
Solved Explorer shuts down randomly

Discussion in 'Malware and Virus Removal Archive' started by chalkie521, 2008/03/09.

  1. 2008/03/09
    chalkie521 (Thread Starter)
    [Resolved] Explorer shuts down randomly

    Hi team, I had/have a virus on my system. I thought I got rid of it, but I now have some strange things happening; on boot I get an error:

    C:\WINDOWS\system32\dvyircmy.dll not found

    or something to that effect. I also find myself staring at a blank screen from time to time; if I go into Task Manager and key in explorer.exe it fires up again, but I didn't have this problem before. As it stands my System Restore is disabled, but that was after reading some issues on here; when it was on, all my restore points had gone?

    Here is my HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:26:15, on 09/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skysports.com/football/teams/liverpool/0,19734,11669,00.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [f0c81086] rundll32.exe "C:\WINDOWS\system32\dvyircmy.dll ",b
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1198256458187
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 8123 bytes

    Thanks in advance for any help. I was going to reformat, but I think I could learn something here.
     
  2. 2008/03/09
    Geri
    Hi chalkie521
    Welcome to Windowsbbs. :)

    First, we need to get system restore back on.

    An infected restore point is better than no restore point at all.

    To turn on Windows XP System Restore:
    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
    5. Click Apply, and then click OK.
    6. Make a new restore point.


    After a restore point has been made, do the following.


    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the Combofix log.

    Thanks
    Geri
     

  3. 2008/03/09
    chalkie521 (Thread Starter)
    Hi Geri, thanks for the welcome,

    Here is my ComboFix log. I had a job with it though, as Norton kept trying to stop the scripts even though I thought I had disabled it?
    Also, there is more than one account on this machine, does it make a difference?
    Thanks again.

    ComboFix 08-03-09.1 - John 2008-03-09 22:02:29.6 - NTFSx86
    Running from: C:\Documents and Settings\John\Desktop\malware scanners etc\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\Temp\sanR24
    C:\WINDOWS\Fonts\'
    C:\WINDOWS\Fonts\a.zip
    C:\WINDOWS\system32\cccdd.ini
    C:\WINDOWS\system32\cccdd.ini2
    C:\WINDOWS\system32\ddccc.dll
    C:\WINDOWS\system32\khfccyy.dll
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\rtvwa.ini
    C:\WINDOWS\system32\rtvwa.ini2
    C:\winlogon.exe
    C:\x.dat
    C:\z.dat

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
    .

    2008-03-09 12:25 . 2008-03-09 12:25 <DIR> d-------- C:\Documents and Settings\Mandy\Application Data\Apple Computer
    2008-03-09 12:24 . 2008-03-09 12:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-03-09 12:24 . 2008-03-09 12:24 1,409 --a------ C:\WINDOWS\QTFont.for
    2008-03-09 12:20 . 2008-03-09 12:20 <DIR> d-------- C:\Documents and Settings\Mandy\Application Data\Grisoft
    2008-03-08 20:28 . 2008-03-08 20:28 <DIR> d-------- C:\Documents and Settings\John\Application Data\Grisoft
    2008-03-08 20:28 . 2008-03-08 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-03-08 20:28 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-03-08 20:05 . 2008-03-08 20:05 352 --a------ C:\WINDOWS\system32\drivers\kgpfr2.cfg
    2008-03-08 20:00 . 2008-03-08 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
    2008-03-08 19:59 . 2008-03-08 19:59 <DIR> d-------- C:\Program Files\Common Files\iS3
    2008-03-08 19:59 . 2008-03-08 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
    2008-03-03 22:37 . 2008-03-03 22:37 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-03-03 22:37 . 2008-03-03 22:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-03-03 21:58 . 2008-03-03 22:27 <DIR> d-------- C:\VundoFix Backups
    2008-03-02 16:36 . 2008-03-02 16:36 <DIR> d-------- C:\Program Files\MSXML 4.0
    2008-03-02 16:10 . 2008-03-02 16:10 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
    2008-03-02 16:08 . 2008-03-02 16:08 134 --a------ C:\n.bat
    2008-03-02 16:07 . 2008-03-02 18:57 <DIR> d-------- C:\WINDOWS\system32\iDlo18
    2008-03-02 16:07 . 2008-03-09 21:31 <DIR> d-------- C:\Temp
    2008-03-02 16:07 . 2008-03-02 16:07 <DIR> d-------- C:\Program Files\Microsoft Games
    2008-03-02 16:05 . 2008-03-02 16:48 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-23 13:47 . 2008-02-23 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-02-21 20:36 . 2008-02-21 20:36 <DIR> d-------- C:\Documents and Settings\John\Application Data\Leadertech
    2008-02-20 18:56 . 2008-02-20 18:56 <DIR> d-------- C:\Documents and Settings\Mandy\Application Data\Leadertech
    2008-02-20 16:56 . 2008-02-20 16:56 <DIR> d-------- C:\Documents and Settings\Mandy\Application Data\AdobeUM
    2008-02-20 16:56 . 2008-02-20 16:56 <DIR> d-------- C:\Documents and Settings\Mandy\Application Data\AdobeAUM
    2008-02-20 16:41 . 2005-07-07 14:25 81,728 -ra------ C:\WINDOWS\system32\drivers\k750mgmt.sys
    2008-02-20 16:38 . 2005-07-07 14:25 79,488 -ra------ C:\WINDOWS\system32\drivers\k750obex.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-09 21:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-03-09 14:54 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-03-02 18:18 --------- d-----w C:\Documents and Settings\John\Application Data\LimeWire
    2008-03-02 17:55 --------- d-----w C:\Program Files\Norton Internet Security
    2008-03-02 16:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-02 16:06 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-02-24 14:01 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-01-22 14:22 --------- d-----w C:\Documents and Settings\John\Application Data\Apple Computer
    2008-01-22 13:57 --------- d-----w C:\Program Files\QuickTime
    2008-01-22 13:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-01-22 13:56 --------- d-----w C:\Program Files\Apple Software Update
    2008-01-22 13:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2008-01-16 19:11 --------- d-----w C:\Program Files\MagicISO
    2008-01-16 18:52 --------- d-----w C:\Program Files\Alex Feinman
    2008-01-14 20:06 --------- d-----w C:\Documents and Settings\John\Application Data\Ventrilo
    2008-01-12 20:59 --------- d-----w C:\Program Files\SystemRequirementsLab
    2008-01-10 21:21 --------- d-----w C:\Program Files\MSECache
    2008-01-09 23:07 --------- d-----w C:\Program Files\Microsoft Silverlight
    2008-01-09 23:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-01-09 23:04 --------- d-----w C:\Program Files\Microsoft Visual Studio 9.0
    2008-01-09 23:03 --------- d-----w C:\Program Files\Common Files\Merge Modules
    2008-01-09 23:02 --------- d-----w C:\Program Files\Microsoft SDKs
    2008-01-09 20:47 --------- d-----w C:\Program Files\Activision
    2008-01-05 19:35 737,280 ----a-w C:\WINDOWS\iun6002.exe
    2007-12-21 19:08 22,328 ----a-w C:\Documents and Settings\John\Application Data\PnkBstrK.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\ctfmon.exe" [2005-12-31 15:06 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
    "nwiz "= "nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
    "SigmatelSysTrayApp "= "stsystra.exe" [2005-03-22 10:20 339968 C:\WINDOWS\stsystra.exe]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 11:42 58728]
    "Symantec NetDriver Monitor "= "C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-12-22 10:41 100056]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
    "f0c81086 "= "C:\WINDOWS\system32\dvyircmy.dll" [ ]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\CTFMON.EXE" [2005-12-31 15:06 15360]

    C:\Documents and Settings\John\Start Menu\Programs\Startup\
    Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe [2003-06-24 06:31:35 442368]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli scecli scecli scecli

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe "=

    R3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys [2003-07-23 19:16]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-15 20:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - John.job "
    - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task:
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-09 22:05:39
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Messenger\msmsgs.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-09 22:07:58 - machine was rebooted [John]
    ComboFix-quarantined-files.txt 2008-03-09 22:07:56
    .
    2008-03-03 23:00:17 --- E O F ---
     
  4. 2008/03/09
    Geri
    Hi chalkie521
    That account will also have to be gone through; after this one is clean, remind me to have logs made for that account.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINDOWS\QTFont.qfn
    C:\WINDOWS\QTFont.for
    C:\WINDOWS\system32\vbzip10.dll
    C:\n.bat
    C:\WINDOWS\system32\dvyircmy.dll

    Folder::
    C:\VundoFix Backups
    C:\WINDOWS\system32\iDlo18

    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "f0c81086"=-
    Please post the CFScript log.

    Let me know how things are running and if you still get the error message.

    Thanks
    Geri
     
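The triage Geri does by eye in this post can be checked mechanically. The following is an added example, not code from this thread, from ComboFix or from any of the posters: a small Python scanner over the "Reg Loading Points" section of a ComboFix log. It flags three things visible in the logs above: a Run entry whose trailing bracket is empty (every existing file in the log carries a `[date time size]` bracket, while the removed `dvyircmy.dll` shows `[ ]`, which is why an autorun that still points at it produces a "not found" message at logon); value names that are eight random hex digits like `f0c81086`; and Security Center or firewall values set to silence alerts. The sample log text, the function names (`parse_loading_points`, `summarize`) and the `WEAKENING` table are constructed for this example. Note that security suites such as Symantec's set `DisableMonitoring=1` under their own Monitoring subkey on purpose, so those hits are review items rather than proof of tampering.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample in the shape of ComboFix's "Reg Loading Points" section.
# The f0c81086 / dvyircmy.dll pair is the one discussed in this thread; the
# surrounding entries are ordinary autoruns so the scan has benign lines to skip.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
"f0c81086"="C:\WINDOWS\system32\dvyircmy.dll" [ ]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "Name"= "C:\path\file" [meta]  (tolerates stray spaces that copy/paste adds before quotes)
RUN_VALUE_RE = re.compile(r'^"(?P<name>[^"]*?)\s*"\s*=\s*"(?P<target>[^"]*?)\s*"\s*\[(?P<meta>[^\]]*)\]')
# "Name"=dword:00000001   or   "Name"= 0 (0x0)
DWORD_RE = re.compile(r'^"(?P<name>[^"]*?)\s*"\s*=\s*(?:dword:(?P<hex>[0-9a-fA-F]{8})|(?P<dec>\d+)\s*\(0x[0-9a-fA-F]+\))$')
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$", re.IGNORECASE)

# Value name -> setting that weakens Security Center or the XP firewall (constructed table).
# Security suites legitimately set DisableMonitoring themselves, so hits are review items.
WEAKENING = {"antivirusdisablenotify": 1, "disablemonitoring": 1, "enablefirewall": 0}


@dataclass
class Finding:
    kind: str     # orphaned_autorun | random_value_name | security_center_override
    key: str
    name: str
    detail: str


def parse_loading_points(text):
    """Scan the Reg Loading Points text line by line and return a list of Findings."""
    findings = []
    key = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = RUN_VALUE_RE.match(line)
        if m and key.lower().endswith("\\run"):
            name, target, meta = m.group("name"), m.group("target"), m.group("meta").strip()
            if not meta:
                # Existing files carry "[date time size]"; an empty bracket means the
                # target is gone but the autorun still fires, hence the boot-time error.
                findings.append(Finding("orphaned_autorun", key, name,
                                        f"{target} no longer exists on disk"))
            if HEX_NAME_RE.match(name):
                findings.append(Finding("random_value_name", key, name,
                                        "eight hex digits, typical of generated autorun names"))
            continue
        m = DWORD_RE.match(line)
        if m:
            name = m.group("name")
            value = int(m.group("hex"), 16) if m.group("hex") else int(m.group("dec"))
            if WEAKENING.get(name.lower()) == value:
                findings.append(Finding("security_center_override", key, name,
                                        f"{name}={value} silences or disables protection"))
    return findings


def summarize(text):
    """Count findings by kind, for a quick glance before reading the details."""
    return dict(Counter(f.kind for f in parse_loading_points(text)))


if __name__ == "__main__":
    for f in parse_loading_points(SAMPLE_LOG):
        print(f"{f.kind:26} {f.name:24} {f.detail}")
    print(summarize(SAMPLE_LOG))
```

Run against the sample it reports one orphaned autorun (`f0c81086`), one random-looking value name (the same entry) and three Security Center overrides; on a real log, paste the section between the "Reg Loading Points" banner and the "Scheduled Tasks" line into `SAMPLE_LOG` or read it from a file. The orphaned-autorun check is the one that explains this thread's symptom: the DLL had already been removed, but the Run value that loads it through rundll32 was still present until the `Registry::` section of the CFScript deleted it.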
  5. 2008/03/11
    chalkie521 (Thread Starter)
    Hi Geri,

    Here is the log... I still get the error on boot; I will let you know if anything else happens.

    ComboFix 08-03-09.1 - John 2008-03-11 8:13:37.7 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.641 [GMT 0:00]
    Running from: C:\Documents and Settings\John\Desktop\malware scanners etc\ComboFix.exe
    Command switches used :: C:\Documents and Settings\John\Desktop\malware scanners etc\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\n.bat
    C:\WINDOWS\QTFont.for
    C:\WINDOWS\QTFont.qfn
    C:\WINDOWS\system32\dvyircmy.dll
    C:\WINDOWS\system32\vbzip10.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\n.bat
    C:\VundoFix Backups
    C:\VundoFix Backups\awvtu.dll.bad
    C:\VundoFix Backups\dvyircmy.dll.bad
    C:\VundoFix Backups\hixlaggr.dll.bad
    C:\VundoFix Backups\khfccyy.dll.bad
    C:\VundoFix Backups\utvwa.ini.bad
    C:\VundoFix Backups\utvwa.ini2.bad
    C:\VundoFix Backups\ymcriyvd.ini.bad
    C:\WINDOWS\QTFont.for
    C:\WINDOWS\QTFont.qfn
    C:\WINDOWS\system32\iDlo18
    C:\WINDOWS\system32\vbzip10.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
    .

    2008-03-09 12:25 . 2008-03-09 12:25 <DIR> d-------- C:\Documents and Settings\Mandy\Application Data\Apple Computer
    2008-03-09 12:20 . 2008-03-09 12:20 <DIR> d-------- C:\Documents and Settings\Mandy\Application Data\Grisoft
    2008-03-08 20:28 . 2008-03-08 20:28 <DIR> d-------- C:\Documents and Settings\John\Application Data\Grisoft
    2008-03-08 20:28 . 2008-03-08 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-03-08 20:28 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-03-08 20:05 . 2008-03-08 20:05 352 --a------ C:\WINDOWS\system32\drivers\kgpfr2.cfg
    2008-03-08 20:00 . 2008-03-08 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
    2008-03-08 19:59 . 2008-03-08 19:59 <DIR> d-------- C:\Program Files\Common Files\iS3
    2008-03-08 19:59 . 2008-03-08 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
    2008-03-03 22:37 . 2008-03-03 22:37 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-03-03 22:37 . 2008-03-03 22:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-03-02 16:36 . 2008-03-02 16:36 <DIR> d-------- C:\Program Files\MSXML 4.0
    2008-03-02 16:07 . 2008-03-09 21:31 <DIR> d-------- C:\Temp
    2008-03-02 16:07 . 2008-03-02 16:07 <DIR> d-------- C:\Program Files\Microsoft Games
    2008-03-02 16:05 . 2008-03-02 16:48 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-23 13:47 . 2008-02-23 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-02-21 20:36 . 2008-02-21 20:36 <DIR> d-------- C:\Documents and Settings\John\Application Data\Leadertech
    2008-02-20 18:56 . 2008-02-20 18:56 <DIR> d-------- C:\Documents and Settings\Mandy\Application Data\Leadertech
    2008-02-20 16:56 . 2008-02-20 16:56 <DIR> d-------- C:\Documents and Settings\Mandy\Application Data\AdobeUM
    2008-02-20 16:56 . 2008-02-20 16:56 <DIR> d-------- C:\Documents and Settings\Mandy\Application Data\AdobeAUM
    2008-02-20 16:41 . 2005-07-07 14:25 81,728 -ra------ C:\WINDOWS\system32\drivers\k750mgmt.sys
    2008-02-20 16:38 . 2005-07-07 14:25 79,488 -ra------ C:\WINDOWS\system32\drivers\k750obex.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-11 08:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-03-09 14:54 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-03-02 18:18 --------- d-----w C:\Documents and Settings\John\Application Data\LimeWire
    2008-03-02 17:55 --------- d-----w C:\Program Files\Norton Internet Security
    2008-03-02 16:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-02 16:06 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-02-24 14:01 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-01-22 14:22 --------- d-----w C:\Documents and Settings\John\Application Data\Apple Computer
    2008-01-22 13:57 --------- d-----w C:\Program Files\QuickTime
    2008-01-22 13:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-01-22 13:56 --------- d-----w C:\Program Files\Apple Software Update
    2008-01-22 13:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2008-01-16 19:11 --------- d-----w C:\Program Files\MagicISO
    2008-01-16 18:52 --------- d-----w C:\Program Files\Alex Feinman
    2008-01-14 20:06 --------- d-----w C:\Documents and Settings\John\Application Data\Ventrilo
    2008-01-12 20:59 --------- d-----w C:\Program Files\SystemRequirementsLab
    2008-01-05 19:35 737,280 ----a-w C:\WINDOWS\iun6002.exe
    2007-12-21 19:08 22,328 ----a-w C:\Documents and Settings\John\Application Data\PnkBstrK.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\ctfmon.exe" [2005-12-31 15:06 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
    "nwiz "= "nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
    "SigmatelSysTrayApp "= "stsystra.exe" [2005-03-22 10:20 339968 C:\WINDOWS\stsystra.exe]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 11:42 58728]
    "Symantec NetDriver Monitor "= "C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-12-22 10:41 100056]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
    "f0c81086 "= "C:\WINDOWS\system32\dvyircmy.dll" [ ]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\CTFMON.EXE" [2005-12-31 15:06 15360]

    C:\Documents and Settings\John\Start Menu\Programs\Startup\
    Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe [2003-06-24 06:31:35 442368]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli scecli scecli scecli

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe "=

    R3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys [2003-07-23 19:16]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-15 20:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - John.job "
    - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task:
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-11 08:19:14
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Messenger\msmsgs.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-11 8:21:26 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-03-11 08:21:23
    ComboFix2.txt 2008-03-09 22:07:59
    .
    2008-03-03 23:00:17 --- E O F ---
     
  7. 2008/03/11
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, let's try this again.

    Please delete the ComboFix you have and download the newer version.
    Download ComboFix from Here to your Desktop.

    Highlight and copy the contents of the code box below and paste it into a blank Notepad window, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "f0c81086"=-
    Let me know if you still get the error message on reboot.

    Thanks
    Geri
     
    Geri,
    #6
  8. 2008/03/11
    chalkie521

    chalkie521 Inactive Thread Starter

    Joined:
    2008/03/03
    Messages:
    8
    Likes Received:
    0
    Great stuff, Geri. The boot error seems to have gone; here are the logs.

    ComboFix 08-03-10.1 - John 2008-03-11 18:45:29.8 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.657 [GMT 0:00]
    Running from: C:\Documents and Settings\John\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\John\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
    .

    2008-03-09 12:25 . 2008-03-09 12:25 <DIR> d-------- C:\Documents and Settings\Mandy\Application Data\Apple Computer
    2008-03-09 12:20 . 2008-03-09 12:20 <DIR> d-------- C:\Documents and Settings\Mandy\Application Data\Grisoft
    2008-03-08 20:28 . 2008-03-08 20:28 <DIR> d-------- C:\Documents and Settings\John\Application Data\Grisoft
    2008-03-08 20:28 . 2008-03-08 20:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-03-08 20:28 . 2007-05-30 12:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-03-08 20:05 . 2008-03-08 20:05 352 --a------ C:\WINDOWS\system32\drivers\kgpfr2.cfg
    2008-03-08 20:00 . 2008-03-08 20:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
    2008-03-08 19:59 . 2008-03-08 19:59 <DIR> d-------- C:\Program Files\Common Files\iS3
    2008-03-08 19:59 . 2008-03-08 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
    2008-03-03 22:37 . 2008-03-03 22:37 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-03-03 22:37 . 2008-03-03 22:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-03-02 16:36 . 2008-03-02 16:36 <DIR> d-------- C:\Program Files\MSXML 4.0
    2008-03-02 16:07 . 2008-03-09 21:31 <DIR> d-------- C:\Temp
    2008-03-02 16:07 . 2008-03-02 16:07 <DIR> d-------- C:\Program Files\Microsoft Games
    2008-03-02 16:05 . 2008-03-02 16:48 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-23 13:47 . 2008-02-23 13:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-02-21 20:36 . 2008-02-21 20:36 <DIR> d-------- C:\Documents and Settings\John\Application Data\Leadertech
    2008-02-20 18:56 . 2008-02-20 18:56 <DIR> d-------- C:\Documents and Settings\Mandy\Application Data\Leadertech
    2008-02-20 16:56 . 2008-02-20 16:56 <DIR> d-------- C:\Documents and Settings\Mandy\Application Data\AdobeUM
    2008-02-20 16:56 . 2008-02-20 16:56 <DIR> d-------- C:\Documents and Settings\Mandy\Application Data\AdobeAUM
    2008-02-20 16:41 . 2005-07-07 14:25 81,728 -ra------ C:\WINDOWS\system32\drivers\k750mgmt.sys
    2008-02-20 16:38 . 2005-07-07 14:25 79,488 -ra------ C:\WINDOWS\system32\drivers\k750obex.sys

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-03-11 18:49 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-03-09 14:54 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
    2008-03-02 18:18 --------- d-----w C:\Documents and Settings\John\Application Data\LimeWire
    2008-03-02 17:55 --------- d-----w C:\Program Files\Norton Internet Security
    2008-03-02 16:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-03-02 16:06 --------- d-----w C:\Program Files\Common Files\InstallShield
    2008-02-24 14:01 --------- d-----w C:\Program Files\Common Files\Adobe
    2008-01-22 14:22 --------- d-----w C:\Documents and Settings\John\Application Data\Apple Computer
    2008-01-22 13:57 --------- d-----w C:\Program Files\QuickTime
    2008-01-22 13:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-01-22 13:56 --------- d-----w C:\Program Files\Apple Software Update
    2008-01-22 13:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2008-01-16 19:11 --------- d-----w C:\Program Files\MagicISO
    2008-01-16 18:52 --------- d-----w C:\Program Files\Alex Feinman
    2008-01-14 20:06 --------- d-----w C:\Documents and Settings\John\Application Data\Ventrilo
    2008-01-12 20:59 --------- d-----w C:\Program Files\SystemRequirementsLab
    2008-01-05 19:35 737,280 ----a-w C:\WINDOWS\iun6002.exe
    2007-12-21 19:08 22,328 ----a-w C:\Documents and Settings\John\Application Data\PnkBstrK.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2005-12-31 15:06 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
    "nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]
    "SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 10:20 339968 C:\WINDOWS\stsystra.exe]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 11:42 58728]
    "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-12-22 10:41 100056]
    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 15:27 385024]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2005-12-31 15:06 15360]

    C:\Documents and Settings\John\Start Menu\Programs\Startup\
    Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe [2003-06-24 06:31:35 442368]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"= 0 (0x0)

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Notification Packages REG_MULTI_SZ scecli scecli scecli scecli

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "C:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=

    R3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys [2003-07-23 19:16]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-15 20:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - John.job"
    - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task:
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-03-11 18:49:48
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Messenger\msmsgs.exe
    .
    **************************************************************************
    .
    Completion time: 2008-03-11 18:51:58 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-03-11 18:51:55
    ComboFix2.txt 2008-03-11 08:21:26
    ComboFix3.txt 2008-03-09 22:07:59
    .
    2008-03-03 23:00:17 --- E O F ---





    and the HJT log


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:05:20, on 11/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
    C:\Documents and Settings\John\Desktop\malware scanners etc\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skysports.com/football/teams/liverpool/0,19734,11669,00.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1198256458187
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 8589 bytes
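The ComboFix "Reg Loading Points" section in the logs above is what the helper reads by eye from one run to the next. The script below is an added example written for this page, not code from the thread or from ComboFix's authors: it parses that section, diffs two runs, flags Run values with bare hex names (the `f0c81086` value Geri's CFScript removed is one), and lists the Security Center and firewall values that deserve a second look. The BEFORE and AFTER excerpts are constructed in the log's format; the target `dvyircmy.dll` for `f0c81086` is an assumption for illustration, since the thread never states what that value pointed at.

```python
import re
from collections import namedtuple

# Constructed sample in the ComboFix "Reg Loading Points" format seen in this
# thread: a "before" excerpt with an extra hex-named Run value (f0c81086, the
# value Geri's CFScript removed) and an "after" excerpt without it.  The
# dvyircmy.dll target is an assumption for illustration, not taken from the logs.
BEFORE = r'''
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]
"f0c81086"="C:\WINDOWS\system32\dvyircmy.dll" [2008-03-01 10:00 45056]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 11:42 58728]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
'''
# The "after" log is the same excerpt with the hex-named value gone.
AFTER = "\n".join(l for l in BEFORE.splitlines() if "f0c81086" not in l)

Entry = namedtuple("Entry", "key name data")
KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')
HEX_NAME = re.compile(r"^[0-9a-f]{8,}$", re.I)


def parse_reg_points(text):
    """Parse [key] headers and "name"=data lines into Entry tuples; keys are
    lower-cased so the same path always compares equal.  Other lines are ignored."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1).lower()
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            entries.append(Entry(key, m.group(1), m.group(2).strip()))
    return entries


def as_int(data):
    """Decode ComboFix's two numeric spellings: 'dword:00000001' or '0 (0x0)'."""
    m = re.match(r"dword:([0-9a-f]+)", data, re.I)
    if m:
        return int(m.group(1), 16)
    m = re.match(r"(\d+)", data)
    return int(m.group(1)) if m else None


def diff_reg_points(before, after):
    """Return (removed, added): entries present only in the earlier / later log."""
    b, a = set(parse_reg_points(before)), set(parse_reg_points(after))
    return sorted(b - a), sorted(a - b)


def suspicious_run_values(entries):
    """Run values whose name is a bare hex blob, like f0c81086.  Vendors use
    readable names, so a random one is worth a look.  A heuristic, not proof."""
    return [e for e in entries if e.key.endswith("\\run") and HEX_NAME.match(e.name)]


def review_settings(entries):
    """Security Center / firewall values that hide disabled protection from the
    user.  Third-party suites (Norton on this machine) legitimately set
    DisableNotify / DisableMonitoring for themselves and turn the Windows
    Firewall off in favour of their own, so these are items to verify against
    the installed product, not a verdict."""
    notes = []
    for e in entries:
        name, val = e.name.lower(), as_int(e.data)
        leaf = e.key.rsplit("\\", 1)[-1]  # last key component, e.g. the product name
        if "security center\\monitoring" in e.key and name == "disablemonitoring" and val == 1:
            notes.append(f"{leaf}: DisableMonitoring=1, confirm the product is really running")
        elif "security center" in e.key and name.endswith("disablenotify") and val == 1:
            notes.append(f"{e.name}=1: Security Center alerts suppressed")
        elif "firewallpolicy" in e.key and name == "enablefirewall" and val == 0:
            notes.append(f"EnableFirewall=0 in {leaf}: Windows Firewall off")
    return notes


def main():
    removed, added = diff_reg_points(BEFORE, AFTER)
    print("removed since earlier log:", [e.name for e in removed])
    print("added since earlier log:  ", [e.name for e in added])
    print("hex-named Run values:", [e.name for e in suspicious_run_values(parse_reg_points(BEFORE))])
    for note in review_settings(parse_reg_points(AFTER)):
        print("review:", note)


if __name__ == "__main__":
    main()
```

On the machine in this thread the three "review" lines are a product footprint: Norton Internet Security registers itself with Security Center and runs its own firewall, and the same three values appear unchanged in both posted ComboFix runs, so they are not what the CFScript touched. The diff is the part that carries weight; a value that vanishes between runs without a script asking for it is just as interesting as one that appears.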
     
  9. 2008/03/11
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi chalkie521
    OK, things look good.

    You need to open these files in qoobox with Notepad and see if any passwords used for anything are listed. If so, those passwords need to be changed.

    C:\qoobox\quarantined-files\C\x.dat.vir
    C:\qoobox\quarantined-files\C\z.dat.vir

    Then please do a full system search for these and see if any are found other than in QOOBOX.
    x.dat.vir
    z.dat.vir


    Here is how.

    Click on Start – Search – All Files and Folders – Put ( x.dat.vir ) in the “All or part of the file name” spot. Scroll down and click on “More advanced options”. Put a check on “Search system folders”, “Search hidden files and folders” and “Search subfolders”. Click Search.
    Write down the folder path that is given on the right side so you can find it and delete it.
    Then do this one: z.dat.vir

    Let me know if any were found.


    Let's get an online scan to make sure nothing is lurking.

    Please do an online scan with Kaspersky WebScanner

    Click on “Accept”. If your pop-up blocker blocks the ActiveX download, allow it and click on “Accept” again.

    You will be prompted to install an ActiveX component from Kaspersky; click Yes or Install.
    • The program will launch and then begin downloading the latest definition files.
    • Once the files have been downloaded, click on NEXT.
    • Now click on Scan Settings.
    • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
      • Scan Options: Scan Archives, Scan Mail Bases
    • Click OK.
    • Now under “Select a target to scan”, select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button and save the file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
    Geri,
    #8
  10. 2008/03/12
    chalkie521

    chalkie521 Inactive Thread Starter

    Joined:
    2008/03/03
    Messages:
    8
    Likes Received:
    0
    OK, I checked the .vir files and changed the passwords. The system search did not find any other copies other than the 2 in qoobox; these have been deleted. Here is the Kaspersky log

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Wednesday, March 12, 2008 9:35:25 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 12/03/2008
    Kaspersky Anti-Virus database records: 626238
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\

    Scan Statistics:
    Total number of scanned objects: 137891
    Number of viruses found: 2
    Number of infected objects: 6
    Number of suspicious objects: 0
    Duration of the scan process: 01:10:53

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-03-12_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
    C:\Documents and Settings\John\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped
    C:\Documents and Settings\John\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
    C:\Documents and Settings\John\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\John\Desktop\malware scanners etc\backups\backup-20080308-203951-106.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Object is locked skipped
    C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\John\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\John\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\John\Local Settings\History\History.IE5\MSHist012008031220080313\index.dat Object is locked skipped
    C:\Documents and Settings\John\Local Settings\Temp\Perflib_Perfdata_a08.dat Object is locked skipped
    C:\Documents and Settings\John\Local Settings\Temp\~DF5857.tmp Object is locked skipped
    C:\Documents and Settings\John\Local Settings\Temp\~DF5862.tmp Object is locked skipped
    C:\Documents and Settings\John\Local Settings\Temp\~DFD946.tmp Object is locked skipped
    C:\Documents and Settings\John\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.Word\~WRS0000.tmp Object is locked skipped
    C:\Documents and Settings\John\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\John\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\John\UserData\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
    C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
    C:\QooBox\Quarantine\C\VundoFix Backups\awvtu.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\VundoFix Backups\khfccyy.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\khfccyy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{8D876EDF-39F0-4992-BBD8-8D1710234EE1}\RP3\A0000008.exe Infected: not-a-virus:pSWTool.Win32.PassView.ac skipped
    C:\System Volume Information\_restore{8D876EDF-39F0-4992-BBD8-8D1710234EE1}\RP3\A0000009.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
    C:\System Volume Information\_restore{8D876EDF-39F0-4992-BBD8-8D1710234EE1}\RP6\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
     
  11. 2008/03/12
    Geri
    Hi chalkie521

    OK, please do this search again; the .vir should have been taken off. Sorry.

    Click on Start – Search – All Files and Folders. Put ( x.dat ) in the "All or part of the file name" spot. Scroll down and click on "More advanced options". Put a check on "Search system folders", "Search hidden files and folders" and "Search subfolders". Click Search.
    Write down the folder path that is given on the right side so you can find it and delete it.
    Then do this one: z.dat

    Let me know if any were found.

    OK Kaspersky looks good, lets clean it up.

    Click Start > Run. In the run box, copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created.

    Please delete this. Not sure what you have in the folder?
    C:\Documents and Settings\John\Desktop\malware scanners etc\backups\backup-20080308-203951-106.dll

    Now please log into the other account you have on the machine and run Deckard's System Scanner while logged onto that account, and post the DSS log.

    Thanks
    Geri
     
  12. 2008/03/13
    chalkie521 (Thread Starter)
    Hey Geri, no problem. Still no more found, and the file has been deleted. Here are the logs from DSS:

    Deckard's System Scanner v20071014.68
    Run by Mandy on 2008-03-13 08:10:18
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 2 Restore Point(s) --
    2: 2008-03-13 08:10:22 UTC - RP8 - Deckard's System Scanner Restore Point
    1: 2008-03-13 07:57:28 UTC - RP7 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Mandy.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:11:52, on 13/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Mandy\Desktop\dss.exe
    C:\DOCUME~1\John\Desktop\MALWAR~1\Mandy.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-602162358-1343024091-725345543-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'John')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-21-602162358-1343024091-725345543-1004 Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe (User 'John')
    O4 - S-1-5-21-602162358-1343024091-725345543-1004 User Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe (User 'John')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1198256458187
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 8888 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    All drivers whitelisted.


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    S3 Creative Labs Licensing Service - "c:\program files\common files\creative labs shared\service\creativelicensing.exe" <Not Verified; Creative Labs; Creative Labs Licensing Service>
    S3 Imapi Helper - "c:\program files\alex feinman\iso recorder\imapihelper.exe" <Not Verified; Alex Feinman; ISO Recorder>


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Modem
    Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&5855BE9&0&18F0
    Manufacturer:
    Name: PCI Modem
    PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&5855BE9&0&18F0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: SM Bus Controller
    Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_01D21028&REV_01\3&172E68DD&0&FB
    Manufacturer:
    Name: SM Bus Controller
    PNP Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_01D21028&REV_01\3&172E68DD&0&FB
    Service:


    -- Scheduled Tasks -------------------------------------------------------------

    2008-02-15 20:00:00 546 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - John.job


    -- Files created between 2008-02-13 and 2008-03-13 -----------------------------

    2008-03-09 12:25:22 0 d-------- C:\Documents and Settings\Mandy\Application Data\Apple Computer
    2008-03-09 12:20:40 0 d-------- C:\Documents and Settings\Mandy\Application Data\Grisoft
    2008-03-08 20:28:17 0 d-------- C:\Documents and Settings\John\Application Data\Grisoft
    2008-03-08 20:28:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-03-08 20:10:35 0 d-------- C:\Documents and Settings\Default User\Application Data\Adobe
    2008-03-08 20:00:32 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
    2008-03-08 19:59:24 0 d-------- C:\Program Files\Common Files\iS3
    2008-03-08 19:59:24 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
    2008-03-03 22:37:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-03-03 22:37:00 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-03-02 16:36:39 0 d-------- C:\Program Files\MSXML 4.0
    2008-03-02 16:07:52 0 d-------- C:\Program Files\Microsoft Games
    2008-03-02 16:07:47 0 d-------- C:\Temp
    2008-03-02 16:05:23 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-23 13:47:04 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-02-21 20:36:30 0 d-------- C:\Documents and Settings\John\Application Data\Leadertech
    2008-02-20 18:56:04 0 d-------- C:\Documents and Settings\Mandy\Application Data\Leadertech
    2008-02-20 16:56:07 0 d-------- C:\Documents and Settings\Mandy\Application Data\AdobeUM
    2008-02-20 16:56:07 0 d-------- C:\Documents and Settings\Mandy\Application Data\AdobeAUM


    -- Find3M Report ---------------------------------------------------------------

    2008-03-13 08:12:23 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-03-13 08:07:48 0 d-------- C:\Program Files\Common Files
    2008-03-02 17:55:27 0 d-------- C:\Program Files\Norton Internet Security
    2008-03-02 16:36:49 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-03-02 16:06:29 0 d-------- C:\Program Files\Common Files\InstallShield
    2008-02-24 14:01:30 0 d-------- C:\Program Files\Common Files\Adobe
    2008-02-20 16:56:07 0 d-------- C:\Documents and Settings\Mandy\Application Data\Adobe
    2008-01-22 13:57:43 0 d-------- C:\Program Files\QuickTime
    2008-01-22 13:56:56 0 d-------- C:\Program Files\Apple Software Update
    2008-01-18 18:12:11 0 d-------- C:\Program Files\Messenger
    2008-01-18 18:07:37 0 d-------- C:\Program Files\Windows NT
    2008-01-18 18:07:32 0 d-------- C:\Program Files\Movie Maker
    2008-01-16 19:11:06 0 d-------- C:\Program Files\MagicISO
    2008-01-16 18:52:15 0 d-------- C:\Program Files\Alex Feinman
    2008-01-12 23:42:23 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
    2008-01-05 19:35:20 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
    2008-01-04 20:55:44 151552 --a------ C:\WINDOWS\system32\nvRegDev.dll
    2007-12-22 18:38:44 203264 --a------ C:\WINDOWS\system32\COD4MW Screensaver.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
    2007-12-21 15:24:31 8 --a------ C:\WINDOWS\system32\nvModes.dat
    2007-12-21 15:09:50 0 -rahs---- C:\MSDOS.SYS
    2007-12-21 15:09:50 0 -rahs---- C:\IO.SYS
    2007-12-21 15:09:50 0 --a------ C:\CONFIG.SYS
    2007-12-21 15:09:50 0 --a------ C:\AUTOEXEC.BAT
    2007-12-21 15:07:22 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2007-12-21 14:56:31 62 --ahs---- C:\Documents and Settings\Mandy\Application Data\desktop.ini


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [05/12/2007 01:41]
    "nwiz "= "nwiz.exe" [05/12/2007 01:41 C:\WINDOWS\system32\nwiz.exe]
    "SigmatelSysTrayApp "= "stsystra.exe" [22/03/2005 10:20 C:\WINDOWS\stsystra.exe]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [17/01/2008 11:42]
    "Symantec NetDriver Monitor "= "C:\PROGRA~1\SYMNET~1\SNDMon.exe" [22/12/2007 10:41]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [05/12/2007 01:41]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [10/01/2008 15:27]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 09:25]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\ctfmon.exe" [31/12/2005 15:06]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 16:24]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages "= scecli scecli scecli scecli

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    eapsvcs eaphost
    dot3svc dot3svc




    -- End of Deckard's System Scanner: finished at 2008-03-13 08:13:01 ------------



    And




    Deckard's System Scanner v20071014.68
    Run by Mandy on 2008-03-13 08:10:18
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    -- System Restore --------------------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.


    -- Last 2 Restore Point(s) --
    2: 2008-03-13 08:10:22 UTC - RP8 - Deckard's System Scanner Restore Point
    1: 2008-03-13 07:57:28 UTC - RP7 - System Checkpoint


    Backed up registry hives.
    Performed disk cleanup.



    -- HijackThis (run as Mandy.exe) -----------------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:11:52, on 13/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16608)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Norton Internet Security\ISSVC.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\Mandy\Desktop\dss.exe
    C:\DOCUME~1\John\Desktop\MALWAR~1\Mandy.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Norton Internet Security - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe "
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-602162358-1343024091-725345543-1004\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe (User 'John')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - S-1-5-21-602162358-1343024091-725345543-1004 Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe (User 'John')
    O4 - S-1-5-21-602162358-1343024091-725345543-1004 User Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe (User 'John')
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownload/srl/2.0.0.1/sysreqlab2.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1198256458187
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Labs Licensing Service - Creative Labs - C:\Program Files\Common Files\Creative Labs Shared\Service\CreativeLicensing.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
    O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 8888 bytes

    -- File Associations -----------------------------------------------------------

    All associations okay.


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    All drivers whitelisted.


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

    S3 Creative Labs Licensing Service - "c:\program files\common files\creative labs shared\service\creativelicensing.exe" <Not Verified; Creative Labs; Creative Labs Licensing Service>
    S3 Imapi Helper - "c:\program files\alex feinman\iso recorder\imapihelper.exe" <Not Verified; Alex Feinman; ISO Recorder>


    -- Device Manager: Disabled ----------------------------------------------------

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: PCI Modem
    Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&5855BE9&0&18F0
    Manufacturer:
    Name: PCI Modem
    PNP Device ID: PCI\VEN_8086&DEV_1080&SUBSYS_10001028&REV_04\4&5855BE9&0&18F0
    Service:

    Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
    Description: SM Bus Controller
    Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_01D21028&REV_01\3&172E68DD&0&FB
    Manufacturer:
    Name: SM Bus Controller
    PNP Device ID: PCI\VEN_8086&DEV_27DA&SUBSYS_01D21028&REV_01\3&172E68DD&0&FB
    Service:


    -- Scheduled Tasks -------------------------------------------------------------

    2008-02-15 20:00:00 546 --a------ C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - John.job


    -- Files created between 2008-02-13 and 2008-03-13 -----------------------------

    2008-03-09 12:25:22 0 d-------- C:\Documents and Settings\Mandy\Application Data\Apple Computer
    2008-03-09 12:20:40 0 d-------- C:\Documents and Settings\Mandy\Application Data\Grisoft
    2008-03-08 20:28:17 0 d-------- C:\Documents and Settings\John\Application Data\Grisoft
    2008-03-08 20:28:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-03-08 20:10:35 0 d-------- C:\Documents and Settings\Default User\Application Data\Adobe
    2008-03-08 20:00:32 0 d-------- C:\Documents and Settings\All Users\Application Data\SITEguard
    2008-03-08 19:59:24 0 d-------- C:\Program Files\Common Files\iS3
    2008-03-08 19:59:24 0 d-------- C:\Documents and Settings\All Users\Application Data\STOPzilla!
    2008-03-03 22:37:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-03-03 22:37:00 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-03-02 16:36:39 0 d-------- C:\Program Files\MSXML 4.0
    2008-03-02 16:07:52 0 d-------- C:\Program Files\Microsoft Games
    2008-03-02 16:07:47 0 d-------- C:\Temp
    2008-03-02 16:05:23 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2008-02-23 13:47:04 0 d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
    2008-02-21 20:36:30 0 d-------- C:\Documents and Settings\John\Application Data\Leadertech
    2008-02-20 18:56:04 0 d-------- C:\Documents and Settings\Mandy\Application Data\Leadertech
    2008-02-20 16:56:07 0 d-------- C:\Documents and Settings\Mandy\Application Data\AdobeUM
    2008-02-20 16:56:07 0 d-------- C:\Documents and Settings\Mandy\Application Data\AdobeAUM


    -- Find3M Report ---------------------------------------------------------------

    2008-03-13 08:12:23 0 d-------- C:\Program Files\Common Files\Symantec Shared
    2008-03-13 08:07:48 0 d-------- C:\Program Files\Common Files
    2008-03-02 17:55:27 0 d-------- C:\Program Files\Norton Internet Security
    2008-03-02 16:36:49 0 d--h----- C:\Program Files\InstallShield Installation Information
    2008-03-02 16:06:29 0 d-------- C:\Program Files\Common Files\InstallShield
    2008-02-24 14:01:30 0 d-------- C:\Program Files\Common Files\Adobe
    2008-02-20 16:56:07 0 d-------- C:\Documents and Settings\Mandy\Application Data\Adobe
    2008-01-22 13:57:43 0 d-------- C:\Program Files\QuickTime
    2008-01-22 13:56:56 0 d-------- C:\Program Files\Apple Software Update
    2008-01-18 18:12:11 0 d-------- C:\Program Files\Messenger
    2008-01-18 18:07:37 0 d-------- C:\Program Files\Windows NT
    2008-01-18 18:07:32 0 d-------- C:\Program Files\Movie Maker
    2008-01-16 19:11:06 0 d-------- C:\Program Files\MagicISO
    2008-01-16 18:52:15 0 d-------- C:\Program Files\Alex Feinman
    2008-01-12 23:42:23 2560 --a------ C:\WINDOWS\_MSRSTRT.EXE
    2008-01-05 19:35:20 737280 --a------ C:\WINDOWS\iun6002.exe <Not Verified; Indigo Rose Corporation; Setup Factory 6.0 Runtime Module>
    2008-01-04 20:55:44 151552 --a------ C:\WINDOWS\system32\nvRegDev.dll
    2007-12-22 18:38:44 203264 --a------ C:\WINDOWS\system32\COD4MW Screensaver.scr <Not Verified; ScreenTime Media; ScreenTime For Flash>
    2007-12-21 15:24:31 8 --a------ C:\WINDOWS\system32\nvModes.dat
    2007-12-21 15:09:50 0 -rahs---- C:\MSDOS.SYS
    2007-12-21 15:09:50 0 -rahs---- C:\IO.SYS
    2007-12-21 15:09:50 0 --a------ C:\CONFIG.SYS
    2007-12-21 15:09:50 0 --a------ C:\AUTOEXEC.BAT
    2007-12-21 15:07:22 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2007-12-21 14:56:31 62 --ahs---- C:\Documents and Settings\Mandy\Application Data\desktop.ini


    -- Registry Dump ---------------------------------------------------------------

    *Note* empty entries & legit default entries are not shown


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NvCplDaemon "= "C:\WINDOWS\system32\NvCpl.dll" [05/12/2007 01:41]
    "nwiz "= "nwiz.exe" [05/12/2007 01:41 C:\WINDOWS\system32\nwiz.exe]
    "SigmatelSysTrayApp "= "stsystra.exe" [22/03/2005 10:20 C:\WINDOWS\stsystra.exe]
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25/09/2007 01:11]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [17/01/2008 11:42]
    "Symantec NetDriver Monitor "= "C:\PROGRA~1\SYMNET~1\SNDMon.exe" [22/12/2007 10:41]
    "NvMediaCenter "= "C:\WINDOWS\system32\NvMcTray.dll" [05/12/2007 01:41]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [10/01/2008 15:27]
    "!AVG Anti-Spyware "= "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 09:25]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE "= "C:\WINDOWS\system32\ctfmon.exe" [31/12/2005 15:06]
    "MSMSGS "= "C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 16:24]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools "=0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages "= scecli scecli scecli scecli

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    eapsvcs eaphost
    dot3svc dot3svc




    -- End of Deckard's System Scanner: finished at 2008-03-13 08:13:01 ------------
     
  13. 2008/03/13
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi chalkie521

    I'm not seeing anything in those logs.

    How are things running?

    Let me know,

    Geri
     
  14. 2008/03/14
    chalkie521

    chalkie521 Inactive Thread Starter

    Joined:
    2008/03/03
    Messages:
    8
    Likes Received:
    0
    Hi Geri,

I have to admit that all seems well. I have no errors and Explorer is behaving. By now you know my protection system quite well, but do you have any recommendations? Could I be running something better, or a combination of things?

    Thanks for taking the time.

    John
     
  15. 2008/03/14
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi John
    That's good to hear.

We need to clean out your System Restore points; there are infections in them, and if you did a System Restore it would reinfect you.

    Here is how.

    You must be logged in as an Administrator to do this. If you are not logged in as an Administrator, the System Restore tab will not be displayed.
    Turning off System Restore will clear out all previous restore points.

    To turn off Windows XP System Restore:
    NOTE: These instructions assume that you are using the default Windows XP Start Menu and have not changed to the Classic Start menu. To re-enable the default menu, right-click Start, click Properties, click Start menu (not Classic) and then click OK.
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    8. Restart the computer and follow the instructions in the next section to turn on System Restore.

    To turn on Windows XP System Restore:
    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
    5. Click Apply, and then click OK.
    6. Make a new restore point.
    7. Click Start, All Programs, Accessories, System Tools, System Restore.
    Choose "Create a restore point" and click Next. Under "Type a description for your restore point" put a name in the box. Click Create. In the next window click Close.


Please look at this link for some preventive recommendations. It could keep you from ending up back here in the Spyware and Virus Removal Forums.
    http://www.windowsbbs.com/showthread.php?t=67958

I'll mark this one resolved in a day or so if you have no problems.

    Surf Safely.
    Geri
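A scripted form of the same procedure, added here as an example; it is not part of Geri's post or anything else in this thread. It assumes Windows XP (as in this thread) with Windows PowerShell installed and an Administrator session, and uses the SystemRestore WMI class in the root\default namespace (its Disable, Enable and CreateRestorePoint methods) to do what the GUI steps do: list the current restore points, turn System Restore off (which on XP discards all of them, including any infected files they hold), turn it back on, and create a fresh, known-clean restore point. The drive letter and the restore point description are assumptions.

```powershell
# Added example: scripted equivalent of the GUI steps in the post above.
# Assumes Windows XP with Windows PowerShell installed and an Administrator
# session; the SystemRestore WMI class lives in the root\default namespace.
$drive = "C:\"   # assumed system drive; adjust if Windows lives elsewhere
$sr = [wmiclass]"\\.\root\default:SystemRestore"

# 1. Show what is about to be discarded: every restore point on the machine.
Write-Host "Existing restore points:"
Get-WmiObject -Namespace root\default -Class SystemRestore |
    Sort-Object SequenceNumber |
    ForEach-Object { "{0,5}  {1}  {2}" -f $_.SequenceNumber, $_.CreationTime, $_.Description }

# 2. Turn System Restore off. On XP this deletes all existing restore points,
#    which is the point of the exercise: a restore to any of them would bring
#    the infection back.
$r = $sr.Disable($drive)
if ($r.ReturnValue -ne 0) { throw "Disable failed, return code $($r.ReturnValue)" }

# 3. Turn it back on and wait until the service reports it is enabled.
$r = $sr.Enable($drive, $true)
if ($r.ReturnValue -ne 0) { throw "Enable failed, return code $($r.ReturnValue)" }

# 4. Create a fresh, known-clean restore point.
#    12 = MODIFY_SETTINGS restore point type, 100 = BEGIN_SYSTEM_CHANGE event type.
$r = $sr.CreateRestorePoint("Clean baseline after malware removal", 12, 100)
if ($r.ReturnValue -ne 0) { throw "CreateRestorePoint failed, return code $($r.ReturnValue)" }

# 5. Verify: only the new point should remain.
Write-Host "Restore points after cleanup:"
Get-WmiObject -Namespace root\default -Class SystemRestore |
    Select-Object SequenceNumber, CreationTime, Description
```

Run it from an elevated PowerShell prompt; the same method calls work from VBScript or WMIC on XP, which is useful when PowerShell is not installed on the machine being cleaned.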
     
  16. 2008/03/23
    chalkie521

    chalkie521 Inactive Thread Starter

    Joined:
    2008/03/03
    Messages:
    8
    Likes Received:
    0
    Hi Geri,

It's been a week or so with no problems, thank you. I have submitted a membership subscription; it's the least I could do.

    Thanks again.

    Chalkie.
    :D
     
  17. 2008/03/23
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi chalkie521

Great, that's good to hear. :D

    I'll mark this one resolved.

    Geri
     
