PDA

View Full Version : common problem?-is my pc still infected



karmdrefner
2008-03-12, 20:50
recently had a malware problem something to do with myway.mywebsearch/ trojan downloader. I believe i may have sorted the problem thanks to you guys but i'm not sure?

The reason i'm not sure is, at fairly regular intervals my comp is running loads of processes on task manager even when it is idle. making the comp run slowly this problem coincided with the virus . I need someone to check HJT log to see if they can see a problem.
Thanks

KARM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:40:45, on 12/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LVComS.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelp.exe
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\PROGRA~1\Sitecom\BLUETO~1\BTSTAC~1.EXE
C:\PROGRA~1\Motive\Common\MOTIVE~1.EXE
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [OlStatusMon] "C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe" dvcStatusMinimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZKxdm015YYGB
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189783077718
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://uk.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: olMntrService - Olivetti - C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 12140 bytes

little eagle
2008-03-18, 04:49
Close all programs leaving only HijackThis running. Place a check against each of the following,

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab

Click on Fix Checked when finished and exit HijackThis.

--------------------------------------

Be sure to keep SunJava, updated new version is 6.5
In Add/Remove programs click on these and press *remove* if listed:
J2SE Runtime Environment 5.0 - 97.99Mb
J2SE Runtime Environment 5.0 Update 2 - 143.00Mb
J2SE Runtime Environment 5.0 Update 4 - 144.00Mb
J2SE Runtime Environment 5.0 Update 5- 151.00Mb
Java 2 Runtime Environment, SE v1.4.2_04 - 130.00Mb
Or any other outdated J2SE
It is important to remove older versions as these are the ones with the holes in them.
You will be surprised when you go to add/remove to see all of the versions sitting there.
Download Newest >>>> http://www.java.com/en/download/index.jsp
Once installed you can test to see that it is in fact installed >>>>
Sun Java Test (http://www.java.com/en/download/installed.jsp)

------------------------------------

Download and run - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)

--------------------------------------

Reboot and rescan with HiJackThis and post a new log here.
Also please describe how your computer behaves at the moment.

karmdrefner
2008-03-18, 23:46
how annpoying!! i spent ages writing a detailed description of what has been happeinng that i thought i'd posted in the waiting room but my copm froze at the wrong time and alas it didnt post!!.
anyway I carried out your instructions as requested and have included the new HJT log for you to look at.
For the record the computer is still the same.

karmdrefner
2008-03-19, 00:10
examples of what are happening is.
alot of the time My pc is spiking and running at 100% even when idle.It takes 30mins before this settles (even before emptying the prefetch folder).
on task manager svchost.exe ,vaultclientSRV.exe,system idle process,yop.exe are the programms using most memory or most processes at these times???

the comp generally is running slower web pages open with just the title showing then about 5/10 secs later the rest of the page shows (with some pics missing sometimes)

Most importantly i have run norton security inspector and it says something along the line s of your ip addresses are being directed to a new host.It gives me the option of fixing this which i do it seems to work but if i try again aby a couple of days later the problem has returned.

This is in keeping with the problem connected with myway.mywebsearch which Norton was unable to detect but spybot did.After removal this would reinstall itself.
on trying to fix this ps kelly got me to download kapsersky and this found a trojan downloader in a wma file which i deleted. neither problem is apparently on the computer any more biut the spiking etc started at the time of their discovery and is still happening. Is it possible that i have a viris which is mutating somehow to avoid detection or is letting other viruses on to the comp.After trojan was deleted the pc ran a bit faster bit the spiking has been a contant problem.

I would suggest its a hardware issue but Norton was unable to pick up/stop the innitial problem and y is the secrity inspector finding a reaccuring threat???


eagerly awaiting your views/insructions

cheers

little eagle
2008-03-19, 04:50
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again afterwards before connecting to the net



2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.


3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

karmdrefner
2008-03-19, 20:33
as requested....combo fix and HJT log

ComboFix 08-03-18.1 - Mark 2008-03-19 16:41:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.230 [GMT 0:00]
Running from: C:\Documents and Settings\Mark\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-19 to 2008-03-19 )))))))))))))))))))))))))))))))
.

2008-03-18 19:53 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-18 19:51 . 2008-03-18 19:51 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-15 15:41 . 2008-03-15 15:41 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-15 10:37 . 2008-03-15 10:37 244 --ah----- C:\sqmnoopt19.sqm
2008-03-15 10:37 . 2008-03-15 10:37 232 --ah----- C:\sqmdata19.sqm
2008-03-15 10:36 . 2008-03-15 10:36 244 --ah----- C:\sqmnoopt18.sqm
2008-03-15 10:36 . 2008-03-15 10:36 232 --ah----- C:\sqmdata18.sqm
2008-03-15 10:32 . 2008-03-15 10:32 244 --ah----- C:\sqmnoopt17.sqm
2008-03-15 10:32 . 2008-03-15 10:32 232 --ah----- C:\sqmdata17.sqm
2008-03-07 14:03 . 2008-03-07 14:03 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-03-07 14:03 . 2008-03-07 14:03 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-03-07 13:40 . 2008-03-07 13:40 13,035 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-03-07 13:40 . 2008-03-07 13:40 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-03-07 13:39 . 2008-03-07 13:39 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-03-07 13:39 . 2008-03-07 13:39 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-03-07 13:39 . 2008-03-07 13:39 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-03-07 13:39 . 2008-03-07 13:39 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-03-07 13:39 . 2008-03-07 13:39 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-03-07 13:39 . 2008-03-07 13:39 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-03-07 13:39 . 2008-03-07 13:39 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2008-03-03 22:55 . 2008-03-03 22:58 <DIR> d-------- C:\Program Files\Windows Live
2008-03-03 22:55 . 2008-03-03 22:57 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-03 22:54 . 2008-03-03 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-03 22:34 . 2008-01-12 18:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-03 22:34 . 2008-01-15 09:54 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-03 22:34 . 2008-01-15 05:28 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-03 13:39 . 2008-03-03 14:10 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-03 13:39 . 2008-03-03 14:10 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-03 13:38 . 2008-03-10 21:48 <DIR> d-------- C:\Program Files\Symantec
2008-03-03 13:38 . 2008-03-03 22:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-03 13:37 . 2008-03-19 16:44 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-27 12:20 . 2008-02-27 12:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-27 09:19 . 2008-02-27 09:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-27 09:19 . 2008-02-27 09:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-22 20:46 . 2008-02-22 21:21 419 --a------ C:\WINDOWS\wininit.ini
2008-02-22 20:12 . 2008-02-22 20:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-22 20:12 . 2008-02-22 20:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-22 19:20 . 2008-02-22 19:28 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\RegSweep
2008-02-19 10:33 . 2008-02-19 10:33 <DIR> d-------- C:\Program Files\Motive
2008-02-19 10:33 . 2008-02-19 10:35 <DIR> d-------- C:\Program Files\BT Broadband Desktop Help

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-18 19:53 --------- d-----w C:\Program Files\Java
2008-03-15 16:00 --------- d-----w C:\Program Files\BT Auto Backup
2008-03-03 22:59 --------- d-----w C:\Program Files\MSN Messenger
2008-03-03 16:29 --------- d-----w C:\Program Files\Microsoft Works
2008-03-03 14:10 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-03 14:10 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-03 13:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-02-26 18:46 61,480 ----a-w C:\Documents and Settings\Mark\GoToAssistDownloadHelper.exe
2008-02-19 10:41 --------- d-----w C:\Documents and Settings\Mark\Application Data\Motive
2008-02-19 10:34 --------- d-----w C:\Program Files\Common Files\Motive
2008-02-19 10:31 --------- d-----w C:\Program Files\BTHomeHub
2008-02-17 19:20 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-02-17 19:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-02-15 22:54 --------- d-----w C:\Program Files\Google
2008-02-15 20:10 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-13 23:06 --------- d-----w C:\Documents and Settings\Mark\Application Data\Skype
2008-02-13 16:03 --------- d-----w C:\Documents and Settings\Mark\Application Data\skypePM
2008-02-13 00:15 --------- d-----w C:\Documents and Settings\Mark\Application Data\LimeWire
2008-02-13 00:14 --------- d-----w C:\Program Files\LimeWire
2008-02-13 00:13 --------- d-----w C:\Documents and Settings\Mark\Application Data\uTorrent
2008-02-06 00:58 --------- d-----w C:\Program Files\DivX
2008-02-06 00:47 --------- d-----w C:\Documents and Settings\Mark\Application Data\Microgaming
2008-02-05 10:05 --------- d-----w C:\Program Files\PKR
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-22 17:19 557,056 ----a-w C:\Documents and Settings\Mark\GoToAssist_phone__319_en.exe
2007-11-28 17:55 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 12:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"BTAgile"="C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe" [2007-06-18 09:39 61440]
"SRS Audio Sandbox"="C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdslTaskBar"="stmctrl.dll" [2004-08-27 08:20 167936 C:\WINDOWS\system32\stmctrl.dll]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2006-02-28 12:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-02-12 15:57 188416]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-02-12 15:59 77824]
"OlStatusMon"="C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe" [2006-01-03 14:23 94208]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-25 19:54 185632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16 286720]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-12-07 06:59 935936]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [ ]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-06-26 13:48 509224]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [2007-08-22 13:34 936960]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 07:11 771704]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 12:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [2008-02-19 10:33:24 217088]
BTTray.lnk - C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe [2004-10-01 14:12:18 565309]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2007-06-26 13:48 509224 C:\PROGRA~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\BT Broadband Talk Softphone\\BTSoftphone.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 olMntrService;olMntrService;"C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe" [2006-01-03 10:36]
R2 VaultClientSRV;BT Auto Backup Service;C:\Program Files\BT Auto Backup\VaultClientSRV.exe [2008-01-30 16:18]
R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\system32\DRIVERS\stmatm.sys [2004-07-06 12:28]
R3 TaurusPci;ADSL Modem PCI Service;C:\WINDOWS\system32\DRIVERS\toruspci.sys [2004-08-25 10:10]
S3 Symantec RemoteAssist;Symantec RemoteAssist;"C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe" []

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-19 01:49:09 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-03-16 11:37:19 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Mark.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-24 18:34:13 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 16:45:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-03-19 16:46:41
.
2008-03-12 07:47:21 --- E O F ---

little eagle
2008-03-20, 03:45
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:16:14, on 19/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelp.exe
C:\PROGRA~1\Sitecom\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\PROGRA~1\Motive\Common\MOTIVE~1.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [OlStatusMon] "C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe" dvcStatusMinimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZKxdm015YYGB
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189783077718
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab?AuthParam=1205869893_91469da6839c2b86ec698dab87f121ab&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://uk.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: olMntrService - Olivetti - C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 12376 bytes

little eagle
2008-03-20, 04:01
Run this online scan from ESET (http://www.eset.eu/online-scanner)

You will need to use Internet explorer for this scan!
First, accept the Terms of Use
Click: Start
When asked, allow the ActiveX control to install
Click: Start
Make sure the options:
Remove found threats, and Scan unwanted applications
are both checked!
Click: Scan


When the scan finishes, use Notepad to open the ESET report.
It will be located here C:\Program Files\EsetOnlineScanner\log.txt

karmdrefner
2008-03-20, 20:29
eset notepad log (i named it eset20 to remeber it by programme and date on desktop) 1 threat found


# version=4
# OnlineScanner.ocx=1.0.0.635
# OnlineScannerDLLA.dll=1, 0, 0, 79
# OnlineScannerDLLW.dll=1, 0, 0, 78
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2964 (20080320)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=da5346550b2c9b49a6282ac99eb0ae85
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-03-20 06:05:08
# local_time=2008-03-20 06:05:08 (+0000, GMT Standard Time)
# country="United Kingdom"
# osver=5.1.2600 NT Service Pack 2
# scanned=181504
# found=1
# scan_time=3839
C:\Program Files\MSN Messenger\msimg32.dll Win32/Toolbar.MyWebSearch application (unable to clean - deleted) 00000000000000000000000000000000

karmdrefner
2008-03-20, 20:41
got a feeling it has attached to my email accounts so have posted this to change options not to receive email notifications. I'll check via the site , incase the user of the spyware virus can keep updated what were doing and mutate it - if this is the case damn it might be too late?.....i'm really getting paranoid arn't I!!!!!!!

:red:

little eagle
2008-03-21, 01:37
Let's do a little cleanup.

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the /U, it needs to be there.

http://nutnworks.com/img/CF_Cleanup.png

----------------------------------------
Download and run - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)

--------------------------------

Reboot and rescan with HiJackThis and post a new log here.
Also please describe how your computer behaves at the moment.


..i'm really getting paranoid arn't I!!!!!!!I think we all are :red:

karmdrefner
2008-03-21, 14:24
followed your instructions, did you mean clean up as in uninstall combofix?? and got the following message

"windows cannot find combofix make sure you type the name correctly and try again." (i had)

when i went to the desktop i found that combo fix was actively being unistalled is this what you wanted to happen?? (if not how on earth??) was expecting to use it??....so i reinstalled it from the link you gave me earlier..... i then found that i couldnt connect to the internet and had to reeboot!!
(even though i've reinstalled when i tried again to run "ComboFix /u " i got the same message)

Couple of other things..... what happened to the file found in the eset scan was i manually spose to find and delete it??? because not sure if it was done automatically with the scan it suggested it only had discovered it and i needed the full version to remove it?? (PC still playing up any way cant have been removed i guess)

2ndly evidence that it has access to my email as well as windows is that when i open a new window it opens in a really small minimized state and more importantly when i open my hotmail account i get the following message

" you are about to leave a secure internet connection it will be possible for others to view information you send.do you want to continue?"

little eagle
2008-03-21, 18:27
what happened to the file found in the eset scan was i manually spose to find and delete it???
If you followed the instructions it should have removed it.

Make sure the options:
Remove found threats, and Scan unwanted applications
are both checked!

--------------------

Just a nag screen...........nothing to worry about.


" you are about to leave a secure internet connection it will be possible for others to view information you send.do you want to continue?"

little eagle
2008-03-21, 18:27
Download the OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.

Press cleanup & it will search for and delete/uninstall all the tools we have used
to fix your problems and all their backup folders and then delete itself when you next reboot.

karmdrefner
2008-03-22, 17:24
Hi lE, right
For about 10 to 15min of glorious surfing i thought the problem may have been fixed comp seemed to be running almost perfectly......but then the spiking returned (seemed to coincide with opening a link to facebook in favouirtes probably nothing but have deleted this link now)
...think it has reinstalled itself again?? the comp slows intermittantly when the spiking starts up getting non responsive pages and error reports happening the pages are showing the headers again before the rest of the screen appears!!

On the plus side the web pages open out fully and the hotmail is opening without that warning message about people being able to see my information. ( this was the state of play a week or so ago as these problems appeared long after the spiking and slowness etc had originally presented itself on the pc. makes me think we have cleared the threat found by eset but there is an underlying problem which is allowing other threats onto my pc. PS kelly cleared a trojan downloader virus picked up on kaspersky but agian soon after the spiking reapeared and i got the addtional problems of the minimized windows etc.

whats next captain?? enjoying the challenge of trying to beat this bastard virus but wondering if the only option is to reinstall windows but obviously this is a last resort and is something i'm keen to avoid if at all possible. have included a hjt log in cas it shows up anything?!?!

one last thing when i originally knew there was a problem on the pc that norton wasnt picking up i downloaded spybot which was finding a myway.mywebsearch threat which it would delete but subsequently rein stall itself. teatimer would give me the option of deleting registry changes or allowing them...not sure if i allowed /denied the right ones...is it worth (if possible) to check these to se if it might help resolve the whole issue??just an idea...hey what do i know ....(not much lol)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:17:52, on 22/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelp.exe
C:\PROGRA~1\Sitecom\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\BT Broadband Desktop Help\bin\mpbtn.exe
C:\PROGRA~1\Motive\Common\MOTIVE~1.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [OlStatusMon] "C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe" dvcStatusMinimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZKxdm015YYGB
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189783077718
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab?AuthParam=1205869893_91469da6839c2b86ec698dab87f121ab&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://uk.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: olMntrService - Olivetti - C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 12595 bytes

little eagle
2008-03-22, 17:53
Some of the trouble may be Ladbrokes Poker

Click HERE (http://www.pandasoftware.com/products/activescan.htm) to run Panda's ActiveScan

* You need to use IE to run this scan
* Once you are on the Panda site click the Scan your PC button
* A new window will open...click the Check Now button
* Enter your Country
* Enter your State/Province
* Enter your e-mail address and click send
* Select either Home User or Company
* Click the big Scan Now button
* If it wants to install an ActiveX component allow it
* It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
* When download is complete, click on My Computer to start the scan
* When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

karmdrefner
2008-03-22, 20:36
I cant believe it!!! wernt expecting so many!!! attached is the panda active scan results.


Incident Status Location

Potentially unwanted tool:application/alfacleaner Not disinfected C:\Documents and Settings\Mark\Application Data\Skinux
Adware:adware/ipbill Not disinfected Windows Registry
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Mark\Cookies\mark@247realmedia[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Mark\Cookies\mark@adtech[1].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Mark\Cookies\mark@anm.co[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mark\Cookies\mark@bs.serving-sys[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Mark\Cookies\mark@questionmarket[2].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Mark\Cookies\mark@realmedia[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mark\Cookies\mark@serving-sys[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mark\Cookies\mark@tribalfusion[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Mark\Cookies\mark@xiti[1].txt
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\Motive\btbb\pskill.exe

little eagle
2008-03-22, 22:37
Download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt

karmdrefner
2008-03-23, 00:32
below is the latest log.

this scan found 9 items and deleted them where as the one are the other 3 an issue i'm guessing not???
also you said ladbrokes maybe an issue should i unistall and refrain from using that poker site???to be honest only ever played on it once as far as i can remember?!?!?


Malwarebytes' Anti-Malware 1.09
Database version: 521

Scan type: Full Scan (A:\|C:\|D:\|E:\|)
Objects scanned: 72161
Time elapsed: 23 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 8
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{25560540-9571-4d7b-9389-0f166788785a} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{2eff3cf7-99c1-4c29-bc2b-68e057e22340} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{3dc201fb-e9c9-499c-a11f-23c360d7c3f8} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{63d0ed2c-b45b-4458-8b3b-60c69bbbd83c} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{98d9753d-d73b-42d5-8c85-4469cda897ab} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{9ff05104-b030-46fc-94b8-81276e4e27df} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{a6573479-9075-4a65-98a6-19fd29cf7374} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\MSN Messenger\riched20.dll (Adware.MyWeb.FunWeb) -> Quarantined and deleted successfully.

karmdrefner
2008-03-23, 00:35
*before(panda) found 12 and as far as i'm aware didnt delete them??

little eagle
2008-03-23, 02:08
Cookies that can be removed by running - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)

-------------------------------
Reboot and rescan with HiJackThis and post a new log here.
Also please describe how your computer behaves at the moment.

karmdrefner
2008-03-24, 14:50
just like before its taken far too long to load up the desktop(even with a cleared prefetch folder taken into account) surfing was quick and working normally untill the spiking started (assuming this is the "problem" reinstalling itself) then all the problems i have already described came back including the when i ran security inspector on norton i was advised that my ip addresses were agian being redirected to another host.

Notice when i restart the comp a programm called ccApp closes is this anything??

when the desktop loads the taaskbar loads after all the shortcuts have loaded is this normal???probably.

Would it show anything if i ran HJT log when the spiking is in full flow? below is the latest log

-----------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:54, on 24/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\LVComS.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\PROGRA~1\Sitecom\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [OlStatusMon] "C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe" dvcStatusMinimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZKxdm015YYGB
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189783077718
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab?AuthParam=1205869893_91469da6839c2b86ec698dab87f121ab&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://uk.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: olMntrService - Olivetti - C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 12576 bytes

little eagle
2008-03-25, 01:31
Check add and remove programs for MyWebSearch if found remove it.

-----------------------------------

Then delete the folder in C:\Program Files\MyWebSearch

karmdrefner
2008-03-25, 22:30
soz dude no mywebsearch found in add remove files or in C:\Program Files\MyWebSearch. i didd find some zip files in the spybot folder which i deleted just to be on the safe side?:scratch: still genrally slow and spiking

little eagle
2008-03-26, 03:12
Would it show anything if i ran HJT log when the spiking is in full flow? May be but the task manager might let you know what is eating up all the memory.
CTRL ALT DELETE will bring it up.

karmdrefner
2008-03-26, 13:56
ran a hjt log whilst spiking
had a lokk at task manager too there are a whole load of processes going on some with very few processes but taking up alot of memory and vice versa


some examples are
svchost system 00processes but 34480k memory
msmpeng.exe 00 " but 20,572 "
vault clientsrv.exe 25 3088k
explorer.exe 00 11,292
iexplorer.exe minimal 38,384 k
system idle process 88 processes only 16k

karmdrefner
2008-03-26, 14:00
spiking hjt

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:36:22, on 26/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\btbb_wcm\McciTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\PROGRA~1\Sitecom\BLUETO~1\BTSTAC~1.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [OlStatusMon] "C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe" dvcStatusMinimize
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Desktop Help.lnk = C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZKxdm015YYGB
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189783077718
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab?AuthParam=1205869893_91469da6839c2b86ec698dab87f121ab&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://uk.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: olMntrService - Olivetti - C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 12578 bytes

karmdrefner
2008-03-26, 14:26
:sad:Just seen the most obvious evidence that my comp has been hacked.

I have allready mentioned to you that when running security inspector on norton it advised that ip adresses have been redirected to a diffrent host and even when i fix it the problem returns....
the evidence of this is that whilst looking at my emails on my email address provided by my isp and that i use outlook for I noticed that one of my friends had replied to an email thread which though i am included on.....i most certainly havent received i'm guessing the only reason i received this partcular email was because i fixed th problem on security inspector otherewise someone else would still have been receiving my emails!! really quite worried now!

Thanks for all your help and patience with this little eagle but can you tell me if were any closer to finding the root of this problem? knowing someone else is receiving my email plus who knows what else is rather distressing.

little eagle
2008-03-27, 03:06
Click start > control panel > user accounts > change the way users log on or off > uncheck fast user switching > restart you computor.

Download, unzip and run 'RootkitRevealer' from Sysinternals:
http://www.sysinternals.com/Utilities/RootkitRevealer.html
Once the program has started, press Scan and let it run.
When the scan is done, use 'File > Save' to place the logfile in a convenient location (such as the desktop). The default filename will be 'RootkitReveal.txt'.

Save your Log File
Copy/Paste the contecnts of that logfile into your next reply

NOT touch the PC at ALL for Whatever reason/s until it has 100% completed its scan, or attempted scan in case of some error etc !

That way you should have a much simpler and clearer log file in which to pursue and evaluate.

karmdrefner
2008-03-27, 21:08
as requested.Looks like you might have gotten to the ...ROOT" of the problem( razor like it form me dont you think! :0) ) Windows wouldnt let me save it to the desktop innitially though saying the folderfile name does not exist or something the spiking has gone mad too as soon as the scan finished?? again probably just coincidence??

unable to cut and paster so have added as an attachement as a zip file is this any good????

karmdrefner
2008-03-28, 00:32
More often than not recently surfin the web is almost back to normal speed ....when its not spiking!!also the windows messenger sign in screen is minimized to a smaller size than usual this is a farly new occurance???

little eagle
2008-03-28, 03:35
Download ComboFix again from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) or Here (http://subs.geekstogo.com/ComboFix.exe) to your Desktop.

In the event you already have Combofix, this is a new version that I need you to download.
It must be saved directly to your desktop.


1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan.
Click on this link (http://www.bleepingcomputer.com/forums/topic114351.html) to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re enable the protection again afterwards before connecting to the net



2. Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.

IF you have not already done so Combofix will disconnect your machine from the Internet when it starts.
If there is no internet connection when Combofix has completely finished then restart your computer to restore back the connections.


3. Now double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review


Note: Do not mouseclick combofix's window while it's running. That may cause it to stall or freeze.

karmdrefner
2008-03-28, 13:42
as requested! attached are the combo fix and hjt logs .
should i reboot the pc aswell not done that yet?

little eagle
2008-03-29, 03:29
Open notepad and copy/paste the text in the codebox below into it:



File::
C:\WINDOWS\TEMP\vlt52.tmp
C:\WINDOWS\TEMP\vlt53.tmp
C:\WINDOWS\TEMP\vlt58.tmp
C:\WINDOWS\TEMP\vlt5B.tmp
C:\WINDOWS\TEMP\vlt5C.tmp
C:\WINDOWS\TEMP\vlt5D.tmp



Save this as Save this as "CFScript"


http://nutnworks.com/CFix/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

karmdrefner
2008-03-29, 13:30
wasnt sure but went through the process of disbling antivirus and disconnecting form internet before doing this step...siking starteg soon after reconnectio attached are the logs

ComboFix 08-03-26.3 - Mark 2008-03-29 11:08:39.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.199 [GMT 0:00]
Running from: C:\Documents and Settings\Mark\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\TEMP\vlt52.tmp
C:\WINDOWS\TEMP\vlt53.tmp
C:\WINDOWS\TEMP\vlt58.tmp
C:\WINDOWS\TEMP\vlt5B.tmp
C:\WINDOWS\TEMP\vlt5C.tmp
C:\WINDOWS\TEMP\vlt5D.tmp
.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-29 )))))))))))))))))))))))))))))))
.

2008-03-22 21:36 . 2008-03-22 21:36 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Malwarebytes
2008-03-22 21:35 . 2008-03-22 21:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-22 21:35 . 2008-03-22 21:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 17:02 . 2008-03-26 14:40 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-22 17:02 . 2008-03-26 13:40 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-22 17:02 . 2008-03-26 13:40 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-20 16:59 . 2008-03-21 18:02 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-18 19:53 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-18 19:51 . 2008-03-18 19:51 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-15 15:41 . 2008-03-26 14:26 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-15 10:37 . 2008-03-15 10:37 244 --ah----- C:\sqmnoopt19.sqm
2008-03-15 10:37 . 2008-03-15 10:37 232 --ah----- C:\sqmdata19.sqm
2008-03-15 10:36 . 2008-03-15 10:36 244 --ah----- C:\sqmnoopt18.sqm
2008-03-15 10:36 . 2008-03-15 10:36 232 --ah----- C:\sqmdata18.sqm
2008-03-15 10:32 . 2008-03-15 10:32 244 --ah----- C:\sqmnoopt17.sqm
2008-03-15 10:32 . 2008-03-15 10:32 232 --ah----- C:\sqmdata17.sqm
2008-03-07 14:03 . 2008-03-07 14:03 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-03-07 14:03 . 2008-03-07 14:03 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-03-07 13:40 . 2008-03-07 13:40 13,035 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-03-07 13:40 . 2008-03-07 13:40 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-03-07 13:39 . 2008-03-07 13:39 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-03-07 13:39 . 2008-03-07 13:39 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-03-07 13:39 . 2008-03-07 13:39 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-03-07 13:39 . 2008-03-07 13:39 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-03-07 13:39 . 2008-03-07 13:39 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-03-07 13:39 . 2008-03-07 13:39 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-03-07 13:39 . 2008-03-07 13:39 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2008-03-03 22:55 . 2008-03-03 22:58 <DIR> d-------- C:\Program Files\Windows Live
2008-03-03 22:55 . 2008-03-03 22:57 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-03 22:54 . 2008-03-03 22:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-03 22:34 . 2008-03-06 21:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-03 22:34 . 2008-03-06 21:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-03 22:34 . 2008-03-06 21:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-03 13:39 . 2008-03-03 14:10 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-03 13:39 . 2008-03-03 14:10 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-03 13:38 . 2008-03-26 14:26 <DIR> d-------- C:\Program Files\Symantec
2008-03-03 13:38 . 2008-03-24 23:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-03 13:37 . 2008-03-28 16:20 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-28 16:21 --------- d-----w C:\Program Files\BT Auto Backup
2008-03-26 14:25 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-26 14:24 --------- d-----w C:\Program Files\QuickTime
2008-03-26 14:10 --------- d-----w C:\Program Files\Common Files\Motive
2008-03-26 14:09 --------- d-----w C:\Program Files\btbb_wcm
2008-03-26 14:09 --------- d-----w C:\Program Files\BT Broadband Talk Softphone
2008-03-22 22:03 --------- d-----w C:\Program Files\MSN Messenger
2008-03-21 10:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-03-18 19:53 --------- d-----w C:\Program Files\Java
2008-03-03 16:29 --------- d-----w C:\Program Files\Microsoft Works
2008-03-03 14:10 805 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-03-03 14:10 10,740 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-03-03 13:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-02-27 12:20 --------- d-----w C:\Program Files\Trend Micro
2008-02-27 09:19 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-26 18:46 61,480 ----a-w C:\Documents and Settings\Mark\GoToAssistDownloadHelper.exe
2008-02-22 20:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-22 19:28 --------- d-----w C:\Documents and Settings\Mark\Application Data\RegSweep
2008-02-19 10:41 --------- d-----w C:\Documents and Settings\Mark\Application Data\Motive
2008-02-19 10:35 --------- d-----w C:\Program Files\BT Broadband Desktop Help
2008-02-19 10:33 --------- d-----w C:\Program Files\Motive
2008-02-19 10:31 --------- d-----w C:\Program Files\BTHomeHub
2008-02-17 19:20 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-02-17 19:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-02-15 22:54 --------- d-----w C:\Program Files\Google
2008-02-15 20:10 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-13 23:06 --------- d-----w C:\Documents and Settings\Mark\Application Data\Skype
2008-02-13 16:03 --------- d-----w C:\Documents and Settings\Mark\Application Data\skypePM
2008-02-13 00:15 --------- d-----w C:\Documents and Settings\Mark\Application Data\LimeWire
2008-02-13 00:14 --------- d-----w C:\Program Files\LimeWire
2008-02-13 00:13 --------- d-----w C:\Documents and Settings\Mark\Application Data\uTorrent
2008-02-11 09:39 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 09:39 237,568 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 13:53 110,592 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-06 00:58 --------- d-----w C:\Program Files\DivX
2008-02-06 00:47 --------- d-----w C:\Documents and Settings\Mark\Application Data\Microgaming
2008-02-05 10:05 --------- d-----w C:\Program Files\PKR
2008-02-05 08:48 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-22 17:19 557,056 ----a-w C:\Documents and Settings\Mark\GoToAssist_phone__319_en.exe
2007-11-28 17:55 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 12:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34 5724184]
"BTAgile"="C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe" [2007-06-18 09:39 61440]
"SRS Audio Sandbox"="C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdslTaskBar"="stmctrl.dll" [2004-08-27 08:20 167936 C:\WINDOWS\system32\stmctrl.dll]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2006-02-28 12:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-02-12 15:57 188416]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-02-12 15:59 77824]
"OlStatusMon"="C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe" [2006-01-03 14:23 94208]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-25 19:54 185632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 20:16 286720]
"btbb_wcm_McciTrayApp"="C:\Program Files\btbb_wcm\McciTrayApp.exe" [2006-12-07 06:59 935936]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19 129536]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [ ]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2007-06-26 13:48 509224]
"btbb_McciTrayApp"="C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe" [2007-08-22 13:34 936960]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 07:11 771704]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 12:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06 29696]
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [2008-02-19 10:33:24 217088]
BTTray.lnk - C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe [2004-10-01 14:12:18 565309]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2007-06-26 13:48 509224 C:\PROGRA~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\BT Broadband Talk Softphone\\BTSoftphone.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

R2 olMntrService;olMntrService;"C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe" [2006-01-03 10:36]
R2 VaultClientSRV;BT Auto Backup Service;C:\Program Files\BT Auto Backup\VaultClientSRV.exe [2008-01-30 16:18]
R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\system32\DRIVERS\stmatm.sys [2004-07-06 12:28]
R3 TaurusPci;ADSL Modem PCI Service;C:\WINDOWS\system32\DRIVERS\toruspci.sys [2004-08-25 10:10]
S3 Symantec RemoteAssist;Symantec RemoteAssist;"C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe" []
S3 XGLD;XGLD;C:\DOCUME~1\Mark\LOCALS~1\Temp\XGLD.exe []

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-29 01:32:22 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-03-23 09:36:46 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Mark.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-24 18:34:13 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 11:11:50
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-03-29 11:13:37
ComboFix-quarantined-files.txt 2008-03-29 11:12:41
ComboFix2.txt 2008-03-28 11:21:40
Pre-Run: 67,316,547,584 bytes free
Post-Run: 67,305,590,784 bytes free
.
2008-03-27 22:46:35 --- E O F ---

little eagle
2008-03-29, 15:15
Run this online scan from ESET (http://www.eset.eu/online-scanner)

You will need to use Internet explorer for this scan!
First, accept the Terms of Use
Click: Start
When asked, allow the ActiveX control to install
Click: Start
Make sure the options:
Remove found threats, and Scan unwanted applications
are both checked!
Click: Scan


When the scan finishes, use Notepad to open the ESET report.
It will be located here C:\Program Files\EsetOnlineScanner\log.txt

karmdrefner
2008-03-29, 23:41
says its clear......but on start up the comp takes a good 15 minutes at least to stop spikking enough to get on the web/messenger and still spiking every so often freezing any thing i ws doing on the pc emasils cant be sent web pages fail etc etc. Another funny quirk i have noticed is that when you open websites they have an icon associted wihthe site next to the web address. for example WWW.arsenal.com willl have the soccoer teams badge next to it....or should have!!! I've noticed at present it has a facebook emblem next to it!!!

little eagle
2008-03-30, 00:24
Can you post another hijackthis log?

karmdrefner
2008-03-30, 02:51
:) as requested

little eagle
2008-03-30, 14:46
Lets try this the 04's are startups that are not necessary.
You will how ever have the backups should you wish to reinstall them.

Close all programs leaving only HijackThis running. Place a check against each of the following, :

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [btbb_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O23 - Service: XGLD - Unknown owner - C:\DOCUME~1\Mark\LOCALS~1\Temp\XGLD.exe (file missing)


Click on Fix Checked when finished and exit HijackThis.

karmdrefner
2008-03-30, 20:01
as requested might have made the restart minimally faster but not starting normally.
I ran a panda scan out of desperation have included the log to showing 11 spyware 1 hacking tool/rootkit and 1 virus!!! seemed to have lost a rootkit ...but gained a virus ssomewhere!!!.......damn!


Incident Status Location

Potentially unwanted tool:application/alfacleaner Not disinfected C:\Documents and Settings\Mark\Application Data\Skinux
Adware:adware/ipbill Not disinfected Windows Registry
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Mark\Cookies\mark@247realmedia[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Mark\Cookies\mark@adtech[1].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Mark\Cookies\mark@anm.co[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mark\Cookies\mark@bs.serving-sys[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Mark\Cookies\mark@overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Mark\Cookies\mark@questionmarket[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mark\Cookies\mark@serving-sys[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Mark\Cookies\mark@toplist[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mark\Cookies\mark@tribalfusion[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Mark\Cookies\mark@xiti[1].txt
Virus:Trj/Bancos.RQ Not disinfected C:\Documents and Settings\Mark\Desktop\ComboFix.exe[327882R2FWJFW\pv.cfexe]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\Motive\btbb\pskill.exe

little eagle
2008-03-31, 04:52
Open notepad and copy/paste the text in the codebox below into it:



File::
C:\WINDOWS\Motive\btbb\pskill.exel



Save this as Save this as "CFScript"


http://nutnworks.com/CFix/CFScript.gif

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.

karmdrefner
2008-03-31, 22:21
as requested

O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme

noticed this line in the hjt log in the 04's which you said was the start up files... it looks suspicious and have checked and deleted the programme aleady ....can this line be deleted???

ComboFix 08-03-26.3 - Mark 2008-03-31 8:53:06.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.188 [GMT 1:00]
Running from: C:\Documents and Settings\Mark\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\Motive\btbb\pskill.exel
.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-22 22:36 . 2008-03-22 22:36 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Malwarebytes
2008-03-22 22:35 . 2008-03-22 22:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-22 22:35 . 2008-03-22 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 18:02 . 2008-03-30 14:59 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-22 18:02 . 2008-03-30 14:15 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-22 18:02 . 2008-03-30 14:15 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-20 17:59 . 2008-03-29 22:31 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-18 20:53 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-18 20:51 . 2008-03-18 20:51 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-15 16:41 . 2008-03-30 14:48 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-15 11:37 . 2008-03-15 11:37 244 --ah----- C:\sqmnoopt19.sqm
2008-03-15 11:37 . 2008-03-15 11:37 232 --ah----- C:\sqmdata19.sqm
2008-03-15 11:36 . 2008-03-15 11:36 244 --ah----- C:\sqmnoopt18.sqm
2008-03-15 11:36 . 2008-03-15 11:36 232 --ah----- C:\sqmdata18.sqm
2008-03-15 11:32 . 2008-03-15 11:32 244 --ah----- C:\sqmnoopt17.sqm
2008-03-15 11:32 . 2008-03-15 11:32 232 --ah----- C:\sqmdata17.sqm
2008-03-07 15:03 . 2008-03-07 15:03 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-03-07 15:03 . 2008-03-07 15:03 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-03-07 14:40 . 2008-03-07 14:40 13,035 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-03-07 14:40 . 2008-03-07 14:40 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-03-07 14:39 . 2008-03-07 14:39 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-03-07 14:39 . 2008-03-07 14:39 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-03-07 14:39 . 2008-03-07 14:39 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-03-07 14:39 . 2008-03-07 14:39 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-03-07 14:39 . 2008-03-07 14:39 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-03-07 14:39 . 2008-03-07 14:39 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-03-07 14:39 . 2008-03-07 14:39 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2008-03-03 23:55 . 2008-03-03 23:58 <DIR> d-------- C:\Program Files\Windows Live
2008-03-03 23:55 . 2008-03-03 23:57 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-03 23:54 . 2008-03-03 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-03 23:34 . 2008-03-06 22:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-03 23:34 . 2008-03-06 22:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-03 23:34 . 2008-03-06 22:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-03 14:39 . 2008-03-03 15:10 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-03 14:39 . 2008-03-03 15:10 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-03 14:38 . 2008-03-30 14:48 <DIR> d-------- C:\Program Files\Symantec
2008-03-03 14:38 . 2008-03-25 00:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-03 14:37 . 2008-03-31 01:01 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-27 13:20 . 2008-02-27 13:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-27 10:19 . 2008-02-27 10:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-27 10:19 . 2008-02-27 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-22 21:46 . 2008-02-22 22:21 419 --a------ C:\WINDOWS\wininit.ini
2008-02-22 21:12 . 2008-03-30 14:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-22 21:12 . 2008-02-22 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-22 20:20 . 2008-02-22 20:28 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\RegSweep
2008-02-19 11:33 . 2008-02-19 11:33 <DIR> d-------- C:\Program Files\Motive
2008-02-19 11:33 . 2008-02-19 11:35 <DIR> d-------- C:\Program Files\BT Broadband Desktop Help
2008-02-14 18:15 . 2008-02-14 18:15 268 --ah----- C:\sqmdata16.sqm
2008-02-14 18:15 . 2008-02-14 18:15 244 --ah----- C:\sqmnoopt16.sqm
2008-02-14 01:07 . 2008-02-14 01:15 16 --a------ C:\WINDOWS\system32\coh.cache
2008-02-14 00:48 . 2008-03-03 15:10 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-14 00:48 . 2008-03-03 15:10 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-11 10:40 . 2008-02-11 10:40 2,715,648 --a------ C:\WINDOWS\system32\OnlineScanner.ocx
2008-02-11 10:39 . 2008-02-11 10:39 253,952 --a------ C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 10:39 . 2008-02-11 10:39 237,568 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 14:53 . 2008-02-08 14:53 110,592 --a------ C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 09:48 . 2008-02-05 09:48 77,824 --a------ C:\WINDOWS\system32\OnlineScannerUninstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 13:40 --------- d-----w C:\Program Files\BT Broadband Talk Softphone
2008-03-30 13:39 --------- d-----w C:\Program Files\BT Auto Backup
2008-03-30 13:18 --------- d-----w C:\Program Files\AC3Filter
2008-03-30 13:07 --------- d-----w C:\Documents and Settings\Mark\Application Data\Skype
2008-03-30 12:53 --------- d-----w C:\Documents and Settings\Mark\Application Data\skypePM
2008-03-29 16:38 --------- d-----w C:\Documents and Settings\Mark\Application Data\LimeWire
2008-03-26 14:24 --------- d-----w C:\Program Files\QuickTime
2008-03-26 14:10 --------- d-----w C:\Program Files\Common Files\Motive
2008-03-26 14:09 --------- d-----w C:\Program Files\btbb_wcm
2008-03-22 22:03 --------- d-----w C:\Program Files\MSN Messenger
2008-03-21 10:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-03-18 19:53 --------- d-----w C:\Program Files\Java
2008-03-03 16:29 --------- d-----w C:\Program Files\Microsoft Works
2008-03-03 13:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-02-26 18:46 61,480 ----a-w C:\Documents and Settings\Mark\GoToAssistDownloadHelper.exe
2008-02-19 10:41 --------- d-----w C:\Documents and Settings\Mark\Application Data\Motive
2008-02-19 10:31 --------- d-----w C:\Program Files\BTHomeHub
2008-02-17 19:20 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-02-17 19:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-02-15 22:54 --------- d-----w C:\Program Files\Google
2008-02-15 20:10 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-13 00:14 --------- d-----w C:\Program Files\LimeWire
2008-02-13 00:13 --------- d-----w C:\Documents and Settings\Mark\Application Data\uTorrent
2008-02-06 00:58 --------- d-----w C:\Program Files\DivX
2008-02-06 00:47 --------- d-----w C:\Documents and Settings\Mark\Application Data\Microgaming
2008-02-05 10:05 --------- d-----w C:\Program Files\PKR
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-22 17:19 557,056 ----a-w C:\Documents and Settings\Mark\GoToAssist_phone__319_en.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-11-28 17:55 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-03-28_11.20.27.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 08:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 07:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2006-12-18 15:36:36 312,840 ----a-w C:\WINDOWS\KingComIE.dll
- 2000-08-31 08:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 07:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
- 2008-02-19 14:26:49 63,528 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-30 12:15:25 63,644 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-02-19 14:26:49 406,328 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-30 12:15:25 406,636 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2000-08-31 08:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 07:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]
"BTAgile"="C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe" [2007-06-18 10:39 61440]
"SRS Audio Sandbox"="C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdslTaskBar"="stmctrl.dll" [2004-08-27 09:20 167936 C:\WINDOWS\system32\stmctrl.dll]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2006-02-28 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-02-12 16:57 188416]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-02-12 16:59 77824]
"OlStatusMon"="C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe" [2006-01-03 15:23 94208]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19 129536]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 08:11 771704]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [2008-02-19 11:33:24 217088]
BTTray.lnk - C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe [2004-10-01 15:12:18 565309]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2007-06-26 14:48 509224 C:\PROGRA~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\BT Broadband Talk Softphone\\BTSoftphone.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\system32\DRIVERS\stmatm.sys [2004-07-06 13:28]
R3 TaurusPci;ADSL Modem PCI Service;C:\WINDOWS\system32\DRIVERS\toruspci.sys [2004-08-25 11:10]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 00:58:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-03-30 11:46:02 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Mark.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-24 18:34:13 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 08:57:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-03-31 9:00:12
ComboFix-quarantined-files.txt 2008-03-31 07:59:05
ComboFix2.txt 2008-03-29 11:13:38
ComboFix3.txt 2008-03-28 11:21:40
Pre-Run: 65,845,411,840 bytes free
Post-Run: 67,315,023,872 bytes free
.
2008-03-27 22:46:35 --- E O F ---

little eagle
2008-04-01, 14:52
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme

noticed this line in the hjt log in the 04's which you said was the start up files... it looks suspicious and have checked and deleted the programme aleady ....can this line be deleted???Yes this will keep windows from looking for the file :cool:

Both logs look fine any troubles with the PC?

karmdrefner
2008-04-01, 21:35
You know what....innitial signs are good. it Has only spiked once when i've tried in the last 2 days when i checked my mail in my outlook email account.Apart from that the surfing seems to be back normal..... wow!!!

Unfortunately one thing that is deffo not right is the startup.
The one time it did spike i decided to shut down the comp(held down power button) on the restart it took forever still best part of 20 mins to get on line and to settle. A blue screen also appeared saying that one of disks needed to be scanned for errors and that it recoommended i didnt skip the process have seen this happen 3 times now but not before i started having these troubles? is this an out standing seperate issue or does this suggest a hardware issue/failure???

I have deleted the 04 file as we talked about just to be on the safe side. and i will continue to monitor the performance over the next couple of days to completely vanquish any fears that its going to reinstall itself or return.
I will let you know and thank you properly then. until them prelimanary kudos to you lil eagle (A.K.A the dude!)

I am then hoping you can tie up some loose ends ie deletes some of the programs/files and processes we have gone through just to maximise disk space and limit damage (ie hide the hidden system files we have "outed"

again thanks for your commitment to finding/fixing this problem to date , will be touch again shortly with a difinitive verdict.:)

little eagle
2008-04-02, 06:21
Run - ATF Cleaner instructions here. (http://forums.security-central.us/showthread.php?t=1925)

-------------------------------------

Download the OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt.exe to run it.

Press cleanup & it will search for and delete/uninstall all the tools we have used :cool: and all their backup folders and then delete itself when you next reboot.

-------------------------------------

All so reset your restore points, please note that you will need to log into your computer with an account
which has full administrator access. You will know if the account has administrator access because
you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


--------------------------

I'll keep this thread open for a few days. Safe surfing

karmdrefner
2008-04-02, 16:49
LE, trust me, the last thing i wanted was to for me to writing this but ...it seems there may still be a problem. The pc though not doing it half as much is still spiking for no reason form time to time.This on its own would be acceptable if i could be sure it wasnt a threat as when its not happening the pc performance seems ok.

The things that worry me are the start up. Timed it at 20mins today looking on task manager the 2 programms with most procesess running were vault client SRV (think this may relate to a digital vault application i have for saving files dont remember it ever causing pc performance problems before the spyware issue and an application called ans LUCOMS~1.exe.
Norton loads last after everything else like messenger and IE. Most imprtantly i ran the security inspector which no probs for the last 3 days today was showing that IP addresess were again being directed to a differrent host.

Cant help thinking that all 3 problems are connected some how and unitil the comp loads up properly i cant be sure that the problem has been fixed. what do you think??:spider:

karmdrefner
2008-04-03, 19:48
spiking starting up again!!!!!!! as bad as it s ever been.....damn!

little eagle
2008-04-04, 14:34
Rescan with HiJackThis and post a new log here.

karmdrefner
2008-04-04, 18:07
as requested

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:03:34, on 04/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Sitecom\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [OlStatusMon] "C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe" dvcStatusMinimize
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZKxdm015YYGB
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189783077718
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab?AuthParam=1205869893_91469da6839c2b86ec698dab87f121ab&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://uk.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: olMntrService - Olivetti - C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: BT Auto Backup Upgrade Service (VaultClientUpgrade) - BT - C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11252 bytes

little eagle
2008-04-04, 18:47
Lets run stinger Instructions can be found here http://vil.nai.com/vil/stinger/

Let me know if it finds anything.

karmdrefner
2008-04-05, 00:48
LE we are definately making progress..in fact i may have thought the situation worse than it actually is...I wasnt lying when i said the pc was still spiking it was. What i done was to uninstall and reinstall bt auto back up and its my digital vault. (linked with the vault.srv that was running so many processes on spiking)

Since i done this the spiking is so much smaller and so far its almost been a day without any major spikes, just to put your mind at rest it didnt always spike like this the virus must have affected it some how.

Being the paranoid android i am ,i still think i should run the stinger,what do you think?????? was the HJT log clear.?????? I thought i should check with you as on the instructions for running the scan it tells me to disable the system restore and then it should prompt me to reeboot. I did this and it didnt prompt me to reeboot. Is this important to reboot??? should i manually reeboot or just run it without does it matter????

Like i said its probably best i run this 1 last scan but on the other hand ithink were so close i didnt want to undo all our good work at the 11th hour if there is a risk to the system - The saying goes if it aint broke dont fix it...all very well but i dont know for sure it is!!!

Sall i still run it , turing off the restore and rebooting before scanning???

karmdrefner
2008-04-05, 01:23
still doesni explain why Ip addresses are getttng redirected to a different host intermittantly accoriding to security inspector on norton

little eagle
2008-04-05, 03:09
it tells me to disable the system restore and then it should prompt me to reeboot. You do not need to disable system restore yet, but I would run the scan. Rebooting is necessary so that the files do not show up in other scans.

karmdrefner
2008-04-05, 13:42
Ran as requested.

2things though downloaded form link you gave option no.1 (not epo version) and it says its out of date but the link for the updated version is the link you gave?? should i do the w32/pollip version and secondly poor i know but i couldnt work out how to scan my computer so the results are only for the c drive.


McAfee® Stinger Version 3.8.0 built on Sep 10 2007

Copyright © 2007 McAfee, Inc. All Rights Reserved.

Virus data file v1000 created on Sep 10 2007.

Ready to scan for 191 viruses, trojans and variants.

This product is outdated.

Please go to http://vil.nai.com/vil/stinger for an update.



Scan initiated on Sat Apr 05 10:54:35 2008

Number of clean files: 108079

little eagle
2008-04-06, 02:24
Lets run an F-Secure online scan.
Click HERE (http://support.f-secure.com/enu/home/ols.shtml)
Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
Allow the Active X control to be installed on your computer, then click the Accept button
Click Full System Scan and allow the components to download and the scan to complete.
If malware is found, check Submit samples to F-Secure then select Automatic cleaning
When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
When the cleaning option is presented, Uncheck Submit samples to F-Secure
Click Automatic cleaning
When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Note: This scan will only work with Internet Explorer.
You must be logged on a administrator rights to run this scan.
The scan may take a few hours.

karmdrefner
2008-04-06, 16:58
As requested .....ugggggghhhhh i'm so hungover today!!!!


scanning Report
Sunday, April 06, 2008 10:58:01 - 14:53:41
Computer name: C600E805BDA44D4
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 2 malware found
RiskTool.Win32.PsKill (spyware)
System
Tracking Cookie (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 31529
System: 3509
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 2
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-04-05
F-Secure AVP: 7.0.171, 2008-04-05
F-Secure Pegasus: 1.20.0, 2008-02-28
F-Secure Blacklight: 1.0.64
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.

little eagle
2008-04-06, 20:30
Rescan with HiJackThis and post a new log here.
Also describe how your computer behaves at the moment Im' not seeing any reason for the increase in the CPU.

karmdrefner
2008-04-06, 21:02
as requested attached is the log. Computer not regularly spiking like before or any where near as bad butaccording to task manager one i had just now was was probably caused by App.Svc32.exe looking at the processes

Computer runnning pretty well at the moment generally though when new windows are open they dont always open out full size they are opening in different shapes ie some are half the screen size others 3 quarters and some square shape this doesnt seem normal.

Also my keyboard seems to be playing up as alot of the buttons i press dont show even after changing the batteries but cant believe this is connected.

# still intriged to know what is redirecting my ip addresses every now and again. COuld it be that there has been a rule created to allow access through my firewall thus allowing the problem to return? the 2 spywear/rootkit problems found on the llast scan were they ones that we have already deleted before?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:48:29, on 06/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\LVComS.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Sitecom\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [OlStatusMon] "C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe" dvcStatusMinimize
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZKxdm015YYGB
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1189783077718
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab?AuthParam=1205869893_91469da6839c2b86ec698dab87f121ab&GroupName=JSC&BHost=javadl.sun.com&FilePath=/ESD39/JSCDL/jdk/6u5b/jinstall-6u5-windows-i586-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://uk.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: olMntrService - Olivetti - C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: BT Auto Backup Upgrade Service (VaultClientUpgrade) - BT - C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11533 bytes

little eagle
2008-04-06, 21:46
Still not seeing any reason.

Are you fond of Symantec? This may be the reason for the spiking.

If so reinstall it, if not replace it.

karmdrefner
2008-04-07, 17:27
Thats good enough for me Little E!!! Thanks for all your help my PC isrunning miles better than it was your help has been much apreciated.

Ithink your right about Norton i think its way over rated!! Can you reccomend an alternative any chance of one last link to set me up???

Thanks again, hope never have to but i wont hesitate to use this service again if needed.

karm:D:

little eagle
2008-04-07, 22:34
I like Nod32 http://www.eset.com/download/index.php
But AVG is also good. Both have anti-spyware programs that work fine with Spybot. Just have one realtime protection running.

karmdrefner
2008-04-07, 22:54
Nice one! all the best!:cool:

little eagle
2008-04-08, 02:19
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help.

Note: If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.