View Full Version : Cannot remove smitfraud-c
Herbidatious
2007-08-16, 14:54
Help somone, I have run spybot numerous times and it will not remove smitfraud-c, I have been told that this is a dangerous trojan. Please help. Thnx
Hi Herbidatious
Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HJTInstall.exe
Save HJTInstall.exe to your desktop.
Doubleclick on the HJTInstall.exe icon on your desktop.
By default it will install to C:\Program Files\Trend Micro\HijackThis .
Click on Install.
It will create a HijackThis icon on the desktop.
Once installed, it will launch Hijackthis.
Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT use the AnalyseThis button, its findings are dangerous if misinterpreted.
DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
Herbidatious
2007-08-16, 19:19
Below is the logfile as requested. thnx.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:17:38, on 16/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vc.freedom.net/html/virus_definition_template.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: SelasI Class - {59F4F380-01A0-4083-9FA4-E3B827319F7E} - C:\WINDOWS\system32\vcbhafjl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\WINDOWS\system32\asclvtym.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\ers_startupmon.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jack\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123753183109
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123758956265
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
--
End of file - 7543 bytes
Hi
1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Post:
- a fresh HijackThis log
- combofix report
Herbidatious
2007-08-16, 20:36
As requested, thnx.
ComboFix 07-08-14.4 - "Ian" 2007-08-16 18:02:24.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.33 [GMT 1:00]
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\DOCUME~1\Beth\APPLIC~1\..\err.log
C:\DOCUME~1\Beth\APPLIC~1\ErrorProtector Free
C:\DOCUME~1\Beth\APPLIC~1\ErrorProtector Free\Logs\update.log
C:\DOCUME~1\IAN~1.COL\APPLIC~1\..\err.log
C:\DOCUME~1\Jack\APPLIC~1\..\err.log
C:\DOCUME~1\Jack\APPLIC~1\ErrorProtector Free
C:\DOCUME~1\Jack\APPLIC~1\ErrorProtector Free\Logs\update.log
C:\DOCUME~1\Jack\APPLIC~1\FunWebProducts
C:\DOCUME~1\Jack\APPLIC~1\FunWebProducts\Data\Jack\avatar.dat
C:\DOCUME~1\Jack\APPLIC~1\FunWebProducts\Data\Jack\register.dat
C:\DOCUME~1\Jack\APPLIC~1\WinAntiVirus Pro 2006
C:\DOCUME~1\Jack\APPLIC~1\WinAntiVirus Pro 2006\Logs\update.log
C:\DOCUME~1\Jack\APPLIC~1\WinAntiVirus Pro 2006\Logs\wa6Support.log
C:\DOCUME~1\Jack\APPLIC~1\WinAntiVirus Pro 2006\Logs\winav.log
C:\DOCUME~1\Jack\APPLIC~1\WinAntiVirus Pro 2006\PGE.dat
C:\DOCUME~1\Karen\APPLIC~1\..\err.log
C:\DOCUME~1\Karen\APPLIC~1\ErrorProtector Free
C:\DOCUME~1\Karen\APPLIC~1\ErrorProtector Free\Logs\update.log
C:\DOCUME~1\Luke\APPLIC~1\..\err.log
C:\DOCUME~1\Luke\APPLIC~1\ErrorProtector Free
C:\DOCUME~1\Luke\APPLIC~1\ErrorProtector Free\Logs\update.log
C:\Program Files\Common Files\{38416~1
C:\Program Files\Common Files\{38416~1\Activate.exe
C:\Program Files\Common Files\{38416~1\Uninst.exe
C:\Program Files\Common Files\{D8416~1
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\ystem3~1
C:\WA6P
C:\WINDOWS\smbols~1
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\WINDOWS\system32\vcbhafjl.dll
C:\WINDOWS\system32\wnscpsu.exe
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_CMDSERVICE
-------\LEGACY_FOPN
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK
((((((((((((((((((((((((( Files Created from 2007-07-16 to 2007-08-16 )))))))))))))))))))))))))))))))
2007-08-16 18:00 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-16 17:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-15 12:44 33,408 --a------ C:\WINDOWS\system32\drivers\freedom.sys
2007-08-15 12:43 <DIR> d-------- C:\Program Files\Common Files\PestPatrol
2007-08-15 12:43 <DIR> d-------- C:\Program Files\Common Files\Command Software
2007-08-15 12:41 <DIR> d-------- C:\Program Files\Virgin Broadband
2007-08-14 19:00 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101a.dll
2007-08-14 19:00 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2007-08-14 19:00 218,112 --a--c--- C:\WINDOWS\system32\dllcache\c_g18030.dll
2007-08-14 19:00 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2007-08-14 19:00 14,336 --a--c--- C:\WINDOWS\system32\dllcache\padrs412.dll
2007-08-14 19:00 10,129,408 --a--c--- C:\WINDOWS\system32\dllcache\hwxkor.dll
2007-08-14 18:35 <DIR> d-------- C:\Program Files\WindowsUpdate
2007-08-13 20:11 <DIR> d-------- C:\Program Files\BrainTrainAge
2007-08-11 19:02 <DIR> d-------- C:\WINDOWS\pss
2007-08-10 07:35 <DIR> d-------- C:\DOCUME~1\Jack\APPLIC~1\SoftwareDetectionScripts
2007-08-09 19:06 <DIR> d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\SoftwareDetectionScripts
2007-08-09 19:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\temp
2007-08-09 18:59 <DIR> d--hs---- C:\WINDOWS\SWFu
2007-08-09 18:59 <DIR> d-------- C:\WINDOWS\system32\SearchTool
2007-08-09 18:59 <DIR> d-------- C:\Program Files\Mywenger
2007-08-09 18:59 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-08-06 10:56 <DIR> d-------- C:\Program Files\PogoSticker
2007-08-06 10:43 <DIR> d-------- C:\Program Files\Speed Thrasher
2007-08-05 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-05 12:28 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-04 15:38 <DIR> d-------- C:\Program Files\Disney
2007-07-31 18:14 <DIR> d-------- C:\DOCUME~1\Jack\APPLIC~1\IMVU
2007-07-31 18:13 <DIR> d-------- C:\Program Files\IMVU
2007-07-28 19:55 <DIR> d-------- C:\DOCUME~1\Karen\APPLIC~1\Apple Computer
2007-07-26 15:34 <DIR> d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\Apple Computer
2007-07-26 15:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-22 14:46 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-07-22 12:32 <DIR> d-------- C:\WINDOWS\.jagex_cache_34
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-15 12:47 --------- d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\Virgin Broadband
2007-08-12 20:57 --------- d-------- C:\Program Files\Lexmark X1100 Series
2007-08-10 16:27 --------- d-------- C:\Program Files\Google
2007-08-09 19:13 --------- d-------- C:\Program Files\ntl
2007-07-26 15:32 --------- d-------- C:\Program Files\QuickTime
2007-07-21 11:58 --------- d-------- C:\Program Files\Puppy Luv
2007-07-19 07:59 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-15 20:48 --------- d-------- C:\Program Files\LimeWire
2007-07-13 00:31 765952 --a--c--- C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-07 12:07 --------- dr-h----- C:\DOCUME~1\IAN~1.COL\APPLIC~1\yahoo!
2007-07-07 11:13 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-07-07 11:13 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-07-07 11:09 --------- d-------- C:\Program Files\Motorola Phone Tools
2007-07-07 11:05 --------- d-------- C:\Program Files\Common Files\Motorola Shared
2007-07-07 11:01 --------- d-------- C:\Program Files\Avanquest update
2007-07-07 11:01 --------- d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\InstallShield
2007-06-30 12:20 --------- d-------- C:\Program Files\DivX
2007-06-29 17:12 --------- d-------- C:\Program Files\Kontiki
2007-06-29 17:12 --------- d-------- C:\Program Files\Channel4
2007-06-27 23:45 --------- d-------- C:\Program Files\Vizumi
2007-06-27 23:16 --------- d-------- C:\Program Files\Maxis
2007-06-27 23:12 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-27 23:12 --------- d-------- C:\Program Files\Home Cinema
2007-06-27 23:12 --------- d-------- C:\Program Files\CyberLink
2007-06-27 23:07 --------- d-------- C:\Program Files\Disney Interactive
2007-06-27 23:05 --------- d-------- C:\Program Files\Broken Sword II
2007-06-27 15:34 823808 --a--c--- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 15:34 671232 --a--c--- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 15:34 6058496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 15:34 52224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 15:34 477696 --a--c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 15:34 459264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 15:34 44544 --a--c--- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 15:34 384512 --a--c--- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 15:34 383488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 15:34 27648 --a--c--- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 15:34 267776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 15:34 232960 --a--c--- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 15:34 230400 --a--c--- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 15:34 193024 --a--c--- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 15:34 153088 --a--c--- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 15:34 132608 --a--c--- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 15:34 124928 --a--c--- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 15:34 1152000 --a--c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 15:34 105984 --a--c--- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 15:34 102400 --a--c--- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 09:27 63488 --a--c--- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 09:27 625152 --a--c--- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 09:27 13824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 08:00 161792 --a--c--- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 07:08 1104896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-20 21:07 --------- d-------- C:\Program Files\Windows Live
2007-06-20 21:07 --------- d-------- C:\Program Files\MSN Messenger
2007-06-20 21:07 --------- d-------- C:\Program Files\Messenger Plus! Live
2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 14:31 282112 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 11:23 1033216 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 11:23 1033216 --------- C:\WINDOWS\explorer.exe
2007-05-17 12:28 549376 -----c--- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-05-17 12:28 549376 --------- C:\WINDOWS\system32\oleaut32.dll
2007-05-16 16:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 16:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 16:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 16:12 683520 --------- C:\WINDOWS\system32\inetcomm.dll
2007-05-16 16:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 16:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2006-11-09 09:16 0 --a------ C:\Program Files\Common Files\err.log
2005-07-29 15:24:26 472 --sha-r C:\WINDOWS\SWFu\mqIR.vbs
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C07F60AC-688D-4F3E-89EC-30B281BDD2CC}]
2007-03-11 20:06 421888 --a------ C:\WINDOWS\system32\asclvtym.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03]
"SoundMan"="SOUNDMAN.EXE" [2005-03-25 05:20 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-08 19:03]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Motive SmartBridge"="C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 10:40]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 15:43]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-08 19:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-08 18:59]
"ERS_check"="C:\Program Files\Common Files\ers_startupmon.exe" []
"CHotkey"="zHotkey.exe" [2004-05-17 18:30 C:\WINDOWS\zHotkey.exe]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-08 15:53 C:\WINDOWS\AGRSMMSG.exe]
"4oD"="C:\Program Files\Kontiki\KHost.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" []
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 14:12]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 18:53]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 16:03]
"LifeCU"="C:\WINDOWS\system32\BastaYa.exe" [2007-01-10 19:40]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 nsysaudm;nsysaudm;\??\C:\DOCUME~1\Beth\LOCALS~1\Temp\nsysaudm.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
S3 Z302Mic;Vimicro Z302 Mic Audio Filter Driver;C:\WINDOWS\system32\drivers\UsbMicfilt.sys
S3 ZSMC302;PCL-W310;C:\WINDOWS\system32\Drivers\usbvm302.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44c422bd-7bf6-11db-887b-0013d389a330}]
AutoRun\command- G:\setupSNK.exe
Contents of the 'Scheduled Tasks' folder
2007-08-07 17:07:20 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job - C:\Program Files\SpywareBot\SpywareBot.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-16 18:23:09
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-16 18:26:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-16 18:26
--- E O F ---
Hi
How about a fresh HijackThis log, too? :)
Herbidatious
2007-08-16, 20:55
sorry forgot -
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:54:19, on 16/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vc.freedom.net/html/virus_definition_template.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\WINDOWS\system32\asclvtym.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\ers_startupmon.exe"
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jack\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123753183109
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123758956265
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
--
End of file - 7190 bytes
Hi
Open HijackThis, click do a system scan only and checkmark these:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\WINDOWS\system32\asclvtym.dll
O4 - HKLM\..\Run: [ERS_check] "C:\Program Files\Common Files\ers_startupmon.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
Close all windows including browser and press fix checked.
Reboot
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\asclvtym.dll
Folder::
C:\WINDOWS\SWFu
Save this as "CFScript"
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Herbidatious
2007-08-16, 21:46
as requested.
ComboFix 07-08-14.4 - "Ian" 2007-08-16 19:35:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.72 [GMT 1:00]
Command switches used :: C:\Documents and Settings\Ian.COLLINSFAMILY\Desktop\CFScript.txt
* Created a new restore point
FILE::
C:\WINDOWS\system32\asclvtym.dll
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\SWFu
C:\WINDOWS\SWFu\mqIR.vbs
((((((((((((((((((((((((( Files Created from 2007-07-16 to 2007-08-16 )))))))))))))))))))))))))))))))
2007-08-16 19:17 421,888 --a------ C:\WINDOWS\system32\asclbxfe.dll
2007-08-16 19:17 36,864 --a------ C:\WINDOWS\system32\wbhldcwd.exe
2007-08-16 18:00 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-16 17:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-15 12:44 33,408 --a------ C:\WINDOWS\system32\drivers\freedom.sys
2007-08-15 12:43 <DIR> d-------- C:\Program Files\Common Files\PestPatrol
2007-08-15 12:43 <DIR> d-------- C:\Program Files\Common Files\Command Software
2007-08-15 12:41 <DIR> d-------- C:\Program Files\Virgin Broadband
2007-08-14 19:00 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101a.dll
2007-08-14 19:00 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2007-08-14 19:00 218,112 --a--c--- C:\WINDOWS\system32\dllcache\c_g18030.dll
2007-08-14 19:00 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2007-08-14 19:00 14,336 --a--c--- C:\WINDOWS\system32\dllcache\padrs412.dll
2007-08-14 19:00 10,129,408 --a--c--- C:\WINDOWS\system32\dllcache\hwxkor.dll
2007-08-14 18:35 <DIR> d-------- C:\Program Files\WindowsUpdate
2007-08-13 20:11 <DIR> d-------- C:\Program Files\BrainTrainAge
2007-08-11 19:02 <DIR> d-------- C:\WINDOWS\pss
2007-08-10 07:35 <DIR> d-------- C:\DOCUME~1\Jack\APPLIC~1\SoftwareDetectionScripts
2007-08-09 19:06 <DIR> d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\SoftwareDetectionScripts
2007-08-09 19:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\temp
2007-08-09 18:59 <DIR> d-------- C:\WINDOWS\system32\SearchTool
2007-08-09 18:59 <DIR> d-------- C:\Program Files\Mywenger
2007-08-09 18:59 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-08-06 10:56 <DIR> d-------- C:\Program Files\PogoSticker
2007-08-06 10:43 <DIR> d-------- C:\Program Files\Speed Thrasher
2007-08-05 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-05 12:28 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-04 15:38 <DIR> d-------- C:\Program Files\Disney
2007-07-31 18:14 <DIR> d-------- C:\DOCUME~1\Jack\APPLIC~1\IMVU
2007-07-31 18:13 <DIR> d-------- C:\Program Files\IMVU
2007-07-28 19:55 <DIR> d-------- C:\DOCUME~1\Karen\APPLIC~1\Apple Computer
2007-07-26 15:34 <DIR> d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\Apple Computer
2007-07-26 15:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-22 14:46 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-07-22 12:32 <DIR> d-------- C:\WINDOWS\.jagex_cache_34
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-16 19:17 45321 --a------ C:\WINDOWS\system32\CAUnst.exe
2007-08-15 12:47 --------- d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\Virgin Broadband
2007-08-12 20:57 --------- d-------- C:\Program Files\Lexmark X1100 Series
2007-08-10 16:27 --------- d-------- C:\Program Files\Google
2007-08-09 19:13 --------- d-------- C:\Program Files\ntl
2007-07-26 15:32 --------- d-------- C:\Program Files\QuickTime
2007-07-21 11:58 --------- d-------- C:\Program Files\Puppy Luv
2007-07-19 07:59 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-15 20:48 --------- d-------- C:\Program Files\LimeWire
2007-07-13 00:31 765952 --a--c--- C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-07 12:07 --------- dr-h----- C:\DOCUME~1\IAN~1.COL\APPLIC~1\yahoo!
2007-07-07 11:13 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-07-07 11:13 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-07-07 11:09 --------- d-------- C:\Program Files\Motorola Phone Tools
2007-07-07 11:05 --------- d-------- C:\Program Files\Common Files\Motorola Shared
2007-07-07 11:01 --------- d-------- C:\Program Files\Avanquest update
2007-07-07 11:01 --------- d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\InstallShield
2007-06-30 12:20 --------- d-------- C:\Program Files\DivX
2007-06-29 17:12 --------- d-------- C:\Program Files\Kontiki
2007-06-29 17:12 --------- d-------- C:\Program Files\Channel4
2007-06-27 23:45 --------- d-------- C:\Program Files\Vizumi
2007-06-27 23:16 --------- d-------- C:\Program Files\Maxis
2007-06-27 23:12 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-27 23:12 --------- d-------- C:\Program Files\Home Cinema
2007-06-27 23:12 --------- d-------- C:\Program Files\CyberLink
2007-06-27 23:07 --------- d-------- C:\Program Files\Disney Interactive
2007-06-27 23:05 --------- d-------- C:\Program Files\Broken Sword II
2007-06-27 15:34 823808 --a--c--- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 15:34 671232 --a--c--- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 15:34 6058496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 15:34 52224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 15:34 477696 --a--c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 15:34 459264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 15:34 44544 --a--c--- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 15:34 384512 --a--c--- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 15:34 383488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 15:34 27648 --a--c--- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 15:34 267776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 15:34 232960 --a--c--- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 15:34 230400 --a--c--- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 15:34 193024 --a--c--- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 15:34 153088 --a--c--- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 15:34 132608 --a--c--- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 15:34 124928 --a--c--- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 15:34 1152000 --a--c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 15:34 105984 --a--c--- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 15:34 102400 --a--c--- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 09:27 63488 --a--c--- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 09:27 625152 --a--c--- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 09:27 13824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 08:00 161792 --a--c--- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 07:08 1104896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-20 21:07 --------- d-------- C:\Program Files\Windows Live
2007-06-20 21:07 --------- d-------- C:\Program Files\MSN Messenger
2007-06-20 21:07 --------- d-------- C:\Program Files\Messenger Plus! Live
2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 14:31 282112 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 11:23 1033216 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 11:23 1033216 --------- C:\WINDOWS\explorer.exe
2007-05-17 12:28 549376 -----c--- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-05-17 12:28 549376 --------- C:\WINDOWS\system32\oleaut32.dll
2007-05-16 16:12 86528 -----c--- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 16:12 85504 -----c--- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 16:12 683520 -----c--- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 16:12 683520 --------- C:\WINDOWS\system32\inetcomm.dll
2007-05-16 16:12 510976 -----c--- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 16:12 1314816 -----c--- C:\WINDOWS\system32\dllcache\msoe.dll
2006-11-09 09:16 0 --a------ C:\Program Files\Common Files\err.log
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C07F60AC-688D-4F3E-89EC-30B281BDD2CC}]
2007-08-16 19:17 421888 --a------ C:\WINDOWS\system32\asclbxfe.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03]
"SoundMan"="SOUNDMAN.EXE" [2005-03-25 05:20 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-08 19:03]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Motive SmartBridge"="C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 10:40]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 15:43]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-08 19:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-08 18:59]
"CHotkey"="zHotkey.exe" [2004-05-17 18:30 C:\WINDOWS\zHotkey.exe]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-08 15:53 C:\WINDOWS\AGRSMMSG.exe]
"4oD"="C:\Program Files\Kontiki\KHost.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" []
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 14:12]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 18:53]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 16:03]
"LifeCU"="C:\WINDOWS\system32\BastaYa.exe" [2007-01-10 19:40]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 nsysaudm;nsysaudm;\??\C:\DOCUME~1\Beth\LOCALS~1\Temp\nsysaudm.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
S3 Z302Mic;Vimicro Z302 Mic Audio Filter Driver;C:\WINDOWS\system32\drivers\UsbMicfilt.sys
S3 ZSMC302;PCL-W310;C:\WINDOWS\system32\Drivers\usbvm302.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44c422bd-7bf6-11db-887b-0013d389a330}]
AutoRun\command- G:\setupSNK.exe
Contents of the 'Scheduled Tasks' folder
2007-08-07 17:07:20 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job - C:\Program Files\SpywareBot\SpywareBot.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-16 19:42:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-16 19:43:02
C:\ComboFix-quarantined-files.txt ... 2007-08-16 19:42
C:\ComboFix2.txt ... 2007-08-16 18:26
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:46:28, on 16/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vc.freedom.net/html/virus_definition_template.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\WINDOWS\system32\asclbxfe.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jack\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123753183109
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123758956265
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
--
End of file - 6917 bytes
Hi
Some new baddies there.
Open HijackThis
You should see a line similar to this, but filename might be different
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\WINDOWS\system32\asclbxfe.dll
Checkmark that entry and press fix checked.
Delete these:
C:\WINDOWS\system32\asclbxfe.dll
C:\WINDOWS\system32\wbhldcwd.exe
Empty Recycle Bin.
Reboot.
Post a fresh HijackThis log
Herbidatious
2007-08-17, 13:42
Could not find the files you suggested in system32, although I had already run spybot prior to this and it only found 'funwebproducts' which cannot be removed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:38:36, on 17/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vc.freedom.net/html/virus_definition_template.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\WINDOWS\system32\asclwzwl.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jack\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123753183109
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123758956265
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
--
End of file - 6835 bytes
Hi
Ok, that file mutates.
We'll do this:
You should see a line similar to this, but filename might be different.
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\WINDOWS\system32\asclbxfe.dll
Checkmark that entry and press fix checked.
Delete that file from that entry above.
Empty Recycle Bin.
Reboot.
Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in Windows (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)
Please click this link-->Jotti (http://virusscan.jotti.org/)
When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.
C:\DOCUME~1\Beth\LOCALS~1\Temp\nsysaudm.sys
Please post back the results of the scan in your next post.
If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
C:\DOCUME~1\Beth\LOCALS~1\Temp\nsysaudm.sys
Re-run combofix
Post a fresh HijackThis log, jotti/virustotal results and a fresh HijackThis log.
Herbidatious
2007-08-17, 20:33
Cannot find any files beginning with C\docume~1 (am I missing something) change view as required on folder options.
ComboFix 07-08-14.4 - "Ian" 2007-08-17 18:10:52.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.77 [GMT 1:00]
((((((((((((((((((((((((( Files Created from 2007-07-17 to 2007-08-17 )))))))))))))))))))))))))))))))
2007-08-17 18:06 421,888 --a------ C:\WINDOWS\system32\asclvoib.dll
2007-08-17 18:06 36,864 --a------ C:\WINDOWS\system32\wbhldcwd.exe
2007-08-16 18:00 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-16 17:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-15 12:44 33,408 --a------ C:\WINDOWS\system32\drivers\freedom.sys
2007-08-15 12:43 <DIR> d-------- C:\Program Files\Common Files\PestPatrol
2007-08-15 12:43 <DIR> d-------- C:\Program Files\Common Files\Command Software
2007-08-15 12:41 <DIR> d-------- C:\Program Files\Virgin Broadband
2007-08-14 19:00 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101a.dll
2007-08-14 19:00 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2007-08-14 19:00 218,112 --a--c--- C:\WINDOWS\system32\dllcache\c_g18030.dll
2007-08-14 19:00 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2007-08-14 19:00 14,336 --a--c--- C:\WINDOWS\system32\dllcache\padrs412.dll
2007-08-14 19:00 10,129,408 --a--c--- C:\WINDOWS\system32\dllcache\hwxkor.dll
2007-08-14 18:35 <DIR> d-------- C:\Program Files\WindowsUpdate
2007-08-13 20:11 <DIR> d-------- C:\Program Files\BrainTrainAge
2007-08-11 19:02 <DIR> d-------- C:\WINDOWS\pss
2007-08-10 07:35 <DIR> d-------- C:\DOCUME~1\Jack\APPLIC~1\SoftwareDetectionScripts
2007-08-09 19:06 <DIR> d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\SoftwareDetectionScripts
2007-08-09 19:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\temp
2007-08-09 18:59 <DIR> d-------- C:\WINDOWS\system32\SearchTool
2007-08-09 18:59 <DIR> d-------- C:\Program Files\Mywenger
2007-08-09 18:59 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-08-06 10:56 <DIR> d-------- C:\Program Files\PogoSticker
2007-08-06 10:43 <DIR> d-------- C:\Program Files\Speed Thrasher
2007-08-05 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-05 12:28 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-04 15:38 <DIR> d-------- C:\Program Files\Disney
2007-07-31 18:14 <DIR> d-------- C:\DOCUME~1\Jack\APPLIC~1\IMVU
2007-07-31 18:13 <DIR> d-------- C:\Program Files\IMVU
2007-07-28 19:55 <DIR> d-------- C:\DOCUME~1\Karen\APPLIC~1\Apple Computer
2007-07-26 15:34 <DIR> d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\Apple Computer
2007-07-26 15:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-22 14:46 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-07-22 12:32 <DIR> d-------- C:\WINDOWS\.jagex_cache_34
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-17 18:06 45321 --a------ C:\WINDOWS\system32\CAUnst.exe
2007-08-15 12:47 --------- d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\Virgin Broadband
2007-08-12 20:57 --------- d-------- C:\Program Files\Lexmark X1100 Series
2007-08-10 16:27 --------- d-------- C:\Program Files\Google
2007-08-09 19:13 --------- d-------- C:\Program Files\ntl
2007-07-26 15:32 --------- d-------- C:\Program Files\QuickTime
2007-07-21 11:58 --------- d-------- C:\Program Files\Puppy Luv
2007-07-19 07:59 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-15 20:48 --------- d-------- C:\Program Files\LimeWire
2007-07-13 00:31 765952 --a--c--- C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-07 12:07 --------- dr-h----- C:\DOCUME~1\IAN~1.COL\APPLIC~1\yahoo!
2007-07-07 11:13 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-07-07 11:13 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-07-07 11:09 --------- d-------- C:\Program Files\Motorola Phone Tools
2007-07-07 11:05 --------- d-------- C:\Program Files\Common Files\Motorola Shared
2007-07-07 11:01 --------- d-------- C:\Program Files\Avanquest update
2007-07-07 11:01 --------- d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\InstallShield
2007-06-30 12:20 --------- d-------- C:\Program Files\DivX
2007-06-29 17:12 --------- d-------- C:\Program Files\Kontiki
2007-06-29 17:12 --------- d-------- C:\Program Files\Channel4
2007-06-27 23:45 --------- d-------- C:\Program Files\Vizumi
2007-06-27 23:16 --------- d-------- C:\Program Files\Maxis
2007-06-27 23:12 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-27 23:12 --------- d-------- C:\Program Files\Home Cinema
2007-06-27 23:12 --------- d-------- C:\Program Files\CyberLink
2007-06-27 23:07 --------- d-------- C:\Program Files\Disney Interactive
2007-06-27 23:05 --------- d-------- C:\Program Files\Broken Sword II
2007-06-27 15:34 823808 --a--c--- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 15:34 671232 --a--c--- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 15:34 6058496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 15:34 52224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 15:34 477696 --a--c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 15:34 459264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 15:34 44544 --a--c--- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 15:34 384512 --a--c--- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 15:34 383488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 15:34 27648 --a--c--- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 15:34 267776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 15:34 232960 --a--c--- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 15:34 230400 --a--c--- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 15:34 193024 --a--c--- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 15:34 153088 --a--c--- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 15:34 132608 --a--c--- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 15:34 124928 --a--c--- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 15:34 1152000 --a--c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 15:34 105984 --a--c--- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 15:34 102400 --a--c--- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 09:27 63488 --a--c--- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 09:27 625152 --a--c--- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 09:27 13824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 08:00 161792 --a--c--- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 07:08 1104896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-20 21:07 --------- d-------- C:\Program Files\Windows Live
2007-06-20 21:07 --------- d-------- C:\Program Files\MSN Messenger
2007-06-20 21:07 --------- d-------- C:\Program Files\Messenger Plus! Live
2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 14:31 282112 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 11:23 1033216 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 11:23 1033216 --------- C:\WINDOWS\explorer.exe
2007-05-17 12:28 549376 -----c--- C:\WINDOWS\system32\dllcache\oleaut32.dll
2007-05-17 12:28 549376 --------- C:\WINDOWS\system32\oleaut32.dll
2006-11-09 09:16 0 --a------ C:\Program Files\Common Files\err.log
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C07F60AC-688D-4F3E-89EC-30B281BDD2CC}]
2007-08-17 18:06 421888 --a------ C:\WINDOWS\system32\asclvoib.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03]
"SoundMan"="SOUNDMAN.EXE" [2005-03-25 05:20 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-08 19:03]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Motive SmartBridge"="C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 10:40]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 15:43]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-08 19:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-08 18:59]
"CHotkey"="zHotkey.exe" [2004-05-17 18:30 C:\WINDOWS\zHotkey.exe]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-08 15:53 C:\WINDOWS\AGRSMMSG.exe]
"4oD"="C:\Program Files\Kontiki\KHost.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" []
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 14:12]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 18:53]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 16:03]
"LifeCU"="C:\WINDOWS\system32\BastaYa.exe" [2007-01-10 19:40]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 nsysaudm;nsysaudm;\??\C:\DOCUME~1\Beth\LOCALS~1\Temp\nsysaudm.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
S3 Z302Mic;Vimicro Z302 Mic Audio Filter Driver;C:\WINDOWS\system32\drivers\UsbMicfilt.sys
S3 ZSMC302;PCL-W310;C:\WINDOWS\system32\Drivers\usbvm302.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44c422bd-7bf6-11db-887b-0013d389a330}]
AutoRun\command- G:\setupSNK.exe
Contents of the 'Scheduled Tasks' folder
2007-08-07 17:07:20 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job - C:\Program Files\SpywareBot\SpywareBot.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-17 18:18:03
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
**************************************************************************
Completion time: 2007-08-17 18:19:49
C:\ComboFix-quarantined-files.txt ... 2007-08-17 18:19
C:\ComboFix2.txt ... 2007-08-16 19:43
C:\ComboFix3.txt ... 2007-08-16 18:26
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:33:04, on 17/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vc.freedom.net/html/virus_definition_template.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\WINDOWS\system32\asclvoib.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jack\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123753183109
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123758956265
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
--
End of file - 6884 bytes
Hi
Were you able to find and delete that file?
I ask because it's still there.
Let's try this (NOTE: if you have shutdown or reboot computer, those instructions won't work.)
Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.exe).
Save it to the desktop.
Please run Killbox.
Select "Standard file kill" and "All files"
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\asclvoib.dll
C:\WINDOWS\system32\wbhldcwd.exe
Go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "No" at the Pending Operations prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again..
If your computer does not restart automatically, please restart it manually.
My bad, it's
C:\Documents and Settings\Beth\Local Settings\Temp\nsysaudm.sys
Re-run combofix
Post:
- a fresh HijackThis log
- combofix report
- jotti/virustotal
Herbidatious
2007-08-18, 14:19
I'd already re-booted my pc. Could not delete file C:\WINDOWS\system32\asclvoib.dll and file C:\WINDOWS\system32\wbhldcwd.exe would not paste into killbox. Please advise, thnx.
Hi
You will need to then look new filename from fresh HijackThis log.
Do a scan with HijackThis and check which is the filename for this entry:
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\WINDOWS\system32\ascl????.dll
???? stand for any 4 letters.
Then replace C:\WINDOWS\system32\asclvoib.dll with that current filename in my previous instructions.
Herbidatious
2007-08-18, 15:04
I tried to delete file again as hijack this log shows filename - C:\WINDOWS\system32\asclvoib.dll. Did'nt work.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:01:49, on 18/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vc.freedom.net/html/virus_definition_template.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\WINDOWS\system32\asclvoib.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jack\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123753183109
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123758956265
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
--
End of file - 6909 bytes
Hi
We'll try then another tool:
Download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer to your Desktop.
Double click OTMoveIt.exe to launch it.
Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.
C:\WINDOWS\system32\asclvoib.dll
C:\WINDOWS\system32\wbhldcwd.exe
Click the Move It button.
The list will be processed and the results will appear in the right hand pane.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
When finished click Exit to exit the program.
A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).
Then continue with my previous instructions.
Herbidatious
2007-08-18, 15:33
ComboFix 07-08-14.4 - "Ian" 2007-08-18 13:22:42.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.56 [GMT 1:00]
((((((((((((((((((((((((( Files Created from 2007-07-18 to 2007-08-18 )))))))))))))))))))))))))))))))
2007-08-18 11:48 <DIR> d-------- C:\!KillBox
2007-08-16 18:00 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-16 17:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-15 12:44 33,408 --a------ C:\WINDOWS\system32\drivers\freedom.sys
2007-08-15 12:43 <DIR> d-------- C:\Program Files\Common Files\PestPatrol
2007-08-15 12:43 <DIR> d-------- C:\Program Files\Common Files\Command Software
2007-08-15 12:41 <DIR> d-------- C:\Program Files\Virgin Broadband
2007-08-14 19:00 6,144 --a--c--- C:\WINDOWS\system32\dllcache\kbd101a.dll
2007-08-14 19:00 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2007-08-14 19:00 218,112 --a--c--- C:\WINDOWS\system32\dllcache\c_g18030.dll
2007-08-14 19:00 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2007-08-14 19:00 14,336 --a--c--- C:\WINDOWS\system32\dllcache\padrs412.dll
2007-08-14 19:00 10,129,408 --a--c--- C:\WINDOWS\system32\dllcache\hwxkor.dll
2007-08-14 18:35 <DIR> d-------- C:\Program Files\WindowsUpdate
2007-08-13 20:11 <DIR> d-------- C:\Program Files\BrainTrainAge
2007-08-11 19:02 <DIR> d-------- C:\WINDOWS\pss
2007-08-10 07:35 <DIR> d-------- C:\DOCUME~1\Jack\APPLIC~1\SoftwareDetectionScripts
2007-08-09 19:06 <DIR> d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\SoftwareDetectionScripts
2007-08-09 19:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\temp
2007-08-09 18:59 <DIR> d-------- C:\WINDOWS\system32\SearchTool
2007-08-09 18:59 <DIR> d-------- C:\Program Files\Mywenger
2007-08-09 18:59 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-08-06 10:56 <DIR> d-------- C:\Program Files\PogoSticker
2007-08-06 10:43 <DIR> d-------- C:\Program Files\Speed Thrasher
2007-08-05 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-05 12:28 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-04 15:38 <DIR> d-------- C:\Program Files\Disney
2007-07-31 18:14 <DIR> d-------- C:\DOCUME~1\Jack\APPLIC~1\IMVU
2007-07-31 18:13 <DIR> d-------- C:\Program Files\IMVU
2007-07-28 19:55 <DIR> d-------- C:\DOCUME~1\Karen\APPLIC~1\Apple Computer
2007-07-26 15:34 <DIR> d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\Apple Computer
2007-07-26 15:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-22 14:46 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-07-22 12:32 <DIR> d-------- C:\WINDOWS\.jagex_cache_34
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-17 18:06 45321 --a------ C:\WINDOWS\system32\CAUnst.exe
2007-08-15 12:47 --------- d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\Virgin Broadband
2007-08-12 20:57 --------- d-------- C:\Program Files\Lexmark X1100 Series
2007-08-10 16:27 --------- d-------- C:\Program Files\Google
2007-08-09 19:13 --------- d-------- C:\Program Files\ntl
2007-07-26 15:32 --------- d-------- C:\Program Files\QuickTime
2007-07-21 11:58 --------- d-------- C:\Program Files\Puppy Luv
2007-07-19 07:59 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-15 20:48 --------- d-------- C:\Program Files\LimeWire
2007-07-13 00:31 765952 --a--c--- C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-07 12:07 --------- dr-h----- C:\DOCUME~1\IAN~1.COL\APPLIC~1\yahoo!
2007-07-07 11:13 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-07-07 11:13 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-07-07 11:09 --------- d-------- C:\Program Files\Motorola Phone Tools
2007-07-07 11:05 --------- d-------- C:\Program Files\Common Files\Motorola Shared
2007-07-07 11:01 --------- d-------- C:\Program Files\Avanquest update
2007-07-07 11:01 --------- d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\InstallShield
2007-06-30 12:20 --------- d-------- C:\Program Files\DivX
2007-06-29 17:12 --------- d-------- C:\Program Files\Kontiki
2007-06-29 17:12 --------- d-------- C:\Program Files\Channel4
2007-06-27 23:45 --------- d-------- C:\Program Files\Vizumi
2007-06-27 23:16 --------- d-------- C:\Program Files\Maxis
2007-06-27 23:12 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-27 23:12 --------- d-------- C:\Program Files\Home Cinema
2007-06-27 23:12 --------- d-------- C:\Program Files\CyberLink
2007-06-27 23:07 --------- d-------- C:\Program Files\Disney Interactive
2007-06-27 23:05 --------- d-------- C:\Program Files\Broken Sword II
2007-06-27 15:34 823808 --a--c--- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 15:34 671232 --a--c--- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 15:34 6058496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 15:34 52224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 15:34 477696 --a--c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 15:34 459264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 15:34 44544 --a--c--- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 15:34 384512 --a--c--- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 15:34 383488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 15:34 27648 --a--c--- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 15:34 267776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 15:34 232960 --a--c--- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 15:34 230400 --a--c--- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 15:34 193024 --a--c--- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 15:34 153088 --a--c--- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 15:34 132608 --a--c--- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 15:34 124928 --a--c--- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 15:34 1152000 --a--c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 15:34 105984 --a--c--- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 15:34 102400 --a--c--- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 09:27 63488 --a--c--- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 09:27 625152 --a--c--- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 09:27 13824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 08:00 161792 --a--c--- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 07:08 1104896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-20 21:07 --------- d-------- C:\Program Files\Windows Live
2007-06-20 21:07 --------- d-------- C:\Program Files\MSN Messenger
2007-06-20 21:07 --------- d-------- C:\Program Files\Messenger Plus! Live
2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 14:31 282112 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 11:23 1033216 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 11:23 1033216 --------- C:\WINDOWS\explorer.exe
2006-11-09 09:16 0 --a------ C:\Program Files\Common Files\err.log
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03]
"SoundMan"="SOUNDMAN.EXE" [2005-03-25 05:20 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-08 19:03]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Motive SmartBridge"="C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 10:40]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 15:43]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-08 19:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-08 18:59]
"CHotkey"="zHotkey.exe" [2004-05-17 18:30 C:\WINDOWS\zHotkey.exe]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-08 15:53 C:\WINDOWS\AGRSMMSG.exe]
"4oD"="C:\Program Files\Kontiki\KHost.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" []
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 14:12]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 18:53]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 16:03]
"LifeCU"="C:\WINDOWS\system32\BastaYa.exe" [2007-01-10 19:40]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 nsysaudm;nsysaudm;\??\C:\DOCUME~1\Beth\LOCALS~1\Temp\nsysaudm.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
S3 Z302Mic;Vimicro Z302 Mic Audio Filter Driver;C:\WINDOWS\system32\drivers\UsbMicfilt.sys
S3 ZSMC302;PCL-W310;C:\WINDOWS\system32\Drivers\usbvm302.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44c422bd-7bf6-11db-887b-0013d389a330}]
AutoRun\command- G:\setupSNK.exe
Contents of the 'Scheduled Tasks' folder
2007-08-07 17:07:20 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job - C:\Program Files\SpywareBot\SpywareBot.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-18 13:29:46
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-18 13:31:52
C:\ComboFix-quarantined-files.txt ... 2007-08-18 13:31
C:\ComboFix2.txt ... 2007-08-17 18:19
C:\ComboFix3.txt ... 2007-08-16 19:43
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:33:17, on 18/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\vfind.cfexe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vc.freedom.net/html/virus_definition_template.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jack\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123753183109
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123758956265
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
--
End of file - 6837 bytes
Hi
Nice, that one is gone :)
How about virustotal/jotti results for C:\Documents and Settings\Beth\Local Settings\Temp\nsysaudm.sys?
Herbidatious
2007-08-18, 16:09
Service load: 0% 100%
File: nsysaudm.sys
Status: INFECTED/MALWARE
MD5: 03bff1de5b708e92a1926ba4a33595d0
Packers detected: -
Bit9 reports: File not found
Scanner results
Scan taken on 18 Aug 2007 13:04:45 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found RootKit.Agent.ma
Sophos Antivirus Found nothing
VirusBuster Found Rootkit.Agent.UIP
VBA32 Found Trojan.NtRootKit.138
Hi
Yes, it's bad and we need a sample:
Download suspicious file packer from here (http://www.safer-networking.org/files/sfp.zip)
Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop
C:\Documents and Settings\Beth\Local Settings\Temp\nsysaudm.sys
Go to spykiller (http://www.thespykiller.co.uk/index.php?PHPSESSID=d65884362fbc872b70e1a9a9a7e13700&board=1.0)
Press new topic, make threads title "Files for Shaba"
Include to your message a link to here, then attach the cab/zip file to your message and post the topic
If you cant locate it through the browse button just copy/paste the filename and path.
Please after doing that, we'll continue :)
Hi and thanks for the file.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\Documents and Settings\Beth\Local Settings\Temp\nsysaudm.sys
Driver::
nsysaudm
Save this as "CFScript"
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Herbidatious
2007-08-18, 23:18
ComboFix 07-08-14.4 - "Ian" 2007-08-18 21:00:25.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.66 [GMT 1:00]
Command switches used :: C:\Documents and Settings\Ian.COLLINSFAMILY\Desktop\CFScript.txt
* Created a new restore point
FILE::
C:\Documents and Settings\Beth\Local Settings\Temp\nsysaudm.sys
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Documents and Settings\Beth\Local Settings\Temp\nsysaudm.sys
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\LEGACY_NSYSAUDM
-------\nsysaudm
((((((((((((((((((((((((( Files Created from 2007-07-18 to 2007-08-18 )))))))))))))))))))))))))))))))
2007-08-18 11:48 <DIR> d-------- C:\!KillBox
2007-08-16 18:00 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-16 17:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-15 12:44 33,408 --a------ C:\WINDOWS\system32\drivers\freedom.sys
2007-08-15 12:43 <DIR> d-------- C:\Program Files\Common Files\PestPatrol
2007-08-15 12:43 <DIR> d-------- C:\Program Files\Common Files\Command Software
2007-08-15 12:41 <DIR> d-------- C:\Program Files\Virgin Broadband
2007-08-14 19:00 6,144 --a------ C:\WINDOWS\system32\kbd101a.dll
2007-08-14 19:00 218,112 --a------ C:\WINDOWS\system32\c_g18030.dll
2007-08-14 18:35 <DIR> d-------- C:\Program Files\WindowsUpdate
2007-08-13 20:11 <DIR> d-------- C:\Program Files\BrainTrainAge
2007-08-11 19:02 <DIR> d-------- C:\WINDOWS\pss
2007-08-10 07:35 <DIR> d-------- C:\DOCUME~1\Jack\APPLIC~1\SoftwareDetectionScripts
2007-08-09 19:06 <DIR> d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\SoftwareDetectionScripts
2007-08-09 19:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\temp
2007-08-09 18:59 <DIR> d-------- C:\WINDOWS\system32\SearchTool
2007-08-09 18:59 <DIR> d-------- C:\Program Files\Mywenger
2007-08-09 18:59 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\NetMon
2007-08-06 10:56 <DIR> d-------- C:\Program Files\PogoSticker
2007-08-06 10:43 <DIR> d-------- C:\Program Files\Speed Thrasher
2007-08-05 12:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-05 12:28 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-04 15:38 <DIR> d-------- C:\Program Files\Disney
2007-07-31 18:14 <DIR> d-------- C:\DOCUME~1\Jack\APPLIC~1\IMVU
2007-07-31 18:13 <DIR> d-------- C:\Program Files\IMVU
2007-07-28 19:55 <DIR> d-------- C:\DOCUME~1\Karen\APPLIC~1\Apple Computer
2007-07-26 15:34 <DIR> d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\Apple Computer
2007-07-26 15:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-22 14:46 <DIR> d-------- C:\WINDOWS\.jagex_cache_32
2007-07-22 12:32 <DIR> d-------- C:\WINDOWS\.jagex_cache_34
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-17 18:06 45321 --a------ C:\WINDOWS\system32\CAUnst.exe
2007-08-15 12:47 --------- d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\Virgin Broadband
2007-08-12 20:57 --------- d-------- C:\Program Files\Lexmark X1100 Series
2007-08-10 16:27 --------- d-------- C:\Program Files\Google
2007-08-09 19:13 --------- d-------- C:\Program Files\ntl
2007-07-26 15:32 --------- d-------- C:\Program Files\QuickTime
2007-07-21 11:58 --------- d-------- C:\Program Files\Puppy Luv
2007-07-19 07:59 3583488 --a--c--- C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-15 20:48 --------- d-------- C:\Program Files\LimeWire
2007-07-13 00:31 765952 --a--c--- C:\WINDOWS\system32\dllcache\vgx.dll
2007-07-07 12:07 --------- dr-h----- C:\DOCUME~1\IAN~1.COL\APPLIC~1\yahoo!
2007-07-07 11:13 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2007-07-07 11:13 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_motmodem_01005.Wdf
2007-07-07 11:09 --------- d-------- C:\Program Files\Motorola Phone Tools
2007-07-07 11:05 --------- d-------- C:\Program Files\Common Files\Motorola Shared
2007-07-07 11:01 --------- d-------- C:\Program Files\Avanquest update
2007-07-07 11:01 --------- d-------- C:\DOCUME~1\IAN~1.COL\APPLIC~1\InstallShield
2007-06-30 12:20 --------- d-------- C:\Program Files\DivX
2007-06-29 17:12 --------- d-------- C:\Program Files\Kontiki
2007-06-29 17:12 --------- d-------- C:\Program Files\Channel4
2007-06-27 23:45 --------- d-------- C:\Program Files\Vizumi
2007-06-27 23:16 --------- d-------- C:\Program Files\Maxis
2007-06-27 23:12 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-27 23:12 --------- d-------- C:\Program Files\Home Cinema
2007-06-27 23:12 --------- d-------- C:\Program Files\CyberLink
2007-06-27 23:07 --------- d-------- C:\Program Files\Disney Interactive
2007-06-27 23:05 --------- d-------- C:\Program Files\Broken Sword II
2007-06-27 15:34 823808 --a--c--- C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 15:34 671232 --a--c--- C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 15:34 6058496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 15:34 52224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 15:34 477696 --a--c--- C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 15:34 459264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 15:34 44544 --a--c--- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 15:34 384512 --a--c--- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 15:34 383488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 15:34 27648 --a--c--- C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 15:34 267776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 15:34 232960 --a--c--- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 15:34 230400 --a--c--- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 15:34 193024 --a--c--- C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 15:34 153088 --a--c--- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 15:34 132608 --a--c--- C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 15:34 124928 --a--c--- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 15:34 1152000 --a--c--- C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 15:34 105984 --a--c--- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 15:34 102400 --a--c--- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 09:27 63488 --a--c--- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 09:27 625152 --a--c--- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 09:27 13824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 08:00 161792 --a--c--- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 07:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 07:08 1104896 -----c--- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-20 21:07 --------- d-------- C:\Program Files\Windows Live
2007-06-20 21:07 --------- d-------- C:\Program Files\MSN Messenger
2007-06-20 21:07 --------- d-------- C:\Program Files\Messenger Plus! Live
2007-06-19 14:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 14:31 282112 -----c--- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 11:23 1033216 -----c--- C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 11:23 1033216 --------- C:\WINDOWS\explorer.exe
2006-11-09 09:16 0 --a------ C:\Program Files\Common Files\err.log
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C07F60AC-688D-4F3E-89EC-30B281BDD2CC}]
2007-08-17 18:06 421888 --a------ C:\_OTMOV~1\MOVEDF~1\WINDOWS\system32\asclvoib.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 14:03]
"SoundMan"="SOUNDMAN.EXE" [2005-03-25 05:20 C:\WINDOWS\SOUNDMAN.EXE]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2005-06-08 19:03]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50]
"Motive SmartBridge"="C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2003-12-30 10:40]
"Lexmark X1100 Series"="C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe" [2003-08-19 15:43]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-06-08 19:02]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-06-08 18:59]
"CHotkey"="zHotkey.exe" [2004-05-17 18:30 C:\WINDOWS\zHotkey.exe]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2002-09-10 21:26]
"AGRSMMSG"="AGRSMMSG.exe" [2005-03-08 15:53 C:\WINDOWS\AGRSMMSG.exe]
"4oD"="C:\Program Files\Kontiki\KHost.exe" []
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" []
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-01-24 14:12]
"PCguard"="C:\Program Files\Virgin Broadband\PCguard\Rps.exe" [2007-01-24 18:53]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 16:03]
"LifeCU"="C:\WINDOWS\system32\BastaYa.exe" [2007-01-10 19:40]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
S3 JL2005;JL2005A Toy Camera;C:\WINDOWS\system32\Drivers\toywdm.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys
S3 ss_bus;SAMSUNG Mobile USB Device 1.0 driver (WDM);C:\WINDOWS\system32\DRIVERS\ss_bus.sys
S3 ss_mdfl;SAMSUNG Mobile USB Modem 1.0 Filter;C:\WINDOWS\system32\DRIVERS\ss_mdfl.sys
S3 ss_mdm;SAMSUNG Mobile USB Modem 1.0 Drivers;C:\WINDOWS\system32\DRIVERS\ss_mdm.sys
S3 sscdbus;SAMSUNG USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\sscdbus.sys
S3 sscdmdfl;SAMSUNG CDMA Modem Filter;C:\WINDOWS\system32\DRIVERS\sscdmdfl.sys
S3 sscdmdm;SAMSUNG CDMA Modem Drivers;C:\WINDOWS\system32\DRIVERS\sscdmdm.sys
S3 Z302Mic;Vimicro Z302 Mic Audio Filter Driver;C:\WINDOWS\system32\drivers\UsbMicfilt.sys
S3 ZSMC302;PCL-W310;C:\WINDOWS\system32\Drivers\usbvm302.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{44c422bd-7bf6-11db-887b-0013d389a330}]
AutoRun\command- G:\setupSNK.exe
Contents of the 'Scheduled Tasks' folder
2007-08-07 17:07:20 C:\WINDOWS\Tasks\SpywareBot Scheduled Scan.job - C:\Program Files\SpywareBot\SpywareBot.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-18 21:09:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-18 21:13:16 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-18 21:13
C:\ComboFix2.txt ... 2007-08-18 13:31
C:\ComboFix3.txt ... 2007-08-17 18:19
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:17:29, on 18/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vc.freedom.net/html/virus_definition_template.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\_OTMOV~1\MOVEDF~1\WINDOWS\system32\asclvoib.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jack\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123753183109
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123758956265
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
--
End of file - 6931 bytes
Hi
Is this up-to-date?
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.
Post:
- a fresh HijackThis log
- kaspersky report
Herbidatious
2007-08-19, 17:14
Cannot paste Kapersky report to much text. Please advise.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:13:40, on 19/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vc.freedom.net/html/virus_definition_template.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\_OTMOV~1\MOVEDF~1\WINDOWS\system32\asclvoib.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jack\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123753183109
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123758956265
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
--
End of file - 7036 bytes
Hi
Is Command Antivirus up-to-date?
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
You can edit out all lines with object locked skipped; size should reduce significantly.
Herbidatious
2007-08-19, 17:40
I don't know what the Command Anti virus is?? news to me, I'm using Freedom Anti virus from Virgin PCGuard and this is up to date.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, August 19, 2007 2:47:08 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 19/08/2007
Kaspersky Anti-Virus database records: 385111
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 144914
Number of viruses found: 17
Number of infected objects: 60
Number of suspicious objects: 0
Duration of the scan process: 01:50:49
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Beth\Local Settings\Temp\ErrorProtectorFreeSetup.exe/file03 Infected: not-a-virus:Downloader.Win32.WinFixer.l skipped
C:\Documents and Settings\Beth\Local Settings\Temp\ErrorProtectorFreeSetup.exe/file04 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\Documents and Settings\Beth\Local Settings\Temp\ErrorProtectorFreeSetup.exe Inno: infected - 2 skipped
C:\Documents and Settings\Beth\My Documents\My Pictures\barbie icons.exe/WISE0016.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\Beth\My Documents\My Pictures\barbie icons.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
C:\Documents and Settings\Beth\My Documents\My Pictures\barbie icons.exe/WISE0018.BIN/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
C:\Documents and Settings\Beth\My Documents\My Pictures\barbie icons.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
C:\Documents and Settings\Beth\My Documents\My Pictures\barbie icons.exe/WISE0019.BIN Infected: Trojan-Downloader.Win32.Small.bke skipped
C:\Documents and Settings\Beth\My Documents\My Pictures\barbie icons.exe/WISE0020.BIN/data0002 Infected: not-a-virus:AdWare.Win32.WebRebates.r skipped
C:\Documents and Settings\Beth\My Documents\My Pictures\barbie icons.exe/WISE0020.BIN/data0003 Infected: not-a-virus:AdWare.Win32.WebRebates.p skipped
C:\Documents and Settings\Beth\My Documents\My Pictures\barbie icons.exe/WISE0020.BIN/data0004 Infected: not-a-virus:AdWare.Win32.WebRebates.p skipped
C:\Documents and Settings\Beth\My Documents\My Pictures\barbie icons.exe/WISE0020.BIN/data0005 Infected: not-a-virus:AdWare.Win32.WebRebates.p skipped
C:\Documents and Settings\Beth\My Documents\My Pictures\barbie icons.exe/WISE0020.BIN Infected: not-a-virus:AdWare.Win32.WebRebates.p skipped
C:\Documents and Settings\Beth\My Documents\My Pictures\barbie icons.exe WiseSFX: infected - 10 skipped
C:\Documents and Settings\Beth\My Documents\My Pictures\barbie icons.exe WiseSFX Dropper: infected - 10 skipped
C:\Documents and Settings\Jack\My Documents\My Received Files\ring ring bannana phone naked.rar/setup.exe/data0005 Infected: not-a-virus:AdWare.Win32.NetNucleus.b skipped
C:\Documents and Settings\Jack\My Documents\My Received Files\ring ring bannana phone naked.rar/setup.exe/data0006/stream/data0004 Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\Documents and Settings\Jack\My Documents\My Received Files\ring ring bannana phone naked.rar/setup.exe/data0006/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\Documents and Settings\Jack\My Documents\My Received Files\ring ring bannana phone naked.rar/setup.exe/data0006 Infected: not-a-virus:AdWare.Win32.TrafficSol.h skipped
C:\Documents and Settings\Jack\My Documents\My Received Files\ring ring bannana phone naked.rar/setup.exe/data0007/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Jack\My Documents\My Received Files\ring ring bannana phone naked.rar/setup.exe/data0007/stream Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Jack\My Documents\My Received Files\ring ring bannana phone naked.rar/setup.exe/data0007 Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Jack\My Documents\My Received Files\ring ring bannana phone naked.rar/setup.exe Infected: not-a-virus:AdWare.Win32.Agent.dy skipped
C:\Documents and Settings\Jack\My Documents\My Received Files\ring ring bannana phone naked.rar RAR: infected - 8 skipped
C:\Documents and Settings\Luke\Local Settings\Temporary Internet Files\Content.IE5\KTAZGDQN\444444[1].htm Infected: Trojan-Downloader.JS.Psyme.eb skipped
C:\Documents and Settings\Luke\My Documents\My Music\Eighties classic.wma Infected: Trojan-Downloader.WMA.Wimad.k skipped
C:\Documents and Settings\Luke\My Documents\My Music\TOTALLY HIP TRACK.wma Infected: Trojan-Downloader.WMA.Wimad.k skipped
C:\Documents and Settings\Luke\My Documents\My Music\Wicked Remix.wma Infected: Trojan-Downloader.WMA.Wimad.k skipped
C:\Documents and Settings\Luke\My Documents\NeroVision\Incomplete\Preview-T-4335426-Eighties classic.wma Infected: Trojan-Downloader.WMA.Wimad.k skipped
C:\Documents and Settings\Luke\My Documents\NeroVision\Incomplete\T-3045752-01 Track 1.wma Infected: Trojan-Downloader.WMA.Wimad.k skipped
C:\Program Files\filesubmit\prin7.zip\atoolbar400134.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
C:\Program Files\filesubmit\prin7.zip\atoolbar400134.exe WiseSFX: infected - 1 skipped
C:\Program Files\filesubmit\prin7.zip\atoolbar400134.exe WiseSFX Dropper: infected - 1 skipped
C:\Program Files\filesubmit\prin7.zip\WebRebates_InstallS.exe/data0002 Infected: not-a-virus:AdWare.Win32.WebRebates.r skipped
C:\Program Files\filesubmit\prin7.zip\WebRebates_InstallS.exe/data0003 Infected: not-a-virus:AdWare.Win32.WebRebates.p skipped
C:\Program Files\filesubmit\prin7.zip\WebRebates_InstallS.exe/data0004 Infected: not-a-virus:AdWare.Win32.WebRebates.p skipped
C:\Program Files\filesubmit\prin7.zip\WebRebates_InstallS.exe/data0005 Infected: not-a-virus:AdWare.Win32.WebRebates.p skipped
C:\Program Files\filesubmit\prin7.zip\WebRebates_InstallS.exe NSIS: infected - 4 skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20070816-191447-512.dll Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20070817-105149-983.dll Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20070817-174029-391.dll Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vcbhafjl.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP19\A0001729.dll Infected: not-a-virus:AdWare.Win32.HotBar.cc skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP20\A0001771.dll Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP20\A0001869.dll Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP22\A0002977.dll Infected: not-a-virus:AdWare.Win32.HotBar.cc skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP22\A0003006.dll Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP23\A0003022.dll Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP29\change.log Object is locked skipped
C:\WINDOWS\5-a0c18a429b8010fee34ee31d9073371d.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.TrafficSol.d skipped
C:\WINDOWS\5-a0c18a429b8010fee34ee31d9073371d.exe/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.d skipped
C:\WINDOWS\5-a0c18a429b8010fee34ee31d9073371d.exe NSIS: infected - 2 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\BastaYa.exe Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\WINDOWS\system32\brrotate.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.d skipped
C:\WINDOWS\system32\italfds.exe Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\WINDOWS\system32\SearchTool\nsa1C.dll Infected: not-a-virus:AdWare.Win32.Beginto.f skipped
C:\WINDOWS\system32\SearchTool\SearchTool.dll Infected: not-a-virus:AdWare.Win32.Beginto.f skipped
C:\WINDOWS\system32\SmartShopper\SmartShopper0.dll Infected: not-a-virus:AdWare.Win32.Beginto.f skipped
C
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\asclvoib.dll Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
Hi
That's the same thing under different name :)
Please download ATF Cleaner by Atribune (http://www.atribune.org/ccount/click.php?id=1) and save
it to desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit to close ATF-Cleaner.
Empty these folders:
C:\Documents and Settings\Beth\Local Settings\Temp
C:\QooBox\Quarantine
C:\_OTMoveIt\MovedFiles
Delete these:
C:\Documents and Settings\Beth\My Documents\My Pictures\barbie icons.exe
C:\Documents and Settings\Jack\My Documents\My Received Files\ring ring bannana phone naked.rar
C:\Documents and Settings\Luke\My Documents\My Music\Eighties classic.wma
C:\Documents and Settings\Luke\My Documents\My Music\TOTALLY HIP TRACK.wma
C:\Documents and Settings\Luke\My Documents\My Music\Wicked Remix.wma
C:\Documents and Settings\Luke\My Documents\NeroVision\Incomplete\Preview-T-4335426-Eighties classic.wma
C:\Documents and Settings\Luke\My Documents\NeroVision\Incomplete\T-3045752-01 Track 1.wma
C:\Program Files\filesubmit\prin7.zip
C:\WINDOWS\5-a0c18a429b8010fee34ee31d9073371d.exe
C:\WINDOWS\system32\BastaYa.exe
C:\WINDOWS\system32\brrotate.dll
C:\WINDOWS\system32\italfds.exe
C:\WINDOWS\system32\SearchTool
C:\WINDOWS\system32\SmartShopper
Empty Recycle Bin
Re-scan with kaspersky
Post:
- a fresh HijackThis log
- kaspersky report
Herbidatious
2007-08-19, 20:29
Could not empty Folder C:_OTMoveIt\MovedFiles (message 'cannot delete asclvoib.dll, access denied).
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:23:13, on 19/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vc.freedom.net/html/virus_definition_template.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\_OTMOV~1\MOVEDF~1\WINDOWS\system32\asclvoib.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [LifeCU] C:\WINDOWS\system32\BastaYa.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jack\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123753183109
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123758956265
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
--
End of file - 7036 bytes
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, August 19, 2007 5:57:01 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 19/08/2007
Kaspersky Anti-Virus database records: 385131
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
Scan Statistics:
Total number of scanned objects: 131588
Number of viruses found: 8
Number of infected objects: 30
Number of suspicious objects: 0
Duration of the scan process: 01:42:53
Infected Object Name / Virus Name / Last Action
C:\!KillBox\asclvoib.dll Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\!KillBox\asclvoib.dll( 1) Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20070816-191447-512.dll Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20070817-105149-983.dll Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20070817-174029-391.dll Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP19\A0001729.dll Infected: not-a-virus:AdWare.Win32.HotBar.cc skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP20\A0001771.dll Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP20\A0001869.dll Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP22\A0002977.dll Infected: not-a-virus:AdWare.Win32.HotBar.cc skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP22\A0003006.dll Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP23\A0003022.dll Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP29\A0003207.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.TrafficSol.d skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP29\A0003207.exe/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.d skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP29\A0003207.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP29\A0003208.exe Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP29\A0003209.dll Infected: not-a-virus:AdWare.Win32.TrafficSol.d skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP29\A0003210.exe Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP29\A0003211.dll Infected: not-a-virus:AdWare.Win32.Beginto.f skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP29\A0003213.dll Infected: not-a-virus:AdWare.Win32.Beginto.f skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP29\A0003214.dll Infected: not-a-virus:AdWare.Win32.Beginto.f skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP29\A0003216.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.Accoona.b skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP29\A0003216.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP29\A0003216.exe WiseSFX Dropper: infected - 1 skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP29\A0003221.exe/data0002 Infected: not-a-virus:AdWare.Win32.WebRebates.r skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP29\A0003221.exe/data0003 Infected: not-a-virus:AdWare.Win32.WebRebates.p skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP29\A0003221.exe/data0004 Infected: not-a-virus:AdWare.Win32.WebRebates.p skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP29\A0003221.exe/data0005 Infected: not-a-virus:AdWare.Win32.WebRebates.p skipped
C:\System Volume Information\_restore{1506C531-5A27-4107-AE68-02DD7D553190}\RP29\A0003221.exe NSIS: infected - 4 skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\asclvoib.dll Infected: not-a-virus:AdWare.Win32.BHO.bh skipped
Scan process completed.
Hi
Empty these folders (in safe mode if not successful otherwise):
C:\!KillBox\
C:\_OTMoveIt\MovedFiles\
Delete these:
C:\Program Files\Trend Micro\HijackThis\backups\backup-20070816-191447-512.dll
C:\Program Files\Trend Micro\HijackThis\backups\backup-20070817-105149-983.dll
C:\Program Files\Trend Micro\HijackThis\backups\backup-20070817-174029-391.dll
Empty Recycle Bin
All other viruses are in system restore and inactive.
I give you later instructions how to empty it.
Other than that, any problems left?
Herbidatious
2007-08-19, 21:10
Folders emptied and files deleted.
The only problem I have left is that spybot cannot remove funwebproducts but if this is not that dangerous will deal with at a later date. Other than that all clear. Thanks very much for all your help much appreciated. :bigthumb:
Hi
Please then post spybot report here:
* Close all browsers.
* Open SpyBot, check for and get any updates available.
* Check for problems and fix everything found in red
* Then on the toolbar menu select mode and switch to advanced mode, on the left lower down select tools, and view report, ensure all the options are selected near the bottom except
* Uncheck[ ] do not report disabled or known legitimate Items.
* Uncheck[ ] Include a list of services in report.
* Uncheck[ ] Include uninstall list in report.
* Now select (near the top) view report.
* Click export and in the 'save in' box choose a place such as your my documents folder, then in your next post near the bottom select the "browse" button; navigate to and attach or post that report.
Herbidatious
2007-08-19, 21:45
Which shall I uncheck as the report is to big to upload. Thanks.
1. Include results of last check in report
2. Include activex list in report
3. Include browser pages in report
4. Include start up list in report
5. Include system information in report
6. Include BHO list in report
7. Include process list in report
8. Include list of Winsock LSPs in report
Hi
Uncheck all except this:
Include results of last check in report
Herbidatious
2007-08-20, 21:28
as requested, Thnx
Hi
First we'll need to backup registry:
Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.
Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop
Windows Registry Editor Version 5.00
[-HKEY_USERS\S-1-5-18\Software\Fun Web Products]
[-HKEY_USERS\S-1-5-20\Software\Fun Web Products]
[-HKEY_USERS\S-1-5-19\Software\Fun Web Products]
[-HKEY_USERS\.DEFAULT\Software\Fun Web Products]
It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif
Doubleclick fix.reg, press Yes and ok.
(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)
Re-scan with spybot and tell me that has resolved the problem?
Herbidatious
2007-08-21, 13:57
Thanks, is there anything else that I need to do? :D:
Hi
Post a fresh HijackThis log please :)
Herbidatious
2007-08-21, 18:13
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:12:12, on 21/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\fws.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Command Software\dvpapi.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\zHotkey.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Virgin Broadband\PCguard\Rps.exe
C:\WINDOWS\system32\lexpps.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Virgin Broadband\advisor\BroadbandadvisorComHandler.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://vc.freedom.net/html/virus_definition_template.html
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Virgin Broadband\PCguard\FBHR.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\_OTMOV~1\MOVEDF~1\WINDOWS\system32\asclvoib.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [PCguard] "C:\Program Files\Virgin Broadband\PCguard\Rps.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Startup: spywareblaster.lnk = C:\Program Files\SpywareBlaster\spywareblaster.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Jack\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.medion.co.uk
O15 - Trusted Zone: *.musicmatch.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123753183109
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1123758956265
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O23 - Service: AVG Anti-Spyware Guard - Unknown owner - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (file missing)
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PCguard Firewall (RP_FWS) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\fws.exe
--
End of file - 6843 bytes
Hi
Open HijackThis, click do a system scan only and checkmark this:
O2 - BHO: Hoja Class - {C07F60AC-688D-4F3E-89EC-30B281BDD2CC} - C:\_OTMOV~1\MOVEDF~1\WINDOWS\system32\asclvoib.dll (file missing)
Close all windows including browser and press fix checked.
Otherwise it looks good :)
Any other problems?
Herbidatious
2007-08-21, 22:38
Thanks very much for all your help. :bigthumb:
Hi
Then you're clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
You can remove all tools we used.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. A malicious site could render Java content under older, vulnerable versions of Sun's software if the user has not removed them. Please follow these steps to remove older version Java components and update: Download the latest version of Java Runtime Environment (JRE) 6 Update 2 (http://java.sun.com/javase/downloads/index.jsp) and save it to your desktop.
Scroll down to where it says "Java Runtime Environment (JRE) 6u2...allows end-users to run Java applications".
Click the "Download" button to the right.
Read the License Agreement and then check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation and save the file to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java versions.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.
Update Adobe Reader
It looks like your version of Adobe Reader is out of date and you're vulnerable for infections.
Please download the newest version here:
http://www.adobe.com/products/acrobat/readstep2_servefile.html?option=full&order=1&type=&language=English&platform=WinXPSP2&esdcanbeused=0&esdcanhandle=0&hasjavascript=1&dlm=nos
Install it, then go to Add/Remove Programs and remove any older versions that may remain.
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)
Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
Instructions for - Spybot S & D and Ad-aware (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar (http://toolbar.google.com/) <= Get the free google toolbar to help stop pop up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)
Happy surfing and stay clean!
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.