Virtumonde infection.



mick-m
2008-08-28, 14:20
As thread title states my PC has become infected by Virtumonde and Virtumonde.dll.
S&D reports two entries of each, every time I scan.
My hard drive is partitioned into C & E.
The E drive is a Recovery drive which I have never used and I wouldn't know how to.
The C drive is no longer visible in 'My Computer'?
A lot of icons have disappeared from the desktop and I have 'VIRUS ALERT'
in the taskbar next to the clock and also on the 'General' tab of 'System Properties'.
Also when I click on 'Start' the 'Run, Search, Control Panel' etc. options have also disappeared.

I have read the stickies and d/loaded HJT.
Hope you can sort out this nightmare for me.
TIA
Here is the log -

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19: VIRUS ALERT!, on 28/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo! UK & Ireland
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [Microsoft Corp Updates] synet-ud.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [28ac83c8] rundll32.exe "C:\WINDOWS\system32\levtjrfs.dll",b
O4 - HKLM\..\RunServices: [Microsoft Corp Updates] synet-ud.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166226399125
O20 - AppInit_DLLs: drjfzo.dll jzpoks.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 5745 bytes
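
The entries in the log above that the helper will act on (the `[28ac83c8]` rundll32 line, the `Microsoft Corp Updates` entry under both Run and RunServices, and the populated `AppInit_DLLs` value) are the kind an analyst spots by eye. As an added illustration, not part of the thread or of HijackThis itself, here is a small Python triage script that applies those same checks to O4 and O20 lines. The sample lines are constructed from the entries in this log; the rule names, the `Finding` structure and the heuristics are assumptions of this example, not anything the tool or the forum helpers define.

```python
"""Triage helper for HijackThis-style autorun lines (added example, not part of the thread)."""
import re
from collections import defaultdict, namedtuple

# Constructed sample: a subset of lines modelled on the HijackThis log posted
# above. The file names are the ones that log reports; the selection and the
# ordering are constructed for this example.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Microsoft Corp Updates] synet-ud.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [28ac83c8] rundll32.exe "C:\WINDOWS\system32\levtjrfs.dll",b
O4 - HKLM\..\RunServices: [Microsoft Corp Updates] synet-ud.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O20 - AppInit_DLLs: drjfzo.dll jzpoks.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# rule: which heuristic fired; artifact: the file or value name to look at next
Finding = namedtuple("Finding", "rule artifact detail")

# O4 lines have the shape "O4 - <hive>\..\<key>: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O20 lines carry the AppInit_DLLs value as a space-separated list
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
# rundll32 <dll>,<export>; the DLL path may be quoted
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)', re.I)
# autorun value names that are nothing but a hex blob, e.g. 28ac83c8
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,}$", re.I)


def triage(log_text):
    """Return a list of Finding tuples for the autorun entries worth a closer look."""
    findings = []
    # (hive, value name) -> autorun keys it appears under, for cross-key correlation.
    # Keyed per hive so that the normal CTFMON.EXE entry under each user hive is not flagged.
    keys_by_name = defaultdict(set)
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.group("hive", "key", "name", "cmd")
            keys_by_name[(hive, name)].add(key)
            if key.lower() == "runservices":
                findings.append(Finding("runservices", cmd,
                    "RunServices is a Windows 9x-era autorun key; current software rarely uses it"))
            if HEX_NAME_RE.match(name):
                findings.append(Finding("hex_name", cmd,
                    f"autorun value name '{name}' is a bare hex string"))
            r = RUNDLL_RE.search(cmd)
            if r and len(r.group("export")) <= 2:
                # Legitimate rundll32 entries name a real export (NvCpl.dll,NvStartup);
                # a one-letter export on a DLL in system32 is the pattern seen above.
                findings.append(Finding("rundll32_short_export", r.group("dll"),
                    f"rundll32 loads the DLL through a {len(r.group('export'))}-character export"))
            continue
        m = O20_RE.match(line)
        if m and m.group("dlls").strip():
            for dll in m.group("dlls").split():
                findings.append(Finding("appinit_dlls", dll,
                    "AppInit_DLLs entries are loaded into every process that loads user32.dll"))
    for (hive, name), keys in keys_by_name.items():
        if len(keys) > 1:
            findings.append(Finding("multi_key", name,
                f"same value name under {len(keys)} autorun keys in {hive}: {', '.join(sorted(keys))}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.rule}] {f.artifact}\n    {f.detail}")
```

Each finding names the file or value an analyst would examine next (upload the DLL to a multi-engine scanner, check the value's owner and timestamp), which is the point of the script: it does not remove anything, it only turns a long log into a short list of entries to investigate.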

km2357
2008-08-28, 20:23
Hello and welcome to Safer Networking.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


I will be back as soon as possible with your first instructions!

km2357
2008-08-28, 20:33
I see that you posted your HJT log in Safe Mode. From now on please post all HJT logs in Normal Mode. Thanks. :)


Step # 1 Download CCleaner

Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.

Double click on the ccsetup.exe file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location.
Under Install Options, choose all the default settings except I would recommend that you unclick/untick install the Yahoo! Toolbar, unless you want it. You can also Uncheck the 'Automatically check for updates' box.
Click Install then finish to complete installation.


Step # 2 Retrieve the Installed Programs List from CCleaner

Open CCleaner if it's not already running.
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.


Step # 3: Download and Run ComboFix

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Be sure to save ComboFix.exe to your Desktop

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleaning the system:

CCleaner Install List
C:\ComboFix.txt
New HijackThis log.

Use multiple posts if you can't fit everything into one post.

mick-m
2008-08-29, 00:48
Cheers for this mate, will follow instructions and get back to you as soon as possible.

EDIT> Already had CCleaner installed (v.2.10.618) and ran it but kept getting warnings from Nod32?
I had run it before registering on the forum and didn't get the same warnings which are something like:-

Win32/TrojanDownloader.Agent.OED.trojan

Located in:-

C:\Documents and Settings\Computer\Local Settings\Temp\22E8.exe

Analyzed, ran Cleaner and saved the text file from Uninstall despite the interruptions from Nod32 (which is now disabled).

Should I run CCleaner again?

D/loaded Combofix and RecoveryConsole but will wait for further instructions re: CCleaner.

TIA for taking up your time mate.

km2357
2008-08-29, 01:07
No need to run CCleaner for right now, I will be having you run it later on though to help clean out the temp folders/junk on your computer.

For now, go ahead and run ComboFix following the instructions in my last post to you. Then post back the CCleaner Install List, ComboFix and HiJackThis Logs in your next post for me to look over.

mick-m
2008-08-29, 19:38
Things are looking good mate!!
Desktop icons have returned, C drive shows in My Computer and everything appears when I click on Start.

Here's the info you requested:-

Acrobat.com
Ad-Aware
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 9
Adobe® Photoshop® Album Starter Edition 3.0
AirPlus G
ANIO Service
ANIWZCS2 Service
Apple Software Update
BBC iPlayer Download Manager
BKE v2.2
BT Broadband Desktop Help
BT Yahoo! Applications
CCleaner (remove only)
Default
DivX Converter
DivX Player
DivX Web Player
DriverAgent Plugin for Netscape by TouchStone Software
DVD Shrink 3.2
DVD to iPod Converter 4
EVEREST Home Edition v2.20
Free Video to Mp3 Converter version 2.7
GetDiz 3.0
Google Earth Pro
HijackThis 2.0.2
InCD
Infinity USB 1.60
iTunes
J2SE Runtime Environment 5.0 Update 6
Lara Croft Tomb Raider: The Angel Of Darkness
Lexmark X74-X75
Logitech Desktop Messenger
Logitech User's Guide
Macromedia Shockwave Player
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft AutoRoute 2006
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office Professional Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (2.0.0.16)
MSN
Nero 6 Ultra Edition
Nero Digital
NeroVision Express Content
NOD32 antivirus system
Nokia Connectivity Cable Driver
Nokia PC Suite
NVIDIA Drivers
OCD Commander
PC Connectivity Solution
PowerQuest PartitionMagic 8.0
QuickPar 0.9
QuickSFV (Remove only)
QuickTime
RealPlayer
Shockwave
Spybot - Search & Destroy
System Requirements Lab
Tomb Raider III
Tomb Raider: Legend 1.0
USB 2.0 Card Reader
USB97C210 Software
V+ Application
VeohTV BETA
VideoLAN VLC media player 0.8.1
WinAVIVideoConverter
Windows Driver Package - Nokia Modem (03/05/2008 3.7)
Windows Driver Package - Nokia Modem (03/13/2008 6.86.0.1)
Windows Driver Package - Nokia Modem (08/03/2007 3.2)
Windows Driver Package - Nokia Modem (08/03/2007 6.84.0.2)
Windows Driver Package - Nokia Modem (10/12/2007 3.6)
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player Firefox Plugin
WinRAR archiver
XP Codec Pack

ComboFix 08-08-28.04 - Computer 2008-08-29 0:14:28.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1529 [GMT 1:00]
Running from: C:\Documents and Settings\Computer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Computer\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\WINDOWS\system32\cbXRHaaW.dll
C:\WINDOWS\system32\ccixim.dll
C:\WINDOWS\system32\dao350.dll
C:\WINDOWS\system32\drjfzo.dll
C:\WINDOWS\system32\dyildgqp.ini
C:\WINDOWS\system32\ggodvekj.dll
C:\WINDOWS\system32\ghrtqvtr.dll
C:\WINDOWS\system32\IlTELkkj.ini
C:\WINDOWS\system32\IlTELkkj.ini2
C:\WINDOWS\system32\jkkLETlI.dll
C:\WINDOWS\system32\jzpoks.dll
C:\WINDOWS\system32\rcihyoaf.dll
C:\WINDOWS\system32\sfrjtvel.ini

----- BITS: Possible infected sites -----

http://freefile.kristopherw.us
.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-28 )))))))))))))))))))))))))))))))
.

2008-08-28 00:17 . 2008-08-28 00:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-27 23:22 . 2008-08-27 23:22 111,108 --a------ C:\WINDOWS\system32\msxml71.dll
2008-08-27 23:17 . 2008-08-27 23:17 103,552 --a------ C:\WINDOWS\system32\levtjrfs.dll
2008-08-27 17:47 . 2008-08-27 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Documents
2008-08-27 16:34 . 2008-08-27 16:34 189 --a------ C:\WINDOWS\wininit.ini
2008-08-27 15:57 . 2008-08-27 16:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-27 15:57 . 2008-08-28 22:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-12 09:16 . 2008-07-23 17:50 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-08-12 09:16 . 2008-07-23 17:50 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-08-12 09:16 . 2008-07-23 17:50 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-08-10 21:04 . 2008-08-10 21:03 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-08-10 21:04 . 2008-08-10 21:03 299,392 --a------ C:\WINDOWS\system32\imon.dll
2008-08-10 21:04 . 2008-08-10 21:03 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-28 23:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-08-28 21:59 --------- d-----w C:\Documents and Settings\Computer\Application Data\uTorrent
2008-08-27 13:17 --------- d-----w C:\Program Files\ESET
2008-08-16 09:20 --------- d-----w C:\Program Files\BKE v2.2
2008-08-12 08:17 --------- d-----w C:\Program Files\DivX
2008-07-27 19:22 --------- d-----w C:\Program Files\V+ Application
2008-07-27 19:19 1,167,360 ------w C:\WINDOWS\Setup1.exe
2008-07-27 19:18 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-07-27 18:28 --------- d-----w C:\Program Files\Conduit
2008-07-26 20:01 --------- d-----w C:\Program Files\Lavasoft
2008-07-26 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-26 20:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-26 19:58 --------- d-----w C:\Documents and Settings\Computer\Application Data\Lavasoft
2008-07-25 19:15 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-07-25 19:15 --------- d-----w C:\Program Files\Common Files\Nokia
2008-07-25 19:14 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-07-25 19:13 --------- d-----w C:\Program Files\Nokia
2008-07-25 19:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-07-23 16:50 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-07-11 15:51 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-10 09:11 --------- d-----w C:\Documents and Settings\Computer\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-07-09 03:53 --------- d-----w C:\Program Files\NOS
2008-07-09 03:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-07-08 19:37 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-08 19:35 --------- d-----w C:\Program Files\Common Files\Adobe
.

------- Sigcheck -------

2004-08-04 05:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-04 05:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2005-03-02 19:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 16:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 05:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 19:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2007-03-08 16:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll

2004-08-04 05:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-04 05:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2004-08-04 05:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-04 05:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2004-08-04 04:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-04 04:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-04 04:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-04 04:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2005-03-02 01:36 2056832 d8aba3eab509627e707a3b14f00fbb6b C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
2006-12-19 17:12 2059392 ba4b97c00a437c1cc3da365d93ee1e9d C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
2007-02-28 10:15 2059392 4d3dbdccbf97f5ba1e74f322b155c3ba C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
2004-08-04 06:05 2015232 fb142b7007ca2eea76966c6c5cc12150 C:\WINDOWS\$NtUninstallKB890859$\ntkrnlpa.exe
2005-03-02 01:34 2015232 3cd941e472ddf3534e53038535719771 C:\WINDOWS\$NtUninstallKB929338$\ntkrnlpa.exe
2006-12-19 13:55 2015744 bbb2322eb14ad9ad55b1024ffd4d88bf C:\WINDOWS\$NtUninstallKB931784$\ntkrnlpa.exe
2007-02-28 09:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\Driver Cache\i386\ntkrnlpa.exe
2007-02-28 09:38 2015744 a58ac1c6199ef34228abee7fc057ae09 C:\WINDOWS\system32\ntkrnlpa.exe
2007-02-28 09:38 2057600 515d30e2c90a3665a2739309334c9283 C:\WINDOWS\system32\dllcache\ntkrnlpa.exe

2005-03-02 02:04 2179456 28187802b7c368c0d3aef7d4c382aabb C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
2006-12-19 17:51 2182016 cef243f6defd20be4adde26c7ecacb54 C:\WINDOWS\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
2007-02-28 10:55 2182144 5a5c8db4aa962c714c8371fbdf189fc9 C:\WINDOWS\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
2004-08-04 04:18 2148352 626309040459c3915997ef98ec1c8d40 C:\WINDOWS\$NtUninstallKB890859$\ntoskrnl.exe
2005-03-02 01:57 2135552 48b3e89af7074cee0314a3e0c7faffdb C:\WINDOWS\$NtUninstallKB929338$\ntoskrnl.exe
2006-12-19 15:15 2136064 8318ed54797f3e513fd5817a1d4bbd18 C:\WINDOWS\$NtUninstallKB931784$\ntoskrnl.exe
2007-02-28 10:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\Driver Cache\i386\ntoskrnl.exe
2007-02-28 10:08 2136064 1220faf071dea8653ee21de7dcda8bfd C:\WINDOWS\system32\ntoskrnl.exe
2007-02-28 10:10 2180352 582a8dbaa58c3b1f176eb2817daee77c C:\WINDOWS\system32\dllcache\ntoskrnl.exe

2007-06-13 11:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\explorer.exe
2007-06-13 12:26 1033216 7712df0cdde3a5ac89843e61cd5b3658 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2004-08-04 05:56 1032192 a0732187050030ae399b241436565e64 C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2007-06-13 11:23 1033216 97bd6515465659ff8f3b7be375b2ea87 C:\WINDOWS\system32\dllcache\explorer.exe

2004-08-04 05:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe
2004-08-04 05:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\dllcache\services.exe

2004-08-04 05:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe
2004-08-04 05:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\dllcache\lsass.exe

2004-08-04 05:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 05:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe

2005-06-11 01:17 57856 ad3d9d191aea7b5445fe1d82ffbb4788 C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2004-08-04 05:56 57856 7435b108b935e42ea92ca94f59c8e717 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2005-06-11 00:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\system32\spoolsv.exe
2005-06-11 00:53 57856 da81ec57acd4cdc3d4c51cf3d409af9f C:\WINDOWS\system32\dllcache\spoolsv.exe

2004-08-04 05:56 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\system32\userinit.exe
2004-08-04 05:56 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetIcon"="C:\Program Files\SMSC\Seticon.exe" [2003-07-29 18:33 40960]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 04:06 7311360]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-08-10 21:03 950664]
"28ac83c8"="C:\WINDOWS\system32\levtjrfs.dll" [2008-08-27 23:17 103552]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 14:42 77824 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=drjfzo.dll jzpoks.dll ccixim.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
--------- 2007-05-23 12:52 936960 C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
--a------ 2004-07-09 15:07 1249280 C:\Program Files\D-Link\AirPlus G\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2006-03-23 17:06 1398272 C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-03-26 18:41 1232896 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2008-04-16 12:53 1079808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-06-21 12:09 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-08-31 17:11 2478080 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\uTorrent\\utorrent.exe"=
"C:\\Program Files\\Real\\RealPlayer\\trueplay.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Ahead\\Nero MediaHome\\NeroMediaHome.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"40332:TCP"= 40332:TCP:Utorrent
"6572:UDP"= 6572:UDP:Utorrent

R2 MAC_MOT;MAC_MOT;C:\WINDOWS\system32\drivers\MAC_MOT.sys [2003-05-28 04:55]
R2 PAR1284;PAR1284;C:\WINDOWS\system32\drivers\PAR1284.sys [2002-03-20 13:46]
R3 INFUSB;INFUSB;C:\WINDOWS\system32\drivers\infusb.sys [2002-09-30 16:16]
S3 imhidusb;Immersion's HID USB Driver;C:\WINDOWS\system32\drivers\imhidusb.sys []
S3 ZD1201U;ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB);C:\WINDOWS\system32\DRIVERS\zd1201u.sys []
S3 ZDNDIS5;ZDNDIS5 Protocol Driver;C:\WINDOWS\system32\ZDNDIS5.SYS [2002-10-30 12:43]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f33f37d-b5d4-11da-b4e3-00138f6e8db9}]
\Shell\AutoRun\command - F:\AUTORUN\AUTORUN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EDC12331-E47A-B81E-D43B-74C9E78B5193}]
C:\WINDOWS\system32:lpr.exe
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-Microsoft Corp Updates - synet-ud.exe
HKLM-RunServices-Microsoft Corp Updates - synet-ud.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Computer\Application Data\Mozilla\Firefox\Profiles\f9frcf6q.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://news.bbc.co.uk/sport1/hi/football/
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 00:27:45
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\system32\sfrjtvel.ini 1330104 bytes

scan completed successfully
hidden files: 1

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\levtjrfs.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
.
**************************************************************************
.
Completion time: 2008-08-29 0:31:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-28 23:31:29

Pre-Run: 50,869,420,032 bytes free
Post-Run: 50,758,565,888 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

238 --- E O F --- 2008-08-14 21:28:45


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:11, on 29/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\SMSC\Seticon.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [28ac83c8] rundll32.exe "C:\WINDOWS\system32\levtjrfs.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166226399125
O20 - AppInit_DLLs: drjfzo.dll jzpoks.dll ccixim.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 6036 bytes

I've already uninstalled Utorrent and will await further instructions.

km2357
2008-08-29, 20:33
Things are looking good mate !!
Desktop icons have returned, C drive shows in My Computer and everything appears when I click on Start.

That's great. :) Let's continue.


Step # 1 Remove Logitech Desktop Messenger

You appear to have a program on your system called Logitech® Desktop Messenger. This is a background process that can automatically access the Internet without your knowledge or permission. Although it does provide updates for your Logitech products, the fact that it can access the Internet without your consent is potentially dangerous. It does download and update your Logitech products but this can be done manually by visiting the Logitech web site. My advice would be to uninstall this program (Start > Control Panel > Add or Remove Programs) but this is entirely your decision. I suggest doing all updates yourself and removing this application!


Step # 2 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u7 (http://www.java.com/en/download/manual.jsp).
Click on the link to download Windows Offline Installation and save to your desktop. Do NOT use the Sun Download Manager.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Remove the following old versions of Java:


J2SE Runtime Environment 5.0 Update 6


Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.

From your desktop double-click on the download to install the newest version.


Step # 3: Run CFScript


Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:


KILLALL::

File::

C:\WINDOWS\system32\msxml71.dll
C:\WINDOWS\system32\levtjrfs.dll

Folder::

C:\Documents and Settings\Computer\Application Data\uTorrent
C:\Program Files\uTorrent

Registry::

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"28ac83c8"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=""
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\uTorrent\\utorrent.exe"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"40332:TCP"=-
"6572:UDP"=-
[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7f33f37d-b5d4-11da-b4e3-00138f6e8db9}]

RootKit::

C:\WINDOWS\system32\sfrjtvel.ini


Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.




http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif


Note: This CFScript is for use on mick-m's computer only! Do not use it on your computer.


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


In your next post/reply, I need to see the following:

1. The ComboFix Log that appears after Step 3 has been completed.
2. A fresh HiJackThis Log taken after Step 3 has been completed.

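An added triage script, not part of this thread and not km2357's, ComboFix's or HijackThis's code, that applies the same reasoning the fix above is based on to a HijackThis log: the O4 entry [28ac83c8] is an eight-hex-digit value name launching rundll32 on a random-named system32 DLL, the O20 line pushes three more random-named DLLs into every process through AppInit_DLLs, the Acronis O23 entry is only an orphaned service, and the CFScript's RootKit:: target sfrjtvel.ini is levtjrfs.dll spelled backwards. The sample log lines and the system32 listing are constructed from entries in the logs posted above; the name-length thresholds and the "high"/"review" ratings are my own assumptions, and AppInit_DLLs is rated high only when a DLL name looks random, because some legitimate software does set that value.

```python
"""Triage a HijackThis log for the Virtumonde-style persistence seen in this thread."""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample, modelled on entries in the HijackThis log posted above:
# a vendor autorun, the random-hex rundll32 entry, a legitimate rundll32 entry,
# the AppInit_DLLs entry, an orphaned service and a healthy one.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [28ac83c8] rundll32.exe "C:\WINDOWS\system32\levtjrfs.dll",b
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: drjfzo.dll jzpoks.dll ccixim.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Constructed directory listing of system32, using file names that appear in the thread.
SAMPLE_SYSTEM32 = ["levtjrfs.dll", "sfrjtvel.ini", "msxml71.dll", "NvCpl.dll", "ctfmon.exe"]


@dataclass(frozen=True)
class Finding:
    severity: str  # "high" = act on it, "review" = look at it
    line: str
    reason: str


# Thresholds are assumptions drawn from this log: the autorun value "28ac83c8" is
# eight hex digits, and the dropped DLL/INI names are six to eight random lowercase letters.
HEX_VALUE_NAME = re.compile(r"^[0-9a-f]{8}$")
RANDOM_STEM = re.compile(r"^[a-z]{6,8}$")

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<path>[^",]+\.dll)"?', re.IGNORECASE)
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>\S.*)$")


def stem_of(path: str) -> str:
    """Lower-case file name without extension; ntpath handles Windows paths on any host."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()


def check_o4(line: str) -> list:
    """Run-key entries: random hex value names and rundll32 loading random-named DLLs."""
    m = O4_RE.match(line)
    if not m:
        return []
    out = []
    if HEX_VALUE_NAME.match(m["name"]):
        out.append(Finding("high", line, f"autorun value name {m['name']!r} is random hex"))
    r = RUNDLL_RE.search(m["cmd"])
    if r and RANDOM_STEM.match(stem_of(r["path"])):
        out.append(Finding("high", line, f"rundll32 loads random-named DLL {r['path']}"))
    return out


def check_o20(line: str) -> list:
    """AppInit_DLLs loads every listed DLL into each process that maps user32.dll.
    Some legitimate software sets it, so only random-looking names are rated high."""
    m = O20_RE.match(line)
    if not m:
        return []
    return [
        Finding("high" if RANDOM_STEM.match(stem_of(d)) else "review", line,
                f"AppInit_DLLs injects {d} into every user32 process")
        for d in m["dlls"].split()
    ]


def check_o23(line: str) -> list:
    """Services whose binary is gone are orphaned entries worth cleaning, not infections."""
    if line.startswith("O23 - ") and line.endswith("(file missing)"):
        return [Finding("review", line, "service points at a missing binary")]
    return []


def triage(log_text: str) -> list:
    """Run every check over each line of a HijackThis log and collect the findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in (check_o4, check_o20, check_o23):
            findings.extend(check(line))
    return findings


def reversed_name_companions(filenames) -> list:
    """Pair each .dll with an .ini whose stem is the DLL stem spelled backwards,
    the levtjrfs.dll / sfrjtvel.ini pattern the CFScript above targets."""
    by_ext = {}
    for f in filenames:
        stem, ext = ntpath.splitext(ntpath.basename(f))
        by_ext.setdefault(ext.lower(), {})[stem.lower()] = f
    pairs = []
    for stem, dll in by_ext.get(".dll", {}).items():
        ini = by_ext.get(".ini", {}).get(stem[::-1])
        if ini:
            pairs.append((dll, ini))
    return sorted(pairs)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    for dll, ini in reversed_name_companions(SAMPLE_SYSTEM32):
        print(f"[high] {ini} is {dll} reversed: companion file, remove together")
```

Run it as is to see the findings for the constructed sample, or pass the text of a real hijackthis.log to triage() and a listing of system32 to reversed_name_companions(). It is a first-pass filter for the reader, not a substitute for the fix: everything it flags still has to be confirmed by a person before any ComboFix script is written, which is why the CFScript above is marked as for this machine only.
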
mick-m
2008-08-29, 23:06
Logs as requested

ComboFix 08-08-28.04 - Computer 2008-08-29 20:18:45.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1648 [GMT 1:00]
Running from: C:\Documents and Settings\Computer\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Computer\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active


FILE ::
C:\WINDOWS\system32\levtjrfs.dll
C:\WINDOWS\system32\msxml71.dll
.
/wow section - STAGE 45
pv: No matching processes found
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.

/wow section - STAGE 46
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.
The process cannot access the file because it is being used by another process.


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Computer\Application Data\uTorrent
C:\Documents and Settings\Computer\Application Data\uTorrent\(Wifey - Xxx) Wifeysworld Swallow Compilation.avi.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\[DVD_MUSIC_VIDEO] GEORGE_MICHAEL---TWENTY_FIVE_DVD1 by Zaelous_Inquisitor90.ISO.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\0010 - Allie.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\33_private_XXX_Videos_Amateur.rar.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\44_echte_private_piss_Videos_Amateur.rar.1.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\44_echte_private_piss_Videos_Amateur.rar.2.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\44_echte_private_piss_Videos_Amateur.rar.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\50_private_Amateur_Videos_echt.rar.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\63_private_Amateur_Videos_Amateur.rar.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\85_Spanner_Voyeur_Videos_echt.rar.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\A Time To Remember 1976-1980.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Abby Winters - Girls In Love.avi.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\alicia-solo.wmv.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Amy Winehouse Live In London-I Told You I Was Trouble(DVDRIP).torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Amy_Winehouse-Back_To_Black_(Deluxe_Edition)-2CD-2007-UKP.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Anal Fisting And Pissing End Of Violation Of Audrey Hollander.avi.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Anchors Aweigh.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Audrey.Hollander.and.Angelique.Morreau.Fisting.wmv.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Back.To.School.Special.[English].XXX.DVDRip.XviD-[WwW.TorrentesX.CoM].torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Barbra Streisand - Duets [2002][CD+3Vids+Covers].torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Barbra Streisand - Live In Concert 2006.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Barely Legal Innocence 7 XXX [DVDRiP][Teen-Over-18].www.lokotorrents.com.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Barely Legal School Girls 2 XXX DVDRip 2006.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Barely Legal School Girls 2.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Barely.Legal.Straight.To.Anal.[English].XXX.DVDRip.XVID-[WwW.TorrentesX.CoM].avi.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Birth place of dance Vol.1 (the best dance classics) 2007.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Bookworm Bitches - Cytherea - 7 squirting orgasms!.wmv.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Bookworm Bitches.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Cannabis - Cooking With Marijuana - The Gourmet Menu By Chef Hans.avi.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Classic Euphoria cd3 With covers(NiTrO).torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Daniella Rush & Meridian-fist & piss.mpg.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\David Bowie-The Rise And Fall Of Ziggy Stardust And The Spiders From Mars(Darkside_RG).torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\David Bowie - The Rise And Fall Of Ziggy Stardust And The Spiders From Mars - 06-11-07 - Pn Pass.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\david bowie.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\David Icke- Was He Right.divx.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\dht.dat
C:\Documents and Settings\Computer\Application Data\uTorrent\DJ Tiesto - Adagio for Strings Video. live.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\DJ Tiesto - Best and New 2005.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Duffy - Mercy [192kbps][Youtuberip].mp3.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Duffy - Rockferry.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Edinburgh.Military.Tattoo.2008.WS.PDTV.XviD-COUNCiL.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Floorfillers Anthems-3CD-2007 seeded by www.p2p-world.dl.am.rar.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Floorfillers Anthems [2007] ( Zaion RG ).torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Flowers Squirt Shower 4 XXX DVDRip 2006.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\For All Who Hate The Red Scum Manchester City F.C. - Boys in Blue.torrent.mp3.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Frauen_im_Suff_Teil_1_120_min_deutsch.rar.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\GATECRASHER IMMORTAL WITH TRACK NAMES ETC FIXED.rar.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Gilmour_OAI.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Girls Aloud-The Sound Of-Greatest Hits (withcovers) a DHZ.Inc Release.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Great Magic Tricks - Maths.Numbers.zip.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Hacking for Dummies.pdf.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Hacking Wireless Networks for Dummies.pdf.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Harry Potter Audiobooks read by Jim Dale (Chaptered, ready for iPod).torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Hash1s_38_Of_The_Greatest_Hash1_Singles_Of_All_Time.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\How To Do Everything With Your iPod (mcgraw-hill).pdf.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\ImTOO DVD To iPod Converter.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Internal_Explosions_6_Teen_Porn_XXX.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Japanese Teen Great Anal.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Jenaveve Jolie and Sativa Rose - Sweet Cream Pies - by Bomkia.avi.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Johnny Cash - Man In Black (The Very Best Of).torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Justin Timberlake - Future Sex-Love Sounds (2006) - R&B.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Kasabian - Kasabian.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Kirsty MacColl - Tropical Brainstorm (Bonus Tracks) Japan.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Lily Thai - Peter North.avi.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Mamma Mia PFD ENG XviD.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\maria_dea-solo.wmv.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Mark Ronson - Version.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Microsoft Office XP PRO (word, excel, powerpoint, outlook, access, frontpage, Publisher 2003).torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\MILFS Night Out.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Ministry Of Sound - Annual 2008 3CD[EAC-@320 MP3](oan).torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Ministry of Sound Anthems 1991-2008.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Ministry Of Sound The Annual 2008.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Morrissey-Vauxhall And I(Darkside_RG).torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Now Thats What i Call Music 65 A DHZ.Inc Pre release.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Now_Thats_What_I_Call_Music_64-2CD-2006.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Oasis - Stop The Clocks (2006) - Rock [www.torrentazos.com].rar.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Only PCTools -~mininova.org~-.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Paul McKenna - Easy Weight Loss & Quit Smoking Now .rar.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Paul Simon-The Paul Simon Anthology(Darkside_RG).torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Pink Floyd - Animals.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Pirates.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Playing With Cytherea XXX [DVDRIP][Hardcore][www.sexotorrent.com].torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\PrivateSwingerparty_Amateur.rar.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Raymond Briggs, The Snowman & Father Christmas.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Razorlight - Razorlight [2006][CD+Vid+Cov]192Kbps.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Razorlight - Up All Night (Darkside_RG).torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\resume.dat
C:\Documents and Settings\Computer\Application Data\uTorrent\resume.dat.old
C:\Documents and Settings\Computer\Application Data\uTorrent\ROD STEWART-STILL THE SAME GREAT ROCK CLASSICS OF OUR TIME.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Roger Waters.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\rss.dat
C:\Documents and Settings\Computer\Application Data\uTorrent\SapphicErotica.Angelique.&.Catherine.XXX.[SiteRip][GoldenPirates].torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Scissor Sisters - Ta-Dah (2006) - Pop [www.torrentazos.com].rar.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\settings.dat
C:\Documents and Settings\Computer\Application Data\uTorrent\settings.dat.old
C:\Documents and Settings\Computer\Application Data\uTorrent\Sexy.Beast.avi.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Shameless Season 1.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Shameless Season 2.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Shameless Season 3.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Snow.Cake.2006.LiMiTED.DVDRiP.XviD-HLS[www.moviex.info].torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Snow_Patrol-Eyes_Open-2006-FM.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Sophie and Sandy - Christmas Fisting.avi.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Squirting 101 - teaches how to make a girl squirt!.mpg.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\stop smoking forever.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Take That - Beautiful World [2006][CD+SkidVid+Cov].torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Teagan.Sexual.Freak.2.[English].XXX.DVDRip.XviD-[WwW.TorrentesX.CoM].avi.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\TeagansJuices_scene_1.wmv.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Teen - Self ass fist.rar.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Teeny-Päärchen gestohlenes Video erste Sexerfahrungen.rar.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\The Anthems.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\The Art And Science Of Cooking With Cannabis.rar.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\The Best Christmas Album In The World Ever [2CD] [www.pctorrent.com].torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\The Kooks - Inside in, Inside out.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\The Perry Como Christmas Album [Compilation].torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\The Simpsons 2007.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\The Simpsons Movie (2007) [Eng] [DVDrip].torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\The Smiths Best 1.rar.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\The Smiths Best 2.rar.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\The Zutons - Tired Of Hangin' Around A DHZ.Inc release.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\The.Departed.TELECINE.XViD-PUKKA[www.moviex.info].torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\The.Queen.PROPER.DVDSCR.XviD-MoF[www.moviex.info].torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\The.Simpsons.Movie.DVDSCR.DVDR-mVs.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\The_Who-Endless_Wire-2006-MP3.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Tiesto - Elements Of Life (limited Edition).torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Tom Petty & The Heartbreakers-22 cd.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Tom Petty & The Heartbreakers - 2005 - Live in Concert Soundstage (Discs 1&2) XviD.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Total-Privat_Total-Pervers_(Andrea_Dalton).zip.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\totalaudioconveter.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Two_Very Cute_Teens(Hot_Lesbian_Sceenes)_This_time_in_privacy_of_their_rooms_learning_fisting_SY1.wmv.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\utorrent.lng
C:\Documents and Settings\Computer\Application Data\uTorrent\Va_Pop Party 4(withcovers) a DHZ.Inc Release.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\We All Scream For Ass Cream.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\We Were Dead Before the Ship Even Sank.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Who (The) - Quadrophenia (1973) @ 320.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\wifeys world.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Wigan Pier 55.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\WinAVI.Video.Converter.v7.7.Incl.Keymaker-CORE.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Windows 98 Second Edition English.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\World.Trade.Center.2006.TS.Internal.XViD-GRuNTZ[www.moviex.info].torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\World.Trade.Center.2006.TS.XviD.Proper-NoGrp.zip.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\www.hornywhores.net_MILF.Squirters.9.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Xilisoft PSP iPOD CD to MOV MP3 WAV MPEG WMA AVI RM Video Audio Converter Ripper.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Xvision Youtube Video Player Downloader v1.0 - BEAN.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\XXX Amateur Porn - Screaming Moaning Squirting Homemade Anal Sex.rar.torrent
C:\Documents and Settings\Computer\Application Data\uTorrent\Zutons - Tired Of Hanging Around [2006][CD+Vid+Cov].torrent
C:\Program Files\uTorrent
C:\Program Files\uTorrent\4602-utorrent.e353.dmp
C:\WINDOWS\system32\levtjrfs.dll
C:\WINDOWS\system32\msxml71.dll
C:\WINDOWS\system32\sfrjtvel.ini

.
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.

2008-08-29 20:08 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-29 20:07 . 2008-08-29 20:07 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-28 00:17 . 2008-08-28 00:17 <DIR> d-------- C:\Program Files\Trend Micro
2008-08-27 17:47 . 2008-08-27 17:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Documents
2008-08-27 16:34 . 2008-08-27 16:34 189 --a------ C:\WINDOWS\wininit.ini
2008-08-27 15:57 . 2008-08-27 16:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-08-27 15:57 . 2008-08-28 22:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-12 09:16 . 2008-07-23 17:50 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-08-12 09:16 . 2008-07-23 17:50 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-08-12 09:16 . 2008-07-23 17:50 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-08-10 21:04 . 2008-08-10 21:03 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2008-08-10 21:04 . 2008-08-10 21:03 299,392 --a------ C:\WINDOWS\system32\imon.dll
2008-08-10 21:04 . 2008-08-10 21:03 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 19:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-08-29 19:08 --------- d-----w C:\Program Files\Java
2008-08-27 13:17 --------- d-----w C:\Program Files\ESET
2008-08-16 09:20 --------- d-----w C:\Program Files\BKE v2.2
2008-08-12 08:17 --------- d-----w C:\Program Files\DivX
2008-07-27 19:22 --------- d-----w C:\Program Files\V+ Application
2008-07-27 19:19 1,167,360 ------w C:\WINDOWS\Setup1.exe
2008-07-27 19:18 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2008-07-27 18:28 --------- d-----w C:\Program Files\Conduit
2008-07-26 20:01 --------- d-----w C:\Program Files\Lavasoft
2008-07-26 20:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-26 20:00 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-26 19:58 --------- d-----w C:\Documents and Settings\Computer\Application Data\Lavasoft
2008-07-25 19:15 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-07-25 19:15 --------- d-----w C:\Program Files\Common Files\Nokia
2008-07-25 19:14 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-07-25 19:13 --------- d-----w C:\Program Files\Nokia
2008-07-25 19:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-07-23 16:50 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-07-11 15:51 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-07-10 09:11 --------- d-----w C:\Documents and Settings\Computer\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-07-09 03:53 --------- d-----w C:\Program Files\NOS
2008-07-09 03:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\NOS
2008-07-08 19:37 --------- d-----w C:\Program Files\Common Files\Adobe AIR
2008-07-08 19:35 --------- d-----w C:\Program Files\Common Files\Adobe
.

------- Sigcheck -------

2004-08-04 05:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\svchost.exe
2004-08-04 05:56 14336 8f078ae4ed187aaabc0a305146de6716 C:\WINDOWS\system32\dllcache\svchost.exe

2005-03-02 19:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 16:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 05:56 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 19:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2007-03-08 16:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\user32.dll
2007-03-08 16:36 577536 b409909f6e2e8a7067076ed748abf1e7 C:\WINDOWS\system32\dllcache\user32.dll

2004-08-04 05:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\ws2_32.dll
2004-08-04 05:56 82944 2ed0b7f12a60f90092081c50fa0ec2b2 C:\WINDOWS\system32\dllcache\ws2_32.dll

2004-08-04 05:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\winlogon.exe
2004-08-04 05:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\system32\dllcache\winlogon.exe

2004-08-04 04:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\dllcache\ndis.sys
2004-08-04 04:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\system32\drivers\ndis.sys

2004-08-04 04:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\dllcache\ip6fw.sys
2004-08-04 04:00 29056 4448006b6bc60e6c027932cfc38d6855 C:\WINDOWS\system32\drivers\ip6fw.sys

2004-08-04 05:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\services.exe
2004-08-04 05:56 108032 c6ce6eec82f187615d1002bb3bb50ed4 C:\WINDOWS\system32\dllcache\services.exe

2004-08-04 05:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\lsass.exe
2004-08-04 05:56 13312 84885f9b82f4d55c6146ebf6065d75d2 C:\WINDOWS\system32\dllcache\lsass.exe

2004-08-04 05:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\ctfmon.exe
2004-08-04 05:56 15360 24232996a38c0b0cf151c2140ae29fc8 C:\WINDOWS\system32\dllcache\ctfmon.exe

2004-08-04 05:56 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\system32\userinit.exe
2004-08-04 05:56 24576 39b1ffb03c2296323832acbae50d2aff C:\WINDOWS\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((( snapshot@2008-08-29_ 0.30.58.89 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-11-10 11:27:06 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 00:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2005-11-10 11:27:16 49,250 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 00:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2005-11-10 13:03:54 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 01:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetIcon"="C:\Program Files\SMSC\Seticon.exe" [2003-07-29 18:33 40960]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-12-10 04:06 7311360]
"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2008-08-10 21:03 950664]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 14:42 77824 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-04 05:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= ffdshow.ax

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2008-06-12 02:38 34672 C:\Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\btbb_McciTrayApp]
--------- 2007-05-23 12:52 936960 C:\Program Files\BT Broadband Desktop Help\bin\BTHelpNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\D-Link AirPlus G]
--a------ 2004-07-09 15:07 1249280 C:\Program Files\D-Link\AirPlus G\AirGCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
--------- 2006-03-23 17:06 1398272 C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Nokia.PCSync]
--a------ 2008-03-26 18:41 1232896 C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2008-04-16 12:53 1079808 C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-05-27 10:50 413696 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-06-21 12:09 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2005-08-31 17:11 2478080 C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YBrowser]
--a------ 2006-07-21 16:19 129536 C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\Real\\RealPlayer\\trueplay.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Ahead\\Nero MediaHome\\NeroMediaHome.exe"=
"C:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=

R2 MAC_MOT;MAC_MOT;C:\WINDOWS\system32\drivers\MAC_MOT.sys [2003-05-28 04:55]
R2 PAR1284;PAR1284;C:\WINDOWS\system32\drivers\PAR1284.sys [2002-03-20 13:46]
R3 INFUSB;INFUSB;C:\WINDOWS\system32\drivers\infusb.sys [2002-09-30 16:16]
S3 imhidusb;Immersion's HID USB Driver;C:\WINDOWS\system32\drivers\imhidusb.sys []
S3 ZD1201U;ZyDAS ZD1201 IEEE 802.11b Wireless LAN Driver (USB);C:\WINDOWS\system32\DRIVERS\zd1201u.sys []
S3 ZDNDIS5;ZDNDIS5 Protocol Driver;C:\WINDOWS\system32\ZDNDIS5.SYS [2002-10-30 12:43]

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EDC12331-E47A-B81E-D43B-74C9E78B5193}]
C:\WINDOWS\system32:lpr.exe
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 21:41:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\ESET\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\update\update.exe
C:\WINDOWS\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-08-29 21:47:01 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-29 20:46:54
ComboFix2.txt 2008-08-28 23:31:35

Pre-Run: 50,466,332,672 bytes free
Post-Run: 50,446,217,216 bytes free

341 --- E O F --- 2008-08-14 21:28:45


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:54, on 29/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\SMSC\Seticon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\385cb67dda0ffd4dea8c0d990dc65796\update\update.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166226399125
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 6130 bytes
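The helper reads logs like the two above by eye: the R1 search entries pointing at a non-default host, the service whose binary is "(file missing)", and the Active Setup loading point in the ComboFix section that launches C:\WINDOWS\system32:lpr.exe, a path with a second colon, meaning an NTFS alternate data stream hung off the system32 folder. The following Python script is an added example for this thread, not code from the thread, from HijackThis or from ComboFix; it applies those same checks to a constructed sample built from the lines posted above. The allowlist of expected search hosts (Microsoft's fwlink redirector only) is an assumption made for the example.

```python
"""Triage helper for HijackThis-style and ComboFix autostart listings.

Added example, not code from this thread or from the HijackThis/ComboFix
projects.  SAMPLE_LOG is constructed from the logs posted in the thread
so the script runs offline.
"""
import re
from urllib.parse import urlparse

# Assumption for this example: Microsoft's default fwlink URLs are expected,
# anything else in an IE start/search setting is reported for review.
EXPECTED_SEARCH_HOSTS = {"go.microsoft.com"}

# A second ':' after the drive letter means the target is an NTFS alternate
# data stream, e.g. C:\WINDOWS\system32:lpr.exe (a stream attached to the
# system32 folder), a classic place for an autostart payload to hide.
ADS_PATH = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")

R_LINE = re.compile(r"^(R[01]) - (.+?) = (\S+)$")
O4_LINE = re.compile(r"^O4 - (.+?): \[(.+?)\] (.+)$")
O23_LINE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")

# Constructed sample: a handful of lines taken from the logs above.
SAMPLE_LOG = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/su/*http://uk.search.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{EDC12331-E47A-B81E-D43B-74C9E78B5193}]
C:\WINDOWS\system32:lpr.exe
""".splitlines()


def first_path(command):
    """Executable part of an autorun command, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def triage(lines):
    """Return (severity, reason, line) for entries that deserve a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue

        m = R_LINE.match(line)
        if m:
            value = m.group(3)
            if value.lower().startswith("http"):
                host = urlparse(value).hostname or ""
                if host not in EXPECTED_SEARCH_HOSTS:
                    findings.append(("medium", f"IE start/search setting points at {host}", line))
            continue

        m = O4_LINE.match(line)
        if m:
            target = first_path(m.group(3))
            if ADS_PATH.match(target):
                findings.append(("high", "autorun target is an alternate data stream", line))
            elif "\\" not in target:
                # A bare name is resolved through the search path at logon;
                # the ComboFix listing shows where it actually resolved.
                findings.append(("low", "autorun uses a bare filename resolved via search path", line))
            continue

        m = O23_LINE.match(line)
        if m:
            if m.group(3).endswith("(file missing)"):
                findings.append(("low", "service binary missing (orphaned entry)", line))
            continue

        # ComboFix prints the bare launch target on the line under each
        # registry key, so check those lines for stream paths as well.
        if ADS_PATH.match(line):
            findings.append(("high", "registry loading point targets an alternate data stream", line))
    return findings


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_LOG):
        print(f"[{severity:<6}] {reason}\n         {line}")
```

Run against the sample it reports the two yahoo search entries, the bare SOUNDMAN.EXE autorun, the orphaned Acronis service and the lpr.exe stream; the Microsoft default URL, the fully qualified nod32kui entry and the NOD32 service pass. A low finding is a prompt to look, not a verdict: the orphaned service and the bare filename are both harmless on this machine.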

km2357
2008-08-30, 09:26
Step # 1 Run CCleaner

CCleaner will remove everything from the temp/temporary folders but please note that it will not make back ups!


Before first use, select Options > Advanced and UNCHECK Only delete files in Windows Temp folder older than 48 hours
Then select the items you wish to clean up.

In the Windows Tab:

Clean all entries in the Internet Explorer section except Cookies
Clean all the entries in the Windows Explorer section
Clean all entries in the System section
Clean all entries in the Advanced section
Clean any others that you choose

In the Applications Tab:

Clean all except cookies in the Firefox/Mozilla section if you use it
Clean all in the Opera section if you use it
Clean Sun Java in the Internet Section
Clean any others that you choose

Click the Run Cleaner button.
A pop up box will appear advising this process will permanently delete files from your system.
Click OK and it will scan and clean your system.
Click exit when done.
If it asks you to reboot at the end, click NO


Step # 2: Remove Hijackthis Entries


Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):


R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.clientapps.yahoo.com/c...rch.yahoo.com/


Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.


Step # 3 Download and Run Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Before running a scan, click the Update tab, next click Check for Updates to download any updates, if available.
Next click the Scanner tab and select Perform Quick Scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location.
You can also access the log by doing the following:

Click on the Malwarebytes' Anti-Malware icon to launch the program.
Click on the Logs tab.
Click on the log at the bottom of those listed to highlight it.
Click Open.


In your next post/reply, I need to see the following:

1. MalwareBytes' Log
2. A fresh HiJackThis Log

mick-m
2008-08-30, 20:37
Logs as requested.

Malwarebytes' Anti-Malware 1.25
Database version: 1098
Windows 5.1.2600 Service Pack 2

19:24:00 30/08/2008
mbam-log-08-30-2008 (19-24-00).txt

Scan type: Quick Scan
Objects scanned: 44247
Time elapsed: 13 minute(s), 2 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\xml.xml.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qalkfxor.bgrm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qalkfxor.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:25, on 30/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\SMSC\Seticon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166226399125
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 5632 bytes

km2357
2008-08-30, 20:55
Step # 1: Run Kaspersky Online Scan

Please go to the Kaspersky website (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) and perform an online antivirus scan.

Read through the requirements and privacy statement and click on Accept button.
It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
When the downloads have finished, click on Settings.
Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
Spyware, Adware, Dialers, and other potentially dangerous programs
Archives
Mail databases
Click on My Computer under Scan.
Once the scan is complete, it will display the results. Click on View Scan Report.
You will see a list of infected items there. Click on Save Report As....
Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
Please post this log in your next reply.


In your next post/response, I need to see the following:

1. Kaspersky Log
2. A fresh HiJackThis Log
3. How is your computer doing, any problems?

mick-m
2008-08-31, 06:12
Hiya mate, my PC is running fine.

Here are the logs requested

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 31, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Saturday, August 30, 2008 21:31:36
Records in database: 1170941
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 48582
Threat name: 12
Infected objects: 19
Suspicious objects: 0
Duration of the scan: 03:57:21


File name / Threat name / Threats count
C:\Documents and Settings\Computer\My Documents\Downloads\uTorrent-1.6-install.exe Infected: Trojan-Downloader.Win32.Banload.utn 1
C:\Program Files\BT Broadband Desktop Help\vendors\btbb\wwwcache\wt\deviceview\private\content\driven_dev\upgrade\McciContextUpgrade.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 1
C:\Program Files\ESET\cache\FND1.NFI Infected: Trojan.Win32.Monder.iyk 1
C:\Program Files\ESET\infected\2JWIZ2BA.NQF Infected: Trojan.Win32.Monder.iyk 1
C:\Program Files\ESET\infected\TGBMLTBA.NQF Infected: Trojan-Downloader.Win32.Agent.adlz 1
C:\Program Files\ESET\infected\TGBMLTBA.NQF Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.bd 1
C:\Program Files\ESET\infected\TGBMLTBA.NQF Infected: not-a-virus:FraudTool.Win32.Agent.bk 1
C:\Program Files\ESET\infected\TGBMLTBA.NQF Infected: not-a-virus:FraudTool.Win32.Agent.bi 1
C:\Program Files\ESET\infected\TGBMLTBA.NQF Infected: Trojan.Win32.Agent.abct 1
C:\Program Files\ESET\infected\TGBMLTBA.NQF Infected: Trojan.Win32.Agent.abcs 1
C:\Program Files\ESET\infected\TGBMLTBA.NQF Infected: not-a-virus:FraudTool.Win32.MSAntivirus.p 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ccixim.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.dbd 1
C:\QooBox\Quarantine\C\WINDOWS\system32\drjfzo.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.daq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ggodvekj.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.daq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\ghrtqvtr.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.dbd 1
C:\QooBox\Quarantine\C\WINDOWS\system32\jzpoks.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.daq 1
C:\QooBox\Quarantine\C\WINDOWS\system32\rcihyoaf.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.daq 1
C:\WINDOWS\Motive\btbb\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 1
C:\WINDOWS\Motive\btbb\UninstallHelper.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101 1

The selected area was scanned.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 05:04, on 31/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\SMSC\Seticon.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - Cmdmapping - (no file) (HKCU)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1166226399125
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Unknown owner - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 5711 bytes

km2357
2008-08-31, 08:56
Using Windows Explorer, delete the following file, if found:

C:\Documents and Settings\Computer\My Documents\Downloads\uTorrent-1.6-install.exe

Delete the contents of the following folders, do not delete the folders themselves:

C:\Program Files\ESET\cache
C:\Program Files\ESET\infected

Empty your Recycle Bin.

Let me know how everything went.

mick-m
2008-08-31, 20:17
uTorrent 1.6.exe - Deleted.

Eset Infected - All files deleted.

Eset Cache - FND1.NFI deleted, CACHE.NDB & FND0.NFI cannot be deleted because they are being used by another person or program etc.

I quit Nod 32 but the 2 files will still not delete, same message occurs.

There is also Cache(2) which also contains CACHE.NDB which I left alone for now.

Emptied Recycle Bin.

km2357
2008-08-31, 23:22
Eset Cache - FND1.NFI deleted, CACHE.NDB & FND0.NFI cannot be deleted because they are being used by another person or program etc.

Don't worry about those other two, FND1.NFI was the only infected item in the cache and it was successfully deleted.


Your latest HJT log looks clean and you report no more problems, so you are now good to go. :)


Remove ComboFix, by doing the following:

Go to Start > Run - type in ComboFix /u & click OK

Delete CFScript.txt from your Desktop.

Please take the time to read my All Clean Post.

Please follow these simple steps in order to keep your computer clean and secure:

This is a good time to clear your existing system restore points and establish a new clean restore point

Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and Ok it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.

Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.


Make your Internet Explorer more secure
This can be done by following these simple instructions: From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it asks you if you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Set correct settings for files that should be hidden in Windows XP
Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
If unchecked please check Hide protected operating system files (Recommended)
If necessary check "Display content of system folders"
If necessary Uncheck Hide file extensions for known file types.
Click OK

Use Antivirus Software and Keep It Updated - It is very important that your computer has antivirus software running on it. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
Visit Microsoft's Update Site Frequently - It is important that you visit Microsoft Updates (http://update.microsoft.com/) regularly. This will ensure your computer has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
Computer Safety on line Anti Malware (http://forum.malwareremoval.com/viewtopic.php?p=54#54)
Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the MVPS hosts file (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE (http://www.bleepingcomputer.com/forums/tutorial51.html). If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button on the task bar at the bottom of your screen.
Click Run. In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.
Use an alternative instant messenger program: Trillian (http://www.trillian.cc/) and Miranda IM (http://www.miranda-im.com/). These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
Please read Tony Klein's excellent article: How I got Infected in the First Place (http://forums.subratam.org/index.php?showtopic=5931)
Please read Understanding Spyware, Browser Hijackers, and Dialers (http://www.bleepingcomputer.com/forums/tutorial41.html)
Please read Simple and easy ways to keep your computer safe and secure on the Internet (http://www.bleepingcomputer.com/tutorials/tutorial82.html)
If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox (http://www.mozilla.org/products/firefox) or
Opera (http://www.opera.com/download/).
If you decide to use either Firefox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back (http://spyware-free.us/2006/01/time-to-fight-back.html). Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miekiemoes/prevention.html

Good luck!


Please reply one last time so that I know you have read my post and this thread can be closed.
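As an added example that is not part of the original thread: a read-only PowerShell audit of the Internet Explorer zone, Explorer view and DNS Client settings recommended in the post above. It assumes the documented registry locations for the Internet-zone values (Microsoft KB182569) and Explorer's view options; the hosts-file size threshold used to decide whether DNS Client should be Manual is an arbitrary assumption.

```powershell
# Added audit example, not code from the original thread. Read-only: it reports
# whether the recommended settings are in place and changes nothing.
# Internet-zone value IDs are those documented in MS KB182569.
# Value data for zone settings: 0 = Enable, 1 = Prompt, 3 = Disable.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # Zone 3 = Internet
$zoneChecks = @(
    @{ Id='1001'; Want=1; Name='Download signed ActiveX controls (Prompt)' },
    @{ Id='1004'; Want=3; Name='Download unsigned ActiveX controls (Disable)' },
    @{ Id='1201'; Want=3; Name='Initialize and script ActiveX controls not marked as safe (Disable)' },
    @{ Id='1800'; Want=1; Name='Installation of desktop items (Prompt)' },
    @{ Id='1804'; Want=1; Name='Launching programs and files in an IFRAME (Prompt)' },
    @{ Id='1607'; Want=1; Name='Navigate sub-frames across different domains (Prompt)' }
)
# Explorer view options. Hidden: 2 = do not show hidden files; ShowSuperHidden: 0 = hide
# protected OS files; HideFileExt: 0 = show extensions (the post says to uncheck "Hide").
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$explorerChecks = @(
    @{ Id='Hidden';          Want=2; Name='Do not show hidden files and folders' },
    @{ Id='ShowSuperHidden'; Want=0; Name='Hide protected operating system files' },
    @{ Id='HideFileExt';     Want=0; Name='Show file extensions for known file types' }
)

function Test-RegistrySetting([string]$Key, [hashtable]$Check) {
    # A missing value is reported as NEEDS CHANGE rather than assumed to be safe.
    $item   = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    $actual = if ($item -and $item.PSObject.Properties[$Check.Id]) { [int]$item.($Check.Id) } else { $null }
    New-Object PSObject -Property @{
        Setting = $Check.Name; Expected = $Check.Want; Actual = $actual
        Status  = if ($actual -eq $Check.Want) { 'OK' } else { 'NEEDS CHANGE' }
    }
}

$results = @()
foreach ($c in $zoneChecks)     { $results += Test-RegistrySetting $zoneKey $c }
foreach ($c in $explorerChecks) { $results += Test-RegistrySetting $advKey  $c }

# DNS Client: the post sets it to Manual only when the large MVPS hosts file is installed.
# The 100-line threshold used to guess "large" is an assumption made for this example.
$hostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsLines = @(Get-Content $hostsPath -ErrorAction SilentlyContinue).Count
$dns        = Get-WmiObject Win32_Service -Filter "Name='Dnscache'"   # StartMode: Auto / Manual / Disabled
$wantDns    = if ($hostsLines -gt 100) { 'Manual' } else { 'Auto' }
$results += New-Object PSObject -Property @{
    Setting  = "DNS Client start mode (hosts file has $hostsLines lines)"
    Expected = $wantDns
    Actual   = if ($dns) { $dns.StartMode } else { 'not found' }
    Status   = if ($dns -and $dns.StartMode -eq $wantDns) { 'OK' } else { 'NEEDS CHANGE' }
}
$results | Select-Object Setting, Expected, Actual, Status | Format-Table -AutoSize
```

Run it as the user whose Internet Explorer profile you want to check, since the zone and view settings live under HKCU.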

mick-m
2008-09-02, 17:44
Hiya mate, sorry for the delay in replying.
Thanks a million for your help, I owe you a great many beers.
I'll certainly take the time to go through all the links in your post.

Many thanks once again.

Best of luck to you and yours.

km2357
2008-09-02, 21:54
You're welcome. I'm glad I was able to help out.