Solved It must be a virus

[Resolved] It must be a virus

I return from holiday to find that my PC is well and truly compromised. Both of my sons say that they have only opened emails from people they know but it's a fair bet they opened an .exe file. The symptoms are : On "Start up "button, no "Run" or "Control panel" functions. Pressing start repeatedly reloads the desktop.
Some of my desktop icons are missing and 3 new ones have been added "System Error Fixer ", "Malware Defender" and "Protect Your Privacy ". My desktop wallpaper has defaulted to a white background
The system will not allow me to click on "Task manager ".
Have started in Safe Modee and managed to enter "System Restore" but that will not let me choose a previous restore point, unable to move through the calender.
I am sure, as always, that the Windows BBS will be able to help me to sort this problem out.
TIA

 

It musty be a virus

Which instructions in particular ? I haven't posted to another forum and do not know enough to add bits of information to a previously posted resume of a problem. I though the extra information might help. ---------Sorry.

 

Read this

perhaps not but you did effectively double post.

You are able to edit a post but failing that you could always reply

 

I don't doubt the qualifications of you or any of the other knowledgeable contributors and I did, in fact, subscribe voluntarily a few years ago, the only time I have subscribed to any free website simply because I felt that the help given to me with a number of problems by those at WindowsBBS was worth a degree of recognition. I will certainly be subscribing for a year if you are able to help me out on this one. Incidentally I have recommended WindowsBBS to many friends whose intimate knowledge of the workings of a PC are at the same level as mine, as the computer equivalent of the Red Cross.
ps. I now know that the little book icon is for reply.

 

Trying to help get you started.

There are required logs we need to aid in the help, they can be found by reading the below link.
http://www.windowsbbs.com/malware-virus-removal/announcements.html

 

It must be a virus

 

I forgot to add that whilst running RSIT, a box appeared with the message.
"Program failed to start because MSVBM60.dll was not found "

 

Hi bg9208,

Lets get to work cleaning you up. You need to get a tool downloaded to the desktop of your PC.

Download ComboFix by sUBs from here, saving the file to your desktop.


Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

• Close all open programs and windows
• Double click ComboFix.exe and follow the prompts.
• It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

 

It must be a virus

Once again WINDOWSBBS come up trumps?
I ran Combofix as suggested and everything is back to normal (almost). My icons have returned (welcome back! ") and everything else seems to be working OK with one exception -- my desktop which I always had as a BLACK background has now defaulted to a WHITE background with the exception that the icon text is on a black background. I can't seem to change that back either thru control panel or desktop properties.
I attach Combofix and Hijack logs.
I am most grateful for your invaluable assistance.

Brian Owen

PS. Please tell me how I subscribe by credit card
ComboFix 08-11-11.01 - Brian Owen 2008-11-12 19:23:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.113 [GMT 1:00]
Running from: c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\privacy_danger
c:\windows\privacy_danger\images\body.gif
c:\windows\privacy_danger\images\capt.gif
c:\windows\privacy_danger\images\capt2.gif
c:\windows\privacy_danger\images\red.gif
c:\windows\privacy_danger\images\text.gif
c:\windows\privacy_danger\index.html
c:\windows\system32\dao350.dll
c:\windows\system32\lTBacccf.ini
c:\windows\system32\lTBacccf.ini2
c:\windows\system32\WHiSBJlm.ini
c:\windows\system32\WHiSBJlm.ini2
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
.

2008-11-07 19:22 . 2008-11-07 19:23 <DIR> d-------- C:\rsit
2008-11-07 19:22 . 2008-11-09 14:41 <DIR> d-------- c:\program files\trend micro
2008-11-07 13:53 . 2008-11-07 13:55 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-07 13:53 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-07 13:53 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-07 13:31 . 2008-11-07 13:31 <DIR> d-------- c:\program files\Exterminate It!
2008-11-07 12:04 . 2008-11-07 06:47 393,216 --a------ c:\windows\xdsfqroepox.dll
2008-11-07 12:04 . 2008-11-07 06:47 282,624 --a------ c:\windows\mqxvbdwk.dll
2008-11-07 11:56 . 2008-11-07 12:04 37 --a------ c:\windows\iltwain.ini
2008-11-07 11:55 . 2008-11-07 11:55 <DIR> d-------- c:\program files\Fugawi
2008-11-07 11:55 . 2008-11-07 11:55 <DIR> d-------- c:\program files\Earth Resource Mapping
2008-11-07 11:55 . 2008-11-07 11:56 <DIR> d-------- c:\program files\Common Files\Fugawi
2008-11-07 11:55 . 2008-11-07 11:55 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Fugawi
2008-11-07 11:53 . 2008-11-07 11:54 <DIR> d-------- C:\bucket
2008-11-04 11:04 . 2008-11-04 11:04 <DIR> d-------- c:\program files\Common Files\Transas Shared
2008-11-04 10:35 . 2008-11-04 10:35 806 --a------ c:\windows\sfxthumb.ini
2008-11-04 10:34 . 2008-11-04 10:38 <DIR> d-------- c:\program files\Ssfxpro
2008-11-04 10:34 . 1998-03-30 08:54 398,336 --a------ c:\windows\system32\Ltocx90n.ocx
2008-11-04 10:34 . 1996-06-13 07:19 274,432 --a------ c:\windows\system32\Btn32x10.OCX
2008-11-04 10:34 . 1997-07-29 02:54 273,920 --a------ c:\windows\system32\Rivet100.OCX
2008-11-04 10:34 . 1995-07-11 01:50 26,624 --a------ c:\windows\system32\AWRESX32.DLL
2008-11-04 10:34 . 1995-07-11 01:50 24,576 --a------ c:\windows\system32\AWCODC32.DLL
2008-11-04 10:34 . 1995-10-05 16:02 24,064 --a------ c:\windows\system\regsvr32.exe
2008-11-04 10:34 . 1995-11-16 10:39 11,776 --a------ c:\windows\system32\AWDENC32.DLL
2008-11-04 10:34 . 1995-10-09 08:58 10,240 --a------ c:\windows\system32\AWVIEW32.DLL
2008-11-04 10:34 . 1995-07-11 01:50 6,144 --a------ c:\windows\system32\AWDCXC32.DLL
2008-11-04 10:34 . 2008-11-04 10:35 302 --a------ c:\windows\sfxalbum.ini
2008-11-04 10:27 . 2008-11-04 10:27 <DIR> d-------- c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Cyberlink
2008-11-03 10:26 . 2008-11-03 10:26 <DIR> d-------- C:\tcwf
2008-11-03 10:26 . 2008-11-03 10:26 <DIR> d-------- c:\program files\Transas
2008-11-03 10:19 . 2008-11-03 10:24 <DIR> d-------- C:\Tsunamis
2008-10-31 09:22 . 2008-10-31 09:22 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-10-30 12:14 . 2008-10-30 17:21 <DIR> d-------- C:\blk
2008-10-30 12:13 . 2008-10-30 12:13 <DIR> d-------- C:\New Folder (3)
2008-10-21 18:16 . 2008-10-21 18:25 <DIR> d-------- c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\.JTides
2008-10-21 18:15 . 2008-10-21 18:15 <DIR> d-------- c:\program files\JTides
2008-10-21 15:46 . 2008-10-21 15:46 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-10-17 20:20 . 2008-10-17 20:20 <DIR> d--hs---- c:\program files\NetworkService.NT AUTHORITY.003
2008-10-16 11:50 . 2000-08-28 22:00 516,173 --a------ c:\windows\system32\Msvcp60d.dll
2008-10-16 11:50 . 2000-03-06 23:00 434,252 --a------ c:\windows\system32\Msvcrtd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-11-07 12:56 --------- d-----w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\AVG7
2008-11-02 14:46 --------- d-----w c:\program files\FreeCard
2008-11-02 14:36 --------- d-----w c:\program files\SMS Sender
2008-10-31 08:21 --------- d-----w c:\program files\Common Files\Adobe
2008-10-25 13:12 --------- d-----w c:\program files\Ahead
2008-10-18 08:57 --------- d-----w c:\program files\AceBIT
2008-10-17 18:55 --------- d-----w c:\program files\Audacity
2008-10-16 09:26 --------- d-----w c:\program files\SimpleOCR
2008-10-13 15:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-02 05:34 --------- d-----w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\gtk-2.0
2008-09-29 10:43 --------- d-----w c:\program files\c-mapecs
2008-09-23 07:01 --------- d-----w c:\program files\FolderSize
2008-09-22 16:10 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-22 16:10 --------- d-----w c:\program files\C-Map
2008-09-22 16:03 --------- d-----w c:\program files\I&M
2008-09-22 15:08 --------- d-----w c:\program files\SentEmul
2008-09-22 11:47 --------- d-----w c:\program files\TextBridge Pro 9.0
2008-09-22 11:47 --------- d-----w c:\program files\Common Files\ScanSoft Shared

2008-09-21 13:58 --------- d-----w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Free Download Manager
2008-09-21 07:37 --------- d-----w c:\program files\Real
2008-09-21 07:37 --------- d-----w c:\program files\Common Files\Real
2008-09-19 06:31 --------- d-----w c:\program files\Belarc
2008-09-19 06:30 --------- d-----w c:\program files\TomTom HOME 2
2008-09-19 06:30 --------- d-----w c:\program files\MSECACHE
2008-09-19 06:28 --------- d-----w c:\program files\OrangeHSS
2008-09-19 06:22 --------- d-----w c:\program files\Securitoo
2008-09-19 06:22 --------- d-----w c:\program files\Common Files\France Telecom
2008-09-19 06:22 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\MailFrontier
2008-09-19 06:22 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\FreeDownloadManager.ORG
2008-09-18 08:11 --------- d-----w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Media Player Classic
2008-09-16 16:47 --------- d-----w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\TomTom
2008-09-05 07:05 59,949 ---ha-w C:\jpeggeri.dat
2008-08-04 11:12 353,840 ----a-w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\RealPlayer11GOLD.exe
2008-08-04 07:29 3,288,104 ----a-w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Diino_4.2_Setup.exe
2008-07-26 17:04 15,736 ----a-w c:\program files\JkDefrag.log
2007-10-31 12:16 872 -c--a-w c:\program files\CloneSpy.ini
2007-10-31 12:15 5,435 -c--a-w c:\program files\CloneSpy.log
2004-12-11 07:23 3,918 -c--a-w c:\program files\Readme.txt
2004-12-11 07:20 49,173 -c--a-w c:\program files\winsetup.exe
2004-12-11 07:20 220 -c--a-w c:\program files\acsetup.cfg
2004-12-11 07:07 184,701 -c--a-w c:\program files\speech.vox
2004-12-11 07:07 1,943,049 -c--a-w c:\program files\music.vox
2004-08-07 14:14 187,904 -c--a-w c:\program files\HijackThis.exe
2004-06-06 06:19 238,481 -c--a-w c:\program files\CloneSpy.chm
2004-06-06 06:05 966,656 -c--a-w c:\program files\CloneSpy.exe
2004-03-11 11:27 40,960 -c--a-w c:\program files\Uninstall_CDS.exe
2003-10-13 15:02 262 -c--a-w c:\program files\file_id.diz
2003-09-08 00:49 507 -c--a-w c:\program files\DWG.BA_
2003-09-08 00:49 38 -c--a-w c:\program files\TFC.BAT
2003-09-08 00:49 23,428 -c--a-w c:\program files\ARCHIVER.BB2
2003-09-08 00:49 123 -c--a-w c:\program files\SAM.BA_
2001-09-10 07:10 61,440 -c--a-w c:\windows\inf\i386\onetUSD.dll
2001-09-06 07:58 139,264 -c--a-w c:\windows\inf\i386\Rtscan.dll
2001-08-17 17:43 32,768 -c--a-w c:\windows\inf\i386\Wiamicro.dll
2001-06-29 07:10 163,840 -c--a-w c:\windows\inf\i386\viceo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D393614C-357A-4E4F-8D67-3761F35452B1}]
2008-11-07 06:47 393216 --a------ c:\windows\xdsfqroepox.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE "= "c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA "= "c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 339968]
"RemoteControl "= "c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"AVG7_CC "= "c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-18 590848]
"SSBkgdUpdate "= "c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4 "= "c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"ORAHSSSessionManager "= "c:\program files\OrangeHSS\SessionManager\SessionManager.exe" [2007-06-12 94208]
"QuickTime Task "= "c:\program files\QuickTime Alternative\qttask.exe" [2007-10-19 286720]
"SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"InstantAccess "= "c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE" [2000-06-19 31744]
"RegisterDropHandler "= "c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [2000-06-19 22528]
"Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SoundMan "= "SOUNDMAN.EXE" [2004-06-18 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler "= "c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [2000-06-19 22528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE "= "c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]
"AVG7_Run "= "c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-25 219136]

c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Start Menu\Programs\Startup\
aFotoReg.lnk - c:\program files\Ssfxpro\afotoreg.exe [2008-11-04 164864]
reminder-ScanSoft Product Registration.lnk - c:\program files\TextBridge Pro 9.0\Bin\Ereg\Remind32.exe [2008-09-22 45056]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
ZDWLan Utility.lnk - c:\program files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2008-07-06 487424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch "= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///c:\windows\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mqxvbdwk "= {D09B8B8C-00F0-4BB0-A60D-CE5879262D71} - c:\windows\mqxvbdwk.dll [2008-11-07 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc "= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"VIDC.ACDV "= ACDV.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--a------ 2003-10-13 03:04 184320 c:\program files\Creative\Shared Files\CamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hotkey]
--a------ 2004-04-03 17:38 36864 c:\program files\Hotkey\Hotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
--------- 2003-12-22 21:15 86016 c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 18:19 15872 c:\program files\Unlocker\UnlockerAssistant.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"c:\\WINDOWS\\system32\\mmc.exe "=
"c:\\WINDOWS\\system32\\dpvsetup.exe "=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe "=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe "=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe "=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe "=
"c:\\Program Files\\Skype\\Phone\\Skype.exe "=
"c:\\Program Files\\Avant Browser\\avant.exe "=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
"c:\\Program Files\\MSI\\i-Speeder\\i-Speeder.exe "=
"c:\\Program Files\\Azureus\\Azureus.exe "=
"c:\\Program Files\\OrangeHSS\\Connectivity\\ConnectivityManager.exe "=
"c:\\Program Files\\Free Download Manager\\fdm.exe "=
"c:\\Program Files\\I&M\\MaxSea\\MaxSea.exe "=

R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [2007-08-25 90112]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2006-11-30 446976]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BRGSp50.sys [2005-06-08 20608]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-10-22 38496]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-06-29 42512]
S3 sentemul;sentemul;c:\windows\system32\drivers\sentemul.sys [2003-03-24 11812]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys [ ]
S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);c:\windows\system32\DRIVERS\zd1211Bu.sys [2006-08-24 477696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2008-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []

2008-11-09 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{2518E164-5B09-401F-8C78-A175A4890882} - c:\windows\system32\tuvUKDVo.dll
BHO-{3B266001-5B78-484E-AC16-41C1FE3FB152} - c:\windows\system32\fcccaBTl.dll
BHO-{8A55C5F4-3052-4799-A178-C43624326D2C} - c:\windows\system32\mlJBSiHW.dll
Toolbar-{3A74A614-1657-4533-B1FE-DCFBA2895828} - c:\windows\mstoanrd.dll
HKCU-Run-Power2GoExpress - (no file)
HKCU-Run-Cute Password Manager - (no file)
HKLM-Run-PC Alarm Clock - c:\progra~1\PC Alarm Clock\pac.exe
ShellExecuteHooks-{2518E164-5B09-401F-8C78-A175A4890882} - c:\windows\system32\tuvUKDVo.dll
Notify-tuvUKDVo - tuvUKDVo.dll
Notify-WgaLogon - (no file)
MSConfigStartUp-InCD - c:\program files\Ahead\InCD\InCD.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Mozilla\Firefox\Profiles\ytyrl0nq.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.co.uk
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Opera\program\plugins\nppdf32.dll
FF -: plugin - c:\program files\Opera\program\plugins\nppl3260.dll
FF -: plugin - c:\program files\Opera\program\plugins\nprjplug.dll
FF -: plugin - c:\program files\Opera\program\plugins\nprpjplug.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-12 19:38:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Crypserv.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\progra~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Sandboxie\SbieSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\OrangeHSS\Launcher\Launcher.exe
c:\progra~1\COMMON~1\France Telecom\Shared Modules\AlertModule\0\AlertModule.exe
c:\program files\OrangeHSS\Systray\SystrayApp.exe
c:\program files\OrangeHSS\Deskboard\Deskboard.exe
c:\program files\OrangeHSS\Connectivity\ConnectivityManager.exe
c:\program files\OrangeHSS\Connectivity\corecom\CoreCom.exe
c:\program files\OrangeHSS\Connectivity\corecom\OraConfigRecover.exe
c:\progra~1\COMMON~1\France Telecom\Shared Modules\FTCOMModule\0\FTCOMModule.exe
.
**************************************************************************
.
Completion time: 2008-11-12 20:50:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-12 19:50:26

Pre-Run: 27,755,745,280 bytes free
Post-Run: 27,904,565,248 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /fastdetect
c:\wubildr.mbr= "Ubuntu "

293 --- E O F --- 2007-12-04 16:29:53


Logfile of random's system information tool 1.04 (written by random/random)
Run by Brian Owen at 2008-11-12 21:32:31
Microsoft Windows XP Professional Service Pack 2
System drive C: has 27 GB (34%) free of 78 GB
Total RAM: 511 MB (10% free)


======Scheduled tasks folder======

C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\GoogleUpdateTaskUser.job

======Registry dump======

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{02478D38-C3F9-4efb-9B51-7695ECA05670}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
Adobe PDF Reader Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll [2008-06-11 61816]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
Adobe PDF Link Helper - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll [2008-06-11 75128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
Yahoo! IE Services Button - C:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 198136]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
SSVHelper Class - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll [2008-06-10 509328]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CC59E0F9-7E43-44FA-9FAA-8377850BF205}]
FDMIECookiesBHO Class - C:\Program Files\Free Download Manager\iefdm2.dll [2007-11-26 94208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D393614C-357A-4E4F-8D67-3761F35452B1}]
QXK Olive - C:\WINDOWS\xdsfqroepox.dll [2008-11-07 393216]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DC5F9604-C6E2-47D0-8E0F-E60FCCB334C7}]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA "=C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe [2004-05-15 339968]
"SoundMan "=C:\WINDOWS\SOUNDMAN.EXE [2004-06-18 67584]
"RemoteControl "=C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe [2003-10-31 32768]
"AVG7_CC "=C:\PROGRA~1\Grisoft\AVG7\avgcc.exe [2008-10-18 590848]
"SSBkgdUpdate "=C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe [2006-09-28 185896]
"OpwareSE4 "=C:\Program Files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe [2006-10-11 75304]
"ORAHSSSessionManager "=C:\Program Files\OrangeHSS\SessionManager\SessionManager.exe [2007-06-12 94208]
"QuickTime Task "=C:\Program Files\QuickTime Alternative\qttask.exe [2007-10-19 286720]
"SunJavaUpdateSched "=C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe [2008-06-10 144784]
"InstantAccess "=C:\PROGRA~1\TEXTBR~1.0\Bin\INSTAN~1.EXE [2000-06-19 31744]
"RegisterDropHandler "=C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE [2000-06-19 22528]
"Adobe Reader Speed Launcher "=C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe [2008-06-12 34672]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE "=C:\WINDOWS\system32\ctfmon.exe [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
C:\Program Files\Creative\Shared Files\CamTray.exe [2003-10-13 184320]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hotkey]
C:\Program Files\Hotkey\Hotkey.exe [2004-04-03 36864]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe [2003-12-22 86016]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
C:\Program Files\Unlocker\UnlockerAssistant.exe [2006-09-07 15872]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
C:\PROGRA~1\MI1933~1\Office\OSA9.EXE [1999-02-17 65588]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup
ZDWLan Utility.lnk - C:\Program Files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe

C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Start Menu\Programs\Startup
aFotoReg.lnk - C:\Program Files\Ssfxpro\afotoreg.exe
reminder-ScanSoft Product Registration.lnk - C:\Program Files\TextBridge Pro 9.0\Bin\Ereg\Remind32.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
C:\WINDOWS\system32\Ati2evxx.dll [2004-05-15 86016]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
mqxvbdwk - {D09B8B8C-00F0-4BB0-A60D-CE5879262D71} - C:\WINDOWS\mqxvbdwk.dll [2008-11-07 282624]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\nm.sys]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\UploadMgr]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\network\vsmon]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername "=0
"legalnoticecaption "=
"legalnoticetext "=
"shutdownwithoutlogon "=1
"undockwithoutlogon "=1

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoDrives "=0

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\explorer]
"NoResolveSearch "=
"NoDriveTypeAutoRun "=
"NoDrives "=
"NoDriveAutoRun "=

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe "= "%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019 "
"C:\WINDOWS\system32\mmc.exe "= "C:\WINDOWS\system32\mmc.exe:*isabled:Microsoft Management Console "
"C:\WINDOWS\system32\dpvsetup.exe "= "C:\WINDOWS\system32\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test "
"C:\Program Files\Grisoft\AVG7\avginet.exe "= "C:\Program Files\Grisoft\AVG7\avginet.exe:*:Enabled:avginet.exe "
"C:\Program Files\Grisoft\AVG7\avgamsvr.exe "= "C:\Program Files\Grisoft\AVG7\avgamsvr.exe:*:Enabled:avgamsvr.exe "
"C:\Program Files\Grisoft\AVG7\avgcc.exe "= "C:\Program Files\Grisoft\AVG7\avgcc.exe:*:Enabled:avgcc.exe "
"C:\Program Files\Grisoft\AVG7\avgemc.exe "= "C:\Program Files\Grisoft\AVG7\avgemc.exe:*:Enabled:avgemc.exe "
"C:\Program Files\Skype\Phone\Skype.exe "= "C:\Program Files\Skype\Phone\Skype.exe:*:Enabled:Skype. Take a deep breath "
"C:\Program Files\Avant Browser\avant.exe "= "C:\Program Files\Avant Browser\avant.exe:*:Enabled:Avant Browser "
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe "= "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe:*:Enabled:Yahoo! Messenger "
"C:\Program Files\Yahoo!\Messenger\YServer.exe "= "C:\Program Files\Yahoo!\Messenger\YServer.exe:*:Enabled:Yahoo! FT Server "
"C:\Program Files\Bonjour\mDNSResponder.exe "= "C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour "
"C:\Program Files\MSI\i-Speeder\i-Speeder.exe "= "C:\Program Files\MSI\i-Speeder\i-Speeder.exe:*:Enabled:i-Speeder "
"C:\Program Files\Azureus\Azureus.exe "= "C:\Program Files\Azureus\Azureus.exe:*:Enabled:Azureus "
"C:\Program Files\OrangeHSS\Connectivity\ConnectivityManager.exe "= "C:\Program Files\OrangeHSS\Connectivity\ConnectivityManager.exe:*:enabled:CSS "
"C:\Program Files\Free Download Manager\fdm.exe "= "C:\Program Files\Free Download Manager\fdm.exe:*isabled:Free Download Manager "
"C:\Program Files\I&M\MaxSea\MaxSea.exe "= "C:\Program Files\I&M\MaxSea\MaxSea.exe:*:Enabled:MaxSea "

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\system32\sessmgr.exe "= "%windir%\system32\sessmgr.exe:*:enabledxpsp2res.dll,-22019 "
"C:\Program Files\Windows Live\Messenger\msnmsgr.exe "= "C:\Program Files\Windows Live\Messenger\msnmsgr.exe:*:Enabled:Windows Live Messenger "
"C:\Program Files\Windows Live\Messenger\livecall.exe "= "C:\Program Files\Windows Live\Messenger\livecall.exe:*:Enabled:Windows Live Messenger (Phone) "

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
shell\AutoRun\command - E:\setupSNK.exe


======File associations======

.reg - edit -
.reg - open - c:\Winnt\Regedit.exe %1

======List of files/folders created in the last 1 months======

2008-11-12 20:59:27 ----SHD---- C:\RECYCLER
2008-11-12 20:50:43 ----D---- C:\WINDOWS\temp
2008-11-12 20:50:36 ----A---- C:\ComboFix.txt
2008-11-12 19:15:59 ----A---- C:\Boot.bak
2008-11-12 19:15:45 ----RASHD---- C:\cmdcons
2008-11-12 19:07:51 ----A---- C:\WINDOWS\zip.exe
2008-11-12 19:07:51 ----A---- C:\WINDOWS\VFIND.exe
2008-11-12 19:07:51 ----A---- C:\WINDOWS\SWXCACLS.exe
2008-11-12 19:07:51 ----A---- C:\WINDOWS\SWSC.exe
2008-11-12 19:07:51 ----A---- C:\WINDOWS\SWREG.exe
2008-11-12 19:07:51 ----A---- C:\WINDOWS\sed.exe
2008-11-12 19:07:51 ----A---- C:\WINDOWS\NIRCMD.exe
2008-11-12 19:07:51 ----A---- C:\WINDOWS\grep.exe
2008-11-12 19:07:51 ----A---- C:\WINDOWS\fdsv.exe
2008-11-12 19:07:38 ----D---- C:\Qoobox
2008-11-07 19:22:14 ----D---- C:\rsit
2008-11-07 19:22:14 ----D---- C:\Program Files\trend micro
2008-11-07 16:18:37 ----D---- C:\Program Files\HijackThis
2008-11-07 13:53:13 ----D---- C:\Program Files\Malwarebytes' Anti-Malware
2008-11-07 13:31:15 ----D---- C:\Program Files\Exterminate It!
2008-11-07 12:14:46 ----A---- C:\WINDOWS\system32\0f3b8530-.txt
2008-11-07 12:04:35 ----A---- C:\WINDOWS\xdsfqroepox.dll
2008-11-07 12:04:35 ----A---- C:\WINDOWS\mqxvbdwk.dll
2008-11-07 11:56:34 ----A---- C:\WINDOWS\iltwain.ini
2008-11-07 11:55:58 ----D---- C:\Program Files\Earth Resource Mapping
2008-11-07 11:55:48 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Fugawi
2008-11-07 11:55:44 ----D---- C:\Program Files\Common Files\Fugawi
2008-11-07 11:55:42 ----D---- C:\Program Files\Fugawi
2008-11-07 11:53:34 ----D---- C:\bucket
2008-11-04 11:04:26 ----D---- C:\Program Files\Common Files\Transas Shared
2008-11-04 10:35:22 ----A---- C:\WINDOWS\sfxthumb.ini
2008-11-04 10:34:42 ----A---- C:\WINDOWS\system32\AWVIEW32.DLL
2008-11-04 10:34:42 ----A---- C:\WINDOWS\system32\AWRESX32.DLL
2008-11-04 10:34:42 ----A---- C:\WINDOWS\system32\AWDENC32.DLL
2008-11-04 10:34:42 ----A---- C:\WINDOWS\system32\AWDCXC32.DLL
2008-11-04 10:34:42 ----A---- C:\WINDOWS\system32\AWCODC32.DLL
2008-11-04 10:34:30 ----A---- C:\WINDOWS\sfxalbum.ini
2008-11-04 10:34:19 ----D---- C:\Program Files\Ssfxpro
2008-11-04 10:27:03 ----D---- C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Cyberlink
2008-11-03 10:26:32 ----D---- C:\Program Files\Transas
2008-11-03 10:26:29 ----D---- C:\tcwf
2008-11-03 10:19:30 ----D---- C:\Tsunamis
2008-10-31 09:22:07 ----D---- C:\Program Files\Common Files\Adobe AIR
2008-10-31 09:20:54 ----D---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Adobe
2008-10-30 12:14:28 ----D---- C:\blk
2008-10-30 12:13:03 ----D---- C:\New Folder (3)
2008-10-21 18:15:25 ----D---- C:\Program Files\JTides
2008-10-21 15:46:21 ----D---- C:\Program Files\Microsoft Silverlight
2008-10-17 20:20:36 ----SHD---- C:\Program Files\NetworkService.NT AUTHORITY.003
2008-10-16 11:50:09 ----A---- C:\WINDOWS\system32\Msvcrtd.dll
2008-10-16 11:50:09 ----A---- C:\WINDOWS\system32\Msvcp60d.dll

======List of files/folders modified in the last 1 months======

2008-11-12 21:20:23 ----D---- C:\WINDOWS\Prefetch
2008-11-12 21:20:14 ----D---- C:\Program Files\Mozilla Firefox
2008-11-12 20:59:30 ----D---- C:\WINDOWS
2008-11-12 20:50:46 ----D---- C:\WINDOWS\system32\drivers
2008-11-12 20:50:46 ----D---- C:\WINDOWS\system32
2008-11-12 20:50:19 ----D---- C:\WINDOWS\ERDNT
2008-11-12 19:38:53 ----D---- C:\WINDOWS\system32\CatRoot2
2008-11-12 19:38:44 ----A---- C:\WINDOWS\system.ini
2008-11-12 19:36:43 ----D---- C:\WINDOWS\system32\config
2008-11-12 19:29:04 ----RHD---- C:\$VAULT$.AVG
2008-11-12 19:28:47 ----D---- C:\WINDOWS\AppPatch
2008-11-12 19:28:47 ----D---- C:\Program Files\Common Files
2008-11-12 19:15:59 ----RASH---- C:\boot.ini
2008-11-12 19:09:30 ----A---- C:\WINDOWS\SchedLgU.Txt
2008-11-12 18:56:10 ----SHD---- C:\WINDOWS\CSC
2008-11-07 19:22:14 ----RD---- C:\Program Files
2008-11-07 18:08:41 ----A---- C:\WINDOWS\ntbtlog.txt
2008-11-07 13:56:41 ----D---- C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\AVG7
2008-11-07 12:20:26 ----D---- C:\WINDOWS\system32\wbem
2008-11-07 12:20:24 ----D---- C:\WINDOWS\Registration
2008-11-07 11:55:57 ----RSD---- C:\WINDOWS\Fonts
2008-11-07 11:53:29 ----D---- C:\basket
2008-11-07 11:28:35 ----D---- C:\!b(2)(2)
2008-11-07 10:49:45 ----D---- C:\!b
2008-11-07 10:16:31 ----D---- C:\BOAT

2008-11-06 16:58:12 ----A---- C:\WINDOWS\Maxsea.ini
2008-11-06 16:58:11 ----A---- C:\WINDOWS\SeaDriver.ini
2008-11-06 16:58:11 ----A---- C:\WINDOWS\Predictor.ini
2008-11-06 16:58:03 ----A---- C:\WINDOWS\CMapConfig.ini
2008-11-04 11:25:28 ----RSHDC---- C:\WINDOWS\system32\dllcache
2008-11-04 11:02:39 ----SHD---- C:\WINDOWS\Installer
2008-11-04 11:02:39 ----SHD---- C:\Config.Msi
2008-11-04 10:34:30 ----D---- C:\WINDOWS\system
2008-11-04 10:33:30 ----A---- C:\WINDOWS\Install.ini
2008-11-04 10:27:25 ----D---- C:\MyWorks
2008-11-03 09:43:45 ----A---- C:\WINDOWS\scrncapt.ini
2008-11-02 15:46:19 ----D---- C:\Program Files\FreeCard
2008-11-02 15:36:13 ----D---- C:\Program Files\SMS Sender
2008-10-31 09:29:48 ----D---- C:\Program Files\Adobe
2008-10-31 09:21:13 ----D---- C:\Program Files\Common Files\Adobe
2008-10-30 17:21:02 ----D---- C:\!b(2)
2008-10-30 14:18:49 ----D---- C:\ash
2008-10-30 14:17:57 ----D---- C:\1a
2008-10-30 12:48:40 ----D---- C:\clovis
2008-10-30 12:12:58 ----D---- C:\be
2008-10-29 11:53:46 ----AC---- C:\WINDOWS\SoftWriting.ini
2008-10-29 11:50:04 ----D---- C:\DOCUMENTS
2008-10-28 16:58:11 ----A---- C:\WINDOWS\system32\PerfStringBackup.INI
2008-10-28 16:57:04 ----HD---- C:\WINDOWS\inf
2008-10-28 16:45:05 ----D---- C:\WINDOWS\system32\Adobe
2008-10-25 14:12:38 ----D---- C:\Program Files\Ahead
2008-10-22 16:25:01 ----A---- C:\WINDOWS\SeaDriver2000.ini
2008-10-18 09:57:53 ----D---- C:\Program Files\AceBIT
2008-10-18 09:26:16 ----D---- C:\Chenauds-gallery
2008-10-18 09:24:28 ----D---- C:\!!
2008-10-17 20:21:58 ----D---- C:\CM93
2008-10-17 19:55:26 ----D---- C:\Program Files\Audacity
2008-10-16 10:26:01 ----D---- C:\Program Files\SimpleOCR
2008-10-15 11:07:23 ----D---- C:\WINDOWS\WinSxS
2008-10-15 11:07:11 ----SD---- C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft
2008-10-15 11:05:36 ----A---- C:\WINDOWS\imsins.BAK
2008-10-13 16:11:56 ----D---- C:\Program Files\Spybot - Search & Destroy

======List of drivers (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R1 AmdK7;AMD K7 Processor Driver; C:\WINDOWS\System32\DRIVERS\amdk7.sys [2004-08-03 37376]
R1 Avg7Core;AVG7 Kernel; C:\WINDOWS\System32\Drivers\avg7core.sys [2007-10-25 821856]
R1 Avg7RsW;AVG7 Wrap Driver; C:\WINDOWS\System32\Drivers\avg7rsw.sys [2007-10-09 4224]
R1 Avg7RsXP;AVG7 Resident Driver XP; C:\WINDOWS\System32\Drivers\avg7rsxp.sys [2007-10-09 27776]
R1 AvgClean;AVG7 Clean Driver; C:\WINDOWS\System32\Drivers\avgclean.sys [2007-12-21 10760]
R1 BANTExt;Belarc SMBios Access; C:\WINDOWS\System32\Drivers\BANTExt.sys [2005-04-07 3840]
R1 cdrbsvsd;cdrbsvsd; C:\WINDOWS\system32\drivers\cdrbsvsd.sys [2003-07-16 13056]
R1 FileDisk;FileDisk; C:\WINDOWS\system32\drivers\FileDisk.sys [2005-10-16 12928]
R1 NetworkX;NetworkX; C:\WINDOWS\system32\ckldrv.sys [2000-02-03 24608]
R2 AvgTdi;AVG Network Redirector; C:\WINDOWS\System32\Drivers\avgtdi.sys [2007-10-09 4960]
R3 ALCXSENS;Service for WDM 3D Audio Driver; C:\WINDOWS\system32\drivers\ALCXSENS.SYS [2004-02-24 400384]
R3 ALCXWDM;Service for Realtek AC97 Audio (WDM); C:\WINDOWS\system32\drivers\ALCXWDM.SYS [2004-06-21 626204]
R3 ati2mtag;ati2mtag; C:\WINDOWS\System32\DRIVERS\ati2mtag.sys [2004-05-15 745984]
R3 HCF_MSFT;HCF_MSFT; C:\WINDOWS\System32\DRIVERS\HCF_MSFT.sys [2001-08-17 907456]
R3 hidusb;Microsoft HID Class Driver; C:\WINDOWS\System32\DRIVERS\hidusb.sys [2002-09-03 9600]
R3 mouhid;Mouse HID Driver; C:\WINDOWS\System32\DRIVERS\mouhid.sys [2002-09-03 12160]
R3 PCANDIS5;PCANDIS5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\PCANDIS5.SYS []
R3 pfc;Padus ASPI Shell; C:\WINDOWS\system32\drivers\pfc.sys [2003-12-05 10368]
R3 RTL8023xp;Realtek RTL8139/810x/8169/8110 all in one NDIS XP Driver; C:\WINDOWS\System32\DRIVERS\Rtlnicxp.sys [2004-04-13 70144]
R3 SbieDrv;SbieDrv; \??\C:\Program Files\Sandboxie\SbieDrv.sys []
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbehci.sys [2004-08-03 26624]
R3 usbhub;Microsoft USB Standard Hub Driver; C:\WINDOWS\System32\DRIVERS\usbhub.sys [2004-08-03 57600]
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver; C:\WINDOWS\System32\DRIVERS\usbuhci.sys [2004-08-03 20480]
R3 ZDPSp50;ZDPSp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\ZDPSp50.sys [2004-10-25 17664]
R4 catchme;catchme; \??\C:\ComboFix\catchme.sys []
S1 InCDPass;InCdPass; C:\WINDOWS\System32\DRIVERS\InCDPass.sys []
S2 SENTINEL;Sentinel driver; C:\WINDOWS\system32\drivers\SENTINEL.sys []
S3 athrusb;Atheros Wireless LAN USB device driver; C:\WINDOWS\system32\DRIVERS\athrusb.sys [2006-11-30 446976]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver; C:\WINDOWS\System32\Drivers\BRGSp50.sys [2005-06-08 20608]
S3 CCDECODE;Closed Caption Decoder; C:\WINDOWS\system32\DRIVERS\CCDECODE.sys [2004-08-03 17024]
S3 CnxTrLan;Conexant USB Network Adapter Driver; C:\WINDOWS\system32\DRIVERS\CnxTrLan.sys [2002-10-14 22656]
S3 CnxTrUsb;Conexant USB Network Interface Device Driver; C:\WINDOWS\system32\DRIVERS\CnxTrUsb.sys [2002-10-16 47360]
S3 E100B;Intel(R) PRO Adapter Driver; C:\WINDOWS\system32\DRIVERS\e100b325.sys [2001-08-17 117760]
S3 FETND5BV;VIA Rhine-Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\system32\DRIVERS\fetnd5bv.sys [2004-12-16 42496]
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\fetnd5.sys [2001-08-17 27165]
S3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service; C:\WINDOWS\System32\DRIVERS\fetnd5b.sys [2003-09-04 41984]
S3 GMSIPCI;GMSIPCI; \??\D:\INSTALL\GMSIPCI.SYS []
S3 GT680x;GrandTechICNameNT; C:\WINDOWS\System32\Drivers\gt680x.sys [2003-02-18 17504]
S3 MBAMSwissArmy;MBAMSwissArmy; \??\C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
S3 MSTEE;Microsoft Streaming Tee/Sink-to-Sink Converter; C:\WINDOWS\system32\drivers\MSTEE.sys [2004-08-03 5504]
S3 NABTSFEC;NABTS/FEC VBI Codec; C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys [2004-08-03 85376]
S3 NdisIP;Microsoft TV/Video Connection; C:\WINDOWS\system32\DRIVERS\NdisIP.sys [2004-08-03 10880]
S3 nm;Network Monitor Driver; C:\WINDOWS\system32\DRIVERS\NMnt.sys [2004-08-03 40320]
S3 NPF;NetGroup Packet Filter Driver; C:\WINDOWS\system32\drivers\npf.sys [2007-06-29 42512]
S3 NTACCESS;NTACCESS; \??\D:\NTACCESS.sys []
S3 P1131VID;Creative WebCam NX Pro (WDM); C:\WINDOWS\system32\DRIVERS\P1131Vid.sys [2004-03-26 91241]
S3 PCAMPR5;PCAMPR5 NDIS Protocol Driver; \??\C:\WINDOWS\system32\PCAMPR5.SYS []
S3 rtl8139;Realtek RTL8139(A/B/C)-based PCI Fast Ethernet Adapter NT Driver; C:\WINDOWS\System32\DRIVERS\RTL8139.SYS [2004-08-03 20992]
S3 sentemul;sentemul; \??\C:\WINDOWS\system32\drivers\sentemul.sys []
S3 SetupNTGLM7X;SetupNTGLM7X; \??\D:\NTGLM7X.sys []
S3 SLIP;BDA Slip De-Framer; C:\WINDOWS\system32\DRIVERS\SLIP.sys [2004-08-03 11136]
S3 streamip;BDA IPSink; C:\WINDOWS\system32\DRIVERS\StreamIP.sys [2004-08-03 15360]
S3 usbscan;USB Scanner Driver; C:\WINDOWS\system32\DRIVERS\usbscan.sys [2004-08-03 15104]
S3 USBSTOR;USB Mass Storage Driver; C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS [2004-08-03 26496]
S3 WSTCODEC;World Standard Teletext Codec; C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS [2004-08-03 19328]
S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS); C:\WINDOWS\System32\DRIVERS\zd1211Bu.sys [2006-08-24 477696]
S4 InCDfs;InCD File System; C:\WINDOWS\system32\drivers\InCDfs.sys []
S4 IntelIde;IntelIde; C:\WINDOWS\system32\drivers\IntelIde.sys []

======List of services (R=Running, S=Stopped, 0=Boot, 1=System, 2=Auto, 3=Demand, 4=Disabled)======

R2 Ati HotKey Poller;Ati HotKey Poller; C:\WINDOWS\System32\Ati2evxx.exe [2004-05-15 376832]
R2 Avg7Alrt;AVG7 Alert Manager Server; C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe [2007-10-25 418816]
R2 Avg7UpdSvc;AVG7 Update Service; C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe [2007-09-12 49664]
R2 AVGEMS;AVG E-mail Scanner; C:\PROGRA~1\Grisoft\AVG7\avgemc.exe [2007-12-21 406528]
R2 Bonjour Service;Bonjour Service; C:\Program Files\Bonjour\mDNSResponder.exe [2007-07-24 229376]
R2 Crypkey License;Crypkey License; C:\WINDOWS\system32\crypserv.exe [2000-06-29 52224]
R2 FolderSize;Folder Size; C:\Program Files\FolderSize\FolderSizeSvc.exe [2006-03-24 98304]
R2 FTRTSVC;France Telecom Routing Table Service; C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe [2007-06-12 65536]
R2 MDM;Machine Debug Manager; C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE [2003-06-19 322120]
R2 SbieSvc;Sandboxie Service; C:\Program Files\Sandboxie\SbieSvc.exe [2007-08-25 35840]
R2 UMWdf;Windows User Mode Driver Framework; C:\WINDOWS\system32\wdfmgr.exe [2005-01-28 38912]
S2 ATI Smart;ATI Smart; C:\WINDOWS\system32\ati2sgag.exe [2004-05-15 516096]
S2 InCDsrv;InCD File System Service; C:\Program Files\Ahead\InCD\InCDsrv.exe []
S3 Imapi Helper;Imapi Helper; C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe [2006-01-04 163840]
S3 ose;Office Source Engine; C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE [2003-07-28 89136]
S3 rpcapd;Remote Packet Capture Protocol v.0 (experimental); C:\Program Files\WinPcap\rpcapd.exe [2007-06-29 92792]

-----------------EOF-----------------

 

Hi Brian,

All the information needed for subscribing is here.

A bit more work to do. Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Code:

File::
c:\windows\xdsfqroepox.dll
c:\windows\mqxvbdwk.dll
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D393614C-357A-4E4F-8D67-3761F35452B1}]
[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
 "mqxvbdwk "=-

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and give me an update on your machine's status.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

**NOTE - Allow ComboFix to update if prompted.

 

Must be a virus

Thanks for the info Noah,
I copied and ran the patch as suggested and it seems to have sorted out the problems. I would mention,however that the first time I ran it, after it fiinshed and I tried to copy the log, the screen blanked to black and the keyboard etc. became inactive. The second time running, everithing seemed OK but I had lost my ISP connection and had to re-instal the software but seems OK now. Generated the following log :-

Very much appreciate your help and when I get my 40ft Yacht, I'll name it after yours "The Ark ".

ComboFix 08-11-11.01 - Brian Owen 2008-11-14 14:50:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.222 [GMT 1:00]
Running from: c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Desktop\CFScript.txt c:\documents and settings\All Users.WINDOWS\Desktop\Gestionnaire Internet.lnk
* Created a new restore point

FILE ::
c:\windows\mqxvbdwk.dll
c:\windows\xdsfqroepox.dll
.

((((((((((((((((((((((((( Files Created from 2008-10-14 to 2008-11-14 )))))))))))))))))))))))))))))))
.

2008-11-07 19:22 . 2008-11-07 19:23 <DIR> d-------- C:\rsit
2008-11-07 19:22 . 2008-11-12 21:32 <DIR> d-------- c:\program files\trend micro
2008-11-07 13:53 . 2008-11-07 13:55 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-07 13:53 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-07 13:53 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-07 13:31 . 2008-11-12 21:55 <DIR> d-------- c:\program files\Exterminate It!
2008-11-07 11:56 . 2008-11-07 12:04 37 --a------ c:\windows\iltwain.ini
2008-11-07 11:55 . 2008-11-07 11:55 <DIR> d-------- c:\program files\Earth Resource Mapping
2008-11-07 11:53 . 2008-11-14 10:58 <DIR> d-------- C:\bucket
2008-11-04 11:04 . 2008-11-04 11:04 <DIR> d-------- c:\program files\Common Files\Transas Shared
2008-11-04 10:35 . 2008-11-04 10:35 806 --a------ c:\windows\sfxthumb.ini
2008-11-04 10:34 . 2008-11-04 10:38 <DIR> d-------- c:\program files\Ssfxpro
2008-11-04 10:34 . 1998-03-30 08:54 398,336 --a------ c:\windows\system32\Ltocx90n.ocx
2008-11-04 10:34 . 1996-06-13 07:19 274,432 --a------ c:\windows\system32\Btn32x10.OCX
2008-11-04 10:34 . 1997-07-29 02:54 273,920 --a------ c:\windows\system32\Rivet100.OCX
2008-11-04 10:34 . 1995-07-11 01:50 26,624 --a------ c:\windows\system32\AWRESX32.DLL
2008-11-04 10:34 . 1995-07-11 01:50 24,576 --a------ c:\windows\system32\AWCODC32.DLL
2008-11-04 10:34 . 1995-10-05 16:02 24,064 --a------ c:\windows\system\regsvr32.exe
2008-11-04 10:34 . 1995-11-16 10:39 11,776 --a------ c:\windows\system32\AWDENC32.DLL
2008-11-04 10:34 . 1995-10-09 08:58 10,240 --a------ c:\windows\system32\AWVIEW32.DLL
2008-11-04 10:34 . 1995-07-11 01:50 6,144 --a------ c:\windows\system32\AWDCXC32.DLL
2008-11-04 10:34 . 2008-11-04 10:35 302 --a------ c:\windows\sfxalbum.ini
2008-11-04 10:27 . 2008-11-04 10:27 <DIR> d-------- c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Cyberlink
2008-11-03 10:26 . 2008-11-03 10:26 <DIR> d-------- C:\tcwf
2008-11-03 10:26 . 2008-11-03 10:26 <DIR> d-------- c:\program files\Transas
2008-11-03 10:19 . 2008-11-03 10:24 <DIR> d-------- C:\Tsunamis
2008-10-31 09:22 . 2008-10-31 09:22 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-10-30 12:14 . 2008-10-30 17:21 <DIR> d-------- C:\blk
2008-10-30 12:13 . 2008-10-30 12:13 <DIR> d-------- C:\New Folder (3)
2008-10-21 18:16 . 2008-10-21 18:25 <DIR> d-------- c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\.JTides
2008-10-21 18:15 . 2008-10-21 18:15 <DIR> d-------- c:\program files\JTides
2008-10-21 15:46 . 2008-10-21 15:46 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-10-17 20:20 . 2008-10-17 20:20 <DIR> d--hs---- c:\program files\NetworkService.NT AUTHORITY.003
2008-10-16 11:50 . 2000-08-28 22:00 516,173 --a------ c:\windows\system32\Msvcp60d.dll
2008-10-16 11:50 . 2000-03-06 23:00 434,252 --a------ c:\windows\system32\Msvcrtd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.

2008-11-14 13:13 --------- d-----w
2008-11-07 12:56 --------- d-----w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\AVG7
2008-11-02 14:46 --------- d-----w c:\program files\FreeCard
2008-11-02 14:36 --------- d-----w c:\program files\SMS Sender
2008-10-31 08:21 --------- d-----w c:\program files\Common Files\Adobe
2008-10-25 13:12 --------- d-----w c:\program files\Ahead
2008-10-18 08:57 --------- d-----w c:\program files\AceBIT
2008-10-17 18:55 --------- d-----w c:\program files\Audacity
2008-10-16 09:26 --------- d-----w c:\program files\SimpleOCR
2008-10-13 15:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-02 05:34 --------- d-----w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\gtk-2.0
2008-09-29 10:43 --------- d-----w c:\program files\c-mapecs
2008-09-23 07:01 --------- d-----w c:\program files\FolderSize
2008-09-22 16:10 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-22 16:10 --------- d-----w c:\program files\C-Map
2008-09-22 16:03 --------- d-----w c:\program files\I&M
2008-09-22 15:08 --------- d-----w c:\program files\SentEmul
2008-09-22 11:47 --------- d-----w c:\program files\TextBridge Pro 9.0
2008-09-22 11:47 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2008-09-21 13:58 --------- d-----w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Free Download Manager
2008-09-21 07:37 --------- d-----w c:\program files\Real
2008-09-21 07:37 --------- d-----w c:\program files\Common Files\Real
2008-09-19 06:31 --------- d-----w c:\program files\Belarc
2008-09-19 06:30 --------- d-----w c:\program files\TomTom HOME 2
2008-09-19 06:30 --------- d-----w c:\program files\MSECACHE
2008-09-19 06:28 --------- d-----w c:\program files\OrangeHSS
2008-09-19 06:22 --------- d-----w c:\program files\Securitoo
2008-09-19 06:22 --------- d-----w c:\program files\Common Files\France Telecom
2008-09-19 06:22 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\MailFrontier
2008-09-19 06:22 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\FreeDownloadManager.ORG
2008-09-18 08:11 --------- d-----w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Media Player Classic
2008-09-16 16:47 --------- d-----w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\TomTom
2008-09-05 07:05 59,949 ---ha-w C:\jpeggeri.dat
2008-08-04 11:12 353,840 ----a-w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\RealPlayer11GOLD.exe
2008-08-04 07:29 3,288,104 ----a-w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Diino_4.2_Setup.exe
2008-07-26 17:04 15,736 ----a-w c:\program files\JkDefrag.log
2007-10-31 12:16 872 -c--a-w c:\program files\CloneSpy.ini
2007-10-31 12:15 5,435 -c--a-w c:\program files\CloneSpy.log
2004-12-11 07:23 3,918 -c--a-w c:\program files\Readme.txt
2004-12-11 07:20 49,173 -c--a-w c:\program files\winsetup.exe
2004-12-11 07:20 220 -c--a-w c:\program files\acsetup.cfg
2004-12-11 07:07 184,701 -c--a-w c:\program files\speech.vox
2004-12-11 07:07 1,943,049 -c--a-w c:\program files\music.vox
2004-08-07 14:14 187,904 -c--a-w c:\program files\HijackThis.exe
2004-06-06 06:19 238,481 -c--a-w c:\program files\CloneSpy.chm
2004-06-06 06:05 966,656 -c--a-w c:\program files\CloneSpy.exe
2004-03-11 11:27 40,960 -c--a-w c:\program files\Uninstall_CDS.exe
2003-10-13 15:02 262 -c--a-w c:\program files\file_id.diz
2003-09-08 00:49 507 -c--a-w c:\program files\DWG.BA_
2003-09-08 00:49 38 -c--a-w c:\program files\TFC.BAT
2003-09-08 00:49 23,428 -c--a-w c:\program files\ARCHIVER.BB2
2003-09-08 00:49 123 -c--a-w c:\program files\SAM.BA_
2001-09-10 07:10 61,440 -c--a-w c:\windows\inf\i386\onetUSD.dll
2001-09-06 07:58 139,264 -c--a-w c:\windows\inf\i386\Rtscan.dll
2001-08-17 17:43 32,768 -c--a-w c:\windows\inf\i386\Wiamicro.dll
2001-06-29 07:10 163,840 -c--a-w c:\windows\inf\i386\viceo.dll
.

((((((((((((((((((((((((((((( snapshot@2008-11-12_20.49.48.93 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-06 19:53:17 239,173 ----a-w c:\windows\Preferences\PySol\Brian Owen\statistics.dat
+ 2008-11-14 13:21:56 239,666 ----a-w c:\windows\Preferences\PySol\Brian Owen\statistics.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE "= "c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA "= "c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 339968]
"RemoteControl "= "c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"AVG7_CC "= "c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-18 590848]
"SSBkgdUpdate "= "c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4 "= "c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"ORAHSSSessionManager "= "c:\program files\OrangeHSS\SessionManager\SessionManager.exe" [2007-06-12 94208]
"QuickTime Task "= "c:\program files\QuickTime Alternative\qttask.exe" [2007-10-19 286720]
"SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"InstantAccess "= "c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE" [2000-06-19 31744]
"RegisterDropHandler "= "c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [2000-06-19 22528]
"Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SoundMan "= "SOUNDMAN.EXE" [2004-06-18 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler "= "c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [2000-06-19 22528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE "= "c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]
"AVG7_Run "= "c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-25 219136]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
ZDWLan Utility.lnk - c:\program files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2008-07-06 487424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch "= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc "= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"VIDC.ACDV "= ACDV.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--a------ 2003-10-13 03:04 184320 c:\program files\Creative\Shared Files\CamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hotkey]
--a------ 2004-04-03 17:38 36864 c:\program files\Hotkey\Hotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
--------- 2003-12-22 21:15 86016 c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 18:19 15872 c:\program files\Unlocker\UnlockerAssistant.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"c:\\WINDOWS\\system32\\mmc.exe "=
"c:\\WINDOWS\\system32\\dpvsetup.exe "=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe "=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe "=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe "=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe "=
"c:\\Program Files\\Skype\\Phone\\Skype.exe "=
"c:\\Program Files\\Avant Browser\\avant.exe "=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
"c:\\Program Files\\MSI\\i-Speeder\\i-Speeder.exe "=
"c:\\Program Files\\Azureus\\Azureus.exe "=
"c:\\Program Files\\OrangeHSS\\Connectivity\\ConnectivityManager.exe "=
"c:\\Program Files\\Free Download Manager\\fdm.exe "=
"c:\\Program Files\\I&M\\MaxSea\\MaxSea.exe "=

R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [2007-08-25 90112]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2006-11-30 446976]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BRGSp50.sys [2005-06-08 20608]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-10-22 38496]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-06-29 42512]
S3 sentemul;sentemul;c:\windows\system32\drivers\sentemul.sys [2003-03-24 11812]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys [ ]
S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);c:\windows\system32\DRIVERS\zd1211Bu.sys [2006-08-24 477696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2008-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []

2008-11-14 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe []
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-14 14:55:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\Ati2evxx.dll
.
Completion time: 2008-11-14 15:04:15
ComboFix-quarantined-files.txt 2008-11-14 14:04:12
ComboFix2.txt 2008-11-14 13:41:49
ComboFix3.txt 2008-11-12 19:50:36

Pre-Run: 27,669,180,416 bytes free
Post-Run: 27,656,941,568 bytes free

214 --- E O F --- 2007-12-04 16:29:53

 

Glad to hear the problem appears to be sorted. Appreciate the namesake

Please post the contents of C:\Qoobox\ComboFix2.txt and C:\Qoobox\ComboFix-quarantined-files.txt

Then, lets get an online scan. Please do an online scan with Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.

• Click Run at the Security prompt.
• The program will then begin downloading and installing and will also update the database.
• Please be patient as this can take several minutes.
• Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
• Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
• Click View scan report at the bottom.
• Click the Save Report As... button.
• Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.

**Note**

To optimize scanning time and produce a more sensible report for review:

• Close any open programs.
• Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.


Post the Kaspersky log here.

 

Hi Dave,

I am at present running Kapersky scanner - looks like a long haul. In the meantime, I'm attaching the 2 scans from Qoobox.
I have noticed one other problem after I shut down the PC last night without "Hibernating ". On restart I have the option of "XP Recovery Console ", "XP Pro" or my "Ubuntu" partition but when I try to select either the Recovery or Linux, I cannot move the selector bar and XP Pro continues with the boot sequence!

ComboFix 08-11-11.01 - Brian Owen 2008-11-12 19:23:46.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.113 [GMT 1:00]
Running from: c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\privacy_danger
c:\windows\privacy_danger\images\body.gif
c:\windows\privacy_danger\images\capt.gif
c:\windows\privacy_danger\images\capt2.gif
c:\windows\privacy_danger\images\red.gif
c:\windows\privacy_danger\images\text.gif
c:\windows\privacy_danger\index.html
c:\windows\system32\dao350.dll
c:\windows\system32\lTBacccf.ini
c:\windows\system32\lTBacccf.ini2
c:\windows\system32\WHiSBJlm.ini
c:\windows\system32\WHiSBJlm.ini2
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2008-10-12 to 2008-11-12 )))))))))))))))))))))))))))))))
.

2008-11-07 19:22 . 2008-11-07 19:23 <DIR> d-------- C:\rsit
2008-11-07 19:22 . 2008-11-09 14:41 <DIR> d-------- c:\program files\trend micro
2008-11-07 13:53 . 2008-11-07 13:55 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2008-11-07 13:53 . 2008-10-22 16:10 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-07 13:53 . 2008-10-22 16:10 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2008-11-07 13:31 . 2008-11-07 13:31 <DIR> d-------- c:\program files\Exterminate It!
2008-11-07 12:04 . 2008-11-07 06:47 393,216 --a------ c:\windows\xdsfqroepox.dll
2008-11-07 12:04 . 2008-11-07 06:47 282,624 --a------ c:\windows\mqxvbdwk.dll
2008-11-07 11:56 . 2008-11-07 12:04 37 --a------ c:\windows\iltwain.ini
2008-11-07 11:55 . 2008-11-07 11:55 <DIR> d-------- c:\program files\Fugawi
2008-11-07 11:55 . 2008-11-07 11:55 <DIR> d-------- c:\program files\Earth Resource Mapping
2008-11-07 11:55 . 2008-11-07 11:56 <DIR> d-------- c:\program files\Common Files\Fugawi
2008-11-07 11:55 . 2008-11-07 11:55 <DIR> d-------- c:\documents and settings\All Users.WINDOWS\Application Data\Fugawi
2008-11-07 11:53 . 2008-11-07 11:54 <DIR> d-------- C:\bucket
2008-11-04 11:04 . 2008-11-04 11:04 <DIR> d-------- c:\program files\Common Files\Transas Shared
2008-11-04 10:35 . 2008-11-04 10:35 806 --a------ c:\windows\sfxthumb.ini
2008-11-04 10:34 . 2008-11-04 10:38 <DIR> d-------- c:\program files\Ssfxpro
2008-11-04 10:34 . 1998-03-30 08:54 398,336 --a------ c:\windows\system32\Ltocx90n.ocx
2008-11-04 10:34 . 1996-06-13 07:19 274,432 --a------ c:\windows\system32\Btn32x10.OCX
2008-11-04 10:34 . 1997-07-29 02:54 273,920 --a------ c:\windows\system32\Rivet100.OCX
2008-11-04 10:34 . 1995-07-11 01:50 26,624 --a------ c:\windows\system32\AWRESX32.DLL
2008-11-04 10:34 . 1995-07-11 01:50 24,576 --a------ c:\windows\system32\AWCODC32.DLL
2008-11-04 10:34 . 1995-10-05 16:02 24,064 --a------ c:\windows\system\regsvr32.exe
2008-11-04 10:34 . 1995-11-16 10:39 11,776 --a------ c:\windows\system32\AWDENC32.DLL
2008-11-04 10:34 . 1995-10-09 08:58 10,240 --a------ c:\windows\system32\AWVIEW32.DLL
2008-11-04 10:34 . 1995-07-11 01:50 6,144 --a------ c:\windows\system32\AWDCXC32.DLL
2008-11-04 10:34 . 2008-11-04 10:35 302 --a------ c:\windows\sfxalbum.ini
2008-11-04 10:27 . 2008-11-04 10:27 <DIR> d-------- c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Cyberlink
2008-11-03 10:26 . 2008-11-03 10:26 <DIR> d-------- C:\tcwf
2008-11-03 10:26 . 2008-11-03 10:26 <DIR> d-------- c:\program files\Transas
2008-11-03 10:19 . 2008-11-03 10:24 <DIR> d-------- C:\Tsunamis
2008-10-31 09:22 . 2008-10-31 09:22 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-10-30 12:14 . 2008-10-30 17:21 <DIR> d-------- C:\blk
2008-10-30 12:13 . 2008-10-30 12:13 <DIR> d-------- C:\New Folder (3)
2008-10-21 18:16 . 2008-10-21 18:25 <DIR> d-------- c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\.JTides
2008-10-21 18:15 . 2008-10-21 18:15 <DIR> d-------- c:\program files\JTides
2008-10-21 15:46 . 2008-10-21 15:46 <DIR> d-------- c:\program files\Microsoft Silverlight
2008-10-17 20:20 . 2008-10-17 20:20 <DIR> d--hs---- c:\program files\NetworkService.NT AUTHORITY.003
2008-10-16 11:50 . 2000-08-28 22:00 516,173 --a------ c:\windows\system32\Msvcp60d.dll
2008-10-16 11:50 . 2000-03-06 23:00 434,252 --a------ c:\windows\system32\Msvcrtd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2008-11-07 12:56 --------- d-----w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\AVG7
2008-11-02 14:46 --------- d-----w c:\program files\FreeCard
2008-11-02 14:36 --------- d-----w c:\program files\SMS Sender
2008-10-31 08:21 --------- d-----w c:\program files\Common Files\Adobe
2008-10-25 13:12 --------- d-----w c:\program files\Ahead
2008-10-18 08:57 --------- d-----w c:\program files\AceBIT
2008-10-17 18:55 --------- d-----w c:\program files\Audacity
2008-10-16 09:26 --------- d-----w c:\program files\SimpleOCR
2008-10-13 15:11 --------- d-----w c:\program files\Spybot - Search & Destroy
2008-10-02 05:34 --------- d-----w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\gtk-2.0
2008-09-29 10:43 --------- d-----w c:\program files\c-mapecs
2008-09-23 07:01 --------- d-----w c:\program files\FolderSize
2008-09-22 16:10 --------- d--h--w c:\program files\InstallShield Installation Information
2008-09-22 16:10 --------- d-----w c:\program files\C-Map
2008-09-22 16:03 --------- d-----w c:\program files\I&M
2008-09-22 15:08 --------- d-----w c:\program files\SentEmul
2008-09-22 11:47 --------- d-----w c:\program files\TextBridge Pro 9.0
2008-09-22 11:47 --------- d-----w c:\program files\Common Files\ScanSoft Shared
2008-09-21 13:58 --------- d-----w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Free Download Manager
2008-09-21 07:37 --------- d-----w c:\program files\Real
2008-09-21 07:37 --------- d-----w c:\program files\Common Files\Real
2008-09-19 06:31 --------- d-----w c:\program files\Belarc
2008-09-19 06:30 --------- d-----w c:\program files\TomTom HOME 2
2008-09-19 06:30 --------- d-----w c:\program files\MSECACHE
2008-09-19 06:28 --------- d-----w c:\program files\OrangeHSS
2008-09-19 06:22 --------- d-----w c:\program files\Securitoo
2008-09-19 06:22 --------- d-----w c:\program files\Common Files\France Telecom
2008-09-19 06:22 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\MailFrontier
2008-09-19 06:22 --------- d-----w c:\documents and settings\All Users.WINDOWS\Application Data\FreeDownloadManager.ORG
2008-09-18 08:11 --------- d-----w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Media Player Classic
2008-09-16 16:47 --------- d-----w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\TomTom
2008-09-05 07:05 59,949 ---ha-w C:\jpeggeri.dat
2008-08-04 11:12 353,840 ----a-w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\RealPlayer11GOLD.exe
2008-08-04 07:29 3,288,104 ----a-w c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Diino_4.2_Setup.exe
2008-07-26 17:04 15,736 ----a-w c:\program files\JkDefrag.log
2007-10-31 12:16 872 -c--a-w c:\program files\CloneSpy.ini
2007-10-31 12:15 5,435 -c--a-w c:\program files\CloneSpy.log
2004-12-11 07:23 3,918 -c--a-w c:\program files\Readme.txt
2004-12-11 07:20 49,173 -c--a-w c:\program files\winsetup.exe
2004-12-11 07:20 220 -c--a-w c:\program files\acsetup.cfg
2004-12-11 07:07 184,701 -c--a-w c:\program files\speech.vox
2004-12-11 07:07 1,943,049 -c--a-w c:\program files\music.vox
2004-08-07 14:14 187,904 -c--a-w c:\program files\HijackThis.exe
2004-06-06 06:19 238,481 -c--a-w c:\program files\CloneSpy.chm
2004-06-06 06:05 966,656 -c--a-w c:\program files\CloneSpy.exe
2004-03-11 11:27 40,960 -c--a-w c:\program files\Uninstall_CDS.exe
2003-10-13 15:02 262 -c--a-w c:\program files\file_id.diz
2003-09-08 00:49 507 -c--a-w c:\program files\DWG.BA_
2003-09-08 00:49 38 -c--a-w c:\program files\TFC.BAT
2003-09-08 00:49 23,428 -c--a-w c:\program files\ARCHIVER.BB2
2003-09-08 00:49 123 -c--a-w c:\program files\SAM.BA_
2001-09-10 07:10 61,440 -c--a-w c:\windows\inf\i386\onetUSD.dll
2001-09-06 07:58 139,264 -c--a-w c:\windows\inf\i386\Rtscan.dll
2001-08-17 17:43 32,768 -c--a-w c:\windows\inf\i386\Wiamicro.dll
2001-06-29 07:10 163,840 -c--a-w c:\windows\inf\i386\viceo.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D393614C-357A-4E4F-8D67-3761F35452B1}]
2008-11-07 06:47 393216 --a------ c:\windows\xdsfqroepox.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE "= "c:\windows\system32\ctfmon.exe" [2004-08-03 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA "= "c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 339968]
"RemoteControl "= "c:\program files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"AVG7_CC "= "c:\progra~1\Grisoft\AVG7\avgcc.exe" [2008-10-18 590848]
"SSBkgdUpdate "= "c:\program files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-09-28 185896]
"OpwareSE4 "= "c:\program files\ScanSoft\OmniPageSE4.0\OpwareSE4.exe" [2006-10-11 75304]
"ORAHSSSessionManager "= "c:\program files\OrangeHSS\SessionManager\SessionManager.exe" [2007-06-12 94208]
"QuickTime Task "= "c:\program files\QuickTime Alternative\qttask.exe" [2007-10-19 286720]
"SunJavaUpdateSched "= "c:\program files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"InstantAccess "= "c:\progra~1\TEXTBR~1.0\Bin\INSTAN~1.EXE" [2000-06-19 31744]
"RegisterDropHandler "= "c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [2000-06-19 22528]
"Adobe Reader Speed Launcher "= "c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SoundMan "= "SOUNDMAN.EXE" [2004-06-18 c:\windows\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"RegisterDropHandler "= "c:\progra~1\TEXTBR~1.0\Bin\REGIST~1.EXE" [2000-06-19 22528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE "= "c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]
"AVG7_Run "= "c:\progra~1\Grisoft\AVG7\avgw.exe" [2007-10-25 219136]

c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Start Menu\Programs\Startup\
aFotoReg.lnk - c:\program files\Ssfxpro\afotoreg.exe [2008-11-04 164864]
reminder-ScanSoft Product Registration.lnk - c:\program files\TextBridge Pro 9.0\Bin\Ereg\Remind32.exe [2008-09-22 45056]

c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\
ZDWLan Utility.lnk - c:\program files\ZyDAS Technology Corporation\ZyDAS_802.11g_Utility\ZDWlan.exe [2008-07-06 487424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch "= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= file:///c:\windows\privacy_danger\index.htm
FriendlyName= Privacy Protection

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"mqxvbdwk "= {D09B8B8C-00F0-4BB0-A60D-CE5879262D71} - c:\windows\mqxvbdwk.dll [2008-11-07 282624]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc "= c:\progra~1\CYBERL~1\Power2Go\CLMP3Enc.ACM
"VIDC.ACDV "= ACDV.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users.WINDOWS^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=c:\documents and settings\All Users.WINDOWS\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
--a------ 2003-10-13 03:04 184320 c:\program files\Creative\Shared Files\CamTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hotkey]
--a------ 2004-04-03 17:38 36864 c:\program files\Hotkey\Hotkey.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerBar]
--------- 2003-12-22 21:15 86016 c:\program files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UnlockerAssistant]
--a------ 2006-09-07 18:19 15872 c:\program files\Unlocker\UnlockerAssistant.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"c:\\WINDOWS\\system32\\mmc.exe "=
"c:\\WINDOWS\\system32\\dpvsetup.exe "=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe "=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe "=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe "=
"c:\\Program Files\\Grisoft\\AVG7\\avgemc.exe "=
"c:\\Program Files\\Skype\\Phone\\Skype.exe "=
"c:\\Program Files\\Avant Browser\\avant.exe "=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe "=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe "=
"c:\\Program Files\\MSI\\i-Speeder\\i-Speeder.exe "=
"c:\\Program Files\\Azureus\\Azureus.exe "=
"c:\\Program Files\\OrangeHSS\\Connectivity\\ConnectivityManager.exe "=
"c:\\Program Files\\Free Download Manager\\fdm.exe "=
"c:\\Program Files\\I&M\\MaxSea\\MaxSea.exe "=

R3 SbieDrv;SbieDrv;c:\program files\Sandboxie\SbieDrv.sys [2007-08-25 90112]
S3 athrusb;Atheros Wireless LAN USB device driver;c:\windows\system32\DRIVERS\athrusb.sys [2006-11-30 446976]
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;c:\windows\system32\Drivers\BRGSp50.sys [2005-06-08 20608]
S3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2008-10-22 38496]
S3 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2007-06-29 42512]
S3 sentemul;sentemul;c:\windows\system32\drivers\sentemul.sys [2003-03-24 11812]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys [ ]
S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);c:\windows\system32\DRIVERS\zd1211Bu.sys [2006-08-24 477696]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder

2008-07-30 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []

2008-11-09 c:\windows\Tasks\GoogleUpdateTaskUser.job
- c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Local Settings\Application Data\Google\Update\GoogleUpdate.exe []
.
- - - - ORPHANS REMOVED - - - -

BHO-{2518E164-5B09-401F-8C78-A175A4890882} - c:\windows\system32\tuvUKDVo.dll
BHO-{3B266001-5B78-484E-AC16-41C1FE3FB152} - c:\windows\system32\fcccaBTl.dll
BHO-{8A55C5F4-3052-4799-A178-C43624326D2C} - c:\windows\system32\mlJBSiHW.dll
Toolbar-{3A74A614-1657-4533-B1FE-DCFBA2895828} - c:\windows\mstoanrd.dll
HKCU-Run-Power2GoExpress - (no file)
HKCU-Run-Cute Password Manager - (no file)
HKLM-Run-PC Alarm Clock - c:\progra~1\PC Alarm Clock\pac.exe
ShellExecuteHooks-{2518E164-5B09-401F-8C78-A175A4890882} - c:\windows\system32\tuvUKDVo.dll
Notify-tuvUKDVo - tuvUKDVo.dll
Notify-WgaLogon - (no file)
MSConfigStartUp-InCD - c:\program files\Ahead\InCD\InCD.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - c:\documents and settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Mozilla\Firefox\Profiles\ytyrl0nq.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - www.google.co.uk
FF -: plugin - c:\program files\Microsoft Silverlight\2.0.31005.0\npctrl.dll
FF -: plugin - c:\program files\Opera\program\plugins\nppdf32.dll
FF -: plugin - c:\program files\Opera\program\plugins\nppl3260.dll
FF -: plugin - c:\program files\Opera\program\plugins\nprjplug.dll
FF -: plugin - c:\program files\Opera\program\plugins\nprpjplug.dll
FF -: plugin - c:\program files\Yahoo!\Shared\npYState.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-12 19:38:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: c:\windows\system32\winlogon.exe
-> c:\windows\system32\Ati2evxx.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\progra~1\Grisoft\AVG7\avgamsvr.exe
c:\progra~1\Grisoft\AVG7\avgupsvc.exe
c:\progra~1\Grisoft\AVG7\avgemc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\windows\system32\Crypserv.exe
c:\program files\FolderSize\FolderSizeSvc.exe
c:\progra~1\COMMON~1\France Telecom\Shared Modules\FTRTSVC\0\FTRTSVC.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Sandboxie\SbieSvc.exe
c:\windows\system32\wdfmgr.exe
c:\windows\system32\wscntfy.exe
c:\program files\OrangeHSS\Launcher\Launcher.exe
c:\progra~1\COMMON~1\France Telecom\Shared Modules\AlertModule\0\AlertModule.exe
c:\program files\OrangeHSS\Systray\SystrayApp.exe
c:\program files\OrangeHSS\Deskboard\Deskboard.exe
c:\program files\OrangeHSS\Connectivity\ConnectivityManager.exe
c:\program files\OrangeHSS\Connectivity\corecom\CoreCom.exe
c:\program files\OrangeHSS\Connectivity\corecom\OraConfigRecover.exe
c:\progra~1\COMMON~1\France Telecom\Shared Modules\FTCOMModule\0\FTCOMModule.exe
.
**************************************************************************
.
Completion time: 2008-11-12 20:50:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-12 19:50:26

Pre-Run: 27,755,745,280 bytes free
Post-Run: 27,904,565,248 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
multi(0)disk(0)rdisk(1)partition(1)\WINDOWS= "Microsoft Windows XP Professional" /fastdetect
c:\wubildr.mbr= "Ubuntu "

293 --- E O F --- 2007-12-04 16:29:53


2008-08-15 21:29:39 A------- 793 C:\Qoobox\Quarantine\C\WINDOWS\IE4 Error Log.txt.vir
2008-09-22 12:47:25 A------- 582,144 C:\Qoobox\Quarantine\C\WINDOWS\system32\dao350.dll.vir
2008-09-30 22:14:34 A------- 1,112 C:\Qoobox\Quarantine\C\WINDOWS\privacy_danger\images\red.gif.vir
2008-09-30 22:24:00 A------- 19,890 C:\Qoobox\Quarantine\C\WINDOWS\privacy_danger\images\capt.gif.vir
2008-09-30 22:25:36 A------- 6,580 C:\Qoobox\Quarantine\C\WINDOWS\privacy_danger\images\capt2.gif.vir
2008-09-30 22:29:20 A------- 13,309 C:\Qoobox\Quarantine\C\WINDOWS\privacy_danger\images\body.gif.vir
2008-09-30 22:31:20 A------- 5,991 C:\Qoobox\Quarantine\C\WINDOWS\privacy_danger\images\text.gif.vir
2008-11-05 19:24:02 A------- 1,575 C:\Qoobox\Quarantine\C\WINDOWS\privacy_danger\index.html.vir
2008-11-07 12:04:35 A------- 282,624 C:\Qoobox\Quarantine\C\WINDOWS\mqxvbdwk.dll.vir
2008-11-07 12:04:35 A------- 393,216 C:\Qoobox\Quarantine\C\WINDOWS\xdsfqroepox.dll.vir
2008-11-07 12:13:31 A------- 510,260 C:\Qoobox\Quarantine\C\WINDOWS\system32\WHiSBJlm.ini.vir
2008-11-07 12:13:31 A------- 513,332 C:\Qoobox\Quarantine\C\WINDOWS\system32\WHiSBJlm.ini2.vir
2008-11-09 14:42:16 A------- 488,646 C:\Qoobox\Quarantine\C\WINDOWS\system32\lTBacccf.ini.vir
2008-11-09 14:42:16 A------- 495,402 C:\Qoobox\Quarantine\C\WINDOWS\system32\lTBacccf.ini2.vir
2008-11-12 19:07:38 A------- 162 C:\Qoobox\Quarantine\catchme.log
2008-11-12 19:30:23 A------- 13,124 C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2008-11-12 20:49:49 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-CFSServ.exe.reg.dat
2008-11-12 20:49:49 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-NDSTray.exe.reg.dat
2008-11-12 20:49:49 A------- 2 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-TFncKy.reg.dat
2008-11-12 20:49:52 A------- 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{2518E164-5B09-401F-8C78-A175A4890882}.reg.dat
2008-11-12 20:49:53 A------- 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{3B266001-5B78-484E-AC16-41C1FE3FB152}.reg.dat
2008-11-12 20:49:53 A------- 374 C:\Qoobox\Quarantine\Registry_backups\BHO-{8A55C5F4-3052-4799-A178-C43624326D2C}.reg.dat
2008-11-12 20:49:54 A------- 1,301 C:\Qoobox\Quarantine\Registry_backups\Toolbar-{3A74A614-1657-4533-B1FE-DCFBA2895828}.reg.dat
2008-11-12 20:49:56 A------- 101 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Power2GoExpress.reg.dat
2008-11-12 20:49:56 A------- 107 C:\Qoobox\Quarantine\Registry_backups\HKCU-Run-Cute Password Manager.reg.dat
2008-11-12 20:49:58 A------- 138 C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-PC Alarm Clock.reg.dat
2008-11-12 20:50:06 A------- 363 C:\Qoobox\Quarantine\Registry_backups\ShellExecuteHooks-{2518E164-5B09-401F-8C78-A175A4890882}.reg.dat
2008-11-12 20:50:08 A------- 332 C:\Qoobox\Quarantine\Registry_backups\Notify-WgaLogon.reg.dat
2008-11-12 20:50:08 A------- 498 C:\Qoobox\Quarantine\Registry_backups\Notify-tuvUKDVo.reg.dat
2008-11-12 20:50:09 A------- 566 C:\Qoobox\Quarantine\Registry_backups\MSConfigStartUp-InCD.reg.dat


regards

Brian Owen
www.leschenauds.com

 

Hi Dave,

Attached is the Kapersky scan, do I need to do anything else?

Brian Owen.




--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Saturday, November 15, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Friday, November 14, 2008 20:14:58
Records in database: 1385149
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 281970
Threat name: 9
Infected objects: 52
Suspicious objects: 0
Duration of the scan: 05:38:45


File name / Threat name / Threats count
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\drive\C\WINDOWS\evdm.exe Infected: Trojan.Win32.Vapsup.nma 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\drive\C\WINDOWS\mqxvbdwk.dll Infected: Trojan.Win32.Vapsup.nmb 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\drive\C\WINDOWS\system32\ifsndu.dll Infected: Trojan.Win32.BHO.hwv 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\drive\C\WINDOWS\xdsfqroepox.dll Infected: Trojan.Win32.Vapsup.nmi 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\ac8zt2\evdm.exe Infected: Trojan.Win32.Vapsup.nma 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\ac8zt2\mqxvbdwk.dll Infected: Trojan.Win32.Vapsup.nmb 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\ac8zt2\xdsfqroepox.dll Infected: Trojan.Win32.Vapsup.nmi 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\s1402.php Infected: Trojan.Win32.Vapsup.nmi 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\s1402.php Infected: Trojan.Win32.Vapsup.nmc 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\s1402.php Infected: Trojan.Win32.Vapsup.nmb 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\s1402.php Infected: Trojan.Win32.Vapsup.nmg 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\s1402.php Infected: Trojan.Win32.Vapsup.nme 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temp\s1402.php Infected: Trojan.Win32.Vapsup.nma 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temporary Internet Files\Content.IE5\6L9ENATK\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nmi 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temporary Internet Files\Content.IE5\6L9ENATK\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nmc 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temporary Internet Files\Content.IE5\6L9ENATK\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nmb 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temporary Internet Files\Content.IE5\6L9ENATK\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nmg 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temporary Internet Files\Content.IE5\6L9ENATK\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nme 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temporary Internet Files\Content.IE5\6L9ENATK\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nma 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temporary Internet Files\Content.IE5\FGHR1BLM\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nmi 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temporary Internet Files\Content.IE5\FGHR1BLM\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nmc 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temporary Internet Files\Content.IE5\FGHR1BLM\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nmb 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temporary Internet Files\Content.IE5\FGHR1BLM\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nmg 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temporary Internet Files\Content.IE5\FGHR1BLM\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nme 1
C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox\DefaultBox\user\current\Local Settings\Temporary Internet Files\Content.IE5\FGHR1BLM\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nma 1
C:\Qoobox\Quarantine\C\WINDOWS\mqxvbdwk.dll.vir Infected: Trojan.Win32.Vapsup.nmb 1
C:\Qoobox\Quarantine\C\WINDOWS\xdsfqroepox.dll.vir Infected: Trojan.Win32.Vapsup.nmi 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc12\WINDOWS\evdm.exe Infected: Trojan.Win32.Vapsup.nma 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc12\WINDOWS\mqxvbdwk.dll Infected: Trojan.Win32.Vapsup.nmb 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc12\WINDOWS\system32\ifsndu.dll Infected: Trojan.Win32.BHO.hwv 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc12\WINDOWS\xdsfqroepox.dll Infected: Trojan.Win32.Vapsup.nmi 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temp\ac8zt2\evdm.exe Infected: Trojan.Win32.Vapsup.nma 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temp\ac8zt2\mqxvbdwk.dll Infected: Trojan.Win32.Vapsup.nmb 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temp\ac8zt2\xdsfqroepox.dll Infected: Trojan.Win32.Vapsup.nmi 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temp\s1402.php Infected: Trojan.Win32.Vapsup.nmi 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temp\s1402.php Infected: Trojan.Win32.Vapsup.nmc 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temp\s1402.php Infected: Trojan.Win32.Vapsup.nmb 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temp\s1402.php Infected: Trojan.Win32.Vapsup.nmg 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temp\s1402.php Infected: Trojan.Win32.Vapsup.nme 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temp\s1402.php Infected: Trojan.Win32.Vapsup.nma 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temporary Internet Files\Content.IE5\6L9ENATK\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nmi 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temporary Internet Files\Content.IE5\6L9ENATK\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nmc 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temporary Internet Files\Content.IE5\6L9ENATK\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nmb 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temporary Internet Files\Content.IE5\6L9ENATK\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nmg 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temporary Internet Files\Content.IE5\6L9ENATK\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nme 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temporary Internet Files\Content.IE5\6L9ENATK\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nma 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temporary Internet Files\Content.IE5\FGHR1BLM\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nmi 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temporary Internet Files\Content.IE5\FGHR1BLM\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nmc 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temporary Internet Files\Content.IE5\FGHR1BLM\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nmb 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temporary Internet Files\Content.IE5\FGHR1BLM\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nmg 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temporary Internet Files\Content.IE5\FGHR1BLM\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nme 1
C:\RECYCLER\S-1-5-21-1614895754-839522115-725345543-1003\Dc9\Local Settings\Temporary Internet Files\Content.IE5\FGHR1BLM\WebSoftCodecDrivern[1].exe Infected: Trojan.Win32.Vapsup.nma 1

The selected area was scanned.

 

Are you running a sandbox environment?

Download ATF Cleaner by Atribune and save it to your Desktop.

• Double click ATF-Cleaner.exe to run the program.
• Check the boxes to the left of:
  
  
  • Windows Temp
  • Current User Temp
  • All Users Temp
  • Temporary Internet Files
  • Prefetch
  • Java Cache
  • Recycle bin
  
  
• The rest are optional - if you want it to remove everything check "Select All ".
• Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK then exit.

Reboot

 

I have deleted Sandiebox already, seemed like a waste of time.
Downloaded ATF Cleaner but my system won't let me run it, I get the message "Failed to start because MSVBVM60.dll was not found "-
I seem to remember that I came across this before when I tried to run an app.

 

Delete the following folder.

C:\Documents and Settings\Brian Owen.BRIAN-5KBUIEUHT\Application Data\Sandbox

Just empty the recycle bin manually then. Run another Kaspersky scan to be sure everything is cleared.

 

I had removed Sandboxie thru Control Panel but I have now found a number of .dll and.ini files which were very sticky, eventually MoveOnBoot seems to have dealt with them. I can now move up and down the boot menu. I now get a box on screen on startup saying Connectivity Manager has a problem with a choice to either debug or cancel - cancelling doesn't seem to cause any problem.
ATF still refuses to run cos of the "Missing MSVBM60.dll" file (Visual Basic?).
I will run Kaspersky again later today and send you the result.

Thanks
Brian Owen