Solved New problem - Browsers closing/redirects to spam

Discussion in 'Malware and Virus Removal Archive' started by thierry1, 2009/03/25.

  1. 2009/03/29 - thierry1 (Inactive, Thread Starter)
    Hi Juliet - the VA install worked.

    I continued following your instructions so:

    1/ Dial-a-fix is complete
    2/ Hostsexpert is complete
    3/ I've just completed the Rootkit scanner - the log is below

    thanks

    Rootkit

    GMER 1.0.15.14966 - http://www.gmer.net
    Rootkit scan 2009-03-29 17:49:14
    Windows 5.1.2600 Service Pack 3


    ---- System - GMER 1.0.15 ----

    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwClose [0xF84CC818]
    SSDT 8237A380 ZwConnectPort
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreateKey [0xF84CC7D0]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xF84C0A20]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xF84C12A8]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xF84CC910]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwOpenKey [0xF84CC794]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xF84C12C8]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xF84CC866]
    SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xF84CC0B0]

    ---- Devices - GMER 1.0.15 ----

    Device \FileSystem\Ntfs \Ntfs 82F2C230

    AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \Driver\Cdrom \Device\CdRom0 82D6B378
    Device \FileSystem\Rdbss \Device\FsWrap 82274578
    Device \Driver\Cdrom \Device\CdRom1 82D6B378
    Device \Driver\atapi \Device\Ide\IdePort0 82D6B480
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 82D6B480
    Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 82D6B480
    Device \FileSystem\Srv \Device\LanmanServer FF301B20

    AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
    AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

    Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82273758
    Device \FileSystem\MRxSmb \Device\LanmanRedirector 82273758
    Device \FileSystem\Npfs \Device\NamedPipe 82DD1938
    Device \FileSystem\Msfs \Device\Mailslot 82D4AD48
    Device \Driver\d347prt \Device\Scsi\d347prt1Port1Path0Target0Lun0 82D6B1B8
    Device \Driver\d347prt \Device\Scsi\d347prt1 82D6B1B8
    Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 82426EA8
    Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 82426EA8
    Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 82426EA8
    Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 82426EA8
    Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 82426EA8
    Device \FileSystem\Cdfs \Cdfs 822CC2C0

    ---- Modules - GMER 1.0.15 ----

    Module _________ F842B000-F8443000 (98304 bytes)

    ---- Registry - GMER 1.0.15 ----

    Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
    Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1

    ---- EOF - GMER 1.0.15 ----
     
  2. 2009/03/29 - Juliet (Well-Known Member)
    Please try to use the instructions for worksnow again, since we have reset a few things.
    Disable Norton and Windows Defender so the programs won't interfere.
     
    Last edited: 2009/03/29

  4. 2009/03/29 - thierry1 (Inactive, Thread Starter)
    Hi Juliet, I think there has been a positive change.

    I've surfed around various websites and pages from search results and the pages are no longer going to spam sites :)

    CPU performance has also decreased, and things, fingers crossed, seem to be back to normal.

    Do you still need me to try worksnow?
     
  5. 2009/03/29 - Juliet (Well-Known Member)
    So far I got fingers and toes crossed!!
    Yes, please run worksnow and post the log.
     
  6. 2009/03/29 - thierry1 (Inactive, Thread Starter)
    Hi Juliet, the worksnow script is complete, the log is below. I don't really understand it, so I will let you interpret it.

    Worksnow

    ComboFix 09-03-29.02 - user user 2009-03-29 22:22:50.1 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.54 [GMT 1:00]
    Running from: c:\documents and settings\user user\Desktop\worksnow.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\cache329
    c:\windows\system32\cache329\B_329_0_0_105300.htm
    c:\windows\system32\cache329\B_329_0_0_106800.htm
    c:\windows\system32\cache329\B_329_0_0_107400.htm
    c:\windows\system32\cache329\B_329_1_0_449200.gif
    c:\windows\system32\cache329\B_329_1_0_449200.htm
    c:\windows\system32\cache329\B_329_1_0_449600.gif
    c:\windows\system32\cache329\B_329_1_0_449600.htm
    c:\windows\system32\cache329\B_329_1_0_454300.gif
    c:\windows\system32\cache329\B_329_1_0_454300.htm
    c:\windows\system32\cache329\B_329_2_0_105300.htm
    c:\windows\system32\cache329\B_329_2_0_106800.htm
    c:\windows\system32\cache329\B_329_2_0_107400.htm
    c:\windows\system32\cache329\B_329_3_0_105300.htm
    c:\windows\system32\cache329\B_329_3_0_106800.htm
    c:\windows\system32\cache329\B_329_3_0_107400.htm
    c:\windows\system32\cache329\B_329_4_0_111600.htm
    c:\windows\system32\cache329\B_329_4_0_152400.htm
    c:\windows\system32\cache329\B_329_4_0_155300.htm
    c:\windows\system32\cache329\B_329_4_0_164100.htm
    c:\windows\system32\cache329\t_B_329_0_0_105300.htm
    c:\windows\system32\cache329\t_B_329_0_0_106800.htm
    c:\windows\system32\cache329\t_B_329_0_0_107400.htm
    c:\windows\system32\cache329\t_B_329_1_0_449200.htm
    c:\windows\system32\cache329\t_B_329_1_0_449600.htm
    c:\windows\system32\cache329\t_B_329_1_0_454300.htm
    c:\windows\system32\cache329\t_B_329_2_0_105300.htm
    c:\windows\system32\cache329\t_B_329_2_0_106800.htm
    c:\windows\system32\cache329\t_B_329_2_0_107400.htm
    c:\windows\system32\cache329\t_B_329_3_0_105300.htm
    c:\windows\system32\cache329\t_B_329_3_0_106800.htm
    c:\windows\system32\cache329\t_B_329_3_0_107400.htm
    c:\windows\system32\cache329\t_B_329_4_0_111600.htm
    c:\windows\system32\cache329\t_B_329_4_0_152400.htm
    c:\windows\system32\cache329\t_B_329_4_0_155300.htm
    c:\windows\system32\cache329\t_B_329_4_0_164100.htm
    c:\windows\system32\tmp.reg
    c:\windows\system32\w32apiw.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-29 )))))))))))))))))))))))))))))))
    .

    2009-03-29 16:47 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
    2009-03-29 16:47 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
    2009-03-29 16:47 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
    2009-03-29 15:41 . 2009-03-29 15:41 353,485 --a------ C:\HostsXpert.zip
    2009-03-29 14:10 . 2009-03-29 14:09 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-03-29 14:10 . 2009-03-29 14:09 73,728 --a------ c:\windows\system32\javacpl.cpl
    2009-03-27 21:49 . 2009-03-27 22:04 <DIR> d-------- c:\documents and settings\user user\DoctorWeb
    2009-03-27 00:53 . 2009-03-27 00:53 <DIR> d-------- c:\program files\Windows Defender
    2009-03-26 21:43 . 2009-03-26 21:43 <DIR> d-------- C:\_OTMoveIt
    2009-03-26 15:57 . 2009-03-26 16:07 62,729,728 --a------ C:\avg_free_stf_en_85_283a1450.exe
    2009-03-25 16:54 . 2009-03-27 15:22 <DIR> d-------- c:\documents and settings\user user\Tracing
    2009-03-25 16:49 . 2009-03-25 16:49 <DIR> d-------- c:\program files\Common Files\Windows Live
    2009-03-25 13:43 . 2009-03-29 13:48 <DIR> d-------- C:\MGtools
    2009-03-25 13:41 . 2009-03-25 13:41 1,339,834 --a------ C:\MGtools.exe
    2009-03-25 11:18 . 2009-03-25 11:18 126,976 --a------ C:\zip.exe
    2009-03-25 09:31 . 2009-03-25 09:31 <DIR> d-------- C:\VundoFix Backups
    2009-03-24 16:37 . 2009-03-26 21:21 <DIR> d-------- c:\program files\Avast4
    2009-03-24 16:08 . 2009-03-24 16:08 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2009-03-24 15:47 . 2009-03-24 15:47 <DIR> d-------- c:\documents and settings\user user\Application Data\Malwarebytes
    2009-03-24 15:47 . 2009-03-24 15:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-24 15:47 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-24 15:47 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-24 15:46 . 2009-03-24 15:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-03-15 17:30 . 2009-03-15 17:30 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
    2009-03-15 17:30 . 2009-03-15 17:30 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
    2009-03-15 17:30 . 2009-03-15 17:30 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2009-03-15 17:30 . 2009-03-15 17:30 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-29 14:42 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-03-29 14:30 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-29 13:09 --------- d-----w c:\program files\Java
    2009-03-26 20:39 --------- d-----w c:\program files\backups
    2009-03-26 11:33 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-03-25 18:23 --------- d-----w c:\program files\Lx_cats
    2009-03-25 11:25 15,063 ----a-w c:\program files\hijackthis.log
    2009-03-25 10:04 --------- d-----w c:\program files\MSN Messenger
    2009-03-25 08:20 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-03-24 15:09 --------- d-----w c:\program files\SUPERAntiSpyware
    2009-03-24 15:09 --------- d-----w c:\documents and settings\user user\Application Data\SUPERAntiSpyware.com
    2009-03-24 12:37 --------- d-----w c:\program files\RogueRemover FREE
    2009-02-26 22:00 --------- d-----w c:\documents and settings\user user\Application Data\FileZilla
    2008-12-21 14:21 7,590,400 ----a-w c:\program files\ica32web.msi
    2008-12-12 19:29 186 ----a-w c:\documents and settings\user user\Application Data\wklnhst.dat
    2008-06-15 12:27 59,839,784 ----a-w c:\program files\iTunesSetup.exe
    2008-04-10 21:17 1,495,112 ----a-w c:\program files\install_flash_player.exe
    2007-07-22 15:59 41,384 ----a-w c:\program files\basiccms.zip
    2007-07-22 15:43 22,312,757 ----a-w c:\program files\wamp5_1.7.2.exe
    2007-07-21 17:38 1,126 ----a-w c:\documents and settings\user user\Application Data\filterclsid.dat
    2007-01-01 15:28 4,308,596 ----a-w c:\program files\BitTornado-0.3.17-w32install.exe
    2006-12-29 16:19 899,414 ----a-w c:\program files\DVDDecrypter_3.5.4.0.exe
    2006-12-28 20:01 734,160 ----a-w c:\program files\VobSub_2.23.exe
    2006-12-20 20:59 9,918,872 ----a-w c:\program files\WMEncoder.exe
    2006-12-20 20:52 878,896 ----a-w c:\program files\WGAPluginInstall.exe
    2006-12-20 15:13 4,865,728 ----a-w c:\program files\rminstall.exe
    2006-12-19 13:14 1,035,271 ----a-w c:\program files\wrar362.exe
    2006-12-02 14:16 1,480,862 ----a-w c:\program files\aresregular196_installer.exe
    2006-12-02 14:15 1,480,862 ----a-w c:\program files\Ares.exe
    2005-02-16 11:06 218,112 ----a-w c:\program files\HijackThis.exe
    2005-05-13 17:12 217,073 --sha-r c:\windows\meta4.exe
    2005-07-14 12:31 27,648 --sha-r c:\windows\system32\AVSredirect.dll
    2005-06-26 15:32 616,448 --sha-r c:\windows\system32\cygwin1.dll
    2005-06-21 22:37 45,568 --sha-r c:\windows\system32\cygz.dll
    2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
    2004-01-25 00:00 70,656 --sha-r c:\windows\system32\i420vfw.dll
    2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
    2005-02-28 13:16 240,128 --sha-r c:\windows\system32\x.264.exe
    2004-01-25 00:00 70,656 --sha-r c:\windows\system32\yv12vfw.dll
    2008-12-24 12:01 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008122420081225\index.dat
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
    "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]
    "SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-05-15 184320]
    "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
    "VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-08 49768]
    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-03-03 483328]
    "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2007-10-18 100056]
    "SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-06-03 81920]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "NvCplDaemon"="c:\windows\system32\nvcpl.dll" [2005-06-09 6746112]
    "LXCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-07-20 73728]
    "FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 148888]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 c:\windows\system32\ico.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 13:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.I420"= i420vfw.dll
    "VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll
    "aux2"= c:\windows\system32\..\siodk.xnb

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    "FirewallDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Sports Interactive\\Football Manager 2009 Demo\\fm.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [2004-07-06 45627]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
    R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
    R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
    R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
    S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e8f7237-7fcc-11dc-a66c-0013ce72c456}]
    \Shell\AutoRun\command - H:\InstallTomTomHOME.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0e991fc-b53d-11dc-a6cc-0013ce72c456}]
    \Shell\AutoRun\command - H:\InstallTomTomHOME.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-29 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]

    2009-03-27 c:\windows\Tasks\Norton AntiVirus - Scan my computer - user user.job
    - c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-10-07 14:47]

    2009-03-24 c:\windows\Tasks\Pareto UNS.job
    - c:\program files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe []

    2009-03-29 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 12:24]
    .
    - - - - ORPHANS REMOVED - - - -

    HKCU-Run-MSMSGS - files\messenger\msmsgs.exe
    HKCU-Run-TomTomHOME.exe - files\tomtom home 2\homerunner.exe
    HKLM-Run-PDService.exe - files\utimaco\safeguard privatedisk\pdservice.exe
    HKLM-Run-lxccmon.exe - files\lexmark 3300 series\lxccmon.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    Trusted Zone: sony-europe.com
    Trusted Zone: sonystyle-europe.com
    Trusted Zone: vaio-link.com
    FF - ProfilePath - c:\documents and settings\user user\Application Data\Mozilla\Firefox\Profiles\9h1aav5x.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-29 23:04:59
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...


    c:\windows\TEMP\TMP00000042BA930B3E15434917 524288 bytes executable

    scan completed successfully
    hidden files: 1

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Adobe\Premiere Std\7.0\DefaultPreset]
    @DACL=(02 0000)
    @SACL=
    @="c:\\Program Files\\Adobe\\Premiere Standard\\Settings\\DV - NTSC\\Standard 48kHz.prpreset"

    [HKEY_LOCAL_MACHINE\software\Adobe\Premiere Std\7.0\Help]
    @DACL=(02 0000)
    @SACL=
    "AdobeMediaEncoder"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_0_0_0.html"
    "Contents"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_0_0_0.html"
    "ExportToDVD"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_13_2_0.html"
    "HowToUse"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\0_0_0_0.html"
    "Keyboard"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_4_15_0.html"
    "Search"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\search.html"
    "Support"="http://www.adobe.com/support/products/premiere.html"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(904)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\program files\Intel\Wireless\Bin\EvtEng.exe
    c:\program files\Intel\Wireless\Bin\S24EvMon.exe
    c:\program files\Common Files\Symantec Shared\CCPROXY.EXE
    c:\program files\Common Files\Symantec Shared\CCSETMGR.EXE
    c:\program files\Norton Internet Security\ISSVC.exe
    c:\program files\Common Files\Symantec Shared\SNDSrvc.exe
    c:\program files\Common Files\Symantec Shared\CCEVTMGR.EXE
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe
    c:\program files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
    c:\windows\system32\nvsvc32.exe
    c:\program files\Intel\Wireless\Bin\RegSrvc.exe
    c:\program files\Sony\VAIO Event Service\VESMgr.exe
    c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
    c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
    c:\program files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
    c:\program files\Common Files\Symantec Shared\Security Center\symwsc.exe
    c:\program files\Apoint\ApntEx.exe
    c:\program files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
    c:\ipod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-03-29 23:12:01 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-03-29 22:11:56

    Pre-Run: 11,959,656,448 bytes free
    Post-Run: 11,842,834,432 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT= "Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS= "Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

    290 --- E O F --- 2009-03-29 16:09:31
     
  7. 2009/03/29 - Juliet (Well-Known Member)
    Good deal!!

    We'll see if we're on a roll.

    Print this topic or save to notepad, it will make it easier for you to follow the instructions and complete all of the necessary steps as we will need to close all windows that are open later in the fix.

    Go to My Computer->Tools->Folder Options->View tab:
    • Under the Hidden files and folders heading:
    • Select - Show hidden files and folders.
    • Uncheck - Hide protected operating system files (recommended) option.
    • Also, make sure there is no checkmark beside Hide file extensions for known file types.
    • Click OK. (Remember to Hide files and folders once done)

    I want you to go to Search, search all files and folders.
    Type (or copy and paste) in the open tab:
    siodk.xnb  <-- delete!! Do not reboot till the next scan runs.

    Next: Please disable all onboard security programs (all running with back ground protection) as it may hinder the scanner from working.
    This includes Antivirus, Firewall, and any Spyware scanners that run in the background.

    Click on this link Here to see a list of programs that should be disabled.
    The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

    Please open Notepad (Start -> Run -> type notepad in the Open field -> OK). *Do Not Use Wordpad* or any other text editor other than Notepad, or the script will fail. Copy and paste the text present inside the CODE box below:
    Save this as "CFScript.txt", including the quotes, change the "Save as type" to "All Files", and place it on your desktop.
    Code:
    File::
    c:\windows\system32\yv12vfw.dll
    c:\windows\meta4.exe
    c:\windows\system32\x.264.exe
    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "aux2"=""

    Referring to the screenshot above, drag CFScript.txt into ComboFix.exe. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

    Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

    CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    NEXT**
    Please download Malwarebytes' Anti-Malware to your desktop

    Additional Link

    * Double-click mbam-setup.exe and follow the prompts to install the program.
    * Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    * If an update is found, it will download and install the latest version.
    * Once the program has loaded, select Perform quick scan, then click Scan.
    * When the scan is complete, click OK, then Show Results to view the results.
    * Be sure that everything is checked, and click Remove Selected.
    * When completed, a log will open in Notepad. Please save it to a convenient location.
    * You can also access the log by doing the following:

    o Click on the Malwarebytes' Anti-Malware icon to launch the program.
    o Click on the Logs tab.
    o Click on the log at the bottom of those listed to highlight it.
    o Click Open.

    Tutorial if needed
    http://thespykiller.co.uk/index.php/topic,5946.0.html

    Extra Note:
    If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

    Let's see if we can get an online scan now.

    • Download the latest version of Java Runtime Environment (JRE)
    • Second install down listed on the page

      *** Be sure that when you update Java, you uncheck any toolbars for OpenOffice.org if you don't want those added to your computer. ***

      Click on the Accept License Agreement button. Next, select your Platform and check the box that says: "I agree to the Java SE Runtime Environment License Agreement."
      Download Now! Windows Offline Installation, Multi-language

      Now close all windows, including your browser.
      Double click on the Java installation that you downloaded and follow the prompts.

      NEXT - remove all older versions of Java. Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
      Search in the list for all previously installed versions of Java (J2SE Runtime Environment...). Select it and click Remove.
    • Close any programs you may have running - especially your web browser.
    • Repeat as many times as necessary to remove each older Java version.

    Please download ATF Cleaner by Atribune From Here and save it to your Desktop.
    Follow the instructions for the browser you use.
    Read the instructions about the cookies. Delete what you do not need.

    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:
    Windows Temp
    Current User Temp
    All Users Temp
    Temporary Internet Files
    Java Cache

    The rest are optional - if you want to remove the lot, check "Select All".
    Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
    If you use the Firefox or Opera browsers, you can use this program
    as a quick way to tidy those up as well.
    When you have finished, click on the Exit button in the Main menu.
    ========================

    NEXT**
    I'd like for you to run this next online scan to check for remnants or anything that might be hidden.
    The below scan can take up to an hour or longer, please be patient.

    *Note
    It is recommended to disable onboard antivirus and antispyware programs while performing scans, to avoid conflicts and to speed up scan time.
    Please don't go surfing while your resident protection is disabled!
    Once the scan is finished, remember to re-enable resident antivirus protection along with whatever antispyware app you use.


    Using Internet Explorer, visit http://www.kaspersky.com/service?chapter=161739400

    Other available links
    Kaspersky Online Scanner or from here
    http://www.kaspersky.com/virusscanner

    Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

    Click on the Accept button and install any components it needs.

    • The program will install and then begin downloading the latest definition files.
    • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
    • This will start the program and scan your system.
    • The scan will take a while, so be patient and let it run. (At times it may appear to stall)
      * Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
      * Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
      * Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
    • Once the scan is complete, click on View scan report. To obtain the report:
    Click on: Save Report As
    Next, in the Save as prompt, Save in area, select: Desktop
    In the File name area, use KScan, or something similar.
    In Save as type, click the drop arrow and select: Text file [*.txt]
    Then, click: Save
    Please post the Kaspersky Online Scanner Report in your reply.

    Animated tutorial
    http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif

    (Note for Internet Explorer 7 users:
    If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.)
    Or use Firefox with IE-Tab plugin
    https://addons.mozilla.org/en-US/firefox/addon/1419





    In your next reply post:
    ComboFix.txt
    MBAM log
    Kaspersky log



    You may need several replies to post the requested logs, otherwise they might get cut off.
     
  8. 2009/03/31
    thierry1

    thierry1 Inactive Thread Starter

    Joined:
    2009/03/25
    Messages:
    40
    Likes Received:
    0
    Hi Juliet, sorry for the late reply.

    I have done as requested, but encountered problems with Kaspersky - I've run a scan a few times but it keeps freezing at random points. It's showing threats detected though.

    Combofix

    ComboFix 09-03-29.04 - user user 2009-03-30 22:08:26.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.83 [GMT 1:00]
    Running from: c:\documents and settings\user user\Desktop\worksnow.exe
    Command switches used :: c:\documents and settings\user user\Desktop\CFScript.txt
    AV: Norton Internet Security *On-access scanning disabled* (Outdated)
    FW: Norton Internet Security *disabled*
    * Created a new restore point

    FILE ::
    c:\windows\meta4.exe
    c:\windows\system32\x.264.exe
    c:\windows\system32\yv12vfw.dll
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\meta4.exe
    c:\windows\system32\w32apiw.dll
    c:\windows\system32\x.264.exe
    c:\windows\system32\yv12vfw.dll

    .
    ((((((((((((((((((((((((( Files Created from 2009-02-28 to 2009-03-30 )))))))))))))))))))))))))))))))
    .

    2009-03-30 00:00 . 2009-03-30 00:00 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
    2009-03-29 16:47 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
    2009-03-29 16:47 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
    2009-03-29 16:47 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
    2009-03-29 15:41 . 2009-03-29 15:41 353,485 --a------ C:\HostsXpert.zip
    2009-03-29 14:10 . 2009-03-29 14:09 410,984 --a------ c:\windows\system32\deploytk.dll
    2009-03-29 14:10 . 2009-03-29 14:09 73,728 --a------ c:\windows\system32\javacpl.cpl
    2009-03-27 21:49 . 2009-03-27 22:04 <DIR> d-------- c:\documents and settings\user user\DoctorWeb
    2009-03-27 00:53 . 2009-03-27 00:53 <DIR> d-------- c:\program files\Windows Defender
    2009-03-26 21:43 . 2009-03-26 21:43 <DIR> d-------- C:\_OTMoveIt
    2009-03-26 15:57 . 2009-03-26 16:07 62,729,728 --a------ C:\avg_free_stf_en_85_283a1450.exe
    2009-03-25 16:54 . 2009-03-27 15:22 <DIR> d-------- c:\documents and settings\user user\Tracing
    2009-03-25 16:49 . 2009-03-25 16:49 <DIR> d-------- c:\program files\Common Files\Windows Live
    2009-03-25 13:43 . 2009-03-29 13:48 <DIR> d-------- C:\MGtools
    2009-03-25 13:41 . 2009-03-25 13:41 1,339,834 --a------ C:\MGtools.exe
    2009-03-25 11:18 . 2009-03-25 11:18 126,976 --a------ C:\zip.exe
    2009-03-25 09:31 . 2009-03-25 09:31 <DIR> d-------- C:\VundoFix Backups
    2009-03-24 16:37 . 2009-03-26 21:21 <DIR> d-------- c:\program files\Avast4
    2009-03-24 16:08 . 2009-03-24 16:08 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
    2009-03-24 15:47 . 2009-03-24 15:47 <DIR> d-------- c:\documents and settings\user user\Application Data\Malwarebytes
    2009-03-24 15:47 . 2009-03-24 15:47 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
    2009-03-24 15:47 . 2009-02-11 11:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
    2009-03-24 15:47 . 2009-02-11 11:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
    2009-03-24 15:46 . 2009-03-24 15:47 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
    2009-03-15 17:30 . 2009-03-15 17:30 <DIR> d-------- c:\program files\TeaTimer (Spybot - Search & Destroy)
    2009-03-15 17:30 . 2009-03-15 17:30 <DIR> d-------- c:\program files\SDHelper (Spybot - Search & Destroy)
    2009-03-15 17:30 . 2009-03-15 17:30 <DIR> d-------- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
    2009-03-15 17:30 . 2009-03-15 17:30 <DIR> d-------- c:\program files\File Scanner Library (Spybot - Search & Destroy)

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-03-30 11:50 --------- d-----w c:\program files\Lx_cats
    2009-03-29 14:42 --------- d-----w c:\program files\Common Files\Symantec Shared
    2009-03-29 14:30 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2009-03-29 13:09 --------- d-----w c:\program files\Java
    2009-03-26 20:39 --------- d-----w c:\program files\backups
    2009-03-26 11:33 --------- d-----w c:\program files\Spybot - Search & Destroy
    2009-03-25 11:25 15,063 ----a-w c:\program files\hijackthis.log
    2009-03-25 10:04 --------- d-----w c:\program files\MSN Messenger
    2009-03-25 08:20 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
    2009-03-24 15:09 --------- d-----w c:\program files\SUPERAntiSpyware
    2009-03-24 15:09 --------- d-----w c:\documents and settings\user user\Application Data\SUPERAntiSpyware.com
    2009-03-24 12:37 --------- d-----w c:\program files\RogueRemover FREE
    2009-02-26 22:00 --------- d-----w c:\documents and settings\user user\Application Data\FileZilla
    2009-02-09 11:13 1,846,784 ----a-w c:\windows\system32\win32k.sys
    2008-12-21 14:21 7,590,400 ----a-w c:\program files\ica32web.msi
    2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll
    2008-12-12 19:29 186 ----a-w c:\documents and settings\user user\Application Data\wklnhst.dat
    2008-12-05 06:54 144,896 ----a-w c:\windows\system32\schannel.dll
    2008-06-15 12:27 59,839,784 ----a-w c:\program files\iTunesSetup.exe
    2008-04-10 21:17 1,495,112 ----a-w c:\program files\install_flash_player.exe
    2007-07-22 15:59 41,384 ----a-w c:\program files\basiccms.zip
    2007-07-22 15:43 22,312,757 ----a-w c:\program files\wamp5_1.7.2.exe
    2007-07-21 17:38 1,126 ----a-w c:\documents and settings\user user\Application Data\filterclsid.dat
    2007-01-01 15:28 4,308,596 ----a-w c:\program files\BitTornado-0.3.17-w32install.exe
    2006-12-29 16:19 899,414 ----a-w c:\program files\DVDDecrypter_3.5.4.0.exe
    2006-12-28 20:01 734,160 ----a-w c:\program files\VobSub_2.23.exe
    2006-12-20 20:59 9,918,872 ----a-w c:\program files\WMEncoder.exe
    2006-12-20 20:52 878,896 ----a-w c:\program files\WGAPluginInstall.exe
    2006-12-20 15:13 4,865,728 ----a-w c:\program files\rminstall.exe
    2006-12-19 13:14 1,035,271 ----a-w c:\program files\wrar362.exe
    2006-12-02 14:16 1,480,862 ----a-w c:\program files\aresregular196_installer.exe
    2006-12-02 14:15 1,480,862 ----a-w c:\program files\Ares.exe
    2005-02-16 11:06 218,112 ----a-w c:\program files\HijackThis.exe
    2005-07-14 12:31 27,648 --sha-r c:\windows\system32\AVSredirect.dll
    2005-06-26 15:32 616,448 --sha-r c:\windows\system32\cygwin1.dll
    2005-06-21 22:37 45,568 --sha-r c:\windows\system32\cygz.dll
    2006-05-03 09:06 163,328 --sh--r c:\windows\system32\flvDX.dll
    2004-01-25 00:00 70,656 --sha-r c:\windows\system32\i420vfw.dll
    2007-02-21 10:47 31,232 --sh--r c:\windows\system32\msfDX.dll
    2008-12-24 12:01 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008122420081225\index.dat
    .

    ((((((((((((((((((((((((((((( SnapShot@2009-03-29_23.09.15.15 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2006-10-26 20:12:56 396,592 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\MOC.EXE
    + 2007-05-08 11:10:18 16,874,376 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\MSO.DLL
    + 2007-03-21 18:56:50 8,425,856 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\OARTCONV.DLL
    + 2006-10-27 15:18:34 1,658,152 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\OGL.DLL
    + 2007-05-10 09:04:28 846,248 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\OICE.EXE
    + 2007-05-10 10:11:42 1,767,256 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\PPCNV.DLL
    + 2007-03-21 19:00:06 72,096 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\PXBCOM.EXE
    + 2007-03-21 18:58:40 4,145,520 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\WRD12CNV.DLL
    + 2007-03-21 18:58:46 24,416 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\WRD12EXE.EXE
    + 2007-05-10 10:25:40 14,677,368 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6021\XL12CNV.EXE
    + 2007-09-14 20:45:58 16,901,168 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\MSO.DLL
    + 2007-08-28 23:19:24 1,654,648 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\OGL.DLL
    + 2007-08-24 04:00:34 1,767,768 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\PPCNV.DLL
    + 2007-08-24 04:00:48 72,096 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\PXBCOM.EXE
    + 2007-10-02 19:00:06 14,708,760 ----a-r c:\windows\Installer\$PatchCache$\Managed\00002109020090400000000000F01FEC\12.0.6215\XL12CNV.EXE
    + 2003-07-07 13:36:00 2,058,343 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DAT
    + 2003-07-08 11:48:00 115,288 ----a-r c:\windows\Installer\$PatchCache$\Managed\9040110900063D11C8EF10054038389C\11.0.5614\OUTLFLTR.DLL
    - 2005-11-21 19:09:52 593,920 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
    + 2009-03-29 23:01:19 593,920 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\accicons.exe
    - 2005-11-21 19:09:52 12,288 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    + 2009-03-29 23:01:19 12,288 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
    - 2005-11-21 19:09:52 86,016 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
    + 2009-03-29 23:01:19 86,016 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\inficon.exe
    - 2005-11-21 19:09:52 135,168 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
    + 2009-03-29 23:01:19 135,168 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\misc.exe
    - 2005-11-21 19:09:52 11,264 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    + 2009-03-29 23:01:20 11,264 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
    - 2005-11-21 19:09:52 27,136 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    + 2009-03-29 23:01:20 27,136 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
    - 2005-11-21 19:09:52 4,096 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    + 2009-03-29 23:01:20 4,096 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
    - 2005-11-21 19:09:52 794,624 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    + 2009-03-29 23:01:20 794,624 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\outicon.exe
    - 2005-11-21 19:09:52 249,856 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    + 2009-03-29 23:01:19 249,856 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pptico.exe
    - 2005-11-21 19:09:52 61,440 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    + 2009-03-29 23:01:19 61,440 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\pubs.exe
    - 2005-11-21 19:09:52 23,040 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    + 2009-03-29 23:01:20 23,040 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
    - 2005-11-21 19:09:52 286,720 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    + 2009-03-29 23:01:19 286,720 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
    - 2005-11-21 19:09:52 409,600 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    + 2009-03-29 23:01:19 409,600 ----a-r c:\windows\Installer\{90110409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
    - 2007-12-16 00:33:05 38,240 ----a-r c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
    + 2009-03-29 23:01:34 38,240 ----a-r c:\windows\Installer\{90120000-0020-0409-0000-0000000FF1CE}\O12ConvIcon.exe
    + 2009-03-30 20:31:22 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_2d8.dat
    + 2009-03-30 20:31:26 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_728.dat
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "UserFaultCheck"="c:\windows\system32\dumprep 0 -u" [X]
    "Apoint"="c:\program files\Apoint\Apoint.exe" [2003-11-07 114688]
    "AzMixerSel"="c:\program files\Realtek\InstallShield\AzMixerSel.exe" [2005-04-29 45056]
    "SonyPowerCfg"="c:\program files\Sony\VAIO Power Management\SPMgr.exe" [2005-05-15 184320]
    "ISBMgr.exe"="c:\program files\Sony\ISB Utility\ISBMgr.exe" [2004-02-20 32768]
    "VAIO Update 2"="c:\program files\Sony\VAIO Update 2\VAIOUpdt.exe" [2005-01-14 151552]
    "ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2007-01-08 49768]
    "Acrobat Assistant 7.0"="c:\program files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2005-03-03 483328]
    "Symantec NetDriver Monitor"="c:\progra~1\SYMNET~1\SNDMon.exe" [2007-10-18 100056]
    "SsAAD.exe"="c:\progra~1\Sony\SONICS~1\SsAAD.exe" [2005-06-03 81920]
    "NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
    "NvCplDaemon"="c:\windows\system32\nvcpl.dll" [2005-06-09 6746112]
    "LXCCCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll" [2005-07-20 73728]
    "FaxCenterServer"="c:\program files\Lexmark Fax Solutions\fm3032.exe" [2005-07-12 299008]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-06-02 267048]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-29 148888]
    "Mouse Suite 98 Daemon"="ICO.EXE" [2002-03-14 c:\windows\system32\ico.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2008-12-22 13:05 356352 c:\program files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.I420"= i420vfw.dll
    "VIDC.dvsd"= c:\progra~1\COMMON~1\SONYSH~1\VideoLib\sonydv.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\Sports Interactive\\Football Manager 2009 Demo\\fm.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    R1 PrivateDisk;PrivateDisk;c:\windows\system32\drivers\privatediskm.sys [2004-07-06 45627]
    R1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\sasdifsv.sys [2009-03-23 9968]
    R1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2009-03-23 72944]
    R2 AdobeActiveFileMonitor;Adobe Active File Monitor;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsFileAgent.exe [2004-10-04 98304]
    R2 MSSQL$VAIO_VEDB;MSSQL$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlservr.exe -sVAIO_VEDB [?]
    R2 PhotoshopElementsDeviceConnect;Photoshop Elements Device Connect;c:\program files\Adobe\Photoshop Elements 3.0\PhotoshopElementsDeviceConnect.exe [2004-10-04 118784]
    R2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-03 13592]
    S3 SASENUM;SASENUM;c:\program files\SUPERAntiSpyware\SASENUM.SYS [2009-03-23 7408]
    S3 SQLAgent$VAIO_VEDB;SQLAgent$VAIO_VEDB;c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB --> c:\program files\Microsoft SQL Server\MSSQL$VAIO_VEDB\Binn\sqlagent.EXE -i VAIO_VEDB [?]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8e8f7237-7fcc-11dc-a66c-0013ce72c456}]
    \Shell\AutoRun\command - H:\InstallTomTomHOME.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c0e991fc-b53d-11dc-a6cc-0013ce72c456}]
    \Shell\AutoRun\command - H:\InstallTomTomHOME.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-03-30 c:\windows\Tasks\MP Scheduled Scan.job
    - c:\program files\Windows Defender\MpCmdRun.exe [2006-11-03 20:20]

    2009-03-27 c:\windows\Tasks\Norton AntiVirus - Scan my computer - user user.job
    - c:\progra~1\NORTON~1\NORTON~1\Navw32.exe [2005-10-07 14:47]

    2009-03-24 c:\windows\Tasks\Pareto UNS.job
    - c:\program files\Common Files\ParetoLogic\UUS\UUS.dll\Pareto_Update.exe []

    2009-03-30 c:\windows\Tasks\Symantec NetDetect.job
    - c:\program files\Symantec\LiveUpdate\NDETECT.EXE [2004-12-14 12:24]
    .
    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.co.uk/
    uInternet Settings,ProxyOverride = <local>;*.local
    IE: &Translate English Word - c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    IE: Backward Links - c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    IE: Similar Pages - c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    IE: Translate Page into English - c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    Trusted Zone: sony-europe.com
    Trusted Zone: sonystyle-europe.com
    Trusted Zone: vaio-link.com
    FF - ProfilePath - c:\documents and settings\user user\Application Data\Mozilla\Firefox\Profiles\9h1aav5x.default\
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk
    .

    **************************************************************************

    catchme 0.3.1375 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-03-30 22:11:35
    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    LXCCCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCCtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_LOCAL_MACHINE\software\Adobe\Premiere Std\7.0\DefaultPreset]
    @DACL=(02 0000)
    @SACL=
    @="c:\\Program Files\\Adobe\\Premiere Standard\\Settings\\DV - NTSC\\Standard 48kHz.prpreset"

    [HKEY_LOCAL_MACHINE\software\Adobe\Premiere Std\7.0\Help]
    @DACL=(02 0000)
    @SACL=
    "AdobeMediaEncoder"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_0_0_0.html"
    "Contents"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_0_0_0.html"
    "ExportToDVD"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_13_2_0.html"
    "HowToUse"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\0_0_0_0.html"
    "Keyboard"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\1_4_15_0.html"
    "Search"="c:\\Program Files\\Adobe\\Premiere Standard\\Help\\search.html"
    "Support"="http://www.adobe.com/support/products/premiere.html"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(904)
    c:\program files\SUPERAntiSpyware\SASWINLO.dll
    .
    Completion time: 2009-03-30 22:15:27
    ComboFix-quarantined-files.txt 2009-03-30 21:14:55
    ComboFix2.txt 2009-03-29 22:12:04

    Pre-Run: 11,294,355,456 bytes free
    Post-Run: 11,279,659,008 bytes free

    274 --- E O F --- 2009-03-29 23:01:34

    MBAM

    Malwarebytes' Anti-Malware 1.35
    Database version: 1921
    Windows 5.1.2600 Service Pack 3

    30/03/2009 23:25:50
    mbam-log-2009-03-30 (23-25-50).txt

    Scan type: Quick Scan
    Objects scanned: 75463
    Time elapsed: 4 minute(s), 6 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)
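The Security Center values in the ComboFix "Reg Loading Points" section above (AntiVirusDisableNotify, both DisableMonitoring entries, and EnableFirewall = 0) are exactly the settings that MBAM reports further down as Disabled.SecurityCenter: they silence XP's antivirus/firewall warnings so the user is not told that protection is off. As an added example, not part of this thread and not ComboFix's or MBAM's own code, here is a small Python parser for that REGEDIT4-style block that flags those values. The sample block is constructed in the layout of the log above (with the forum's stray space before the closing quote of value names tolerated), and the thresholds are my own reading of the log, not MBAM's detection logic.

```python
import re

# Constructed sample modelled on the "Reg Loading Points" section of the
# ComboFix log in this thread; it is not the log itself, only its layout.
SAMPLE_REG_SECTION = """\
REGEDIT4

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"ctfmon.exe"="c:\\windows\\system32\\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center]
"AntiVirusDisableNotify "=dword:00000001

[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring\\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# The forum rendering of the log put a space before the closing quote of some
# value names ("AntiVirusDisableNotify "=...), so the name match is lazy and
# tolerates trailing whitespace.
VAL_RE = re.compile(r'^"(?P<name>[^"]+?)\s*"\s*=\s*(?P<raw>.*)$')


def parse_reg_section(text):
    """Yield (key, value_name, raw_value) for every value in a REGEDIT4-style block."""
    current_key = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current_key = m.group("key")
            continue
        m = VAL_RE.match(line)
        if m and current_key is not None:
            yield current_key, m.group("name"), m.group("raw")


def decode_value(raw):
    """Turn ComboFix's rendering of a value into an int where it is numeric."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    m = re.match(r"^(\d+)\b", raw)          # e.g. '0 (0x0)' -> 0
    if m:
        return int(m.group(1))
    return raw                               # string or file entry, keep as text


def find_security_center_tampering(text):
    """Return (key, name, value) for settings that silence XP's Security Center
    or switch the Windows Firewall off. These are the values MBAM reports as
    Disabled.SecurityCenter; the thresholds are my own, not MBAM's logic."""
    findings = []
    for key, name, raw in parse_reg_section(text):
        k, n, v = key.lower(), name.lower(), decode_value(raw)
        if "security center" in k and n.endswith("disablenotify") and v == 1:
            findings.append((key, name, v))
        elif "security center" in k and n == "disablemonitoring" and v == 1:
            findings.append((key, name, v))
        elif "firewallpolicy" in k and n == "enablefirewall" and v == 0:
            findings.append((key, name, v))
    return findings


if __name__ == "__main__":
    for key, name, value in find_security_center_tampering(SAMPLE_REG_SECTION):
        print(f"{key}\n    {name} = {value}")
```

Running it prints the three tampered entries from the sample. A clean log yields an empty list, and a value of DisableMonitoring = 1 is only worth attention under the Security Center key, which is why the key path is checked alongside the value name.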
     
  9. 2009/03/31
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Actually, I was expecting that; it doesn't always mean infection.
    Depending on how long it was taking, Norton was probably at fault here.

    Last logs look better but would still like an online scan to confirm.


    I'd like for you to try this next scanner.
    Try to disable Norton while this downloads and runs so that it is not disrupted.
    Do not attempt any surfing while scanning.



    Perform an online scan with Panda ActiveScan
    * Click on Scan Your PC Now
    * A "pop up" window will appear, or a new tab will open.
    * Click on Register
    * Choose the option you like most, but we recommend the Free Registration.

    Click on Register
    # Enter your e-mail address, and create a password.
    # Select "I do not want to receive any type of information". (unless you want to receive such information)
    # Click on Send
    # Confirm registration, and continue by entering your user name and password, then click on Enter
    # Select Full Scan, then Click on Scan Now
    # Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
    # If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
    # Please ignore the offer to buy the program. Click on Export To

    * Export the log and save it to your desktop.
    * Please attach the contents of that log in your next reply.
    * Turn off the real time scanner of any existing antivirus program while performing the online scan


    Post the Panda log.


    How's the computer now?
     
  10. 2009/03/31
    thierry1

    thierry1 Inactive Thread Starter

    Joined:
    2009/03/25
    Messages:
    40
    Likes Received:
    0
    Hi Juliet, I completed the Panda scan earlier and disinfected a few things. The full log is below:

    ;***********************************************************************************************************************************************************************************
    ANALYSIS: 2009-03-31 17:02:44
    PROTECTIONS: 1
    MALWARE: 7
    SUSPECTS: 2
    ;***********************************************************************************************************************************************************************************
    PROTECTIONS
    Description Version Active Updated
    ;===================================================================================================================================================================================
    Norton Internet Security 2005 Yes No
    ;===================================================================================================================================================================================
    MALWARE
    Id Description Type Active Severity Disinfectable Disinfected Location
    ;===================================================================================================================================================================================
    00020994 W32/Bagle.pwdzip Virus No 0 Yes Yes C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSvchost1.zip
    00029258 application/altnet HackTools No 0 Yes No HKEY_CLASSES_ROOT\Interface\{700DC0DD-F409-42E0-9DE5-21EE1A2BA9FD}
    00169752 application/need2find HackTools No 0 Yes No hkey_classes_root\need2findbar.settingsplugin
    00169752 application/need2find HackTools No 0 Yes No hkey_classes_root\need2findbar.settingsplugin.1
    00169752 application/need2find HackTools No 0 Yes No hkey_classes_root\need2findbar.toolbarplugin
    00169752 application/need2find HackTools No 0 Yes No hkey_classes_root\need2findbar.toolbarplugin.1
    00169752 application/need2find HackTools No 0 Yes No hkey_classes_root\clsid\{630d6140-04c5-4db0-b27a-020d766ff09b}
    00169752 application/need2find HackTools No 0 Yes No hkey_local_machine\software\need2find
    00169752 application/need2find HackTools No 0 Yes No HKEY_LOCAL_MACHINE\software\classes\CLSID\{630D6140-04C5-4db0-B27A-020D766FF09B}
    00169752 application/need2find HackTools No 0 Yes No HKEY_CLASSES_ROOT\Interface\{4D1C4E8A-A32A-416B-BCDB-33B3EF3617D3}
    00169752 application/need2find HackTools No 0 Yes No hkey_current_user\software\need2find
    00447834 Adware/Lop Adware No 0 Yes No C:\Documents and Settings\user user\DoctorWeb\Quarantine\A0039678.dll
    02519515 Trj/Rebooter.J Virus/Trojan No 0 Yes Yes C:\Documents and Settings\user user\DoctorWeb\Quarantine\A0041821.exe
    02519515 Trj/Rebooter.J Virus/Trojan No 0 Yes Yes C:\Documents and Settings\user user\DoctorWeb\Quarantine\SmitfraudFix.exe
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP575\A0046050.sys
    02885963 Rootkit/Booto.C Virus/Worm No 0 Yes Yes C:\System Volume Information\_restore{EE8B4CBF-618C-47CB-973B-B509954157CB}\RP577\A0047221.sys
    03541233 HackTool/Rebooter HackTools No 0 Yes No C:\Documents and Settings\user user\Desktop\Virus killers\SmitfraudFix\Reboot.exe
    ;===================================================================================================================================================================================
    SUSPECTS
    Sent Location l
    ;===================================================================================================================================================================================
    No C:\Documents and Settings\user user\Desktop\worksnow.exe l
    No C:\Documents and Settings\user user\DoctorWeb\Quarantine\A0040631.exe l
    ;===================================================================================================================================================================================
    VULNERABILITIES
    Id Severity Description l
    ;===================================================================================================================================================================================
    ;===================================================================================================================================================================================
     
  11. 2009/03/31
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    OK, let's see if we can finish this up.


    OTMoveIt still on desktop?


    Double click OTMoveIt to open the program

    [*]Copy the lines in the codebox below. ( Make sure you include :processes )
    Code:
    :Processes
    explorer.exe
    :reg
    [-hkey_classes_root\clsid\{630d6140-04c5-4db0-b27a-020d766ff09b}]
    [-HKEY_LOCAL_MACHINE\software\classes\CLSID\{630D6140-04C5-4db0-B27A-020D766FF09B}]
    [-HKEY_CLASSES_ROOT\Interface\{700DC0DD-F409-42E0-9DE5-21EE1A2BA9FD}]
    [-hkey_classes_root\need2findbar.settingsplugin]
    [-hkey_classes_root\need2findbar.settingsplugin.1]
    [-hkey_classes_root\need2findbar.toolbarplugin]
    [-hkey_classes_root\need2findbar.toolbarplugin.1]
    [-hkey_classes_root\clsid\{630d6140-04c5-4db0-b27a-020d766ff09b}]
    :Commands
    [Purity]
    [EmptyTemp]
    [Start Explorer]
    [Reboot]
    
    
    • Return to OTMoveIt3, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
    • - Close ALL open windows (especially Internet Explorer!)-
    • Click the red Moveit! button.
    • Copy everything in the Results window (under the green bar), and paste it in your next reply.
    • Close OTMoveIt3
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

    If the machine reboots, the Results log can be found here:

    c:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

    Where mmddyyyy_hhmmss is the date of the tool run.

    Post the OTMoveIt log.


    How's the computer now?
     
  12. 2009/04/01
    thierry1

    thierry1 Inactive Thread Starter

    Joined:
    2009/03/25
    Messages:
    40
    Likes Received:
    0
    Hi Juliet, just completed the OTMoveIt process. The results are below. It didn't reboot so I'm about to do that manually now.

    The computer is generally good and seems to be back to normal, although at the beginning of a boot the CPU usage is high thanks to SVCHost.exe, and taking a look at my processes right now there are 7 of these running under different user names like 'LOCAL SERVICE', 'SYSTEM' and 'NETWORK SERVICE'. I'm not sure what these are attributed to, as I only have a Firefox browser open right now. The CPU on all these at the moment is '00' and memory usage varies from 356k to 23,176k - is this anything to worry about?

    thanks

    OTMOVEIT

    ========== PROCESSES ==========
    Process explorer.exe killed successfully.
    ========== REGISTRY ==========
    Registry key hkey_classes_root\clsid\{630d6140-04c5-4db0-b27a-020d766ff09b}\\ deleted successfully.
    Registry key HKEY_LOCAL_MACHINE\software\classes\CLSID\{630D6140-04C5-4db0-B27A-020D766FF09B}\\ not found.
    Registry key HKEY_CLASSES_ROOT\Interface\{700DC0DD-F409-42E0-9DE5-21EE1A2BA9FD}\\ deleted successfully.
    Registry key hkey_classes_root\need2findbar.settingsplugin\\ deleted successfully.
    Registry key hkey_classes_root\need2findbar.settingsplugin.1\\ deleted successfully.
    Registry key hkey_classes_root\need2findbar.toolbarplugin\\ deleted successfully.
    Registry key hkey_classes_root\need2findbar.toolbarplugin.1\\ deleted successfully.
    Registry key hkey_classes_root\clsid\{630d6140-04c5-4db0-b27a-020d766ff09b}\\ not found.
    ========== COMMANDS ==========
    File delete failed. C:\DOCUME~1\RABIND~1\LOCALS~1\Temp\etilqs_Zpy33nIea567MCUWmFWv scheduled to be deleted on reboot.
    User's Temp folder emptied.
    User's Temporary Internet Files folder emptied.
    User's Internet Explorer cache folder emptied.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat scheduled to be deleted on reboot.
    Local Service Temp folder emptied.
    File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
    Local Service Temporary Internet Files folder emptied.
    File delete failed. C:\WINDOWS\temp\JET770F.tmp scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_6ec.dat scheduled to be deleted on reboot.
    File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_7f4.dat scheduled to be deleted on reboot.
    Windows Temp folder emptied.
    Java cache emptied.
    File delete failed. C:\Documents and Settings\user user\Local Settings\Application Data\Mozilla\Firefox\Profiles\9h1aav5x.default\Cache\_CACHE_001_ scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\user user\Local Settings\Application Data\Mozilla\Firefox\Profiles\9h1aav5x.default\Cache\_CACHE_002_ scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\user user\Local Settings\Application Data\Mozilla\Firefox\Profiles\9h1aav5x.default\Cache\_CACHE_003_ scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\user user\Local Settings\Application Data\Mozilla\Firefox\Profiles\9h1aav5x.default\Cache\_CACHE_MAP_ scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\user user\Local Settings\Application Data\Mozilla\Firefox\Profiles\9h1aav5x.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
    File delete failed. C:\Documents and Settings\user user\Local Settings\Application Data\Mozilla\Firefox\Profiles\9h1aav5x.default\XUL.mfl scheduled to be deleted on reboot.
    FireFox cache emptied.
    Temp folders emptied.
    Explorer started successfully

    OTMoveIt3 by OldTimer - Version 1.0.9.0 log created on 04012009_102020
     
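    The OTMoveIt3 results log above has a fixed line format, and the "scheduled to be deleted on reboot" lines are the reason a manual restart was still needed. As an added example (not part of the thread and not OTMoveIt's own code), the following Python parses that format and reports whether a run left anything queued for reboot; the sample log is constructed from the format shown, not the poster's full log.

```python
import re

# Constructed sample in the OTMoveIt3 results format seen in the thread
# (cut down; not the poster's full log).
SAMPLE_LOG = r"""
========== PROCESSES ==========
Process explorer.exe killed successfully.
========== REGISTRY ==========
Registry key hkey_classes_root\clsid\{630d6140-04c5-4db0-b27a-020d766ff09b}\\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\classes\CLSID\{630D6140-04C5-4db0-B27A-020D766FF09B}\\ not found.
Registry key hkey_classes_root\need2findbar.toolbarplugin\\ deleted successfully.
========== COMMANDS ==========
File delete failed. C:\WINDOWS\temp\JET770F.tmp scheduled to be deleted on reboot.
User's Temp folder emptied.
Windows Temp folder emptied.
Explorer started successfully
"""

SECTION_RE = re.compile(r"^=+ (?P<name>[A-Z]+) =+$")
PROCESS_RE = re.compile(r"^Process (?P<name>\S+) killed successfully\.$")
REGKEY_RE = re.compile(r"^Registry key (?P<key>.+?)\\\\ (?P<status>deleted successfully|not found)\.$")
PENDING_RE = re.compile(r"^File delete failed\. (?P<path>.+?) scheduled to be deleted on reboot\.$")
EMPTIED_RE = re.compile(r"^(?P<folder>.+?) folder emptied\.$")


def parse_otmoveit_log(text):
    """Group the log's lines by outcome: killed, deleted, not found, pending, emptied."""
    result = {"killed": [], "deleted_keys": [], "missing_keys": [],
              "pending_reboot": [], "emptied": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if m := SECTION_RE.match(line):
            section = m.group("name")
        elif section == "PROCESSES" and (m := PROCESS_RE.match(line)):
            result["killed"].append(m.group("name"))
        elif section == "REGISTRY" and (m := REGKEY_RE.match(line)):
            bucket = "deleted_keys" if m.group("status").startswith("deleted") else "missing_keys"
            result[bucket].append(m.group("key"))
        elif section == "COMMANDS" and (m := PENDING_RE.match(line)):
            # a locked file: OTMoveIt queued it for removal at the next boot
            result["pending_reboot"].append(m.group("path"))
        elif section == "COMMANDS" and (m := EMPTIED_RE.match(line)):
            result["emptied"].append(m.group("folder"))
    return result


def needs_reboot(parsed):
    """The cleanup only finishes after a restart if anything was queued for reboot."""
    return bool(parsed["pending_reboot"])
```

A "not found" key is not an error: the same CLSID appears twice in the script, so the second delete has nothing left to remove.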
  13. 2009/04/01
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Yes

    It's hard to say what's normal and what's not.
    I know for the computer to connect to the internet it will use those processes, then settle down.
    There are applications on the computer that require daily updates, again calling upon the items mentioned.


    Let's do some final clean up measures, we can leave this topic open for a few days in case we need more diagnostic work.



    Don't miss or skip this next step, this will remove malicious files from quarantine and set a clean restore point.
    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.
    Example below


    [image: the Run box with the command entered]


    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    NEXT**
    Next open OTMoveIt, then click on "CleanUp!".
    If you receive a warning from your Firewall please allow...
    In the left pane, it will display a list of tools and other related files which you may have downloaded/used during our cleanup + backup folders that were created with the bad files present.
    They are not needed anymore, so OTMoveIt will delete them.
    Do not edit anything in that Window!
    Don't worry if it displays some tools you didn't download/use.
    Click Yes when it asks to Begin cleanup process.
    Then reboot your computer.



    Please take the time to read over a few of my preventive tips.


    Please navigate to Microsoft Windows Updates and download all the "Critical Updates" for Windows.


    Firefox 3
    The award-winning Web browser is now faster, more secure, and fully customizable to your online life. Firefox 2 added powerful new features that make your online experience even better. It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.
    *NoScript - Addon for Firefox that stops all scripts from running on websites. Stops malicious software from invading via flash, java, javascript, and many other entry points.

    How to prevent Malware: Created by Miekiemoes

    Here are some additional utilities that will further enhance your safety.
    # http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)


    Read this article 'Safe Computing Practices'.
    So how did I get infected in the first place?

    Secure My Computer: A Layered Approach

    Strong passwords: How to create and use them

    Free Antivirus-AntiSpyware-Firewall Software
    Slow Computer May Not Be Malware Related, Help! My computer is slow!
    http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html


    PC Safety and Security--What Do I Need?
    http://www.techsupportforum.com/sec...115548-pc-safety-security-what-do-i-need.html

    Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
    This site offers people who have been (or are) victims of malware the opportunity to document their story.

    Extra note:
    Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan. http://secunia.com/software_inspector/
     
  14. 2009/04/01
    thierry1

    thierry1 Inactive Thread Starter

    Joined:
    2009/03/25
    Messages:
    40
    Likes Received:
    0
    Hi Juliet, I've followed your clean-up points for Combofix/MoveIt.

    I still have other applications on my desktop like Dr Web, Dial-A-Fix and VArestore. Do I still need these and the logs?

    Thanks for the advice, I've downloaded some updates for programmes.

    A couple of questions -

    1/ Do you know what infected my PC? Was it a virus/malware?
    2/ Which of the applications worked? Dial-A-Fix seemed to have an impact.

    Thank you for your help, I'm happy to donate to any fund you have running.
     
  15. 2009/04/01
    Juliet

    Juliet Well-Known Member

    Joined:
    2008/09/15
    Messages:
    976
    Likes Received:
    6
    Good deal

    No, these are no longer needed.

    IF.....I had to give it a name, that's a hard call.
    Whatever it was had similarities to ConFicker..Now if the machine did have the actual infection......can't say, some things were NOT identified or found on your computer that would have given it a positive ID.

    Dial-A-Fix and VArestore both work at resetting specific settings back to default.
    Some are permissions to file associations.

    My time is free, you can support WindowsBBS.
     