PDA

View Full Version : Craig



craigcampbell66
2008-10-12, 04:05
Need help with "I think" virtumonde problem. IE7 and Firefox keep crashing. When MSN messenger is open I cannot click through to my mail...nothing happens although all other functions on the window appear to work. I keep getting an "error reading virtumonde" message when running spybot. I have tried to run the online livecare scan but it crashes every time. I downloaded a trial version of Kapersky..crashed too. I have tried vundofix, virtumonde begone, etc although they all come up clean. I also run adaware and avira antivir with updates daily but the problem persists. appreciate any advice.

Blade81
2008-10-12, 15:14
Hi

Looks like you missed
BEFORE you POST
(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288) -sticky ;)

Download and install TrendMicro HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe)
* Once installed open HijackThis by clicking Start > Programs > HijackThis and click the button labeled
Do a system scan only

* Click the scan button in the lower left hand corner of the interface and HijackThis will quickly scan your system.
* Once the scan is complete the scan button will now read save log. Click this button to save the log file to your PC. Once you select where you would like to save the file it will open in your systems default text editor. Typically this application is Notepad. Post the log here.

craigcampbell66
2008-10-13, 07:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:59:09 PM, on 13/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104w.bay104.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12B5145F-FED9-427F-866D-968073D6482E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C0EB618-CB11-4E75-A7CE-6F3F2D7B241B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A840EA9-B62B-4355-9098-CA0F53B5A782}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{12B5145F-FED9-427F-866D-968073D6482E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{12B5145F-FED9-427F-866D-968073D6482E}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: My Web Search Service (MyWebSearchService) - Unknown owner - C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwssvc.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 10979 bytes

Blade81
2008-10-13, 08:24
Hi

Download random's system information tool (RSIT) by random/random from here (http://images.malwareremoval.com/random/RSIT.exe) and save it to your desktop.
Double click on RSIT.exe to run RSIT.
Click Continue at the disclaimer screen.
Once it has finished, two logs will open. Please post the contents of both log.txt (<<will be maximized) and info.txt (<<will be minimized)

craigcampbell66
2008-10-13, 15:17
I tried to run rsit but it only gets to about 25% and then a separate window pops up with the message.

Autolt error
line-1
Error: Error parsing function call.

I click the Ok button and both windows (the rsit tool) close.

Blade81
2008-10-13, 17:08
Hi

Let's use another tool.

Please visit this webpage for download links, and instructions for running ComboFix tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:


Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix, link (http://www.bleepingcomputer.com/forums/topic114351.html)
Remember to re-enable them afterwards.


Click Yes to allow ComboFix to continue scanning for malware.


When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix. This tool is not a toy and not for everyday use.

craigcampbell66
2008-10-14, 04:04
ComboFix 08-10-12.01 - Craig 2008-10-14 10:48:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1604 [GMT 10:00]
Running from: C:\Documents and Settings\Craig\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Craig\Application Data\FunWebProducts
C:\Documents and Settings\Craig\Application Data\FunWebProducts\Data\Craig\avatar.dat
C:\Documents and Settings\Craig\Application Data\FunWebProducts\Data\Craig\outfit.dat
C:\Documents and Settings\Craig\Application Data\FunWebProducts\Data\Craig\zbucks.dat
C:\Documents and Settings\Craig\Application Data\inst.exe
C:\Program Files\FunWebProducts
C:\Program Files\FunWebProducts\Shared\Cache\CursorManiaBtn.html
C:\Program Files\FunWebProducts\Shared\Cache\SmileyCentralBtn.html
C:\Program Files\internet explorer\msimg32.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\avatar.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfadel.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\bgfader.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common-x.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\common.css
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbl.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\cornerbr.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\ext_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\include.js
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\index.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loader.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\loading.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\logo.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\max_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\min_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\noflash.htm
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_def.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\res_roll.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\spacer.swf
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\topgrad.gif
C:\Program Files\MyWebSearch\bar\Avatar\COMMON\window.ico
C:\WINDOWS\system32\f3PSSavr.scr
C:\WINDOWS\system32\uninstall.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_MYWEBSEARCHSERVICE
-------\Service_MyWebSearchService


((((((((((((((((((((((((( Files Created from 2008-09-14 to 2008-10-14 )))))))))))))))))))))))))))))))
.

2008-10-13 22:12 . 2008-10-13 22:12 <DIR> d-------- C:\rsit
2008-10-12 11:38 . 2008-10-12 11:39 <DIR> d-------- C:\Program Files\XoftSpySE
2008-10-11 21:28 . 2008-10-12 00:43 <DIR> d-------- C:\Documents and Settings\Craig\.housecall6.6
2008-10-11 21:28 . 2008-10-11 21:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-10 20:12 . 2008-10-10 20:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-10 11:30 . 2008-10-10 11:30 189 --a------ C:\WINDOWS\wininit.ini
2008-10-08 12:00 . 2008-10-08 12:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-08 12:00 . 2008-10-12 11:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-08 11:48 . 2008-10-08 11:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-08 11:39 . 2008-10-08 11:39 <DIR> d-------- C:\Program Files\Avira
2008-10-08 11:27 . 2008-10-08 11:27 <DIR> d-------- C:\Program Files\CCleaner
2008-10-07 20:28 . 2001-08-17 12:12 70,730 --a--c--- C:\WINDOWS\system32\dllcache\lne100tx.sys
2008-10-07 20:28 . 2001-08-17 12:11 25,065 --a--c--- C:\WINDOWS\system32\dllcache\lmndis3.sys
2008-10-07 20:28 . 2001-08-17 12:12 20,573 --a--c--- C:\WINDOWS\system32\dllcache\lne100.sys
2008-10-07 20:28 . 2001-08-17 13:53 4,992 --a--c--- C:\WINDOWS\system32\dllcache\loop.sys
2008-10-07 20:26 . 2001-08-17 22:36 372,824 --a--c--- C:\WINDOWS\system32\dllcache\iconf32.dll
2008-10-07 20:25 . 2008-04-14 10:11 702,845 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2008-10-07 20:24 . 2001-08-17 13:28 907,456 --a--c--- C:\WINDOWS\system32\dllcache\hcf_msft.sys
2008-10-07 20:23 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-10-07 20:21 . 2001-08-17 13:28 347,550 --a--c--- C:\WINDOWS\system32\dllcache\es56tpi.sys
2008-10-07 20:20 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-10-07 20:19 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-10-07 20:18 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-10-07 20:17 . 2001-08-17 13:28 714,698 --a--c--- C:\WINDOWS\system32\dllcache\cbmdmkxx.sys
2008-10-07 20:16 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-10-07 20:15 . 2001-08-17 14:55 382,592 --a--c--- C:\WINDOWS\system32\dllcache\atidrab.dll
2008-10-07 20:15 . 2001-08-17 14:56 268,160 --a--c--- C:\WINDOWS\system32\dllcache\atidvai.dll
2008-10-07 20:15 . 2001-08-17 14:56 137,216 --a--c--- C:\WINDOWS\system32\dllcache\atidrae.dll
2008-10-07 20:15 . 2001-08-17 12:12 97,354 --a--c--- C:\WINDOWS\system32\dllcache\aspndis3.sys
2008-10-07 20:15 . 2001-08-17 14:55 96,128 --a--c--- C:\WINDOWS\system32\dllcache\ati.dll
2008-10-07 20:15 . 2001-08-17 13:57 77,568 --a--c--- C:\WINDOWS\system32\dllcache\ati.sys
2008-10-07 20:15 . 2001-08-17 12:49 46,464 --a--c--- C:\WINDOWS\system32\dllcache\atibt829.sys
2008-10-07 20:15 . 2001-08-17 13:52 26,496 --a--c--- C:\WINDOWS\system32\dllcache\asc.sys
2008-10-07 20:15 . 2001-08-17 13:52 22,400 --a--c--- C:\WINDOWS\system32\dllcache\asc3350p.sys
2008-10-07 20:15 . 2001-08-17 13:51 14,848 --a--c--- C:\WINDOWS\system32\dllcache\asc3550.sys
2008-10-07 19:28 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-10-07 19:27 . 2008-04-14 05:27 2,188,928 --a--c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-07 19:27 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-10-07 14:09 . 2008-10-07 14:09 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-10-07 14:09 . 2008-10-08 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-10-07 14:01 . 2008-10-07 14:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-09-30 12:58 . 2008-10-07 14:05 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-30 11:04 . 2008-09-30 11:04 <DIR> d-------- C:\VundoFix Backups
2008-09-19 21:54 . 2008-10-05 12:34 <DIR> d-------- C:\Documents and Settings\Craig\Application Data\OpenOffice.org2
2008-09-19 21:49 . 2008-09-19 21:50 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-13 00:31 --------- d-----w C:\Documents and Settings\Craig\Application Data\Skype
2008-10-12 05:30 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-10-12 00:55 --------- d-----w C:\Documents and Settings\Craig\Application Data\uTorrent
2008-10-12 00:53 --------- d-----w C:\Program Files\LimeWire
2008-10-08 01:49 --------- d-----w C:\Program Files\Lavasoft
2008-10-08 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-10-02 22:22 --------- d-----w C:\Documents and Settings\Craig\Application Data\SPORE Creature Creator
2008-09-25 23:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-09-19 11:49 --------- d-----w C:\Program Files\Java
2008-09-19 00:57 --------- d-----w C:\Documents and Settings\Craig\Application Data\Canon
2008-09-02 07:35 --------- d--h--r C:\Documents and Settings\Craig\Application Data\SecuROM
2008-09-02 07:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-02 07:34 --------- d-----w C:\Program Files\Electronic Arts
2008-08-26 03:53 --------- d-----w C:\Program Files\Common Files\Adobe
2008-08-26 00:10 --------- d-----w C:\Program Files\MSECache
2008-04-17 03:56 47,360 ----a-w C:\Documents and Settings\Craig\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 106496]
"SiSRaid"="C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" [2004-12-22 892928]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-10-13 707376]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 3739648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 271672]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2008-03-01 826880]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"SoundMan"="SOUNDMAN.EXE" [2004-12-01 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-24 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-08-08 110592]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Craig^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\Canon\\DV Messenger\\DV Messenger.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2006-10-13 207664]
S2 ZPMODEMSYSNTDRVNT;ZPMODEMSYSNTDRVNT;C:\WINDOWS\system32\drivers\zpmodemnt.sys [2005-12-11 1792]
S3 ACCSKMD;Canon Camera Storage Device;C:\WINDOWS\system32\DRIVERS\accskmd.sys [2003-05-13 32640]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys [ ]
.
Contents of the 'Scheduled Tasks' folder

2008-10-06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-10-14 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-10-14 C:\WINDOWS\Tasks\XoftSpySE 2.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-10-09 00:19]

2008-10-12 C:\WINDOWS\Tasks\XoftSpySE.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-10-09 00:19]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Craig\Application Data\Mozilla\Firefox\Profiles\nuvlp809.default\
FF -: plugin - C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-14 10:54:38
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-10-14 11:00:39 - machine was rebooted [Craig]
ComboFix-quarantined-files.txt 2008-10-14 01:00:34

Pre-Run: 37,845,708,800 bytes free
Post-Run: 37,884,981,248 bytes free

222 --- E O F --- 2008-10-13 12:48:00


Here is the log after running combofix. Was there evidence of the virtumonde virus or other in the previous log. Just curious as to what has been playing havoc with my pc.

appreciate the help,
Craig

craigcampbell66
2008-10-14, 05:38
Just tried to run a scan with spybot S&D. Got to the stage where it was scanning for virtumonde and the pc crashed/powered off.

Blade81
2008-10-14, 07:58
Hi


IMPORTANT I notice there are signs of one or more P2P (Peer to Peer) File Sharing Programs on your computer.

µTorrent
LimeWire


I'd like you to read the this thread (http://forums.spybot.info/showthread.php?t=282).

Please go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

Delete these folders afterwards:

C:\Documents and Settings\Craig\Application Data\uTorrent
C:\Program Files\LimeWire

and files:
C:\StubInstaller.exe

Empty Recycle Bin.

After that:


Uninstall old Adobe Reader and get the latest one here (http://www.filehippo.com/download_adobe_reader/) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm).


Open notepad and copy/paste the text in the quotebox below into it:



File::
C:\StubInstaller.exe

Folder::
C:\VundoFix Backups
C:\Documents and Settings\Craig\Application Data\uTorrent
C:\Program Files\LimeWire

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\StubInstaller.exe"=-



Save this as
CFScript

A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log.


Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.


Download ATF (Atribune Temp File) Cleanerİ by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.


Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).


Post back its report, a fresh hjt log and above mentioned ComboFix resultant log.

craigcampbell66
2008-10-15, 04:08
tried to run the Kapersky online scan twice. It gets about 2% in and then the browser window crashes. (Firefox) I have posted the combofix log and the HJT log and I will attempt to run the Kapersky online scan through IE7.

ComboFix 08-10-14.07 - Craig 2008-10-15 9:33:35.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1495 [GMT 10:00]
Running from: C:\Documents and Settings\Craig\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Craig\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\StubInstaller.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Craig\Application Data\uTorrent
C:\Documents and Settings\Craig\Application Data\uTorrent\Believe.avi.torrent
C:\Documents and Settings\Craig\Application Data\uTorrent\dht.dat
C:\Documents and Settings\Craig\Application Data\uTorrent\dht.dat.old
C:\Documents and Settings\Craig\Application Data\uTorrent\resume.dat
C:\Documents and Settings\Craig\Application Data\uTorrent\resume.dat.old
C:\Documents and Settings\Craig\Application Data\uTorrent\rss.dat
C:\Documents and Settings\Craig\Application Data\uTorrent\rss.dat.old
C:\Documents and Settings\Craig\Application Data\uTorrent\settings.dat
C:\Documents and Settings\Craig\Application Data\uTorrent\settings.dat.old
C:\Program Files\LimeWire
C:\Program Files\LimeWire\chad kroeger into the night.m3u
C:\Program Files\LimeWire\fleetwood mac landslide.m3u
C:\Program Files\LimeWire\limewire.m3u
C:\StubInstaller.exe
C:\VundoFix Backups

.
((((((((((((((((((((((((( Files Created from 2008-09-14 to 2008-10-14 )))))))))))))))))))))))))))))))
.

2008-10-15 09:15 . 2008-10-15 09:15 <DIR> d-------- C:\Documents and Settings\Craig\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2008-10-15 09:12 . 2008-10-15 09:12 <DIR> d-------- C:\Program Files\Common Files\Adobe AIR
2008-10-13 22:12 . 2008-10-13 22:12 <DIR> d-------- C:\rsit
2008-10-12 11:38 . 2008-10-12 11:39 <DIR> d-------- C:\Program Files\XoftSpySE
2008-10-11 21:28 . 2008-10-12 00:43 <DIR> d-------- C:\Documents and Settings\Craig\.housecall6.6
2008-10-11 21:28 . 2008-10-11 21:28 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-10-10 20:12 . 2008-10-10 20:12 <DIR> d-------- C:\Program Files\Trend Micro
2008-10-10 11:30 . 2008-10-10 11:30 189 --a------ C:\WINDOWS\wininit.ini
2008-10-08 12:00 . 2008-10-08 12:02 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-10-08 12:00 . 2008-10-12 11:47 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-08 11:48 . 2008-10-08 11:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-10-08 11:39 . 2008-10-08 11:39 <DIR> d-------- C:\Program Files\Avira
2008-10-08 11:27 . 2008-10-08 11:27 <DIR> d-------- C:\Program Files\CCleaner
2008-10-07 20:28 . 2001-08-17 12:12 70,730 --a--c--- C:\WINDOWS\system32\dllcache\lne100tx.sys
2008-10-07 20:28 . 2001-08-17 12:11 25,065 --a--c--- C:\WINDOWS\system32\dllcache\lmndis3.sys
2008-10-07 20:28 . 2001-08-17 12:12 20,573 --a--c--- C:\WINDOWS\system32\dllcache\lne100.sys
2008-10-07 20:28 . 2001-08-17 13:53 4,992 --a--c--- C:\WINDOWS\system32\dllcache\loop.sys
2008-10-07 20:26 . 2001-08-17 22:36 372,824 --a--c--- C:\WINDOWS\system32\dllcache\iconf32.dll
2008-10-07 20:25 . 2008-04-14 10:11 702,845 --a--c--- C:\WINDOWS\system32\dllcache\i81xdnt5.dll
2008-10-07 20:24 . 2001-08-17 13:28 907,456 --a--c--- C:\WINDOWS\system32\dllcache\hcf_msft.sys
2008-10-07 20:23 . 2001-08-17 14:56 1,733,120 --a--c--- C:\WINDOWS\system32\dllcache\g400d.dll
2008-10-07 20:21 . 2001-08-17 13:28 347,550 --a--c--- C:\WINDOWS\system32\dllcache\es56tpi.sys
2008-10-07 20:20 . 2001-08-17 13:28 634,134 --a--c--- C:\WINDOWS\system32\dllcache\el656ct5.sys
2008-10-07 20:19 . 2001-08-17 12:14 952,007 --a--c--- C:\WINDOWS\system32\dllcache\diwan.sys
2008-10-07 20:18 . 2001-08-17 12:13 980,034 --a--c--- C:\WINDOWS\system32\dllcache\cicap.sys
2008-10-07 20:17 . 2001-08-17 13:28 714,698 --a--c--- C:\WINDOWS\system32\dllcache\cbmdmkxx.sys
2008-10-07 20:16 . 2001-08-17 13:28 871,388 --a--c--- C:\WINDOWS\system32\dllcache\bcmdm.sys
2008-10-07 20:15 . 2001-08-17 14:55 382,592 --a--c--- C:\WINDOWS\system32\dllcache\atidrab.dll
2008-10-07 20:15 . 2001-08-17 14:56 268,160 --a--c--- C:\WINDOWS\system32\dllcache\atidvai.dll
2008-10-07 20:15 . 2001-08-17 14:56 137,216 --a--c--- C:\WINDOWS\system32\dllcache\atidrae.dll
2008-10-07 20:15 . 2001-08-17 12:12 97,354 --a--c--- C:\WINDOWS\system32\dllcache\aspndis3.sys
2008-10-07 20:15 . 2001-08-17 14:55 96,128 --a--c--- C:\WINDOWS\system32\dllcache\ati.dll
2008-10-07 20:15 . 2001-08-17 13:57 77,568 --a--c--- C:\WINDOWS\system32\dllcache\ati.sys
2008-10-07 20:15 . 2001-08-17 12:49 46,464 --a--c--- C:\WINDOWS\system32\dllcache\atibt829.sys
2008-10-07 20:15 . 2001-08-17 13:52 26,496 --a--c--- C:\WINDOWS\system32\dllcache\asc.sys
2008-10-07 20:15 . 2001-08-17 13:52 22,400 --a--c--- C:\WINDOWS\system32\dllcache\asc3350p.sys
2008-10-07 20:15 . 2001-08-17 13:51 14,848 --a--c--- C:\WINDOWS\system32\dllcache\asc3550.sys
2008-10-07 19:28 . 2001-08-17 13:28 762,780 --a--c--- C:\WINDOWS\system32\dllcache\3cwmcru.sys
2008-10-07 19:27 . 2008-04-14 05:27 2,188,928 --a--c--- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
2008-10-07 19:27 . 2001-08-17 14:56 66,048 --a--c--- C:\WINDOWS\system32\dllcache\s3legacy.dll
2008-10-07 14:09 . 2008-10-07 14:09 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-10-07 14:09 . 2008-10-08 10:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-10-07 14:01 . 2008-10-07 14:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2008-09-30 12:58 . 2008-10-07 14:05 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-09-19 21:54 . 2008-10-05 12:34 <DIR> d-------- C:\Documents and Settings\Craig\Application Data\OpenOffice.org2
2008-09-19 21:49 . 2008-09-19 21:50 <DIR> d-------- C:\Program Files\OpenOffice.org 2.4

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-14 23:10 --------- d-----w C:\Program Files\Common Files\Adobe
2008-10-13 00:31 --------- d-----w C:\Documents and Settings\Craig\Application Data\Skype
2008-10-12 05:30 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-10-08 01:49 --------- d-----w C:\Program Files\Lavasoft
2008-10-08 01:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avira
2008-10-02 22:22 --------- d-----w C:\Documents and Settings\Craig\Application Data\SPORE Creature Creator
2008-09-25 23:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-09-19 11:49 --------- d-----w C:\Program Files\Java
2008-09-19 00:57 --------- d-----w C:\Documents and Settings\Craig\Application Data\Canon
2008-09-02 21:27 2,536 ----a-w C:\WINDOWS\system32\ealregsnapshot1.reg
2008-09-02 07:35 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2008-09-02 07:35 --------- d--h--r C:\Documents and Settings\Craig\Application Data\SecuROM
2008-09-02 07:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-09-02 07:34 --------- d-----w C:\Program Files\Electronic Arts
2008-08-26 00:10 --------- d-----w C:\Program Files\MSECache
2008-07-30 09:19 122,880 ----a-w C:\WINDOWS\system32\UAService7.exe
2008-07-18 12:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-18 12:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-18 12:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-18 12:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-18 12:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-18 12:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-18 12:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-18 12:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-18 12:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-18 12:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2008-04-17 03:56 47,360 ----a-w C:\Documents and Settings\Craig\Application Data\pcouffin.sys
.

((((((((((((((((((((((((((((( snapshot@2008-10-14_11.00.02.56 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-12 05:06:42 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-07-12 106496]
"SiSRaid"="C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe" [2004-12-22 892928]
"RemoteControl"="C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe" [2003-12-08 32768]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 49152]
"VX3000"="C:\WINDOWS\vVX3000.exe" [2006-10-13 707376]
"LifeCam"="C:\Program Files\Microsoft LifeCam\LifeExp.exe" [2006-10-13 277296]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-02 3739648]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-08-15 271672]
"dvd43"="C:\Program Files\dvd43\dvd43_tray.exe" [2008-03-01 826880]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-05-15 1628208]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-05-15 1057328]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-05-27 413696]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"SoundMan"="SOUNDMAN.EXE" [2004-12-01 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-24 443968]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-08-08 110592]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]

[HKLM\~\startupfolder\C:^Documents and Settings^Craig^Start Menu^Programs^Startup^LimeWire On Startup.lnk]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"C:\\Program Files\\Kodak\\KODAK Software Updater\\7288971\\Program\\Kodak Software Updater.exe"=
"C:\\Program Files\\Canon\\DV Messenger\\DV Messenger.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"C:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\dpnsvr.exe"=
"C:\\WINDOWS\\system32\\dxdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Electronic Arts\\EADM\\Core.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R2 MSCamSvc;MSCamSvc;C:\Program Files\Microsoft LifeCam\MSCamS32.exe [2006-10-13 207664]
S2 ZPMODEMSYSNTDRVNT;ZPMODEMSYSNTDRVNT;C:\WINDOWS\system32\drivers\zpmodemnt.sys [2005-12-11 1792]
S3 ACCSKMD;Canon Camera Storage Device;C:\WINDOWS\system32\DRIVERS\accskmd.sys [2003-05-13 32640]
S3 SetupNTGLM7X;SetupNTGLM7X;D:\NTGLM7X.sys [ ]
.
Contents of the 'Scheduled Tasks' folder

2008-10-06 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-10-14 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 11:20]

2008-10-14 C:\WINDOWS\Tasks\XoftSpySE 2.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-10-09 00:19]

2008-10-12 C:\WINDOWS\Tasks\XoftSpySE.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2008-10-09 00:19]
.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-15 09:35:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-10-15 9:37:40
ComboFix-quarantined-files.txt 2008-10-14 23:37:25
ComboFix2.txt 2008-10-14 01:00:40

Pre-Run: 37,280,731,136 bytes free
Post-Run: 37,255,270,400 bytes free

194 --- E O F --- 2008-10-14 04:39:54


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:14 AM, on 15/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104w.bay104.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12B5145F-FED9-427F-866D-968073D6482E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C0EB618-CB11-4E75-A7CE-6F3F2D7B241B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A840EA9-B62B-4355-9098-CA0F53B5A782}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{12B5145F-FED9-427F-866D-968073D6482E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{12B5145F-FED9-427F-866D-968073D6482E}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 10327 bytes


I had uninstalled both utorrent and limewire prior to posting this thread. Are you saying they are still presenting as being installed?

craigcampbell66
2008-10-15, 04:39
I cannot get the Kapersky online scanner to work through IE7. It goes through the system check and keeps coming back with the window displaying the message that I don't have the correct version of Java installed and need to install 1.5. I have checked and I do have this version installed. Have been through all the trouble shooting measures as explained on the java website and tried again after a restart with the same message displaying. It has no problems starting in Firefox......just a problem finishing.

Blade81
2008-10-15, 08:02
I had uninstalled both utorrent and limewire prior to posting this thread. Are you saying they are still presenting as being installed?
Maybe not installed but some of their leftovers was still there :)

Let me know how it goes with Kaspersky. Defragging hard drive and disabling antivirus during the scan make it sometimes go smoother.

craigcampbell66
2008-10-15, 10:26
Hard drive is defragged and my anti virus was disabled. No success. Do the logs still show evidence of something on my computer. I don't know if it is a coincidence or not but my mouse is freezing quite often at the moment and when it does the keyboard controls cease to work as well. (no manual override)
Maybe the hardware is on the way out.

craigcampbell66
2008-10-15, 15:21
Tried again with the Kapersky online scanner in both IE7 and Firefox. reinstalled java 1.6 but explorer still won't recognize it. ran the scan in Firefox but it only got 1% in and froze. It was scanning openoffice at the time if that helps.

What's next?

Still appreciate the help.

Blade81
2008-10-15, 17:17
Hi Craig,

Please download Malwarebytes' Anti-Malware (http://www.besttechie.net/tools/mbam-setup.exe) to your desktop.

Double-click mbam-setup.exe and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select Perform full scan, then click Scan.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Please post contents of that file & a fresh hjt log in your next reply. How's the system running?

craigcampbell66
2008-10-16, 03:23
I have run the malwarebytes scan and removed the problems. I haven't really used the system that much since I have started this process to get rid of the infections. Apart from both browsers crashing during the various scans it seems to be ok but as I said it hasn't really done a lot of work over the past week. IE7 not recognising Java 1.6 may be a problem independant of any nasties in my system as might the curser/mouse freeze keyboard problem. I will try a new mouse to see if that helps. Process of elimination I guess.

You didn't say if there was evidence of the virtumonde virus in any of the log files. I am curious as to what HAS been playing havoc with my system.

Malwarebytes' Anti-Malware 1.28
Database version: 1274
Windows 5.1.2600 Service Pack 3

16/10/2008 10:12:11 AM
mbam-log-2008-10-16 (10-12-11).txt

Scan type: Full Scan (C:\|)
Objects scanned: 148244
Time elapsed: 53 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 10
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 14

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\f3PSSavr.scr.vir (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54EB1BD8-158C-4AFB-AECD-7A004EFFC09F}\RP1328\A0329458.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54EB1BD8-158C-4AFB-AECD-7A004EFFC09F}\RP1328\A0329459.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54EB1BD8-158C-4AFB-AECD-7A004EFFC09F}\RP1328\A0329474.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54EB1BD8-158C-4AFB-AECD-7A004EFFC09F}\RP1328\A0329477.SCR (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54EB1BD8-158C-4AFB-AECD-7A004EFFC09F}\RP1328\A0329479.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54EB1BD8-158C-4AFB-AECD-7A004EFFC09F}\RP1328\A0329481.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54EB1BD8-158C-4AFB-AECD-7A004EFFC09F}\RP1328\A0329484.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54EB1BD8-158C-4AFB-AECD-7A004EFFC09F}\RP1328\A0329485.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54EB1BD8-158C-4AFB-AECD-7A004EFFC09F}\RP1328\A0329486.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54EB1BD8-158C-4AFB-AECD-7A004EFFC09F}\RP1328\A0329492.DLL (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54EB1BD8-158C-4AFB-AECD-7A004EFFC09F}\RP1328\A0329493.EXE (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54EB1BD8-158C-4AFB-AECD-7A004EFFC09F}\RP1336\A0337622.scr (Adware.MyWebSearch) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{54EB1BD8-158C-4AFB-AECD-7A004EFFC09F}\RP1336\A0338648.dll (Adware.MyWebSearch) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23:33 AM, on 16/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\WINDOWS\vVX3000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiSRaid] C:\Program Files\Silicon Integrated Systems\SiSRaidPackage\SRaid.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [VX3000] C:\WINDOWS\vVX3000.exe
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &Search - ?p=ZJfox000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by104w.bay104.mail.live.com/mail/resources/MsnPUpld.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5036.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{12B5145F-FED9-427F-866D-968073D6482E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C0EB618-CB11-4E75-A7CE-6F3F2D7B241B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A840EA9-B62B-4355-9098-CA0F53B5A782}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{12B5145F-FED9-427F-866D-968073D6482E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{12B5145F-FED9-427F-866D-968073D6482E}: NameServer = 208.67.220.220,208.67.222.222
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Autodesk Network Licensing Service - Autodesk, Inc. - C:\Program Files\Common Files\Autodesk Shared\Service\AdskNetSrv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Sony DADC Austria AG. - C:\WINDOWS\system32\UAService7.exe

--
End of file - 10466 bytes

Blade81
2008-10-16, 08:20
Hi

Didn't see any Vundo (aka Virtumonde) signs there. In your case problems may not be malware related. Are these IPs belonging to your internet service provider 208.67.220.220,208.67.222.222 ?

craigcampbell66
2008-10-16, 09:26
I did a search for the IP addresses and they came back as resolver1.dns.com and resolver2.dns.com respectively. I tried to go to both sites to see who or what they are but couldn't connect.

Do you think my machine is basically clean then and that if I continue to have problems they may not be malware related?

Blade81
2008-10-16, 12:03
Hi

Assuming that those IPs belong to your service provider it looks like system is clean of malware to me.

Let's uninstall ComboFix:

Click START then RUN
Now type Combofix /u in the runbox and click OK

craigcampbell66
2008-10-17, 03:46
I did an IP search for the geographical location of those addresses and it comes up as San Francisco ,California. Would doubt that is my Internet provider. Could they be some source of a problem?? and if so how can I tell and what needs to be done to rectify it.

grateful as always for your help,

Craig

Blade81
2008-10-17, 08:40
Hi

If those IPs belong to your operator then there's no need to do anything. If those doesn't then you could fix following entries with hjt:
O17 - HKLM\System\CCS\Services\Tcpip\..\{12B5145F-FED9-427F-866D-968073D6482E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{7C0EB618-CB11-4E75-A7CE-6F3F2D7B241B}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{8A840EA9-B62B-4355-9098-CA0F53B5A782}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{12B5145F-FED9-427F-866D-968073D6482E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{12B5145F-FED9-427F-866D-968073D6482E}: NameServer = 208.67.220.220,208.67.222.222

Blade81
2008-10-24, 07:54
Due to inactivity, this thread will now be closed.

Note:If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

If it has been less than five days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.