
Solved Detected Win32/Adware.Virtumonde and Win32/Privac

Discussion in 'Malware and Virus Removal Archive' started by sjgfinance, 2008/08/21.

  1. 2008/08/30
    sjgfinance

    sjgfinance Inactive Thread Starter

    Joined:
    2008/08/21
    Messages:
    27
    Likes Received:
    0
    cmd log

    Hi Geri.

    Carried out your cmd command.

    Text file produced blank results after notifying me that a file did not exist and did I want to create it. Clicked yes and got empty text file.

    Hope this is OK as nothing to post back.

    Regards.

    Steve.
     
  2. 2008/08/30
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi Steve

    No you should have gotten a log.

    Please do this.

    Highlight and copy the contents of the quote box below to a blank notepad. Save it to the desktop as:

    Filename: check.bat
    Save as type: All Files (*.*)

    Double click check.bat to run it. It will open check.txt when it completes. Please post its contents if anything is listed.

    Thanks
    Geri
     
  4. 2008/09/01
    sjgfinance

    Check.bat log

    Hi Geri.

    Carried out your instructions.

    Please find below the resultant log.

    Regards.

    Steve.

    ~~winlogon backups~~

    Volume in drive C is ACER
    Volume Serial Number is 1D0F-11D5

    Directory of C:\WINDOWS\system32

    14/04/2008 01:12 512,000 winlogon.exe
    1 File(s) 512,000 bytes

    Directory of C:\WINDOWS\$NtServicePackUninstall$

    10/08/2004 20:00 502,272 winlogon.exe
    1 File(s) 502,272 bytes

    Directory of C:\WINDOWS\ServicePackFiles\i386

    14/04/2008 01:12 507,904 winlogon.exe
    1 File(s) 507,904 bytes

    ~~services backups~~

    Volume in drive C is ACER
    Volume Serial Number is 1D0F-11D5

    Directory of C:\WINDOWS\system32

    14/04/2008 01:12 111,104 services.exe
    1 File(s) 111,104 bytes

    Directory of C:\WINDOWS\$NtServicePackUninstall$

    10/08/2004 20:00 108,032 services.exe
    1 File(s) 108,032 bytes

    Directory of C:\WINDOWS\ServicePackFiles\i386

    14/04/2008 01:12 108,544 services.exe
    1 File(s) 108,544 bytes

    ~~lsass backups~~

    Volume in drive C is ACER
    Volume Serial Number is 1D0F-11D5

    Directory of C:\WINDOWS\system32

    14/04/2008 01:12 14,848 lsass.exe
    1 File(s) 14,848 bytes

    Directory of C:\WINDOWS\$NtServicePackUninstall$

    10/08/2004 20:00 13,312 lsass.exe
    1 File(s) 13,312 bytes

    Directory of C:\WINDOWS\ServicePackFiles\i386

    14/04/2008 01:12 13,312 lsass.exe
    1 File(s) 13,312 bytes

    ~~svchost backups~~

    Volume in drive C is ACER
    Volume Serial Number is 1D0F-11D5

    Directory of C:\WINDOWS\system32

    14/04/2008 01:12 17,408 svchost.exe
    1 File(s) 17,408 bytes

    Directory of C:\WINDOWS\$NtServicePackUninstall$

    10/08/2004 20:00 14,336 svchost.exe
    1 File(s) 14,336 bytes

    Directory of C:\WINDOWS\ServicePackFiles\i386

    14/04/2008 01:12 14,336 svchost.exe
    1 File(s) 14,336 bytes

    ~~explorer backups~~

    Volume in drive C is ACER
    Volume Serial Number is 1D0F-11D5

    Directory of C:\WINDOWS

    14/04/2008 01:12 1,036,288 explorer.exe
    1 File(s) 1,036,288 bytes

    Directory of C:\WINDOWS\$hf_mig$\KB938828\SP2QFE

    13/06/2007 12:26 1,033,216 explorer.exe
    1 File(s) 1,033,216 bytes

    Directory of C:\WINDOWS\$NtUninstallKB938828$

    10/08/2004 20:00 1,032,192 explorer.exe
    1 File(s) 1,032,192 bytes

    Directory of C:\WINDOWS\$NtServicePackUninstall$

    13/06/2007 11:23 1,033,216 explorer.exe
    1 File(s) 1,033,216 bytes

    Directory of C:\WINDOWS\ServicePackFiles\i386

    14/04/2008 01:12 1,033,728 explorer.exe
    1 File(s) 1,033,728 bytes

    ~~spoolsv backups~~

    Volume in drive C is ACER
    Volume Serial Number is 1D0F-11D5

    Directory of C:\WINDOWS\system32

    14/04/2008 01:12 58,880 spoolsv.exe
    1 File(s) 58,880 bytes

    Directory of C:\WINDOWS\$hf_mig$\KB896423\SP2QFE

    11/06/2005 00:17 57,856 spoolsv.exe
    1 File(s) 57,856 bytes

    Directory of C:\WINDOWS\$NtUninstallKB896423$

    10/08/2004 20:00 57,856 spoolsv.exe
    1 File(s) 57,856 bytes

    Directory of C:\WINDOWS\$NtServicePackUninstall$

    10/06/2005 23:53 57,856 spoolsv.exe
    1 File(s) 57,856 bytes

    Directory of C:\WINDOWS\ServicePackFiles\i386

    14/04/2008 01:12 57,856 spoolsv.exe
    1 File(s) 57,856 bytes
     
  5. 2008/09/01
    Geri
    Hi
    OK. Paste this in a command window.
    Code:
    @echo off
    rem Stage the clean SP3 copies of the six system binaries into dllcache
    copy C:\WINDOWS\ServicePackFiles\i386\explorer.exe C:\WINDOWS\system32\dllcache
    copy C:\WINDOWS\ServicePackFiles\i386\lsass.exe C:\WINDOWS\system32\dllcache
    copy C:\WINDOWS\ServicePackFiles\i386\services.exe C:\WINDOWS\system32\dllcache
    copy C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe C:\WINDOWS\system32\dllcache
    copy C:\WINDOWS\ServicePackFiles\i386\svchost.exe C:\WINDOWS\system32\dllcache
    copy C:\WINDOWS\ServicePackFiles\i386\winlogon.exe C:\WINDOWS\system32\dllcache
    rem Only once the clean copy is in dllcache, move the suspect running copy aside as *.old
    rem (kept, not deleted) so Windows File Protection can replace it from dllcache;
    rem each rename is recorded in done.txt
    if exist C:\WINDOWS\system32\dllcache\winlogon.exe ren C:\WINDOWS\system32\winlogon.exe winlogon.exe.old& echo winlogon renamed>done.txt
    if exist C:\WINDOWS\system32\dllcache\services.exe ren C:\WINDOWS\system32\services.exe services.exe.old& echo services renamed>>done.txt
    if exist C:\WINDOWS\system32\dllcache\lsass.exe ren C:\WINDOWS\system32\lsass.exe lsass.exe.old& echo lsass renamed>>done.txt
    if exist C:\WINDOWS\system32\dllcache\svchost.exe ren C:\WINDOWS\system32\svchost.exe svchost.exe.old& echo svchost renamed>>done.txt
    if exist C:\WINDOWS\system32\dllcache\explorer.exe ren C:\WINDOWS\explorer.exe explorer.exe.old& echo explorer renamed>>done.txt
    if exist C:\WINDOWS\system32\dllcache\spoolsv.exe ren C:\WINDOWS\system32\spoolsv.exe spoolsv.exe.old& echo spoolsv renamed>>done.txt
    start notepad done.txt
    exit
    Now hit F5, run check.bat again and post both logs.

    Thanks
    Geri
     
  6. 2008/09/01
    sjgfinance

    Hi Geri.

    Think I have done this the right way.

    Log follows.

    Regards

    Steve.

    ~~winlogon backups~~

    Volume in drive C is ACER
    Volume Serial Number is 1D0F-11D5

    Directory of C:\WINDOWS\system32

    14/04/2008 01:12 507,904 winlogon.exe
    1 File(s) 507,904 bytes

    Directory of C:\WINDOWS\system32\dllcache

    14/04/2008 01:12 507,904 winlogon.exe
    1 File(s) 507,904 bytes

    Directory of C:\WINDOWS\$NtServicePackUninstall$

    10/08/2004 20:00 502,272 winlogon.exe
    1 File(s) 502,272 bytes

    Directory of C:\WINDOWS\ServicePackFiles\i386

    14/04/2008 01:12 507,904 winlogon.exe
    1 File(s) 507,904 bytes

    ~~services backups~~

    Volume in drive C is ACER
    Volume Serial Number is 1D0F-11D5

    Directory of C:\WINDOWS\system32

    14/04/2008 01:12 108,544 services.exe
    1 File(s) 108,544 bytes

    Directory of C:\WINDOWS\system32\dllcache

    14/04/2008 01:12 108,544 services.exe
    1 File(s) 108,544 bytes

    Directory of C:\WINDOWS\$NtServicePackUninstall$

    10/08/2004 20:00 108,032 services.exe
    1 File(s) 108,032 bytes

    Directory of C:\WINDOWS\ServicePackFiles\i386

    14/04/2008 01:12 108,544 services.exe
    1 File(s) 108,544 bytes

    ~~lsass backups~~

    Volume in drive C is ACER
    Volume Serial Number is 1D0F-11D5

    Directory of C:\WINDOWS\system32

    14/04/2008 01:12 13,312 lsass.exe
    1 File(s) 13,312 bytes

    Directory of C:\WINDOWS\system32\dllcache

    14/04/2008 01:12 13,312 lsass.exe
    1 File(s) 13,312 bytes

    Directory of C:\WINDOWS\$NtServicePackUninstall$

    10/08/2004 20:00 13,312 lsass.exe
    1 File(s) 13,312 bytes

    Directory of C:\WINDOWS\ServicePackFiles\i386

    14/04/2008 01:12 13,312 lsass.exe
    1 File(s) 13,312 bytes

    ~~svchost backups~~

    Volume in drive C is ACER
    Volume Serial Number is 1D0F-11D5

    Directory of C:\WINDOWS\system32

    14/04/2008 01:12 14,336 svchost.exe
    1 File(s) 14,336 bytes

    Directory of C:\WINDOWS\system32\dllcache

    14/04/2008 01:12 14,336 svchost.exe
    1 File(s) 14,336 bytes

    Directory of C:\WINDOWS\$NtServicePackUninstall$

    10/08/2004 20:00 14,336 svchost.exe
    1 File(s) 14,336 bytes

    Directory of C:\WINDOWS\ServicePackFiles\i386

    14/04/2008 01:12 14,336 svchost.exe
    1 File(s) 14,336 bytes

    ~~explorer backups~~

    Volume in drive C is ACER
    Volume Serial Number is 1D0F-11D5

    Directory of C:\WINDOWS

    14/04/2008 01:12 1,033,728 explorer.exe
    1 File(s) 1,033,728 bytes

    Directory of C:\WINDOWS\system32\dllcache

    14/04/2008 01:12 1,033,728 explorer.exe
    1 File(s) 1,033,728 bytes

    Directory of C:\WINDOWS\$hf_mig$\KB938828\SP2QFE

    13/06/2007 12:26 1,033,216 explorer.exe
    1 File(s) 1,033,216 bytes

    Directory of C:\WINDOWS\$NtUninstallKB938828$

    10/08/2004 20:00 1,032,192 explorer.exe
    1 File(s) 1,032,192 bytes

    Directory of C:\WINDOWS\$NtServicePackUninstall$

    13/06/2007 11:23 1,033,216 explorer.exe
    1 File(s) 1,033,216 bytes

    Directory of C:\WINDOWS\ServicePackFiles\i386

    14/04/2008 01:12 1,033,728 explorer.exe
    1 File(s) 1,033,728 bytes

    ~~spoolsv backups~~

    Volume in drive C is ACER
    Volume Serial Number is 1D0F-11D5

    Directory of C:\WINDOWS\system32

    14/04/2008 01:12 57,856 spoolsv.exe
    1 File(s) 57,856 bytes

    Directory of C:\WINDOWS\system32\dllcache

    14/04/2008 01:12 57,856 spoolsv.exe
    1 File(s) 57,856 bytes

    Directory of C:\WINDOWS\$hf_mig$\KB896423\SP2QFE

    11/06/2005 00:17 57,856 spoolsv.exe
    1 File(s) 57,856 bytes

    Directory of C:\WINDOWS\$NtUninstallKB896423$

    10/08/2004 20:00 57,856 spoolsv.exe
    1 File(s) 57,856 bytes

    Directory of C:\WINDOWS\$NtServicePackUninstall$

    10/06/2005 23:53 57,856 spoolsv.exe
    1 File(s) 57,856 bytes

    Directory of C:\WINDOWS\ServicePackFiles\i386

    14/04/2008 01:12 57,856 spoolsv.exe
    1 File(s) 57,856 bytes
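    The comparison Geri reads off check.bat by hand, written out as an added Python example (not code from this thread or from any of the posters): it parses the per-binary `dir` listings in the check.bat log format, treats the copy under ServicePackFiles\i386 as the reference, and flags any live copy in system32 (or C:\WINDOWS, for explorer) whose size differs. The two log excerpts embedded below are constructed from the logs Steve posted above (the one before the renames, and the one after).

    ```python
    """Flag system binaries whose live size differs from the Service Pack reference
    copy, reading the check.bat log format used in this thread (`dir` listings
    grouped under "~~name backups~~" headers)."""
    import re

    SECTION_RE = re.compile(r"^~~(\w+) backups~~$")
    DIR_RE = re.compile(r"^Directory of (.+?)$")
    # A `dir` file line after whitespace trimming, e.g. "14/04/2008 01:12 512,000 winlogon.exe"
    FILE_RE = re.compile(r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}\s+([\d,]+)\s+(\S+)$")

    LIVE_DIRS = {r"c:\windows\system32", r"c:\windows"}  # where the running copies live
    REFERENCE_DIR = r"c:\windows\servicepackfiles\i386"  # pristine SP3 copies

    # Constructed excerpt of the first log Steve posted (before any rename).
    INFECTED_LOG = r"""
    ~~winlogon backups~~
     Volume in drive C is ACER
     Directory of C:\WINDOWS\system32
    14/04/2008 01:12 512,000 winlogon.exe
    1 File(s) 512,000 bytes
     Directory of C:\WINDOWS\$NtServicePackUninstall$
    10/08/2004 20:00 502,272 winlogon.exe
     Directory of C:\WINDOWS\ServicePackFiles\i386
    14/04/2008 01:12 507,904 winlogon.exe
    ~~lsass backups~~
     Directory of C:\WINDOWS\system32
    14/04/2008 01:12 14,848 lsass.exe
     Directory of C:\WINDOWS\ServicePackFiles\i386
    14/04/2008 01:12 13,312 lsass.exe
    ~~explorer backups~~
     Directory of C:\WINDOWS
    14/04/2008 01:12 1,036,288 explorer.exe
     Directory of C:\WINDOWS\$NtUninstallKB938828$
    10/08/2004 20:00 1,032,192 explorer.exe
     Directory of C:\WINDOWS\ServicePackFiles\i386
    14/04/2008 01:12 1,033,728 explorer.exe
    """

    # Constructed excerpt of the second log (after the clean copies were staged).
    CLEAN_LOG = r"""
    ~~winlogon backups~~
     Directory of C:\WINDOWS\system32
    14/04/2008 01:12 507,904 winlogon.exe
     Directory of C:\WINDOWS\system32\dllcache
    14/04/2008 01:12 507,904 winlogon.exe
     Directory of C:\WINDOWS\ServicePackFiles\i386
    14/04/2008 01:12 507,904 winlogon.exe
    ~~svchost backups~~
     Directory of C:\WINDOWS\system32
    14/04/2008 01:12 14,336 svchost.exe
     Directory of C:\WINDOWS\ServicePackFiles\i386
    14/04/2008 01:12 14,336 svchost.exe
    """


    def parse_check_log(text):
        """Return {binary: {directory (lower-cased): size_in_bytes}}."""
        result = {}
        binary = directory = None
        for raw in text.splitlines():
            line = raw.strip()
            if m := SECTION_RE.match(line):
                binary = m.group(1).lower()
                result.setdefault(binary, {})
                continue
            if m := DIR_RE.match(line):
                directory = m.group(1).lower()
                continue
            m = FILE_RE.match(line)
            if m and binary and directory:
                result[binary][directory] = int(m.group(1).replace(",", ""))
        return result


    def find_size_mismatches(text):
        """Return {binary: (live_size, reference_size)} for each binary whose live
        copy differs in size from the ServicePackFiles copy; reference_size is None
        when no reference copy was listed. A size match is only a weak negative:
        a patched file of identical size would pass, so compare hashes when the
        files themselves are available."""
        mismatches = {}
        for binary, copies in parse_check_log(text).items():
            live = next((s for d, s in copies.items() if d in LIVE_DIRS), None)
            if live is None:
                continue  # no running copy listed, nothing to compare
            ref = copies.get(REFERENCE_DIR)
            if ref is None or live != ref:
                mismatches[binary] = (live, ref)
        return mismatches


    if __name__ == "__main__":
        for name, (live, ref) in find_size_mismatches(INFECTED_LOG).items():
            print(f"{name}: live {live} bytes, reference {ref} bytes")
        print("clean log mismatches:", find_size_mismatches(CLEAN_LOG))
    ```
    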
     
  7. 2008/09/01
    Geri
    Hi
    Was there another log?
     
  8. 2008/09/01
    sjgfinance

    Hi.

    Yes there was another log which I lost before copying to this post. I think it was composed of about 5 lines of confirmations.

    Steve.
     
  9. 2008/09/01
    sjgfinance

    Geri.

    Have found done.txt --- see below...

    Steve

    winlogon renamed
    services renamed
    lsass renamed
    svchost renamed
    explorer renamed
    spoolsv renamed
     
  10. 2008/09/01
    Geri
    OK thanks Steve.

    I'll get back to you, making sure this is OKed by noahdfear.
     
  11. 2008/09/01
    Geri
    Hi Steve
    Says it looks good to him.

    So now let's get another Panda scan.

    Thanks
     
  12. 2008/09/01
    sjgfinance

    Hi.

    New Kaspersky scan done. Log shown below...

    Steve.

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Tuesday, September 2, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Monday, September 01, 2008 21:57:20
    Records in database: 1175380
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\

    Scan statistics:
    Files scanned: 78703
    Threat name: 5
    Infected objects: 13
    Suspicious objects: 0
    Duration of the scan: 00:47:49


    File name / Threat name / Threats count
    C:\WINDOWS\system32\lsass.exe.old Infected: Trojan.Win32.Patched.aa 1
    C:\WINDOWS\system32\winlogon.exe.old Infected: Trojan.Win32.Patched.aa 1
    C:\WINDOWS\system32\services.exe.old Infected: Trojan.Win32.Patched.aa 1
    C:\WINDOWS\system32\svchost.exe.old Infected: Trojan.Win32.Patched.aa 1
    C:\WINDOWS\system32\spoolsv.exe.old Infected: Trojan.Win32.Patched.aa 1
    C:\WINDOWS\explorer.exe.old Infected: Trojan.Win32.Patched.aa 1
    C:\System Volume Information\_restore{3B5EBD63-0BA3-4CB6-8D46-0666EE4E44F9}\RP17\A0000437.sys Infected: Email-Worm.Win32.Zhelatin.vl 1
    C:\System Volume Information\_restore{3B5EBD63-0BA3-4CB6-8D46-0666EE4E44F9}\RP17\A0000477.exe Infected: Trojan-Downloader.Win32.Small.abpq 1
    C:\System Volume Information\_restore{3B5EBD63-0BA3-4CB6-8D46-0666EE4E44F9}\RP17\A0000478.exe Infected: not-a-virus:FraudTool.Win32.MalwareProtector.s 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\sysrest.sys.vir Infected: Email-Worm.Win32.Zhelatin.vl 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\lphc9u9j0evge.exe.vir Infected: Trojan-Downloader.Win32.Small.abpq 1
    C:\QooBox\Quarantine\C\WINDOWS\system32\pphc9u9j0evge.exe.vir Infected: not-a-virus:FraudTool.Win32.MalwareProtector.s 1
    C:\QooBox\Quarantine\catchme2008-08-28_165036.23.zip Infected: Trojan-Downloader.Win32.Agent.vsh 1

    The selected area was scanned.
     
  13. 2008/09/01
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi Steve,

    Would you please right click any one of these files and Send To>Compressed (zipped) Folder, then drag-n-drop the others onto the zip. Once done, please upload that zip file to my submission channel for analysis. Leave a link back to this topic.


    C:\WINDOWS\system32\lsass.exe.old
    C:\WINDOWS\system32\winlogon.exe.old
    C:\WINDOWS\system32\services.exe.old
    C:\WINDOWS\system32\svchost.exe.old
    C:\WINDOWS\system32\spoolsv.exe.old
    C:\WINDOWS\explorer.exe.old
     
  14. 2008/09/01
    Geri
    Hi Steve
    OK great.

    Please do as noahdfear asked; it will help them to be added to a malware fix tool and be deleted by it. After he has confirmed that he got them and they can be deleted, then do this.

    They are of no threat as they are.


    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINDOWS\system32\lsass.exe.old
    C:\WINDOWS\system32\winlogon.exe.old
    C:\WINDOWS\system32\services.exe.old
    C:\WINDOWS\system32\svchost.exe.old
    C:\WINDOWS\system32\spoolsv.exe.old
    C:\WINDOWS\explorer.exe.old 
    Now this.

    Click Start>Run. In the run box copy and paste or type ComboFix /u, then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing any infected files there as well.

    Then run Panda again to make sure it comes up clean.

    Let me know.

    Thanks
    Geri
     
  15. 2008/09/02
    sjgfinance

    Zipfiles....

    Hi Noahdfear.

    Thanks for your help.

    Unfortunately I do not know how to carry out your instructions.

    I am afraid I need blow by blow instructions as I have no experience of what you are asking of me.

    Regards

    Steve.
     
  16. 2008/09/02
    noahdfear

    Let's just do it this way, Steve.

    Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    http://www.windowsbbs.com/malware-virus-removal/76176-windows-warning-message-detected-win32-adware-virtumonde-win32-privac-2.html#post414542
    
    Collect::[22]
    C:\WINDOWS\system32\lsass.exe.old
    C:\WINDOWS\system32\winlogon.exe.old
    C:\WINDOWS\system32\services.exe.old
    C:\WINDOWS\system32\svchost.exe.old
    C:\WINDOWS\system32\spoolsv.exe.old
    C:\WINDOWS\explorer.exe.old
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt

    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    I have instructed CFScript to quarantine those files and then collect them. This means that when ComboFix finishes, you will be prompted to allow ComboFix to upload a zip file that was created. The zip contains the aforementioned files. Please copy the path shown in the prompt and paste it into the box, then click Send.

    Thanks!


    Note - you can disregard Geri's instructions above in regards to creating and executing the CFScript ... this will take care of it.
     
  17. 2008/09/03
    sjgfinance

    Zipfile creation.....

    Hi noahdfear.

    Thanks for your help.

    I have carried out your instructions and sent the Zip. Please find below the ComboFix log and a new HijackThis log as requested.

    Regards

    Steve.

    ComboFix 08-09-01.04 - Steve 2008-09-03 7:46:40.5 - FAT32x86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.628 [GMT 1:00]
    Running from: C:\Documents and Settings\Steve\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Steve\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\explorer.exe.old
    C:\WINDOWS\system32\lsass.exe.old
    C:\WINDOWS\system32\services.exe.old
    C:\WINDOWS\system32\spoolsv.exe.old
    C:\WINDOWS\system32\svchost.exe.old
    C:\WINDOWS\system32\winlogon.exe.old

    .
    ((((((((((((((((((((((((( Files Created from 2008-08-03 to 2008-09-03 )))))))))))))))))))))))))))))))
    .

    2008-08-27 07:38 . 2008-08-27 07:38 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-08-27 07:38 . 2008-08-27 07:38 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\Malwarebytes
    2008-08-27 07:38 . 2008-08-27 07:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-08-27 07:38 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-08-27 07:38 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-08-26 16:07 . 2008-08-26 16:07 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-26 08:01 . 2008-08-26 08:01 <DIR> d-------- C:\Program Files\CCleaner
    2008-08-22 12:39 . 2006-08-07 11:33 1,929,216 --a------ C:\WINDOWS\system32\cdintf250.dll
    2008-08-22 08:38 . 2008-08-22 08:38 <DIR> d-------- C:\Program Files\Spyware Doctor
    2008-08-22 08:38 . 2008-08-22 08:38 <DIR> d-------- C:\Documents and Settings\Steve\Application Data\PC Tools
    2008-08-22 08:38 . 2008-08-22 08:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-22 08:38 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
    2008-08-22 08:38 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
    2008-08-22 08:38 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
    2008-08-22 08:38 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
    2008-08-21 15:28 . 2008-09-01 08:47 508 --a------ C:\WINDOWS\wininit.ini
    2008-08-13 14:30 . 2008-05-01 15:33 331,776 --------- C:\WINDOWS\system32\dllcache\msadce.dll
    2008-08-13 14:29 . 2008-04-11 20:04 691,712 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
    2008-08-13 10:13 . 2008-08-13 10:13 <DIR> d-------- C:\WINDOWS\Crystal
    2008-08-13 10:13 . 2008-08-13 10:13 <DIR> d-------- C:\Program Files\Seagate Software
    2008-08-13 10:13 . 2008-08-13 10:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\HBOS
    2008-08-08 15:21 . 2008-08-08 15:21 <DIR> d-------- C:\WINDOWS\system32\scripting
    2008-08-08 15:21 . 2008-08-08 15:21 <DIR> d-------- C:\WINDOWS\system32\en
    2008-08-08 15:21 . 2008-08-08 15:21 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-08-08 15:21 . 2008-08-08 15:21 <DIR> d-------- C:\WINDOWS\l2schemas
    2008-08-08 15:17 . 2008-08-08 15:17 <DIR> d-------- C:\WINDOWS\ServicePackFiles
    2008-08-08 15:01 . 2008-04-14 01:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
    2008-08-08 15:00 . 2004-08-03 22:29 1,897,408 --------- C:\WINDOWS\system32\drivers\nv4_mini.sys
    2008-08-05 14:52 . 2007-07-31 11:29 344,064 --a------ C:\WINDOWS\system32\dzsactx.dll
    2008-08-05 14:52 . 2007-07-31 11:29 327,680 --a------ C:\WINDOWS\system32\duzsactx.dll
    2008-08-05 09:34 . 2007-08-08 12:12 101,120 --a------ C:\WINDOWS\system32\drivers\ewusbmdm.sys
    2008-08-05 09:34 . 2008-04-13 19:45 32,128 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
    2008-08-05 09:34 . 2007-08-08 12:13 24,448 --a------ C:\WINDOWS\system32\drivers\ewdcsc.sys
    2008-08-05 09:33 . 2008-08-05 09:34 <DIR> d-------- C:\Program Files\Huawei technologies
    2008-08-04 15:47 . 2008-08-04 15:47 <DIR> d-------- C:\Program Files\Mortgage Brain
    2008-08-04 15:45 . 2008-08-04 15:45 <DIR> d-------- C:\Program Files\Common Files\Business Objects

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-29 07:01 21,512 ----a-w C:\Documents and Settings\Steve\Application Data\wklnhst.dat
    2008-07-30 16:42 23,888 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
    2008-07-30 16:28 706 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
    2008-07-30 16:28 10,537 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
    2008-07-18 18:34 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
    2008-07-11 06:29 --------- d-----w C:\Program Files\Common Files\Skype
    2008-07-11 06:29 --------- d-----w C:\Documents and Settings\Steve\Application Data\skypePM
    2008-07-07 20:26 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-07-07 20:26 253,952 ------w C:\WINDOWS\system32\dllcache\es.dll
    2008-07-07 13:12 --------- d-----w C:\Program Files\VeriSign
    2008-07-07 13:05 --------- d-----w C:\Program Files\MSECache
    2008-06-24 16:43 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-24 16:43 74,240 ------w C:\WINDOWS\system32\dllcache\mscms.dll
    2008-06-24 09:57 3,592,192 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2008-06-23 09:20 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
    2008-06-23 09:20 625,664 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
    2008-06-23 09:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
    2008-06-21 05:23 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
    2008-06-20 17:46 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 17:46 245,248 ------w C:\WINDOWS\system32\dllcache\mswsock.dll
    2008-06-20 17:46 147,968 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
    2008-06-20 11:51 361,600 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
    2008-06-20 11:40 138,496 ------w C:\WINDOWS\system32\dllcache\afd.sys
    2008-06-20 11:08 225,856 ------w C:\WINDOWS\system32\dllcache\tcpip6.sys
    2008-06-13 11:05 272,128 ------w C:\WINDOWS\system32\dllcache\bthport.sys
    2007-06-21 15:22 61,480 ----a-w C:\Documents and Settings\Steve\GoToAssistDownloadHelper.exe
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-22_10.00.57.54 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2008-04-14 00:12:20 1,036,288 ----a-w C:\WINDOWS\explorer.exe
    + 2008-04-14 00:12:20 1,033,728 ----a-w C:\WINDOWS\explorer.exe
    - 2008-08-08 14:29:48 16,384 ------w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2008-08-27 06:06:34 16,384 ------w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2008-08-08 14:29:48 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2008-08-27 06:06:34 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2008-08-08 14:29:48 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-08-27 06:06:34 32,768 ------w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2008-04-14 00:12:20 1,033,728 ----a-w C:\WINDOWS\system32\dllcache\explorer.exe
    + 2008-04-14 00:12:24 13,312 ----a-w C:\WINDOWS\system32\dllcache\lsass.exe
    + 2008-04-13 18:30:46 61,440 ----a-w C:\WINDOWS\system32\dllcache\msvcrt40.dll
    + 2008-04-14 00:12:34 108,544 ----a-w C:\WINDOWS\system32\dllcache\services.exe
    + 2008-04-14 00:12:36 57,856 ----a-w C:\WINDOWS\system32\dllcache\spoolsv.exe
    + 2008-04-14 00:12:36 14,336 ----a-w C:\WINDOWS\system32\dllcache\svchost.exe
    + 2008-04-14 00:12:40 507,904 ----a-w C:\WINDOWS\system32\dllcache\winlogon.exe
    - 2008-04-14 00:12:24 14,848 ----a-w C:\WINDOWS\system32\lsass.exe
    + 2008-04-14 00:12:24 13,312 ----a-w C:\WINDOWS\system32\lsass.exe
    - 2008-04-14 00:12:34 111,104 ----a-w C:\WINDOWS\system32\services.exe
    + 2008-04-14 00:12:34 108,544 ----a-w C:\WINDOWS\system32\services.exe
    - 2008-04-14 00:12:36 58,880 ----a-w C:\WINDOWS\system32\spoolsv.exe
    + 2008-04-14 00:12:36 57,856 ----a-w C:\WINDOWS\system32\spoolsv.exe
    - 2008-04-14 00:12:36 17,408 ----a-w C:\WINDOWS\system32\svchost.exe
    + 2008-04-14 00:12:36 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
    - 2008-04-14 00:12:40 512,000 ----a-w C:\WINDOWS\system32\winlogon.exe
    + 2008-04-14 00:12:40 507,904 ----a-w C:\WINDOWS\system32\winlogon.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
    "swg "= "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 68856]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-08-18 1832272]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray "= "C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 94208]
    "igfxhkcmd "= "C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 77824]
    "igfxpers "= "C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 118784]
    "ehTray "= "C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 64512]
    "IMJPMIG8.1 "= "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-10 208952]
    "MSPY2002 "= "C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-10 59392]
    "PHIME2002ASync "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "PHIME2002A "= "C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-10 455168]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-09 115816]
    "osCheck "= "C:\Program Files\Norton Internet Security\osCheck.exe" [2006-09-06 26248]
    "ePower_DMC "= "C:\Acer\Empowering Technology\ePower\ePower_DMC.exe" [2006-08-10 352256]
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" [2006-10-12 98304]
    "SynTPEnh "= "C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-03 761946]
    "eRecoveryService "= "C:\Acer\Empowering Technology\eRecovery\Monitor.exe" [2006-01-24 397312]
    "eDataSecurity Loader "= "C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe" [2005-12-27 69632]
    "AzMixerSel "= "C:\Program Files\Realtek\InstallShield\AzMixerSel.exe" [2005-12-21 53248]
    "ADMTray.exe "= "C:\Acer\Empowering Technology\admtray.exe" [2005-10-24 2462208]
    "Acer ePower Management "= "C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe" [2006-05-22 3080704]
    "Symantec PIF AlertEng "= "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 583048]
    "OxigenClientAdmin "= "C:\Program Files\Oxigen\bin\Oxigen.exe" [2007-06-23 887264]
    "Easy-PrintToolBox "= "C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE" [2004-01-14 409600]
    "BluetoothAuthenticationAgent "= "bthprops.cpl" [2008-04-14 C:\WINDOWS\system32\bthprops.cpl]
    "RTHDCPL "= "RTHDCPL.EXE" [2006-06-28 C:\WINDOWS\RTHDCPL.exe]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle "= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme "= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
    backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LaunchApp]
    Alaunch [X]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
    --a------ 2005-12-29 11:22 543232 C:\Program Files\btbb_wcm\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]
    --a------ 2006-07-31 20:00 19857408 C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LManager]
    --a------ 2006-07-20 22:15 593920 C:\PROGRA~1\LAUNCH~1\LManager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-10-18 11:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    -rahs---- 2008-08-18 18:41 1832272 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2007-03-14 03:43 83608 C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-07-27 09:51 68856 C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2005-08-31 17:11 2478080 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    --a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SkyTel]
    --a------ 2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe"=

    R1 OsaFsLoc;OsaFsLoc;C:\WINDOWS\system32\drivers\OsaFsLoc.sys [2005-10-15 12106]
    R2 EpmPsd;Acer EPM Power Scheme Driver;C:\WINDOWS\system32\drivers\epm-psd.sys [2006-01-23 4096]
    R2 EpmShd;Acer EPM System Hardware Driver;C:\WINDOWS\system32\drivers\epm-shd.sys [2006-01-23 78208]
    R2 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 69632]
    R2 osaio;osaio;C:\WINDOWS\system32\drivers\osaio.sys [2005-06-30 7296]
    R2 osanbm;osanbm;C:\WINDOWS\system32\drivers\osanbm.sys [2005-01-14 4010]
    R3 NdisFilt;OSA NdisFilter Protocol;C:\WINDOWS\system32\Drivers\NdisFilt.sys [2005-09-13 4392]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13041f6e-62c9-11dd-b30e-0016d44f0752}]
    \Shell\AutoRun\command - F:\AutoRun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13041f6f-62c9-11dd-b30e-0016d44f0752}]
    \Shell\AutoRun\command - F:\AutoRun.exe

    *Newly Created Service* - CATCHME
    *Newly Created Service* - COMHOST
    *Newly Created Service* - INT15.SYS
    .
    Contents of the 'Scheduled Tasks' folder
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-03 07:48:52
    Windows 5.1.2600 Service Pack 3 FAT NTAPI

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-09-03 7:49:22
    ComboFix-quarantined-files.txt 2008-09-03 06:49:20
    ComboFix4.txt 2008-08-22 10:58:36
    ComboFix3.txt 2008-08-28 09:06:40
    ComboFix5.txt 2008-09-03 06:46:00
    ComboFix2.txt 2008-08-28 15:58:24

    Pre-Run: 38,479,429,632 bytes free
    Post-Run: 38,471,598,080 bytes free

    236 --- E O F --- 2008-09-02 18:34:03


    HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 07:59:30, on 03/09/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    C:\Acer\Empowering Technology\admServ.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Acer\Empowering Technology\admtray.exe
    C:\Program Files\Oxigen\bin\Oxigen.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
    C:\WINDOWS\ehome\mcrdsvc.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wbem\wmiprvse.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\wbem\unsecapp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\PROGRA~1\YAHOO!\browser\ycommon.exe
    C:\Program Files\Yahoo!\browser\ybrwicon.exe
    C:\Program Files\Spyware Doctor\pctsAuxs.exe
    C:\Program Files\Spyware Doctor\pctsSvc.exe
    C:\Program Files\Spyware Doctor\pctsTray.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://www.mynortonaccount.com/amsweb/default.do
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\NppBho.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\YAHOO!\COMMON\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Acer eDataSecurity Management - {5CBE3B7C-1E47-477e-A7DD-396DB0476E29} - C:\WINDOWS\system32\eDStoolbar.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn2\yt.dll
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.0\UIBHO.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
    O4 - HKLM\..\Run: [ePower_DMC] C:\Acer\Empowering Technology\ePower\ePower_DMC.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\Monitor.exe
    O4 - HKLM\..\Run: [eDataSecurity Loader] C:\Acer\Empowering Technology\eDataSecurity\eDSloader.exe
    O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\InstallShield\AzMixerSel.exe
    O4 - HKLM\..\Run: [ADMTray.exe] "C:\Acer\Empowering Technology\admtray.exe"
    O4 - HKLM\..\Run: [Acer ePower Management] C:\Acer\Empowering Technology\ePower\Acer ePower Management.exe boot
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [OxigenClientAdmin] "C:\Program Files\Oxigen\bin\Oxigen.exe"
    O4 - HKLM\..\Run: [Easy-PrintToolBox] C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon
    O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\YAHOO!\COMMON\yiesrvc.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AdminWorks Agent X6 (AWService) - Avocent Inc. - C:\Acer\Empowering Technology\admServ.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
    O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    --
    End of file - 14058 bytes
     
  18. 2008/09/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Received. Thank you! :)
     
  19. 2008/09/03
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Thanks for your help Dave. :)

    Hi
    Ok Great thanks.

    Now please do this.

    Open "Notepad". Copy the contents of the code box below to the blank Notepad.
    Click "File" > "Save as"
    In the "Save In" box at the top click the down arrow and select Desktop

    In the "File name" type in: fix.reg
    In the "Save As Type" select: All Files
    Once saved, go to your desktop, double click the "fix.reg" file and let it merge with the registry.

    Code:
    REGEDIT4

    ; restores the Windows XP default list of security support providers
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    Let me know that it merged OK.

    Click Start>Run in the run box copy and paste or type ComboFix /u then hit Enter to uninstall ComboFix and remove the files/folders it created. This action will also reset the System Restore points, removing any infected files there as well.

    Then run Panda again to make sure it comes up clean.

    Let me know.

    Thanks
    Geri
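    A check of the registry settings in the ComboFix log above and of the fix.reg in this post, added here as an example script that is not part of the thread, of ComboFix or of any other tool used in it: it parses a constructed excerpt modelled on the posted log, flags the settings a helper would review (the SecurityProviders string with its separators missing, the disabled firewall, the AutoRun handler for a removable drive), and validates the fix file. The expected provider list is the Windows XP default; the second fix variant keeps a space inside the value-name quotes, which would create a separate value instead of repairing the real one.

```python
import re

# Windows XP default for the SSPI provider list (REG_SZ, comma separated).
EXPECTED_PROVIDERS = ["msapsspc.dll", "schannel.dll", "digest.dll", "msnsspc.dll"]

# Constructed excerpt modelled on the ComboFix log posted in this thread.
COMBOFIX_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{13041f6e-62c9-11dd-b30e-0016d44f0752}]
\Shell\AutoRun\command - F:\AutoRun.exe
"""
# The fix as intended, and a variant with a stray space inside the name quotes.
FIX_REG = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
"""
FIX_REG_AS_RENDERED = FIX_REG.replace('"SecurityProviders"=', '"SecurityProviders "= ')


def parse_sections(text):
    """Map each [key] header (lower-cased) to the non-blank lines under it."""
    sections, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def review_log(text):
    """Return the findings a helper would raise from a ComboFix registry excerpt."""
    findings = []
    for key, lines in parse_sections(text).items():
        for line in lines:
            low = line.lower()
            if key.endswith("\\securityproviders") and low.startswith("securityproviders"):
                raw = line.split(None, 1)[-1]
                dlls = re.findall(r"[^,\s]+?\.dll", raw)
                # The same DLLs run together without separators is still not the default.
                if dlls != EXPECTED_PROVIDERS or ", " not in raw:
                    findings.append("SecurityProviders is not the XP default string: " + raw)
            elif key.endswith("firewallpolicy\\standardprofile") and low.startswith('"enablefirewall"= 0'):
                findings.append("Windows Firewall disabled for the standard profile")
            elif "mountpoints2" in key and "\\shell\\autorun\\command" in low:
                findings.append("AutoRun handler on removable drive: " + line.split(" - ", 1)[-1])
    return findings


def check_fix_reg(text):
    """Return problems with a REGEDIT4 file meant to restore SecurityProviders."""
    entries = [l for k, ls in parse_sections(text).items() if k.endswith("\\securityproviders") for l in ls]
    m = re.match(r'"([^"]*)"\s*=\s*"([^"]*)"$', entries[0]) if entries else None
    if not m:
        return ["no well-formed SecurityProviders value line"]
    name, value = m.groups()
    problems = []
    if name != "SecurityProviders":  # whitespace in the name creates a separate value
        problems.append(f"value name is {name!r}, not 'SecurityProviders'")
    if value != ", ".join(EXPECTED_PROVIDERS):
        problems.append("provider list is not the XP default: " + value)
    return problems


if __name__ == "__main__":
    print(*review_log(COMBOFIX_EXCERPT), check_fix_reg(FIX_REG_AS_RENDERED), sep="\n")
```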
     
  20. 2008/09/04
    sjgfinance

    sjgfinance Inactive Thread Starter

    Joined:
    2008/08/21
    Messages:
    27
    Likes Received:
    0
    fix.reg & uninstall combofix

    Hi Geri.

    Did the fix.reg and system merged ok.

    Did the uninstall but forgot to stop my protection programs & spyware doctor would not allow it to work.

    Did it again after stopping the doctor and it successfully uninstalled.

    Thanks again for all your help guys.

    Is there anything further to do or any advice to avoid these problems again?

    I have Spybot and Spyware Doctor on my system to block malware etc. at present and since the problem occurred. Should I have both or just one?

    Regards

    Steve.
     
  21. 2008/09/04
    sjgfinance

    sjgfinance Inactive Thread Starter

    Joined:
    2008/08/21
    Messages:
    27
    Likes Received:
    0
    Kaspersky Scan

    Geri

    Sorry forgot to paste Kaspersky scan result.....

    Regards

    Steve.

    --------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER 7 REPORT
    Thursday, September 4, 2008
    Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Thursday, September 04, 2008 05:41:13
    Records in database: 1190247
    --------------------------------------------------------------------------------

    Scan settings:
    Scan using the following database: extended
    Scan archives: yes
    Scan mail databases: yes

    Scan area - My Computer:
    C:\
    D:\
    E:\

    Scan statistics:
    Files scanned: 75511
    Threat name: 0
    Infected objects: 0
    Suspicious objects: 0
    Duration of the scan: 00:45:00

    No malware has been detected. The scan area is clean.

    The selected area was scanned.
     
