Strange Virus I haven't seen before

JonG86 · 2008/08/18

I removed a Sasser virus from my computer just last week and thought all was going well until I uninstalled my out of date Norton and tried to install AVG until I can get a new full anti virus. During the install AVG tried to auto close several programs but could not close an instance of Iexplorer, which I couldn't understand as I didn't have any instances running.

Also hyperlinks and drop down boxes stopped working correctly on websites that I frequent. Then I noticed that task manager and system restore had both been disabled (an ominous sign in my books).

On top of these two symptoms for some reason when I have a program running in the main window it will suddenly be minimized, closed or de-selected without warning so while I could be typing on the screen nothing is typing on the forum (It took me an extra 2 minutes to type this message out because of this strange effect).

I have noticed that a warning box does pop up every now and again but I am not sure what it says as it disappears rapidly (although I am sure it says something about Iexplorer).

I did the virus scan recommended on the forum (panda scan) and it found and disinfected a trojan virus, however the problem still remains (spybot and Malware have both been run as well).

Here are the HijackThis! logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:32:19, on 18/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\vxto7cj3.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skybroadband.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.skybroadband.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {930247B4-16BE-48d2-87DD-86D7FB314639} - (no file)
O2 - BHO: solution Class - {99C6D1BB-7555-474C-91DA-D8FB62A9CC75} - C:\WINDOWS\system32\VXTOmCJk.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-776561741-162531612-682003330-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BE6A92D-D51C-4659-B372-BB18C99BC439} - http://www.ppmate.com/search/downcab.jsp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Geri · 2008/08/18

Hi JonG86
Welcome to Windowsbbs.

You said you ran Malwarebytes' Anti-Malware ? If so did you make sure you updated it before you ran it?
If not please update it and run. and post the log.

Please do the following in the order given.

Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {930247B4-16BE-48d2-87DD-86D7FB314639} - (no file)
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

Now close all windows other than HiJackThis, then click Fix Checked.

Close HJT.

Now do this.

Download ComboFix from Here to your Desktop.

It's best to disable realtime protection applications as they sometimes interfere with the tool.
Check this link for any applicable programs you may have.

Close all open programs and windows

Double click combofix.exe and follow the prompts.

Vista users right click Combofix.exe and select Run As Administrator.

When finished, it shall produce a log for you. Post the Combofix log

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Note - ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.

Note - Combofix makes some changes when run to prevent autorun/autoplay of ALL CDs, floppies and USB devices, to assist with malware removal & increase security. If this is an issue or makes it difficult for you to use those devices, please ask how to reset it.

Please post the combofix log and the MBAM log (if it's a new one).

Thanks
Geri

JonG86 · 2008/08/19

Thanks for your quick reply.

Combofix log:

ComboFix 08-08-18.05 - Jon 2008-08-19 18:37:53.2 - NTFSx86

Running from: C:\Documents and Settings\Jon\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Jon\Application Data\macromedia\Flash Player\#SharedObjects\RWAXN3ZC\interclick.com
C:\Documents and Settings\Jon\Application Data\macromedia\Flash Player\#SharedObjects\RWAXN3ZC\interclick.com\ud.sol
C:\Documents and Settings\Jon\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Jon\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Jon\UserData
C:\Documents and Settings\Jon\UserData\index.dat
C:\Documents and Settings\Jon\UserData\S5IB4HI7\oXMLStore[1].xml
C:\WINDOWS\system32\VXTOmCJk.dll

.
((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 )))))))))))))))))))))))))))))))
.

2008-08-17 21:21 . 2008-08-17 21:21 <DIR> d-------- C:\Program Files\Panda Security
2008-08-17 21:21 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-17 21:20 . 2008-08-17 21:20 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-08-17 21:07 . 2008-08-15 21:15 <DIR> d-------- C:\SDFix
2008-08-17 20:19 . 2008-08-17 20:49 <DIR> d-------- C:\VundoFix Backups
2008-08-17 19:18 . 2008-08-17 19:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-17 19:14 . 2008-08-17 19:14 <DIR> d-------- C:\Program Files\CleanUp!
2008-08-17 15:58 . 2008-08-17 15:58 <DIR> d-------- C:\Program Files\Veetle
2008-08-17 15:58 . 2008-08-17 15:59 48,396 --a------ C:\WINDOWS\UninstVeetleTVPlayer.exe
2008-08-15 00:54 . 2008-08-15 00:54 0 --a------ C:\WINDOWS\system32\vxto7cj3.exe.a_a
2008-08-15 00:46 . 2008-08-15 00:49 <DIR> d-------- C:\My Pics
2008-08-15 00:21 . 2008-08-15 01:00 <DIR> d-------- C:\Hopton drunk
2008-08-15 00:19 . 2008-08-15 00:20 <DIR> d-------- C:\EXEs
2008-08-15 00:00 . 2008-01-09 15:50 230,428,730 --a------ C:\bbstudent.avi
2008-08-14 22:04 . 2008-08-17 18:21 80,898 --a------ C:\WINDOWS\system32\vxto7cj3.exe
2008-08-14 21:48 . 2008-08-14 21:47 29,760 --a------ C:\WINDOWS\system32\0wQsPcwK.exe
2008-08-14 21:48 . 2008-08-14 21:48 0 --a------ C:\WINDOWS\system32\0wQsPcwK.exe.a_a
2008-08-14 20:07 . 2008-08-14 20:07 <DIR> d-------- C:\Program Files\PC Inspector File Recovery
2008-08-14 20:07 . 2002-02-18 18:40 6,200 --a------ C:\WINDOWS\system32\INT13EXT.VXD
2008-08-05 20:20 . 2005-11-10 19:54 402,944 -ra------ C:\WINDOWS\system32\drivers\BLKWGU.sys
2008-08-03 22:41 . 2008-08-03 22:41 16,244 --a------ C:\WINDOWS\system32\rrt_is.wav
2008-08-03 22:41 . 2008-08-03 22:41 7,302 --a------ C:\WINDOWS\system32\rrt_vf.wav
2008-08-03 22:41 . 2008-08-03 22:41 7,148 --a------ C:\WINDOWS\system32\rrt_tv.wav
2008-08-03 22:41 . 2008-08-03 22:41 6,282 --a------ C:\WINDOWS\system32\rrt_tn.wav
2008-08-03 22:21 . 2008-08-03 22:21 <DIR> d-------- C:\WINDOWS\{16D3778B-2A5E-481D-B7DC-FA4A68496C97}
2008-07-27 13:29 . 2008-05-31 22:59 4,096 --ahs---- C:\Thumbs.db
2008-07-27 13:26 . 2008-05-30 16:34 1 --ah----- C:\f339b4f8-146d-47ac-a5df-f6fd0713f770
2008-07-27 13:26 . 2008-05-30 17:11 1 --ah----- C:\e3f91452-1541-4677-9bf1-8c746794078d
2008-07-27 13:26 . 2008-05-30 16:23 1 --ah----- C:\b3326ca6-3843-4d99-b4e5-b1499dde18db
2008-07-27 13:26 . 2008-05-30 16:23 1 --ah----- C:\ab142a8b-3c75-4e4b-8e8b-d6e295badac9
2008-07-27 13:26 . 2008-05-30 16:54 1 --ah----- C:\a9679fed-50db-4665-ae2c-691be92b2d79
2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\a5a8afaf-4f4c-4366-b7ea-bd4d2343d64d
2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\a0e610f2-ee7d-45e9-a0e4-3a2aa19954d7
2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\2dcd5038-37af-4090-bdb7-0c75f7d91576
2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\22c35db8-d162-4a92-b534-9c039a99b804
2008-07-27 01:50 . 2008-05-16 17:07 2,473,112,328 --a------ C:\MGBfinished.avi
2008-07-26 22:24 . 2008-07-26 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2008-07-26 21:54 . 2008-07-26 21:54 <DIR> d-------- C:\Program Files\GetData
2008-07-26 21:31 . 2008-08-17 19:31 81,920 --a------ C:\WINDOWS\inform.dat
2008-07-26 21:31 . 2008-07-26 21:31 2 --a------ C:\1417323579
2008-07-26 21:22 . 2008-07-26 21:22 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-07-26 21:22 . 2008-07-26 21:22 <DIR> d-------- C:\Program Files\Acronis
2008-07-26 21:22 . 2008-07-26 21:22 97,248 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-07-26 20:58 . 2008-07-26 20:58 <DIR> d-------- C:\Program Files\PowerQuest
2008-07-26 17:20 . 2008-08-19 17:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-26 17:20 . 2008-07-26 17:20 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\Malwarebytes
2008-07-26 17:20 . 2008-07-26 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-26 17:20 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-26 17:20 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-26 15:16 . 2008-06-02 20:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-07-26 15:16 . 2008-07-26 15:16 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-26 15:12 . 2008-07-26 15:12 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-24 19:32 . 2008-07-24 19:32 <DIR> d-------- C:\Program Files\BinaryBiz

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 16:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-18 19:39 --------- d-----w C:\Documents and Settings\Jon\Application Data\OpenOffice.org2
2008-08-17 19:16 --------- d-----w C:\Documents and Settings\Jon\Application Data\uTorrent
2008-08-17 18:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-17 18:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-17 18:27 --------- d-----w C:\Program Files\Symantec
2008-08-17 17:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-14 19:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-10 14:51 --------- d-----w C:\Program Files\SopCast
2008-08-10 14:46 --------- d-----w C:\Documents and Settings\Jon\Application Data\SopCast
2008-08-05 19:25 --------- d-----w C:\Program Files\Belkin
2008-08-01 15:26 --------- d-----w C:\Program Files\Bonjour
2008-07-26 15:53 --------- d-----w C:\Documents and Settings\Jon\Application Data\Skype
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-30 19:34 --------- d-----w C:\Program Files\PKR
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2007-11-09 17:59 22,328 ----a-w C:\Documents and Settings\Jon\Application Data\PnkBstrK.sys
2007-09-17 10:14 1,136 ----a-w C:\Documents and Settings\Jon\Application Data\filterclsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-17_19.34.30.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-09 14:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng "= "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"IntelliPoint "= "C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-16 00:41 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12 "= yv12vfw.dll
"vidc.CDVC "= cdvccodc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk
backup=C:\WINDOWS\pss\Belkin Wireless USB Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Jon\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
--a--c--- 2005-12-29 11:22 543232 C:\Program Files\btbb_wcm\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2003-09-17 10:43 57344 C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX5000 Series]
--a--c--- 2006-09-22 05:01 139264 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIBVE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]
--a--c--- 2006-07-31 20:00 19857408 C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
--a--c--- 2007-02-27 15:55 937984 C:\Program Files\FileZilla Server\FileZilla Server Interface.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a--c--- 2006-02-06 18:52 462935 C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-19 13:26 7700480 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a--c--- 2007-01-22 17:22 81920 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-19 13:26 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSSelectorReinstall]
--a------ 2005-11-14 20:11 1544099 C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PKR Pal]
--a------ 2008-06-29 23:41 2273896 C:\Program Files\PKR\pkrpal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
--a------ 2005-06-28 20:15 642560 c:\Program Files\PowerStrip\pstrip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-09-13 13:31 22880040 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-02 14:02 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
-----c--- 2000-05-11 01:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-08-31 17:11 2478080 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a--c--- 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
"C:\\Program Files\\MSN Messenger\\livecall.exe "=
"C:\\Program Files\\PPMate\\PPMate\\ppmate.exe "=
"C:\\Program Files\\PPLive\\PPLive.exe "=
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe "=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
"C:\\Program Files\\LimeWire\\LimeWire.exe "=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe "=
"C:\\WINDOWS\\system32\\PnkBstrA.exe "=
"C:\\WINDOWS\\system32\\PnkBstrB.exe "=
"C:\\Program Files\\uTorrent\\uTorrent.exe "=
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe "=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
"C:\\Program Files\\iTunes\\iTunes.exe "=
"C:\\WINDOWS\\system32\\winver.exe "=
"C:\\Program Files\\Skype\\Phone\\Skype.exe "=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d16fcb4-e973-11dc-8036-00173fc657ea}]
\Shell\AutoRun\command - E:\setupSNK.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9988775D-4368-4857-871A-D01D66CA3A71}]
rundll32 dcrick.dll,InitO
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\k7jyfkq4.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/
.
.
------- File Associations (Beta) -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1 "
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 18:40:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-19 18:41:24
ComboFix-quarantined-files.txt 2008-08-19 17:41:09
ComboFix2.txt 2008-08-17 18:34:54

Pre-Run: 91,436,408,832 bytes free
Post-Run: 91,426,058,240 bytes free

249 --- E O F --- 2008-08-14 19:34:47

Malware log after the scan:

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

19:20:57 19/08/2008
mbam-log-08-19-2008 (19-20-57).txt

Scan type: Full Scan (C:\|)
Objects scanned: 125321
Time elapsed: 27 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9988775d-4368-4857-871a-d01d66ca3a71} (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\VXTOmCJk.dll.vir (Trojan.BHO) -> Delete on reboot.
C:\System Volume Information\_restore{12F93191-5295-4DC8-9D2E-4D7A78D90D75}\RP39\A0011990.dll (Trojan.BHO) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\0wQsPcwK.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vxto7cj3.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

JonG86 · 2008/08/19

Thanks for the quick reply.

Combofix log:

ComboFix 08-08-18.05 - Jon 2008-08-19 19:52:55.4 - NTFSx86

Running from: C:\Documents and Settings\Jon\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-19 to 2008-08-19 )))))))))))))))))))))))))))))))
.

2008-08-19 19:21 . 2008-08-19 19:21 61,440 --a------ C:\WINDOWS\system32\drivers\ptgor.sys
2008-08-17 21:21 . 2008-08-17 21:21 <DIR> d-------- C:\Program Files\Panda Security
2008-08-17 21:21 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-17 21:20 . 2008-08-17 21:20 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-08-17 21:07 . 2008-08-15 21:15 <DIR> d-------- C:\SDFix
2008-08-17 20:19 . 2008-08-17 20:49 <DIR> d-------- C:\VundoFix Backups
2008-08-17 19:18 . 2008-08-17 19:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-17 19:14 . 2008-08-17 19:14 <DIR> d-------- C:\Program Files\CleanUp!
2008-08-17 15:58 . 2008-08-17 15:58 <DIR> d-------- C:\Program Files\Veetle
2008-08-17 15:58 . 2008-08-17 15:59 48,396 --a------ C:\WINDOWS\UninstVeetleTVPlayer.exe
2008-08-15 00:46 . 2008-08-15 00:49 <DIR> d-------- C:\My Pics
2008-08-15 00:21 . 2008-08-15 01:00 <DIR> d-------- C:\Hopton drunk
2008-08-15 00:19 . 2008-08-15 00:20 <DIR> d-------- C:\EXEs
2008-08-15 00:00 . 2008-01-09 15:50 230,428,730 --a------ C:\bbstudent.avi
2008-08-14 22:04 . 2008-08-17 18:21 80,898 --a------ C:\WINDOWS\system32\vxto7cj3.exe
2008-08-14 21:48 . 2008-08-14 21:47 29,760 --a------ C:\WINDOWS\system32\0wQsPcwK.exe
2008-08-14 20:07 . 2008-08-14 20:07 <DIR> d-------- C:\Program Files\PC Inspector File Recovery
2008-08-14 20:07 . 2002-02-18 18:40 6,200 --a------ C:\WINDOWS\system32\INT13EXT.VXD
2008-08-05 20:20 . 2005-11-10 19:54 402,944 -ra------ C:\WINDOWS\system32\drivers\BLKWGU.sys
2008-08-03 22:41 . 2008-08-03 22:41 16,244 --a------ C:\WINDOWS\system32\rrt_is.wav
2008-08-03 22:41 . 2008-08-03 22:41 7,302 --a------ C:\WINDOWS\system32\rrt_vf.wav
2008-08-03 22:41 . 2008-08-03 22:41 7,148 --a------ C:\WINDOWS\system32\rrt_tv.wav
2008-08-03 22:41 . 2008-08-03 22:41 6,282 --a------ C:\WINDOWS\system32\rrt_tn.wav
2008-08-03 22:21 . 2008-08-03 22:21 <DIR> d-------- C:\WINDOWS\{16D3778B-2A5E-481D-B7DC-FA4A68496C97}
2008-07-27 13:29 . 2008-05-31 22:59 4,096 --ahs---- C:\Thumbs.db
2008-07-27 13:26 . 2008-05-30 16:34 1 --ah----- C:\f339b4f8-146d-47ac-a5df-f6fd0713f770
2008-07-27 13:26 . 2008-05-30 17:11 1 --ah----- C:\e3f91452-1541-4677-9bf1-8c746794078d
2008-07-27 13:26 . 2008-05-30 16:23 1 --ah----- C:\b3326ca6-3843-4d99-b4e5-b1499dde18db
2008-07-27 13:26 . 2008-05-30 16:23 1 --ah----- C:\ab142a8b-3c75-4e4b-8e8b-d6e295badac9
2008-07-27 13:26 . 2008-05-30 16:54 1 --ah----- C:\a9679fed-50db-4665-ae2c-691be92b2d79
2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\a5a8afaf-4f4c-4366-b7ea-bd4d2343d64d
2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\a0e610f2-ee7d-45e9-a0e4-3a2aa19954d7
2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\2dcd5038-37af-4090-bdb7-0c75f7d91576
2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\22c35db8-d162-4a92-b534-9c039a99b804
2008-07-27 01:50 . 2008-05-16 17:07 2,473,112,328 --a------ C:\MGBfinished.avi
2008-07-26 22:24 . 2008-07-26 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2008-07-26 21:54 . 2008-07-26 21:54 <DIR> d-------- C:\Program Files\GetData
2008-07-26 21:31 . 2008-08-17 19:31 81,920 --a------ C:\WINDOWS\inform.dat
2008-07-26 21:31 . 2008-07-26 21:31 2 --a------ C:\1417323579
2008-07-26 21:22 . 2008-07-26 21:22 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-07-26 21:22 . 2008-07-26 21:22 <DIR> d-------- C:\Program Files\Acronis
2008-07-26 21:22 . 2008-07-26 21:22 97,248 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-07-26 20:58 . 2008-07-26 20:58 <DIR> d-------- C:\Program Files\PowerQuest
2008-07-26 17:20 . 2008-08-19 17:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-26 17:20 . 2008-07-26 17:20 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\Malwarebytes
2008-07-26 17:20 . 2008-07-26 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-26 17:20 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-26 17:20 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-26 15:16 . 2008-06-02 20:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-07-26 15:16 . 2008-07-26 15:16 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-26 15:12 . 2008-07-26 15:12 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-24 19:32 . 2008-07-24 19:32 <DIR> d-------- C:\Program Files\BinaryBiz

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-19 16:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-18 19:39 --------- d-----w C:\Documents and Settings\Jon\Application Data\OpenOffice.org2
2008-08-17 19:16 --------- d-----w C:\Documents and Settings\Jon\Application Data\uTorrent
2008-08-17 18:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-17 18:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-17 18:27 --------- d-----w C:\Program Files\Symantec
2008-08-17 17:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-14 19:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-10 14:51 --------- d-----w C:\Program Files\SopCast
2008-08-10 14:46 --------- d-----w C:\Documents and Settings\Jon\Application Data\SopCast
2008-08-05 19:25 --------- d-----w C:\Program Files\Belkin
2008-08-01 15:26 --------- d-----w C:\Program Files\Bonjour
2008-07-26 15:53 --------- d-----w C:\Documents and Settings\Jon\Application Data\Skype
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-30 19:34 --------- d-----w C:\Program Files\PKR
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2007-11-09 17:59 22,328 ----a-w C:\Documents and Settings\Jon\Application Data\PnkBstrK.sys
2007-09-17 10:14 1,136 ----a-w C:\Documents and Settings\Jon\Application Data\filterclsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-17_19.34.30.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-09 14:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng "= "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"IntelliPoint "= "C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-16 00:41 163840]
"Malwarebytes Anti-Malware (reboot) "= "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" [2008-08-17 15:01 1195640]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12 "= yv12vfw.dll
"vidc.CDVC "= cdvccodc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk
backup=C:\WINDOWS\pss\Belkin Wireless USB Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Jon\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
--a--c--- 2005-12-29 11:22 543232 C:\Program Files\btbb_wcm\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2003-09-17 10:43 57344 C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX5000 Series]
--a--c--- 2006-09-22 05:01 139264 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIBVE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]
--a--c--- 2006-07-31 20:00 19857408 C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
--a--c--- 2007-02-27 15:55 937984 C:\Program Files\FileZilla Server\FileZilla Server Interface.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a--c--- 2006-02-06 18:52 462935 C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-19 13:26 7700480 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a--c--- 2007-01-22 17:22 81920 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-19 13:26 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSSelectorReinstall]
--a------ 2005-11-14 20:11 1544099 C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PKR Pal]
--a------ 2008-06-29 23:41 2273896 C:\Program Files\PKR\pkrpal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
--a------ 2005-06-28 20:15 642560 c:\Program Files\PowerStrip\pstrip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-09-13 13:31 22880040 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-02 14:02 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
-----c--- 2000-05-11 01:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-08-31 17:11 2478080 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a--c--- 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall "= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
"C:\\Program Files\\MSN Messenger\\livecall.exe "=
"C:\\Program Files\\PPMate\\PPMate\\ppmate.exe "=
"C:\\Program Files\\PPLive\\PPLive.exe "=
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe "=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
"C:\\Program Files\\LimeWire\\LimeWire.exe "=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe "=
"C:\\WINDOWS\\system32\\PnkBstrA.exe "=
"C:\\WINDOWS\\system32\\PnkBstrB.exe "=
"C:\\Program Files\\uTorrent\\uTorrent.exe "=
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe "=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
"C:\\Program Files\\iTunes\\iTunes.exe "=
"C:\\WINDOWS\\system32\\winver.exe "=
"C:\\Program Files\\Skype\\Phone\\Skype.exe "=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d16fcb4-e973-11dc-8036-00173fc657ea}]
\Shell\AutoRun\command - E:\setupSNK.exe
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Jon\Application Data\Mozilla\Firefox\Profiles\k7jyfkq4.default\
FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.co.uk/
.
.
------- File Associations (Beta) -------
.
inifile=%SystemRoot%\System32\NOTEPAD.EXE %1 "
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-19 19:53:57
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-19 19:55:02
ComboFix-quarantined-files.txt 2008-08-19 18:54:33
ComboFix2.txt 2008-08-19 18:26:36
ComboFix3.txt 2008-08-19 17:41:25
ComboFix4.txt 2008-08-17 18:34:54

Pre-Run: 91,410,984,960 bytes free
Post-Run: 91,399,847,936 bytes free

240 --- E O F --- 2008-08-14 19:34:47

Mbam log:

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

19:20:50 19/08/2008
mbam-log-08-19-2008 (19-20-47).txt

Scan type: Full Scan (C:\|)
Objects scanned: 125321
Time elapsed: 27 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\solution.solution (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\solution.solution.1 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{892b2785-b0d0-4aa2-ae6a-0ed60b00a979} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{00476c87-a276-49bf-86bc-ff005732430b} (Trojan.BHO) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9988775d-4368-4857-871a-d01d66ca3a71} (Trojan.Agent) -> No action taken.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\QooBox\Quarantine\C\WINDOWS\system32\VXTOmCJk.dll.vir (Trojan.BHO) -> No action taken.
C:\System Volume Information\_restore{12F93191-5295-4DC8-9D2E-4D7A78D90D75}\RP39\A0011990.dll (Trojan.BHO) -> No action taken.
C:\WINDOWS\system32\0wQsPcwK.exe.a_a (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\vxto7cj3.exe.a_a (Trojan.Agent) -> No action taken.

Geri · 2008/08/19

Hi JonG86
Ok you're not doing the step with MBAM to fix what it finds.
C:\WINDOWS\system32\0wQsPcwK.exe.a_a (Trojan.Agent) -> No action taken.

Here are the instructions to do that.

Launch Malwarebytes' Anti-Malware and click on the Update tab then click Check for updates.

If an update is found, it will download and install the latest version.

Once the program has loaded, select 'Perform Quick Scan', then click Scan.

The scan may take some time to finish,so please be patient.

When the scan is complete, click OK, then Show Results to view the results.

Make sure that everything is checked, and click Remove Selected.

When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note below)

The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.

Post the entire report in your next reply along with a fresh HijackThis log.

Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Do you know what these are? If you do not know please delete them.
C:\EXEs
C:\bbstudent.avi
C:\f339b4f8-146d-47ac-a5df-f6fd0713f770
C:\e3f91452-1541-4677-9bf1-8c746794078d
C:\b3326ca6-3843-4d99-b4e5-b1499dde18db
C:\ab142a8b-3c75-4e4b-8e8b-d6e295badac9
C:\a9679fed-50db-4665-ae2c-691be92b2d79
C:\a5a8afaf-4f4c-4366-b7ea-bd4d2343d64d
C:\a0e610f2-ee7d-45e9-a0e4-3a2aa19954d7
C:\2dcd5038-37af-4090-bdb7-0c75f7d91576
C:\22c35db8-d162-4a92-b534-9c039a99b804
C:\MGBfinished.avi

Now please do this.

Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button.
Click here to see how to use CFScript.txt
Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and another fresh HijackThis log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
Code:
File::
C:\WINDOWS\system32\drivers\ptgor.sys
C:\WINDOWS\system32\vxto7cj3.exe
C:\WINDOWS\system32\0wQsPcwK.exe
C:\WINDOWS\system32\INT13EXT.VXD
C:\WINDOWS\system32\rrt_is.wav
C:\WINDOWS\system32\rrt_vf.wav
C:\WINDOWS\system32\rrt_tv.wav
C:\WINDOWS\system32\rrt_tn.wav 
Please post the combofix log the new MBAM log and a new HJT log.

Let me know about those files.

Thanks
Geri

I see you have P2P software ( Limewire, BitTorrent uTorrent etc… ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares and their infections.

References for the risk of these programs are here,
here and here.

I would strongly recommend that you uninstall them, however that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

Note: Please be advised that continued use of these programs after being warned of the danger of infections from them, may result in the discontinued help of future cleaning of your system here at Windowsbbs Malware and Virus removal.

JonG86 · 2008/08/20

Again, many thanks for the quick reply. The files you mentioned are my film making files and also my EXE backups taken from my portable hard drive, they will be removed by tomorrow but don't pose any kind of threat.

I removed the P2P programs as per your instruction, I would hate to lose such a valuable source of information as this because of something I rarely use anyway.

The Malware log I posted was an old one

Here is the new one with the combofix log and the new hijack this log:

----------------------------------------------------------------------------------------------------

MBAM

Malwarebytes' Anti-Malware 1.25
Database version: 1062
Windows 5.1.2600 Service Pack 2

19:07:19 20/08/2008
mbam-log-08-20-2008 (19-07-19).txt

Scan type: Full Scan (C:\|)
Objects scanned: 125432
Time elapsed: 33 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

----------------------------------------------------------------------------------------------------

Combofix Log:

ComboFix 08-08-19.02 - Jon 2008-08-20 19:11:04.5 - NTFSx86

Running from: C:\Documents and Settings\Jon\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Jon\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\0wQsPcwK.exe
C:\WINDOWS\system32\drivers\ptgor.sys
C:\WINDOWS\system32\INT13EXT.VXD
C:\WINDOWS\system32\rrt_is.wav
C:\WINDOWS\system32\rrt_tn.wav
C:\WINDOWS\system32\rrt_tv.wav
C:\WINDOWS\system32\rrt_vf.wav
C:\WINDOWS\system32\vxto7cj3.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\0wQsPcwK.exe
C:\WINDOWS\system32\INT13EXT.VXD
C:\WINDOWS\system32\rrt_is.wav
C:\WINDOWS\system32\rrt_tn.wav
C:\WINDOWS\system32\rrt_tv.wav
C:\WINDOWS\system32\rrt_vf.wav
C:\WINDOWS\system32\vxto7cj3.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-20 to 2008-08-20 )))))))))))))))))))))))))))))))
.

2008-08-17 21:21 . 2008-08-17 21:21 <DIR> d-------- C:\Program Files\Panda Security
2008-08-17 21:21 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-08-17 21:20 . 2008-08-17 21:20 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-08-17 21:07 . 2008-08-15 21:15 <DIR> d-------- C:\SDFix
2008-08-17 20:19 . 2008-08-17 20:49 <DIR> d-------- C:\VundoFix Backups
2008-08-17 19:18 . 2008-08-17 19:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-17 19:14 . 2008-08-17 19:14 <DIR> d-------- C:\Program Files\CleanUp!
2008-08-17 15:58 . 2008-08-17 15:58 <DIR> d-------- C:\Program Files\Veetle
2008-08-17 15:58 . 2008-08-17 15:59 48,396 --a------ C:\WINDOWS\UninstVeetleTVPlayer.exe
2008-08-15 00:46 . 2008-08-15 00:49 <DIR> d-------- C:\My Pics
2008-08-15 00:21 . 2008-08-15 01:00 <DIR> d-------- C:\Hopton drunk
2008-08-15 00:19 . 2008-08-15 00:20 <DIR> d-------- C:\EXEs
2008-08-15 00:00 . 2008-01-09 15:50 230,428,730 --a------ C:\bbstudent.avi
2008-08-14 20:07 . 2008-08-14 20:07 <DIR> d-------- C:\Program Files\PC Inspector File Recovery
2008-08-05 20:20 . 2005-11-10 19:54 402,944 -ra------ C:\WINDOWS\system32\drivers\BLKWGU.sys
2008-08-03 22:21 . 2008-08-03 22:21 <DIR> d-------- C:\WINDOWS\{16D3778B-2A5E-481D-B7DC-FA4A68496C97}
2008-07-27 13:29 . 2008-05-31 22:59 4,096 --ahs---- C:\Thumbs.db
2008-07-27 13:26 . 2008-05-30 16:34 1 --ah----- C:\f339b4f8-146d-47ac-a5df-f6fd0713f770
2008-07-27 13:26 . 2008-05-30 17:11 1 --ah----- C:\e3f91452-1541-4677-9bf1-8c746794078d
2008-07-27 13:26 . 2008-05-30 16:23 1 --ah----- C:\b3326ca6-3843-4d99-b4e5-b1499dde18db
2008-07-27 13:26 . 2008-05-30 16:23 1 --ah----- C:\ab142a8b-3c75-4e4b-8e8b-d6e295badac9
2008-07-27 13:26 . 2008-05-30 16:54 1 --ah----- C:\a9679fed-50db-4665-ae2c-691be92b2d79
2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\a5a8afaf-4f4c-4366-b7ea-bd4d2343d64d
2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\a0e610f2-ee7d-45e9-a0e4-3a2aa19954d7
2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\2dcd5038-37af-4090-bdb7-0c75f7d91576
2008-07-27 13:26 . 2008-05-30 16:24 1 --ah----- C:\22c35db8-d162-4a92-b534-9c039a99b804
2008-07-27 01:50 . 2008-05-16 17:07 2,473,112,328 --a------ C:\MGBfinished.avi
2008-07-26 22:24 . 2008-07-26 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Acronis
2008-07-26 21:54 . 2008-07-26 21:54 <DIR> d-------- C:\Program Files\GetData
2008-07-26 21:31 . 2008-08-17 19:31 81,920 --a------ C:\WINDOWS\inform.dat
2008-07-26 21:31 . 2008-07-26 21:31 2 --a------ C:\1417323579
2008-07-26 21:22 . 2008-07-26 21:22 <DIR> d-------- C:\Program Files\Common Files\Acronis
2008-07-26 21:22 . 2008-07-26 21:22 <DIR> d-------- C:\Program Files\Acronis
2008-07-26 21:22 . 2008-07-26 21:22 97,248 --a------ C:\WINDOWS\system32\drivers\snapman.sys
2008-07-26 20:58 . 2008-07-26 20:58 <DIR> d-------- C:\Program Files\PowerQuest
2008-07-26 17:20 . 2008-08-19 17:51 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-26 17:20 . 2008-07-26 17:20 <DIR> d-------- C:\Documents and Settings\Jon\Application Data\Malwarebytes
2008-07-26 17:20 . 2008-07-26 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-26 17:20 . 2008-08-17 15:01 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-26 17:20 . 2008-08-17 15:01 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-26 15:16 . 2008-06-02 20:02 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2008-07-26 15:16 . 2008-07-26 15:16 <DIR> d-------- C:\Documents and Settings\Administrator
2008-07-26 15:12 . 2008-07-26 15:12 <DIR> d-------- C:\WINDOWS\system32\NtmsData
2008-07-24 19:32 . 2008-07-24 19:32 <DIR> d-------- C:\Program Files\BinaryBiz

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-20 16:50 --------- d-----w C:\Program Files\LimeWire
2008-08-19 16:45 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-08-18 19:39 --------- d-----w C:\Documents and Settings\Jon\Application Data\OpenOffice.org2
2008-08-17 18:38 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-17 18:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-08-17 18:27 --------- d-----w C:\Program Files\Symantec
2008-08-17 17:19 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-14 19:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-08-10 14:51 --------- d-----w C:\Program Files\SopCast
2008-08-10 14:46 --------- d-----w C:\Documents and Settings\Jon\Application Data\SopCast
2008-08-05 19:25 --------- d-----w C:\Program Files\Belkin
2008-08-01 15:26 --------- d-----w C:\Program Files\Bonjour
2008-07-26 15:53 --------- d-----w C:\Documents and Settings\Jon\Application Data\Skype
2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll
2008-06-30 19:34 --------- d-----w C:\Program Files\PKR
2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll
2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2007-11-09 17:59 22,328 ----a-w C:\Documents and Settings\Jon\Application Data\PnkBstrK.sys
2007-09-17 10:14 1,136 ----a-w C:\Documents and Settings\Jon\Application Data\filterclsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-08-17_19.34.30.46 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-01-09 14:01:48 118,784 ----a-w C:\WINDOWS\BDOSCAN8\bdupd.dll
+ 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\BDOSCAN8\ipsupd.dll
+ 2008-01-09 14:01:48 53,248 ----a-w C:\WINDOWS\bdoscandel.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec PIF AlertEng "= "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2007-11-28 20:51 583048]
"IntelliPoint "= "C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-16 00:41 163840]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.yv12 "= yv12vfw.dll
"vidc.CDVC "= cdvccodc.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dllschannel.dlldigest.dllmsnsspc.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin Wireless USB Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin Wireless USB Utility.lnk
backup=C:\WINDOWS\pss\Belkin Wireless USB Utility.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Desktop Help.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BT Broadband Desktop Help.lnk
backup=C:\WINDOWS\pss\BT Broadband Desktop Help.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package Menu.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package Menu.lnk
backup=C:\WINDOWS\pss\Picture Package Menu.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Picture Package VCD Maker.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Picture Package VCD Maker.lnk
backup=C:\WINDOWS\pss\Picture Package VCD Maker.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Jon^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\Jon\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_wcm_McciTrayApp]
--a--c--- 2005-12-29 11:22 543232 C:\Program Files\btbb_wcm\McciTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 13:00 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTSysVol]
--a------ 2003-09-17 10:43 57344 C:\Program Files\Creative\SB Live! 24-bit\Surround Mixer\CTSysVol.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus DX5000 Series]
--a--c--- 2006-09-22 05:01 139264 C:\WINDOWS\system32\spool\drivers\w32x86\3\E_FATIBVE.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eyeBeam SIP Client]
--a--c--- 2006-07-31 20:00 19857408 C:\Program Files\BT Broadband Talk Softphone\BTSoftphone.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FileZilla Server Interface]
--a--c--- 2007-02-27 15:55 937984 C:\Program Files\FileZilla Server\FileZilla Server Interface.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Motive SmartBridge]
--a--c--- 2006-02-06 18:52 462935 C:\PROGRA~1\BTHOME~1\Help\SMARTB~1\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
--a------ 2007-01-19 12:54 5674352 C:\Program Files\MSN Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-19 13:26 7700480 C:\WINDOWS\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVIDIA nTune]
--a--c--- 2007-01-22 17:22 81920 C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-04-19 13:26 86016 C:\WINDOWS\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OSSelectorReinstall]
--a------ 2005-11-14 20:11 1544099 C:\Program Files\Common Files\Acronis\Acronis Disk Director\oss_reinstall.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PKR Pal]
--a------ 2008-06-29 23:41 2273896 C:\Program Files\PKR\pkrpal.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PowerStrip]
--a------ 2005-06-28 20:15 642560 c:\Program Files\PowerStrip\pstrip.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-09-13 13:31 22880040 C:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-02 14:02 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
-----c--- 2000-05-11 01:00 90112 C:\WINDOWS\Updreg.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-08-31 17:11 2478080 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a--c--- 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
--a------ 2004-08-04 13:00 110592 C:\WINDOWS\system32\bthprops.cpl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-04-19 13:26 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P17Helper]
--a------ 2005-05-03 19:38 64512 C:\WINDOWS\system32\P17.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring "=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring "=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe "=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe "=
"C:\\Program Files\\MSN Messenger\\livecall.exe "=
"C:\\Program Files\\PPMate\\PPMate\\ppmate.exe "=
"C:\\Program Files\\PPLive\\PPLive.exe "=
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe "=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe "=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe "=
"C:\\WINDOWS\\system32\\PnkBstrA.exe "=
"C:\\WINDOWS\\system32\\PnkBstrB.exe "=
"C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe "=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe "=
"C:\\Program Files\\iTunes\\iTunes.exe "=
"C:\\WINDOWS\\system32\\winver.exe "=
"C:\\Program Files\\Skype\\Phone\\Skype.exe "=

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Launch.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9d16fcb4-e973-11dc-8036-00173fc657ea}]
\Shell\AutoRun\command - E:\setupSNK.exe

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-20 19:13:22
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-20 19:14:25
ComboFix-quarantined-files.txt 2008-08-20 18:13:53
ComboFix2.txt 2008-08-19 18:55:03
ComboFix3.txt 2008-08-19 18:26:36
ComboFix4.txt 2008-08-19 17:41:25
ComboFix5.txt 2008-08-20 18:10:45

Pre-Run: 91,379,220,480 bytes free
Post-Run: 91,366,699,008 bytes free

237 --- E O F --- 2008-08-14 19:34:47

----------------------------------------------------------------------------------------------------

Hijackthis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:14:55, on 20/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\FileZilla Server\FileZilla Server.exe
C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.skybroadband.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/...b/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,First Home Page = http://www.skybroadband.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll "
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe "
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-21-776561741-162531612-682003330-1004\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.skybroadband.com (file missing)
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {2BE6A92D-D51C-4659-B372-BB18C99BC439} - http://www.ppmate.com/search/downcab.jsp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 7380 bytes

----------------------------------------------------------------------------------------------------

The problem is still persisting and I am now certain it is related to Iexplorer as the warning box popped up long enough for me to see what it said.

Geri · 2008/08/20

Hi JonG86
OK there is nothing showing in the logs, so lets get a on-line scan and see if it shows anything.

Please do this.

Download ATF Cleaner by Atribune and save it to your Desktop.
This is a good tool to get rid of the temporary garbage you pick up while surfing the net.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
Recycle bin

The rest are optional - if you want it to remove everything check "Select All ".
Finally, click Empty Selected. When you get the "Done Cleaning" message, click OK.

Now the scan.

Please do an online scan with Kaspersky WebScanner

Click on "Accept" If your pop "“up blocker blocks any windows from opening.

Click Run on the window that opens.
Windows Vista users you must open the web browser using the Run as Administrator command.

The program will launch and then begin downloading the latest definition files:

Under Scan on the left side.Click on My Computer

This will start the program and scan your system.

Click the "Scan Report" On the left side.

The scan will take a while so be patient and let it run.

Once the scan is complete it will display if your system has been infected.

Click the Save Report As button, and in the Browse dialog box, type a name for the scan report file that you want to create and select its type Text file. Click OK to save the file.:

Save the text file to your desktop.

Copy and paste that information in your next post.

Please post the Kaspersky results.

Thanks
Geri

JonG86 · 2008/08/21

Kaspersky found one infected file

Thursday, August 21, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 21, 2008 18:29:12
Records in database: 1121564
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Critical Areas
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
C:\Documents and Settings\Jon\Start Menu\Programs\Startup
C:\Program Files
C:\WINDOWS
Scan statistics
Files scanned 72043
Threat name 1
Infected objects 1
Suspicious objects 0
Duration of the scan 02:19:04

File name Threat name Threats count
C:\Program Files\PKR\pkr.exe Infected: not-a-virus:Monitor.Win32.PKRPoker.b 1

Geri · 2008/08/21

Hi JonG86

C:\Program Files\PKR\pkr.exe
pkr.exe is a bootstrapper.exe belonging to PKR 3D Poker from PKR Ltd
Do you use this?

If not then delete "PKR 3D Poker" from add/remove if it is listed.
and then this folder.
C:\Program Files\PKR

Is this what the name is on the warning? or did you type that in and can you see anything else it might be saying?

Iexplorer

Thanks
Geri

Geri · 2008/08/21

Hi JonG86
Because you uninstalled Norton we need to run their uninstall tool. Just deleting from add/remove programs does not do a very clean uninstall.

Go here and run the Norton Removal Tool for the product version you had.

http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2005033108162039

Then check to see if you still get the warning message.

After doing the above make sure you download AVG if that is the one you are going with at this time, not good to be running with no AV.

Geri

Log in or Sign up

Strange Virus I haven't seen before

JonG86 Inactive Thread Starter

Geri Inactive Alumni

JonG86 Inactive Thread Starter

JonG86 Inactive Thread Starter

Geri Inactive Alumni

JonG86 Inactive Thread Starter

Geri Inactive Alumni

JonG86 Inactive Thread Starter

Geri Inactive Alumni

Geri Inactive Alumni

Share This Page

Log in or Sign up

Strange Virus I haven't seen before

JonG86 Inactive Thread Starter

Geri Inactive Alumni

JonG86 Inactive Thread Starter

JonG86 Inactive Thread Starter

Geri Inactive Alumni

JonG86 Inactive Thread Starter

Geri Inactive Alumni

JonG86 Inactive Thread Starter

Geri Inactive Alumni

Geri Inactive Alumni

Share This Page

Useful Searches