0

Greetings, after attempting to clean this myself and then with a couple of freinds I've decided to seek some expert advice... I can normally work my way through these things however this time..

no way!

Problems started after downloading some autoshapes would you believe it for fireworks....

Basic problems

Programs fail to start, halted with a MS dialoge box stating program XYZ has stopped working... reason APPCRASH. So the program fails on launch.

Note:- it's on some fairly random programs, photomatix, process hacker, and a few others... but nothing mainstream. I would have expected outlook or my spyware programs to be targeted here.

Adobe updater seems to just go mad every so often, updating then crashing.

Intercrash Exploder, seems OK then starts redirecting to various sites.

Interestingly it always does this in a very easy to predict manner in that everything slows for a minute then, a new page opens usually with a video about a get rich quick scheme or parts for a BMW. It seems to do this from virtually any page... so not site specific.

Between Adaware, Spybot Avast and Malwarebytes about 13 infections were found and cleared up... I have the MWB log.

I found and located sdra64.exe which strangely they all missed but I found using the Hijackthis log. Oddly this seemed to be easier to get rid of than I had read.. so far it looks like it's not returned.

Certain programmes are being blocked from opening - different from above... nothing happens at all.

In fact the process starts example fireworks.exe, then after a few seconds werfault.exe opens, then they both close. Once they've both closed for some reason windows update is then left open - however I am assuming that this is a result of the windows fault reporting exe.

Further more I've noticed that this infection whatever it may be is turning off windows firewall, not zone alarm just the windows firewall. I think this is quite important as this is probably the only thing about this infection that seems to be uniform or that makes sense.

Everything else it seems to be doing it quite random.

A more regular symptom... the infection seems to cause IE to temporarily think it's lost a connection... everything s connected and a box pops to say -page not available off line... try again? click try again and all works fine...

Other software used

Combofix - id'd a rootkit, then nothing on the re run
Panda root kit - won't install
Helios lite - scan bombs on process scan
Rootkit revealer - won't install
Dark spy - won't install.

Many thanks to anyone that can have a look at this... I really can normally work around these things but this time... I am at a total loss.

I don't even know where to begin... I I only knew what this was I could find out how to get rid of it... but it leaves no clues as to what it is... well at least not that I can see.

Thanks

D

3
Contributors
23
Replies
24
Views
7 Years
Discussion Span
Last Post by jholland1964
0

I can't seem to find the edit button :-( I guess my glasses have this virus / trojan / rootkit thing as well.

Since the last post... my machine - vista by the way - has resorted to blue screening after restart. I thought this important.

In addition MSOE.dll and comsurrogate are closing down and or failing and my browser home pages have been deleted.

It's chaos...

Safe mode seems to be working OK for the time being, however along with OE mail I seem to be losing programs hand over fist.

Help :-(

0

Hi and welcome to daniweb,
Can you post the MBA-M log and also the Combofix log?
Also the HJT log.

Edited by jholland1964: n/a

0

Thanks for looking at this for me... this was the last HJT log taken before the machine went over to safe mode only - run from C:/HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:47:18, on 02/12/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\System32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
D:\Programmes\ashDisp.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
D:\Programmes\BitTorrent\bittorrent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\igfxsrvc.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\HJT\HijackThis.exe
C:\Windows\system32\SearchFilterHost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PLFSetL] C:\Windows\PLFSetL.exe
O4 - HKLM\..\Run: [WarReg_PopUp] C:\Acer\WR_PopUp\WarReg_PopUp.exe
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BlackBerryAutoUpdate] C:\Program Files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe /background
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [winlogon] C:\Windows\winlogon.exe
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Startup: OpenOffice.org 3.1.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O13 - Gopher Prefix:
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Programmes\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Programmes\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Programmes\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Programmes\ashWebSv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - (no file)
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Users\Danny\AppData\Local\TVersity\Media Server\MediaServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Check Point Software Technologies LTD - C:\Windows\System32\ZoneLabs\vsmon.exe
O23 - Service: ePower Service (WMIService) - Unknown owner - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe (file missing)

--
End of file - 7758 bytes

Combo fix log

ComboFix 09-12-02.05 - Danny 02/12/2009 21:58.1.1 - x86
Microsoft® Windows Vista™ Home Basic 6.0.6001.1.1252.44.1033.18.2038.1003 [GMT 0:00]
Running from: c:\users\Danny\Desktop\ComboFix.exe
FW: ZoneAlarm Firewall *disabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}
SP: Spybot - Search and Destroy *disabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
SP: Windows Defender *enabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
SP: ZoneAlarm Anti-Spyware *enabled* (Outdated) {F245A209-1085-48B4-B927-35D56015EC60}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\$recycle.bin\S-1-5-21-2749466982-662175772-58541265-500
c:\programdata\Microsoft\Windows\Start Menu\Programs\Acer Crystal Eye Webcam Video Class Camera
c:\programdata\Microsoft\Windows\Start Menu\Programs\Acer Crystal Eye Webcam Video Class Camera \Uninstall.lnk
c:\users\Danny\AppData\Roaming\Desktopicon
c:\users\Danny\AppData\Roaming\Desktopicon\eBay.ico
c:\users\Danny\AppData\Roaming\Desktopicon\uninst.exe
c:\windows\system32\twain_32.dll

Infected copy of c:\windows\system32\DRIVERS\iaStor.sys was found and disinfected
Restored copy from - Kitty ate it :p
.
((((((((((((((((((((((((( Files Created from 2009-11-02 to 2009-12-02 )))))))))))))))))))))))))))))))
.

2009-12-02 22:24 . 2009-12-02 22:25 -------- d-----w- c:\users\Danny\AppData\Local\temp
2009-12-02 22:24 . 2009-12-02 22:24 -------- d-----w- c:\users\Default\AppData\Local\temp
2009-12-02 12:52 . 2009-12-02 12:52 -------- d-----w- c:\program files\Common Files\Macromedia
2009-12-02 12:52 . 2009-12-02 12:52 -------- d-----w- c:\program files\Macromedia
2009-12-01 11:38 . 2009-12-01 11:38 -------- d-----w- c:\users\Danny\DoctorWeb
2009-11-30 21:49 . 2009-12-02 10:46 -------- dc----w- C:\HJT
2009-11-30 21:09 . 2009-12-02 08:51 8192 d-----w- c:\program files\PhotomatixPro3
2009-11-30 19:37 . 2009-11-30 19:37 4096 d-----w- c:\program files\Unlocker
2009-11-30 18:29 . 2009-11-30 18:29 -------- d-----w- c:\windows\system32\log
2009-11-30 16:15 . 2009-11-30 13:37 15880 ----a-w- c:\windows\system32\lsdelete.exe
2009-11-30 13:38 . 2009-09-23 12:55 64288 ----a-w- c:\windows\system32\drivers\Lbd.sys
2009-11-30 13:34 . 2009-11-30 13:34 4096 dc-h--w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}
2009-11-30 13:34 . 2009-10-03 08:15 2924848 -c--a-w- c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe
2009-11-30 09:41 . 2009-11-24 23:49 48560 ----a-w- c:\windows\system32\drivers\aswTdi.sys
2009-11-30 09:41 . 2009-11-24 23:48 23120 ----a-w- c:\windows\system32\drivers\aswRdr.sys
2009-11-30 09:41 . 2009-11-24 23:47 97480 ----a-w- c:\windows\system32\AvastSS.scr
2009-11-30 09:41 . 2009-11-24 23:50 114768 ----a-w- c:\windows\system32\drivers\aswSP.sys
2009-11-30 09:41 . 2009-11-24 23:50 20560 ----a-w- c:\windows\system32\drivers\aswFsBlk.sys
2009-11-30 09:41 . 2009-11-24 23:49 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-30 09:41 . 2009-11-24 23:54 1280480 ----a-w- c:\windows\system32\aswBoot.exe
2009-11-30 09:39 . 2009-11-30 09:39 -------- d-----w- c:\users\Danny\AppData\Roaming\Malwarebytes
2009-11-30 09:39 . 2009-09-10 14:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-30 09:39 . 2009-11-30 09:39 4096 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-30 09:39 . 2009-11-30 09:39 -------- d-----w- c:\programdata\Malwarebytes
2009-11-30 09:39 . 2009-09-10 14:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-29 18:41 . 2009-11-29 18:41 -------- d-----w- c:\program files\ezLife
2009-11-29 09:22 . 2009-11-29 09:22 7680 ----a-w- c:\users\Danny\AppData\Roaming\Thinstall\Fireworks\1000000600002i\verclsid.exe
2009-11-25 03:01 . 2009-10-29 09:41 2048 ----a-w- c:\windows\system32\tzres.dll
2009-11-24 23:38 . 2009-08-10 11:01 1399296 ----a-w- c:\windows\system32\msxml6.dll
2009-11-24 23:38 . 2009-08-10 11:00 1257472 ----a-w- c:\windows\system32\msxml3.dll
2009-11-21 08:03 . 2009-11-21 08:03 -------- d-----w- c:\programdata\Research In Motion
2009-11-21 08:03 . 2009-11-21 08:03 4096 d-----w- c:\program files\Common Files\Research In Motion
2009-11-16 19:04 . 2009-11-16 19:04 -------- d-----w- c:\users\Danny\AppData\Local\Frameworkx.com
2009-11-16 18:25 . 2009-11-16 18:25 284147 ----a-r- c:\users\Danny\AppData\Roaming\Microsoft\Installer\{47609E69-4C5E-48B1-A889-24C6B82B5C04}\_93A0BD079836122C39D406.exe
2009-11-16 18:25 . 2009-11-16 18:25 284147 ----a-r- c:\users\Danny\AppData\Roaming\Microsoft\Installer\{47609E69-4C5E-48B1-A889-24C6B82B5C04}\_6FEFF9B68218417F98F549.exe
2009-11-16 18:25 . 2009-11-16 18:25 284147 ----a-r- c:\users\Danny\AppData\Roaming\Microsoft\Installer\{47609E69-4C5E-48B1-A889-24C6B82B5C04}\_3207B59E601B5F75D71B21.exe
2009-11-16 18:25 . 2009-11-16 18:25 -------- d-----w- c:\program files\Frameworkx
2009-11-14 09:50 . 2009-11-14 09:50 -------- d-----w- c:\users\Danny\AppData\Roaming\Research In Motion
2009-11-14 09:47 . 2009-11-21 08:03 -------- d-----w- c:\program files\Research In Motion
2009-11-11 10:20 . 2006-11-29 13:06 3426072 ----a-w- c:\windows\system32\d3dx9_32.dll
2009-11-11 10:19 . 2009-11-11 10:19 -------- d-----w- c:\program files\Microsoft
2009-11-10 21:49 . 2009-08-14 13:53 2035712 ----a-w- c:\windows\system32\win32k.sys
2009-11-10 21:49 . 2009-08-10 13:05 351232 ----a-w- c:\windows\system32\WSDApi.dll
2009-11-09 07:22 . 2009-11-09 07:22 -------- d-----w- c:\program files\JL_Cmder
2009-11-08 16:55 . 2009-11-08 16:55 -------- d-----w- c:\program files\WinPcap
2009-11-07 11:09 . 2009-11-07 11:09 -------- d-----w- c:\users\Danny\AppData\Local\HP
2009-11-06 10:28 . 2009-11-06 10:28 -------- d-----w- c:\users\Danny\AppData\Roaming\Windows Live Writer
2009-11-06 10:28 . 2009-11-06 10:28 -------- d-----w- c:\users\Danny\AppData\Local\Windows Live Writer
2009-11-06 08:39 . 2007-08-13 14:51 446464 ----a-w- c:\windows\system32\wmvdmoe.dll
2009-11-06 08:38 . 2009-11-06 08:38 -------- d-----w- c:\programdata\PY_Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-12-02 21:54 . 2008-03-06 06:41 350192 ---ha-w- c:\windows\system32\drivers\vsconfig.xml
2009-12-02 21:52 . 2008-04-26 19:26 12 ----a-w- c:\windows\bthservsdp.dat
2009-12-02 12:52 . 2007-08-02 09:23 8192 d--h--w- c:\program files\InstallShield Installation Information
2009-12-02 12:29 . 2008-03-16 10:43 4096 d-----w- c:\program files\Java
2009-12-02 11:13 . 2009-09-21 17:48 16384 d-----w- c:\users\Danny\AppData\Roaming\BitTorrent
2009-12-02 09:04 . 2008-08-11 12:20 4096 d-----w- c:\program files\Common Files\Adobe
2009-12-01 18:48 . 2007-08-02 09:23 304920 -c--a-w- c:\windows\system32\drivers\iaStor.sys
2009-12-01 09:37 . 2008-12-23 17:54 4096 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-30 13:33 . 2009-02-12 23:07 -------- d-----w- c:\program files\Lavasoft
2009-11-30 13:33 . 2008-08-26 17:50 -------- d-----w- c:\programdata\Lavasoft
2009-11-29 21:09 . 2009-09-20 20:39 1 ----a-w- c:\users\Danny\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-11-29 20:23 . 2008-12-23 17:54 8192 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-29 20:04 . 2008-03-14 08:03 12959020 ----a-w- c:\windows\Internet Logs\tvDebug.Zip
2009-11-29 19:30 . 2009-09-20 16:49 8192 d-----w- c:\users\Danny\AppData\Roaming\LimeWire
2009-11-27 08:18 . 2009-03-22 00:55 256 ----a-w- c:\windows\system32\pool.bin
2009-11-24 07:39 . 2009-11-24 07:41 2119168 ----a-w- c:\windows\Internet Logs\xDBB9BF.tmp
2009-11-19 09:38 . 2009-11-19 09:39 2114560 ----a-w- c:\windows\Internet Logs\xDB98F9.tmp
2009-11-15 07:54 . 2008-03-05 13:45 81104 ----a-w- c:\users\Danny\AppData\Local\GDIPFONTCACHEV1.DAT
2009-11-14 11:00 . 2009-09-20 10:17 4096 d-----w- c:\users\Danny\AppData\Roaming\Winamp
2009-11-11 10:22 . 2008-03-05 14:32 4096 d-----w- c:\program files\Windows Live
2009-11-05 03:17 . 2009-11-05 03:19 2094592 ----a-w- c:\windows\Internet Logs\xDBA789.tmp
2009-11-02 20:42 . 2009-10-02 15:50 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-10-31 09:01 . 2008-03-05 17:01 680 ----a-w- c:\users\Danny\AppData\Local\d3d9caps.dat
2009-10-30 22:40 . 2009-10-30 22:39 4096 d-----w- c:\program files\LiteStep
2009-10-29 21:58 . 2009-01-29 16:40 -------- d-----w- c:\program files\Opanda
2009-10-23 19:39 . 2009-10-23 19:39 133724 ---ha-w- c:\windows\system32\mlfcache.dat
2009-10-23 19:38 . 2008-03-07 12:56 4096 d-----w- c:\program files\Google
2009-10-20 18:20 . 2009-10-20 18:20 96784 ----a-w- c:\windows\system32\Packet.dll
2009-10-20 18:19 . 2009-10-20 18:19 281104 ----a-w- c:\windows\system32\wpcap.dll
2009-10-20 18:19 . 2009-10-20 18:19 50704 ----a-w- c:\windows\system32\drivers\npf.sys
2009-10-20 18:19 . 2009-10-20 18:19 53299 ----a-w- c:\windows\system32\pthreadVC.dll
2009-10-15 08:31 . 2009-10-15 08:31 -------- d-----w- c:\users\Danny\AppData\Roaming\TomTom
2009-10-14 06:28 . 2009-10-14 06:28 4096 d-----w- c:\program files\Process Hacker
2009-10-12 08:37 . 2009-10-12 08:37 -------- d-----w- c:\users\Danny\AppData\Roaming\Media Player Classic
2009-09-20 18:40 . 2008-03-06 07:07 8224 ----a-w- c:\windows\system32\GDIPFONTCACHEV1.DAT
2009-09-20 17:00 . 2008-12-28 21:12 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-09-14 09:44 . 2009-10-15 04:44 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2009-09-10 17:30 . 2009-10-15 04:45 213504 ----a-w- c:\windows\system32\msv1_0.dll
2009-09-04 12:24 . 2009-10-15 04:44 61440 ----a-w- c:\windows\system32\msasn1.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Sidebar"="c:\program files\Windows Sidebar\sidebar.exe" [2008-01-19 1233920]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2008-10-24 206112]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2008-01-19 202240]
"SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2009-03-05 2260480]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-03-21 174872]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-09 865840]
"PLFSetL"="c:\windows\PLFSetL.exe" [2007-07-05 94208]
"WarReg_PopUp"="c:\acer\WR_PopUp\WarReg_PopUp.exe" [2006-11-05 57344]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2008-02-12 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2008-02-12 166424]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-20 149280]
"ZoneAlarm Client"="c:\program files\Zone Labs\ZoneAlarm\zlclient.exe" [2009-02-15 981384]
"BlackBerryAutoUpdate"="c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe" [2009-08-31 623960]
"avast!"="d:\progra~1\ashDisp.exe" [2009-11-24 81000]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\mbam.exe" [2009-09-10 1312080]
"UnlockerAssistant"="c:\program files\Unlocker\UnlockerAssistant.exe" [2009-10-26 15872]

c:\users\Danny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\
OpenOffice.org 3.1.lnk - c:\program files\OpenOffice.org 3\program\quickstart.exe [2009-8-18 384000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux1"=wdmaud.drv

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKLM\~\startupfolder\C:^Users^Danny^AppData^Roaming^Microsoft^Windows^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=c:\users\Danny\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=c:\windows\pss\LimeWire On Startup.lnk.Startup
backupExtension=.Startup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

R0 Lbd;Lbd;c:\windows\System32\drivers\Lbd.sys [30/11/2009 13:38 64288]
R0 pavboot;pavboot;c:\windows\System32\drivers\pavboot.sys [02/10/2009 09:33 28552]
R1 aswSP;avast! Self Protection;c:\windows\System32\drivers\aswSP.sys [30/11/2009 09:41 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\System32\drivers\aswFsBlk.sys [30/11/2009 09:41 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\System32\drivers\aswMonFlt.sys [30/11/2009 09:41 53328]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [24/09/2009 11:17 1184912]
R2 NPF;NetGroup Packet Filter Driver;c:\windows\System32\drivers\npf.sys [20/10/2009 18:19 50704]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\Spybot - Search & Destroy\SDWinSec.exe [29/11/2009 18:51 1153368]
S4 ASKService;ASKService;c:\program files\AskBarDis\bar\bin\AskService.exe --> c:\program files\AskBarDis\bar\bin\AskService.exe [?]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
LocalServiceNoNetwork REG_MULTI_SZ PLA DPS BFE mpssvc
bthsvcs REG_MULTI_SZ BthServ
HPZ12 REG_MULTI_SZ Pml Driver HPZ12 Net Driver HPZ12
.
Contents of the 'Scheduled Tasks' folder

2009-12-02 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-10-01 13:37]

2009-12-02 c:\windows\Tasks\User_Feed_Synchronization-{1D68AA82-5C3C-4FE5-96F3-8FB21F4DE243}.job
- c:\windows\system32\msfeedssync.exe [2009-10-15 03:41]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Settings,ProxyOverride = *.local
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - (no file)
HKLM-Run-eRecoveryService - (no file)
AddRemove-Active WebCam - d:\programmes\PY_UNINSTAL.EXE SOFTWARE\PySoft\Act_WebCam
AddRemove-Ad-Aware - c:\programdata\{CFBD8779-FAAB-4357-84F2-1EC8619FADA6}\Ad-AwareInstallation.exe REMOVE=TRUE MODIFY=FALSE
AddRemove-eBay Icon - c:\users\Danny\AppData\Roaming\Desktopicon\uninst.exe
AddRemove-HijackThis - f:\downloads\HijackThis.exe

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-12-02 22:25
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0000\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}\0001\AllUserSettings]
@Denied: (A) (Users)
@Denied: (A) (Everyone)
@Allowed: (B 1 2 3 4 5) (S-1-5-20)
"BlindDial"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{76a65ab9-8e5a-46ce-a536-0cfc92f4de21}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0d0017c4
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{8063b8bf-e98a-4896-b59a-0ac70752649b}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:07001422
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{8090b7dd-f32b-485a-9ad4-1678df03bbc2}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0c0016d3
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{adeb0ee5-2503-499d-919b-1a72ca369385}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:11020054
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{ba9e677f-0ef8-4bb2-a3e5-3ba5c63d1e87}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:06001422
"Dhcpv6State"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip6\Parameters\Interfaces\{f1cff720-a663-4770-8649-f2a005371c56}]
@DACL=(02 0000)
"Dhcpv6Iaid"=dword:0c0016d3
"Dhcpv6State"=dword:00000000
.
Completion time: 2009-12-02 22:31
ComboFix-quarantined-files.txt 2009-12-02 22:31

Pre-Run: 11,170,320,384 bytes free
Post-Run: 12,040,712,192 bytes free

- - End Of File - - 88DD9DF2E4D3890638EEF5F1E2E21B43

And finally Malwarebytes first log - that cleaned located a lot of infections

Malwarebytes' Anti-Malware 1.41
Database version: 3260
Windows 6.0.6001 Service Pack 1

30/11/2009 11:32:39
mbam-log-2009-11-30 (11-32-39).txt

Scan type: Full Scan (C:\|D:\|F:\|)
Objects scanned: 242321
Time elapsed: 1 hour(s), 51 minute(s), 42 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 13

Memory Processes Infected:
C:\Windows\System32\lyjp.exe (Worm.Autorun) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Handle (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cftmon (Worm.Autorun) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sshnas (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Winlogon (Malware.Trace) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Users\Danny\AppData\Roaming\RegistrySmart (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Users\Danny\AppData\Roaming\RegistrySmart\Log (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Users\Danny\AppData\Roaming\RegistrySmart\Registry Backups (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\runit (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Smart-Ads-Solutions (Adware.SmartAds) -> Quarantined and deleted successfully.
C:\Program Files\Smart-Ads-Solutions\SmartAds (Adware.SmartAds) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\lyjp.exe (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Users\Danny\AppData\Local\Temp\a.exe (Trojan.FakeAV) -> Quarantined and deleted successfully.
C:\Users\Danny\AppData\Local\Temp\cv4B2E8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\clju6768.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\dsww06562.exe (Trojan.Clicker) -> Quarantined and deleted successfully.
C:\Windows\phnbb68452.exe (Worm.Autorun) -> Quarantined and deleted successfully.
C:\Windows\System32\sshnas.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Windows\Temp\wntu.tmp\svchost.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Danny\AppData\Roaming\RegistrySmart\Registry Backups\2008-09-08_10-28-07.reg (Rogue.RegistrySmart) -> Quarantined and deleted successfully.
C:\Program Files\runit\config.txt (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{66BA574B-1E11-49b8-909C-8CC9E0E8E015}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Windows\Tasks\{35DC3473-A719-4d14-B7C1-FD326CA84A0C}.job (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Users\Danny\AppData\Local\Temp\b.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

I have a more recent Malwarebytes log?

Many many thanks for having a look at this... it's total chaos here :-)

0

Hi, thanks for the logs. Is this the log from the FIRST run of Combofix?
I ask this because you said:

Combofix - id'd a rootkit, then nothing on the re run

I don't see a rootkit id'd in this log. There are some removed infections but I don't see where there is a notation of a rootkit.

Further more I've noticed that this infection whatever it may be is turning off windows firewall, not zone alarm just the windows firewall.

Don't know, since I don't use Zone Alarm, but with many 3rd party firewalls this is NORMAL. You should NEVER run two firewalls at the same time on the same computer. You may think this will make you safer but it will not. They end up conflicting with each other and let the bad stuff in. Instructions given for ALL 3rd party firewalls say TURN OFF BUILT IN WINDOWS FIREWALL when enabling another firewall.

I see that both Zone Alarm Anti-spy and Windows Defender were both enabled during the combofix run. Instructions for Combofix is VERY clear, ALL security programs should be turned off as they can interfere with the proper running of the program.

Several things you should turn off and LEAVE turned off...BitTorrent to begin with. Leave it off. Better yet, Uninstall it.
Turn off Windows Defender, Spybot TeaTimer and Lavasoft Ad-Aware Service any or all of those three can interfere with any fixes attempted.

Lavasoft Ad-Aware Service
should be turned off via Services in Administrative Tools. Start, Control Panel, Administrative Tools, Services. Go through the list until you find the Lavasoft Ad-Aware Service, double click to open properties, Press the Stop button to stop the service. Then change the Start Up type to Disabled.

Windows Defender:
Click the Windows Start Menu icon in the bottom corner of the screen. Once "Open" and go to your computer's Control Panel.

Select "Windows Defender" from the available icons. This opens the main Windows Defender interface.

Choose "Tools" from the top of the screen. This takes you to the main Windows Defender control list. Select "Options" from the list.


Scroll down to the bottom of the list. Uncheck the box that says "Use Windows Defender" and click "Save." A confirmation box will pop up so click "Continue" to move past it. One last box will appear telling you that Defender is turned off (and that it doesn't think that was a good idea).

Spybot TeaTimer
* Run Spybot-S&D in Advanced Mode
* If it is not already set to do this, go to the Mode menu
select
Advanced Mode
* On the left hand side, click on Tools
* Then click on the Resident icon in the list
* Uncheck
Resident TeaTimer
and OK any prompts.
* Restart your computer

You said you ran Combofix twice, I need to see the other log.
You also said you had another MBA-M log, I would also like to see that one.

Do all of the above and then update and run MBA-M again, remove all items found.

After that next run of MBA-M, reboot and do a new HJT scan and post the new MBA-M log and the new HJT log.
Judy

0

Hi there... the combofix log is I think the most recent... the first time I ran it, it did mention a rootkit I assumed that it had taken care of it...

Normally I just have Zone alarm, spybot and ad aware I keep uninstalled and use them if and when I need them.

Windows firewall I normally keep off as Zone alarm advises this... however under the current circumstances I simply attacked this thing with every thing I could find :-)

As for bit torrent - you're quite right, but it is the best of a bad bunch.

Right - I'll do all of the above and get you the origional combofix log fingers crossed I can find it.

Can the scans be done in safe mode? I may not have a choice about this.

Many thanks Judy

0

It is preferable that they be done in normal mode if possible. MBA-M will not actually do a complete scan unless all of it's drivers are loaded. If there is no possible way to do it in Normal then attempt in safe mode.
HJT should also be done in normal mode if possible since a true picture of things running in Normal mode cannot be given in safe mode so if the infection won't load in safe mode then we won't see it.

0

OK this is what I have so far.

The origional combofix log I can't find anywhere, the only one I have is named combofix2.txt which would indicate the existance of a combofix.txt, however it's not int he obvious places and a search has been run c*.txt that's turned up nothing.

I'm still trying to run in normal mode.... I get about half of my tray icons, then blue screen or would you believe it... the flying stars screen saver????!!!!

I've attached the basic crash report that displays when it re-starts up in safe.

Interestingly Hijackthis actually crashes when run in safe mode... which to be honest I find disturbing.

Zone alarm was removed, defender stopped, adaware off...

Unfortunalty all times I've run Malwarebytes has been in safe mode apart from that one run I've posted the previous log for.

Anyway... in no particular order we have.

HJT Crash report (typed not copy paste)

An unexpected error has occured at procedure:
moRegistry_IniGetString(sFile=system.ini, sSection=boot, sValue=Shell)

Error /5 - Invalid procedure call or argument

*******

Crash report - Windows

Problem signature:
Problem Event Name: BlueScreen
OS Version: 6.0.6001.2.1.0.768.2
Locale ID: 2057

Additional information about the problem:
BCCode: 100000fc
BCP1: B0E5BD64
BCP2: 17A65963
BCP3: B0E5BCF0
BCP4: 00000002
OS Version: 6_0_6001
Service Pack: 1_0
Product: 768_1

Files that help describe the problem:
C:\Windows\Minidump\Mini120309-08.dmp
C:\Users\Danny\AppData\Local\temp\WER-73741-0.sysdata.xml
C:\Users\Danny\AppData\Local\temp\WER4FA5.tmp.version.txt

***********

Malwarebytes
Zone alarm off
Defender off
Basically everything off
In safe mode

Malwarebytes' Anti-Malware 1.41
Database version: 3284
Windows 6.0.6001 Service Pack 1 (Safe Mode)

03/12/2009 17:56:22
mbam-log-2009-12-03 (17-56-22).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 5838
Time elapsed: 11 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

**********

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:31:22, on 03/12/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Safe mode with network support

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Windows\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

(Crashed here)

O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Programmes\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Programmes\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Programmes\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Programmes\ashWebSv.exe
O23 - Service: BHAMZEGTQXOOIJXE - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\BHAMZEGTQXOOIJXE.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - (no file)
O23 - Service: DiamondCS ProcessGuard Service v3.500 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: EAOVVXVITMQ - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\EAOVVXVITMQ.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HZQNRCQ - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\HZQNRCQ.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IHJRGEKFK - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\IHJRGEKFK.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NJBVC - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\NJBVC.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Users\Danny\AppData\Local\TVersity\Media Server\MediaServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\Windows\System32\ZoneLabs\vsmon.exe (file missing)
O23 - Service: WGB - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\WGB.exe
O23 - Service: ePower Service (WMIService) - Unknown owner - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe (file missing)
O23 - Service: YAUCRHW - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\YAUCRHW.exe
O23 - Service: ZFUTRHBWIR - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\ZFUTRHBWIR.exe

--
End of file - 6465 bytes

I'm trying to get HJT to run in normal mode...

Many thanks again... I don't think I'm being very helpful.

0

Sucess with the HJT log - this is in normal mode and the malwarebytes scanner is running... log to follow :-)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:14:30, on 03/12/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18828)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Windows\System32\hkcmd.exe
D:\Programmes\ashDisp.exe
C:\Program Files\ProcessGuard\pgaccount.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\SearchFilterHost.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] D:\PROGRA~1\ashDisp.exe
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [!1_pgaccount] "C:\Program Files\ProcessGuard\pgaccount.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {9191F686-7F0A-441D-8A98-2FE3AC1BD913} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - D:\Programmes\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - D:\Programmes\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - D:\Programmes\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - D:\Programmes\ashWebSv.exe
O23 - Service: BHAMZEGTQXOOIJXE - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\BHAMZEGTQXOOIJXE.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\Acer\Acer Arcade\Kernel\TV\CLSched.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - (no file)
O23 - Service: DiamondCS ProcessGuard Service v3.500 (DCSPGSRV) - DiamondCS - C:\Program Files\ProcessGuard\dcsuserprot.exe
O23 - Service: EAOVVXVITMQ - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\EAOVVXVITMQ.exe
O23 - Service: eLock Service (eLockService) - Acer Inc. - C:\Acer\Empowering Technology\eLock\Service\eLockServ.exe
O23 - Service: eRecovery Service (eRecoveryService) - Acer Inc. - C:\Acer\Empowering Technology\eRecovery\eRecoveryService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: HZQNRCQ - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\HZQNRCQ.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: IHJRGEKFK - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\IHJRGEKFK.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: MobilityService - Unknown owner - C:\Acer\Mobility Center\MobilityService.exe
O23 - Service: NJBVC - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\NJBVC.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: TVersityMediaServer - Unknown owner - C:\Users\Danny\AppData\Local\TVersity\Media Server\MediaServer.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\Windows\System32\ZoneLabs\vsmon.exe (file missing)
O23 - Service: WGB - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\WGB.exe
O23 - Service: ePower Service (WMIService) - Unknown owner - C:\Acer\Empowering Technology\ePower\ePowerSvc.exe (file missing)
O23 - Service: YAUCRHW - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\YAUCRHW.exe
O23 - Service: ZFUTRHBWIR - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\ZFUTRHBWIR.exe

--
End of file - 6577 bytes

0

Couple things, as you can see MBA-M did virtually nothing in safe mode...11 seconds for a Full Scan. As you can see the original one took what is fairly normal, 1 hour and 51 minutes. So in safe mode it really is useless at this point.
I see no place in the combofix log that it is the second run, unless I am missing something. Normally they will be marked in a way that the reader can tell there has been more than one run.
I do need to ask, who told you to run Combofix? This is not recommended unless told to do so by "somebody". It is a very powerful tool and generally not a "first resort" but a last resort.

The HJT log in safe mode doesn't tell us much either, as far as running processes HOWEVER...there ARE some odd entries appearing in this latest one, run in safe mode which do NOT appear in the previous one which was done in Normal mode and those are THESE entries:

O23 - Service: NJBVC - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\NJBVC.exe
O23 - Service: WGB - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\WGB.exe
O23 - Service: YAUCRHW - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\YAUCRHW.exe
O23 - Service: ZFUTRHBWIR - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\ZFUTRHBWIR.exe

Note these are all running from a Temp file, all for some reason lead to systeminternals, though there is nothing on them at all there and NO info can be found for any of these executable files except for one of them and that is listed as a Trojan downloader.
These are all auto starting via services.
Do YOU know what these are, and why they are there?

The other thing I find very odd is why is
C:\Program Files\Windows Media Player\wmpnscfg.exe
running when other auto starts are not? There is no reason for it to be running in auto starts to begin with, much less in Safe Mode.
What was it playing or why was it running?

0

Hi there

Thanks for looking.... yes you're right the MBA was next to useless, however you never know... the one in normal mode is running now. Should be finished shortly.

I used combofix... last resort... I mean I need this machine for work - I'm self employyed.. I had tried everything else... read everything else.. I posted for help on a few forums... in the meantime the PC was getting worse and worse... culminating in the constant crashing this afternoon...

The sysinternals stuff - I have no clue.. I'm fairly sure I've not used anything from them although after a quick look they seems to be affiliated or close to microsoft.

I try to be very careful about software, not that you'd notice - me in the mess here.

The WMP stuff I had noticed, I use TVersity to stream to my TV mainly music for the little boy - he likes the jungle book! I normally use Task Manager to kill the windows media sharing process - this will keep running even after tversity has been turned off. However I've noticed the WMP reference recently as it's one of the process that has been crashing, giving the appcrash error.

The combofix file is the below - filed in C:/ as combofix2.txt

MBA has finished... it doesn't seem very informative.

Malwarebytes' Anti-Malware 1.41
Database version: 3284
Windows 6.0.6001 Service Pack 1

03/12/2009 21:52:48
mbam-log-2009-12-03 (21-52-48).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 234614
Time elapsed: 1 hour(s), 37 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks again...

0

One more thing... I'm kind of short on disk space here... my WINSXS folder is about 50 billon GB's (sorry)

I try and keep at least 10GB free to make sure things run properly and I drfrag regularly... however the last few days disk space has been swinging from 7.3 all the way through to 11.5

Now I find that strange as I'm not really using the machine other than to basically watch it internally explode...

Just thought I'd mention it... you are the expert.

0

Just thought I'd mention it... you are the expert.

Not by even the biggest stretch of imagination!!! I am going to ask a couple others to take a look at this and see what they think, ok?
Judy

0

OK Judy - however I'm sure you didn't become a moderator with out being an expert.

My first virus was tequilla and made bright patterns on the screen :-)

My problem here is that I can't fight what I can't see.

You're the expert...

0

OK Judy - however I'm sure you didn't become a moderator with out being an expert.

My first virus was tequilla and made bright patterns on the screen :-)

My problem here is that I can't fight what I can't see.

You're the expert...

Gee...tequilla is one of my favorites...mixed with triple sec and Blue Curacao on the rocks with salt on the rim however I am certain you aren't talking about blue margaritas......:D
Hopefully crunchie or PhilliePhan will check in on this one and have more advice.
Judy

Edited by jholland1964: n/a

0

more fun...

I've just - prior to a crash, had a desktop.ini file created on the desktop.... containing this

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799

I'm working back thorugh that list of torjans to try and make sure malwarebytes removed all it said it removed.

The only one on that list that would flag as a rootkit as far as combofix is concerned would be trojan fake...

0

more fun...

I've just - prior to a crash, had a desktop.ini file created on the desktop.... containing this

[.ShellClassInfo]
LocalizedResourceName=@%SystemRoot%\system32\shell32.dll,-21799

I'm working back thorugh that list of torjans to try and make sure malwarebytes removed all it said it removed.

The only one on that list that would flag as a rootkit as far as combofix is concerned would be trojan fake...

This could appear if protected operating system files were "unhidden.
What list of trojans are you talking about? You mean those removed by MBA-M? If one was a rootkit then it would come back, even if MBA-M removed it. To try to find them manually can be nearly impossible.
Have you tried running GMER?

Edited by jholland1964: n/a

0

O23 - Service: EAOVVXVITMQ - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\EAOVVXVITMQ.exe
O23 - Service: IHJRGEKFK - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\IHJRGEKFK.exe
O23 - Service: NJBVC - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\NJBVC.exe
O23 - Service: WGB - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\WGB.exe
O23 - Service: YAUCRHW - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\YAUCRHW.exe
O23 - Service: ZFUTRHBWIR - Sysinternals - www.sysinternals.com - C:\Users\Danny\AppData\Local\Temp\ZFUTRHBWIR.exe

These are Rootkit Revealer remnants - not baddies, but you'd think it'd clean up after itself a bit....

I'm really limited on time at the moment - what issues are remaining?

PP:)

0

Hi there

Well it's still crashing on start up in normal mode... which is the main problem, that and no access to mail, fireworks, and a load of other programs

superspyware found trojan.svchost/fake which would indicate that something is still there dumping it in the system.

I don't want to be negative, but I think this one has won if you get my drift.

However I want to be positive :-)

0

available disk space is back down to 8.3

I find this up and down disk space issue very strange. It was over 11 last night... so over night while little or nothing has been going on I've dropped nearly 3gb????

0

I think the disk space is due to the memory dump files from the crashes...

However the desktop.ini file mentioned above, now appears as a network location in my computer.

0

Thank you both for trying to help... I really appreciate all your effort, I know, probably that given more time this probably could be solved... however I've no more time and can see that the quickest way to get this machine working again will be to either reinstall vista increase my knowledge of linux and start using something that's a little less suseptable to these kind of problems..

Many thanks again....

Danny

0

Finally... while I've not got to the bottom of what the infection was - I have solved one problem

The ini files!

The (lets call is a virus) was dropping ini files all over the place in what I thought were random locations... they were'nt.

This is an example


[.ShellClassInfo]
LocalizedResourceName=@%CommonProgramFiles%\system\wab32res.dll,-10100
InfoTip=@%CommonProgramFiles%\system\wab32res.dll,-10200
IconResource=%SystemRoot%\system32\imageres.dll,-181
[Storage]
kilkenny7@hotmail.com=43003A005C00550073006500720073005C00440061006E006E0079005C0043006F006E00740061006300740073005C006B0069006C006B0065006E006E0079003700400068006F0074006D00610069006C002E0063006F006D00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006F
[LocalizedFileNames]
Pictures.lnk=@shell32.dll,-21779

(I'd be interested to know what this actually does... as soon as I removed it outlook started working again)

Outlook or messenger (anything that uses the contacts folder) loads and before it does it spins up the contacts into memory checking for any new ones.. this time it hits the ini file..... result, either a crash or a program faliure, or infection of another folder depending on the command in the ini file.

The problem I guess is that we look for processes that are running all the time... this is a simple text file that sits there until it's used by a seemingly safe program.

For capture NX it was in the thumbnail folder...

The other clue was too many incorrect registry entries on clean up every time.

Who would suspect a desktop ini file...

Next time - I'll make sure I follow up on the things that don't look right... but seem innocent...

The best place to hide is right out in the open :-)

This topic has been dead for over six months. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.