
Solved Infostealer.Banker.C and svchost.exe accessing the Internet

Discussion in 'Malware and Virus Removal Archive' started by SarahB, 2009/08/10.

  1. 2009/08/10, SarahB (Well-Known Member, Thread Starter)

    In a moment of lapsed concentration, with my brain switched off, I downloaded and ran postcard[1].exe and subsequently jr6-6u13-windows-i586-p-iftw.exe on 26th July.

    Immediately I noticed instances of C:\Windows\system32\svchost.exe and C:\Windows\system32\spoolsv.exe accessing the Internet from my system, which hadn't been happening before. I have Norton Internet Security 2009 installed, which was allowing these. It didn't happen before 26th July, then it has continued to happen daily whenever I connect to the Internet.

    I realised I had made a big error straight away and ran Norton, which found what it labelled Infostealer.Banker.C and removed it within about an hour. However, strangely enough, Norton found and removed it again the following day, but nothing since.

    Some of the Windows/System32 files were modified on the 26th or 27th July, including rundll32.exe, svchost.exe and alg.exe.

    svchost.exe is currently running 7 instances, and I was just worried one could be something else masquerading as a Windows file.

    I finally got Malwarebytes to scan. It found 2 infected registry data items on 8th Aug and 2 infected registry keys on 9th Aug (not found the day before!).

    I also ran Microsoft's OneCare Safety Scanner yesterday, 9th Aug; it found 3 items it removed and a further 15 items it cleaned (although it does not give any information on what these were). It found nothing more on a subsequent scan.

    Norton continues to scan twice a day and tells me all is well!

    However, several Windows/System32 files are continuing to try to access the Internet, including alg.exe, svchost.exe, spoolsv.exe, msfeedssync.exe, rundll32.exe and lsass.exe, which Norton is allowing. I don't know if these are now innocent or not.

    There's also Application Layer Gateway Service accessing the internet, also allowed by Norton.

    However, Norton does continue to block instances of attempted Windows file sharing through the process svchost.exe.

    Is my PC still infected or is it clean?

    Your thoughts appreciated please!

    Requested logs below.


    DDS (Ver_09-07-30.01) - NTFSx86
    Run by Sarah at 15:21:32.15 on 10/08/2009
    Internet Explorer: 8.0.6001.18702
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2023.1339 [GMT 1:00]


    ============== Running Processes ===============

    C:\WINDOWS\system32\svchost -k DcomLaunch
    svchost.exe
    C:\WINDOWS\System32\svchost.exe -k netsvcs
    svchost.exe
    svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    svchost.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\system32\svchost.exe -k imgsvc
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    C:\WINDOWS\system32\nvraidservice.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
    C:\Program Files\ASUS\PC Probe II\Probe2.exe
    C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\Program Files\Outlook Express\msimn.exe
    C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\MCUI32.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\Documents and Settings\Sarah\Desktop\dds.scr

    ============== Pseudo HJT Report ===============

    uStart Page = hxxp://www.metoffice.gov.uk/weather/uk/wm/cannock_forecast_weather.html
    uSearch Page = hxxp://www.google.com
    uSearch Bar = hxxp://www.google.com/ie
    mWinlogon: Userinit=c:\windows\system32\userinit.exe
    BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\adobe\acrobat 7.0\activex\AcroIEHelper.dll
    BHO: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
    BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\coIEPlg.dll
    BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\IPSBHO.DLL
    BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
    BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar.dll
    BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.15642\swg.dll
    BHO: Google Dictionary Compression sdch: {c84d72fe-e17d-4195-bb24-76c02e2e7c4e} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\coIEPlg.dll
    TB: ALOT Toolbar: {5aa2ba46-9913-4dc7-9620-69ab0fa17ae7} - c:\program files\alot\bin\alot.dll
    TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
    uRun: [CTFMON.EXE] c:\windows\system32\ctfmon.exe
    uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
    uRun: [NBJ] "c:\program files\ahead\nero backitup\NBJ.exe "
    uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
    uRun: [kdx] c:\program files\kontiki\KHost.exe -all
    uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    mRun: [NVRaidService] c:\windows\system32\nvraidservice.exe
    mRun: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
    mRun: [SpeedTouch USB Diagnostics] "c:\program files\thomson\speedtouch usb\Dragdiag.exe" /icon
    mRun: [IntelliPoint] "c:\program files\microsoft intellipoint\ipoint.exe "
    mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
    mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
    mRun: [Persistence] c:\windows\system32\igfxpers.exe
    mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
    mRun: [SoundMAX] "c:\program files\analog devices\soundmax\Smax4.exe" /tray
    mRun: [JMB36X Configure] c:\windows\system32\JMRaidTool.exe boot
    mRun: [Launch PC Probe II] "c:\program files\asus\pc probe ii\Probe2.exe" 1
    mRun: [Adobe Photo Downloader] "c:\program files\adobe\adobe photoshop lightroom\apdproxy.exe "
    mRun: [Symantec PIF AlertEng] "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\pifsvc.exe" /a /m "c:\program files\common files\symantec shared\pif\{b8e1dd85-8582-4c61-b58f-2f227fca9a08}\AlertEng.dll "
    dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
    dRunOnce: [RunNarrator] Narrator.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\logoca~1.lnk - c:\program files\gretagmacbeth\i1\eye-one match 3\calibrationloader\CalibrationLoader.exe
    StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\profil~1.lnk - c:\program files\gretagmacbeth\i1\eye-one match 3\ProfileReminder.exe
    IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office11\EXCEL.EXE/3000
    IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
    IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
    IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~3\office11\REFIEBAR.DLL
    DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/5/B/E/5BE645ED-2F2D-4E4D-9C54-AFB56EFCB312/LegitCheckControl.cab
    DPF: {46431044-1B22-4EF3-B333-863AAF310153} - hxxp://download.five.tv/Download/five_3_4_0_8.cab
    DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
    DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} - hxxps://webdl.symantec.com/activex/symdlmgr.cab
    DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169683246062
    DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} - hxxp://www.photodex.com/pxplay.cab
    DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - hxxp://download.five.tv/Download/Entriq_3_4_0_10_Silent.cab
    DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    DPF: {DE22A7AB-A739-4C58-AD52-21F9CD6306B7} - hxxp://download.microsoft.com/download/7/E/6/7E6A8567-DFE4-4624-87C3-163549BE2704/clearadj.cab
    TCP: {AD6E9B8B-F0CB-49DA-92C0-F94916EEDB0D} = 194.168.4.100 194.168.8.100
    Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\google\google toolbar\component\fastsearch_A8904FB862BD9564.dll
    Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\norton internet security\norton internet security\engine\16.5.0.135\CoIEPlg.dll
    Notify: igfxcui - igfxdev.dll
    SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
    SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

    ================= FIREFOX ===================

    FF - ProfilePath - c:\docume~1\sarah\applic~1\mozilla\firefox\profiles\9rzdtr1d.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.metoffice.gov.uk/weather/uk/wm/cannock_forecast_weather.html
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\coffplgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
    FF - plugin: c:\documents and settings\sarah\application data\mozilla\plugins\npPxPlay.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
    FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}

    ============= SERVICES / DRIVERS ===============

    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nis\1005000.087\SymEFA.sys [2009-4-3 310320]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nis\1005000.087\BHDrvx86.sys [2009-4-3 258608]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nis\1005000.087\cchpx86.sys [2009-4-3 482352]
    R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090730.003\IDSXpx86.sys [2009-7-30 276344]
    R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-7-27 58728]
    R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-7-27 301928]
    R2 Norton Internet Security;Norton Internet Security;c:\program files\norton internet security\norton internet security\engine\16.5.0.135\ccSvcHst.exe [2009-4-3 115560]
    R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [2007-2-19 14416]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\trusteer\rapport\bin\RapportMgmtService.exe [2009-7-27 918760]
    R2 Symantec Core LC;Symantec Core LC;c:\program files\common files\symantec shared\ccpd-lc\symlcsvc.exe [2007-1-20 1251720]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-4-2 101936]
    R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090809.020\NAVENG.SYS [2009-8-10 87888]
    R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090809.020\NAVEX15.SYS [2009-8-10 875728]
    S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [2007-2-19 44344]
    S3 Spyder;ColorVision Spyder2;c:\windows\system32\drivers\SpyderUSB.sys [2006-8-7 12288]
    S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [2007-3-18 40060]

    =============== Created Last 30 ================

    2009-08-09 08:23 101,376 -c------ c:\windows\system32\dllcache\iecompat.dll
    2009-08-07 13:49 <DIR> --d----- c:\docume~1\sarah\applic~1\Malwarebytes
    2009-08-07 13:49 38,160 a------- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-07 13:49 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
    2009-08-07 13:49 19,096 a------- c:\windows\system32\drivers\mbam.sys
    2009-08-07 13:49 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
    2009-08-05 11:39 1,089,593 -c------ c:\windows\system32\dllcache\ntprint.cat
    2009-08-04 15:15 <DIR> --d----- c:\windows\system32\XPSViewer
    2009-08-04 15:15 89,088 -c------ c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-08-04 15:15 117,760 -------- c:\windows\system32\prntvpt.dll
    2009-08-04 15:15 1,676,288 -c------ c:\windows\system32\dllcache\xpssvcs.dll
    2009-08-04 15:15 597,504 -c------ c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-08-04 15:15 575,488 -c------ c:\windows\system32\dllcache\xpsshhdr.dll
    2009-08-04 15:15 1,676,288 -------- c:\windows\system32\xpssvcs.dll
    2009-08-04 15:15 575,488 -------- c:\windows\system32\xpsshhdr.dll
    2009-08-04 15:15 <DIR> --d----- C:\331e7efb5b4b424faae4241b
    2009-08-04 14:46 <DIR> --d----- c:\docume~1\sarah\applic~1\Uniblue
    2009-07-27 15:20 <DIR> --d----- c:\program files\Norton Support
    2009-07-27 13:35 <DIR> --d----- c:\docume~1\sarah\applic~1\Trusteer
    2009-07-27 13:35 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Trusteer
    2009-07-27 13:35 <DIR> --d----- c:\program files\Trusteer
    2009-07-27 00:35 <DIR> --d----- c:\docume~1\sarah\applic~1\Windows Search

    ==================== Find3M ====================

    2009-08-05 12:33 33,280 a------- c:\windows\system32\rundll32.exe
    2009-08-04 14:50 14,336 a------- c:\windows\system32\svchost.exe
    2009-08-04 14:39 57,856 a------- c:\windows\system32\spoolsv.exe
    2009-07-27 09:14 1,033,728 a------- c:\windows\explorer.exe
    2009-07-03 18:09 915,456 a------- c:\windows\system32\wininet.dll
    2009-06-16 15:36 119,808 a------- c:\windows\system32\t2embed.dll
    2009-06-16 15:36 81,920 a------- c:\windows\system32\fontsub.dll
    2009-06-03 20:09 1,291,264 a------- c:\windows\system32\quartz.dll
    2009-05-25 00:24 350,208 a------- c:\windows\system32\mssph.dll
    2007-02-19 15:44 109 ac------ c:\program files\INSTALL.LOG
    2006-06-23 07:48 32,768 ac---r-- c:\windows\inf\UpdateUSB.exe
    2001-11-23 05:08 712,704 ac---r-- c:\windows\inf\other\AUDIO3D.DLL
    2008-08-20 22:15 32,768 a--sh--- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008082020080821\index.dat

    ============= FINISH: 15:22:06.78 ===============


    UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
    IF REQUESTED, ZIP IT UP & ATTACH IT

    DDS (Ver_09-07-30.01)

    Microsoft Windows XP Home Edition
    Boot Device: \Device\HarddiskVolume1
    Install Date: 19/01/2007 12:29:23
    System Uptime: 08/10/2009 15:07:00 (-1416 hours ago)

    Motherboard: ASUSTeK Computer INC. | | P5B-VM
    Processor: Intel(R) Core(TM)2 CPU 6400 @ 2.13GHz | LGA 775 | 2133/266mhz

    ==== Disk Partitions =========================

    A: is Removable
    C: is FIXED (NTFS) - 186 GiB total, 162.205 GiB free.
    D: is FIXED (NTFS) - 112 GiB total, 100.816 GiB free.
    E: is CDROM ()
    F: is CDROM ()
    G: is Removable
    H: is Removable
    I: is Removable
    J: is Removable

    ==== Disabled Device Manager Items =============

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: 1394 Net Adapter
    Device ID: V1394\NIC1394\E03B2C11D800
    Manufacturer: Microsoft
    Name: 1394 Net Adapter
    PNP Device ID: V1394\NIC1394\E03B2C11D800
    Service: NIC1394

    ==== System Restore Points ===================

    RP816: 12/05/2009 11:22:30 - System Checkpoint
    RP817: 13/05/2009 11:31:49 - System Checkpoint
    RP818: 13/05/2009 19:39:00 - Software Distribution Service 3.0
    RP819: 15/05/2009 11:32:16 - System Checkpoint
    RP820: 17/05/2009 08:02:32 - System Checkpoint
    RP821: 18/05/2009 09:36:08 - System Checkpoint
    RP822: 19/05/2009 10:00:13 - System Checkpoint
    RP823: 20/05/2009 10:54:37 - System Checkpoint
    RP824: 21/05/2009 11:08:00 - System Checkpoint
    RP825: 22/05/2009 13:28:26 - System Checkpoint
    RP826: 23/05/2009 14:28:41 - System Checkpoint
    RP827: 24/05/2009 20:34:36 - System Checkpoint
    RP828: 26/05/2009 09:03:11 - System Checkpoint
    RP829: 27/05/2009 10:43:35 - System Checkpoint
    RP830: 28/05/2009 11:10:51 - System Checkpoint
    RP831: 29/05/2009 19:43:50 - System Checkpoint
    RP832: 31/05/2009 10:26:52 - System Checkpoint
    RP833: 01/06/2009 11:05:22 - System Checkpoint
    RP834: 03/06/2009 09:12:39 - System Checkpoint
    RP835: 04/06/2009 10:06:39 - System Checkpoint
    RP836: 05/06/2009 11:45:56 - System Checkpoint
    RP837: 06/06/2009 19:57:14 - System Checkpoint
    RP838: 07/06/2009 21:13:52 - System Checkpoint
    RP839: 09/06/2009 10:23:42 - System Checkpoint
    RP840: 09/06/2009 22:41:37 - Software Distribution Service 3.0
    RP841: 11/06/2009 09:27:40 - System Checkpoint
    RP842: 11/06/2009 18:56:16 - Software Distribution Service 3.0
    RP843: 12/06/2009 18:59:51 - System Checkpoint
    RP844: 14/06/2009 09:55:57 - System Checkpoint
    RP845: 15/06/2009 11:46:07 - System Checkpoint
    RP846: 17/06/2009 11:52:39 - System Checkpoint
    RP847: 18/06/2009 12:53:58 - System Checkpoint
    RP848: 19/06/2009 13:03:07 - System Checkpoint
    RP849: 21/06/2009 10:57:48 - System Checkpoint
    RP850: 22/06/2009 11:00:27 - System Checkpoint
    RP851: 23/06/2009 11:42:36 - System Checkpoint
    RP852: 25/06/2009 09:33:40 - System Checkpoint
    RP853: 26/06/2009 09:38:27 - System Checkpoint
    RP854: 27/06/2009 10:10:27 - System Checkpoint
    RP855: 28/06/2009 11:04:49 - System Checkpoint
    RP856: 29/06/2009 11:37:55 - System Checkpoint
    RP857: 30/06/2009 12:32:54 - System Checkpoint
    RP858: 01/07/2009 16:28:56 - System Checkpoint
    RP859: 03/07/2009 11:29:09 - System Checkpoint
    RP860: 04/07/2009 12:22:59 - System Checkpoint
    RP861: 05/07/2009 12:57:21 - System Checkpoint
    RP862: 06/07/2009 13:30:55 - System Checkpoint
    RP863: 07/07/2009 13:37:33 - System Checkpoint
    RP864: 08/07/2009 14:12:37 - System Checkpoint
    RP865: 09/07/2009 14:42:19 - System Checkpoint
    RP866: 11/07/2009 11:14:16 - System Checkpoint
    RP867: 12/07/2009 11:17:30 - System Checkpoint
    RP868: 13/07/2009 11:18:26 - System Checkpoint
    RP869: 14/07/2009 12:09:56 - System Checkpoint
    RP870: 15/07/2009 10:32:58 - Software Distribution Service 3.0
    RP871: 16/07/2009 11:49:22 - System Checkpoint
    RP872: 17/07/2009 12:05:26 - System Checkpoint
    RP873: 19/07/2009 08:14:34 - System Checkpoint
    RP874: 20/07/2009 11:10:26 - System Checkpoint
    RP875: 21/07/2009 12:07:34 - System Checkpoint
    RP876: 22/07/2009 13:19:28 - System Checkpoint
    RP877: 22/07/2009 22:03:47 - Software Distribution Service 3.0
    RP878: 24/07/2009 10:53:20 - System Checkpoint
    RP879: 25/07/2009 11:05:31 - System Checkpoint
    RP880: 26/07/2009 09:44:50 - Installed Java(TM) 6 Update 13
    RP881: 26/07/2009 23:43:30 - 26th July 09 2343
    RP882: 27/07/2009 00:16:45 - Restore Operation
    RP883: 27/07/2009 13:34:58 - Trusteer Rapport Installation
    RP884: 29/07/2009 11:19:33 - System Checkpoint
    RP885: 29/07/2009 18:09:26 - Software Distribution Service 3.0
    RP886: 31/07/2009 11:26:44 - System Checkpoint
    RP887: 31/07/2009 13:52:52 - Software Distribution Service 3.0
    RP888: 01/08/2009 14:51:19 - System Checkpoint
    RP889: 02/08/2009 15:22:45 - System Checkpoint
    RP890: 03/08/2009 16:57:26 - System Checkpoint
    RP891: 04/08/2009 12:05:40 - Removed Java(TM) 6 Update 10
    RP892: 04/08/2009 12:07:20 - Removed Java(TM) 6 Update 3
    RP893: 04/08/2009 12:08:12 - Removed Java(TM) 6 Update 5
    RP894: 04/08/2009 12:09:03 - Removed Java(TM) 6 Update 7
    RP895: 04/08/2009 15:10:27 - Software Distribution Service 3.0
    RP896: 05/08/2009 12:34:22 - Software Distribution Service 3.0
    RP897: 06/08/2009 12:38:34 - System Checkpoint
    RP898: 07/08/2009 12:43:59 - System Checkpoint
    RP899: 08/08/2009 21:26:00 - System Checkpoint
    RP900: 08/08/2009 22:06:31 - Cleaned registry with Windows Live OneCare safety scanner
    RP901: 09/08/2009 08:23:58 - Software Distribution Service 3.0
    RP902: 09/08/2009 10:26:39 - Cleaned registry with Windows Live OneCare safety scanner
    RP903: 09/08/2009 14:42:32 - Removed ScanToWeb
    RP904: 09/08/2009 16:48:03 - Cleaned registry with Windows Live OneCare safety scanner
    RP905: 10/08/2009 08:48:35 - Removed IKEA HomePlanner Office
    RP906: 10/08/2009 08:49:38 - Removed OpenOffice.org Installer 1.0
    RP907: 10/08/2009 08:50:16 - Removed Python
    RP908: 10/08/2009 08:50:23 - Removed Applet_Pim
    RP909: 10/08/2009 08:50:27 - Removed Applet_Pda
    RP910: 10/08/2009 08:50:32 - Removed Applet_Web
    RP911: 10/08/2009 08:50:36 - Removed Applet_Epp
    RP912: 10/08/2009 08:50:42 - Removed Applet_Creativity
    RP913: 10/08/2009 08:50:46 - Removed Applet_App
    RP914: 10/08/2009 08:50:51 - Removed Applet_Copy
    RP915: 10/08/2009 08:50:56 - Removed Applet_Ocr
    RP916: 10/08/2009 08:51:01 - Removed Applet_Email
    RP917: 10/08/2009 08:51:06 - Removed Applet_File
    RP918: 10/08/2009 08:51:13 - Removed Applet_Bcr
    RP919: 10/08/2009 08:51:18 - Removed Smart Panel
    RP920: 10/08/2009 08:51:26 - Removed Smart Panel
    RP921: 10/08/2009 08:51:49 - Removed EPSON Copy Utility
    RP922: 10/08/2009 09:08:39 - Removed 4oD.

    ==== Installed Programs ======================

    ABBYY FineReader 5.0 Sprint
    ABBYY FineReader 6.0
    Adobe Acrobat 5.0
    Adobe Anchor Service CS3
    Adobe Asset Services CS3
    Adobe Bridge 1.0
    Adobe Bridge CS3
    Adobe Bridge Start Meeting
    Adobe Camera Raw 4.0
    Adobe CMaps
    Adobe Color - Photoshop Specific
    Adobe Color Common Settings
    Adobe Color EU Extra Settings
    Adobe Color JA Extra Settings
    Adobe Color NA Recommended Settings
    Adobe Common File Installer
    Adobe Default Language CS3
    Adobe Device Central CS3
    Adobe ExtendScript Toolkit 2
    Adobe Flash Player 10 ActiveX
    Adobe Flash Player 10 Plugin
    Adobe Fonts All
    Adobe Help Center 1.0
    Adobe Help Viewer CS3
    Adobe Linguistics CS3
    Adobe PDF Library Files
    Adobe Photoshop CS2
    Adobe Photoshop CS3
    Adobe Photoshop Lightroom
    Adobe Reader 7.0.9
    Adobe Setup
    Adobe Stock Photos 1.0
    Adobe Stock Photos CS3
    Adobe Type Support
    Adobe Update Manager CS3
    Adobe Version Cue CS3 Client
    Adobe WinSoft Linguistics Plugin
    Adobe XMP Panels CS3
    ALOT Toolbar
    ArcSoft PhotoImpression
    C-Media 3D Audio
    Canon Camera Access Library
    Canon Camera Support Core Library
    Canon G.726 WMP-Decoder
    CANON iMAGE GATEWAY Task for ZoomBrowser EX
    Canon Internet Library for ZoomBrowser EX
    Canon MovieEdit Task for ZoomBrowser EX
    Canon RAW Image Task for ZoomBrowser EX
    Canon Utilities CameraWindow
    Canon Utilities CameraWindow DC
    Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
    Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
    Canon Utilities EOS Utility
    Canon Utilities MyCamera
    Canon Utilities MyCamera DC
    Canon Utilities PhotoStitch
    Canon Utilities RemoteCapture DC
    Canon Utilities RemoteCapture Task for ZoomBrowser EX
    Canon Utilities ZoomBrowser EX
    Canon ZoomBrowser EX Memory Card Utility
    Compatibility Pack for the 2007 Office system
    Critical Update for Windows Media Player 11 (KB959772)
    DOFMaster
    Entriq MediaSphere 3.4.0.10
    EPSON LFP Remote Panel
    EPSON Photo Print
    EPSON Printer Software
    ESPR3800 User’s Guide
    Eye-One Diagnostics
    Eye-One Match 3.6.2
    Eye-One Share
    Google Earth
    Google Toolbar for Internet Explorer
    High Definition Audio Driver Package - KB888111
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
    Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
    Hotfix for Windows Internet Explorer 7 (KB947864)
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows Media Player 11 (KB939683)
    Hotfix for Windows XP (KB915800-v4)
    Hotfix for Windows XP (KB952287)
    Hotfix for Windows XP (KB954550-v5)
    Hotfix for Windows XP (KB961118)
    i1ColorPoint 1.0
    Intel(R) Graphics Media Accelerator Driver
    JMB36X Raid Configurer
    LiveUpdate (Symantec Corporation)
    LiveUpdate Notice (Symantec Corporation)
    Malwarebytes' Anti-Malware
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 1.1 Hotfix (KB928366)
    Microsoft .NET Framework 2.0 Service Pack 2
    Microsoft .NET Framework 3.0 Service Pack 2
    Microsoft .NET Framework 3.5 SP1
    Microsoft Color Control Panel Applet for Windows XP
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft IntelliPoint 5.5
    Microsoft Internationalized Domain Names Mitigation APIs
    Microsoft Kernel-Mode Driver Framework Feature Pack 1.1
    Microsoft National Language Support Downlevel APIs
    Microsoft Office Professional Edition 2003
    Microsoft RAW Image Thumbnailer and Viewer for Windows XP Version 1.0 (Build 50)
    Microsoft Silverlight
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
    Microsoft Visual C++ 2005 Redistributable
    Mozilla Firefox (3.0.12)
    Nero OEM
    Nikon Scan
    Norton Internet Security
    NVIDIA Drivers
    PC Probe II
    PDF Settings
    Photodex Presenter
    Photomatix Pro version 3.1.3
    Rapport
    RawShooter essentials 2005
    RawShooter premium 2006
    Security Update for CAPICOM (KB931906)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB931768)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Internet Explorer 7 (KB937143)
    Security Update for Windows Internet Explorer 7 (KB938127)
    Security Update for Windows Internet Explorer 7 (KB939653)
    Security Update for Windows Internet Explorer 7 (KB942615)
    Security Update for Windows Internet Explorer 7 (KB944533)
    Security Update for Windows Internet Explorer 7 (KB950759)
    Security Update for Windows Internet Explorer 7 (KB953838)
    Security Update for Windows Internet Explorer 7 (KB956390)
    Security Update for Windows Internet Explorer 7 (KB958215)
    Security Update for Windows Internet Explorer 7 (KB960714)
    Security Update for Windows Internet Explorer 7 (KB961260)
    Security Update for Windows Internet Explorer 7 (KB963027)
    Security Update for Windows Internet Explorer 8 (KB969897)
    Security Update for Windows Internet Explorer 8 (KB972260)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player (KB952069)
    Security Update for Windows Media Player 11 (KB936782)
    Security Update for Windows Media Player 11 (KB954154)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows Search 4 - KB963093
    Security Update for Windows XP (KB923561)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923789)
    Security Update for Windows XP (KB938464)
    Security Update for Windows XP (KB941569)
    Security Update for Windows XP (KB946648)
    Security Update for Windows XP (KB950760)
    Security Update for Windows XP (KB950762)
    Security Update for Windows XP (KB950974)
    Security Update for Windows XP (KB951066)
    Security Update for Windows XP (KB951376-v2)
    Security Update for Windows XP (KB951376)
    Security Update for Windows XP (KB951698)
    Security Update for Windows XP (KB951748)
    Security Update for Windows XP (KB952004)
    Security Update for Windows XP (KB952954)
    Security Update for Windows XP (KB953839)
    Security Update for Windows XP (KB954211)
    Security Update for Windows XP (KB954459)
    Security Update for Windows XP (KB954600)
    Security Update for Windows XP (KB955069)
    Security Update for Windows XP (KB956391)
    Security Update for Windows XP (KB956572)
    Security Update for Windows XP (KB956802)
    Security Update for Windows XP (KB956803)
    Security Update for Windows XP (KB956841)
    Security Update for Windows XP (KB957095)
    Security Update for Windows XP (KB957097)
    Security Update for Windows XP (KB958644)
    Security Update for Windows XP (KB958687)
    Security Update for Windows XP (KB958690)
    Security Update for Windows XP (KB959426)
    Security Update for Windows XP (KB960225)
    Security Update for Windows XP (KB960715)
    Security Update for Windows XP (KB960803)
    Security Update for Windows XP (KB961371)
    Security Update for Windows XP (KB961373)
    Security Update for Windows XP (KB961501)
    Security Update for Windows XP (KB968537)
    Security Update for Windows XP (KB969898)
    Security Update for Windows XP (KB970238)
    Security Update for Windows XP (KB971633)
    Security Update for Windows XP (KB973346)
    SI Pro 1.1.1
    SoundMAX
    SpeedFan (remove only)
    SpeedTouch USB Software
    Symantec KB-DocID:2003093015493306
    Symantec Technical Support Web Controls
    Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
    Update for Windows Internet Explorer 8 (KB972636)
    Update for Windows XP (KB951072-v2)
    Update for Windows XP (KB951978)
    Update for Windows XP (KB955839)
    Update for Windows XP (KB967715)
    WebFldrs XP
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Internet Explorer 7
    Windows Internet Explorer 8
    Windows Live installer
    Windows Live Mail
    Windows Live OneCare safety scanner
    Windows Live Sign-in Assistant
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows Search 4.0
    Windows XP Service Pack 3

    ==== Event Viewer Messages From Past Week ========

    07/08/2009 21:02:41, error: Service Control Manager [7000] - The Parallel port driver service failed to start due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
    05/08/2009 16:04:46, information: Windows File Protection [64001] - File replacement was attempted on the protected system file c:\windows\system32\spoolsv.exe. This file was restored to the original version to maintain system stability. The file version of the bad file is 5.1.2600.2696, the version of the system file is 5.1.2600.5512.
    05/08/2009 16:04:05, error: Service Control Manager [7031] - The Print Spooler service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 60000 milliseconds: Restart the service.
    05/08/2009 10:50:44, error: Service Control Manager [7034] - The Application Layer Gateway Service service terminated unexpectedly. It has done this 1 time(s).
    04/08/2009 14:38:54, information: Windows File Protection [64002] - File replacement was attempted on the protected system file c:\windows\system32\rundll32.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
    04/08/2009 12:09:41, error: Service Control Manager [7023] - The Application Management service terminated with the following error: The specified module could not be found.

    ==== End Of File ===========================
     
  2. 2009/08/10
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Please download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Please, never rename Combofix unless instructed.
    2. Close any open browsers.
    3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    4. Double click on combofix.exe & follow the prompts.
    5. When finished, it will produce a report for you.
    6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
     


  4. 2009/08/11
    SarahB

    SarahB Well-Known Member Thread Starter

    Joined:
    2009/08/10
    Messages:
    115
    Likes Received:
    1
    Broni,
    Thank you for your reply. Your help is appreciated.

    I have run Combofix with all the components of Norton Internet Security 2009 switched off. I do not know if I have script blocking on or off or how to do this, so I'm not sure if the log below will be correct?

    You also ask for a new HijackThis log. I'm afraid I do not know what this is or where to get you this from! Please expand further for this.

    Here is the Combofix scan log as you requested.

    ComboFix 09-08-10.04 - Sarah 11/08/2009 10:16.1.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2023.1487 [GMT 1:00]
    Running from: c:\documents and settings\Sarah\Desktop\ComboFix.exe
    .
    ADS - svchost.exe: deleted 88 bytes in 2 streams.
    ADS - explorer.exe: deleted 88 bytes in 2 streams.

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Sarah\Application Data\alot
    c:\documents and settings\Sarah\Application Data\alot\Button_0\Button_0.xml
    c:\documents and settings\Sarah\Application Data\alot\Button_0\Button_0.xml.backup
    c:\documents and settings\Sarah\Application Data\alot\Button_1\Button_1.xml
    c:\documents and settings\Sarah\Application Data\alot\Button_1\Button_1.xml.backup
    c:\documents and settings\Sarah\Application Data\alot\Button_10\Button_10.xml
    c:\documents and settings\Sarah\Application Data\alot\Button_10\Button_10.xml.backup
    c:\documents and settings\Sarah\Application Data\alot\Button_11\Button_11.xml
    c:\documents and settings\Sarah\Application Data\alot\Button_11\Button_11.xml.backup
    c:\documents and settings\Sarah\Application Data\alot\Button_2\Button_2.xml
    c:\documents and settings\Sarah\Application Data\alot\Button_2\Button_2.xml.backup
    c:\documents and settings\Sarah\Application Data\alot\Button_3\Button_3.xml
    c:\documents and settings\Sarah\Application Data\alot\Button_3\Button_3.xml.backup
    c:\documents and settings\Sarah\Application Data\alot\Button_4\Button_4.xml
    c:\documents and settings\Sarah\Application Data\alot\Button_4\Button_4.xml.backup
    c:\documents and settings\Sarah\Application Data\alot\Button_5\Button_5.xml
    c:\documents and settings\Sarah\Application Data\alot\Button_5\Button_5.xml.backup
    c:\documents and settings\Sarah\Application Data\alot\Button_6\Button_6.xml
    c:\documents and settings\Sarah\Application Data\alot\Button_6\Button_6.xml.backup
    c:\documents and settings\Sarah\Application Data\alot\Button_7\Button_7.xml
    c:\documents and settings\Sarah\Application Data\alot\Button_7\Button_7.xml.backup
    c:\documents and settings\Sarah\Application Data\alot\Button_8\Button_8.xml
    c:\documents and settings\Sarah\Application Data\alot\Button_8\Button_8.xml.backup
    c:\documents and settings\Sarah\Application Data\alot\Button_9\Button_9.xml
    c:\documents and settings\Sarah\Application Data\alot\Button_9\Button_9.xml.backup
    c:\documents and settings\Sarah\Application Data\alot\configurator\configurator.xml
    c:\documents and settings\Sarah\Application Data\alot\configurator\configurator.xml.backup
    c:\documents and settings\Sarah\Application Data\alot\postInstallLayout\postInstallLayout.xml
    c:\documents and settings\Sarah\Application Data\alot\postInstallLayout\postInstallLayout.xml.backup
    c:\documents and settings\Sarah\Application Data\alot\products\products.xml
    c:\documents and settings\Sarah\Application Data\alot\products\products.xml.backup
    c:\documents and settings\Sarah\Application Data\alot\Resources\Button_0\images\alot_icon_35x16.bmp
    c:\documents and settings\Sarah\Application Data\alot\Resources\Button_1\images\alot_search_24x16.bmp
    c:\documents and settings\Sarah\Application Data\alot\Resources\Button_2\images\default_282_alot_map_widget_default.bmp
    c:\documents and settings\Sarah\Application Data\alot\Resources\Button_3\images\default_275_alot_maps_maptravel.bmp
    c:\documents and settings\Sarah\Application Data\alot\Resources\Button_4\images\default_283_alot_maps_weather.bmp
    c:\documents and settings\Sarah\Application Data\alot\Resources\Button_4\images\mcloud.bmp
    c:\documents and settings\Sarah\Application Data\alot\Resources\Button_5\images\default_276_toolbar_alot_icon_mrkt_fb.bmp
    c:\documents and settings\Sarah\Application Data\alot\Resources\Button_6\images\default_503_alot_ref_mrkt_world_travel_guides.bmp
    c:\documents and settings\Sarah\Application Data\alot\Resources\Button_7\images\default_502_alot_ref_mrkt_book.bmp
    c:\documents and settings\Sarah\Application Data\alot\Resources\Shared\domains.dat
    c:\documents and settings\Sarah\Application Data\alot\Resources\Shared\images\alot_brand.png
    c:\documents and settings\Sarah\Application Data\alot\Resources\Shared\images\spinner.bmp
    c:\documents and settings\Sarah\Application Data\alot\Resources\Shared\images\widget_bottom.bmp
    c:\documents and settings\Sarah\Application Data\alot\Resources\Shared\images\widget_btnclose0.bmp
    c:\documents and settings\Sarah\Application Data\alot\Resources\Shared\images\widget_btnclose1.bmp
    c:\documents and settings\Sarah\Application Data\alot\Resources\Shared\images\widget_btnmin0.bmp
    c:\documents and settings\Sarah\Application Data\alot\Resources\Shared\images\widget_btnmin1.bmp
    c:\documents and settings\Sarah\Application Data\alot\Resources\Shared\images\widget_caption.bmp
    c:\documents and settings\Sarah\Application Data\alot\Resources\Shared\images\widget_error_bg.bmp
    c:\documents and settings\Sarah\Application Data\alot\Resources\Shared\images\widget_error_close.bmp
    c:\documents and settings\Sarah\Application Data\alot\Resources\Shared\images\widget_error_icon.bmp
    c:\documents and settings\Sarah\Application Data\alot\TimerManager\TimerManager.xml
    c:\documents and settings\Sarah\Application Data\alot\TimerManager\TimerManager.xml.backup
    c:\documents and settings\Sarah\Application Data\alot\toolbar.xml
    c:\documents and settings\Sarah\Application Data\alot\ToolbarSearch\ToolbarSearch.xml
    c:\documents and settings\Sarah\Application Data\alot\Updater\Updater.xml
    c:\documents and settings\Sarah\Application Data\alot\Updater\Updater.xml.backup
    c:\program files\alot
    c:\program files\alot\alotUninst.exe
    c:\program files\alot\bin\alot.dll
    c:\program files\INSTALL.LOG


    .
    ((((((((((((((((((((((((( Files Created from 2009-07-11 to 2009-08-11 )))))))))))))))))))))))))))))))
    .

    2009-08-11 08:56 . 2009-07-13 08:00 87888 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090810.054\NAVENG.SYS
    2009-08-11 08:56 . 2009-07-13 08:00 875728 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090810.054\NAVEX15.SYS
    2009-08-11 08:56 . 2009-04-02 08:00 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090810.054\NAVENG32.DLL
    2009-08-11 08:56 . 2009-04-02 08:00 1181040 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090810.054\NAVEX32A.DLL
    2009-08-11 08:56 . 2009-04-02 08:00 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090810.054\EECTRL.SYS
    2009-08-11 08:56 . 2009-04-02 08:00 259368 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090810.054\ECMSVR32.DLL
    2009-08-11 08:56 . 2009-04-02 08:00 2414128 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090810.054\CCERASER.DLL
    2009-08-11 08:56 . 2009-04-02 08:00 101936 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090810.054\ERASER.SYS
    2009-08-11 08:41 . 2009-03-12 08:42 165240 ----a-r- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
    2009-08-09 07:23 . 2009-07-01 07:08 101376 -c----w- c:\windows\system32\dllcache\iecompat.dll
    2009-08-08 17:33 . 2009-08-10 17:46 -------- d-----w- c:\program files\Windows Live Safety Center
    2009-08-07 12:49 . 2009-08-07 12:49 -------- d-----w- c:\documents and settings\Sarah\Application Data\Malwarebytes
    2009-08-07 12:49 . 2009-08-03 12:36 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
    2009-08-07 12:49 . 2009-08-07 12:49 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-08-07 12:49 . 2009-08-07 12:49 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
    2009-08-07 12:49 . 2009-08-03 12:36 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
    2009-08-04 14:15 . 2009-08-04 14:15 -------- d-----w- c:\windows\system32\XPSViewer
    2009-08-04 14:15 . 2009-08-04 14:15 -------- d-----w- c:\program files\MSBuild
    2009-08-04 14:15 . 2009-08-04 14:15 -------- d-----w- c:\program files\Reference Assemblies
    2009-08-04 14:15 . 2008-07-06 12:06 89088 -c----w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
    2009-08-04 14:15 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
    2009-08-04 14:15 . 2008-07-06 12:06 575488 -c----w- c:\windows\system32\dllcache\xpsshhdr.dll
    2009-08-04 14:15 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
    2009-08-04 14:15 . 2008-07-06 12:06 1676288 -c----w- c:\windows\system32\dllcache\xpssvcs.dll
    2009-08-04 14:15 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
    2009-08-04 14:15 . 2008-07-06 10:50 597504 -c----w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
    2009-08-04 14:15 . 2009-08-04 14:15 -------- d-----w- C:\331e7efb5b4b424faae4241b
    2009-08-04 13:46 . 2009-08-04 13:46 -------- d-----w- c:\documents and settings\Sarah\Application Data\Uniblue
    2009-07-30 22:51 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSXpx86.sys
    2009-07-30 22:51 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\Scxpx86.dll
    2009-07-30 22:51 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSvix86.sys
    2009-07-30 22:51 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSxpx86.dll
    2009-07-30 22:51 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSviA64.sys
    2009-07-28 07:36 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090722.001\IDSXpx86.sys
    2009-07-28 07:36 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090722.001\Scxpx86.dll
    2009-07-28 07:36 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090722.001\IDSxpx86.dll
    2009-07-28 07:36 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090722.001\IDSvix86.sys
    2009-07-28 07:35 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090722.001\IDSviA64.sys
    2009-07-27 14:20 . 2009-07-27 14:20 -------- d-----w- c:\program files\Norton Support
    2009-07-27 14:19 . 2009-07-27 14:19 -------- d-----w- c:\documents and settings\Sarah\Local Settings\Application Data\Symantec
    2009-07-27 12:35 . 2009-07-27 12:35 -------- d-----w- c:\documents and settings\Sarah\Application Data\Trusteer
    2009-07-27 12:35 . 2009-07-27 12:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Trusteer
    2009-07-27 12:35 . 2009-07-27 12:35 -------- d-----w- c:\program files\Trusteer
    2009-07-26 23:35 . 2009-07-26 23:35 -------- d-----w- c:\documents and settings\Sarah\Application Data\Windows Search
    2009-07-26 08:43 . 2009-07-26 08:43 152576 ----a-w- c:\documents and settings\Sarah\Application Data\Sun\Java\jre1.6.0_13\lzma.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-08-11 09:19 . 2008-04-27 17:04 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
    2009-08-10 14:08 . 2008-04-27 17:04 -------- d-----w- c:\program files\Kontiki
    2009-08-10 07:51 . 2007-01-19 12:39 -------- d--h--w- c:\program files\InstallShield Installation Information
    2009-08-10 07:48 . 2007-06-24 08:46 -------- d-----w- c:\program files\IKEA HomePlanner
    2009-08-05 11:33 . 2004-08-04 12:00 33280 ----a-w- c:\windows\system32\rundll32.exe
    2009-08-05 10:38 . 2007-01-24 16:46 108656 ----a-w- c:\documents and settings\Sarah\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
    2009-08-04 13:50 . 2004-08-04 12:00 14336 ----a-w- c:\windows\system32\svchost.exe
    2009-08-04 13:39 . 2004-08-04 12:00 57856 ----a-w- c:\windows\system32\spoolsv.exe
    2009-08-01 09:47 . 2008-04-11 17:05 -------- d-----w- c:\program files\Microsoft Silverlight
    2009-07-27 08:14 . 2004-08-04 12:00 1033728 ----a-w- c:\windows\explorer.exe
    2009-07-11 19:34 . 2009-07-11 19:34 276344 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSXpx86.sys
    2009-07-11 19:34 . 2009-07-11 19:34 293424 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSvix86.sys
    2009-07-11 19:34 . 2009-07-11 19:34 533880 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
    2009-07-11 19:34 . 2009-07-11 19:34 451960 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSxpx86.dll
    2009-07-11 19:34 . 2009-07-11 19:34 397360 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\IDSviA64.sys
    2009-07-03 17:09 . 2004-08-04 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
    2009-06-16 14:36 . 2004-08-04 12:00 81920 ----a-w- c:\windows\system32\fontsub.dll
    2009-06-16 14:36 . 2004-08-04 12:00 119808 ----a-w- c:\windows\system32\t2embed.dll
    2009-06-03 19:09 . 2004-08-04 12:00 1291264 ----a-w- c:\windows\system32\quartz.dll
    2009-05-24 23:24 . 2008-05-26 21:18 350208 ----a-w- c:\windows\system32\mssph.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
    "NBJ"="c:\program files\Ahead\Nero BackItUp\NBJ.exe" [2004-07-26 1867776]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-01-03 68856]
    "kdx"="c:\program files\Kontiki\KHost.exe" [2007-04-23 1032640]
    "updateMgr"="c:\program files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 313472]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NVRaidService"="c:\windows\system32\nvraidservice.exe" [2004-06-11 83968]
    "NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
    "SpeedTouch USB Diagnostics"="c:\program files\Thomson\SpeedTouch USB\Dragdiag.exe" [2004-01-26 866816]
    "IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2005-12-04 461584]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2006-07-21 98304]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2006-07-21 86016]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2006-07-21 81920]
    "SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 843776]
    "JMB36X Configure"="c:\windows\system32\JMRaidTool.exe" [2006-07-12 352256]
    "Launch PC Probe II"="c:\program files\ASUS\PC Probe II\Probe2.exe" [2006-07-28 2129408]
    "Adobe Photo Downloader"="c:\program files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe" [2007-02-06 61440]
    "Symantec PIF AlertEng"="c:\program files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" [2007-11-28 583048]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    EPSON Status Monitor 3 Environment Check 2.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2008-4-7 135680]
    Logo Calibration Loader.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2008-1-30 708608]
    ProfileReminder.lnk - c:\program files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2008-1-30 954368]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{56F9679E-7826-4C84-81F3-532071A8BCC5}"="c:\program files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2009-05-24 304128]

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
    @="FSFilter Activity Monitor"

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\Kontiki\\KService.exe"=
    "c:\\WINDOWS\\system32\\sessmgr.exe"=

    R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1005000.087\SymEFA.sys [03/04/2009 09:17 310320]
    R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1005000.087\BHDrvx86.sys [03/04/2009 09:16 258608]
    R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1005000.087\cchpx86.sys [03/04/2009 09:16 482352]
    R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090730.003\IDSXpx86.sys [30/07/2009 23:51 276344]
    R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [27/07/2009 13:35 58728]
    R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [27/07/2009 13:35 301928]
    R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe [03/04/2009 09:16 115560]
    R2 PDIHWCTL;PDIHWCTL;c:\windows\system32\drivers\pdihwctl.sys [19/02/2007 15:42 14416]
    R2 RapportMgmtService;Rapport Management Service;c:\program files\Trusteer\Rapport\bin\RapportMgmtService.exe [27/07/2009 13:35 918760]
    R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [02/04/2009 09:00 101936]
    S3 eyeonedp;eye-one display;c:\windows\system32\drivers\EyeOneDp.sys [19/02/2007 15:42 44344]
    S3 Spyder;ColorVision Spyder2;c:\windows\system32\drivers\SpyderUSB.sys [07/08/2006 20:28 12288]
    S3 Usblink;Usblink Driver;c:\windows\system32\drivers\ulink.sys [18/03/2007 14:04 40060]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
    .
    Contents of the 'Scheduled Tasks' folder

    2009-08-10 c:\windows\Tasks\Norton Internet Security - Sarah - Full System Scan.job
    - c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\Navw32.exe [2009-04-03 08:42]

    2009-08-11 c:\windows\Tasks\User_Feed_Synchronization-{EB3D653E-5777-4E17-8D5F-D8A53C595730}.job
    - c:\windows\system32\msfeedssync.exe [2009-08-04 12:58]
    .
    - - - - ORPHANS REMOVED - - - -

    HKLM-Run-Cmaudio - cmicnfg.cpl


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.metoffice.gov.uk/weather/uk/wm/cannock_forecast_weather.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    DPF: {46431044-1B22-4EF3-B333-863AAF310153} - hxxp://download.five.tv/Download/five_3_4_0_8.cab
    FF - ProfilePath - c:\documents and settings\Sarah\Application Data\Mozilla\Firefox\Profiles\9rzdtr1d.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.metoffice.gov.uk/weather/uk/wm/cannock_forecast_weather.html
    FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
    FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
    FF - plugin: c:\documents and settings\Sarah\Application Data\Mozilla\plugins\npPxPlay.dll
    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
    .

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-08-11 10:19
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
    "ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\diMaster.dll\" /prefetch:1"
    .
    Completion time: 2009-08-11 10:21
    ComboFix-quarantined-files.txt 2009-08-11 09:21

    Pre-Run: 174,113,296,384 bytes free
    Post-Run: 174,332,387,328 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    252 --- E O F --- 2009-08-05 15:14
     
  5. 2009/08/11
    PeteC

    PeteC SuperGeek Staff

    Joined:
    2002/05/10
    Messages:
    28,896
    Likes Received:
    389
  6. 2009/08/11
    SarahB

    SarahB Well-Known Member Thread Starter

    Joined:
    2009/08/10
    Messages:
    115
    Likes Received:
    1
    Thanks Peter.
    Here's the Hijackthis log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:24:49, on 11/08/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\WINDOWS\system32\nvraidservice.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\ASUS\PC Probe II\Probe2.exe
    C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Kontiki\KHost.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Sarah\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metoffice.gov.uk/weather/uk/wm/cannock_forecast_weather.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe "
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
    O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe "
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe "
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
    O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {46431044-1B22-4EF3-B333-863AAF310153} - http://download.five.tv/Download/five_3_4_0_8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169683246062
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
    O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://download.five.tv/Download/Entriq_3_4_0_10_Silent.cab
    O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 10535 bytes
     
  7. 2009/08/11
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    Thanks, Pete, for the HJT link. WindowsBBS has slightly different post requirements, and I keep forgetting about the HJT link :)

    Sarah

    Unless you willingly installed Kontiki Player....
    Go Start > Control Panel > Add\Remove ("Programs and Features" in Vista), and uninstall Sky Anytime (if present).
    Download, and run KClean.exe: http://static.sky.com/kclean/KClean.exe to remove Kontiki from your computer.
    NOTE: Kontiki is a known resource hog.

    ================================================================

    Uninstall Combofix:
    Go Start > Run
    Type in:
    combofix /u
    Note the space between the "combofix" and the "/u"
    Restart computer.

    =================================================================

    Download Dr.Web CureIt to the desktop:
    ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
    • Doubleclick the drweb-cureit.exe file and click Scan to run express scan. Click OK in pop-up window to allow scan.
    • This will scan the files currently running in memory and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, select Complete scan.
    • Click the green arrow at the right, and the scan will start.
    • Click Yes to all if it asks if you want to cure/move the file.
    • When the scan has finished, in the menu, click File and choose Save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
    • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.

    NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.


    Post fresh HijackThis log as well.
     
  8. 2009/08/12
    SarahB

    SarahB Well-Known Member Thread Starter

    Joined:
    2009/08/10
    Messages:
    115
    Likes Received:
    1
    Hi Broni,
    Thanks for your last reply.

    I think Kontiki would have been installed whilst I was using the BBC's iPlayer. However, I can live without this so I have removed it as you have instructed.

    (Incidentally I also have Bonjour doing its own thing, I don't know where this came from or what it does.)

    I have uninstalled Combofix as you have instructed.

    The Dr. Web scan log is below. Windows ran the disk check once it was rebooted.

    By the way, you told me not to install any new software or make any changes to my PC in your last post. I have not intentionally, but I realised today Windows & Norton (and other e.g. Firefox) automatic updates are still on. Should I have turned these off? Apologies if I should have done. Please let me know.

    Dr. Web log:
    1196745071jtun_firstexpirationpif.x00\Program Files\Common Files\PIF_B8E1\pifCrawl.exe;C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads\1196745071jtun_firstexpirationpif.x00;Trojan.Swizzor.based;;
    1196745071jtun_firstexpirationpif.x00;C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\Downloads;Archive contains infected objects;Moved.;
    pifCrawl.exe;C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08};Trojan.Swizzor.based;Deleted.;
    A0000029.exe;C:\System Volume Information\_restore{2C3886A4-09E8-49C9-B1CD-BC314CA25708}\RP1;Trojan.Swizzor.based;Deleted.;

    The new HijackThis log is below:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:07:43, on 12/08/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    C:\WINDOWS\system32\nvraidservice.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Sarah\Desktop\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\SoftwareDistribution\Download\Install\windows-kb890830-v2.13-delta.exe
    c:\bc8e627a1e7860ed2bfe8c37b1\mrtstub.exe
    C:\WINDOWS\system32\SearchProtocolHost.exe
    C:\WINDOWS\system32\MRT.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metoffice.gov.uk/weather/uk/wm/cannock_forecast_weather.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe "
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
    O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe "
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe "
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
    O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
    O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {46431044-1B22-4EF3-B333-863AAF310153} - http://download.five.tv/Download/five_3_4_0_8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169683246062
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
    O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://download.five.tv/Download/Entriq_3_4_0_10_Silent.cab
    O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 10596 bytes
     
  9. 2009/08/12
    broni

    broni Moderator Malware Analyst

    Joined:
    2002/08/01
    Messages:
    21,701
    Likes Received:
    116
    It installs along with iTunes. Some extra garbage, but nothing to worry about.

    My comment doesn't apply to any Windows, or security programs updates. Those are must have.

    How are the issues right now?

    =================================================================


    Please download JavaRa to your desktop and unzip it to its own folder
    • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
    • Accept any prompts.
    • Open JavaRa.exe again and select Search For Updates.
    • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

    Note 1: UNCHECK any pre-checked toolbar and/or software offered with the Java update. The pre-checked toolbars/software are not part of the Java update.

    Note 2: The Java Quick Starter (JQS.exe) adds a service to improve the initial startup time of Java applets and applications. If you don't want to run another extra service, go to Start > Control Panel > Java > Advanced > Miscellaneous and uncheck the box for Java Quick Starter. Click OK and restart your computer.

    ===============================================================

    Print this post out, since you won't have access to it at some point.

    1. Open HijackThis.

    2. Close all windows, except for HijackThis.

    3. Put checkmarks next to the following HijackThis entries:

    nothing malicious to remove

    4. You should also checkmark following entries (these are unnecessary startups; no actual programs will be removed):

    - O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    - O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    - O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    - O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    - O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
    - O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE



    5. Click on Fix checked button.

    6. Restart computer.

    7. Post new HijackThis log.
     
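    Helper added here by the editor, not from the thread or its participants: it parses HijackThis v2 logs in the format quoted above, reports which R/O entries disappeared or appeared between two logs (the way the "Fix checked" step is verified by posting a fresh log), and flags any "Running processes" entry whose file name matches a core Windows binary such as svchost.exe but whose path lies outside C:\WINDOWS. The sample logs are short excerpts constructed from the logs in this thread; the Temp\svchost.exe path is a constructed example of what the check is meant to catch, not something found on this machine.

```python
"""Parse HijackThis v2 logs, diff two of them, and flag processes that borrow
the name of a core Windows binary while running from somewhere else.
Sample logs below are constructed excerpts, not a complete log."""
import re
from dataclasses import dataclass

# Windows XP binaries that malware commonly impersonates by file name alone.
CORE_WINDOWS_BINARIES = {
    "svchost.exe", "spoolsv.exe", "alg.exe", "rundll32.exe", "lsass.exe",
    "services.exe", "winlogon.exe", "smss.exe", "explorer.exe", "ctfmon.exe",
}
WINDOWS_DIR = "c:\\windows\\"

# HJT entry lines look like "O4 - HKLM\..\Run: [Name] path" or "R0 - ...".
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


@dataclass(frozen=True)
class HjtLog:
    processes: tuple      # full paths from "Running processes:", in log order
    entries: frozenset    # (section, rest-of-line) pairs, order-independent


def parse_hjt(text: str) -> HjtLog:
    """Split a HijackThis log into its process list and its R/O entries."""
    processes, entries = [], set()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # a blank line ends the process list
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            processes.append(line)
            continue
        match = ENTRY_RE.match(line)
        if match:
            entries.add((match.group(1), match.group(2)))
    return HjtLog(tuple(processes), frozenset(entries))


def diff_logs(before: HjtLog, after: HjtLog):
    """Return (removed, added): entries only in the older log, only in the newer."""
    removed = sorted(before.entries - after.entries)
    added = sorted(after.entries - before.entries)
    return removed, added


def suspicious_processes(log: HjtLog):
    """Processes named like a core Windows binary but not under C:\\WINDOWS."""
    flagged = []
    for path in log.processes:
        lowered = path.lower()
        name = lowered.rsplit("\\", 1)[-1]
        if name in CORE_WINDOWS_BINARIES and not lowered.startswith(WINDOWS_DIR):
            flagged.append(path)
    return flagged


# Constructed excerpt of the log posted before the "Fix checked" step.
BEFORE_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe

O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Constructed excerpt of the log posted after the fix and the Java update.
AFTER_LOG = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jusched.exe

O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
"""

# Constructed example of a masquerading process; NOT from this thread's logs.
CONSTRUCTED_MASQUERADE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Sarah\Local Settings\Temp\svchost.exe
"""

if __name__ == "__main__":
    removed, added = diff_logs(parse_hjt(BEFORE_LOG), parse_hjt(AFTER_LOG))
    print("Removed:", *removed, sep="\n  ")
    print("Added:", *added, sep="\n  ")
    print("Suspicious:", suspicious_processes(parse_hjt(CONSTRUCTED_MASQUERADE_LOG)))
```

Legitimate svchost.exe and spoolsv.exe instances in the logs above all run from C:\WINDOWS\system32, so the name-versus-path check alone reports nothing for them; it only narrows the list an analyst still has to read by hand.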
  10. 2009/08/13
    SarahB

    SarahB Well-Known Member Thread Starter

    Joined:
    2009/08/10
    Messages:
    115
    Likes Received:
    1
    Broni,
    I have installed JRE and removed the entries from HijackThis as instructed.

    The new HijackThis log is below.

    I still have spoolsv.exe, svchost.exe, alg.exe, msfeedssync.exe accessing the Internet (or trying to) on Startup and when connecting to the Internet (which Norton is allowing).

    Norton is also still blocking Windows file sharing communication via the svchost.exe process.

    Norton also shows connection to several networks including:
    127.0.0.0/255.0.0.0
    86.9.250.241/255.255.255.255
    82.26.84.65/255.255.255.255
    82.25199.182/255.255.255.255
    The numbers seem to vary each time I connect.

    All of this could be OK of course, but I don't know (and it didn't happen before my big ERR of 26th July) and I've lost trust in my system and its security! :(


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 09:06:56, on 13/08/2009
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v8.00 (8.00.6001.18702)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\SearchIndexer.exe
    C:\Program Files\Canon\CAL\CALMAIN.exe
    C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    C:\WINDOWS\system32\nvraidservice.exe
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\Microsoft IntelliPoint\ipoint.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\Program Files\Analog Devices\Core\smax4pnp.exe
    C:\Program Files\ASUS\PC Probe II\Probe2.exe
    C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Documents and Settings\Sarah\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.metoffice.gov.uk/weather/uk/wm/cannock_forecast_weather.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\IPSBHO.DLL
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.15642\swg.dll
    O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
    O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
    O4 - HKLM\..\Run: [NVRaidService] C:\WINDOWS\system32\nvraidservice.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe "
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
    O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
    O4 - HKLM\..\Run: [Launch PC Probe II] "C:\Program Files\ASUS\PC Probe II\Probe2.exe" 1
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Adobe Photoshop Lightroom\apdproxy.exe "
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe "
    O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe "
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
    O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
    O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {46431044-1B22-4EF3-B333-863AAF310153} - http://download.five.tv/Download/five_3_4_0_8.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase1140.cab
    O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1169683246062
    O16 - DPF: {CB50428B-657F-47DF-9B32-671F82AA73F7} (Photodex Presenter AX control) - http://www.photodex.com/pxplay.cab
    O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} (MediaControl Class) - http://download.five.tv/Download/Entriq_3_4_0_10_Silent.cab
    O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\coIEPlg.dll
    O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
    O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
    O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
    O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\eEBSVC.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PifSvc.exe
    O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.5.0.135\ccSvcHst.exe
    O23 - Service: Rapport Management Service (RapportMgmtService) - Trusteer Ltd. - C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

    --
    End of file - 9937 bytes
     
  11. 2009/08/13
    SarahB Well-Known Member Thread Starter

    Broni,
    A P.S........
    Add rundll32.exe to the list of Windows\system32 files still accessing the Internet!
    Sarah
     
  12. 2009/08/13
    broni Moderator Malware Analyst

    I don't see anything strange there, so I don't think you have any reason to worry.

    Especially because.....

    Your computer is clean :)

    1. Download Temp File Cleaner (TFC)
    Double click on TFC.exe to run the program.
    Click on Start button to begin cleaning process.
    TFC will close all running programs, and it may ask you to restart computer.

    2. Turn off System Restore:

    - Windows XP:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore".
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    - Windows Vista:
    1. Click Start.
    2. Right-click the Computer icon, and then click Properties.
    3. Click on System Protection under the Tasks column on the left side
    4. Click on Continue on the "User Account Control" window that pops up
    5. Under the System Protection tab, find Available Disks
    6. Uncheck the box for any drive you wish to disable system restore on (in most cases, drive "C:")
    7. When turning off System Restore, the existing restore points will be deleted. Click "Turn System Restore Off" on the popup window to do this.
    8. Click OK

    3. Restart computer.

    4. Turn System Restore on.

    5. Make sure Windows Updates are current.

    6. If any Trojan was listed among your infection(s), make sure you change all of your on-line important passwords (bank account(s), secured web sites, etc.) immediately!

    7. Download, and install WOT (Web OF Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

    8. Run defrag at your convenience.

    9. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

    10. Please let me know how your computer is doing.
     
  13. 2009/08/15
    SarahB Well-Known Member Thread Starter

    Broni,
    Thank you so much for your help with this. I can't tell you how much I appreciate it. :D This has been a huge learning curve and an eye opener!

    A big thank you to Peter too for bringing me here to sort this out!

    I have run the Temp File Cleaner, restarted the System Restore & installed WOT as you have instructed.

    I have used the Secunia Software Inspector to update Adobe Reader & Flash.

    I read the advice at http://www.bleepingcomputer.com/forums/topic2520.html which I thought was excellent.

    I thought Norton Internet Security was the only software I needed for protection and solution of all security problems. Clearly from this experience, it is not adequate on its own.

    So I have now installed SpywareBlaster & SpywareGuard, SuperAntiSpyware, Spybot, AdAware & Malwarebytes. Is there anything else I should have or you would recommend?
    (Or is all I need now is for me not to do anything stupid again?! :eek:)

    My secondary D drive is the hard drive from my old computer kept in the system in case I needed anything from it. I think it is time (with all this extra scanning I'm going to be doing) it should be formatted and left as an empty data drive (as the operating system is on my C drive and I need nothing further from the D drive, all it does is double the time of the security scans).

    So how would I go about formatting this redundant drive and leaving it empty for purely storing data?

    Many many thanks again.
    Sarah
     
  14. 2009/08/15
    PeteC SuperGeek Staff

    Sarah

    Glad to hear you are a happier bunny now :) Broni, my thanks too - good job as always!
    You can configure the scanning software to scan specific drives only.
    Start > Run > diskmgmt.msc > Enter

    Select the D:\ drive, Right click > Format - accept the defaults and choose NTFS if C:\ is NTFS - that will be shown in Disk Management.
     
  15. 2009/08/15
    broni Moderator Malware Analyst

    Thanks Pete :)

    Sarah
    If I were you, I'd uninstall Spybot and Ad-aware. They're more or less tools of the past.
    Nothing better right now than Super and 'Bytes.
     
  16. 2009/08/16
    SarahB Well-Known Member Thread Starter

    Peter,
    Format is greyed out on the menu. The D drive has the OS of my old computer still on it although nothing is in use now. Does this mean I will have to use the Windows disk to reformat?

    Broni,
    Thank you again for your advice. I'll stick with SAS and MB as you suggest.
    Anything else I should have?
    Many thanks again.
    Sarah
     
  17. 2009/08/16
    PeteC SuperGeek Staff

    Sarah

    Please start another thread in the Hardware Forum stating the 2 OS's - current & old and whether or not you are using dual boot.

    Very few people visit this forum unless they have a malware problem - and your problem is not malware related. This will give you more exposure to 'those who know' :)
     
  18. 2009/08/16
    broni Moderator Malware Analyst

    You're well covered, Sarah :)
     
  19. 2009/08/16
    SarahB Well-Known Member Thread Starter

    Many thanks again Broni.
    S
     
  20. 2009/08/16
    broni Moderator Malware Analyst

    Sure thing :)
     
  21. 2009/08/19
    SarahB Well-Known Member Thread Starter

    Is there any legitimate reason why explorer.exe should be accessing the Internet? (I'm now paranoid about security!)
    Sarah
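    The question running through this thread (which Windows\system32 programs hold Internet connections, and whether each one is the genuine binary rather than a copy running from somewhere else) can be checked directly rather than by eyeballing a firewall popup. The following is an added example, not code from this thread or from any of the tools discussed in it; it assumes Windows 8 or later with PowerShell 5, where Get-NetTCPConnection exists (it does not on the XP system in this thread), and the process names it treats as system-only are the ones the thread mentions.

```powershell
# Added example (not from this thread): list processes holding established TCP
# connections and check whether each image is the genuine binary at its expected
# Windows location with a valid Authenticode signature. Assumes Windows 8+ with
# PowerShell 5 (Get-NetTCPConnection). Run elevated so the image path of
# SYSTEM-owned processes such as svchost.exe can be read.

$systemDirs = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", $env:SystemRoot)
# Names that legitimately live only in the directories above; a process with one
# of these names running from anywhere else is the masquerading case to look for.
$systemNames = @('svchost', 'rundll32', 'spoolsv', 'explorer', 'alg')

function Get-ConnectedProcessReport {
    # Loopback connections are skipped; only remote endpoints are of interest here.
    Get-NetTCPConnection -State Established |
        Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$)' } |
        ForEach-Object {
            $conn = $_
            $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
            $path = if ($proc) { $proc.Path } else { $null }
            $name = if ($proc) { $proc.ProcessName } else { $null }
            $inSystemDir = $false
            $sigStatus = 'Unknown'   # stays Unknown when the path cannot be read (not elevated)
            if ($path) {
                $inSystemDir = $systemDirs -contains (Split-Path $path -Parent)
                # Catalog-signed OS files report Valid on Windows 8+; older hosts may say NotSigned.
                $sigStatus = (Get-AuthenticodeSignature -FilePath $path).Status.ToString()
            }
            $suspicious = $false
            if ($path) {
                $suspicious = (($systemNames -contains $name) -and -not $inSystemDir) -or
                              ($sigStatus -ne 'Valid')
            }
            [PSCustomObject]@{
                Process     = if ($name) { $name } else { "pid $($conn.OwningProcess)" }
                Pid         = $conn.OwningProcess
                Path        = $path
                Remote      = "$($conn.RemoteAddress):$($conn.RemotePort)"
                InSystemDir = $inSystemDir
                Signature   = $sigStatus
                Suspicious  = $suspicious
            }
        }
}

# Suspicious rows first; a legitimate svchost.exe shows a System32 path and Valid.
Get-ConnectedProcessReport | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

    A row with a system name, a path outside the Windows directories, or a signature other than Valid is the one to investigate; a genuine svchost.exe or explorer.exe with network activity is normal on its own.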
     
