video Camera Device;c:\windows\system32\drivers\Ca533av.sys [30/12/2004 20:38 515803]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [09/01/2006 10:14 44928]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 21:34 1028432]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [09/01/2006 10:14 55936]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
mStart Page = hxxp://uk.yahoo.com/
uInternet Settings,ProxyOverride = *.local;
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Yahoo! Search
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: orange search - file://c:\program files\ORANGE3\Cache\SelectedContextSearch.htm
IE: Search with Wanadoo - c:\progra~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
IE: Yahoo! &Dictionary
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} - file://c:\documents and settings\Ronnie\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{2D8D4E2C-4FF9-4ECE-869F-04B3CB7AFD13} - (no file)
WebBrowser-{F0C320CD-9888-4BEA-B895-0390C2F00A51} - c:\program files\_SUPERBAR\_SUPERBAR.dll
HKCU-Run-uvc7jk640c - c:\windows\msa.exe
HKCU-Run-rundll32.exe - (no file)
MSConfigStartUp-BitTorrent - c:\program files\BitTorrent\bittorrent.exe
MSConfigStartUp-NoAds - c:\program files\NoAds\NoAds.exe
MSConfigStartUp-OM_Monitor - c:\program files\OLYMPUS\OLYMPUS Master\FirstStart.exe
MSConfigStartUp-STManager - c:\program files\SpeedTouch\Dr SpeedTouch\drst.exe
MSConfigStartUp-swg - c:\program files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
MSConfigStartUp-updateMgr - c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
MSConfigStartUp-Yahoo! Pager - c:\program files\Yahoo!\Messenger\ypager.exe
AddRemove-HijackThis - c:\docume~1\Ronnie\LOCALS~1\Temp\HijackThis.exe
AddRemove-{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A} - c:\program files\InstallShield Installation Information\{EBA29752-DDD2-4B62-B2E3-9841F92A3E3A}\setup.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-23 11:30
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\htafile\CLSID]
@DACL=(02 0000)
@="{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1500)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\drivers\CDAC11BA.EXE
c:\program files\Common Files\Symantec Shared\ccSetMgr.exe
c:\progra~1\Symantec\NORTON~1\GHOSTS~2.EXE
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Norton AntiVirus\navapsvc.exe
c:\program files\Norton AntiVirus\IWP\NPFMntor.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
c:\program files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
c:\program files\Common Files\Symantec Shared\ccEvtMgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\Symantec\LiveUpdate\AUpdate.exe
c:\progra~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
c:\program files\Symantec\LiveUpdate\LuCallbackProxy.exe
.
**************************************************************************
.
Completion time: 2009-12-23 11:39:11 - machine was rebooted
ComboFix-quarantined-files.txt 2009-12-23 11:39

Pre-Run: 15,539,470,336 bytes free
Post-Run: 15,726,346,240 bytes free

- - End Of File - - BF049A4D362D8F54CC73B21C7455A617

theshotts
Light Poster
42 posts since Jul 2005
Reputation Points: 10
Solved Threads: 0
 

I had a problem where my internet browsers kept saying DNS error, so you would think it was an ISP problem, but no. I used Search and Destroy along with Avast (slightly better than AVG), which actually found the malware problem and deleted it. So what I'm saying is use 2 virus searches; download here http://download.cnet.com/Spybot-Search-Destroy/3000-8022_4-10289035.html . Use that alongside your current virus scanner and tell me the result.

snitch321
Junior Poster in Training
63 posts since Nov 2007
Reputation Points: 9
Solved Threads: 2
 

Hi, I already use it and adaware.
What I've been directed to do seems to be working.
Cheers

theshotts
Light Poster
42 posts since Jul 2005
Reputation Points: 10
Solved Threads: 0
 
Hi, thanks for your time.
Here's the log you requested



OK - That looks better. Still a few steps to do, though.


-- If your Norton has expired, you'll need to renew or replace it.
If you want a free alternative, uninstall Norton and replace it with Comodo Firewall + AV
But, you gotta have an up-to-date AV!

-- Is this folder still on your machine? --> c:\program files\ewido

-- I recommend uninstalling these as they pose security risks:
c:\\Program Files\Kontiki
c:\\Program Files\Kazaa Lite
c:\\Program Files\BearShare Applications

LASTLY:
-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.

And . . . We'll go from there :)
PP

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
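The log PP is reading shows the Windows Firewall switched off ("EnableFirewall"= 0), Security Center told not to monitor the Symantec products ("DisableMonitoring"=dword:00000001), and the three P2P clients PP asks to remove sitting in the firewall's AuthorizedApplications list. Pulling those facts out of a ComboFix log by hand is tedious, so here is an added triage script for that REGEDIT4-style section; it is not part of this thread and not ComboFix's own code. The sample text is constructed to mirror the structure of the logs posted above, the "risky app" list is exactly the three folders PP names, and flagging Run entries whose target lives under a user profile path is a generic review heuristic I am adding, not a verdict the thread reaches (DisableMonitoring is also something legitimate suites set themselves, so it is a check, not a conviction).

```python
"""Triage a few ComboFix-style log sections: firewall state, firewall
exceptions, Security Center monitoring, and autorun entries.

Added example for this thread, not ComboFix's own code. SAMPLE_LOG is a
constructed fragment shaped like the logs posted in the thread."""
import re
from dataclasses import dataclass, field

# Constructed sample: a handful of lines shaped like the ComboFix output.
SAMPLE_LOG = r"""
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAB"="c:\documents and settings\Ronnie\Application Data\Macromedia\Common\8506002619.exe" [2009-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-12-19 520024]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Kazaa Lite\\Kazaa.kpp"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")          # [HKEY_...\...]
VALUE_RE = re.compile(r'^"([^"]*)"\s*=\s*(.*)$')  # "name"=data

# Folders the helper in this thread told the poster to remove.
RISKY_APP_DIRS = ("kontiki", "kazaa lite", "bearshare applications")
# Assumption (review heuristic, not a verdict): autoruns launched from
# user-writable profile locations deserve a manual look.
USER_WRITABLE_HINTS = ("\\application data\\", "\\local settings\\temp\\")


def parse_sections(text):
    """Return {section_name: [(value_name, value_data), ...]}."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1), m.group(2)))
    return sections


@dataclass
class Findings:
    firewall_disabled: bool = False
    monitoring_disabled: list = field(default_factory=list)   # product names
    risky_exceptions: list = field(default_factory=list)      # exception paths
    autoruns_to_review: list = field(default_factory=list)    # (name, target)


def triage(text):
    """Walk the parsed sections and collect the points a helper checks first."""
    f = Findings()
    for section, values in parse_sections(text).items():
        key = section.lower()
        if key.endswith("firewallpolicy\\standardprofile"):
            for name, data in values:
                if name == "EnableFirewall" and data.startswith("0"):
                    f.firewall_disabled = True
        elif key.endswith("\\authorizedapplications\\list"):
            for name, _ in values:
                path = name.replace("\\\\", "\\")   # log doubles backslashes
                if any(d in path.lower() for d in RISKY_APP_DIRS):
                    f.risky_exceptions.append(path)
        elif "\\security center\\monitoring\\" in key:
            for name, data in values:
                if name == "DisableMonitoring" and data.endswith("1"):
                    f.monitoring_disabled.append(section.rsplit("\\", 1)[-1])
        elif key.endswith("\\currentversion\\run"):
            for name, data in values:
                # data looks like "<path>" [date size]; keep the quoted path
                target = data.split('"')[1] if data.startswith('"') else data
                if any(h in target.lower() for h in USER_WRITABLE_HINTS):
                    f.autoruns_to_review.append((name, target))
    return f


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    print("Windows Firewall disabled:", found.firewall_disabled)
    print("Security Center monitoring disabled for:", found.monitoring_disabled)
    print("Firewall exceptions for apps the thread says to remove:")
    for p in found.risky_exceptions:
        print("  ", p)
    print("Autoruns launched from user-profile paths (review manually):")
    for name, target in found.autoruns_to_review:
        print("  ", name, "->", target)
```

Run it against a real ComboFix log by reading the file into `triage()` instead of `SAMPLE_LOG`; the parser only looks at `[section]` headers and `"name"=data` lines, so the surrounding file listings and driver tables are ignored.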
 

Hi there, I don't know how to uninstall them; they don't show up in Add/Remove Programs. I tried to delete them but it wouldn't let me. It says it can't delete kservice.exe, and I get a similar message with ewido.
Shall I carry on with your requests in the meantime?
Cheers
Ronnie.
PS The comp. is working much better already.

theshotts
Light Poster
42 posts since Jul 2005
Reputation Points: 10
Solved Threads: 0
 
Shall I carry on with your requests in the meantime?


Go ahead with the CFScript / Combofix step and we'll deal with the others later.

What's up on the AV front?

PP:)

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Hi, I'm in the process of deleting the AV and downloading your suggested one.
I'll get back to you soon and let you know how I get on.
Thanks again and Merry Christmas.

Ronnie

theshotts
Light Poster
42 posts since Jul 2005
Reputation Points: 10
Solved Threads: 0
 

Hi, here's my latest log.
Cheers.

ComboFix 09-12-24.02 - Ronnie 24/12/2009 22:58:55.2.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.479.86 [GMT 0:00]
Running from: c:\documents and settings\Ronnie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ronnie\Desktop\CFScript.txt.url
AV: COMODO Antivirus *On-access scanning enabled* (Outdated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *enabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.
PEV Error: LocalAppDataFile

((((((((((((((((((((((((( Files Created from 2009-11-24 to 2009-12-24 )))))))))))))))))))))))))))))))
.

2009-12-24 22:22 . 2009-12-24 22:22 -------- d-----w- c:\documents and settings\Ronnie\Application Data\Comodo
2009-12-24 22:20 . 2009-12-24 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-12-24 22:20 . 2009-12-24 22:20 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-12-24 22:20 . 2009-12-24 22:20 171552 ----a-w- c:\windows\system32\guard32.dll
2009-12-24 22:20 . 2009-12-24 22:20 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-12-24 22:20 . 2009-12-24 22:20 133064 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-12-24 22:20 . 2009-12-24 22:20 -------- d-----w- c:\program files\COMODO
2009-12-23 10:42 . 2009-12-23 10:42 152576 ----a-w- c:\documents and settings\Ronnie\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-23 10:41 . 2009-12-23 10:41 79488 ----a-w- c:\documents and settings\Ronnie\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-22 16:34 . 2009-12-22 16:34 24576 ----a-w- c:\documents and settings\NetworkService\Application Data\Macromedia\Common\8506002619.exe
2009-12-21 11:21 . 2009-12-21 11:21 -------- d-----w- c:\program files\ESET
2009-12-20 18:57 . 2009-12-20 18:57 -------- d-----w- c:\documents and settings\Ronnie\Application Data\Malwarebytes
2009-12-20 18:57 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-20 18:56 . 2009-12-20 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-20 18:56 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-20 18:56 . 2009-12-20 18:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 13:58 . 2009-12-19 13:58 -------- d-----w- C:\FOUND.068
2009-12-19 13:24 . 2009-12-19 13:24 -------- d-----w- C:\My Shared Folder
2009-12-19 11:12 . 2009-12-19 11:12 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\WSCUpdate.dll
2009-12-19 11:12 . 2009-12-19 11:12 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2009-12-17 19:41 . 2009-12-22 23:56 24576 ----a-w- c:\documents and settings\Ronnie\Application Data\Macromedia\Common\8506002619.exe
2009-12-17 19:41 . 2009-12-22 18:02 103412 ----a-w- c:\documents and settings\Ronnie\Application Data\Macromedia\Common\850600261.dll
2009-12-17 12:10 . 2009-12-17 12:10 -------- d-----w- C:\FOUND.067

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-23 10:42 . 2008-12-20 10:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-11 18:19 . 2002-09-05 16:35 74080 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-10-09 21:50 . 2002-04-24 16:55 5058 ----a-w- c:\windows\Help\hhcolreg.dat
2006-09-07 19:21 . 2006-09-07 19:21 278528 ----a-w- c:\program files\Common Files\FDEUnInstaller.exe
2004-02-29 22:40 . 2004-02-29 22:40 9216 --sha-w- c:\program files\Common Files\Thumbs.db
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{74322BF9-DF26-493f-B0DA-6D2FC5E6429E}]
2009-05-04 11:56 398776 ----a-w- c:\program files\BearShare Applications\BearShare\BearShareIEHelper.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAB"="c:\documents and settings\Ronnie\Application Data\Macromedia\Common\8506002619.exe" [2009-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SUPASTATUS"="c:\program files\Internet Explorer\Connection Wizard\status.exe" [2002-02-21 588288]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-12-19 520024]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-18 44032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 40960]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-23 149280]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-12-24 1800464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
"WAB"="c:\documents and settings\Ronnie\Application Data\Macromedia\Common\8506002619.exe" [2009-12-22 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk
backup=c:\windows\pss\Belkin Wireless USB Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Freeserve Connection Kit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Freeserve Connection Kit.lnk
backup=c:\windows\pss\Freeserve Connection Kit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ronnie^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Ronnie\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
2003-05-21 15:35 4608 ----a-w- c:\windows\system32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
2001-12-06 12:09 45056 ----a-w- c:\program files\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2003-05-28 19:11 94208 ----a-w- c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 06:32 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 13:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
2008-02-27 17:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 10:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
2006-05-28 16:24 1003520 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2007-03-28 01:07 593920 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-03-02 14:54 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\BearShare Applications\\BearShare\\BearShare.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [14/02/2009 16:48 64160]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [24/12/2009 22:20 133064]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [24/12/2009 22:20 25160]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [28/05/2003 19:01 5632]
S1 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido\security suite\guard.sys --> c:\program files\ewido\security suite\guard.sys [?]
S2 Ca533av;Dual Mode Video Camera Device;c:\windows\system32\drivers\Ca533av.sys [30/12/2004 20:38 515803]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [09/01/2006 10:14 44928]
S3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [02/10/2009 10:55 102712]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 21:34 1028432]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [09/01/2006 10:14 55936]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - CMDAGENT
*NewlyCreated* - CMDGUARD
*NewlyCreated* - CMDHLP
*NewlyCreated* - INSPECT
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
mStart Page = hxxp://uk.yahoo.com/
uInternet Settings,ProxyOverride = *.local;
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Yahoo! Search
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: orange search - file://c:\program files\ORANGE3\Cache\SelectedContextSearch.htm
IE: Search with Wanadoo - c:\progra~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
IE: Yahoo! &Dictionary
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} - file://c:\documents and settings\Ronnie\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-NAV Agent - c:\progra~1\NORTON~1\navapw32.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-24 23:18
Windows 5.1.2600 Service Pack 2 FAT NTAPI

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\htafile\CLSID]
@DACL=(02 0000)
@="{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(608)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(520)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-24 23:27:40
ComboFix-quarantined-files.txt 2009-12-24 23:27
ComboFix2.txt 2009-12-23 11:39

Pre-Run: 15,330,246,656 bytes free
Post-Run: 15,696,003,072 bytes free

- - End Of File - - 63EBD7B1CA700383E4C87EA4AE7271C1

theshotts
Light Poster
42 posts since Jul 2005
Reputation Points: 10
Solved Threads: 0
 
Hi, here's my latest log.
Cheers.


Hi Ronnie,

That did not run properly. You must download the CFScript.txt file to the desktop. Once the actual file is on the desktop, you drag that over the ComboFix icon to start ComboFix.

Let's try that step again. I will attach a new CFScript.

-- Please delete your copy of ComboFix and download a fresh one to your Desktop
-- Download the attached file CFScript.txt to your Desktop as well
-- Close ALL browser windows and then drag CFScript.txt into ComboFix.exe just like this.

-- Let Combofix run as before and post me that log.


Cheers :)
PP

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Hi, hope this worked this time.

Cheers,
Ronnie

ComboFix 09-12-26.04 - Ronnie 27/12/2009 11:10:45.3.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.479.290 [GMT 0:00]
Running from: c:\documents and settings\Ronnie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ronnie\Desktop\CFScript.txt.url
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
.

2009-12-24 22:22 . 2009-12-24 22:22 -------- d-----w- c:\documents and settings\Ronnie\Application Data\Comodo
2009-12-24 22:20 . 2009-12-24 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-12-24 22:20 . 2009-12-24 22:20 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-12-24 22:20 . 2009-12-24 22:20 171552 ----a-w- c:\windows\system32\guard32.dll
2009-12-24 22:20 . 2009-12-24 22:20 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-12-24 22:20 . 2009-12-24 22:20 133064 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-12-24 22:20 . 2009-12-24 22:20 -------- d-----w- c:\program files\COMODO
2009-12-23 10:42 . 2009-12-23 10:42 152576 ----a-w- c:\documents and settings\Ronnie\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-23 10:41 . 2009-12-23 10:41 79488 ----a-w- c:\documents and settings\Ronnie\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-22 16:34 . 2009-12-22 16:34 24576 ----a-w- c:\documents and settings\NetworkService\Application Data\Macromedia\Common\8506002619.exe
2009-12-21 11:21 . 2009-12-21 11:21 -------- d-----w- c:\program files\ESET
2009-12-20 18:57 . 2009-12-20 18:57 -------- d-----w- c:\documents and settings\Ronnie\Application Data\Malwarebytes
2009-12-20 18:57 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-20 18:56 . 2009-12-20 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-20 18:56 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-20 18:56 . 2009-12-20 18:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 13:58 . 2009-12-19 13:58 -------- d-----w- C:\FOUND.068
2009-12-19 13:24 . 2009-12-19 13:24 -------- d-----w- C:\My Shared Folder
2009-12-19 11:12 . 2009-12-19 11:12 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\WSCUpdate.dll
2009-12-19 11:12 . 2009-12-19 11:12 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2009-12-17 19:41 . 2009-12-22 23:56 24576 ----a-w- c:\documents and settings\Ronnie\Application Data\Macromedia\Common\8506002619.exe
2009-12-17 19:41 . 2009-12-22 18:02 103412 ----a-w- c:\documents and settings\Ronnie\Application Data\Macromedia\Common\850600261.dll
2009-12-17 12:10 . 2009-12-17 12:10 -------- d-----w- C:\FOUND.067

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-23 10:42 . 2008-12-20 10:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-11 18:19 . 2002-09-05 16:35 74080 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-10-09 21:50 . 2002-04-24 16:55 5058 ----a-w- c:\windows\Help\hhcolreg.dat
2006-09-07 19:21 . 2006-09-07 19:21 278528 ----a-w- c:\program files\Common Files\FDEUnInstaller.exe
2004-02-29 22:40 . 2004-02-29 22:40 9216 --sha-w- c:\program files\Common Files\Thumbs.db
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAB"="c:\documents and settings\Ronnie\Application Data\Macromedia\Common\8506002619.exe" [2009-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SUPASTATUS"="c:\program files\Internet Explorer\Connection Wizard\status.exe" [2002-02-21 588288]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-12-19 520024]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-18 44032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 40960]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-23 149280]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-12-24 1800464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
"WAB"="c:\documents and settings\Ronnie\Application Data\Macromedia\Common\8506002619.exe" [2009-12-22 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk
backup=c:\windows\pss\Belkin Wireless USB Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Freeserve Connection Kit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Freeserve Connection Kit.lnk
backup=c:\windows\pss\Freeserve Connection Kit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ronnie^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Ronnie\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
2003-05-21 15:35 4608 ----a-w- c:\windows\system32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
2001-12-06 12:09 45056 ----a-w- c:\program files\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2003-05-28 19:11 94208 ----a-w- c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 06:32 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 13:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
2008-02-27 17:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 10:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
2006-05-28 16:24 1003520 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2007-03-28 01:07 593920 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-03-02 14:54 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [14/02/2009 16:48 64160]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [24/12/2009 22:20 133064]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [24/12/2009 22:20 25160]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [28/05/2003 19:01 5632]
S1 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido\security suite\guard.sys --> c:\program files\ewido\security suite\guard.sys [?]
S2 Ca533av;Dual Mode Video Camera Device;c:\windows\system32\drivers\Ca533av.sys [30/12/2004 20:38 515803]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [09/01/2006 10:14 44928]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 21:34 1028432]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [09/01/2006 10:14 55936]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
mStart Page = hxxp://uk.yahoo.com/
uInternet Settings,ProxyOverride = *.local;
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Yahoo! Search
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: orange search - file://c:\program files\ORANGE3\Cache\SelectedContextSearch.htm
IE: Search with Wanadoo - c:\progra~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
IE: Yahoo! &Dictionary
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} - file://c:\documents and settings\Ronnie\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
.
- - - - ORPHANS REMOVED - - - -

AddRemove-orange3 - c:\program files\orange3\uninstall.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 11:23
Windows 5.1.2600 Service Pack 2 FAT NTAPI

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\htafile\CLSID]
@DACL=(02 0000)
@="{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(608)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(3592)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
Completion time: 2009-12-27 11:29:01
ComboFix-quarantined-files.txt 2009-12-27 11:28
ComboFix2.txt 2009-12-24 23:27
ComboFix3.txt 2009-12-23 11:39

Pre-Run: 15,770,484,736 bytes free
Post-Run: 15,756,886,016 bytes free

- - End Of File - - C91600FD1FA66D933FE457587A4C3347

theshotts
Light Poster
42 posts since Jul 2005
Reputation Points: 10
Solved Threads: 0
 
Hi, hope this worked this time.
Command switches used :: c:\documents and settings\Ronnie\Desktop\CFScript.txt.url


Nope - Same problem.

RightClick on the attachment and choose to save it to the desktop as CFScript.txt
Then, please try again.

Hang in there - we'll get it :)

PP

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Hi again,
if this doesn't work I don't know what I'm doing wrong.

Cheers
Ronnie

ComboFix 09-12-26.05 - Ronnie 27/12/2009 22:13:17.4.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.44.1033.18.479.287 [GMT 0:00]
Running from: c:\documents and settings\Ronnie\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Ronnie\Desktop\CFScript.txt
AV: COMODO Antivirus *On-access scanning disabled* (Updated) {043803A5-4F86-4ef7-AFC5-F6E02A79969B}
FW: COMODO Firewall *disabled* {043803A3-4F86-4ef6-AFC5-F6E02A79969B}
.

((((((((((((((((((((((((( Files Created from 2009-11-27 to 2009-12-27 )))))))))))))))))))))))))))))))
.

2009-12-24 22:22 . 2009-12-24 22:22 -------- d-----w- c:\documents and settings\Ronnie\Application Data\Comodo
2009-12-24 22:20 . 2009-12-24 22:20 -------- d-----w- c:\documents and settings\All Users\Application Data\Comodo
2009-12-24 22:20 . 2009-12-24 22:20 87104 ----a-w- c:\windows\system32\drivers\inspect.sys
2009-12-24 22:20 . 2009-12-24 22:20 171552 ----a-w- c:\windows\system32\guard32.dll
2009-12-24 22:20 . 2009-12-24 22:20 25160 ----a-w- c:\windows\system32\drivers\cmdhlp.sys
2009-12-24 22:20 . 2009-12-24 22:20 133064 ----a-w- c:\windows\system32\drivers\cmdguard.sys
2009-12-24 22:20 . 2009-12-24 22:20 -------- d-----w- c:\program files\COMODO
2009-12-23 10:42 . 2009-12-23 10:42 152576 ----a-w- c:\documents and settings\Ronnie\Application Data\Sun\Java\jre1.6.0_17\lzma.dll
2009-12-23 10:41 . 2009-12-23 10:41 79488 ----a-w- c:\documents and settings\Ronnie\Application Data\Sun\Java\jre1.6.0_17\gtapi.dll
2009-12-22 16:34 . 2009-12-22 16:34 24576 ----a-w- c:\documents and settings\NetworkService\Application Data\Macromedia\Common\8506002619.exe
2009-12-21 11:21 . 2009-12-21 11:21 -------- d-----w- c:\program files\ESET
2009-12-20 18:57 . 2009-12-20 18:57 -------- d-----w- c:\documents and settings\Ronnie\Application Data\Malwarebytes
2009-12-20 18:57 . 2009-12-03 16:14 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-20 18:56 . 2009-12-20 18:56 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-12-20 18:56 . 2009-12-03 16:13 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-12-20 18:56 . 2009-12-20 18:56 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-12-19 13:58 . 2009-12-19 13:58 -------- d-----w- C:\FOUND.068
2009-12-19 13:24 . 2009-12-19 13:24 -------- d-----w- C:\My Shared Folder
2009-12-19 11:12 . 2009-12-19 11:12 17632 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\WSCUpdate.dll
2009-12-19 11:12 . 2009-12-19 11:12 3695616 ----a-w- c:\documents and settings\All Users\Application Data\Lavasoft\Ad-Aware\update\AutoLaunch.exe
2009-12-17 19:41 . 2009-12-22 23:56 24576 ----a-w- c:\documents and settings\Ronnie\Application Data\Macromedia\Common\8506002619.exe
2009-12-17 19:41 . 2009-12-22 18:02 103412 ----a-w- c:\documents and settings\Ronnie\Application Data\Macromedia\Common\850600261.dll
2009-12-17 12:10 . 2009-12-17 12:10 -------- d-----w- C:\FOUND.067

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-23 10:42 . 2008-12-20 10:07 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-10-11 18:19 . 2002-09-05 16:35 74080 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-10-09 21:50 . 2002-04-24 16:55 5058 ----a-w- c:\windows\Help\hhcolreg.dat
2006-09-07 19:21 . 2006-09-07 19:21 278528 ----a-w- c:\program files\Common Files\FDEUnInstaller.exe
2004-02-29 22:40 . 2004-02-29 22:40 9216 --sha-w- c:\program files\Common Files\Thumbs.db
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WAB"="c:\documents and settings\Ronnie\Application Data\Macromedia\Common\8506002619.exe" [2009-12-22 24576]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
"SUPASTATUS"="c:\program files\Internet Explorer\Connection Wizard\status.exe" [2002-02-21 588288]
"HPDJ Taskbar Utility"="c:\windows\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-26 172032]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-12-19 520024]
"IMEKRMIG6.1"="c:\windows\ime\imkr6_1\IMEKRMIG.EXE" [2001-08-18 44032]
"HP Software Update"="c:\program files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"DeviceDiscovery"="c:\program files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 40960]
"Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 583048]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-11-04 413696]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-12-23 149280]
"COMODO Internet Security"="c:\program files\COMODO\COMODO Internet Security\cfp.exe" [2009-12-24 1800464]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-04 15360]
"WAB"="c:\documents and settings\Ronnie\Application Data\Macromedia\Common\8506002619.exe" [2009-12-22 24576]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 53760]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-04 44544]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-2-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=c:\windows\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.exe.lnk
backup=c:\windows\pss\Adobe Gamma Loader.exe.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk
backup=c:\windows\pss\Belkin Wireless USB Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Freeserve Connection Kit.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Freeserve Connection Kit.lnk
backup=c:\windows\pss\Freeserve Connection Kit.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Ronnie^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=c:\documents and settings\Ronnie\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=c:\windows\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CARPService]
2003-05-21 15:35 4608 ----a-w- c:\windows\system32\carpserv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
2001-12-06 12:09 45056 ----a-w- c:\program files\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GhostStartTrayApp]
2003-05-28 19:11 94208 ----a-w- c:\program files\Symantec\Norton Ghost 2003\GhostStartTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
2004-08-04 06:32 208952 ----a-w- c:\windows\ime\imjp8_1\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2008-11-20 13:20 290088 ----a-w- c:\program files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
2008-02-27 17:56 1032376 ----a-w- c:\program files\Kontiki\KHost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
2008-11-04 10:30 413696 ----a-w- c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealPlayer]
2006-05-28 16:24 1003520 ----a-w- c:\program files\Real\RealPlayer\realplay.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
2007-03-28 01:07 593920 ----a-r- c:\program files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
2006-03-02 14:54 180269 ----a-w- c:\program files\Common Files\Real\Update_OB\realsched.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\WINDOWS\\system32\\sessmgr.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [14/02/2009 16:48 64160]
R1 cmdGuard;COMODO Internet Security Sandbox Driver;c:\windows\system32\drivers\cmdguard.sys [24/12/2009 22:20 133064]
R1 cmdHlp;COMODO Internet Security Helper Driver;c:\windows\system32\drivers\cmdhlp.sys [24/12/2009 22:20 25160]
R1 GhPciScan;GhostPciScanner;c:\program files\Symantec\Norton Ghost 2003\GhPciScan.sys [28/05/2003 19:01 5632]
S1 ewido security suite driver;ewido security suite driver;\??\c:\program files\ewido\security suite\guard.sys --> c:\program files\ewido\security suite\guard.sys [?]
S2 Ca533av;Dual Mode Video Camera Device;c:\windows\system32\drivers\Ca533av.sys [30/12/2004 20:38 515803]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;c:\windows\system32\drivers\ousbehci.sys [09/01/2006 10:14 44928]
S3 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [18/01/2009 21:34 1028432]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;c:\windows\system32\drivers\ousb2hub.sys [09/01/2006 10:14 55936]
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uSearchMigratedDefaultURL = hxxp://search.orange.co.uk/all?brand=ouk&tab=web&p=_adr&q={searchTerms}
mStart Page = hxxp://uk.yahoo.com/
uInternet Settings,ProxyOverride = *.local;
uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
IE: &Yahoo! Search
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: orange search - file://c:\program files\ORANGE3\Cache\SelectedContextSearch.htm
IE: Search with Wanadoo - c:\progra~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm
IE: Yahoo! &Dictionary
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {3B02AAA2-327C-40ED-A849-4BE819AE5385} - file://c:\documents and settings\Ronnie\Local Settings\Temp\~DlfnTmp0\imgSizer.ocx
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-27 22:26
Windows 5.1.2600 Service Pack 2 FAT NTAPI

detected NTDLL code modification:
ZwClose, ZwOpenFile

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\htafile\CLSID]
@DACL=(02 0000)
@="{3050f4d8-98B5-11CF-BB82-00AA00BDCE0B}"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(552)
c:\windows\system32\guard32.dll

- - - - - - - > 'lsass.exe'(608)
c:\windows\system32\guard32.dll

- - - - - - - > 'explorer.exe'(3352)
c:\program files\iTunes\iTunesMiniPlayer.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\en.lproj\iTunesMiniPlayerLocalized.dll
c:\program files\iTunes\iTunesMiniPlayer.Resources\iTunesMiniPlayer.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\browselc.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.1801_x-ww_5eed8217\MSVCR80.dll
.
Completion time: 2009-12-27 22:31:26
ComboFix-quarantined-files.txt 2009-12-27 22:31
ComboFix2.txt 2009-12-27 11:29
ComboFix3.txt 2009-12-24 23:27
ComboFix4.txt 2009-12-23 11:39

Pre-Run: 15,761,702,912 bytes free
Post-Run: 15,748,956,160 bytes free

- - End Of File - - 966166228315C0533AE080098054984E

theshotts
Light Poster
42 posts since Jul 2005
Reputation Points: 10
Solved Threads: 0
 

Well . . . For some reason this isn't working.

That last one should've worked.
We'll just go ahead and remove those remaining items manually. I'll put something together to do that as soon as I get a bit of time.

PP :)

PhilliePhan
Central Scrutinizer
Moderator
1,942 posts since Dec 2006
Reputation Points: 184
Solved Threads: 110
 

Hi there,
I don't understand why it's not working.
Everything seems ok, I drag the .txt file over, the green bar shows then the program runs.
I wait for your instruction.
Cheers
Ronnie

theshotts
Light Poster
42 posts since Jul 2005
Reputation Points: 10
Solved Threads: 0
 
