==Download this temp file cleaner from http://www.atribune.org/ccount/click.php?id=1 --click in the download window to run it, and when ATF Cleaner opens go Select all, and then Empty Selected.
Next click Firefox [if you have that browser..] at the top, Select All again, and Empty Selected again. Follow that procedure also if you have Opera.
Close ATF.
==Please use IE to do an online scan at panda:- http://www.pandasoftware.com/products/activescan?
-select a link to the scan... free online virus scan...., enter a valid? email and follow through, choosing My Computer for a full system scan.
Post the log it produces here with a hijackthis scan log..
==download hijackthis: http://www.majorgeeks.com/download5554.html
-install it to a new folder alongside your program files and then... rename hijackthis .exe to imabunny.exe
-in that folder start HijackThis by dclicking the .exe; now close ALL other applications and any open windows including the explorer window containing HijackThis.
-click the Scan and Save a Logfile button. Post the log here.
Cant Load Symantec Antivirus
Hi Guys,
I was recently Infected with the BestsellerAntivirus spyware. Since then my Symantec Norton Antivirus 10.1.6.6000 wouldn't load on start up. Please help me as I think the BestsellerAntivirus in still on my system although my AntiSpyware detects nothing. When I manually load Norton and scan my PC, halfway trough is says "Norton has detected and error and needs to be closed" . My AntiSpyware and Norton is up to date. Need Help Desperately ! ! ! ! !
Regards,
gpompeus
Dear gerbil,
Thank you so much for replying, as requested I followed your Instructions and please find below results of the online scan and the hijackthis file.
Activscan:
Incident ------- Status ------- Location
Potentially unwanted tool:application/mywebsearch ------- Not disinfected ------- hkey_current_user\software\MyWebSearch
Potentially unwanted tool:application/funweb ------- Not disinfected ------- hkey_local_machine\software\Fun Web Products
Potentially unwanted tool:Application/RealSpy ------- Not disinfected ------- C:\WINDOWS\system32\actskn45.ocx
Virus:Trj/Hupigon.JUM ------- Disinfected ------- C:\WINDOWS\system32\windowsplug.exe
Highjackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:48:06 PM, on 10/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\Explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\agrsmsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\lsass.exe
C:\PROGRA~1\Manager\fdm.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\BitTorrent\bittorrent.exe
C:\New Folder\imabunny.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sg.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://sg.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://sg.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.corp.du.ae:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Manager\iefdmcks.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O2 - BHO: Flash Module - {F0CBF6F9-4471-4257-ABC4-BCE4EF2ED5ED} - btasv.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] -"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] -HDAShCut.exe
O4 - HKLM\..\Run: [vptray] -C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] -C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NI.UGA6P_0001_N115M0110] "C:\Downloads\Software\install_en.exe" -nag
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com
O4 - HKLM\..\Run: [{9B-BD-DF-F9-ZN}] C:\windows\system32\kndsregq.exe OLI001
O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\BESTSE~1\ugcw.exe" -start
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [SMSystemAnalyzer] -"C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\bonjour\mdnsnsp.dll' missing
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188026698453
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188026417015
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.du.ae
O17 - HKLM\Software\..\Telephony: DomainName = corp.du.ae
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.du.ae
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.du.ae
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corp.du.ae
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Adobe LM Service - Unknown owner - --"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - --C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - --"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - --"C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - --"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - --"C:\Program Files\Symantec AntiVirus\DefWatch.exe" (file missing)
O23 - Service: FLEXnet Licensing Service - Unknown owner - --"C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" (file missing)
O23 - Service: hpqwmiex - Unknown owner - --C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (file missing)
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - --"C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - --"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - --"C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - --C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - --"C:\Program Files\CyberLink\Shared Files\RichVideo.exe" (file missing)
O23 - Service: SAVRoam (SavRoam) - Unknown owner - --"C:\Program Files\Symantec AntiVirus\SavRoam.exe" (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - --"C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - --"C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (file missing)
O23 - Service: SQL Server Browser (SQLBrowser) - Unknown owner - --"C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" (file missing)
O23 - Service: Symantec AntiVirus - Unknown owner - --"C:\Program Files\Symantec AntiVirus\Rtvscan.exe" (file missing)
--
End of file - 14091 bytes
Hope this information is enough to resolve the problem
Thanks again
gpompeus
Great....
Those O17 entries have meaning for you, I assume? - DomainName = corp.du.ae?
==Check the properties of this one- C:\WINDOWS\system32\actskn45.ocx -if it is not one you want then we shall delete it below.
Start hijackthis, select Scan Only, place checkmarks against all the entries listed below that still exist, and then press Fix Checked.
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Config\lsass.exe
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Flash Module - {F0CBF6F9-4471-4257-ABC4-BCE4EF2ED5ED} - btasv.dll (file missing)
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\BestsellerAntivirus\bm.exe" dm=http://bestsellerantivirus.com; ad=http://bestsellerantivirus.com
O4 - HKLM\..\Run: [{9B-BD-DF-F9-ZN}] C:\windows\system32\kndsregq.exe OLI001
O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\BESTSE~1\ugcw.exe" -start
O16 - DPF: {CAFECAFE-0013-0001-0021-ABCDEFABCDEF} (JInitiator 1.3.1.21) -
==Download this file to your desktop: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
==Get CCleaner from http://www.ccleaner.com/ - and put it in a new folder. You should keep this one for general use. I set the installation checkboxes only to open from the recycle bin. It's neater that way.
Now run CCleaner from the recycle bin rclick menu using its default settings [if you set up CCleaner as i suggested, rclicking the bin icon should give you the Open CCleaner option...]. Select the Cleaner icon, press Run Cleaner.
[For future quick temp file cleaning select the options you wish to use via the Windows and Applications tabs ..]
- Now for Combofix: to run it dclick combofix.exe and follow the prompts to start it. When finished, it will produce a log, C:\Combofix.txt - post that log in your next reply.
A word of caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.
=Delete these files:
C:\WINDOWS\system32\actskn45.ocx
C:\WINDOWS\Config\lsass.exe
C:\windows\system32\kndsregq.exe
=Delete this folder:
C:\Program Files\Common Files\BestsellerAntivirus\
Fine, now post the combofix log with a fresh hijackthis scan, please.
Dear gerbil,
Thanks again, did exactly as you requested...
ComboFix Log:
ComboFix 07-10-12.4 - IUSR_WINCLT 2007-10-15 9:34:44.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.500 [GMT 4:00]
Running from: C:\Documents and Settings\IUSR_WINCLT\Desktop\ComboFix.exe
* Created a new restore point
.
ADS - system32: deleted 12 bytes in 1 streams.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\Gavin.Pompeus\Application Data\addon.dat
C:\Documents and Settings\Gavin.Pompeus\Application Data\addon.dat
C:\Documents and Settings\Gavin.Pompeus\Application Data\macromedia\Flash Player\iforex.com
C:\Documents and Settings\Gavin.Pompeus\Application Data\macromedia\Flash Player\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\Gavin.Pompeus\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\Gavin.Pompeus\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
.
((((((((((((((((((((((((( Files Created from 2007-09-15 to 2007-10-15 )))))))))))))))))))))))))))))))
.
2007-10-15 09:33 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-15 09:31 d-------- C:\Program Files\CCleaner
2007-10-14 22:12 d-------- C:\New Folder
2007-10-14 21:01 d-------- C:\WINDOWS\system32\ActiveScan
2007-10-14 18:53 d-------- C:\Program Files\EsetOnlineScanner
2007-10-14 16:28 d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-14 16:28 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-14 15:09 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-10-14 13:58 d-------- C:\Program Files\uTorrent
2007-10-14 13:58 d-------- C:\Documents and Settings\IUSR_WINCLT\Application Data\uTorrent
2007-10-14 13:50 15,647,060 --a------ C:\ZoneAlarm Pro 7.0 + Working Serials.zip
2007-10-14 10:31 d-------- C:\Documents and Settings\IUSR_WINCLT\Application Data\BitTorrent
2007-10-14 10:30 d-------- C:\Program Files\BitTorrent_DNA
2007-10-14 10:30 d-------- C:\Program Files\BitTorrent
2007-10-14 10:30 d-------- C:\Documents and Settings\IUSR_WINCLT\Application Data\BitTorrent DNA
2007-10-13 20:43 d-------- C:\Program Files\Spyware Doctor
2007-10-13 20:43 d-------- C:\Documents and Settings\IUSR_WINCLT\Application Data\PC Tools
2007-10-13 20:43 79,688 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2007-10-13 20:43 62,280 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2007-10-13 20:43 41,288 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2007-10-13 20:43 29,000 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2007-10-13 20:42 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-13 18:16 d-------- C:\WINDOWS\system32\SuperAdBlocker.com
2007-10-13 14:43 13,894 ---hs---- C:\WINDOWS\system32\ilnmp.ini2
2007-10-13 13:46 d-------- C:\Program Files\SUPERAntiSpyware
2007-10-13 13:46 d-------- C:\Documents and Settings\IUSR_WINCLT\Application Data\SUPERAntiSpyware.com
2007-10-13 13:46 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-13 13:37 d-------- C:\WINDOWS\BDOSCAN8
2007-10-13 13:22 6,465 ---hs---- C:\WINDOWS\system32\ilnmp.bak2
2007-10-13 13:11 6,465 ---hs---- C:\WINDOWS\system32\ilnmp.bak1
2007-10-13 13:02 158,432 --a------ C:\WINDOWS\system32\d2d7e210.sys
2007-10-13 12:59 40,832 --a------ C:\WINDOWS\system32\conf.dat
2007-10-13 12:59 1 --a------ C:\WINDOWS\system32\rc.dat
2007-10-13 12:59 1 --a------ C:\WINDOWS\system32\ps1.dat
2007-10-13 12:59 1 --a------ C:\WINDOWS\system32\cookie1.dat
2007-10-13 12:57 d-------- C:\WINDOWS\Web Download
2007-10-12 12:32 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-12 11:23 201,920 --a------ C:\WINDOWS\system32\drivers\SynTP.sys
2007-10-12 11:23 196,608 --a------ C:\WINDOWS\system32\SynCtrl.dll
2007-10-12 11:23 163,840 --a------ C:\WINDOWS\system32\SynCOM.dll
2007-10-12 11:23 143,360 --a------ C:\WINDOWS\system32\SynTPAPI.dll
2007-10-12 11:23 110,592 --a------ C:\WINDOWS\system32\SynTPCo4.dll
2007-10-11 17:05 d-------- C:\Program Files\Google
2007-10-10 14:30 d-------- C:\Documents and Settings\IUSR_WINCLT\dwhelper
2007-10-09 22:37 d-------- C:\Software
2007-10-09 20:59 d-------- C:\Documents and Settings\IUSR_WINCLT\Application Data\dvdcss
2007-10-07 13:24 d-------- C:\Documents and Settings\Gavin.Pompeus\Application Data\vlc
2007-10-06 23:42 d-------- C:\Documents and Settings\IUSR_WINCLT\Application Data\vlc
2007-10-05 23:07 d-------- C:\Program Files\VideoLAN
2007-10-05 15:32 d-------- C:\Program Files\Winamp
2007-10-05 12:29 126,976 -ra------ C:\WINDOWS\system32\V0100Vfw.dll
2007-10-05 12:29 91,155 -ra------ C:\WINDOWS\system32\drivers\V0100Vid.sys
2007-10-05 12:29 69,632 -ra------ C:\WINDOWS\system32\V0100Sti.dll
2007-10-05 12:29 65,536 -ra------ C:\WINDOWS\system32\CtCamMgr.dll
2007-10-05 12:29 49,152 -ra------ C:\WINDOWS\system32\V0100Hwx.dll
2007-10-05 12:29 36,864 -ra------ C:\WINDOWS\system32\V0100Pin.dll
2007-10-05 12:29 20,480 -ra------ C:\WINDOWS\V0100Cfg.exe
2007-10-05 12:29 20,480 -ra------ C:\WINDOWS\system32\V0100Srv.exe
2007-10-04 09:55 d-------- C:\Program Files\DirectVobSub
2007-10-03 17:43 d-------- C:\Program Files\ATI
2007-10-03 10:53 d-------- C:\Program Files\Siemens Subscriber Networks
2007-10-03 10:53 50,934 --------- C:\WINDOWS\system32\drivers\vvpciusb.sys
2007-10-03 10:53 50,911 --------- C:\WINDOWS\system32\drivers\vvbususb.sys
2007-10-03 10:53 28,857 --------- C:\WINDOWS\system32\drivers\enethusb.sys
2007-10-03 10:53 15,332 --------- C:\WINDOWS\system32\drivers\vvbeth.sys
2007-10-03 10:53 15,309 --------- C:\WINDOWS\system32\drivers\vvbetht.sys
2007-10-01 11:30 120,483 --a------ C:\WINDOWS\File Renamer - Basic Uninstaller.exe
2007-09-28 20:08 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-28 20:07 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 20:07 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-09-28 20:07 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2007-09-28 20:07 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-09-24 18:00 274,432 --a------ C:\WINDOWS\TLCUninstall.exe
2007-09-21 00:06 91,392 --a------ C:\WINDOWS\system32\drivers\commsym.sys
2007-09-20 18:41 d-------- C:\WINDOWS\A4W_DATA
2007-09-20 18:41 110,592 --a------ C:\WINDOWS\system32\tsccvid.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-15 05:12 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-15 05:10 --------- d-----w C:\Documents and Settings\IUSR_WINCLT\Application Data\Free Download Manager
2007-10-14 21:19 --------- d--h--w C:\Program Files\Microsoft Private Folder 1.0
2007-10-14 21:18 --------- d-----w C:\Program Files\Microsoft ActiveSync
2007-10-14 21:18 --------- d-----w C:\Program Files\Manager
2007-10-14 21:15 --------- d-----w C:\Program Files\File Renamer
2007-10-14 06:30 --------- d-----w C:\Documents and Settings\IUSR_WINCLT\Application Data\Azureus
2007-10-13 19:00 --------- d-----w C:\Program Files\Symantec
2007-10-11 19:59 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-10-07 13:58 --------- d-----w C:\Program Files\Java
2007-10-07 13:47 --------- d-----w C:\Documents and Settings\Gavin.Pompeus\Application Data\Azureus
2007-10-05 09:07 --------- d-----w C:\Documents and Settings\IUSR_WINCLT\Application Data\ATI
2007-10-04 16:29 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-04 16:28 --------- d-----w C:\Documents and Settings\Gavin.Pompeus\Application Data\ATI
2007-10-03 13:33 --------- d-----w C:\Program Files\DivX
2007-10-01 13:27 281,600 ----a-w C:\WINDOWS\system32\drivers\ADIHdAud.sys
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-28 16:05 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-28 16:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 16:05 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-28 16:05 739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-28 16:05 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-09-28 16:05 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-09-28 16:05 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-09-28 16:05 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-09-28 16:05 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-09-28 16:05 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-09-28 16:05 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-09-16 07:20 --------- d-----w C:\Documents and Settings\Gavin.Pompeus\Application Data\Free Download Manager
2007-09-08 12:47 --------- d-----w C:\Documents and Settings\IUSR_WINCLT\Application Data\iolo
2007-09-08 06:42 --------- d-----w C:\Program Files\Microsoft.NET
2007-09-07 10:49 --------- d-----w C:\Program Files\HPQ
2007-09-06 06:02 --------- d-----w C:\Program Files\Window
2007-09-06 06:01 --------- d-----w C:\Documents and Settings\IUSR_WINCLT\Application Data\Actual Tools
2007-09-01 07:54 --------- d-----w C:\Documents and Settings\IUSR_WINCLT\Application Data\Credential Manager
2007-08-25 19:57 --------- d-----w C:\Documents and Settings\IUSR_WINCLT\Application Data\URSoft
2007-08-25 06:02 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-08-25 06:00 --------- d-----w C:\Program Files\Common Files\Adobe
2007-08-24 05:31 --------- d-----w C:\Documents and Settings\IUSR_WINCLT\Application Data\Download Manager
2007-08-23 13:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-08-23 11:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-08-22 14:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2007-08-22 11:45 --------- d-----w C:\Documents and Settings\IUSR_WINCLT\Application Data\Mobile Master
2007-08-22 11:21 --------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-08-22 11:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\Adobe Systems
2007-08-21 19:18 --------- d-----w C:\Documents and Settings\Gavin.Pompeus\Application Data\iolo
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-16 18:38 --------- d-----w C:\Documents and Settings\Gavin.Pompeus\Application Data\uTorrent
2007-08-15 15:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\iolo
2007-08-15 14:55 --------- d-----w C:\Program Files\iolo
2007-08-08 12:30 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2007-08-02 14:11 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2007-08-02 14:11 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2007-07-30 15:19 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 15:19 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 15:19 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 15:19 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 15:19 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 15:19 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 15:19 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 15:18 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 15:18 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-27 11:49 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
2007-07-27 11:49 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
2007-07-27 07:13 87,608 ----a-w C:\Documents and Settings\IUSR_WINCLT\Application Data\ezpinst.exe
2007-07-27 07:13 47,360 ----a-w C:\Documents and Settings\IUSR_WINCLT\Application Data\pcouffin.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="-C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"High Definition Audio Property Page Shortcut"="-HDAShCut.exe" []
"vptray"="-C:\PROGRA~1\SYMANT~1\VPTray.exe" []
"SoundMAXPnP"="-C:\Program Files\Analog Devices\Core\smax4pnp.exe" []
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2007-06-08 00:47]
"NI.UGA6P_0001_N115M0110"="C:\Downloads\Software\install_en.exe" []
"SDTray"="C:\Program Files\Spyware Doctor\SDTrayApp.exe" [2007-10-13 21:03]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SMSystemAnalyzer"="-C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe" []
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]
"BitTorrent DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-10-14 10:30]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoAutoUpdate"=0 (0x0)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-05-25 15:22 63040 C:\WINDOWS\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OneCard]
C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll 2005-07-25 22:41 40960 C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli AsWlnPkg
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=add_admins.cmd
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-4011074587-1879700149-1645015419-10098\Scripts\Logon\0\0]
"Script"=net_drives.cmd
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^DVD Check.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DVD Check.lnk
backup=C:\WINDOWS\pss\DVD Check.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Run Google Web Accelerator.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Run Google Web Accelerator.lnk
backup=C:\WINDOWS\pss\Run Google Web Accelerator.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 8.0]
"C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearFlix]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BearShare]
"C:\Program Files\BearShare\BearShare.exe" /pause
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CognizanceTS]
rundll32.exe C:\PROGRA~1\HPQ\IAM\Bin\AsTsVcc.dll,RegisterModule
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\H/PC Connection Agent]
"C:\Program Files\Microsoft ActiveSync\Wcescomm.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
"C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Magentic]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
C:\PROGRA~1\Nokia\NOKIAP~1\LAUNCH~1.EXE -startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QlbCtrl]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
"C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMSystemAnalyzer]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SRS Audio Sandbox]
"C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemGuardAlerter]
"C:\Program Files\iolo\System Mechanic Professional 7\SystemGuardAlerter.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\THGuard]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TrojanScanner]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WirelessMon]
C:\Program Files\WirelessMon\WirelessMon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zzz_ImInstaller_Magentic]
C:\DOCUME~1\IUSR_W~1\LOCALS~1\Temp\ImInstaller\Magentic\magentic_install.exe -startup -product Magentic -skip_dialog language
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPod Service"=3 (0x3)
"IOLO_SRV"=2 (0x2)
"ioloDMV"=2 (0x2)
"idsvc"=3 (0x3)
"Bonjour Service"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BearShare"="C:\Program Files\BearShare\BearShare.exe" /pause
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
R0 hpdskflt;HP Disk Filter Driver;C:\WINDOWS\system32\DRIVERS\hpdskflt.sys
R2 ASChannel;Local Communication Channel;C:\WINDOWS\System32\svchost.exe -k Cognizance
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe
R2 LMIRfsDriver;LogMeIn Remote File System Driver;\??\C:\WINDOWS\system32\drivers\LMIRfsDriver.sys
R2 Prvflder;Prvflder;C:\WINDOWS\system32\DRIVERS\prvflder.sys
R2 Wuser32;SMS Remote Control Agent;C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
R3 Accelerometer;Accelerometer;C:\WINDOWS\system32\DRIVERS\Accelerometer.sys
R3 ATSWPDRV;AuthenTec TruePrint USB Driver (AES2500);C:\WINDOWS\system32\DRIVERS\ATSwpDrv.sys
R3 GTIPCI21;GTIPCI21;C:\WINDOWS\system32\DRIVERS\gtipci21.sys
R3 HBtnKey;HBtnKey;C:\WINDOWS\system32\DRIVERS\cpqbttn.sys
R3 kbstuff;SMS Virtual Keyboard;C:\WINDOWS\system32\DRIVERS\kbstuff5.sys
R3 lmimirr;lmimirr;C:\WINDOWS\system32\DRIVERS\lmimirr.sys
R3 prepdrvr;SMS Process Event Driver;\??\C:\WINDOWS\system32\CCM\prepdrv.sys
R3 SRS_SSCFilter;SRS Labs Audio Sandbox (WDM);C:\WINDOWS\system32\drivers\srs_sscfilter_i386.sys
S2 {95808DC4-FA4A-4c74-92FE-5B863F82066B};{95808DC4-FA4A-4c74-92FE-5B863F82066B};--\??\C:\Program Files\CyberLink\PowerDVD\000.fcl
S2 LMIInfo;LogMeIn Kernel Information Provider;--\??\C:\Program Files\LogMeIn\x86\RaInfo.sys
S3 COMMSYM;CommView/WiFi Driver by TamoSoft;C:\WINDOWS\system32\DRIVERS\commsym.sys
S3 crtaud;Conexant Riptide WDM Audio Driver;C:\WINDOWS\system32\drivers\crtaud.sys
S3 idisw2km;idisw2km;C:\WINDOWS\system32\DRIVERS\idisw2km.sys
S3 n558;N558 Bluetooth USB Filter Driver;C:\WINDOWS\system32\Drivers\n558.sys
S3 rthwcls;Conexant Riptide Bus / Firmware Downloader;C:\WINDOWS\system32\drivers\rthwcls.sys
S3 V0100VID;Creative WebCam Vista Pro;C:\WINDOWS\system32\DRIVERS\V0100Vid.sys
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Cognizance ASChannel
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}]
AutoRun\command - ntde1ect.com
explore\Command - ntde1ect.com
open\Command - ntde1ect.com
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6a7f1ece-e1d4-11db-b092-0018de3e65a7}]
AutoRun\command - [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fef15fcc-6aa2-11dc-b1ee-001641b8e844}]
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs
*Newly Created Service* - CATCHME
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{15DA01DC-1327-AEEA-0003-020004040303}]
C:\WINDOWS\wlnlogon.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{19081054-F27C-28E3-0207-030202010102}]
C:\WINDOWS\system32\windowsplug.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-10-12 13:15:00 C:\WINDOWS\Tasks\1-Click Maintenance.job"
- C:\Program Files\TuneUp Utilities 2006\SystemOptimizer.exe
.
**************************************************************************
catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-15 09:36:23
Windows 5.1.2600 Service Pack 2 NTFS
detected NTDLL code modification:
ZwClose
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-10-15 9:37:17
.
--- E O F ---
New Hijackthis Log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:43:04 AM, on 10/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\HPQ\IAM\bin\asghost.exe
C:\WINDOWS\system32\agrsmsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\PROGRA~1\MI3AA1~1\rapimgr.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\CCM\CLICOMP\RemCtrl\Wuser32.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\New Folder\imabunny.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://sg.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://sg.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://sg.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.corp.du.ae:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\Program Files\Manager\iefdmcks.dll
O2 - BHO: HP Credential Manager for ProtectTools - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\HPQ\IAM\Bin\ItIeAddIN.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [ccApp] -"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] -HDAShCut.exe
O4 - HKLM\..\Run: [vptray] -C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SoundMAXPnP] -C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NI.UGA6P_0001_N115M0110] "C:\Downloads\Software\install_en.exe" -nag
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKCU\..\Run: [SMSystemAnalyzer] -"C:\Program Files\iolo\System Mechanic Professional 7\SMSystemAnalyzer.exe"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O4 - Startup: StartupFaster
O4 - Global Startup: Bluetooth.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Manager\dlselected.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1188026698453
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1188026417015
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0) - http://javadl-esd.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.du.ae
O17 - HKLM\Software\..\Telephony: DomainName = corp.du.ae
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.du.ae
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.du.ae
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: Domain = corp.du.ae
O20 - Winlogon Notify: OneCard - C:\Program Files\HPQ\IAM\Bin\AsWlnPkg.dll
O23 - Service: Adobe LM Service - Unknown owner - --"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (file missing)
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\WINDOWS\system32\agrsmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Bluetooth Service (btwdins) - Unknown owner - --C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Unknown owner - --"C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (file missing)
O23 - Service: Symantec Settings Manager (ccSetMgr) - Unknown owner - --"C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (file missing)
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Unknown owner - --"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe" (file missing)
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - --"C:\Program Files\Symantec AntiVirus\DefWatch.exe" (file missing)
O23 - Service: FLEXnet Licensing Service - Unknown owner - --"C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe" (file missing)
O23 - Service: hpqwmiex - Unknown owner - --C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe (file missing)
O23 - Service: Machine Debug Manager (MDM) - Unknown owner - --"C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" (file missing)
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - --"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: Office Source Engine (ose) - Unknown owner - --"C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\HPZipm12.exe
O23 - Service: Private Folder Service (prfldsvc) - Unknown owner - --C:\Program Files\Microsoft Private Folder 1.0\PrfldSvc.exe (file missing)
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - --"C:\Program Files\CyberLink\Shared Files\RichVideo.exe" (file missing)
O23 - Service: SAVRoam (SavRoam) - Unknown owner - --"C:\Program Files\Symantec AntiVirus\SavRoam.exe" (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Unknown owner - --"C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" (file missing)
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Unknown owner - --"C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe" (file missing)
O23 - Service: SQL Server Browser (SQLBrowser) - Unknown owner - --"C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe" (file missing)
O23 - Service: Symantec AntiVirus - Unknown owner - --"C:\Program Files\Symantec AntiVirus\Rtvscan.exe" (file missing)
--
End of file - 13056 bytes
TC
gpompeus
...and this?: Those O17 entries have meaning for you, I assume? - DomainName = corp.du.ae?
Do you know that domain? I ask only because it is a bit rare.....
Just a couple of things to tidy up, but first a query of your sys:
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as showkey.bat, as type "all files", to your desktop; dclick it to run, then post the file C:\showkey.txt
__________________________________________________________
reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}" /s >C:\showkey.txt
reg query "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fef15fcc-6aa2-11dc-b1ee-001641b8e844}" /s >> C:\showkey.txt
reg query "HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{19081054-F27C-28E3-0207-030202010102}" /s >> C:\showkey.txt
start C:\showkey.txt
__________________________________________________________
Re Norton/Symantec, all the startup entries have disappeared... you will have to start it manually and reset the default options - I am not familiar with its interface now so you will need to explore it, but just ensure that settings for autostart with windows are selected [it may require reinstallation to achieve this?]
corp.du.ae is the company I work for so thats ok. I will try to navigate through the Norton setting right now.
showkey log :
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5F01000101EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000010000009060000
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}\Shell
REG_SZ Open
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}\Shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}\Shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}\Shell\AutoRun
Extended REG_SZ
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}\Shell\AutoRun\command
REG_SZ ntde1ect.com
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}\Shell\explore
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}\Shell\explore\Command
REG_SZ ntde1ect.com
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}\Shell\open
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}\Shell\open\Command
REG_SZ ntde1ect.com
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}\Shell\open\Default
REG_SZ 1
! REG.EXE VERSION 3.0
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fef15fcc-6aa2-11dc-b1ee-001641b8e844}
BaseClass REG_SZ Drive
_AutorunStatus REG_BINARY 01000100000100DFDF5FDF5F5F5F5FDFDF5F5F5FDFDFDF5F5F5FDFDFDF5F5FDF5F5F5F5F5F01000101EEFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000010000009010000
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fef15fcc-6aa2-11dc-b1ee-001641b8e844}\Shell
REG_SZ AutoRun
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fef15fcc-6aa2-11dc-b1ee-001641b8e844}\Shell\Autoplay
MUIVerb REG_SZ @shell32.dll,-8504
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fef15fcc-6aa2-11dc-b1ee-001641b8e844}\Shell\Autoplay\DropTarget
CLSID REG_SZ {f26a669a-bcbb-4e37-abf9-7325da15f931}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fef15fcc-6aa2-11dc-b1ee-001641b8e844}\Shell\AutoRun
REG_SZ Auto&Play
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fef15fcc-6aa2-11dc-b1ee-001641b8e844}\Shell\AutoRun\command
REG_SZ C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs
! REG.EXE VERSION 3.0
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{19081054-F27C-28E3-0207-030202010102}
StubPath REG_SZ C:\WINDOWS\system32\windowsplug.exe
Ok, thanks for that domain info. Did you run Superantispyware; did it clear a vundo infection for you?
=This next removes registry traces; the first 3 are for a quite new bit of malware ntde1ect.com, the last is for that virus that Panda cleaned....
==Please copy the text between the lines to a notepad [format/wordwrap unchecked] and save as delkey.bat, as type "all files", to your desktop; dclick it to run.
__________________________________________________________
reg delete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}\Shell\AutoRun\command" /va /f
reg delete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}\Shell\explore\Command" /va /f
reg delete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5e3704f0-604b-11dc-b1d5-0018de3e65a7}\Shell\open\Command" /va /f
reg delete "HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{fef15fcc-6aa2-11dc-b1ee-001641b8e844}\Shell\AutoRun\command" /va /f
reg delete "HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{19081054-F27C-28E3-0207-030202010102}" /va /f
__________________________________________________________
=Use msconfig to remove an old startup entry for Google Web accelerator. [go Start, run msconfig, startup tab...]
..and that is about it, but for your re-establishing startup entries for Symantec. Do let me know how that goes.
Thanks gerbil for all your help, I did use Superantispyware first, it showed quit a few infected files, cant recall if anyone of those were vundo infections. Also I tried to search for the Norton Default setting option, but so far No luck. Will I be able to enable it from the gpedit.msc???
Heh! Please don't question me too closely on Norton - I have not used it in ages!
If you cannot find any settings to control its startup options I think you are facing reinstalling it over itself, and then updating from the website.
I use AVG AV - it gives settings to enable/disable its various components but there is no option to set it to start or not at sys startup. In msconfig and other startup control applications there is the option to select whether it does start, but there is no way to write that option in if it is missing.... apart from reinstalling it, of course.
I suggest you go Start, run msconfig, startup tab and see if Norton is represented there...
