
Strange Virus I haven't seen before

Discussion in 'Malware and Virus Removal Archive' started by JonG86, 2008/08/18.

  1. 2008/08/18
    JonG86

    JonG86 Inactive Thread Starter

    Joined:
    2008/08/17
    Messages:
    6
    Likes Received:
    0
    I removed a Sasser virus from my computer just last week and thought all was going well until I uninstalled my out-of-date Norton and tried to install AVG until I can get a new full antivirus. During the install AVG tried to auto-close several programs but could not close an instance of Iexplorer, which I couldn't understand as I didn't have any instances running.

    Also, hyperlinks and drop-down boxes stopped working correctly on websites that I frequent. Then I noticed that Task Manager and System Restore had both been disabled (an ominous sign in my books).

    On top of these two symptoms, for some reason when I have a program running in the main window it will suddenly be minimized, closed or de-selected without warning, so while I could be typing on the screen nothing is being typed on the forum (it took me an extra 2 minutes to type this message out because of this strange effect).

    I have noticed that a warning box does pop up every now and again but I am not sure what it says as it disappears rapidly (although I am sure it says something about Iexplorer).

    I did the virus scan recommended on the forum (Panda scan) and it found and disinfected a trojan virus; however, the problem still remains (Spybot and Malware have both been run as well).

    Here are the HijackThis! logs:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:32:19, on 18/08/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\FileZilla Server\FileZilla Server.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\vxto7cj3.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skybroadband.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.skybroadband.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {930247B4-16BE-48d2-87DD-86D7FB314639} - (no file)
    O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\VXTOmCJk.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-21-776561741-162531612-682003330-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BE6A92D-D51C-4659-B372-BB18C99BC439} - http://www.ppmate.com/search/downcab.jsp
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE
     
  2. 2008/08/18
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi JonG86
    Welcome to Windowsbbs.

    You said you ran Malwarebytes' Anti-Malware? If so, did you make sure you updated it before you ran it?
    If not, please update it, run it, and post the log.


    Please do the following in the order given.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {930247B4-16BE-48d2-87DD-86D7FB314639} - (no file)
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    Now do this.

    Download ComboFix from Here to your Desktop.

    It's best to disable realtime protection applications as they sometimes interfere with the tool.
    Check this link for any applicable programs you may have.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • Vista users right click Combofix.exe and select Run As Administrator.
    • When finished, it shall produce a log for you. Post the Combofix log
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

    Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

    Please post the combofix log and the MBAM log (if it's a new one).

    Thanks
    Geri
     
    Geri,
    #2
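    One way to pick out the kinds of HijackThis entries Geri asks to have fixed, as an added example that is not the thread's own tooling or HijackThis code: it parses the R/O entry lines of a log and reports O7 policy restrictions, orphaned "(no file)" entries, browser helpers loaded from system32, and services with no publisher string. The sample lines are copied from the log posted above; the rules are a triage heuristic for a human to review, not a verdict on any file.

```python
"""Triage helper for HijackThis-style log lines (added example).

Parses the "Rn - ..." / "On - ..." entry lines and flags the patterns a
malware-removal helper looks for first. Not HijackThis code; the sample
below is a subset of the log posted in the thread.
"""
import re
from typing import Dict, List

# Constructed sample: entry lines copied from the HijackThis log above.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skybroadband.com
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\VXTOmCJk.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
SYSTEM32_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)


def parse_entries(log: str) -> List[Dict[str, str]]:
    """Return one dict per R/O entry: section, body, referenced path, raw line.

    Lines that are not entries (process list, headers, blanks) are skipped.
    """
    entries = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O4":
            # O4 - HKxx\..\Run: [value name] path
            path = body.split("] ", 1)[1] if "] " in body else ""
        else:
            # O2/O3/O9/O23 put the file path in the last " - " field.
            path = body.rsplit(" - ", 1)[1] if " - " in body else ""
        entries.append({"section": sec, "body": body,
                        "path": path.strip(), "line": line})
    return entries


def triage(entries: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Apply review heuristics; each finding carries the entry and a reason."""
    findings = []
    for e in entries:
        sec, path, body = e["section"], e["path"], e["body"]
        if sec == "O7":
            # Policy lock-outs (regedit / Task Manager) are a classic symptom.
            findings.append({"section": sec, "line": e["line"],
                             "reason": "policy restriction set under Policies\\System"})
        if path == "(no file)" or path.endswith("(file missing)"):
            findings.append({"section": sec, "line": e["line"],
                             "reason": "orphaned entry, referenced file is gone"})
        if sec in ("O2", "O3") and SYSTEM32_RE.search(path):
            # Vendors install BHOs/toolbars under Program Files, not system32.
            findings.append({"section": sec, "line": e["line"],
                             "reason": "browser helper loaded from system32"})
        if sec == "O23" and "Unknown owner" in body:
            findings.append({"section": sec, "line": e["line"],
                             "reason": "service without a publisher string, verify binary"})
    return findings


def triage_log(log: str) -> List[Dict[str, str]]:
    """Convenience wrapper: parse then triage."""
    return triage(parse_entries(log))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

    Legitimate software can trip these rules (the PunkBuster service on this page has no publisher string), so treat the output as a review list.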


  4. 2008/08/19
    JonG86

    JonG86 Inactive Thread Starter

    Joined:
    2008/08/17
    Messages:
    6
    Likes Received:
    0
    Thanks for your quick reply.

    Combofix log:

    ComboFix 08-08-18.05 - Jon 2008-08-19 18:37:53.2 - NTFSx86

    Running from: C:\Documents and Settings\Jon\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Jon\Application Data\macromedia\Flash Player\#SharedObjects\RWAXN3ZC\interclick.com
    C:\Documents and Settings\Jon\Application Data\macromedia\Flash Player\#SharedObjects\RWAXN3ZC\interclick.com\ud.sol
    C:\Documents and Settings\Jon\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
    C:\Documents and Settings\Jon\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
    C:\Documents and Settings\Jon\UserData
    C:\Documents and Settings\Jon\UserData\index.dat
    C:\Documents and Settings\Jon\UserData\S5IB4HI7\oXMLStore[1].xml
    C:\WINDOWS\system32\VXTOmCJk.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 )))))))))))))))))))))))))))))))
    .

    2008-08-17 21:21 . 2008-08-17 21:21 <DIR> d-------- C:\Program Files\Panda Security
    2008-08-17 21:21 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
    2008-08-17 21:20 . 2008-08-17 21:20 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2008-08-17 21:07 . 2008-08-15 21:15 <DIR> d-------- C:\SDFix
    2008-08-17 20:19 . 2008-08-17 20:49 <DIR> d-------- C:\VundoFix Backups
    2008-08-17 19:18 . 2008-08-17 19:18 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-17 19:14 . 2008-08-17 19:14 <DIR> d-------- C:\Program Files\CleanUp!
    2008-08-17 15:58 . 2008-08-17 15:58 <DIR> d-------- C:\Program Files\Veetle
    2008-08-17 15:58 . 2008-08-17 15:59 48,396 --a------ C:\WINDOWS\UninstVeetleTVPlayer.exe
    2008-08-15 00:54 . 2008-08-15 00:54 0 --a------ C:\WINDOWS\system32\vxto7cj3.exe.a_a
    2008-08-15 00:46 . 2008-08-15 00:49 <DIR> d-------- C:\My Pics
    2008-08-15 00:21 . 2008-08-15 01:00 <DIR> d-------- C:\Hopton drunk
    2008-08-15 00:19 . 2008-08-15 00:20 <DIR> d-------- C:\EXEs
    2008-08-15 00:00 . 2008-01-09 15:50 230,428,730 --a------ C:\bbstudent.avi
    2008-08-14 22:04 . 2008-08-17 18:21 80,898 --a------ C:\WINDOWS\system32\vxto7cj3.exe
    2008-08-14 21:48 . 2008-08-14 21:47 29,760 --a------ C:\WINDOWS\system32\0wQsPcwK.exe
    2008-08-14 21:48 . 2008-08-14 21:48 0 --a------ C:\WINDOWS\system32\0wQsPcwK.exe.a_a
    2008-08-14 20:07 . 2008-08-14 20:07 <DIR> d-------- C:\Program Files\PC Inspector File Recovery
    2008-08-14 20:07 . 2002-02-18 18:40 6,200 --a------ C:\WINDOWS\system32\INT13EXT.VXD
    2008-08-05 20:20 . 2005-11-10 19:54 402,944 -ra------ C:\WINDOWS\system32\drivers\BLKWGU.sys
    2008-08-03 22:41 . 2008-08-03 22:41 16,244 --a------ C:\WINDOWS\system32\rrt_is.wav
    2008-08-03 22:41 . 2008-08-03 22:41 7,302 --a------ C:\WINDOWS\system32\rrt_vf.wav
    2008-08-03 22:41 . 2008-08-03 22:41 7,148 --a------ C:\WINDOWS\system32\rrt_tv.wav
    2008-08-03 22:41 . 2008-08-03 22:41 6,282 --a------ C:\WINDOWS\system32\rrt_tn.wav
    2008-08-03 22:21 . 2008-08-03 22:21 <DIR> d-------- C:\WINDOWS\{16D3778B-2A5E-481D-B7DC-FA4A68496C97}
    2008-07-27 13:29 . 2008-05-31 22:59 4,096 --ahs---- C:\Thumbs.db
    2008-07-27 13:26 . 2008-05-30 16:34 1 --ah----- C:\f339b4f8-146d-47ac-a5df-f6fd0713f770
    2008-07-27 13:26 . 2008-05-30 17:11 1 --ah----- C:\e3f91452-1541-4677-9bf1-8c746794078d
    2008-07-27 13:26 . 2008-05-30 16:23 1 --ah----- C:\b3326ca6-3843-4d99-b4e5-b1499dde18db
    2008-07-27 13:26 . 2008-05-30 16:23 1 --ah----- C:\ab142a8b-3c75-4e4b-8e8b-d6e295badac9
    2008-07-27 13:26 . 2008-05-30 16:54 1 --ah----- C:\a9679fed-50db-4665-ae2c-691be92b2d79
    2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\a5a8afaf-4f4c-4366-b7ea-bd4d2343d64d
    2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\a0e610f2-ee7d-45e9-a0e4-3a2aa19954d7
    2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\2dcd5038-37af-4090-bdb7-0c75f7d91576
    2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\22c35db8-d162-4a92-b534-9c039a99b804
    2008-07-27 01:50 . 2008-05-16 17:07 2,473,112,328 --a------ C:\MGBfinished.avi
    2008-07-26 22:24 . 2008-07-26 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis
    2008-07-26 21:54 . 2008-07-26 21:54 <DIR> d-------- C:\Program Files\GetData
    2008-07-26 21:31 . 2008-08-17 19:31 81,920 --a------ C:\WINDOWS\inform.dat
    2008-07-26 21:31 . 2008-07-26 21:31 2 --a------ C:\1417323579
    2008-07-26 21:22 . 2008-07-26 21:22 <DIR> d-------- C:\Program Files\Common Files\Acronis
    2008-07-26 21:22 . 2008-07-26 21:22 <DIR> d-------- C:\Program Files\Acronis
    2008-07-26 21:22 . 2008-07-26 21:22 97,248 --a------ C:\WINDOWS\system32\drivers\snapman.sys
    2008-07-26 20:58 . 2008-07-26 20:58 <DIR> d-------- C:\Program Files\PowerQuest
    2008-07-26 17:20 . 2008-08-19 17:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-26 17:20 . 2008-07-26 17:20 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\Malwarebytes
    2008-07-26 17:20 . 2008-07-26 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-26 17:20 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-07-26 17:20 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-26 15:16 . 2008-06-02 20:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2008-07-26 15:16 . 2008-07-26 15:16 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-07-26 15:12 . 2008-07-26 15:12 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-07-24 19:32 . 2008-07-24 19:32 <DIR> d-------- C:\Program Files\BinaryBiz

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-19 16:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-08-18 19:39 --------- d-----w C:\Documents and Settings\Jon\Application Data\OpenOffice.org2
    2008-08-17 19:16 --------- d-----w C:\Documents and Settings\Jon\Application Data\uTorrent
    2008-08-17 18:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-08-17 18:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-08-17 18:27 --------- d-----w C:\Program Files\Symantec
    2008-08-17 17:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-14 19:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-10 14:51 --------- d-----w C:\Program Files\SopCast
    2008-08-10 14:46 --------- d-----w C:\Documents and Settings\Jon\Application Data\SopCast
    2008-08-05 19:25 --------- d-----w C:\Program Files\Belkin
    2008-08-01 15:26 --------- d-----w C:\Program Files\Bonjour
    2008-07-26 15:53 --------- d-----w C:\Documents and Settings\Jon\Application Data\Skype
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-30 19:34 --------- d-----w C:\Program Files\PKR
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2007-11-09 17:59 22,328 ----a-w C:\Documents and Settings\Jon\Application Data\PnkBstrK.sys
    2007-09-17 10:14 1,136 ----a-w C:\Documents and Settings\Jon\Application Data\filterclsid.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-17_19.34.30.46 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-09 14:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
    + 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
    + 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Symantec PIF AlertEng "= "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
    "IntelliPoint "= "C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-16 00:41 163840]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.yv12 "= yv12vfw.dll
    "vidc.CDVC "= cdvccodc.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk
    backup=C:\WINDOWS\pss\Belkin Wireless USB Utility.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
    backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
    backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
    backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Jon\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
    --a--c--- 2005-12-29 11:22 543232 C:\Program Files\btbb_wcm\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
    --a------ 2003-09-17 10:43 57344 C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX5000 Series]
    --a--c--- 2006-09-22 05:01 139264 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIBVE.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]
    --a--c--- 2006-07-31 20:00 19857408 C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
    --a--c--- 2007-02-27 15:55 937984 C:\Program Files\FileZilla Server\FileZilla Server Interface.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    --a--c--- 2006-02-06 18:52 462935 C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2007-04-19 13:26 7700480 C:\WINDOWS\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
    --a--c--- 2007-01-22 17:22 81920 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    --a------ 2007-04-19 13:26 86016 C:\WINDOWS\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSSelectorReinstall]
    --a------ 2005-11-14 20:11 1544099 C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PKR Pal]
    --a------ 2008-06-29 23:41 2273896 C:\Program Files\PKR\pkrpal.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
    --a------ 2005-06-28 20:15 642560 c:\Program Files\PowerStrip\pstrip.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    -ra------ 2007-09-13 13:31 22880040 C:\Program Files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-01-02 14:02 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    -----c--- 2000-05-11 01:00 90112 C:\WINDOWS\Updreg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2005-08-31 17:11 2478080 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    --a--c--- 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    --a------ 2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
    --a------ 2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\MSN Messenger\\livecall.exe "=
    "C:\\Program Files\\PPMate\\PPMate\\ppmate.exe "=
    "C:\\Program Files\\PPLive\\PPLive.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\Program Files\\LimeWire\\LimeWire.exe "=
    "C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "C:\\Program Files\\uTorrent\\uTorrent.exe "=
    "C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=
    "C:\\WINDOWS\\system32\\winver.exe "=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe "=


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\Launch.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d16fcb4-e973-11dc-8036-00173fc657ea}]
    \Shell\AutoRun\command - E:\setupSNK.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9988775D-4368-4857-871A-D01D66CA3A71}]
    rundll32 dcrick.dll,InitO
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\k7jyfkq4.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/
    .
    .
    ------- File Associations (Beta) -------
    .
    inifile=%SystemRoot%\System32\NOTEPAD.EXE %1 "
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-19 18:40:19
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-08-19 18:41:24
    ComboFix-quarantined-files.txt 2008-08-19 17:41:09
    ComboFix2.txt 2008-08-17 18:34:54

    Pre-Run: 91,436,408,832 bytes free
    Post-Run: 91,426,058,240 bytes free

    249 --- E O F --- 2008-08-14 19:34:47

    Malware log after the scan:

    Malwarebytes' Anti-Malware 1.25
    Database version: 1062
    Windows 5.1.2600 Service Pack 2

    19:20:57 19/08/2008
    mbam-log-08-19-2008 (19-20-57).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 125321
    Time elapsed: 27 minute(s), 40 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9988775d-4368-4857-871a-d01d66ca3a71} (Trojan.Agent) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\QooBox\Quarantine\C\WINDOWS\system32\VXTOmCJk.dll.vir (Trojan.BHO) -> Delete on reboot.
    C:\System Volume Information\_restore{12F93191-5295-4DC8-9D2E-4D7A78D90D75}\RP39\A0011990.dll (Trojan.BHO) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\0wQsPcwK.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\vxto7cj3.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
     
  5. 2008/08/19
    JonG86

    JonG86 Inactive Thread Starter

    Joined:
    2008/08/17
    Messages:
    6
    Likes Received:
    0
    Thanks for the quick reply.

    Combofix log:

    ComboFix 08-08-18.05 - Jon 2008-08-19 19:52:55.4 - NTFSx86

    Running from: C:\Documents and Settings\Jon\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 )))))))))))))))))))))))))))))))
    .

    2008-08-19 19:21 . 2008-08-19 19:21 61,440 --a------ C:\WINDOWS\system32\drivers\ptgor.sys
    2008-08-17 21:21 . 2008-08-17 21:21 <DIR> d-------- C:\Program Files\Panda Security
    2008-08-17 21:21 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
    2008-08-17 21:20 . 2008-08-17 21:20 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2008-08-17 21:07 . 2008-08-15 21:15 <DIR> d-------- C:\SDFix
    2008-08-17 20:19 . 2008-08-17 20:49 <DIR> d-------- C:\VundoFix Backups
    2008-08-17 19:18 . 2008-08-17 19:18 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-17 19:14 . 2008-08-17 19:14 <DIR> d-------- C:\Program Files\CleanUp!
    2008-08-17 15:58 . 2008-08-17 15:58 <DIR> d-------- C:\Program Files\Veetle
    2008-08-17 15:58 . 2008-08-17 15:59 48,396 --a------ C:\WINDOWS\UninstVeetleTVPlayer.exe
    2008-08-15 00:46 . 2008-08-15 00:49 <DIR> d-------- C:\My Pics
    2008-08-15 00:21 . 2008-08-15 01:00 <DIR> d-------- C:\Hopton drunk
    2008-08-15 00:19 . 2008-08-15 00:20 <DIR> d-------- C:\EXEs
    2008-08-15 00:00 . 2008-01-09 15:50 230,428,730 --a------ C:\bbstudent.avi
    2008-08-14 22:04 . 2008-08-17 18:21 80,898 --a------ C:\WINDOWS\system32\vxto7cj3.exe
    2008-08-14 21:48 . 2008-08-14 21:47 29,760 --a------ C:\WINDOWS\system32\0wQsPcwK.exe
    2008-08-14 20:07 . 2008-08-14 20:07 <DIR> d-------- C:\Program Files\PC Inspector File Recovery
    2008-08-14 20:07 . 2002-02-18 18:40 6,200 --a------ C:\WINDOWS\system32\INT13EXT.VXD
    2008-08-05 20:20 . 2005-11-10 19:54 402,944 -ra------ C:\WINDOWS\system32\drivers\BLKWGU.sys
    2008-08-03 22:41 . 2008-08-03 22:41 16,244 --a------ C:\WINDOWS\system32\rrt_is.wav
    2008-08-03 22:41 . 2008-08-03 22:41 7,302 --a------ C:\WINDOWS\system32\rrt_vf.wav
    2008-08-03 22:41 . 2008-08-03 22:41 7,148 --a------ C:\WINDOWS\system32\rrt_tv.wav
    2008-08-03 22:41 . 2008-08-03 22:41 6,282 --a------ C:\WINDOWS\system32\rrt_tn.wav
    2008-08-03 22:21 . 2008-08-03 22:21 <DIR> d-------- C:\WINDOWS\{16D3778B-2A5E-481D-B7DC-FA4A68496C97}
    2008-07-27 13:29 . 2008-05-31 22:59 4,096 --ahs---- C:\Thumbs.db
    2008-07-27 13:26 . 2008-05-30 16:34 1 --ah----- C:\f339b4f8-146d-47ac-a5df-f6fd0713f770
    2008-07-27 13:26 . 2008-05-30 17:11 1 --ah----- C:\e3f91452-1541-4677-9bf1-8c746794078d
    2008-07-27 13:26 . 2008-05-30 16:23 1 --ah----- C:\b3326ca6-3843-4d99-b4e5-b1499dde18db
    2008-07-27 13:26 . 2008-05-30 16:23 1 --ah----- C:\ab142a8b-3c75-4e4b-8e8b-d6e295badac9
    2008-07-27 13:26 . 2008-05-30 16:54 1 --ah----- C:\a9679fed-50db-4665-ae2c-691be92b2d79
    2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\a5a8afaf-4f4c-4366-b7ea-bd4d2343d64d
    2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\a0e610f2-ee7d-45e9-a0e4-3a2aa19954d7
    2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\2dcd5038-37af-4090-bdb7-0c75f7d91576
    2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\22c35db8-d162-4a92-b534-9c039a99b804
    2008-07-27 01:50 . 2008-05-16 17:07 2,473,112,328 --a------ C:\MGBfinished.avi
    2008-07-26 22:24 . 2008-07-26 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis
    2008-07-26 21:54 . 2008-07-26 21:54 <DIR> d-------- C:\Program Files\GetData
    2008-07-26 21:31 . 2008-08-17 19:31 81,920 --a------ C:\WINDOWS\inform.dat
    2008-07-26 21:31 . 2008-07-26 21:31 2 --a------ C:\1417323579
    2008-07-26 21:22 . 2008-07-26 21:22 <DIR> d-------- C:\Program Files\Common Files\Acronis
    2008-07-26 21:22 . 2008-07-26 21:22 <DIR> d-------- C:\Program Files\Acronis
    2008-07-26 21:22 . 2008-07-26 21:22 97,248 --a------ C:\WINDOWS\system32\drivers\snapman.sys
    2008-07-26 20:58 . 2008-07-26 20:58 <DIR> d-------- C:\Program Files\PowerQuest
    2008-07-26 17:20 . 2008-08-19 17:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-26 17:20 . 2008-07-26 17:20 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\Malwarebytes
    2008-07-26 17:20 . 2008-07-26 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-26 17:20 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-07-26 17:20 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-26 15:16 . 2008-06-02 20:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2008-07-26 15:16 . 2008-07-26 15:16 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-07-26 15:12 . 2008-07-26 15:12 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-07-24 19:32 . 2008-07-24 19:32 <DIR> d-------- C:\Program Files\BinaryBiz

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-19 16:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-08-18 19:39 --------- d-----w C:\Documents and Settings\Jon\Application Data\OpenOffice.org2
    2008-08-17 19:16 --------- d-----w C:\Documents and Settings\Jon\Application Data\uTorrent
    2008-08-17 18:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-08-17 18:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-08-17 18:27 --------- d-----w C:\Program Files\Symantec
    2008-08-17 17:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-14 19:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-10 14:51 --------- d-----w C:\Program Files\SopCast
    2008-08-10 14:46 --------- d-----w C:\Documents and Settings\Jon\Application Data\SopCast
    2008-08-05 19:25 --------- d-----w C:\Program Files\Belkin
    2008-08-01 15:26 --------- d-----w C:\Program Files\Bonjour
    2008-07-26 15:53 --------- d-----w C:\Documents and Settings\Jon\Application Data\Skype
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-30 19:34 --------- d-----w C:\Program Files\PKR
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2007-11-09 17:59 22,328 ----a-w C:\Documents and Settings\Jon\Application Data\PnkBstrK.sys
    2007-09-17 10:14 1,136 ----a-w C:\Documents and Settings\Jon\Application Data\filterclsid.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-17_19.34.30.46 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-09 14:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
    + 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
    + 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Symantec PIF AlertEng "= "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
    "IntelliPoint "= "C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-16 00:41 163840]
    "Malwarebytes Anti-Malware (reboot) "= "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-08-17 15:01 1195640]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.yv12 "= yv12vfw.dll
    "vidc.CDVC "= cdvccodc.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk
    backup=C:\WINDOWS\pss\Belkin Wireless USB Utility.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
    backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
    backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
    backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Jon\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
    --a--c--- 2005-12-29 11:22 543232 C:\Program Files\btbb_wcm\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
    --a------ 2003-09-17 10:43 57344 C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX5000 Series]
    --a--c--- 2006-09-22 05:01 139264 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIBVE.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]
    --a--c--- 2006-07-31 20:00 19857408 C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
    --a--c--- 2007-02-27 15:55 937984 C:\Program Files\FileZilla Server\FileZilla Server Interface.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    --a--c--- 2006-02-06 18:52 462935 C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2007-04-19 13:26 7700480 C:\WINDOWS\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
    --a--c--- 2007-01-22 17:22 81920 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    --a------ 2007-04-19 13:26 86016 C:\WINDOWS\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSSelectorReinstall]
    --a------ 2005-11-14 20:11 1544099 C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PKR Pal]
    --a------ 2008-06-29 23:41 2273896 C:\Program Files\PKR\pkrpal.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
    --a------ 2005-06-28 20:15 642560 c:\Program Files\PowerStrip\pstrip.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    -ra------ 2007-09-13 13:31 22880040 C:\Program Files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-01-02 14:02 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    -----c--- 2000-05-11 01:00 90112 C:\WINDOWS\Updreg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2005-08-31 17:11 2478080 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    --a--c--- 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    --a------ 2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
    --a------ 2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall "= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\MSN Messenger\\livecall.exe "=
    "C:\\Program Files\\PPMate\\PPMate\\ppmate.exe "=
    "C:\\Program Files\\PPLive\\PPLive.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\Program Files\\LimeWire\\LimeWire.exe "=
    "C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "C:\\Program Files\\uTorrent\\uTorrent.exe "=
    "C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=
    "C:\\WINDOWS\\system32\\winver.exe "=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe "=


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\Launch.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d16fcb4-e973-11dc-8036-00173fc657ea}]
    \Shell\AutoRun\command - E:\setupSNK.exe
    .
    Contents of the 'Scheduled Tasks' folder
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\k7jyfkq4.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/
    .
    .
    ------- File Associations (Beta) -------
    .
    inifile=%SystemRoot%\System32\NOTEPAD.EXE %1 "
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-19 19:53:57
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-08-19 19:55:02
    ComboFix-quarantined-files.txt 2008-08-19 18:54:33
    ComboFix2.txt 2008-08-19 18:26:36
    ComboFix3.txt 2008-08-19 17:41:25
    ComboFix4.txt 2008-08-17 18:34:54

    Pre-Run: 91,410,984,960 bytes free
    Post-Run: 91,399,847,936 bytes free

    240 --- E O F --- 2008-08-14 19:34:47


    Mbam log:


    Malwarebytes' Anti-Malware 1.25
    Database version: 1062
    Windows 5.1.2600 Service Pack 2

    19:20:50 19/08/2008
    mbam-log-08-19-2008 (19-20-47).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 125321
    Time elapsed: 27 minute(s), 40 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 5
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 4

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> No action taken.
    HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> No action taken.
    HKEY_CLASSES_ROOT\Typelib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9988775d-4368-4857-871a-d01d66ca3a71} (Trojan.Agent) -> No action taken.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\QooBox\Quarantine\C\WINDOWS\system32\VXTOmCJk.dll.vir (Trojan.BHO) -> No action taken.
    C:\System Volume Information\_restore{12F93191-5295-4DC8-9D2E-4D7A78D90D75}\RP39\A0011990.dll (Trojan.BHO) -> No action taken.
    C:\WINDOWS\system32\0wQsPcwK.exe.a_a (Trojan.Agent) -> No action taken.
    C:\WINDOWS\system32\vxto7cj3.exe.a_a (Trojan.Agent) -> No action taken.
     
    Last edited: 2008/08/19
  6. 2008/08/19
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi JonG86
    Ok you're not doing the step with MBAM to fix what it finds.
    C:\WINDOWS\system32\0wQsPcwK.exe.a_a (Trojan.Agent) -> No action taken.

    Here are the instructions to do that.

    Launch Malwarebytes' Anti-Malware and click on the Update tab then click Check for updates.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select 'Perform Quick Scan', then click Scan.
• The scan may take some time to finish, so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Post the entire report in your next reply along with a fresh HijackThis log.

    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


    Do you know what these are? If you do not know please delete them.
    C:\EXEs
    C:\bbstudent.avi
    C:\f339b4f8-146d-47ac-a5df-f6fd0713f770
    C:\e3f91452-1541-4677-9bf1-8c746794078d
    C:\b3326ca6-3843-4d99-b4e5-b1499dde18db
    C:\ab142a8b-3c75-4e4b-8e8b-d6e295badac9
    C:\a9679fed-50db-4665-ae2c-691be92b2d79
    C:\a5a8afaf-4f4c-4366-b7ea-bd4d2343d64d
    C:\a0e610f2-ee7d-45e9-a0e4-3a2aa19954d7
    C:\2dcd5038-37af-4090-bdb7-0c75f7d91576
    C:\22c35db8-d162-4a92-b534-9c039a99b804
    C:\MGBfinished.avi

    Now please do this.

Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
    Click here to see how to use CFScript.txt
    Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

    Code:
    File::
    C:\WINDOWS\system32\drivers\ptgor.sys
    C:\WINDOWS\system32\vxto7cj3.exe
    C:\WINDOWS\system32\0wQsPcwK.exe
    C:\WINDOWS\system32\INT13EXT.VXD
    C:\WINDOWS\system32\rrt_is.wav
    C:\WINDOWS\system32\rrt_vf.wav
    C:\WINDOWS\system32\rrt_tv.wav
    C:\WINDOWS\system32\rrt_tn.wav 
    Please post the combofix log the new MBAM log and a new HJT log.

    Let me know about those files.

    Thanks
    Geri

    I see you have P2P software ( Limewire, BitTorrent uTorrent etc… ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

    Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

References for the risk of these programs are here, here and here.

    I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

    Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at Windowsbbs Malware and Virus removal.
     
    Geri,
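The check Geri makes above (an MBAM log whose entries read "No action taken" means the Remove Selected step was skipped) can be automated. This is an added example, not code from the thread or from Malwarebytes: a small parser for the MBAM 1.x log format posted here that lists unresolved detections, notes whether a "Delete on reboot" entry still needs the restart, and verifies the header counts against the listed items. The sample log is constructed from entries in the posted logs.

```python
"""Added example (not from the thread): read a Malwarebytes' Anti-Malware 1.x
log and flag detections that were left as "No action taken"."""
import re
from dataclasses import dataclass

# Constructed sample, modelled on the MBAM 1.25 logs posted in the thread.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

Scan type: Full Scan (C:\|)
Objects scanned: 125321

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\VXTOmCJk.dll.vir (Trojan.BHO) -> Delete on reboot.
C:\WINDOWS\system32\0wQsPcwK.exe.a_a (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\vxto7cj3.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
"""

# "Registry Keys Infected: 5" is a summary count; "Registry Keys Infected:" opens a section.
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# "<item> (<detection name>) -> <action>."
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<action>[^.]+)\.$")


@dataclass(frozen=True)
class Detection:
    section: str
    item: str
    name: str
    action: str

    @property
    def resolved(self) -> bool:
        # Anything other than "No action taken" means MBAM acted on the item
        # ("Delete on reboot" still needs the restart, but is not pending user action).
        return self.action != "No action taken"


def parse_mbam_log(text: str):
    """Return (summary counts by section, list of Detection) from an MBAM 1.x log."""
    summary, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()  # logs pasted into a forum carry leading spaces
        if not line:
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m["section"]] = int(m["count"])
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["section"]
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append(Detection(section, m["item"], m["name"], m["action"]))
    return summary, detections


def count_mismatches(summary: dict, detections: list) -> dict:
    """Sections whose header count differs from the items actually listed
    (a sign of a truncated or hand-edited log). Maps section -> (claimed, listed)."""
    listed = {}
    for d in detections:
        listed[d.section] = listed.get(d.section, 0) + 1
    return {s: (n, listed.get(s, 0)) for s, n in summary.items() if listed.get(s, 0) != n}


def review(text: str) -> dict:
    """Summarise a log the way a helper reads it before replying."""
    summary, detections = parse_mbam_log(text)
    return {
        "pending": [f"{d.item} ({d.name})" for d in detections if not d.resolved],
        "reboot_required": any(d.action == "Delete on reboot" for d in detections),
        "count_mismatches": count_mismatches(summary, detections),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for entry in result["pending"]:
        print("still pending (run Remove Selected):", entry)
    print("restart required:", result["reboot_required"])
    print("count mismatches:", result["count_mismatches"] or "none")
```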
  7. 2008/08/20
    JonG86

    JonG86 Inactive Thread Starter

    Joined:
    2008/08/17
    Messages:
    6
    Likes Received:
    0
    Again, many thanks for the quick reply. The files you mentioned are my film making files and also my EXE backups taken from my portable hard drive, they will be removed by tomorrow but don't pose any kind of threat.

I removed the P2P programs as per your instruction; I would hate to lose such a valuable source of information as this because of something I rarely use anyway.

    The Malware log I posted was an old one :eek:

    Here is the new one with the combofix log and the new hijack this log:

    ----------------------------------------------------------------------------------------------------

    MBAM


    Malwarebytes' Anti-Malware 1.25
    Database version: 1062
    Windows 5.1.2600 Service Pack 2

    19:07:19 20/08/2008
    mbam-log-08-20-2008 (19-07-19).txt

    Scan type: Full Scan (C:\|)
    Objects scanned: 125432
    Time elapsed: 33 minute(s), 36 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 0

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    (No malicious items detected)

    ----------------------------------------------------------------------------------------------------

    Combofix Log:

    ComboFix 08-08-19.02 - Jon 2008-08-20 19:11:04.5 - NTFSx86

    Running from: C:\Documents and Settings\Jon\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Jon\Desktop\CFScript.txt

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\0wQsPcwK.exe
    C:\WINDOWS\system32\drivers\ptgor.sys
    C:\WINDOWS\system32\INT13EXT.VXD
    C:\WINDOWS\system32\rrt_is.wav
    C:\WINDOWS\system32\rrt_tn.wav
    C:\WINDOWS\system32\rrt_tv.wav
    C:\WINDOWS\system32\rrt_vf.wav
    C:\WINDOWS\system32\vxto7cj3.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\0wQsPcwK.exe
    C:\WINDOWS\system32\INT13EXT.VXD
    C:\WINDOWS\system32\rrt_is.wav
    C:\WINDOWS\system32\rrt_tn.wav
    C:\WINDOWS\system32\rrt_tv.wav
    C:\WINDOWS\system32\rrt_vf.wav
    C:\WINDOWS\system32\vxto7cj3.exe

    .
    ((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
    .

    2008-08-17 21:21 . 2008-08-17 21:21 <DIR> d-------- C:\Program Files\Panda Security
    2008-08-17 21:21 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
    2008-08-17 21:20 . 2008-08-17 21:20 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2008-08-17 21:07 . 2008-08-15 21:15 <DIR> d-------- C:\SDFix
    2008-08-17 20:19 . 2008-08-17 20:49 <DIR> d-------- C:\VundoFix Backups
    2008-08-17 19:18 . 2008-08-17 19:18 <DIR> d-------- C:\Program Files\Trend Micro
    2008-08-17 19:14 . 2008-08-17 19:14 <DIR> d-------- C:\Program Files\CleanUp!
    2008-08-17 15:58 . 2008-08-17 15:58 <DIR> d-------- C:\Program Files\Veetle
    2008-08-17 15:58 . 2008-08-17 15:59 48,396 --a------ C:\WINDOWS\UninstVeetleTVPlayer.exe
    2008-08-15 00:46 . 2008-08-15 00:49 <DIR> d-------- C:\My Pics
    2008-08-15 00:21 . 2008-08-15 01:00 <DIR> d-------- C:\Hopton drunk
    2008-08-15 00:19 . 2008-08-15 00:20 <DIR> d-------- C:\EXEs
    2008-08-15 00:00 . 2008-01-09 15:50 230,428,730 --a------ C:\bbstudent.avi
    2008-08-14 20:07 . 2008-08-14 20:07 <DIR> d-------- C:\Program Files\PC Inspector File Recovery
    2008-08-05 20:20 . 2005-11-10 19:54 402,944 -ra------ C:\WINDOWS\system32\drivers\BLKWGU.sys
    2008-08-03 22:21 . 2008-08-03 22:21 <DIR> d-------- C:\WINDOWS\{16D3778B-2A5E-481D-B7DC-FA4A68496C97}
    2008-07-27 13:29 . 2008-05-31 22:59 4,096 --ahs---- C:\Thumbs.db
    2008-07-27 13:26 . 2008-05-30 16:34 1 --ah----- C:\f339b4f8-146d-47ac-a5df-f6fd0713f770
    2008-07-27 13:26 . 2008-05-30 17:11 1 --ah----- C:\e3f91452-1541-4677-9bf1-8c746794078d
    2008-07-27 13:26 . 2008-05-30 16:23 1 --ah----- C:\b3326ca6-3843-4d99-b4e5-b1499dde18db
    2008-07-27 13:26 . 2008-05-30 16:23 1 --ah----- C:\ab142a8b-3c75-4e4b-8e8b-d6e295badac9
    2008-07-27 13:26 . 2008-05-30 16:54 1 --ah----- C:\a9679fed-50db-4665-ae2c-691be92b2d79
    2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\a5a8afaf-4f4c-4366-b7ea-bd4d2343d64d
    2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\a0e610f2-ee7d-45e9-a0e4-3a2aa19954d7
    2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\2dcd5038-37af-4090-bdb7-0c75f7d91576
    2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\22c35db8-d162-4a92-b534-9c039a99b804
    2008-07-27 01:50 . 2008-05-16 17:07 2,473,112,328 --a------ C:\MGBfinished.avi
    2008-07-26 22:24 . 2008-07-26 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis
    2008-07-26 21:54 . 2008-07-26 21:54 <DIR> d-------- C:\Program Files\GetData
    2008-07-26 21:31 . 2008-08-17 19:31 81,920 --a------ C:\WINDOWS\inform.dat
    2008-07-26 21:31 . 2008-07-26 21:31 2 --a------ C:\1417323579
    2008-07-26 21:22 . 2008-07-26 21:22 <DIR> d-------- C:\Program Files\Common Files\Acronis
    2008-07-26 21:22 . 2008-07-26 21:22 <DIR> d-------- C:\Program Files\Acronis
    2008-07-26 21:22 . 2008-07-26 21:22 97,248 --a------ C:\WINDOWS\system32\drivers\snapman.sys
    2008-07-26 20:58 . 2008-07-26 20:58 <DIR> d-------- C:\Program Files\PowerQuest
    2008-07-26 17:20 . 2008-08-19 17:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-07-26 17:20 . 2008-07-26 17:20 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\Malwarebytes
    2008-07-26 17:20 . 2008-07-26 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-07-26 17:20 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-07-26 17:20 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-07-26 15:16 . 2008-06-02 20:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2008-07-26 15:16 . 2008-07-26 15:16 <DIR> d-------- C:\Documents and Settings\Administrator
    2008-07-26 15:12 . 2008-07-26 15:12 <DIR> d-------- C:\WINDOWS\system32\NtmsData
    2008-07-24 19:32 . 2008-07-24 19:32 <DIR> d-------- C:\Program Files\BinaryBiz

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-20 16:50 --------- d-----w C:\Program Files\LimeWire
    2008-08-19 16:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-08-18 19:39 --------- d-----w C:\Documents and Settings\Jon\Application Data\OpenOffice.org2
    2008-08-17 18:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-08-17 18:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
    2008-08-17 18:27 --------- d-----w C:\Program Files\Symantec
    2008-08-17 17:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-14 19:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-08-10 14:51 --------- d-----w C:\Program Files\SopCast
    2008-08-10 14:46 --------- d-----w C:\Documents and Settings\Jon\Application Data\SopCast
    2008-08-05 19:25 --------- d-----w C:\Program Files\Belkin
    2008-08-01 15:26 --------- d-----w C:\Program Files\Bonjour
    2008-07-26 15:53 --------- d-----w C:\Documents and Settings\Jon\Application Data\Skype
    2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
    2008-06-30 19:34 --------- d-----w C:\Program Files\PKR
    2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
    2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
    2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
    2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
    2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
    2007-11-09 17:59 22,328 ----a-w C:\Documents and Settings\Jon\Application Data\PnkBstrK.sys
    2007-09-17 10:14 1,136 ----a-w C:\Documents and Settings\Jon\Application Data\filterclsid.dat
    .

    ((((((((((((((((((((((((((((( snapshot@2008-08-17_19.34.30.46 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2008-01-09 14:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
    + 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
    + 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Symantec PIF AlertEng "= "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
    "IntelliPoint "= "C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-16 00:41 163840]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.yv12 "= yv12vfw.dll
    "vidc.CDVC "= cdvccodc.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk
    backup=C:\WINDOWS\pss\Belkin Wireless USB Utility.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
    backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
    backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
    backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=C:\Documents and Settings\Jon\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
    --a--c--- 2005-12-29 11:22 543232 C:\Program Files\btbb_wcm\McciTrayApp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
    --a------ 2003-09-17 10:43 57344 C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX5000 Series]
    --a--c--- 2006-09-22 05:01 139264 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIBVE.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]
    --a--c--- 2006-07-31 20:00 19857408 C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
    --a--c--- 2007-02-27 15:55 937984 C:\Program Files\FileZilla Server\FileZilla Server Interface.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
    --a--c--- 2006-02-06 18:52 462935 C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    --a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2007-04-19 13:26 7700480 C:\WINDOWS\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
    --a--c--- 2007-01-22 17:22 81920 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    --a------ 2007-04-19 13:26 86016 C:\WINDOWS\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSSelectorReinstall]
    --a------ 2005-11-14 20:11 1544099 C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PKR Pal]
    --a------ 2008-06-29 23:41 2273896 C:\Program Files\PKR\pkrpal.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
    --a------ 2005-06-28 20:15 642560 c:\Program Files\PowerStrip\pstrip.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    -ra------ 2007-09-13 13:31 22880040 C:\Program Files\Skype\Phone\Skype.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    --a------ 2008-01-02 14:02 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    -----c--- 2000-05-11 01:00 90112 C:\WINDOWS\Updreg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    --a------ 2005-08-31 17:11 2478080 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
    --a--c--- 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
    --a------ 2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
    --a------ 2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring "=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring "=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe "=
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
    "C:\\Program Files\\MSN Messenger\\livecall.exe "=
    "C:\\Program Files\\PPMate\\PPMate\\ppmate.exe "=
    "C:\\Program Files\\PPLive\\PPLive.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe "=
    "C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
    "C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrA.exe "=
    "C:\\WINDOWS\\system32\\PnkBstrB.exe "=
    "C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe "=
    "C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
    "C:\\Program Files\\iTunes\\iTunes.exe "=
    "C:\\WINDOWS\\system32\\winver.exe "=
    "C:\\Program Files\\Skype\\Phone\\Skype.exe "=


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
    \Shell\AutoRun\command - D:\Launch.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d16fcb4-e973-11dc-8036-00173fc657ea}]
    \Shell\AutoRun\command - E:\setupSNK.exe

    *Newly Created Service* - CATCHME
    .
    Contents of the 'Scheduled Tasks' folder
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-20 19:13:22
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-08-20 19:14:25
    ComboFix-quarantined-files.txt 2008-08-20 18:13:53
    ComboFix2.txt 2008-08-19 18:55:03
    ComboFix3.txt 2008-08-19 18:26:36
    ComboFix4.txt 2008-08-19 17:41:25
    ComboFix5.txt 2008-08-20 18:10:45

    Pre-Run: 91,379,220,480 bytes free
    Post-Run: 91,366,699,008 bytes free

    237 --- E O F --- 2008-08-14 19:34:47

    ----------------------------------------------------------------------------------------------------

    Hijackthis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 19:14:55, on 20/08/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\system32\CTsvcCDA.exe
    C:\Program Files\FileZilla Server\FileZilla Server.exe
    C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skybroadband.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.skybroadband.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-21-776561741-162531612-682003330-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
    O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {2BE6A92D-D51C-4659-B372-BB18C99BC439} - http://www.ppmate.com/search/downcab.jsp
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
    O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
    O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

    --
    End of file - 7380 bytes

    ----------------------------------------------------------------------------------------------------

    The problem is still persisting and I am now certain it is related to Iexplorer as the warning box popped up long enough for me to see what it said.
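A small triage pass over the log formats quoted above, added here as an example and not a tool from this thread or from the HijackThis/ComboFix authors: it flags O23 services whose binary is missing or has no recorded owner, other entries marked "(file missing)", AutoRun commands registered under MountPoints2, and Security Center "DisableMonitoring" keys (worth a look after an incomplete Norton uninstall). The sample lines are constructed from the logs posted above.

```python
"""Triage helper for HijackThis / ComboFix log lines (added example)."""
import re

# Constructed sample in the format of the logs posted above (not a full log).
SAMPLE_LOG = r"""
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Launch.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring "=dword:00000001
"""

# HijackThis O23 line: "O23 - Service: <name> - <owner> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# ComboFix registry dump: "[<key>]" headers followed by value lines
REG_KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
AUTORUN_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$")
# The forum rendering above shows a stray space before the closing quote of
# "DisableMonitoring"; the pattern tolerates both spellings.
DISABLE_RE = re.compile(r'^"DisableMonitoring\s*"\s*=\s*dword:0*1$')


def triage(log_text):
    """Return a list of (kind, detail, reason) tuples for lines worth a look."""
    findings = []
    current_key = ""  # last registry key header seen, lower-cased
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group("key").lower()
            continue
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m.group("missing"):
                reasons.append("binary missing")
            if m.group("owner") == "Unknown owner":
                reasons.append("no owner recorded")
            if reasons:
                findings.append(("service", m.group("name"), "; ".join(reasons)))
            continue
        if line.endswith("(file missing)"):
            findings.append(("entry", line, "referenced file missing"))
            continue
        m = AUTORUN_RE.match(line)
        if m and "mountpoints2" in current_key:
            drive = current_key.rsplit("\\", 1)[-1]
            findings.append(("autorun", m.group("cmd"),
                             "AutoRun command on drive key " + drive))
            continue
        if DISABLE_RE.match(line) and r"security center\monitoring" in current_key:
            findings.append(("security-center", current_key, "monitoring disabled"))
    return findings


if __name__ == "__main__":
    for kind, detail, reason in triage(SAMPLE_LOG):
        print(f"[{kind}] {detail} -> {reason}")
```

Flagged entries are leads for a human to check, not verdicts: PnkBstrA (PunkBuster) and the leftover Symantec keys are expected on this machine.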
     
  8. 2008/08/20
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi JonG86
    OK, there is nothing showing in the logs, so let's get an on-line scan and see if it shows anything.

    Please do this.

    Download ATF Cleaner by Atribune and save it to your Desktop.
    This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
    Double click ATF-Cleaner.exe to run the program.
    Check the boxes to the left of:

    Windows Temp
    Current User Temp
    All Users Temp
    Cookies
    Temporary Internet Files
    Prefetch
    Java Cache
    Recycle bin


    The rest are optional - if you want it to remove everything check "Select All".
    Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

    Now the scan.

    Please do an online scan with Kaspersky WebScanner

    Click on "Accept" if your pop-up blocker blocks any windows from opening.

    Click Run on the window that opens.
    Windows Vista users you must open the web browser using the Run as Administrator command.
    • The program will launch and then begin downloading the latest definition files:
    • Under Scan on the left side, click on My Computer.
    • This will start the program and scan your system.
    • Click the "Scan Report" On the left side.
    • The scan will take a while so be patient and let it run.
    • Once the scan is complete it will display if your system has been infected.
    • Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type, Text file. Click OK to save the file.
    • Save the text file to your desktop.
    • Copy and paste that information in your next post.

    Please post the Kaspersky results.

    Thanks
    Geri
     
    Geri,
    #7
  9. 2008/08/21
    JonG86

    JonG86 Inactive Thread Starter

    Joined:
    2008/08/17
    Messages:
    6
    Likes Received:
    0
    Kaspersky found one infected file

    Thursday, August 21, 2008
    Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
    Kaspersky Online Scanner 7 version: 7.0.25.0
    Program database last update: Thursday, August 21, 2008 18:29:12
    Records in database: 1121564
    Scan settings
    Scan using the following database extended
    Scan archives yes
    Scan mail databases yes
    Scan area Critical Areas
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    C:\Documents and Settings\Jon\Start Menu\Programs\Startup
    C:\Program Files
    C:\WINDOWS
    Scan statistics
    Files scanned 72043
    Threat name 1
    Infected objects 1
    Suspicious objects 0
    Duration of the scan 02:19:04

    File name Threat name Threats count
    C:\Program Files\PKR\pkr.exe Infected: not-a-virus:Monitor.Win32.PKRPoker.b 1
     
  10. 2008/08/21
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi JonG86

    C:\Program Files\PKR\pkr.exe
    pkr.exe is a bootstrapper.exe belonging to PKR 3D Poker from PKR Ltd
    Do you use this?

    If not, then delete "PKR 3D Poker" from add/remove if it is listed, and then delete this folder:
    C:\Program Files\PKR

    Is this what the name is on the warning? Or did you type that in, and can you see anything else it might be saying?

    Iexplorer

    Thanks
    Geri
     
    Geri,
    #9
  11. 2008/08/21
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi JonG86
    Because you uninstalled Norton we need to run their uninstall tool. Just deleting from add/remove programs does not do a very clean uninstall.

    Go here and run the Norton Removal Tool for the product version you had.

    http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

    Then check to see if you still get the warning message.

    After doing the above, make sure you download AVG if that is the one you are going with at this time; it is not good to be running with no AV.

    Geri
     
