Virtumonde



Ade the Jambo
2008-04-23, 17:23
Hello

On 21/4 I posted a Virtumonde issue but without the HJT log as I could not get it to run.

I now can get it to run for some reason so I am reposting this and noting that the previous thread can be ignored.

I hope you can help, it is driving me mad!

HJT Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:16:20, on 23/04/2008
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\C4ebreg\isamsmt.exe
c:\sdwork\issimsvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\vnxserv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\system32\MsgSys.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\System32\Drivers\ldlcserv.exe
C:\Program Files\c4ebreg\c4ebreg.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CMS Peripherals\ABSplus Backup\Launcher.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.20\WlanCU.exe
C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
C:\WINNT\Explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
F3 - REG:win.ini: run=""
F2 - REG:system.ini: UserInit=C:\WINNT\SwitchUser.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - C:\WINNT\system32\pmnnoom.dll (file missing)
O2 - BHO: (no name) - {1F9C928F-CAFF-461F-8782-531B3E4A1D29} - C:\WINNT\system32\efcbx.dll (file missing)
O2 - BHO: (no name) - {749476E4-41A3-43DF-B025-5605938D011A} - C:\WINNT\system32\hgdcd.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {22fe20af-2a7c-f019-48f4-63d5b4d57ec9} - {9ce75d4b-5d36-4f84-910f-c7a2fa02ef22} - C:\WINNT\system32\mlJBQHAT.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\C4ebreg\isamsmt.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NOMAD Detector] C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [MyPointsPointAlert0] "C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [d01b4403] rundll32.exe "C:\WINNT\system32\nnnmkLFV.dll",b
O4 - HKLM\..\Run: [0A55460E67700F222955] Rundll32.exe "C:\WINNT\system32\cplbicic.dll",s
O4 - HKLM\..\Run: [BMd328779f] Rundll32.exe "C:\WINNT\system32\geuvcpfj.dll",s
O4 - HKLM\..\RunOnce: [SpybotDeletingA9920] command /c del "C:\WINNT\system32\hgdcd.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5275] cmd /c del "C:\WINNT\system32\hgdcd.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1207] command /c del "C:\WINNT\system32\hgdcd.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9911] cmd /c del "C:\WINNT\system32\hgdcd.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4607] command /c del "C:\WINNT\system32\hgdcd.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6186] cmd /c del "C:\WINNT\system32\hgdcd.dll"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB9553] command /c del "C:\WINNT\system32\hgdcd.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7286] command /c del "C:\WINNT\system32\hgdcd.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB68] command /c del "C:\WINNT\system32\hgdcd.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6594] cmd /c del "C:\WINNT\system32\hgdcd.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3464] cmd /c del "C:\WINNT\system32\hgdcd.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8054] command /c del "C:\WINNT\system32\hgdcd.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1135] cmd /c del "C:\WINNT\system32\hgdcd.dll"
O4 - HKLM\..\Policies\Explorer\Run: [D4mLTXM4JD] C:\WINNT\TEMP\winB3.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: DigiGuide TV Guide.lnk = C:\Program Files\DigiGuide TV Guide\Client.exe
O4 - Startup: Mp3tag Quick Pick.lnk = C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
O4 - Global Startup: ABSplus Launcher.lnk = C:\Program Files\CMS Peripherals\ABSplus Backup\Launcher.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\quickenw\BILLMIND.EXE
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.20\WlanCU.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Point Alert - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O20 - Winlogon Notify: pmnnoom - pmnnoom.dll (file missing)
O20 - Winlogon Notify: winnmi32 - winnmi32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISAM SMT Service (ISAMsmt) - IBM Global Services - C:\Program Files\C4ebreg\isamsmt.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: ldlcserv - IBM Corporation - C:\WINNT\System32\Drivers\ldlcserv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrcBoot - IBM Corporation - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: Vsclient Service (VnxService) - Unknown owner - C:\WINNT\system32\vnxserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 12549 bytes

Ade the Jambo
2008-04-23, 17:24
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, April 18, 2008 7:36:09 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 3 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/04/2008
Kaspersky Anti-Virus database records: 714084
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\

Scan Statistics:
Total number of scanned objects: 45800
Number of viruses found: 4
Number of infected objects: 35
Number of suspicious objects: 0
Duration of the scan process: 02:38:59

Infected Object Name / Virus Name / Last Action
C:\CFGSAFE\QCINIT\con00000\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/03F80000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00000\snap.zip ZIP: infected - 1 skipped
C:\CFGSAFE\QCINIT\con00025\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/03D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00025\snap.zip ZIP: infected - 1 skipped
C:\CFGSAFE\QCINIT\con00035\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/08D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00035\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/08D40001.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00035\snap.zip ZIP: infected - 2 skipped
C:\CFGSAFE\QCINIT\con00045\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/03D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00045\snap.zip ZIP: infected - 1 skipped
C:\CFGSAFE\QCINIT\con00046\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/03D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00046\snap.zip ZIP: infected - 1 skipped
C:\CFGSAFE\QCINIT\con00058\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/03D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00058\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/053C0000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00058\snap.zip ZIP: infected - 2 skipped
C:\CFGSAFE\QCINIT\con00061\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/03D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00061\snap.zip ZIP: infected - 1 skipped
C:\CFGSAFE\QCINIT\con00066\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/03D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00066\snap.zip ZIP: infected - 1 skipped
C:\CFGSAFE\QCINIT\con00071\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/03D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00071\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/05480000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00071\snap.zip ZIP: infected - 2 skipped
C:\CFGSAFE\QCINIT\con00073\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/03D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00073\snap.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF79F.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DF96EB.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\My Music\Holding Area\shrek third.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03F80000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\053C0000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\05480000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\08D40001.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\Program Files\Common Files\Real\Toolbar\RealBar.dll Infected: not-a-virus:AdWare.Win32.MegaSearch.s skipped
C:\Program Files\Veoh Networks\Veoh\client.log Object is locked skipped
C:\Program Files\Veoh Networks\Veoh\upload.log Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\GB070168.ldb Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\CatRoot\SYSMAST.cbd Object is locked skipped
C:\WINNT\system32\CatRoot\SYSMAST.cbk Object is locked skipped
C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbd Object is locked skipped
C:\WINNT\system32\CatRoot\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\CATMAST.cbk Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\hgdcd.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINNT\system32\nnnmkLFV.dll Infected: Packed.Win32.Monder.gen skipped
C:\WINNT\Temp\qsp636.tmp Infected: Net-Worm.Win32.Lovesan.a skipped
C:\WINNT\Temp\qspFF.tmp Infected: Net-Worm.Win32.Lovesan.a skipped
C:\WINNT\Temp\ZLT01b63.TMP Object is locked skipped

Scan process completed.

pskelley
2008-04-27, 01:01
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

You have a Vundo infection, but Kaspersky is also showing this nasty:
C:\WINNT\Temp\qsp636.tmp ------> Net-Worm.Win32.Lovesan.a
C:\WINNT\Temp\qspFF.tmp ------> Net-Worm.Win32.Lovesan.a
http://research.sunbelt-software.com/threatdisplay.aspx?name=Net-Worm.Win32.Lovesan.a&threatid=46649

Are your Windows Updates current? To my knowledge (I am not real familiar with your operating system) you are supposed to be patched for this worm?
If you still need help, I will do what I can.

1) Follow the directions here: http://www.snapfiles.com/get/fixblast.html
to download and run the tool.

2) C:\CFGSAFE\QCINIT\con00000\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/ <<< delete the contents of that Quarantine folder

3) C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\ <<< delete the contents of that quarantine folder

4) We first need to disable TeaTimer so that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

5) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply

Note: Do not mouseclick combofix's window while it's running. That may cause it to stall

Post the combofix log and a new HJT log.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks
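pskelley's "Vundo" diagnosis rests on a pattern visible in the HijackThis log posted above: anonymous BHOs in system32 (several already "file missing"), rundll32 autoruns that load random-named system32 DLLs through a single-letter export, a Policies\Explorer\Run entry pointing into TEMP, and a Winlogon Notify package whose DLL is gone. The scanner below is an added example, not code from this thread or from HijackThis; it encodes those indicators as rules and runs them over lines copied from the log, and the rule names and the Finding structure are assumptions of my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines taken from the HijackThis log in this thread, plus
# two benign entries (Adobe BHO, AVG autorun) to show the rules are selective.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - C:\WINNT\system32\pmnnoom.dll (file missing)
O2 - BHO: {22fe20af-2a7c-f019-48f4-63d5b4d57ec9} - {9ce75d4b-5d36-4f84-910f-c7a2fa02ef22} - C:\WINNT\system32\mlJBQHAT.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [d01b4403] rundll32.exe "C:\WINNT\system32\nnnmkLFV.dll",b
O4 - HKLM\..\Run: [BMd328779f] Rundll32.exe "C:\WINNT\system32\geuvcpfj.dll",s
O4 - HKLM\..\Policies\Explorer\Run: [D4mLTXM4JD] C:\WINNT\TEMP\winB3.exe
O20 - Winlogon Notify: pmnnoom - pmnnoom.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

# A CLSID-shaped token; Vundo BHOs often use one in place of a display name.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# O2 line: "O2 - BHO: <name> - {CLSID} - <target path, maybe '(file missing)'>"
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<target>.*)$")
# O4 line: "O4 - <hive>\..\<key>: [<entry>] <command>"
RUN_RE = re.compile(
    r"^O4 - (?P<hive>.*?)\\\.\.\\(?P<key>Run|RunOnce|Policies\\Explorer\\Run): "
    r"\[(?P<entry>[^\]]*)\] (?P<cmd>.*)$"
)
# rundll32 command loading a DLL and calling a named export: rundll32 "<dll>",<export>
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)', re.IGNORECASE
)
# O20 line: "O20 - Winlogon Notify: <name> - <dll> [(file missing)]"
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>\S+)(?P<missing> \(file missing\))?$"
)
DLL_RE = re.compile(r"([A-Za-z0-9_]+\.dll)", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str    # which indicator fired (names are my own, not HijackThis's)
    entry: str   # the HJT line that triggered it


def scan_hjt(log_text: str) -> List[Finding]:
    """Apply the Vundo-style indicator rules to every line of an HJT log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = BHO_RE.match(line)
        if m:
            name, target = m.group("name"), m.group("target")
            anonymous = name == "(no name)" or GUID_RE.fullmatch(name) is not None
            if anonymous and "system32" in target.lower():
                rule = "anonymous BHO loading from system32"
                if "(file missing)" in target:
                    # Deleted on disk but still registered: the CLSID must be removed too.
                    rule += " (file missing, registration left behind)"
                findings.append(Finding(rule, line))
            continue

        m = RUN_RE.match(line)
        if m:
            key, cmd = m.group("key"), m.group("cmd")
            r = RUNDLL_RE.match(cmd)
            if r and "system32" in r.group("dll").lower() and len(r.group("export")) == 1:
                findings.append(Finding("rundll32 autorun of system32 DLL via single-letter export", line))
            elif key.startswith("Policies") and "\\temp\\" in cmd.lower():
                findings.append(Finding("Policies\\Explorer\\Run autorun from a TEMP directory", line))
            continue

        m = NOTIFY_RE.match(line)
        if m and m.group("missing"):
            findings.append(Finding("Winlogon Notify package whose DLL is missing", line))
    return findings


def implicated_dlls(findings: List[Finding]) -> List[str]:
    """Unique, lower-cased DLL file names referenced by the findings."""
    names = {dll.lower() for f in findings for dll in DLL_RE.findall(f.entry)}
    return sorted(names)


if __name__ == "__main__":
    hits = scan_hjt(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.rule}]\n    {f.entry}")
    print("DLLs implicated:", ", ".join(implicated_dlls(hits)))
```

The "(file missing)" findings are the ones a cleanup must not skip: the DLL is gone but the BHO CLSID and Winlogon Notify registration remain, which is why ComboFix's "Reg Loading Points" section later still lists those CLSIDs.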

Ade the Jambo
2008-04-28, 15:15
Hello pskelley and thank you very much for your attention. Here is the outcome of following your directions:

1. I ran fixblast and after a few minutes it returned an application error: "The instruction at "0x0040933a" referenced memory at "0x10031000". The required data was not placed into memory because of an I/O error status of "0xc000009c"."

2, 3 and 4 went fine.

5. I received an error saying the registry was too small, the PC restarted and the logfile below was created:

Combofix log:

ComboFix 08-04-27.2 - 28/04/2008 12:14:22.1 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\cookies.ini
C:\WINNT\pskt.ini
C:\WINNT\system32\dcdgh.ini
C:\WINNT\system32\dcdgh.ini2
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\nnnmkLFV.dll
C:\WINNT\system32\VFLkmnnn.ini
C:\WINNT\system32\VFLkmnnn.ini2
C:\WINNT\system32\VFLkmnnn.tmp
C:\WINNT\system32\xbcfe.ini
C:\WINNT\system32\xbcfe.ini2
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NTLOAD


((((((((((((((((((((((((( Files Created from 2008-03-28 to 2008-04-28 )))))))))))))))))))))))))))))))
.

2008-04-28 10:38 . 08-04-28 10:38 <DIR> d-------- C:\WINNT\system32\BITS
2008-04-28 10:24 . 07-07-30 19:19 549,720 --a------ C:\WINNT\system32\wuapi.dll
2008-04-28 10:24 . 07-07-30 19:19 325,976 --a------ C:\WINNT\system32\wucltui.dll
2008-04-28 10:24 . 07-07-30 19:19 43,352 --a------ C:\WINNT\system32\wups2.dll
2008-04-28 10:24 . 07-07-30 19:18 34,136 --a------ C:\WINNT\system32\wucltui.dll.mui
2008-04-28 10:24 . 07-07-30 19:18 33,624 --a------ C:\WINNT\system32\wups.dll
2008-04-28 10:24 . 07-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuaucpl.cpl.mui
2008-04-28 10:24 . 07-07-30 19:19 25,944 --a------ C:\WINNT\system32\wuapi.dll.mui
2008-04-28 10:24 . 07-07-30 19:18 20,312 --a------ C:\WINNT\system32\wuaueng.dll.mui
2008-04-22 16:22 . 08-04-25 12:59 <DIR> d-a------ C:\Program Files\DigiGuide TV Guide
2008-04-21 15:25 . 08-04-28 11:35 742,776 ---h----- C:\WINNT\ShellIconCache
2008-04-21 15:22 . 08-04-21 15:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-18 19:20 . 08-04-21 09:40 109,669 --a------ C:\WINNT\BMd328779f.xml
2008-04-18 16:10 . 08-04-18 16:10 <DIR> d-a------ C:\WINNT\system32\Kaspersky Lab
2008-04-18 16:10 . 08-04-18 16:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-30 08:42 . 07-08-01 16:47 102,664 --a------ C:\WINNT\system32\drivers\tmcomm.sys
2008-03-30 08:39 . 08-03-30 08:39 1,093,632 --a------ C:\WINNT\system32\mfc80.dll
2008-03-30 08:39 . 08-03-30 08:39 1,079,808 --a------ C:\WINNT\system32\mfc80u.dll
2008-03-30 08:39 . 08-03-30 08:39 626,688 --a------ C:\WINNT\system32\msvcr80.dll
2008-03-30 08:39 . 08-03-30 08:39 548,864 --a------ C:\WINNT\system32\msvcp80.dll
2008-03-30 08:39 . 08-03-30 08:39 479,232 --a------ C:\WINNT\system32\msvcm80.dll
2008-03-30 08:39 . 08-03-30 08:39 69,632 --a------ C:\WINNT\system32\mfcm80.dll
2008-03-30 08:39 . 08-03-30 08:39 57,344 --a------ C:\WINNT\system32\mfcm80u.dll
2008-03-30 08:39 . 08-03-30 08:39 550 --a------ C:\WINNT\system32\Microsoft.VC80.MFC.manifest
2008-03-30 08:39 . 08-03-30 08:39 522 --a------ C:\WINNT\system32\Microsoft.VC80.CRT.manifest
2008-03-30 08:33 . 08-03-31 07:41 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\HouseCall 6.6
2008-03-28 23:19 . 08-03-30 01:01 966 --a------ C:\WINNT\system32\scolmpdain.xml

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-28 11:27 --------- d-----w C:\Program Files\C4ebreg
2008-04-28 09:55 --------- d-----w C:\Documents and Settings\Administrator\Application Data\AVG7
2008-04-24 19:57 189,952 ----a-w C:\WINNT\Internet Logs\xDB10F.tmp
2008-04-24 19:42 3,018,752 ----a-w C:\WINNT\Internet Logs\xDB10E.tmp
2008-04-22 21:16 3,036,672 ----a-w C:\WINNT\Internet Logs\xDB10C.tmp
2008-04-22 19:20 232,960 ----a-w C:\WINNT\Internet Logs\xDB10D.tmp
2008-04-21 19:55 3,016,704 ----a-w C:\WINNT\Internet Logs\xDB10A.tmp
2008-04-21 19:48 252,416 ----a-w C:\WINNT\Internet Logs\xDB10B.tmp
2008-04-21 14:56 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-21 14:55 --------- d-----w C:\Program Files\Audacity
2008-04-18 21:03 3,019,264 ----a-w C:\WINNT\Internet Logs\xDB108.tmp
2008-04-18 21:03 150,528 ----a-w C:\WINNT\Internet Logs\xDB109.tmp
2008-04-18 14:52 274,432 ----a-w C:\WINNT\Internet Logs\xDB107.tmp
2008-04-18 14:51 3,015,680 ----a-w C:\WINNT\Internet Logs\xDB106.tmp
2008-04-17 17:54 95,744 ----a-w C:\WINNT\Internet Logs\xDB105.tmp
2008-04-17 17:54 3,006,464 ----a-w C:\WINNT\Internet Logs\xDB104.tmp
2008-04-14 13:06 646,144 ----a-w C:\WINNT\Internet Logs\xDB103.tmp
2008-04-14 13:06 3,008,000 ----a-w C:\WINNT\Internet Logs\xDB102.tmp
2008-04-11 14:22 --------- d-----w C:\Program Files\Flickr Uploadr
2008-04-07 01:47 2,983,424 ----a-w C:\WINNT\Internet Logs\xDB100.tmp
2008-04-07 01:47 192,512 ----a-w C:\WINNT\Internet Logs\xDB101.tmp
2008-04-06 16:48 2,983,424 ----a-w C:\WINNT\Internet Logs\xDBFE.tmp
2008-04-06 16:47 107,520 ----a-w C:\WINNT\Internet Logs\xDBFF.tmp
2008-04-06 05:08 2,984,960 ----a-w C:\WINNT\Internet Logs\xDBFC.tmp
2008-04-06 01:40 26,112 ----a-w C:\WINNT\Internet Logs\xDBFD.tmp
2008-04-05 14:38 2,985,984 ----a-w C:\WINNT\Internet Logs\xDBFA.tmp
2008-04-05 08:28 19,456 ----a-w C:\WINNT\Internet Logs\xDBFB.tmp
2008-04-05 03:38 2,983,424 ----a-w C:\WINNT\Internet Logs\xDBF8.tmp
2008-04-05 03:38 18,432 ----a-w C:\WINNT\Internet Logs\xDBF9.tmp
2008-04-04 12:58 27,648 ----a-w C:\WINNT\Internet Logs\xDBF7.tmp
2008-04-04 12:53 2,992,128 ----a-w C:\WINNT\Internet Logs\xDBF6.tmp
2008-04-02 07:37 22,016 ----a-w C:\WINNT\Internet Logs\xDBF5.tmp
2008-04-02 07:27 2,988,544 ----a-w C:\WINNT\Internet Logs\xDBF4.tmp
2008-03-31 21:57 2,993,152 ----a-w C:\WINNT\Internet Logs\xDBF2.tmp
2008-03-31 21:01 24,576 ----a-w C:\WINNT\Internet Logs\xDBF3.tmp
2008-03-30 08:24 2,976,768 ----a-w C:\WINNT\Internet Logs\xDBF0.tmp
2008-03-30 00:16 189,440 ----a-w C:\WINNT\Internet Logs\xDBF1.tmp
2008-03-26 18:20 273,408 ----a-w C:\WINNT\Internet Logs\xDBEF.tmp
2008-03-26 18:20 2,935,808 ----a-w C:\WINNT\Internet Logs\xDBEE.tmp
2008-03-26 10:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-20 18:01 2,908,160 ----a-w C:\WINNT\Internet Logs\xDBEC.tmp
2008-03-20 18:01 138,752 ----a-w C:\WINNT\Internet Logs\xDBED.tmp
2008-03-20 07:51 2,939,392 ----a-w C:\WINNT\Internet Logs\xDBEA.tmp
2008-03-20 07:22 30,208 ----a-w C:\WINNT\Internet Logs\xDBEB.tmp
2008-03-20 07:18 --------- d---a-w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-20 07:10 499,712 ----a-w C:\WINNT\system32\msvcp71.dll
2008-03-20 07:10 348,160 ----a-w C:\WINNT\system32\msvcr71.dll
2008-03-20 07:10 26,944 ----a-w C:\WINNT\system32\drivers\avg7rsnt.sys
2008-03-20 07:10 --------- d-----w C:\Documents and Settings\Default User\Application Data\AVG7
2008-03-20 07:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-03-19 22:38 --------- d---a-w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-19 22:14 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-18 18:18 26,112 ----a-w C:\WINNT\Internet Logs\xDBE9.tmp
2008-03-18 18:18 2,881,536 ----a-w C:\WINNT\Internet Logs\xDBE8.tmp
2008-03-15 19:14 860,672 ----a-w C:\WINNT\Internet Logs\xDBE5.tmp
2008-03-15 19:13 2,883,584 ----a-w C:\WINNT\Internet Logs\xDBE4.tmp
2008-02-11 19:39 647,680 ----a-w C:\WINNT\Internet Logs\xDBE7.tmp
2008-02-11 19:39 2,877,952 ----a-w C:\WINNT\Internet Logs\xDBE3.tmp
2008-02-01 08:14 2,877,952 ----a-w C:\WINNT\Internet Logs\xDBE2.tmp
2008-02-01 08:13 17,408 ----a-w C:\WINNT\Internet Logs\xDBE6.tmp
2008-02-01 00:11 21,504 ----a-w C:\WINNT\Internet Logs\xDBE1.tmp
2008-02-01 00:02 2,883,584 ----a-w C:\WINNT\Internet Logs\xDBE0.tmp
2008-01-30 22:42 2,877,440 ----a-w C:\WINNT\Internet Logs\xDBDE.tmp
2008-01-30 19:48 29,184 ----a-w C:\WINNT\Internet Logs\xDBDF.tmp
2004-03-22 20:06 51,416 ----a-w C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT
2003-09-02 22:30 794 ----a-w C:\Program Files\INSTALL.LOG
2003-01-07 11:26 271 ---h--w C:\Program Files\desktop.ini
2003-01-07 11:26 21,952 ---h--w C:\Program Files\folder.htt
1999-12-07 16:00 32,528 ----a-w C:\WINNT\inf\wbfirdma.sys
2007-11-29 22:31 479,232 ----a-w C:\Program Files\mozilla firefox\plugins\msvcm80.dll
2007-11-29 22:31 548,864 ----a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
2007-11-29 22:31 626,688 ----a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{182C7ED7-E56D-4509-9D9B-AC49318D9895}]
C:\WINNT\system32\pmnnoom.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1F9C928F-CAFF-461F-8782-531B3E4A1D29}]
C:\WINNT\system32\efcbx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{749476E4-41A3-43DF-B025-5605938D011A}]
C:\WINNT\system32\hgdcd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9ce75d4b-5d36-4f84-910f-c7a2fa02ef22}]
C:\WINNT\system32\mlJBQHAT.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"internat.exe"="internat.exe" [99-12-07 17:00 20752 C:\WINNT\system32\internat.exe]
"NOMAD Detector"="C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE" [02-06-26 04:16 19456]
"Creative Detector"="C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" [03-08-06 14:49 90112]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [07-06-14 17:26 68856]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [07-10-23 22:18 443968]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [99-12-07 17:00 111376 C:\WINNT\system32\mobsync.exe]
"C4EBReg"="C:\Program Files\c4ebreg\c4ebreg.exe" [04-06-04 16:27 294912]
"ISAM SMT Service"="C:\Program Files\C4ebreg\isamsmt.exe" [02-11-15 17:50 102400]
"vptray"="C:\Program Files\NavNT\vptray.exe" [02-06-03 20:09 73728]
"LTWinModem1"="ltmsg.exe" [03-06-10 01:18 38912 C:\WINNT\system32\ltmsg.exe]
"SoundFusion"="cwcprops.cpl" [03-06-10 01:18 45296 C:\WINNT\system32\cwcprops.cpl]
"TrackPointSrv"="tp4serv.exe" [03-06-10 01:19 110592 C:\WINNT\system32\tp4serv.exe]
"TP4EX"="tp4ex.exe" [02-09-04 01:05 53248 C:\WINNT\system32\TP4EX.exe]
"TPTRAY"="C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE" [03-06-10 01:17 48640]
"TPHOTKEY"="C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe" [03-06-10 01:18 86016]
"ISSI EZUpdate Service"="c:\sdwork\issimsvc.exe" [03-06-13 09:31 185344]
"Nokia Tray Application"="C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe" [02-04-29 16:22 401408]
"ConfigSafe"="C:\CFGSAFE\NTFSCLUP.EXE" [01-05-28 00:00 40960]
"CSScheduleCheck"="C:\CFGSAFE\SCHWIZEX.exe" [01-05-28 00:00 61440]
"CTStartup"="C:\Program Files\Creative\Splash Screen\CTEaxSpl.exe" [01-12-20 02:00 28672]
"NOMAD Detector"="C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE" [02-06-26 04:16 19456]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [04-04-19 15:58 180269]
"stgclean"="c:\sdwork\w32main2.exe" [04-01-19 14:11 228864]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [06-08-13 23:54 282624]
"Disc Detector"="C:\Program Files\Creative\ShareDLL\CtNotify.exe" [01-12-26 03:00 191488]
"MyPointsPointAlert0"="C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [07-09-25 02:11 132496]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [08-04-17 19:31 579584]
"0A55460E67700F222955"="C:\WINNT\system32\cplbicic.dll" [ ]
"BMd328779f"="C:\WINNT\system32\geuvcpfj.dll" [ ]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [08-03-20 08:09 219136]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [02-08-27 00:04 186640]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
DigiGuide TV Guide.lnk - C:\Program Files\DigiGuide TV Guide\Client.exe [2008-04-22 16:23:04 180224]
Mp3tag Quick Pick.lnk - C:\Program Files\Mp3tag\Mp3tagQuickPick.exe [2004-02-29 11:04:25 53248]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
ABSplus Launcher.lnk - C:\Program Files\CMS Peripherals\ABSplus Backup\Launcher.exe [2003-06-10 22:23:03 57344]
Belkin Wireless USB Utility.lnk - C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe [2006-11-03 17:00:54 1585152]
Billminder.lnk - C:\Program Files\quickenw\BILLMIND.EXE [2003-06-10 21:55:04 25600]
Integrity Client.lnk - C:\Program Files\Zone Labs\Integrity Client\iclient.exe [2003-08-29 09:56:24 660744]
Microsoft Office.lnk - C:\Program Files\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
Wireless Configuration Utility HW.51.lnk - C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.20\WlanCU.exe [2006-02-23 15:52:48 454656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"D4mLTXM4JD"= C:\WINNT\TEMP\winB3.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDevMgrUpdate"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\policies\microsoft\windows\windowsupdate\au]
"NoAutoUpdate"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{1DD7CBED-2F05-11D3-A521-00400514C916}"= C:\CFGSAFE\CSHOOK.DLL [01-05-28 00:00 126976]
"{182C7ED7-E56D-4509-9D9B-AC49318D9895}"= C:\WINNT\system32\pmnnoom.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnoom]
pmnnoom.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winnmi32]
winnmi32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll
"msacm.ctmp3"= C:\WINNT\System32\ctmp3.acm

R1 Avg7RsNT;AVG7 Resident Driver NT;C:\WINNT\system32\Drivers\avg7rsnt.sys [08-03-20 08:10 ]
R2 AppnApi;AppnApi;C:\WINNT\system32\drivers\appnapi.sys [02-08-19 22:19 ]
R2 IBM_LLC2;IBM Personal Communications LLC2 Driver;C:\WINNT\system32\DRIVERS\llc2.sys [02-08-19 22:19 ]
R2 NsTrcNT;NsTrcNT;C:\WINNT\system32\drivers\nstrcnt.sys [02-08-19 22:19 ]
R2 pdlnctdl;Twinax CUT Adapter;C:\WINNT\system32\drivers\pdlnctdl.sys [02-08-19 22:19 ]
R2 pdlndldl;IBM Enterprise Extender (HPR/IP);C:\WINNT\system32\drivers\pdlndldl.sys [02-08-19 22:19 ]
R2 portD;CMS PortIO Service;C:\WINNT\system32\DRIVERS\portd2k.sys [01-07-17 11:23 ]
R2 VnxTcp;VnxTcp;C:\WINNT\system32\drivers\vnxtcp.sys [02-05-28 17:36 ]
R3 Anydlc;Anydlc;C:\WINNT\system32\drivers\anydlc.sys [02-08-19 22:19 ]
R3 Appn;Appn;C:\WINNT\system32\drivers\appn.sys [02-08-19 22:19 ]
R3 AppnBase;AppnBase;C:\WINNT\system32\drivers\AppnBase.sys [02-08-19 22:19 ]
R3 KLOGNT;KLOGNT;C:\WINNT\system32\drivers\klognt.sys [02-08-19 22:19 ]
R3 pdlnacom;PDLC Adapter -- COM;C:\WINNT\system32\drivers\pdlnacom.sys [02-08-19 22:19 ]
R3 pdlnafac;PDLC Adapter Factory;C:\WINNT\system32\drivers\pdlnafac.sys [02-08-19 22:19 ]
R3 pdlnatcm;Twinax Adapter Common;C:\WINNT\system32\drivers\pdlnatcm.sys [02-08-19 22:19 ]
R3 pdlnatdl;Twinax Adapter;C:\WINNT\system32\drivers\pdlnatdl.sys [02-08-19 22:19 ]
R3 pdlncbas;PDLC CxM Classes;C:\WINNT\system32\drivers\pdlncbas.sys [02-08-19 22:19 ]
R3 pdlncfwk;PDLC Connection Manager;C:\WINNT\system32\drivers\pdlncfwk.sys [02-08-19 22:19 ]
R3 pdlndint;PDLC DLC Classes;C:\WINNT\system32\drivers\pdlndint.sys [02-08-19 22:19 ]
R3 pdlndlpb;PDLC LAPB;C:\WINNT\system32\drivers\pdlndlpb.sys [02-08-19 22:19 ]
R3 pdlndoem;PDLC OEM Interface;C:\WINNT\system32\drivers\pdlndoem.sys [02-08-19 22:19 ]
R3 pdlndqll;PDLC QLLC;C:\WINNT\system32\drivers\pdlndqll.sys [02-08-19 22:19 ]
R3 pdlndsdl;PDLC SDLC;C:\WINNT\system32\drivers\pdlndsdl.sys [02-08-19 22:19 ]
R3 pdlndtdl;Twinax DLC;C:\WINNT\system32\drivers\pdlndtdl.sys [02-08-19 22:19 ]
R3 pdlnebas;PDLC Environment;C:\WINNT\system32\drivers\pdlnebas.sys [02-08-19 22:19 ]
R3 pdlnecfg;PDLC Configuration;C:\WINNT\system32\drivers\pdlnecfg.sys [02-08-19 22:19 ]
R3 pdlnemap;PDLC Mapper;C:\WINNT\system32\drivers\pdlnemap.sys [02-08-19 22:19 ]
R3 pdlnemsg;PDLC Message Driver;C:\WINNT\system32\drivers\pdlnemsg.sys [02-08-19 22:19 ]
R3 pdlnepkt;PDLC Buffer Manager;C:\WINNT\system32\drivers\pdlnepkt.sys [02-08-19 22:19 ]
R3 pdlnshay;PDLC Hayes At signalling;C:\WINNT\system32\drivers\pdlnshay.sys [02-08-19 22:19 ]
R3 pdlnslea;PDLC SDLC Leased;C:\WINNT\system32\drivers\pdlnslea.sys [02-08-19 22:19 ]
R3 pdlnsv25;PDLC V25bis signalling;C:\WINNT\system32\drivers\pdlnsv25.sys [02-08-19 22:19 ]
R3 pdlnsx25;PDLC X.25;C:\WINNT\system32\drivers\pdlnsx25.sys [02-08-19 22:19 ]
R3 Tp4Track;IBM PS/2 TrackPoint Driver;C:\WINNT\system32\DRIVERS\tp4track.sys [03-06-10 01:19 ]
S3 avpnnic;AGN Virtual Network Adapter;C:\WINNT\system32\DRIVERS\avpnnic.sys [03-04-04 12:48 ]
S3 hpoid407;IEEE-1284.4 Driver hpoid407;C:\WINNT\system32\DRIVERS\hpoid407.sys [02-11-20 12:55 ]
S3 hpoius07;USB to IEEE-1284.4 Translation Driver hpoius07;C:\WINNT\system32\DRIVERS\hpoius07.sys [02-11-20 12:54 ]
S3 IBMTOK;IBM Shared RAM Token-Ring Adapter Miniport;C:\WINNT\system32\DRIVERS\IBMTOK5.SYS [00-03-15 10:32 ]
S3 IBMTRP;IBM Token-Ring PCI Family Adapter;C:\WINNT\system32\DRIVERS\IBMTRP.SYS [02-07-22 18:05 ]
S3 S3Inc;S3Inc;C:\WINNT\system32\DRIVERS\s3mt3d.sys [99-10-29 14:11 ]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys [02-07-22 12:05 ]
S3 W8335PCI;IEEE 802.11g Wireless Cardbus/PCI Adapter HW51;C:\WINNT\system32\DRIVERS\MRV8335.sys [06-02-23 15:52 ]

*Newly Created Service* - IPNAT
*Newly Created Service* - RASAUTO
*Newly Created Service* - SHAREDACCESS
.
Contents of the 'Scheduled Tasks' folder
"2008-04-28 10:04:30 C:\WINNT\Tasks\Scheduled Snapshot.job"
- C:\CFGSAFE\SCHWIZEX.EXE
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-28 12:26:55
Windows 5.0.2195 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
CTStartup = C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run?/???7lw^7l???????x82?x????4???E??x4???.??x4???????D87l4????????>/?x???d?/?d?/?d?/?????????*e?wp%J?d?/?d?/??????`7l?G7l?LI?h???d?/?d?/?d?/???<l????d?/???<ld?/??>/?d?7l?>/??C@?x?????9lx???)0?xd?/???@

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\System32\NavLogon.dll
.
Completion time: 2008-04-28 12:38:03 - machine was rebooted [gb070168]
ComboFix-quarantined-files.txt 2008-04-28 11:37:35

Pre-Run: 578,904,064 bytes free
Post-Run: 4,611,923,968 bytes free

272


and the hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:46:23, on 28/04/2008
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\C4ebreg\isamsmt.exe
c:\sdwork\issimsvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\vnxserv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\Drivers\ldlcserv.exe
C:\WINNT\system32\MsgSys.EXE
C:\Program Files\c4ebreg\c4ebreg.exe
C:\Program Files\NavNT\vptray.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\CMS Peripherals\ABSplus Backup\Launcher.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.20\WlanCU.exe
C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
C:\WINNT\Explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - C:\WINNT\system32\pmnnoom.dll (file missing)
O2 - BHO: (no name) - {1F9C928F-CAFF-461F-8782-531B3E4A1D29} - C:\WINNT\system32\efcbx.dll (file missing)
O2 - BHO: (no name) - {749476E4-41A3-43DF-B025-5605938D011A} - C:\WINNT\system32\hgdcd.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {22fe20af-2a7c-f019-48f4-63d5b4d57ec9} - {9ce75d4b-5d36-4f84-910f-c7a2fa02ef22} - C:\WINNT\system32\mlJBQHAT.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\C4ebreg\isamsmt.exe"
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NOMAD Detector] C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [MyPointsPointAlert0] "C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [0A55460E67700F222955] Rundll32.exe "C:\WINNT\system32\cplbicic.dll",s
O4 - HKLM\..\Run: [BMd328779f] Rundll32.exe "C:\WINNT\system32\geuvcpfj.dll",s
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Policies\Explorer\Run: [D4mLTXM4JD] C:\WINNT\TEMP\winB3.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: DigiGuide TV Guide.lnk = C:\Program Files\DigiGuide TV Guide\Client.exe
O4 - Startup: Mp3tag Quick Pick.lnk = C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
O4 - Global Startup: ABSplus Launcher.lnk = C:\Program Files\CMS Peripherals\ABSplus Backup\Launcher.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\quickenw\BILLMIND.EXE
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.20\WlanCU.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Point Alert - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209374434039
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O20 - Winlogon Notify: pmnnoom - pmnnoom.dll (file missing)
O20 - Winlogon Notify: winnmi32 - winnmi32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISAM SMT Service (ISAMsmt) - IBM Global Services - C:\Program Files\C4ebreg\isamsmt.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: ldlcserv - IBM Corporation - C:\WINNT\System32\Drivers\ldlcserv.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: TrcBoot - IBM Corporation - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: Vsclient Service (VnxService) - Unknown owner - C:\WINNT\system32\vnxserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 11566 bytes


Thanks

pskelley
2008-04-28, 15:58
Thanks for returning your information and the feedback. Proceed carefully, in the numbered order, like this:

1) I missed this the first time and it is important:
You are running two antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

C:\Program Files\NavNT\
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

C:\PROGRAM FILES~1\Grisoft\AVG7\
(uninstall one of those AV programs)

2) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

3) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - C:\WINNT\system32\pmnnoom.dll (file missing)
O2 - BHO: (no name) - {1F9C928F-CAFF-461F-8782-531B3E4A1D29} - C:\WINNT\system32\efcbx.dll (file missing)
O2 - BHO: (no name) - {749476E4-41A3-43DF-B025-5605938D011A} - C:\WINNT\system32\hgdcd.dll (file missing)
O2 - BHO: {22fe20af-2a7c-f019-48f4-63d5b4d57ec9} - {9ce75d4b-5d36-4f84-910f-c7a2fa02ef22} - C:\WINNT\system32\mlJBQHAT.dll (file missing)
O4 - HKLM\..\Run: [0A55460E67700F222955] Rundll32.exe "C:\WINNT\system32\cplbicic.dll",s
O4 - HKLM\..\Run: [BMd328779f] Rundll32.exe "C:\WINNT\system32\geuvcpfj.dll",s
O4 - HKLM\..\Policies\Explorer\Run: [D4mLTXM4JD] C:\WINNT\TEMP\winB3.exe
(if you use the Alexa toolbar, you may leave the next two items)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\web\related.htm
O9 - Extra button: Point Alert - {16BF42FD-CA0A-4f48-819D-B0343254DD67} - file://C:\Program Files\MyPointsPointAlert\System\Temp\mypoints_script0.htm (file missing) (HKCU)
O20 - Winlogon Notify: pmnnoom - pmnnoom.dll (file missing)
O20 - Winlogon Notify: winnmi32 - winnmi32.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINNT\system32\cplbicic.dll <<< delete that file

C:\WINNT\system32\geuvcpfj.dll <<< delete that file

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post a new HJT log and tell me how the computer is running.

Thanks
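The lines picked out in step 4 share a few recognisable traits: BHOs with no display name whose DLL is reported missing, Run values that load an oddly named system32 DLL through Rundll32 with a one-letter export, a Policies\Explorer\Run entry starting a file from TEMP, and Winlogon Notify packages whose DLL is missing. As an added example (not a tool used in this thread; the heuristics are the editor's own, not HijackThis logic), the script below applies those patterns to HJT log lines taken from the log posted above and reports why each one was flagged:

```python
"""Triage HijackThis (HJT) log lines for Virtumonde/Vundo-style persistence.

Added example, not a tool from the thread. It encodes the patterns behind the
entries chosen for 'Fix Checked' in step 4: BHOs with no display name (or a
GUID for a name) whose DLL is missing, Run values that load a system32 DLL
through Rundll32 with a one-letter export, an entry in Policies\\Explorer\\Run
that starts a file from TEMP, and Winlogon Notify packages whose DLL is missing.
The heuristics are the editor's own assumptions, not HijackThis logic.
"""
import re
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Finding:
    section: str   # HJT section tag: O2, O4 or O20
    reason: str
    line: str


BHO_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>.*?): \[(?P<value>[^\]]+)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>\S+)(?P<rest>.*)$')
RUNDLL_RE = re.compile(r'^Rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<entry>\S*)', re.I)
GUID_RE = re.compile(r'^\{?[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}?$')


def check_bho(m: re.Match) -> List[str]:
    """O2 lines: a legitimate BHO normally has a product name and a DLL that exists."""
    reasons = []
    name = m.group('name')
    if name == '(no name)' or GUID_RE.match(name):
        reasons.append('BHO has no display name')
    if '(file missing)' in m.group('path'):
        reasons.append('BHO DLL is missing on disk (deleted, renamed or hidden)')
    return reasons


def check_run(m: re.Match) -> List[str]:
    """O4 lines: Run/RunOnce values and Policies\\Explorer\\Run."""
    reasons = []
    hive, cmd = m.group('hive'), m.group('cmd')
    rd = RUNDLL_RE.match(cmd)
    if rd and 'system32' in rd.group('dll').lower() and len(rd.group('entry')) <= 1:
        reasons.append('Rundll32 loads a system32 DLL through a one-letter export')
    if 'policies\\explorer\\run' in hive.lower():
        reasons.append('Policies\\Explorer\\Run is rarely used by legitimate software')
    if re.search(r'\\temp\\', cmd, re.I):
        reasons.append('autostart launches a file from a TEMP directory')
    return reasons


def check_winlogon(m: re.Match) -> List[str]:
    """O20 lines: Winlogon Notify DLLs are loaded into winlogon.exe at every logon."""
    if '(file missing)' in m.group('rest'):
        return ['Winlogon Notify DLL is missing on disk']
    return []


CHECKS: List[Tuple[str, re.Pattern, Callable]] = [
    ('O2', BHO_RE, check_bho),
    ('O4', O4_RE, check_run),
    ('O20', O20_RE, check_winlogon),
]


def triage(lines: List[str]) -> List[Finding]:
    """Return one Finding per (line, reason); lines no check recognises are skipped."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        for tag, regex, check in CHECKS:
            m = regex.match(line)
            if m:
                findings.extend(Finding(tag, r, line) for r in check(m))
                break
    return findings


def flagged_lines(lines: List[str]) -> List[str]:
    """Distinct flagged log lines, in log order."""
    seen: List[str] = []
    for f in triage(lines):
        if f.line not in seen:
            seen.append(f.line)
    return seen


# Lines taken from the HJT log posted in the thread: three benign, five Vundo-related.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {182C7ED7-E56D-4509-9D9B-AC49318D9895} - C:\WINNT\system32\pmnnoom.dll (file missing)
O2 - BHO: {22fe20af-2a7c-f019-48f4-63d5b4d57ec9} - {9ce75d4b-5d36-4f84-910f-c7a2fa02ef22} - C:\WINNT\system32\mlJBQHAT.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [0A55460E67700F222955] Rundll32.exe "C:\WINNT\system32\cplbicic.dll",s
O4 - HKLM\..\Policies\Explorer\Run: [D4mLTXM4JD] C:\WINNT\TEMP\winB3.exe
O20 - Winlogon Notify: pmnnoom - pmnnoom.dll (file missing)
"""

if __name__ == '__main__':
    for f in triage(SAMPLE_LOG.splitlines()):
        print(f'[{f.section}] {f.reason}\n    {f.line}')
```

A flagged line is a reason to look closer, not proof on its own; "(file missing)" in particular can also mean the file is hidden from the scanner, which is why the thread pairs HJT with a rootkit-aware tool.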

Ade the Jambo
2008-04-28, 19:11
Thank you for your prompt attention and clear instructions. The log will be posted below. Initially the computer seems to be running a lot faster, with no pop-ups, but it is early days yet; I will be able to provide better feedback in a couple of hours.

At what stage should I re-enable the switches and options that were amended?

Thanks

Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:04:47, on 28/04/2008
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.20\WinDomainlogon.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\C4ebreg\isamsmt.exe
c:\sdwork\issimsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\vnxserv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\Drivers\ldlcserv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\c4ebreg\c4ebreg.exe
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\CMS Peripherals\ABSplus Backup\Launcher.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.20\WlanCU.exe
C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
C:\Program Files\DigiGuide TV Guide\digiguide.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\C4ebreg\isamsmt.exe"
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NOMAD Detector] C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [MyPointsPointAlert0] "C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: DigiGuide TV Guide.lnk = C:\Program Files\DigiGuide TV Guide\Client.exe
O4 - Startup: Mp3tag Quick Pick.lnk = C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
O4 - Global Startup: ABSplus Launcher.lnk = C:\Program Files\CMS Peripherals\ABSplus Backup\Launcher.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\quickenw\BILLMIND.EXE
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.20\WlanCU.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209374434039
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISAM SMT Service (ISAMsmt) - IBM Global Services - C:\Program Files\C4ebreg\isamsmt.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: ldlcserv - IBM Corporation - C:\WINNT\System32\Drivers\ldlcserv.exe
O23 - Service: TrcBoot - IBM Corporation - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: Vsclient Service (VnxService) - Unknown owner - C:\WINNT\system32\vnxserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 9995 bytes

pskelley
2008-04-28, 19:32
Thanks for returning your information, just a bit more, this item:
MyPoints_PointAlert <<< I suggest you uninstall in Add Remove programs:
http://www.bleepingcomputer.com/uninstall/884/MyPoints-PointAlert.html
http://research.sunbelt-software.com/threatdisplay.aspx?name=Adware.MyPoints&threatid=53229
Then remove this line with HJT:
O4 - HKLM\..\Run: [MyPointsPointAlert0] "C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe"

See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.6.0_03\ <<< Java needs to be updated

The balance of the HJT log appears to be clean of malware. Remove combofix and the C:\Qoobox\Quarantine\ folder and run a new Kaspersky Online Scan using these settings:

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
  * Scan using the following Anti-Virus database:
    * Standard
  * Scan Options:
    * Scan Archives
    * Scan Mail Bases
* Click OK
* Now under select a target to scan:
  * Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

Ade the Jambo
2008-04-29, 10:22
Good morning

Add Remove programs does not list MyPoints_PointAlert, or anything that looks like it - is there another way and / or should I proceed with the HJT step?

pskelley
2008-04-29, 13:57
Please proceed with the KOS, we will remove it manually.

Thanks

Ade the Jambo
2008-04-29, 18:51
Java update seems to be fine. Here is the KOS log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, April 29, 2008 4:50:05 PM
Operating System: Microsoft Windows 2000 Professional, Service Pack 3 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/04/2008
Kaspersky Anti-Virus database records: 653244
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\

Scan Statistics:
Total number of scanned objects: 37609
Number of viruses found: 3
Number of infected objects: 21
Number of suspicious objects: 0
Duration of the scan process: 01:48:48

Infected Object Name / Virus Name / Last Action
C:\CFGSAFE\QCINIT\con00035\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/08D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00035\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/08D40001.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00035\snap.zip ZIP: infected - 2 skipped
C:\CFGSAFE\QCINIT\con00046\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/03D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00046\snap.zip ZIP: infected - 1 skipped
C:\CFGSAFE\QCINIT\con00058\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/03D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00058\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/053C0000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00058\snap.zip ZIP: infected - 2 skipped
C:\CFGSAFE\QCINIT\con00061\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/03D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00061\snap.zip ZIP: infected - 1 skipped
C:\CFGSAFE\QCINIT\con00066\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/03D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00066\snap.zip ZIP: infected - 1 skipped
C:\CFGSAFE\QCINIT\con00071\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/03D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00071\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/05480000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00071\snap.zip ZIP: infected - 2 skipped
C:\CFGSAFE\QCINIT\con00073\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/03D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00073\snap.zip ZIP: infected - 1 skipped
C:\CFGSAFE\QCINIT\con00081\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/03D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00081\snap.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFA850.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\My Music\Holding Area\shrek third.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\RECYCLER\S-1-5-21-810944919-384656099-253784651-500\Dc2\C\WINNT\system32\nnnmkLFV.dll.vir Infected: Packed.Win32.Monder.gen skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Internet Logs\GB070168.ldb Object is locked skipped
C:\WINNT\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\Temp\ZLT050c0.TMP Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley
2008-04-29, 19:18
Thanks for returning the scan results, looks like most of the junk is quarantined but not all.

I posted directions for doing this before in my post #3??

1) Delete the contents of the Quarantine folder in red
C:\CFGSAFE\QCINIT\con00035\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/08D40000.VBN ------> Net-Worm.Win32.Lovesan.a
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000041213443506

2) Delete the infected file in red:
C:\Documents and Settings\Administrator\My Documents\My Music\Holding Area\shrek third.mp3 ------> Trojan-Downloader.WMA.Wimad.n
http://www.bitdefender.com/VIRUS-1000277-en--Trojan.Downloader.WMA.Wimad.N.html

3) When the above is done, empty the Recycle Bin so this will be removed:
C:\RECYCLER\S-1-5-21-810944919-384656099-253784651-500\Dc2\C\WINNT\system32\nnnmkLFV.dll.vir ------> Packed.Win32.Monder.gen

4) I need to see another HJT log

5) Posting this information now so you can benefit from it.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
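An added example, not code from the thread or its participants: a small parser for Kaspersky Online Scanner reports in the shape posted above that separates detections already held in an AV quarantine (inside the ConfigSafe snapshot zips) or the Recycle Bin from live files that still need handling, which is the triage applied in the post above. The sample report is constructed from the paths quoted in the thread; the category names and the helper functions are this example's own.

```python
"""Triage helper for Kaspersky Online Scanner (KOS) text reports.
Added example, not code from the thread. Splits detections into ones already
neutralised (AV quarantine, Recycle Bin) and live files needing attention."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Line shapes used by the KOS report; the object path may contain spaces, so
# it is matched lazily up to the fixed marker text that follows it.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) ZIP: infected - (?P<count>\d+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")

# Constructed sample in the shape of the report posted above (paths quoted from
# the thread, not the full report).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\CFGSAFE\QCINIT\con00035\snap.zip/documents and settings/all users/Application Data/Symantec/Norton AntiVirus Corporate Edition/7.5/Quarantine/08D40000.VBN Infected: Net-Worm.Win32.Lovesan.a skipped
C:\CFGSAFE\QCINIT\con00035\snap.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\My Music\Holding Area\shrek third.mp3 Infected: Trojan-Downloader.WMA.Wimad.n skipped
C:\RECYCLER\S-1-5-21-810944919-384656099-253784651-500\Dc2\C\WINNT\system32\nnnmkLFV.dll.vir Infected: Packed.Win32.Monder.gen skipped

Scan process completed.
"""


@dataclass
class Detection:
    path: str      # full object path, including any "archive.zip/member" part
    name: str      # detection name as printed by the scanner
    action: str    # what the scanner did ("skipped" for an online scan)
    category: str  # "quarantined", "recycle_bin" or "live"
    archive: str   # containing archive path, or "" for a plain file


def classify(path: str) -> str:
    """Decide whether a detection is already neutralised or still live."""
    low = path.lower().replace("/", "\\")
    if "\\quarantine\\" in low or low.endswith(".vbn"):
        return "quarantined"  # AV quarantine store (Symantec .VBN files)
    if "\\recycler\\" in low or "\\recycled\\" in low:
        return "recycle_bin"  # gone once the Recycle Bin is emptied
    return "live"


def parse_report(text: str) -> List[Detection]:
    """One Detection per 'Infected:' line. Per-archive 'ZIP: infected - N'
    lines only repeat the member lines, so they are not turned into Detections."""
    found = []
    for line in text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        idx = path.lower().find(".zip/")
        archive = path[:idx + 4] if idx >= 0 else ""
        found.append(Detection(path, m.group("name"), m.group("action"),
                               classify(path), archive))
    return found


def summarize(text: str) -> Dict[str, int]:
    """Counts per category, plus infected archives and locked objects (files
    the scanner could not open, such as registry hives; not detections)."""
    counts = {"quarantined": 0, "recycle_bin": 0, "live": 0, "archives": 0, "locked": 0}
    for det in parse_report(text):
        counts[det.category] += 1
    for line in text.splitlines():
        if ARCHIVE_RE.match(line.strip()):
            counts["archives"] += 1
        elif LOCKED_RE.match(line.strip()):
            counts["locked"] += 1
    return counts


def action_items(text: str) -> List[str]:
    """Live detections first, then Recycle Bin contents, then one line per
    archive whose quarantined members were flagged."""
    items, archives = [], []
    for det in parse_report(text):
        if det.category == "live":
            items.append(f"DELETE {det.path} ({det.name})")
        elif det.category == "recycle_bin":
            items.append(f"EMPTY RECYCLE BIN to remove {det.path} ({det.name})")
        elif det.archive and det.archive not in archives:
            archives.append(det.archive)
    items.extend(f"QUARANTINED members inside {a}; clear the snapshot if no longer needed"
                 for a in archives)
    return items


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    for item in action_items(SAMPLE_REPORT):
        print(item)
```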

Ade the Jambo
2008-04-30, 11:37
Sorry, I must have missed some of the quarantined files which were held in a zip file - hopefully now dealt with.

Thanks for the very useful links. Meanwhile here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:24:51, on 30/04/2008
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\System32\ibmpmsvc.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\System32\drivers\trcboot.exe
C:\Program Files\IBM\Personal Communications\PCS_AGNT.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINNT\System32\CTsvcCDA.exe
C:\Program Files\C4ebreg\isamsmt.exe
c:\sdwork\issimsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\vnxserv.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\Drivers\ldlcserv.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\ltmsg.exe
C:\WINNT\system32\tp4serv.exe
C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
C:\Program Files\ThinkPad\PkgMgr\HOTKEY\TPONSCR.exe
C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\internat.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\CMS Peripherals\ABSplus Backup\Launcher.exe
C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
C:\Program Files\Zone Labs\Integrity Client\iclient.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.20\WlanCU.exe
C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\c4ebreg\c4ebreg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [C4EBReg] "C:\Program Files\c4ebreg\c4ebreg.exe" /q
O4 - HKLM\..\Run: [ISAM SMT Service] "C:\Program Files\C4ebreg\isamsmt.exe"
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [SoundFusion] RunDll32 cwcprops.cpl,CrystalControlWnd
O4 - HKLM\..\Run: [TrackPointSrv] tp4serv.exe
O4 - HKLM\..\Run: [TP4EX] tp4ex.exe
O4 - HKLM\..\Run: [TPTRAY] C:\PROGRA~1\ThinkPad\UTILIT~1\TP98TRAY.EXE
O4 - HKLM\..\Run: [TPHOTKEY] C:\PROGRA~1\ThinkPad\PkgMgr\HOTKEY\TPHKMGR.exe
O4 - HKLM\..\Run: [ISSI EZUpdate Service] "c:\sdwork\issimsvc.exe"
O4 - HKLM\..\Run: [Nokia Tray Application] C:\Program Files\Common Files\Nokia\NCLTools\NclTray.exe
O4 - HKLM\..\Run: [ConfigSafe] C:\CFGSAFE\NTFSCLUP.EXE
O4 - HKLM\..\Run: [CSScheduleCheck] C:\CFGSAFE\SCHWIZEX.EXE -CHECK
O4 - HKLM\..\Run: [CTStartup] C:\Program Files\Creative\Splash Screen\CTEaxSpl.EXE /run
O4 - HKLM\..\Run: [NOMAD Detector] C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [stgclean] c:\sdwork\w32main2.exe /cleanup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Disc Detector] C:\Program Files\Creative\ShareDLL\CtNotify.exe
O4 - HKLM\..\Run: [MyPointsPointAlert0] "C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\NOMAD Jukebox 3\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Startup: DigiGuide TV Guide.lnk = C:\Program Files\DigiGuide TV Guide\Client.exe
O4 - Startup: Mp3tag Quick Pick.lnk = C:\Program Files\Mp3tag\Mp3tagQuickPick.exe
O4 - Global Startup: ABSplus Launcher.lnk = C:\Program Files\CMS Peripherals\ABSplus Backup\Launcher.exe
O4 - Global Startup: Belkin Wireless USB Utility.lnk = C:\Program Files\Belkin\USB F5D7050\Wireless Utility\Belkinwcui.exe
O4 - Global Startup: Billminder.lnk = C:\Program Files\quickenw\BILLMIND.EXE
O4 - Global Startup: Integrity Client.lnk = C:\Program Files\Zone Labs\Integrity Client\iclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.20\WlanCU.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 4.00\AMVConverter\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: MediaManager tool grab multimedia file - C:\Program Files\MP3 Player Utilities 4.00\MediaManager\grab.html
O8 - Extra context menu item: Search Using Copernic Agent - C:\Program Files\Copernic Agent\Web\SearchExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1209374434039
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = ibm.com
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ibm.com
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\System32\CTsvcCDA.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINNT\System32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: ISAM SMT Service (ISAMsmt) - IBM Global Services - C:\Program Files\C4ebreg\isamsmt.exe
O23 - Service: ISSI EZUpdate (ISSIMon) - IBM Global Services - c:\sdwork\issimsvc.exe
O23 - Service: ldlcserv - IBM Corporation - C:\WINNT\System32\Drivers\ldlcserv.exe
O23 - Service: TrcBoot - IBM Corporation - C:\WINNT\System32\drivers\trcboot.exe
O23 - Service: Vsclient Service (VnxService) - Unknown owner - C:\WINNT\system32\vnxserv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINNT\system32\ZoneLabs\vsmon.exe

--
End of file - 9816 bytes

pskelley
2008-04-30, 13:46
Thanks for the feedback and the HJT log...
http://www.privacyanywhere.com/research/rid/MyPointsPointAlert.htm
Adware

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [MyPointsPointAlert0] "C:\Program Files\MyPoints_PointAlert\MyPointsPointAlert0.exe"

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\Program Files\MyPoints_PointAlert\ <<< delete that folder and contents

Safe Surfing

Ade the Jambo
2008-04-30, 14:59
Now done these tasks.

Thanks for your fantastic support and the computer is now running brilliantly - really grateful.

Do you need any further logs or reports? Would you recommend that I now re-enable Teatimer?

pskelley
2008-04-30, 15:08
You are welcome, glad I could help. If you run TeaTimer, enable it now. Be careful, it's a cyber-jungle out there, have a look:
http://en.wikipedia.org/wiki/Russian_Business_Network
http://rbnexploit.blogspot.com/