0

I think I installed some kind of Trojan by mistake (which I think I have removed) and it is now bringing pop-up Internet Explorer windows to all kinds of advertising. Rather more worryingly, it has had a strange effect on Windows Explorer: when I double click on the main drive it doesn't open and I have to click Explore instead. As yet I haven't done a sys restore as I have a lot of stuff on my PC I don't want to lose.
HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:29:40, on 28/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\John\My Documents\My Received Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://luminis.leedsmet.ac.uk/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/fuji/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.2] msime80.exe
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files\ATI\CatalystRegistration\dolce.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [axis web cake second] "C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web\rule mode.exe"
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [MsServer] msfir80.exe
O4 - HKCU\..\Run: [INTERNETAMEN] "C:\DOCUME~1\John\APPLIC~1\4file\Bike Name.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www4.king.com/ctl/kingcomie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by135fd.bay135.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169321153671
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10955 bytes

2 Contributors, 27 Replies, 28 Views, 10 Years Discussion Span, Last Post by Suspishio
0

I have run the Trend online virus scanner (left it running when I went to sleep as it was taking so long) and it identified three things:

Adware_savenow

EXPL_CabFile

TSPY_WinTrim.AJ

Will post back when I have fixed what I can. Unfortunately there is nothing in the database for the EXPL_CabFile. Will post another HJT log after I have fixed this stuff and done a restart.

0

Before you post the log, check that the stuff I pointed out below isn't still there.
------------------------------------------------------
O4 - HKLM\..\Run: [IMJPMIG8.2] msime80.exe

O4 - HKCU\..\Run: [MsServer] msfir80.exe
------------------------------------------------------

Get rid of that first. My method would be to go to the RUN section of the two Registry sections named in the above extract; look at the key and go to the location stated. I would delete those files from the location so that they cannot be run at startup. Then reboot and do your HJT.

0

http://vgrep.viruspool.net/virus.cms?&id=674544

Look at this link for EXPL_CabFile.

Virtumonde - not the best news. This forum is full of getting rid of Virtumonde. You could read those posts, download the fixes (including Combofix) and work through what the other posters have done under crunchie's guidance. It'll be quicker if you do all this yourself rather than trail back and forth to the forum as it'll otherwise take days.

You could, of course, use my own famous method for getting rid of Virtumonde which I posted here on around 27th August.

BUT FIRST do the bits and pieces already agreed to and post your HJT. Also read up on my method as it'll give you an insight as to how to find out how deep in doo doo your PC has got.

0

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:50:37, on 29/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\John\My Documents\My Received Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://luminis.leedsmet.ac.uk/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/fuji/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files\ATI\CatalystRegistration\dolce.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [axis web cake second] "C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web\rule mode.exe"
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [INTERNETAMEN] "C:\DOCUME~1\John\APPLIC~1\4file\Bike Name.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www4.king.com/ctl/kingcomie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by135fd.bay135.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169321153671
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 11174 bytes

I deleted the two things you said from the reg. Still getting the pop up windows and still got RB3.tmp and now RB6.tmp in the recycle bin. Will have a look at that link in the meantime.

0

Having a few problems booting into safe mode, but I have run Vundofix and Virtumundobegone as suggested by Crunchie and neither of them detected anything. Don't suppose you have a link to your post of 27 August? Had a look at your previous posts but couldn't find it.

0

Found it in the meantime. I, like another poster, don't have the facilities to remove the hd or put it in a secure connection like you suggest. Any other suggestions?

0

Found it in the meantime. I, like another poster, don't have the facilities to remove the hd or put it in a secure connection like you suggest. Any other suggestions?

Yeah - what I said further up:

Virtumonde - not the best news. This forum is full of getting rid of Virtumonde. You could read those posts, download the fixes (including Combofix) and work through what the other posters have done under crunchie's guidance. It'll be quicker if you do all this yourself rather than trail back and forth to the forum as it'll otherwise take days.

It's an iterative process. Suspect Registry keys with "No File".
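A small triage script, added here as an illustration and not part of this thread, of HijackThis or of any fix tool it mentions. It applies the two checks from the replies above to HJT log lines: Run entries that name a bare executable with no path (to be located on disk before being trusted) and registry entries whose target is gone ("No File"); the profile-directory check is an added heuristic of mine, and the sample lines are copied from the logs posted in this thread.

```python
"""Triage helper for Trend Micro HijackThis v2 log lines (added example).

Walks the O2 (browser helper objects), O4 (Run/RunOnce autoruns) and O23
(services) entries and reports the ones the thread says to look at: Run
entries naming a bare executable with no path, and entries whose target file
is gone ("(no file)" / "(file missing)"). The profile-directory check is an
added heuristic, not something the thread states.
"""
from __future__ import annotations

import re

# Field layout of the three HJT sections handled here.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<target>.*)$")

# First program named by a Run command, quoted or not. The non-greedy match
# stops at the first extension, so trailing switches (-osboot, /AUTORUN) and
# HJT's "(User 'SYSTEM')" annotation are dropped.
EXE_RE = re.compile(r'^"?(?P<exe>.*?\.(?:exe|com|scr|dll|bat|cmd))', re.IGNORECASE)

# Added heuristic: an autorun living under a user profile or Application Data
# deserves a look at its publisher; a hit means "verify", not "malware".
PROFILE_DIRS = ("documents and settings", "docume~1", "application data",
                "applic~1", "local settings", "\\temp\\")

MISSING_MARKERS = ("(no file)", "(file missing)")


def executable_of(cmd: str) -> str | None:
    """Return the program path or bare name a Run command launches, or None."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else None


def triage(log_text: str) -> list[dict]:
    """Return one finding per suspect line: {line, section, name, reason}."""
    findings: list[dict] = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        section = line.split(" - ", 1)[0]
        if m := O4_RE.match(line):
            exe = executable_of(m.group("cmd"))
            if exe is None:
                continue
            if "\\" not in exe:
                # Resolved via the search path at logon: find the file first.
                reason = "bare filename, no path: locate the file on disk before trusting it"
            elif any(d in exe.lower() for d in PROFILE_DIRS):
                reason = "autorun launched from a profile/Application Data directory (heuristic)"
            else:
                continue
            findings.append({"line": lineno, "section": section,
                             "name": m.group("name"), "reason": reason})
        elif m := (O2_RE.match(line) or O23_RE.match(line)):
            target = m.group("target").lower()
            if any(marker in target for marker in MISSING_MARKERS):
                findings.append({"line": lineno, "section": section,
                                 "name": m.group("name"),
                                 "reason": "registry entry whose file no longer exists "
                                           "('No File'): orphaned or half-removed component"})
    return findings


# Sample lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IMJPMIG8.2] msime80.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MsServer] msfir80.exe
O4 - HKLM\..\Run: [axis web cake second] "C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web\rule mode.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
"""


def main() -> None:
    for f in triage(SAMPLE_LOG):
        print(f"line {f['line']:>2} {f['section']:<4} [{f['name']}] {f['reason']}")


if __name__ == "__main__":
    main()
```

Feed it a full HJT log with `triage(open(path).read())`; clean lines such as NeroCheck.exe or the quoted realsched.exe entry produce no finding.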

0

I should add - you can get quite far on the infected PC with my method. It really is a good idea to get a handle on what's going on, and locating the clumps of files associated with the trojan will give you a surefire dimension to the scale of your problem.

Everything in these clumps will delete OK except the active file; the one currently running and possibly the one it may have already spawned. By this manual method you should be left with the rock bottom set of stuff you need to remove, if necessary by the methods I've referred to in this forum.

Do please look for these clumps and report.

0

I have run HJT and Combofix and removed one BHO that had 'no file' listed with it. I have posted the HJT and Combofix logs beneath.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:37:18, on 29/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\Office12\WINWORD.EXE
C:\Documents and Settings\John\Desktop\imabummy.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://luminis.leedsmet.ac.uk/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/fuji/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files\ATI\CatalystRegistration\dolce.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [axis web cake second] "C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web\rule mode.exe"
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [INTERNETAMEN] "C:\DOCUME~1\John\APPLIC~1\4file\Bike Name.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www4.king.com/ctl/kingcomie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by135fd.bay135.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169321153671
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10990 bytes


ComboFix 07-10-29.1 - John 2007-10-29 17:38:47.2 - NTFSx86 
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
.

(((((((((((((((((((((((((   Files Created from 2007-09-28 to 2007-10-29  )))))))))))))))))))))))))))))))
.

2007-10-29 16:04    <DIR>    d--------   C:\Documents and Settings\John\Application Data\AdwareAlert
2007-10-29 13:06    51,200  --a------   C:\WINDOWS\NirCmd.exe
2007-10-29 13:02    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\ATI
2007-10-29 12:10    <DIR>    d--------   C:\VundoFix Backups
2007-10-28 21:57    <DIR>    d--------   C:\Documents and Settings\John\Application Data\Grisoft
2007-10-28 21:57    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-28 21:57    10,872  --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-28 21:14    <DIR>    d--------   C:\Program Files\Spyware Doctor
2007-10-28 17:26    <DIR>    d--------   C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-27 20:44    <DIR>    d--h-----   C:\WINDOWS\PIF
2007-10-27 20:31    55,296  --a------   C:\WINDOWS\system32\drivers\rp_skt32.sys
2007-10-27 20:31    48,384  --a------   C:\WINDOWS\system32\drivers\rp_pkt32.sys
2007-10-27 20:30    <DIR>    d--------   C:\Program Files\Raxco
2007-10-27 20:30    <DIR>    d--------   C:\Program Files\Common Files\Scanner
2007-10-27 20:30    <DIR>    d--------   C:\Program Files\Common Files\Authentium
2007-10-27 20:30    <DIR>    d--------   C:\Program Files\CA
2007-10-27 20:30    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Raxco
2007-10-27 20:27    <DIR>    d--------   C:\Documents and Settings\John\Application Data\InstallShield
2007-10-27 20:26    <DIR>    d--------   C:\Program Files\Virgin Broadband
2007-10-27 20:26    <DIR>    d--------   C:\Documents and Settings\John\Application Data\Virgin Broadband
2007-10-27 20:26    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Virgin Broadband
2007-10-27 19:45    <DIR>    d-a------   C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-27 19:44    626,688 --a------   C:\WINDOWS\system32\msvcr80.dll
2007-10-19 13:17    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web
2007-10-19 13:16    <DIR>    d--------   C:\Program Files\4file
2007-10-19 13:16    <DIR>    d--------   C:\Documents and Settings\John\Application Data\4file
2007-10-18 18:11    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-18 18:11    11,264  --a------   C:\WINDOWS\system32\SpOrder.dll
2007-10-18 18:11    4,212   ---h-----   C:\WINDOWS\system32\zllictbl.dat
2007-10-18 18:10    <DIR>    d--------   C:\WINDOWS\system32\ZoneLabs
2007-10-18 18:05    <DIR>    d--------   C:\WINDOWS\Internet Logs
2007-10-04 13:00    <DIR>    d--------   C:\Program Files\Real
2007-10-04 13:00    <DIR>    d--------   C:\Program Files\Common Files\xing shared

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-29 08:11    ---------   d-----w C:\Program Files\SPSS Evaluation
2007-10-28 17:53    ---------   d-----w C:\Program Files\TVUPlayer
2007-10-28 01:37    ---------   d-----w C:\Program Files\PPStream
2007-10-27 20:28    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2007-10-18 18:44    ---------   d-----w C:\Program Files\Steam
2007-10-10 11:28    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-06 23:07    ---------   d-----w C:\Program Files\Java
2007-10-05 23:49    ---------   d-----w C:\Program Files\Winamp
2007-10-04 13:00    ---------   d-----w C:\Program Files\Common Files\Real
2007-09-28 19:19    ---------   d-----w C:\Documents and Settings\John\Application Data\Bioshock
2007-09-28 12:48    ---------   d-----w C:\Program Files\ffdshow
2007-09-26 22:17    ---------   d-----w C:\Program Files\LucasArts
2007-09-26 22:11    43,520  ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-09-24 15:26    ---------   d-----w C:\Program Files\SPSS
2007-09-23 13:22    ---------   d-----w C:\Program Files\DivX
2007-09-20 21:54    107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-20 21:54    ---------   d--h--r C:\Documents and Settings\John\Application Data\SecuROM
2007-09-20 20:50    ---------   d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-09-20 20:47    ---------   d-----w C:\Program Files\ATI
2007-09-20 20:46    ---------   d-----w C:\Program Files\ATI Technologies
2007-09-18 22:28    ---------   d-----w C:\Program Files\SystemRequirementsLab
2007-09-17 18:23    823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23    823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22    802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22    739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-15 14:13    ---------   d-----w C:\Documents and Settings\John\Application Data\TVU networks
2007-09-11 23:14    156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-11 12:50    ---------   d-----w C:\Program Files\Apple Software Update
2007-09-11 12:50    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-08-22 02:09    352,256 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-08-22 02:07    307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-08-22 02:07    268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-08-22 01:59    26,112  ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-08-22 01:59    143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-08-22 01:58    43,520  ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-08-22 01:58    122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-08-22 01:57    487,424 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-08-22 01:56    53,248  ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-08-22 01:48    8,306,688   ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-08-22 01:47    3,091,392   ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-08-22 01:35    1,586,816   ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-08-22 01:21    5,435,392   ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-08-22 01:19    266,240 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-08-22 01:17    17,408  ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-08-22 01:15    172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-08-22 01:11    450,560 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-08-21 20:05    593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2007-08-21 06:15    683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 00:26    81,920  ----a-w C:\WINDOWS\system32\dpl100.dll
2007-08-21 00:26    196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-08-15 22:33    524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-08-15 22:33    3,596,288   ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-08-15 22:33    200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-08-15 22:33    1,044,480   ----a-w C:\WINDOWS\system32\libdivx.dll
2007-08-15 22:31    593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-08-15 22:31    57,344  ----a-w C:\WINDOWS\system32\dpv11.dll
2007-08-15 22:31    53,248  ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-08-15 22:31    344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-08-15 22:31    294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-08-15 22:31    294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-08-15 22:30    12,288  ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-30 18:19    92,504  ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 18:19    549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 18:19    53,080  ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 18:19    43,352  ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 18:19    325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 18:19    271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 18:19    207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 18:19    203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 18:19    1,712,984   ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 18:18    33,624  ----a-w C:\WINDOWS\system32\wups.dll
.

(((((((((((((((((((((((((((((   snapshot@2007-10-29_13.09.43.70   )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 12:34:40   63,996  ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-10-29 13:30:41   63,996  ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-29 12:34:40   405,506 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-29 13:30:41   405,506 ----a-w C:\WINDOWS\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 12:54 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2006-05-16 16:04 C:\WINDOWS\SkyTel.exe]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 11:34 C:\WINDOWS\sm56hlpr.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"CatalystRegistration"="C:\Program Files\ATI\CatalystRegistration\dolce.exe" [2007-07-27 11:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-04 13:00]
"axis web cake second"="C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web\rule mode.exe" [2007-10-29 17:19]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 17:49]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 13:10]
"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 13:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"INTERNETAMEN"="C:\DOCUME~1\John\APPLIC~1\4file\Bike Name.exe" [2007-10-19 13:16]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

R3 AmdLLD;AMD Low Level Device Driver;C:\WINDOWS\system32\DRIVERS\AmdLLD.sys
S1 SABKUTIL;SABKUTIL;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\D:\INSTAL~E\Core\BVRPMPR5.SYS
S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874}

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6f4e191-a188-11db-a13d-0017316a33df}]
Auto\command - sal.xls.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-10-29 16:04:56 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
"2007-10-29 17:00:01 C:\WINDOWS\Tasks\AEEE2C6F9279A60F.job"
"2007-10-29 07:36:24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-29 17:42:02
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ... 

scanning hidden autostart entries ...

scanning hidden files ... 

**************************************************************************
.
Completion time: 2007-10-29 17:43:12
C:\ComboFix2.txt ... 2007-10-29 13:10
.
    --- E O F ---

What should I do next? Most of the other posts that I have looked at in the forum are specific to that user's PC, and it is a little hard to know which bits of the generic fixes to take from them. VundoFix is still not returning anything.


Combofix has found this little bugger:
---------------------------------------------------------
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6f4e191-a188-11db-a13d-0017316a33df}]
Auto\command - sal.xls.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe
---------------------------------------------------------

which explains (via the mountpoint) why you are getting the popups, I'd say.

This is what Trend has to say about this case:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FVB%2ECII&VSect=P


Now you'll have to make allowances for me.

As you know, I avoid this approach. So you'll have to work it out from the steps taken in other posts. The cycle is always the same. Better still if someone took over from me on this part of the diagnosis.

There is an outside chance that the Trend recommendations will remove the infection. But these things spawn and there's a lot of potential work still to do.

One of the things you definitely could do now is to recall date and time when things started going wrong and look through the timestamps in the Combofix log. See if there's anything new happened at around the same time.

My usefulness to you is probably at an end now since between us we have managed to identify what you've been infected with and you are unable to use my surefire method.

Good luck.

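The two checks Suspishio points at in the post above, the MountPoints2 autorun entry ComboFix reported and lining up the "Files Created" timestamps with the day the trouble started, as an added worked example in Python (my code, not ComboFix's, HijackThis's or anyone's in this thread). The log text embedded in it is a constructed excerpt of the logs posted above, and the list of "executable" extensions it flags is my own heuristic.

```python
"""Triage helpers for two things discussed in this thread: the MountPoints2
autorun hijack ComboFix listed, and narrowing ComboFix's 30-day 'Files
Created' list to the days around the onset of the symptoms.  Added example,
not part of ComboFix, HijackThis or Trend Micro's tooling.  The sample text
below is a constructed excerpt copied from the logs posted in the thread."""
import re
from datetime import datetime, timedelta

# Constructed excerpt of ComboFix's "Reg Loading Points" output.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6f4e191-a188-11db-a13d-0017316a33df}]
Auto\command - sal.xls.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe
"""

# Constructed excerpt of ComboFix's "Files Created" list (same column layout).
SAMPLE_FILES = r"""
2007-10-29 13:06    51,200  --a------   C:\WINDOWS\NirCmd.exe
2007-10-27 20:44    <DIR>    d--h-----   C:\WINDOWS\PIF
2007-10-27 20:31    55,296  --a------   C:\WINDOWS\system32\drivers\rp_skt32.sys
2007-10-19 13:17    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web
2007-10-19 13:16    <DIR>    d--------   C:\Program Files\4file
2007-10-04 13:00    <DIR>    d--------   C:\Program Files\Real
"""

KEY_LINE = re.compile(r"^\[(HKEY_[^\]]+)\]$", re.I)
MOUNTPOINT = re.compile(r"\\mountpoints2\\(\{[0-9a-f-]+\})$", re.I)
VERB_LINE = re.compile(r"^(Auto|AutoRun|Shell\\[^\\]+)\\command\s+-\s+(.+)$", re.I)
# Heuristic (my assumption): these extensions count as "runs a program".
EXECUTABLE = re.compile(r"\.(exe|com|scr|bat|cmd|pif)(\s|$)", re.I)
FILE_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")


def find_mountpoint_hijacks(reg_text):
    """Return (volume GUID, verb, command) for each MountPoints2 entry whose
    Auto/AutoRun/Shell command launches an executable.  A volume that simply
    opens in Explorer carries no such verb; one that does is the autorun.inf
    pattern ComboFix flagged (note the sal.xls.exe double extension), and it
    matches the 'double-click does not open the drive' symptom in the thread."""
    hits, guid = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_LINE.match(line)
        if key:                                    # new key: remember it only if it is a mountpoint
            mp = MOUNTPOINT.search(key.group(1))
            guid = mp.group(1) if mp else None
            continue
        verb = VERB_LINE.match(line)
        if guid and verb and EXECUTABLE.search(verb.group(2)):
            hits.append((guid, verb.group(1), verb.group(2)))
    return hits


def files_created_near(files_text, incident_day, days_before=2, days_after=0):
    """Return (timestamp, path) pairs from a 'Files Created' list dated within
    the window around incident_day ('YYYY-MM-DD'), newest first.  Looking a
    little before the onset as well matters because the dropper usually
    lands before the first visible pop-up."""
    onset = datetime.strptime(incident_day, "%Y-%m-%d")
    first = (onset - timedelta(days=days_before)).strftime("%Y-%m-%d")
    last = (onset + timedelta(days=days_after)).strftime("%Y-%m-%d")
    found = []
    for line in files_text.splitlines():
        m = FILE_LINE.match(line.strip())
        if m and first <= m.group(1)[:10] <= last:  # ISO dates compare lexically
            found.append((m.group(1), m.group(4)))
    return sorted(found, reverse=True)


if __name__ == "__main__":
    for guid, verb, cmd in find_mountpoint_hijacks(SAMPLE_REG):
        print(f"MountPoints2 {guid}: {verb}\\command -> {cmd}")
    # 2007-10-27 is the day the poster says the problem was first noticed.
    for ts, path in files_created_near(SAMPLE_FILES, "2007-10-27", days_before=10):
        print(ts, path)
```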

Is there any chance that the PC the flash drive was in before was the source? If it was, that means big probs for my mum. God knows how I am going to tell her to fix it. Thanks for your help so far, Suspishio. It was 27th October when I saw a notification of this.

Combofix has found this little bugger:
---------------------------------------------------------
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b6f4e191-a188-11db-a13d-0017316a33df}]
Auto\command - sal.xls.exe
AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sal.xls.exe
---------------------------------------------------------

If anyone knows, should I delete this from the registry? I have tried following the Trend advice but can't seem to open anything with the autorun.inf.

I typed:
'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b6f4e191-a188-11db-a13d-0017316a33df}\autorun.inf' but don't think this is correct.

The Trend advice is here: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FVB%2ECII&VSect=Sn

I already did the first bit where I removed the two reg entries but haven't done anything else yet due to my lack of knowledge...

OK. I deleted the mountpoint and that worked, and it hasn't come back after a restart. Something positive has now happened and I can double-click the main drive and move into it without having to right-click and press Explore. The navigation buttons and address bar are still not there, though. My new HJT and ComboFix logs are below... they both look pretty clean now... next steps, anyone, please? Thanks again, Suspishio.
ComboFix 07-10-29.1 - John 2007-10-29 19:49:33.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.470 [GMT 0:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe

(((((((((((((((((((((((((   Files Created from 2007-09-28 to 2007-10-29  )))))))))))))))))))))))))))))))

2007-10-29 17:57    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-29 16:04    <DIR>    d--------   C:\Documents and Settings\John\Application Data\AdwareAlert
2007-10-29 13:06    51,200  --a------   C:\WINDOWS\NirCmd.exe
2007-10-29 13:02    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\ATI
2007-10-29 12:10    <DIR>    d--------   C:\VundoFix Backups
2007-10-28 21:57    <DIR>    d--------   C:\Documents and Settings\John\Application Data\Grisoft
2007-10-28 21:57    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-28 21:57    10,872  --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-28 21:14    <DIR>    d--------   C:\Program Files\Spyware Doctor
2007-10-28 17:26    <DIR>    d--------   C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-27 20:44    <DIR>    d--h-----   C:\WINDOWS\PIF
2007-10-27 20:31    55,296  --a------   C:\WINDOWS\system32\drivers\rp_skt32.sys
2007-10-27 20:31    48,384  --a------   C:\WINDOWS\system32\drivers\rp_pkt32.sys
2007-10-27 20:30    <DIR>    d--------   C:\Program Files\Raxco
2007-10-27 20:30    <DIR>    d--------   C:\Program Files\Common Files\Scanner
2007-10-27 20:30    <DIR>    d--------   C:\Program Files\Common Files\Authentium
2007-10-27 20:30    <DIR>    d--------   C:\Program Files\CA
2007-10-27 20:30    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Raxco
2007-10-27 20:27    <DIR>    d--------   C:\Documents and Settings\John\Application Data\InstallShield
2007-10-27 20:26    <DIR>    d--------   C:\Program Files\Virgin Broadband
2007-10-27 20:26    <DIR>    d--------   C:\Documents and Settings\John\Application Data\Virgin Broadband
2007-10-27 20:26    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Virgin Broadband
2007-10-27 19:45    <DIR>    d-a------   C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-27 19:44    626,688 --a------   C:\WINDOWS\system32\msvcr80.dll
2007-10-19 13:17    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web
2007-10-19 13:16    <DIR>    d--------   C:\Program Files\4file
2007-10-19 13:16    <DIR>    d--------   C:\Documents and Settings\John\Application Data\4file
2007-10-18 18:11    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-18 18:11    11,264  --a------   C:\WINDOWS\system32\SpOrder.dll
2007-10-18 18:11    4,212   ---h-----   C:\WINDOWS\system32\zllictbl.dat
2007-10-18 18:10    <DIR>    d--------   C:\WINDOWS\system32\ZoneLabs
2007-10-18 18:05    <DIR>    d--------   C:\WINDOWS\Internet Logs
2007-10-04 13:00    <DIR>    d--------   C:\Program Files\Real
2007-10-04 13:00    <DIR>    d--------   C:\Program Files\Common Files\xing shared


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-29 11:12    ---------   d-----w C:\Program Files\eMule
2007-10-29 08:11    ---------   d-----w C:\Program Files\SPSS Evaluation
2007-10-29 00:03    ---------   d-----w C:\Documents and Settings\John\Application Data\uTorrent
2007-10-28 17:53    ---------   d-----w C:\Program Files\TVUPlayer
2007-10-28 01:37    ---------   d-----w C:\Program Files\PPStream
2007-10-27 20:28    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2007-10-18 18:44    ---------   d-----w C:\Program Files\Steam
2007-10-10 11:28    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-06 23:07    ---------   d-----w C:\Program Files\Java
2007-10-05 23:49    ---------   d-----w C:\Program Files\Winamp
2007-10-04 13:00    ---------   d-----w C:\Program Files\Common Files\Real
2007-09-28 19:19    ---------   d-----w C:\Documents and Settings\John\Application Data\Bioshock
2007-09-28 12:48    ---------   d-----w C:\Program Files\ffdshow
2007-09-26 22:17    ---------   d-----w C:\Program Files\LucasArts
2007-09-26 22:11    43,520  ----a-w C:\WINDOWS\system32\CmdLineExt03.dll
2007-09-24 15:26    ---------   d-----w C:\Program Files\SPSS
2007-09-23 13:22    ---------   d-----w C:\Program Files\DivX
2007-09-20 21:54    107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-20 21:54    ---------   d--h--r C:\Documents and Settings\John\Application Data\SecuROM
2007-09-20 20:50    ---------   d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-09-20 20:47    ---------   d-----w C:\Program Files\ATI
2007-09-20 20:46    ---------   d-----w C:\Program Files\ATI Technologies
2007-09-18 22:28    ---------   d-----w C:\Program Files\SystemRequirementsLab
2007-09-17 18:23    823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23    823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22    802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22    739,840 ----a-w C:\WINDOWS\system32\DivX.dll
2007-09-15 14:13    ---------   d-----w C:\Documents and Settings\John\Application Data\TVU networks
2007-09-11 23:14    156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-11 12:50    ---------   d-----w C:\Program Files\Apple Software Update
2007-09-11 12:50    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-08-22 02:09    352,256 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-08-22 02:07    307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-08-22 02:07    268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-08-22 01:59    26,112  ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-08-22 01:59    143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-08-22 01:58    43,520  ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-08-22 01:58    122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-08-22 01:57    487,424 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-08-22 01:56    53,248  ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-08-22 01:48    8,306,688   ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-08-22 01:47    3,091,392   ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-08-22 01:35    1,586,816   ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-08-22 01:21    5,435,392   ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-08-22 01:19    266,240 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-08-22 01:17    17,408  ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-08-22 01:15    172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-08-22 01:11    450,560 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-08-21 20:05    593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2007-08-21 06:15    683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 00:26    81,920  ----a-w C:\WINDOWS\system32\dpl100.dll
2007-08-21 00:26    196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-08-15 22:33    524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-08-15 22:33    3,596,288   ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-08-15 22:33    200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-08-15 22:33    1,044,480   ----a-w C:\WINDOWS\system32\libdivx.dll
2007-08-15 22:31    593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-08-15 22:31    57,344  ----a-w C:\WINDOWS\system32\dpv11.dll
2007-08-15 22:31    53,248  ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-08-15 22:31    344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-08-15 22:31    294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-08-15 22:31    294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-08-15 22:30    12,288  ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-30 18:19    92,504  ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 18:19    549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 18:19    53,080  ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 18:19    43,352  ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 18:19    325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 18:19    271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 18:19    207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 18:19    203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 18:19    1,712,984   ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 18:18    33,624  ----a-w C:\WINDOWS\system32\wups.dll
.


(((((((((((((((((((((((((((((   snapshot@2007-10-29_13.09.43.70   )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 12:34:40   63,996  ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-10-29 19:46:54   63,996  ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-29 12:34:40   405,506 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-29 19:46:54   405,506 ----a-w C:\WINDOWS\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 12:54 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2006-05-16 16:04 C:\WINDOWS\SkyTel.exe]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 11:34 C:\WINDOWS\sm56hlpr.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"CatalystRegistration"="C:\Program Files\ATI\CatalystRegistration\dolce.exe" [2007-07-27 11:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-04 13:00]
"axis web cake second"="C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web\rule mode.exe" [2007-10-29 19:43]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 17:49]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 13:10]
"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 13:10]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"INTERNETAMEN"="C:\DOCUME~1\John\APPLIC~1\4file\Bike Name.exe" [2007-10-19 13:16]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe


R3 AmdLLD;AMD Low Level Device Driver;C:\WINDOWS\system32\DRIVERS\AmdLLD.sys
S1 SABKUTIL;SABKUTIL;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\D:\INSTAL~E\Core\BVRPMPR5.SYS
S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874}


.
Contents of the 'Scheduled Tasks' folder
"2007-10-29 16:04:56 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
"2007-10-29 19:00:01 C:\WINDOWS\Tasks\AEEE2C6F9279A60F.job"
"2007-10-29 07:36:24 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************


catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-29 19:52:58
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


**************************************************************************
.
Completion time: 2007-10-29 19:54:10
C:\ComboFix2.txt ... 2007-10-29 17:43
C:\ComboFix3.txt ... 2007-10-29 13:10
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:48:53, on 29/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\regedit.exe
C:\Documents and Settings\John\Desktop\imabummy.exe.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://luminis.leedsmet.ac.uk/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/fuji/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files\ATI\CatalystRegistration\dolce.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [axis web cake second] "C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web\rule mode.exe"
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [INTERNETAMEN] "C:\DOCUME~1\John\APPLIC~1\4file\Bike Name.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www4.king.com/ctl/kingcomie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by135fd.bay135.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169321153671
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


--
End of file - 11424 bytes

Edited by pritaeas: Fixed formatting

0

Well done.

Combofix showed this:
---------------------------------------------------------
"2007-10-29 19:00:01 C:\WINDOWS\Tasks\AEEE2C6F9279A60F.job"
---------------------------------------------------------

I really dunno what this is but instinct rings an alarm bell.

Go to Windows\Tasks and tell us what is scheduled for this task. In fact, reproduce the entry line data. Then go into Properties and report what it points to. If it's any of the stuff we've been deleting, go there and delete it!!

When did your problems start? Date and approximate time?

0

"c:\docume~1\john\applic~1\4file\Tick Scr Ace.exe"

I have no idea what it is so I have deleted it. It runs every hour from midnight (00:00) on the 19th. This is just before I went away for a couple of weeks and I have a feeling it may have been after I clicked on something called winzix that has some kind of trojan bundled in it. This was the mistake that I referred to earlier in this thread. I only had 3 scheduled tasks and have got rid of them all. I will do a reboot and see what happens. Do you want some more scans?

0

There was just that one that you pointed out that I deleted, and the other two were an Apple software updater that I always cancel and a task for an adware program that I thought might be worth a shot earlier today... it wasn't; it was one of those that you have to buy when you get to the end. The one that you were wondering about had c:\docume~1\john\applic~1\4file\Tick Scr Ace.exe when I clicked on the properties. I am not sure what you mean by entry line data...

0

I do wish you'd answer ALL of my questions. I can get to bed earlier.
We've disposed of the Scheduled Task matter for now. But keep your eye on this in case it respawns.

When did your problems start? Date and approximate time? I want to try and correlate with the ComboFix log if possible.

Next step is to run AVG Anti-Spyware and Spybot to make sure that nothing is reported. Reboot; run ComboFix and HJT and re-post. It'll be around 18 hours before I can look at it again but maybe another of the brainios here can take over!

0

Started 19th October between 1100hrs and 1400hrs.

Then I was away for a while and when I came back I knew I had a problem. I then started running scans from Saturday 27th October and installed the Virgin Media PCguard software. Sometime in the evening of 27/10 I put my flash drive in, got a warning message about that xls thing mentioned earlier, and I quarantined it straight away.

I can't remember if I put something on the flash drive on the 19th that the new anti virus picked up when I got back or if that is a wholly different problem from the other pc while I was away.

On the 19th I still had my normal Windows Explorer interface, although I only used it for about 2 hours after I thought the problem had occurred, until the 27th. Whatever happened when I came back was an exacerbation of what started on the 19th. Most of these started happening when I tried to delete what is shown as RB3E.tmp and RB4.tmp from the recycle bin and they wouldn't delete. When I click on either of these and look at the properties it says that the origin is the RECYCLER. The problems I have are two: my navigation around Windows is messed up (no address bar, File, View, Options etc.), and when I open Internet Explorer I get the pop-ups to ads.

That task is back in the Windows Tasks window but it has now changed so that the scheduling of the task is from 18/06/1999. As my PC wasn't even buildable back then it is highly unlikely.

I ran Spybot twice today. The first run grabbed a few reg entries and cleared them up, as well as a few tracking cookies of no consequence. The second run showed no reg entries but there were a few tracking cookies. This is to be expected as I use one on here and one other site I regularly use.

I have run AVG three times over the last two days and it finds similar cookies.

I too am knackered now and thank you for all your help so far; it is much appreciated. I will follow your instructions and run the scans overnight.

0

Started 19th October between 1100hrs and 1400hrs.

Again, well done. I hope we're nearly there. ComboFix, lo and behold, shows this entry in the origin timeframe:
----------------------------------------------------------------------------------------------------------
"INTERNETAMEN"="C:\DOCUME~1\John\APPLIC~1\4file\Bike Name.exe" [2007-10-19 13:16]
-----------------------------------------------------------------------------------------------------------

We only just got rid of that, so it may still have done more damage - hence the overnight scans. It was this one all the time. I thought of singling it out originally, but 4file is a known application for video and radio playing.

Oh well. Later.
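A worked version of the correlation the helper is doing here (and of the earlier request to check where the scheduled task's target lives): an added Python example, not code from the thread or from ComboFix/HijackThis, that parses ComboFix "Reg Loading Points" and "Files Created" lines in the format quoted in this thread, flags Run targets under profile data directories, and lists entries whose file timestamps fall inside the reported onset window (19 Oct 2007, 11:00 to 14:00, with an assumed hour of slack). The sample lines are constructed from the log format shown on the page; the window and directory list are assumptions.

```python
"""Triage ComboFix autostart and file-creation lines against a reported onset window.

Added example (not from the thread or from ComboFix). The sample lines below are
constructed to match the ComboFix format quoted in the thread.
"""
import re
from datetime import datetime, timedelta

# ComboFix "Reg Loading Points" value line:  "name"="path" [YYYY-MM-DD HH:MM ...]
# The bracket holds the target file's timestamp, sometimes followed by a resolved path.
RUN_RE = re.compile(
    r'^"(?P<name>[^"]+)"="(?P<path>[^"]+)"\s*\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})')

# ComboFix "Files Created" line:  YYYY-MM-DD HH:MM   <DIR>|size   attrs   path
FILE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(?:<DIR>|[\d,]+)\s+[a-z-]+\s+(?P<path>\S.*)$')

# Assumption: a machine-wide or per-user Run value pointing into a profile data
# directory (long or 8.3 form) is unusual enough to ask the poster about.
PROFILE_DIRS = ("\\documents and settings\\", "\\docume~1\\",
                "\\application data\\", "\\applic~1\\")

# Onset window as reported in the thread; one hour of slack is an assumption.
ONSET_START = datetime(2007, 10, 19, 11, 0)
ONSET_END = datetime(2007, 10, 19, 14, 0)
SLACK = timedelta(hours=1)

# Constructed sample lines, copied in format from the ComboFix sections in the thread.
SAMPLE_RUN = """\
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 12:54 C:\\WINDOWS\\RTHDCPL.EXE]
"axis web cake second"="C:\\Documents and Settings\\All Users\\Application Data\\Book Slow Axis Web\\rule mode.exe" [2007-10-29 19:43]
"INTERNETAMEN"="C:\\DOCUME~1\\John\\APPLIC~1\\4file\\Bike Name.exe" [2007-10-19 13:16]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe" [2004-08-04 12:00]
"""
SAMPLE_FILES = """\
2007-10-29 13:06    51,200  --a------   C:\\WINDOWS\\NirCmd.exe
2007-10-19 13:17    <DIR>    d--------   C:\\Documents and Settings\\All Users\\Application Data\\Book Slow Axis Web
2007-10-19 13:16    <DIR>    d--------   C:\\Program Files\\4file
2007-09-20 21:54    <DIR>    dr-h-----   C:\\Documents and Settings\\John\\Application Data\\SecuROM
"""


def parse_run_entries(text):
    """Parse Run/RunOnce value lines into dicts with name, path and file timestamp."""
    out = []
    for line in text.splitlines():
        m = RUN_RE.match(line.strip())
        if m:
            out.append({"name": m["name"], "path": m["path"],
                        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M")})
    return out


def parse_created_files(text):
    """Parse 'Files Created' lines into dicts with path and creation timestamp."""
    out = []
    for line in text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            out.append({"path": m["path"].strip(),
                        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M")})
    return out


def in_window(ts, start=ONSET_START, end=ONSET_END, slack=SLACK):
    """True when a timestamp falls inside the onset window widened by the slack."""
    return start - slack <= ts <= end + slack


def under_profile_dir(path):
    """True when an autostart target sits under a user-profile data directory."""
    return any(d in path.lower() for d in PROFILE_DIRS)


def triage_run_entries(entries, start=ONSET_START, end=ONSET_END):
    """Return [(name, path, [reasons])] for the Run values worth asking about."""
    findings = []
    for e in entries:
        reasons = []
        if in_window(e["ts"], start, end):
            reasons.append("target file timestamp falls inside the reported onset window")
        if under_profile_dir(e["path"]):
            reasons.append("autostart target lives under a profile data directory")
        if reasons:
            findings.append((e["name"], e["path"], reasons))
    return findings


def files_near_onset(files, start=ONSET_START, end=ONSET_END):
    """Paths from the 'Files Created' section whose timestamp sits in the window."""
    return [f["path"] for f in files if in_window(f["ts"], start, end)]


if __name__ == "__main__":
    for name, path, reasons in triage_run_entries(parse_run_entries(SAMPLE_RUN)):
        print(f"{name}: {path}\n    " + "\n    ".join(reasons))
    print("Created near onset:", files_near_onset(parse_created_files(SAMPLE_FILES)))
```

Run against a full ComboFix log, the same two parsers pick up the "INTERNETAMEN" value and the 4file and "Book Slow Axis Web" directories created at 13:16 and 13:17 on the 19th, which is the correlation the helper drew by eye.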

0

I removed the one you posted, the 4file one. Interestingly enough I have Spybot running in real time (tells me about changes to the reg) and shortly after I removed it I got an alert that it was trying to reinstall. Ran AVG again - just a few cookies - and 3 cookies with Spybot Search and Destroy. Just posting the logs here for you to have a look at while I am sleeping... lol. It sucks when your PC doesn't work properly.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 02:21:23, on 30/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\John\Desktop\imabummy.exe.exe


R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://luminis.leedsmet.ac.uk/cp/home/loginf
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/fuji/defaults/su/*http://www.yahoo.com
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~3\Office12\GRA8E1~1.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_19_0.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -startup
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [amd_dc_opt] "C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe"
O4 - HKLM\..\Run: [ANIWZCS2Service] "C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [CatalystRegistration] "C:\Program Files\ATI\CatalystRegistration\dolce.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [axis web cake second] "C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web\rule mode.exe"
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [IndexCleaner] "C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} (TmHcmsX Control) - http://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
O16 - DPF: {3B5E9B23-7537-4601-A9E8-FA0D956DEA16} (csauie1 Control) - http://www.couponreport.net/ftp/v3123/csauie1.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www4.king.com/ctl/kingcomie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by135fd.bay135.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1169321153671
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~3\Office12\GR99D3~1.DLL
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


--
End of file - 11367 bytes

ComboFix 07-10-29.1 - John 2007-10-30  2:25:40.4 - NTFSx86
Microsoft Windows XP Home Edition  5.1.2600.2.1252.1.1033.18.413 [GMT 0:00]
Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
.


(((((((((((((((((((((((((   Files Created from 2007-09-28 to 2007-10-30  )))))))))))))))))))))))))))))))
.


2007-10-29 17:57    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-29 16:04    <DIR>    d--------   C:\Documents and Settings\John\Application Data\AdwareAlert
2007-10-29 13:06    51,200  --a------   C:\WINDOWS\NirCmd.exe
2007-10-29 13:02    <DIR>    d--------   C:\Documents and Settings\Administrator\Application Data\ATI
2007-10-29 12:10    <DIR>    d--------   C:\VundoFix Backups
2007-10-28 21:57    <DIR>    d--------   C:\Documents and Settings\John\Application Data\Grisoft
2007-10-28 21:57    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Grisoft
2007-10-28 21:57    10,872  --a------   C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-10-28 21:14    <DIR>    d--------   C:\Program Files\Spyware Doctor
2007-10-28 17:26    <DIR>    d--------   C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-27 20:44    <DIR>    d--h-----   C:\WINDOWS\PIF
2007-10-27 20:31    55,296  --a------   C:\WINDOWS\system32\drivers\rp_skt32.sys
2007-10-27 20:31    48,384  --a------   C:\WINDOWS\system32\drivers\rp_pkt32.sys
2007-10-27 20:30    <DIR>    d--------   C:\Program Files\Raxco
2007-10-27 20:30    <DIR>    d--------   C:\Program Files\Common Files\Scanner
2007-10-27 20:30    <DIR>    d--------   C:\Program Files\Common Files\Authentium
2007-10-27 20:30    <DIR>    d--------   C:\Program Files\CA
2007-10-27 20:30    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Raxco
2007-10-27 20:27    <DIR>    d--------   C:\Documents and Settings\John\Application Data\InstallShield
2007-10-27 20:26    <DIR>    d--------   C:\Program Files\Virgin Broadband
2007-10-27 20:26    <DIR>    d--------   C:\Documents and Settings\John\Application Data\Virgin Broadband
2007-10-27 20:26    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Virgin Broadband
2007-10-27 19:45    <DIR>    d-a------   C:\Documents and Settings\All Users\Application Data\TEMP
2007-10-27 19:44    626,688 --a------   C:\WINDOWS\system32\msvcr80.dll
2007-10-19 13:17    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web
2007-10-19 13:16    <DIR>    d--------   C:\Program Files\4file
2007-10-19 13:16    <DIR>    d--------   C:\Documents and Settings\John\Application Data\4file
2007-10-18 18:11    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-18 18:11    11,264  --a------   C:\WINDOWS\system32\SpOrder.dll
2007-10-18 18:11    4,212   ---h-----   C:\WINDOWS\system32\zllictbl.dat
2007-10-18 18:10    <DIR>    d--------   C:\WINDOWS\system32\ZoneLabs
2007-10-18 18:05    <DIR>    d--------   C:\WINDOWS\Internet Logs
2007-10-04 13:00    <DIR>    d--------   C:\Program Files\Real
2007-10-04 13:00    <DIR>    d--------   C:\Program Files\Common Files\xing shared
2007-09-28 12:48    5,120   --a------   C:\WINDOWS\system32\ff_vfw.dll
2007-09-26 22:02    43,520  --a------   C:\WINDOWS\system32\CmdLineExt03.dll
2007-09-20 21:54    <DIR>    dr-h-----   C:\Documents and Settings\John\Application Data\SecuROM
2007-09-20 21:54    <DIR>    d--------   C:\Documents and Settings\John\Application Data\Bioshock
2007-09-20 21:33    68,888  --a------   C:\WINDOWS\system32\xinput1_3.dll
2007-09-20 20:50    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\ATI
2007-09-20 20:47    <DIR>    d--------   C:\Program Files\Steam
2007-09-20 20:47    <DIR>    d--------   C:\Program Files\ATI
2007-09-20 20:16    3,495,784   --a------   C:\WINDOWS\system32\d3dx9_33.dll
2007-09-19 21:55    <DIR>    d--------   C:\WINDOWS\BioShock
2007-09-18 22:28    <DIR>    d--------   C:\Program Files\SystemRequirementsLab
2007-09-17 18:23    823,296 --a------   C:\WINDOWS\system32\divx_xx0c.dll
2007-09-17 18:23    823,296 --a------   C:\WINDOWS\system32\divx_xx07.dll
2007-09-17 18:22    802,816 --a------   C:\WINDOWS\system32\divx_xx11.dll
2007-09-17 18:22    739,840 --a------   C:\WINDOWS\system32\DivX.dll
2007-09-12 12:18    <DIR>    d--------   C:\spoolerlogs
2007-09-11 23:14    156,992 --a------   C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2007-09-11 12:50    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Apple


.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-29 22:47    ---------   d-----w C:\Documents and Settings\John\Application Data\uTorrent
2007-10-29 11:12    ---------   d-----w C:\Program Files\eMule
2007-10-29 08:11    ---------   d-----w C:\Program Files\SPSS Evaluation
2007-10-28 17:53    ---------   d-----w C:\Program Files\TVUPlayer
2007-10-28 01:37    ---------   d-----w C:\Program Files\PPStream
2007-10-27 20:28    ---------   d--h--w C:\Program Files\InstallShield Installation Information
2007-10-10 11:28    ---------   d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-10-06 23:07    ---------   d-----w C:\Program Files\Java
2007-10-05 23:49    ---------   d-----w C:\Program Files\Winamp
2007-10-04 13:00    ---------   d-----w C:\Program Files\Common Files\Real
2007-09-28 12:48    ---------   d-----w C:\Program Files\ffdshow
2007-09-26 22:17    ---------   d-----w C:\Program Files\LucasArts
2007-09-24 15:26    ---------   d-----w C:\Program Files\SPSS
2007-09-23 13:22    ---------   d-----w C:\Program Files\DivX
2007-09-20 21:54    107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-09-20 20:46    ---------   d-----w C:\Program Files\ATI Technologies
2007-09-15 14:13    ---------   d-----w C:\Documents and Settings\John\Application Data\TVU networks
2007-09-11 12:50    ---------   d-----w C:\Program Files\Apple Software Update
2007-08-22 02:09    352,256 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-08-22 02:07    307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-08-22 02:07    268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-08-22 01:59    26,112  ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-08-22 01:59    143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-08-22 01:58    43,520  ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-08-22 01:58    122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-08-22 01:57    487,424 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-08-22 01:56    53,248  ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-08-22 01:48    8,306,688   ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-08-22 01:47    3,091,392   ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-08-22 01:35    1,586,816   ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-08-22 01:21    5,435,392   ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-08-22 01:19    266,240 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-08-22 01:17    17,408  ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-08-22 01:15    172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-08-22 01:11    450,560 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-08-21 20:05    593,920 ------w C:\WINDOWS\system32\ati2sgag.exe
2007-08-21 06:15    683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 00:26    81,920  ----a-w C:\WINDOWS\system32\dpl100.dll
2007-08-21 00:26    196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-08-15 22:33    524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-08-15 22:33    3,596,288   ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-08-15 22:33    200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-08-15 22:33    1,044,480   ----a-w C:\WINDOWS\system32\libdivx.dll
2007-08-15 22:31    593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-08-15 22:31    57,344  ----a-w C:\WINDOWS\system32\dpv11.dll
2007-08-15 22:31    53,248  ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-08-15 22:31    344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-08-15 22:31    294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-08-15 22:31    294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-08-15 22:30    12,288  ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-07-30 18:19    92,504  ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 18:19    549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 18:19    53,080  ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 18:19    43,352  ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 18:19    325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 18:19    271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-07-30 18:19    207,736 ----a-w C:\WINDOWS\system32\muweb.dll
2007-07-30 18:19    203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 18:19    1,712,984   ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 18:18    33,624  ----a-w C:\WINDOWS\system32\wups.dll
2007-07-26 23:06    129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-07-26 23:06    120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-07-26 23:06    118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
2007-07-09 13:16    582,656 ----a-w C:\WINDOWS\system32\rpcrt4.dll
.


(((((((((((((((((((((((((((((   snapshot@2007-10-29_13.09.43.70   )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-29 12:34:40   63,996  ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-10-30 02:18:11   63,996  ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-29 12:34:40   405,506 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-30 02:18:11   405,506 ----a-w C:\WINDOWS\system32\perfh009.dat
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 12:54 C:\WINDOWS\RTHDCPL.EXE]
"SkyTel"="SkyTel.EXE" [2006-05-16 16:04 C:\WINDOWS\SkyTel.exe]
"SMSERIAL"="sm56hlpr.exe" [2006-01-20 11:34 C:\WINDOWS\sm56hlpr.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50]
"PCSuiteTrayApplication"="C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" [2006-11-08 13:27]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 16:49]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2005-10-19 18:19]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 02:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 11:35]
"CatalystRegistration"="C:\Program Files\ATI\CatalystRegistration\dolce.exe" [2007-07-27 11:04]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-04 13:00]
"axis web cake second"="C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web\rule mode.exe" [2007-10-30 02:16]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 17:49]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-09-05 13:10]
"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 13:10]


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"IndexCleaner"="C:\Program Files\Virgin Broadband\PCguard\IdxClnR.exe"


[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"PcSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe


R3 AmdLLD;AMD Low Level Device Driver;C:\WINDOWS\system32\DRIVERS\AmdLLD.sys
S1 SABKUTIL;SABKUTIL;\??\C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys
S3 BVRPMPR5;BVRPMPR5 NDIS Protocol Driver;\??\D:\INSTAL~E\Core\BVRPMPR5.SYS
S3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe /Processid:{80098F68-1220-4F43-80A8-15C7395B8874}


.
Contents of the 'Scheduled Tasks' folder
"2007-10-30 02:00:02 C:\WINDOWS\Tasks\AEEE2C6F9279A60F.job"
.
**************************************************************************


catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-30 02:29:11
Windows 5.1.2600 Service Pack 2 NTFS


scanning hidden processes ...


scanning hidden autostart entries ...


scanning hidden files ...


**************************************************************************
.
Completion time: 2007-10-30  2:30:23
C:\ComboFix2.txt ... 2007-10-29 19:54
C:\ComboFix3.txt ... 2007-10-29 17:43
.
--- E O F ---


Bad stuff is still there and needs deleting.
---------------------------------------------------------
2007-10-19 13:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web
2007-10-19 13:16 <DIR> d-------- C:\Program Files\4file
"axis web cake second"="C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web\rule mode.exe" [2007-10-30 02:16]

---------------------------------------------------------

Have you done these specific deletes before?

Also clear your scheduled tasks in respect of this job:
"2007-10-30 02:00:02 C:\WINDOWS\Tasks\AEEE2C6F9279A60F.job"
and any other scheduled event timed today at 02:00. Please confirm that was a time you rebooted.


I hope this'll clear it all out. If it reappears in the next ComboFix log, then the only method I can advise on is based on looking for clusters around the dates and times shown above and deleting everything I can't account for that was created at those timestamps.


I've been getting some extra help from someone else. The first thing so far was downloading and running the Lop uninstaller, which cleared the pop-up windows (the 4file thing was a Lop infection). The other steps are the ones that you suggested, and then running a scan with Dr.Web CureIt!, which has identified a few more problems, mostly in the System Restore directory, but has fixed my flash drive problem. I will let you know the other steps and post some logs of what I found and what the other person said to fix the problems.

Thanks for your help, suspsichio; it has been greatly appreciated, and we at least managed to get started on getting rid of the problems. Thank goodness it wasn't Virtumundo, though.


You seem to be on your way - but please...

Look in Windows\system32 and c:\windows and c:\ for clusters of stuff created 19-Oct-07 around 13:16 and 30-Oct-07 around 02:16.

You need to be 100% sure nothing of the original is there, and especially that nothing has been spawned. It's a basic precaution in every case of virus or Trojan infection.

Look forward to seeing your final logs.

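The timestamp-cluster check the helper describes in the two replies above (delete everything created around 19-Oct-07 13:16 and 30-Oct-07 02:16 that you can't account for) can be rehearsed on the ComboFix log text before touching the live disk. The script below is an added example, not part of the original thread and not ComboFix's own code: it parses lines in the format of the "new files" and "Reg Loading Points" sections, groups them into creation-time clusters, lists everything within a few minutes of a known infection time, and flags any Run-key value whose target lives in a directory that belongs to such a cluster. The sample lines are constructed from the log's format (paths copied from above, list shortened); the five-minute window and all function names are my assumptions.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

Entry = namedtuple("Entry", "ts size attrs path")      # one "new files" line
RunEntry = namedtuple("RunEntry", "name path ts")      # one Run-key value

# Constructed sample in the format of ComboFix's "new files" section; the
# paths are copied from the log above but the list is deliberately short.
SAMPLE_LISTING = r"""
2007-10-29 13:06    51,200  --a------   C:\WINDOWS\NirCmd.exe
2007-10-19 13:17    <DIR>    d--------   C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web
2007-10-19 13:16    <DIR>    d--------   C:\Program Files\4file
2007-10-19 13:16    <DIR>    d--------   C:\Documents and Settings\John\Application Data\4file
2007-10-18 18:11    11,264  --a------   C:\WINDOWS\system32\SpOrder.dll
2007-09-20 21:33    68,888  --a------   C:\WINDOWS\system32\xinput1_3.dll
"""

# Constructed sample in the format of the "Reg Loading Points" section.
SAMPLE_RUN_KEYS = r"""
"RTHDCPL"="RTHDCPL.EXE" [2006-06-28 12:54 C:\WINDOWS\RTHDCPL.EXE]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-04 13:00]
"axis web cake second"="C:\Documents and Settings\All Users\Application Data\Book Slow Axis Web\rule mode.exe" [2007-10-30 02:16]
"""

LISTING_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+?)\s*$")
# Value name, value data, file timestamp and, for bare names that ComboFix
# resolved itself (RTHDCPL.EXE above), the absolute path after the timestamp.
RUN_RE = re.compile(
    r'^"([^"]+)"="([^"]+)"\s+\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2})(?:\s+([^\]]+))?\]')


def parse_ts(text):
    """'2007-10-30 02:16' -> datetime, the format ComboFix prints."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def parse_listing(text):
    out = []
    for line in text.splitlines():
        m = LISTING_RE.match(line)
        if m:
            out.append(Entry(parse_ts(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return out


def parse_run_keys(text):
    out = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            path = (m.group(4) or m.group(2)).strip()
            out.append(RunEntry(m.group(1), path, parse_ts(m.group(3))))
    return out


def clusters(entries, window=timedelta(minutes=5), min_size=2):
    """Sort by timestamp and cut a new group whenever the gap to the previous
    entry exceeds `window`; keep groups with at least `min_size` members."""
    groups, current = [], []
    for e in sorted(entries, key=lambda e: e.ts):
        if current and e.ts - current[-1].ts > window:
            groups.append(current)
            current = []
        current.append(e)
    if current:
        groups.append(current)
    return [g for g in groups if len(g) >= min_size]


def near(entries, anchor, window=timedelta(minutes=5)):
    """Everything stamped within +/- window of a known infection time."""
    return [e for e in entries if abs(e.ts - anchor) <= window]


def suspicious_autostarts(run_entries, listing_entries, window=timedelta(minutes=5)):
    """Run-key values whose target sits inside a directory created as part of
    a timestamp cluster: new directory plus new autostart is the pairing
    worth deleting together."""
    cluster_dirs = [e.path.lower() for g in clusters(listing_entries, window)
                    for e in g if e.size == "<DIR>"]
    return [r.name for r in run_entries
            if any(r.path.lower().startswith(d + "\\") for d in cluster_dirs)]


if __name__ == "__main__":
    listing = parse_listing(SAMPLE_LISTING)
    runs = parse_run_keys(SAMPLE_RUN_KEYS)
    for group in clusters(listing):
        print("cluster around", group[0].ts)
        for e in group:
            print("   ", e.ts, e.size, e.path)
    print("autostarts in clustered dirs:", suspicious_autostarts(runs, listing))
    print("run keys near 2007-10-30 02:16:",
          [r.name for r in near(runs, parse_ts("2007-10-30 02:16"))])
```

On the sample the only cluster is the 19-Oct 13:16/13:17 trio (the two 4file directories and Book Slow Axis Web), and the only autostart inside a clustered directory is "axis web cake second", which is exactly the pairing the helper singled out. The window is a judgement call: installers write in bursts, so a few minutes catches the burst without sweeping in the day's legitimate activity, but anything it flags still has to be accounted for by hand before it is deleted.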