
Virtumonde again



Chris9494
2008-11-13, 17:00
I have picked up a Virtumonde problem that Spybot does not seem to be able to remove. Please can anybody help?
My HijackThis logfile is:-

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:31:47, on 13/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Genesys PC Camera Device\GenePccMon.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hebnetfinder.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bridgendravens.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sp/*http://uk.search.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://hebnetfinder.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Search The Web
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GenePccMon.exe] C:\Program Files\Genesys PC Camera Device\GenePccMon.exe
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: ykptjg.dll,c:\progra~1\kasper~1\kasper~2\mzvkbd.dll,c:\progra~1\kasper~1\kasper~2\adialhk.dll,c:\progra~1\kasper~1\kasper~2\kloehk.dll
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 9474 bytes
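
As an added example (not part of the thread and not HijackThis code), the following Python script applies the checks a helper makes by eye on the log above: the Search Page and Local Page entries redirected to an unexpected host, the O3 toolbar whose file is missing, and the bare random-looking DLL name at the front of the O20 AppInit_DLLs list. The sample lines are copied from the log; the known-good home page host and the trusted vendor prefix are assumptions for this sample.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: a subset of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://hebnetfinder.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bridgendravens.co.uk/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://hebnetfinder.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O20 - AppInit_DLLs: ykptjg.dll,c:\progra~1\kasper~1\kasper~2\mzvkbd.dll,c:\progra~1\kasper~1\kasper~2\adialhk.dll
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
"""

# Assumption: the user's chosen home page; any other host on a Start/Search/Local Page line is reported.
KNOWN_GOOD_HOSTS = {"bridgendravens.co.uk"}
# Assumption: vendor directory that legitimately registers AppInit_DLLs hook DLLs (Kaspersky here).
TRUSTED_APPINIT_PREFIXES = ("c:\\progra~1\\kasper~1",)
# A bare name with no path is resolved through the DLL search path (system32 first).
RANDOM_NAME = re.compile(r"^[a-z]{6,8}\.dll$", re.IGNORECASE)
PAGE_RE = re.compile(r"^(HKCU|HKLM)\\Software\\Microsoft\\Internet Explorer\\Main,"
                     r"(Search Page|Start Page|Local Page) = (\S+)$")
TOOLBAR_RE = re.compile(r"^Toolbar: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*)$")


def parse_entry(line):
    """Split 'R1 - rest' / 'O20 - rest' into (section, rest); None for non-entries."""
    m = re.match(r"^([RO]\d+) - (.*)$", line.strip())
    return (m.group(1), m.group(2)) if m else None


def check_page(rest):
    """R0/R1: report Start/Search/Local Page values pointing at a host the user did not choose."""
    m = PAGE_RE.match(rest)
    if not m:
        return []
    host = urlsplit(m.group(3)).hostname or ""
    return [] if host in KNOWN_GOOD_HOSTS else [f"{m.group(2)} redirected to {host}"]


def check_toolbar(rest):
    """O3: a registered toolbar CLSID whose DLL no longer exists is an orphan worth removing."""
    m = TOOLBAR_RE.match(rest)
    if m and m.group(3) == "(no file)":
        return [f"orphaned toolbar CLSID {m.group(2)}"]
    return []


def check_appinit(rest):
    """O20: AppInit_DLLs entries are loaded into every GUI process; flag bare random names."""
    if not rest.startswith("AppInit_DLLs:"):
        return []
    out = []
    for dll in rest[len("AppInit_DLLs:"):].split(","):
        dll = dll.strip()
        if dll.lower().startswith(TRUSTED_APPINIT_PREFIXES):
            continue
        if RANDOM_NAME.match(dll):
            out.append(f"random-looking AppInit DLL {dll}")
    return out


CHECKS = {"R0": check_page, "R1": check_page, "O3": check_toolbar, "O20": check_appinit}


def triage(log_text):
    """Return (section, message) findings in log order."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if not entry:
            continue
        section, rest = entry
        for msg in CHECKS.get(section, lambda r: [])(rest):
            findings.append((section, msg))
    return findings


if __name__ == "__main__":
    for section, msg in triage(SAMPLE_LOG):
        print(f"{section}: {msg}")
```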

pskelley
2008-11-14, 16:53
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance) http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Make sure you read and follow the directions, anything else will slow the process and waste both of our time. I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
The junk can be tough to remove, so do not expect fast or easy.

Are you having any symptoms other than that? Vundo is a prolific popup maker; if it is on your computer, you will know it. Let's start like this.

Open HijackThis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.

Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

Post also any comments you think will help, especially malware symptoms.

Thanks

Chris9494
2008-11-18, 16:28
Thanks for the reply.
The symptoms are those of unrequested websites appearing frequently when online, which are difficult to delete. I have also experienced unauthorised changes to the home page option. Internet access is very slow.
I run Kaspersky Internet Security, which reports Trojan viruses in C:\Windows\System32\ijjyqicu.dll and C:\Windows\System\liJYQICu.dll which it cannot remove. Spybot reports Trojans in C:\Windows\System32\uCIQYJjl.ini and \uCIQYJjl.ini2 as well as an entry in the registry HKEY_LOCAL_MACHINE\Software\Microsoft\RemoveRP

I tried to follow your instructions to copy the Save List file. However, after I click on "Save list..." the program terminates without displaying the file save window. I have tried to re-download HijackThis but without success, and the downloaded file runs correctly on another computer. This looks like another problem with my software.
Please advise on my next step.

Chris9494

pskelley
2008-11-18, 16:33
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

Download ComboFix from one of these locations:

Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
See this Link (http://www.bleepingcomputer.com/forums/topic114351.html) for programs that need to be disabled and instructions on how to disable them.
Remember to re-enable them when we're done.


Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


http://i24.photobucket.com/albums/c30/ken545/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://i24.photobucket.com/albums/c30/ken545/whatnext.jpg

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a new HijackThis log.

*If there is no internet connection when ComboFix has completely finished, then restart your computer to restore the connection.

Tutorial if needed
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks

Chris9494
2008-11-20, 15:10
:) Instructions have been executed and the text files are attached. Thanks

ComboFix 08-11-19.08 - chris 2008-11-20 12:51:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1569 [GMT 0:00]
Running from: c:\documents and settings\chris\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\chris\Local Settings\Application Data\Microsoft\Windows Media\10.0\WMSDKNSD.XML
c:\documents and settings\chris\Local Settings\Temporary Internet Files\mcc6.tmp
c:\windows\system32\byXPIaYS.dll
c:\windows\system32\cbXNFuTj.dll
c:\windows\system32\cbXOIxwu.dll
c:\windows\system32\idxlty.dll
c:\windows\system32\jrkpjopr.dll
c:\windows\system32\ljJYQICu.dll
c:\windows\system32\pmnmLdAr.dll
c:\windows\system32\ssqNHBTk.dll
c:\windows\system32\uCIQYJjl.ini
c:\windows\system32\uCIQYJjl.ini2
c:\windows\system32\wvUmljgD.dll
c:\windows\system32\xmpxwlhg.ini
c:\windows\system32\XXXljJYQICu.dll

----- BITS: Possible infected sites -----

hxxp://www.securityenchancement.com
.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-13 14:30 . 2008-11-13 14:30 <DIR> d-------- c:\program files\Trend Micro
2008-11-13 11:57 . 2008-11-13 11:57 160 --a------ c:\windows\wininit.ini
2008-11-13 08:53 . 2008-11-13 11:43 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-13 08:53 . 2008-11-13 12:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-12 22:05 . 2008-11-12 22:05 85,504 --a------ c:\windows\system32\ijxphoxb.dll
2008-11-11 22:04 . 2008-11-11 22:04 85,504 --a------ c:\windows\system32\vdywrxjo.dll
2008-11-11 20:55 . 2008-11-11 20:55 85,504 --a------ c:\windows\system32\glmqeklr.dll
2008-11-11 16:01 . 2008-11-11 16:01 <DIR> d-------- c:\documents and settings\chris\Application Data\Apple Computer
2008-11-11 12:38 . 2008-11-11 12:38 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-11 12:34 . 2008-11-11 12:34 <DIR> d-------- c:\program files\Apple Software Update
2008-11-11 12:34 . 2008-11-11 12:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-10 20:54 . 2008-11-10 20:55 85,504 --a------ c:\windows\system32\svnqsfpm.dll
2008-11-10 15:18 . 2008-11-10 15:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\TomTom
2008-11-07 20:14 . 2008-11-07 20:14 <DIR> d-------- c:\documents and settings\chris\Application Data\CANON INC
2008-11-07 20:14 . 2008-11-11 21:01 <DIR> d-------- c:\documents and settings\chris\Application Data\CameraWindowDC
2008-11-07 20:13 . 2008-11-11 21:06 <DIR> d-------- c:\documents and settings\chris\Application Data\ZoomBrowser EX
2008-11-07 20:12 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-07 20:12 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-07 20:12 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-11-07 20:12 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-06 19:57 . 2008-11-06 19:57 <DIR> d-------- c:\documents and settings\chris\Application Data\TomTom
2008-11-06 19:54 . 2008-11-06 19:54 <DIR> d-------- c:\program files\TomTom HOME 2
2008-11-06 15:11 . 2008-11-06 15:11 1,277,393 --a------ c:\windows\system32\xa4176421.exe
2008-11-06 15:11 . 2008-11-06 15:11 1,277,393 --a------ c:\windows\system32\xa4166218.exe
2008-11-06 15:04 . 2008-11-06 15:12 2,826,240 --ahs---- c:\windows\system32\amtlib.dll
2008-11-06 15:03 . 2008-11-06 15:03 176,128 --a------ c:\windows\system32\xwr89113.dll
2008-11-06 15:03 . 2008-11-06 15:03 176,128 --a------ c:\windows\system32\wr89113.dll
2008-11-06 15:02 . 2008-11-06 15:02 1,277,393 --a------ c:\windows\system32\xa3633375.exe
2008-11-06 15:02 . 2008-11-06 15:02 1,277,393 --a------ c:\windows\system32\xa3623265.exe
2008-11-06 14:48 . 2008-11-06 14:48 <DIR> d-------- c:\program files\Adobe Media Player
2008-11-06 14:42 . 2008-11-06 14:42 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-05 19:01 . 2008-11-05 19:01 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-05 19:01 . 2008-11-05 19:01 1,409 --a------ c:\windows\QTFont.for
2008-11-04 15:42 . 2008-11-04 15:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-04 15:35 . 2008-11-04 15:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2008-11-04 15:31 . 2008-11-04 15:31 <DIR> d-------- c:\program files\Bonjour
2008-11-04 15:12 . 2008-11-04 15:12 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-04 15:03 . 2008-11-04 15:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2008-11-01 22:08 . 2008-11-01 22:08 <DIR> d-------- C:\My Downloads
2008-10-30 22:23 . 2008-11-01 19:43 <DIR> d--h----- c:\windows\$hf_mig$
2008-10-30 22:23 . 2005-02-25 03:35 22,752 --a------ c:\windows\system32\spupdsvc.exe
2008-10-30 21:01 . 2008-10-30 21:12 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-10-30 21:01 . 2008-10-30 21:12 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-10-30 21:00 . 2008-11-20 12:57 2,949,664 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-10-30 21:00 . 2008-11-20 12:57 499,744 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-10-30 21:00 . 2008-11-20 12:57 24,124 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-10-30 21:00 . 2008-11-20 12:57 2,788 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-10-30 20:18 . 2008-10-30 21:00 <DIR> d-------- c:\program files\Kaspersky Lab
2008-10-30 20:18 . 2008-11-20 09:16 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-10-27 20:08 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-10-27 20:08 . 2008-04-14 00:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-10-27 17:29 . 2008-10-27 17:29 552 --a------ c:\windows\system32\d3d8caps.dat
2008-10-27 11:43 . 2008-10-27 11:43 140,095 --a------ c:\windows\system32\AdobeFnt.lst
2008-10-27 11:21 . 2008-10-27 11:21 7,680 --ahs---- c:\windows\Thumbs.db
2008-10-27 11:21 . 2008-11-11 12:06 69 --a------ c:\windows\NeroDigital.ini
2008-10-23 13:41 . 2008-10-27 11:21 <DIR> d-------- c:\program files\Dream Aquarium
2008-10-23 13:11 . 2008-10-23 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\LightScribe
2008-10-22 20:03 . 2008-10-22 20:03 <DIR> d-------- c:\windows\system32\LogFiles
2008-10-22 18:54 . 2007-07-30 18:19 271,224 --a------ c:\windows\system32\mucltui.dll
2008-10-22 18:54 . 2007-07-30 18:19 207,736 --a------ c:\windows\system32\muweb.dll
2008-10-22 18:54 . 2007-07-30 18:19 30,072 --a------ c:\windows\system32\mucltui.dll.mui
2008-10-22 17:30 . 2008-10-22 17:30 <DIR> d-------- c:\program files\LightWork Design
2008-10-22 17:25 . 2008-10-22 17:27 <DIR> d-------- c:\program files\Common Files\FotoNation
2008-10-22 17:25 . 1998-07-07 17:10 534,528 --a------ c:\windows\system32\LTOCX10N.OCX
2008-10-22 17:20 . 2008-10-22 17:20 <DIR> d-------- c:\documents and settings\chris\WINDOWS
2008-10-22 17:18 . 2008-10-22 17:18 <DIR> d-------- c:\windows\Application Data
2008-10-22 17:18 . 2008-10-22 17:18 <DIR> d-------- c:\program files\ArcSoft
2008-10-22 17:17 . 1998-10-29 14:45 306,688 --a------ c:\windows\IsUninst.exe
2008-10-22 17:16 . 2008-10-27 11:21 <DIR> d-------- c:\program files\FinePixViewer
2008-10-22 17:14 . 2008-10-22 17:14 <DIR> d-------- c:\program files\REGSHAVE
2008-10-22 17:14 . 2001-11-24 17:11 81,924 --a------ c:\windows\system32\drivers\VC4CB104.SYS
2008-10-22 17:14 . 2001-11-25 02:11 81,924 --a------ c:\windows\system32\drivers\V4CB0115.SYS
2008-10-22 17:14 . 2001-11-25 02:11 81,924 --a------ c:\windows\system32\drivers\V4CB010B.SYS
2008-10-22 17:14 . 2001-11-21 21:09 81,796 --a------ c:\windows\system32\drivers\V4CB0109.SYS
2008-10-22 17:14 . 2002-02-04 22:33 69,632 --a------ c:\windows\system32\FREGSHEX.DLL
2008-10-22 17:14 . 2002-02-26 17:27 65,536 --a------ c:\windows\system32\FINFCHECK.dll
2008-10-22 17:14 . 2002-01-15 11:30 49,152 --a------ c:\windows\system32\FINSTALL.dll
2008-10-22 17:14 . 2002-02-12 16:00 45,056 --a------ c:\windows\system32\FCLKBTN.DLL
2008-10-22 17:12 . 2008-11-11 12:40 <DIR> d-------- c:\program files\QuickTime
2008-10-22 17:12 . 2008-11-11 12:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-22 17:10 . 2008-10-22 17:10 13,750 --a------ c:\windows\system32\wpa.bak
2008-10-22 16:46 . 2008-10-22 16:56 <DIR> d-------- c:\program files\Canon
2008-10-22 16:46 . 2008-10-22 16:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-10-22 16:44 . 2008-10-22 16:44 <DIR> d-------- c:\program files\Common Files\Canon
2008-10-22 16:40 . 2008-11-06 19:53 <DIR> d-------- c:\program files\TomTom HOME
2008-10-22 16:31 . 2008-10-22 16:31 <DIR> d-------- c:\program files\MSBuild
2008-10-22 16:31 . 2008-10-22 16:31 <DIR> d-------- c:\program files\Microsoft Works
2008-10-22 16:31 . 2006-10-26 18:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-10-22 16:26 . 2008-10-22 16:26 <DIR> d-------- c:\windows\SHELLNEW
2008-10-22 16:26 . 2008-10-27 11:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-22 16:25 . 2008-10-22 16:25 <DIR> dr-h----- C:\MSOCache
2008-10-22 16:07 . 2008-10-26 18:04 <DIR> d-------- c:\program files\Google
2008-10-22 15:57 . 2008-10-22 15:57 <DIR> d---s---- c:\documents and settings\chris\UserData
2008-10-22 15:09 . 2008-10-22 15:18 <DIR> d-------- c:\program files\Arcade Chess
2008-10-22 14:55 . 2008-10-22 14:55 <DIR> d-------- c:\program files\Mahjong Deluxe
2008-10-22 14:50 . 2008-10-30 20:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-10-22 14:50 . 2006-03-03 10:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2008-10-22 14:46 . 2008-10-30 20:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-10-22 14:34 . 2008-10-22 14:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-22 14:33 . 2008-11-01 19:49 <DIR> d-------- c:\documents and settings\chris\Application Data\Motive
2008-10-22 14:32 . 2008-11-02 19:12 <DIR> d-------- c:\program files\Common Files\Motive
2008-10-22 14:32 . 2008-10-22 14:33 <DIR> d-------- c:\program files\BT Broadband Desktop Help
2008-10-22 14:32 . 2008-10-22 14:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Motive
2008-10-22 14:32 . 2002-01-05 06:37 344,064 --a------ c:\windows\system32\msvcr70.dll
2008-10-22 14:32 . 2002-01-05 05:18 84,992 --a------ c:\windows\system32\ATL70.DLL
2008-10-22 14:32 . 2001-10-11 10:26 65,536 --a------ c:\windows\system32\YCRWin32.dll
2008-10-22 14:31 . 2008-10-22 14:34 <DIR> d-------- c:\program files\Yahoo!
2008-10-22 14:31 . 2008-10-22 14:33 <DIR> d-------- c:\program files\BTHomeHub
2008-10-22 14:10 . 2008-10-22 14:10 5,208 --a------ c:\windows\system32\pid.PNF
2008-10-22 14:08 . 2001-08-17 13:59 3,072 --a------ c:\windows\system32\drivers\audstub.sys
2008-10-22 14:07 . 2008-04-14 00:10 57,600 --a------ c:\windows\system32\drivers\redbook.sys
2008-10-22 14:07 . 2008-04-14 05:41 21,504 --a------ c:\windows\system32\hidserv.dll
2008-10-22 14:06 . 2008-04-14 04:42 74,240 --a------ c:\windows\system32\usbui.dll
2008-10-22 14:06 . 2008-04-14 04:42 74,240 --a--c--- c:\windows\system32\dllcache\usbui.dll
2008-10-22 14:05 . 2008-04-14 00:06 14,208 --a------ c:\windows\system32\drivers\battc.sys
2008-10-22 14:05 . 2008-04-14 00:06 13,952 --a------ c:\windows\system32\drivers\CmBatt.sys
2008-10-22 14:05 . 2008-04-14 00:06 10,240 --a------ c:\windows\system32\drivers\compbatt.sys
2008-10-22 14:04 . 2008-11-06 14:54 <DIR> dr------- c:\documents and settings\All Users\Documents
2008-10-22 14:03 . 2008-10-22 14:32 <DIR> d--h----- c:\documents and settings\Default User
2008-10-22 14:03 . 2008-10-22 13:18 <DIR> d-------- c:\documents and settings\All Users
2008-10-22 14:03 . 2008-10-22 13:23 <DIR> d-------- C:\Documents and Settings
2008-10-22 14:03 . 2008-10-30 21:00 1,214,323 --a------ c:\windows\setupapi.log.0.old
2008-10-22 14:02 . 2008-10-22 13:21 261 --a------ c:\windows\system32\$winnt$.inf
2008-10-22 14:00 . 2008-11-20 12:58 <DIR> d-------- c:\program files\lg_fwupdate
2008-10-22 14:00 . 1998-06-23 23:00 115,016 --a------ c:\windows\system32\MSINET.OCX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-07 19:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-06 14:52 --------- d-----w c:\program files\Common Files\Adobe
2008-10-23 13:11 --------- d-----w c:\documents and settings\chris\Application Data\Ahead
2008-10-22 17:18 4,608 ----a-w c:\windows\system32\w95inf32.dll
2008-10-22 17:18 2,272 ----a-w c:\windows\system32\w95inf16.dll
2008-10-22 17:12 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-22 14:36 --------- d-----w c:\program files\Atheros
2008-10-22 13:58 --------- d-----w c:\program files\CyberLink
2008-10-22 13:55 --------- d-----w c:\program files\Common Files\Ahead
2008-10-22 13:54 --------- d-----w c:\program files\Common Files\LightScribe
2008-10-22 13:54 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2008-10-22 13:52 --------- d-----w c:\program files\Nero
2008-10-22 13:52 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-10-22 13:47 --------- d-----w c:\documents and settings\All Users\Application Data\Atheros
2008-10-22 13:44 --------- d-----w c:\documents and settings\chris\Application Data\AdobeUM
2008-10-22 13:36 --------- d-----w c:\program files\CONEXANT
2008-10-22 13:35 --------- d-----w c:\program files\Genesys PC Camera Device
2008-10-22 13:33 --------- d-----w c:\program files\Synaptics
2008-10-22 13:33 --------- d-----w c:\documents and settings\chris\Application Data\InstallShield
2008-10-22 13:31 315,392 ----a-w c:\windows\HideWin.exe
2008-10-22 13:31 --------- d-----w c:\program files\Realtek
2008-10-22 13:27 --------- d-----w c:\program files\Intel
2008-10-22 13:19 --------- d-----w c:\program files\microsoft frontpage
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5241E039-3166-31D1-8EC7-7AF24ADFB5A7}]
2008-11-06 15:03 176128 --a------ c:\windows\system32\xwr89113.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-12-05 2295072]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-09-26 206184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-24 8495104]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-18 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-25 864256]
"GenePccMon.exe"="c:\program files\Genesys PC Camera Device\GenePccMon.exe" [2007-02-14 36864]
"ACU"="c:\program files\Atheros\ACU.exe" [2007-05-03 376921]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]
"NBKeyScan"="c:\program files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe" [2007-09-17 1377576]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2007-02-26 249856]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2008-09-11 1517056]
"btbb_wcm_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2008-08-28 1516032]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 201992]
"nwiz"="nwiz.exe" [2007-10-24 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 3:44:06 AM 29696]
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [1/9/2002 2:53:14 AM 200704]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [9/10/2008 12:00:00 PM 525664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)
"McciCMService"=2 (0x2)
"gusvc"=3 (0x3)
"ERSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29:38 PM 32784]
R2 adfs;adfs;c:\windows\system32\drivers\adfs.sys [8/14/2008 7:57:42 AM 74720]
R3 DCamUSBGene;GenesysLogic USB2.0 PC Camera;c:\windows\system32\DRIVERS\usbgene.sys [10/22/2008 1:35:28 PM 131584]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [3/13/2008 7:02:46 PM 26640]
R3 MRESP50;MRESP50 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MRESP50.SYS [10/22/2008 2:32:48 PM 18304]
R3 RTSTOR;USB Mass Stroage Device;c:\windows\system32\drivers\RTSTOR.SYS [10/22/2008 1:34:38 PM 41728]
R3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys [10/22/2008 1:47:59 PM 57024]
S3 MREMP50;MREMP50 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MREMP50.SYS [10/22/2008 2:32:48 PM 19712]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MRESP50a64.SYS []
S4 McciCMService;McciCMService;"c:\program files\Common Files\Motive\McciCMService.exe" [10/22/2008 2:32:44 PM 303104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8476189-ab32-11dd-b811-00224318d289}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
- - - - ORPHANS REMOVED - - - -

BHO-{040B1E60-D8CE-48C8-8A9E-C6C8AC516540} - c:\windows\system32\ljJYQICu.dll
BHO-{96E74E0B-9143-4D55-B522-35112296956A} - c:\windows\system32\byXPIaYS.dll
HKCU-Run-AdobeBridge - (no file)
ShellExecuteHooks-{96E74E0B-9143-4D55-B522-35112296956A} - c:\windows\system32\byXPIaYS.dll
Notify-cbXNgHbY - cbXNgHbY.dll



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 12:59:13
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\acs.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Nero\Nero 7\InCD\InCDsrv.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\windows\system32\nvsvc32.exe
c:\program files\CyberLink\Shared Files\RichVideo.exe
c:\windows\system32\wdfmgr.exe
c:\program files\Canon\CAL\CALMAIN.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-11-20 13:04:00 - machine was rebooted
ComboFix-quarantined-files.txt 2008-11-20 13:03:36

Pre-Run: 301,455,548,416 bytes free
Post-Run: 301,428,625,408 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

301 --- E O F --- 2008-10-30 22:23:39



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:05:55, on 20/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bridgendravens.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/customize/btyahoo/defaults/sb/*http://uk.docs.yahoo.com/info/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://hebnetfinder.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: D - {5241E039-3166-31D1-8EC7-7AF24ADFB5A7} - C:\WINDOWS\system32\xwr89113.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.5470\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GenePccMon.exe] C:\Program Files\Genesys PC Camera Device\GenePccMon.exe
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 9784 bytes


Chris9494

pskelley
2008-11-20, 15:38
Thanks for returning your information. Proceed carefully and in the numbered order.

Chris, I have some unusual files I need information about. I do not want to remove anything valid. Please do this:
Make sure you have all files and folders enabled:
http://www.bleepingcomputer.com/tutorials/tutorial62.html
Use one or more of these scanners and let me know the results:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

files to scan:
c:\windows\system32\xa4176421.exe
c:\windows\system32\xa4166218.exe
c:\windows\system32\xa3633375.exe
c:\windows\system32\xa3623265.exe

If you find those are bad and can add them safely to the CFScript you are about to run (carefully), you may do so. They would be added as files.
If you are unsure, then just post the information for me.


Instructions start here:

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

2) Open notepad and copy/paste the text in the codebox below into it:


File::
c:\windows\system32\wr89113.dll
C:\WINDOWS\system32\xwr89113.dll
c:\windows\system32\ijxphoxb.dll
c:\windows\system32\vdywrxjo.dll
c:\windows\system32\glmqeklr.dll
c:\windows\system32\svnqsfpm.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5241E039-3166-31D1-8EC7-7AF24ADFB5A7}]

Save this as CFScript

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log. (Wait until you finish to post the logs.)

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.clientapps.yahoo.com/c...o/bt_side.html
O2 - BHO: D - {5241E039-3166-31D1-8EC7-7AF24ADFB5A7} - C:\WINDOWS\system32\xwr89113.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

*Cleaning Prefetch may result in a few slow starts until the folder is repopulated:
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

5) Download Malwarebytes' Anti-Malware to your Desktop
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post the log from CFScript, the log from MBAM, a new HJT log and any information I requested.

How is the computer running?

Cheers...Phil
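The triage that Phil is doing by hand above (read the HijackThis log, pick out the BHO, toolbar and Winlogon Notify entries that look like Virtumonde residue, then turn them into a `File::` / `Registry::` CFScript for ComboFix) can be scripted. The following Python is an added example for this thread, not code from the original post, from HijackThis, or from ComboFix. The log lines it parses are constructed here in HijackThis 2.0.2 format (the `O20 - Winlogon Notify` line is made up to match the orphan ComboFix listed); the "random-looking name" heuristics are assumptions drawn only from the file names seen in this thread, not a signature, so anything it flags still needs a look-up at VirusTotal or Jotti before it goes into a script. The registry locations are the real ones behind ComboFix's `HKEY_LOCAL_MACHINE\~\Browser Helper Objects` shorthand; the `"{clsid}"=-` form for deleting a single toolbar value is standard .reg syntax.

```python
"""Triage a HijackThis log for Virtumonde-style entries and draft a CFScript.

Added example; not the page's, HijackThis's or ComboFix's own code.
Heuristics are assumptions based on the file names in this thread.
"""
import re
from typing import List, NamedTuple

# Constructed sample in HijackThis 2.0.2 format (the O20 line is invented
# to mirror the "Notify-cbXNgHbY" orphan that ComboFix reported).
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: D - {5241E039-3166-31D1-8EC7-7AF24ADFB5A7} - C:\\WINDOWS\\system32\\xwr89113.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\\Program Files\\Google\\Google Toolbar\\GoogleToolbar.dll
O20 - Winlogon Notify: cbXNgHbY - C:\\WINDOWS\\system32\\cbXNgHbY.dll
"""


class Entry(NamedTuple):
    kind: str    # "O2 - BHO", "O3 - Toolbar" or "O20 - Winlogon Notify"
    name: str    # display name (or the Notify subkey name for O20)
    clsid: str   # empty for O20 entries, which carry no CLSID
    path: str    # file path, or "(no file)" for an orphaned registration


class Finding(NamedTuple):
    entry: Entry
    reason: str


ENTRY_RE = re.compile(
    r"^(?P<kind>O2 - BHO|O3 - Toolbar|O20 - Winlogon Notify): "
    r"(?P<name>.*?) - (?:\{(?P<clsid>[0-9A-Fa-f-]{36})\} - )?(?P<path>.+)$")

# Assumed heuristics from the names in this thread: eight mixed-case letters
# (ljJYQICu.dll, byXPIaYS.dll, cbXNgHbY.dll) or a short letter prefix plus a
# run of digits (xwr89113.dll), sitting directly in system32.
MIXED_CASE_8 = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])[A-Za-z]{8}\.dll$")
LETTERS_DIGITS = re.compile(r"^[a-z]{1,3}\d{5,}\.dll$", re.IGNORECASE)
IN_SYSTEM32 = re.compile(r"\\system32\\([^\\]+)$", re.IGNORECASE)

# Real registry locations behind ComboFix's "\~\" shorthand.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
TOOLBAR_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


def parse_log(text: str) -> List[Entry]:
    """Pull the O2 / O3 / O20 lines out of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["kind"], m["name"], m["clsid"] or "", m["path"]))
    return entries


def suspicious_reason(e: Entry) -> str:
    """Return why an entry looks like Virtumonde residue, or '' if it does not."""
    if e.path == "(no file)":
        return "registered component whose file is gone"
    m = IN_SYSTEM32.search(e.path)
    if m and (MIXED_CASE_8.match(m.group(1)) or LETTERS_DIGITS.match(m.group(1))):
        return "random-looking DLL name directly in system32"
    if e.kind == "O2 - BHO" and (len(e.name) <= 1 or e.name == "(no name)"):
        return "BHO with an empty or one-character display name"
    return ""


def triage(entries: List[Entry]) -> List[Finding]:
    """Keep only the entries a heuristic fired on, in log order."""
    found = []
    for e in entries:
        reason = suspicious_reason(e)
        if reason:
            found.append(Finding(e, reason))
    return found


def build_cfscript(findings: List[Finding]) -> str:
    """Draft the File:: and Registry:: sections of a ComboFix CFScript."""
    files: List[str] = []
    registry: List[str] = []
    for f in findings:
        e = f.entry
        if e.path != "(no file)" and e.path not in files:
            files.append(e.path)                     # File:: takes one path per line
        if e.kind == "O2 - BHO":
            registry.append(f"[-{BHO_KEY}\\{{{e.clsid}}}]")        # delete the whole CLSID key
        elif e.kind == "O3 - Toolbar":
            registry.append(f'[{TOOLBAR_KEY}]\n"{{{e.clsid}}}"=-')  # .reg syntax: delete one value
        elif e.kind == "O20 - Winlogon Notify":
            registry.append(f"[-{NOTIFY_KEY}\\{e.name}]")          # delete the Notify subkey
    return "\n".join(["File::", *files, "", "Registry::", *registry, ""])


if __name__ == "__main__":
    found = triage(parse_log(SAMPLE_LOG))
    for f in found:
        print(f"{f.entry.kind}: {f.entry.path}  <- {f.reason}")
    print()
    print(build_cfscript(found))
```

Run against the constructed sample it flags the `D` BHO in `xwr89113.dll`, the `(no file)` toolbar and the `cbXNgHbY` Notify entry, and leaves the Adobe, Spybot and Google components alone. The drafted script is a starting point only: the `(no file)` toolbar contributes nothing to `File::` (there is nothing on disk to quarantine), and every path the heuristics pick should still be confirmed with an online scanner, exactly as Phil asks above, before ComboFix is pointed at it.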

Chris9494
2008-11-20, 22:29
Hi Phil

I have worked through the last set of instructions. The files
c:\windows\system32\xa4176421.exe
c:\windows\system32\xa4166218.exe
c:\windows\system32\xa3633375.exe
c:\windows\system32\xa3623265.exe

all contained the same seven entries when scanned with virusscan.jotti.
These files were added to the other files to produce the CFScript.

These were run with Combofix as directed.

The HijackThis system scan only did not have an entry
O2 - BHO: D - {5241E039-3166-31D1-8EC7-7AF24ADFB5A7} - C:\WINDOWS\system32\xwr89113.dll
so I just ticked the other two boxes and ran the program.

ATF Cleaner and Anti-Malware ran OK.

The scan reports are as follows:

ComboFix 08-11-19.08 - chris 2008-11-20 15:35:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1500 [GMT 0:00]
Running from: c:\documents and settings\chris\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\chris\Desktop\CFScript.txt
* Created a new restore point

FILE ::
c:\windows\system32\glmqeklr.dll
c:\windows\system32\ijxphoxb.dll
c:\windows\system32\svnqsfpm.dll
c:\windows\system32\vdywrxjo.dll
c:\windows\system32\wr89113.dll
c:\windows\system32\xa3623265.exe
c:\windows\system32\xa3633375.exe
c:\windows\system32\xa4166218.exe
c:\windows\system32\xa4176421.exe
c:\windows\system32\xwr89113.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\glmqeklr.dll
c:\windows\system32\ijxphoxb.dll
c:\windows\system32\svnqsfpm.dll
c:\windows\system32\vdywrxjo.dll
c:\windows\system32\wr89113.dll
c:\windows\system32\xa3623265.exe
c:\windows\system32\xa3633375.exe
c:\windows\system32\xa4166218.exe
c:\windows\system32\xa4176421.exe
c:\windows\system32\xwr89113.dll

.
((((((((((((((((((((((((( Files Created from 2008-10-20 to 2008-11-20 )))))))))))))))))))))))))))))))
.

2008-11-20 15:10 . 2008-11-20 15:10 <DIR> d-------- c:\windows\LastGood
2008-11-13 14:30 . 2008-11-13 14:30 <DIR> d-------- c:\program files\Trend Micro
2008-11-13 11:57 . 2008-11-13 11:57 160 --a------ c:\windows\wininit.ini
2008-11-13 08:53 . 2008-11-13 11:43 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2008-11-13 08:53 . 2008-11-13 12:52 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-11-11 16:01 . 2008-11-11 16:01 <DIR> d-------- c:\documents and settings\chris\Application Data\Apple Computer
2008-11-11 12:38 . 2008-11-11 12:38 <DIR> d-------- c:\program files\Common Files\Apple
2008-11-11 12:34 . 2008-11-11 12:34 <DIR> d-------- c:\program files\Apple Software Update
2008-11-11 12:34 . 2008-11-11 12:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple
2008-11-10 15:18 . 2008-11-10 15:18 <DIR> d-------- c:\documents and settings\All Users\Application Data\TomTom
2008-11-07 20:14 . 2008-11-07 20:14 <DIR> d-------- c:\documents and settings\chris\Application Data\CANON INC
2008-11-07 20:14 . 2008-11-11 21:01 <DIR> d-------- c:\documents and settings\chris\Application Data\CameraWindowDC
2008-11-07 20:13 . 2008-11-11 21:06 <DIR> d-------- c:\documents and settings\chris\Application Data\ZoomBrowser EX
2008-11-07 20:12 . 2008-04-14 05:42 159,232 --a------ c:\windows\system32\ptpusd.dll
2008-11-07 20:12 . 2008-04-14 00:15 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
2008-11-07 20:12 . 2008-04-14 00:15 15,104 --a--c--- c:\windows\system32\dllcache\usbscan.sys
2008-11-07 20:12 . 2001-08-17 22:36 5,632 --a------ c:\windows\system32\ptpusb.dll
2008-11-06 19:57 . 2008-11-06 19:57 <DIR> d-------- c:\documents and settings\chris\Application Data\TomTom
2008-11-06 19:54 . 2008-11-06 19:54 <DIR> d-------- c:\program files\TomTom HOME 2
2008-11-06 15:04 . 2008-11-06 15:12 2,826,240 --ahs---- c:\windows\system32\amtlib.dll
2008-11-06 14:48 . 2008-11-06 14:48 <DIR> d-------- c:\program files\Adobe Media Player
2008-11-06 14:42 . 2008-11-06 14:42 <DIR> d-------- c:\program files\Common Files\Adobe AIR
2008-11-05 19:01 . 2008-11-05 19:01 54,156 --ah----- c:\windows\QTFont.qfn
2008-11-05 19:01 . 2008-11-05 19:01 1,409 --a------ c:\windows\QTFont.for
2008-11-04 15:42 . 2008-11-04 15:42 <DIR> d-------- c:\documents and settings\All Users\Application Data\FLEXnet
2008-11-04 15:35 . 2008-11-04 15:35 <DIR> d-------- c:\documents and settings\All Users\Application Data\ALM
2008-11-04 15:31 . 2008-11-04 15:31 <DIR> d-------- c:\program files\Bonjour
2008-11-04 15:12 . 2008-11-04 15:12 <DIR> d-------- c:\program files\Common Files\Macrovision Shared
2008-11-04 15:03 . 2008-11-04 15:05 <DIR> d-------- c:\documents and settings\All Users\Application Data\WinZip
2008-11-01 22:08 . 2008-11-01 22:08 <DIR> d-------- C:\My Downloads
2008-10-30 22:23 . 2008-11-01 19:43 <DIR> d--h----- c:\windows\$hf_mig$
2008-10-30 22:23 . 2005-02-25 03:35 22,752 --a------ c:\windows\system32\spupdsvc.exe
2008-10-30 21:01 . 2008-10-30 21:12 96,976 --a------ c:\windows\system32\drivers\klin.dat
2008-10-30 21:01 . 2008-10-30 21:12 87,855 --a------ c:\windows\system32\drivers\klick.dat
2008-10-30 21:00 . 2008-11-20 13:18 2,956,832 --ahs---- c:\windows\system32\drivers\fidbox.dat
2008-10-30 21:00 . 2008-11-20 13:18 499,744 --ahs---- c:\windows\system32\drivers\fidbox2.dat
2008-10-30 21:00 . 2008-11-20 14:19 24,180 --ahs---- c:\windows\system32\drivers\fidbox.idx
2008-10-30 21:00 . 2008-11-20 13:18 2,788 --ahs---- c:\windows\system32\drivers\fidbox2.idx
2008-10-30 20:18 . 2008-10-30 21:00 <DIR> d-------- c:\program files\Kaspersky Lab
2008-10-30 20:18 . 2008-11-20 13:19 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kaspersky Lab
2008-10-27 20:08 . 2008-04-14 00:17 25,856 --a------ c:\windows\system32\drivers\usbprint.sys
2008-10-27 20:08 . 2008-04-14 00:17 25,856 --a--c--- c:\windows\system32\dllcache\usbprint.sys
2008-10-27 17:29 . 2008-10-27 17:29 552 --a------ c:\windows\system32\d3d8caps.dat
2008-10-27 11:43 . 2008-10-27 11:43 140,095 --a------ c:\windows\system32\AdobeFnt.lst
2008-10-27 11:21 . 2008-10-27 11:21 7,680 --ahs---- c:\windows\Thumbs.db
2008-10-27 11:21 . 2008-11-11 12:06 69 --a------ c:\windows\NeroDigital.ini
2008-10-23 13:41 . 2008-10-27 11:21 <DIR> d-------- c:\program files\Dream Aquarium
2008-10-23 13:11 . 2008-10-23 13:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\LightScribe
2008-10-22 20:03 . 2008-10-22 20:03 <DIR> d-------- c:\windows\system32\LogFiles
2008-10-22 18:54 . 2007-07-30 18:19 271,224 --a------ c:\windows\system32\mucltui.dll
2008-10-22 18:54 . 2007-07-30 18:19 207,736 --a------ c:\windows\system32\muweb.dll
2008-10-22 18:54 . 2007-07-30 18:19 30,072 --a------ c:\windows\system32\mucltui.dll.mui
2008-10-22 17:30 . 2008-10-22 17:30 <DIR> d-------- c:\program files\LightWork Design
2008-10-22 17:25 . 2008-10-22 17:27 <DIR> d-------- c:\program files\Common Files\FotoNation
2008-10-22 17:25 . 1998-07-07 17:10 534,528 --a------ c:\windows\system32\LTOCX10N.OCX
2008-10-22 17:20 . 2008-10-22 17:20 <DIR> d-------- c:\documents and settings\chris\WINDOWS
2008-10-22 17:18 . 2008-10-22 17:18 <DIR> d-------- c:\windows\Application Data
2008-10-22 17:18 . 2008-10-22 17:18 <DIR> d-------- c:\program files\ArcSoft
2008-10-22 17:17 . 1998-10-29 14:45 306,688 --a------ c:\windows\IsUninst.exe
2008-10-22 17:16 . 2008-10-27 11:21 <DIR> d-------- c:\program files\FinePixViewer
2008-10-22 17:14 . 2008-10-22 17:14 <DIR> d-------- c:\program files\REGSHAVE
2008-10-22 17:14 . 2001-11-24 17:11 81,924 --a------ c:\windows\system32\drivers\VC4CB104.SYS
2008-10-22 17:14 . 2001-11-25 02:11 81,924 --a------ c:\windows\system32\drivers\V4CB0115.SYS
2008-10-22 17:14 . 2001-11-25 02:11 81,924 --a------ c:\windows\system32\drivers\V4CB010B.SYS
2008-10-22 17:14 . 2001-11-21 21:09 81,796 --a------ c:\windows\system32\drivers\V4CB0109.SYS
2008-10-22 17:14 . 2002-02-04 22:33 69,632 --a------ c:\windows\system32\FREGSHEX.DLL
2008-10-22 17:14 . 2002-02-26 17:27 65,536 --a------ c:\windows\system32\FINFCHECK.dll
2008-10-22 17:14 . 2002-01-15 11:30 49,152 --a------ c:\windows\system32\FINSTALL.dll
2008-10-22 17:14 . 2002-02-12 16:00 45,056 --a------ c:\windows\system32\FCLKBTN.DLL
2008-10-22 17:12 . 2008-11-11 12:40 <DIR> d-------- c:\program files\QuickTime
2008-10-22 17:12 . 2008-11-11 12:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-10-22 17:10 . 2008-10-22 17:10 13,750 --a------ c:\windows\system32\wpa.bak
2008-10-22 16:46 . 2008-10-22 16:56 <DIR> d-------- c:\program files\Canon
2008-10-22 16:46 . 2008-10-22 16:46 <DIR> d-------- c:\documents and settings\All Users\Application Data\ZoomBrowser
2008-10-22 16:44 . 2008-10-22 16:44 <DIR> d-------- c:\program files\Common Files\Canon
2008-10-22 16:40 . 2008-11-06 19:53 <DIR> d-------- c:\program files\TomTom HOME
2008-10-22 16:31 . 2008-10-22 16:31 <DIR> d-------- c:\program files\MSBuild
2008-10-22 16:31 . 2008-10-22 16:31 <DIR> d-------- c:\program files\Microsoft Works
2008-10-22 16:31 . 2006-10-26 18:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-10-22 16:26 . 2008-10-22 16:26 <DIR> d-------- c:\windows\SHELLNEW
2008-10-22 16:26 . 2008-10-27 11:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-22 16:25 . 2008-10-22 16:25 <DIR> dr-h----- C:\MSOCache
2008-10-22 16:07 . 2008-10-26 18:04 <DIR> d-------- c:\program files\Google
2008-10-22 15:57 . 2008-10-22 15:57 <DIR> d---s---- c:\documents and settings\chris\UserData
2008-10-22 15:09 . 2008-10-22 15:18 <DIR> d-------- c:\program files\Arcade Chess
2008-10-22 14:55 . 2008-10-22 14:55 <DIR> d-------- c:\program files\Mahjong Deluxe
2008-10-22 14:50 . 2008-10-30 20:08 <DIR> d-------- c:\documents and settings\All Users\Application Data\SiteAdvisor
2008-10-22 14:50 . 2006-03-03 10:07 143,360 --a------ c:\windows\system32\dunzip32.dll
2008-10-22 14:46 . 2008-10-30 20:13 <DIR> d-------- c:\documents and settings\All Users\Application Data\McAfee
2008-10-22 14:34 . 2008-10-22 14:34 <DIR> d-------- c:\documents and settings\All Users\Application Data\Yahoo! Companion
2008-10-22 14:33 . 2008-11-01 19:49 <DIR> d-------- c:\documents and settings\chris\Application Data\Motive
2008-10-22 14:32 . 2008-11-02 19:12 <DIR> d-------- c:\program files\Common Files\Motive
2008-10-22 14:32 . 2008-10-22 14:33 <DIR> d-------- c:\program files\BT Broadband Desktop Help
2008-10-22 14:32 . 2008-10-22 14:43 <DIR> d-------- c:\documents and settings\All Users\Application Data\Motive
2008-10-22 14:32 . 2002-01-05 06:37 344,064 --a------ c:\windows\system32\msvcr70.dll
2008-10-22 14:32 . 2002-01-05 05:18 84,992 --a------ c:\windows\system32\ATL70.DLL
2008-10-22 14:32 . 2001-10-11 10:26 65,536 --a------ c:\windows\system32\YCRWin32.dll
2008-10-22 14:31 . 2008-10-22 14:34 <DIR> d-------- c:\program files\Yahoo!
2008-10-22 14:31 . 2008-10-22 14:33 <DIR> d-------- c:\program files\BTHomeHub
2008-10-22 14:10 . 2008-10-22 14:10 5,208 --a------ c:\windows\system32\pid.PNF
2008-10-22 14:08 . 2001-08-17 13:59 3,072 --a------ c:\windows\system32\drivers\audstub.sys
2008-10-22 14:07 . 2008-04-14 00:10 57,600 --a------ c:\windows\system32\drivers\redbook.sys
2008-10-22 14:07 . 2008-04-14 05:41 21,504 --a------ c:\windows\system32\hidserv.dll
2008-10-22 14:06 . 2008-04-14 04:42 74,240 --a------ c:\windows\system32\usbui.dll
2008-10-22 14:06 . 2008-04-14 04:42 74,240 --a--c--- c:\windows\system32\dllcache\usbui.dll
2008-10-22 14:05 . 2008-04-14 00:06 14,208 --a------ c:\windows\system32\drivers\battc.sys
2008-10-22 14:05 . 2008-04-14 00:06 13,952 --a------ c:\windows\system32\drivers\CmBatt.sys
2008-10-22 14:05 . 2008-04-14 00:06 10,240 --a------ c:\windows\system32\drivers\compbatt.sys
2008-10-22 14:04 . 2008-11-06 14:54 <DIR> dr------- c:\documents and settings\All Users\Documents
2008-10-22 14:03 . 2008-10-22 14:32 <DIR> d--h----- c:\documents and settings\Default User
2008-10-22 14:03 . 2008-10-22 13:18 <DIR> d-------- c:\documents and settings\All Users
2008-10-22 14:03 . 2008-10-22 13:23 <DIR> d-------- C:\Documents and Settings
2008-10-22 14:03 . 2008-10-30 21:00 1,214,323 --a------ c:\windows\setupapi.log.0.old
2008-10-22 14:02 . 2008-10-22 13:21 261 --a------ c:\windows\system32\$winnt$.inf
2008-10-22 14:00 . 2008-11-20 13:19 <DIR> d-------- c:\program files\lg_fwupdate
2008-10-22 14:00 . 1998-06-23 23:00 115,016 --a------ c:\windows\system32\MSINET.OCX
2008-10-22 14:00 . 1998-07-21 23:00 102,912 --a------ c:\windows\system32\Vb6stkit.dll
2008-10-22 14:00 . 1998-07-21 23:00 102,160 --a------ c:\windows\system32\VB6KO.DLL
2008-10-22 14:00 . 2001-08-29 20:00 59,904 --a------ c:\windows\system32\wbemdisp.tlb
2008-10-22 14:00 . 2006-02-17 13:19 16,384 --a------ c:\windows\system32\lgfwunis.exe
2008-10-22 14:00 . 2008-11-20 13:19 265 --a------ c:\windows\lgfwup.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-07 19:56 --------- d--h--w c:\program files\InstallShield Installation Information
2008-11-06 14:52 --------- d-----w c:\program files\Common Files\Adobe
2008-10-23 13:11 --------- d-----w c:\documents and settings\chris\Application Data\Ahead
2008-10-22 17:18 4,608 ----a-w c:\windows\system32\w95inf32.dll
2008-10-22 17:18 2,272 ----a-w c:\windows\system32\w95inf16.dll
2008-10-22 17:12 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-22 14:36 --------- d-----w c:\program files\Atheros
2008-10-22 13:58 --------- d-----w c:\program files\CyberLink
2008-10-22 13:55 --------- d-----w c:\program files\Common Files\Ahead
2008-10-22 13:54 --------- d-----w c:\program files\Common Files\LightScribe
2008-10-22 13:54 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead
2008-10-22 13:52 --------- d-----w c:\program files\Nero
2008-10-22 13:52 --------- d-----w c:\documents and settings\All Users\Application Data\Nero
2008-10-22 13:47 --------- d-----w c:\documents and settings\All Users\Application Data\Atheros
2008-10-22 13:44 --------- d-----w c:\documents and settings\chris\Application Data\AdobeUM
2008-10-22 13:36 --------- d-----w c:\program files\CONEXANT
2008-10-22 13:35 --------- d-----w c:\program files\Genesys PC Camera Device
2008-10-22 13:33 --------- d-----w c:\program files\Synaptics
2008-10-22 13:33 --------- d-----w c:\documents and settings\chris\Application Data\InstallShield
2008-10-22 13:31 315,392 ----a-w c:\windows\HideWin.exe
2008-10-22 13:31 --------- d-----w c:\program files\Realtek
2008-10-22 13:27 --------- d-----w c:\program files\Intel
2008-10-22 13:19 --------- d-----w c:\program files\microsoft frontpage
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
.

((((((((((((((((((((((((((((( snapshot@2008-11-20_13.03.12.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-30 18:19:20 92,504 ----a-w c:\windows\LastGood\system32\cdm.dll
+ 2007-07-30 18:19:36 549,720 ----a-w c:\windows\LastGood\system32\wuapi.dll
+ 2007-07-30 18:19:16 53,080 ----a-w c:\windows\LastGood\system32\wuauclt.exe
+ 2007-07-30 18:19:42 1,712,984 ----a-w c:\windows\LastGood\system32\wuaueng.dll
+ 2007-07-30 18:19:32 325,976 ----a-w c:\windows\LastGood\system32\wucltui.dll
+ 2007-07-30 18:18:40 33,624 ----a-w c:\windows\LastGood\system32\wups.dll
+ 2007-07-30 18:19:12 43,352 ----a-w c:\windows\LastGood\system32\wups2.dll
+ 2007-07-30 18:19:28 203,096 ----a-w c:\windows\LastGood\system32\wuweb.dll
- 2007-07-30 18:19:20 92,504 -c--a-w c:\windows\system32\dllcache\cdm.dll
+ 2008-10-16 14:09:44 92,696 -c--a-w c:\windows\system32\dllcache\cdm.dll
- 2007-07-30 18:19:36 549,720 -c--a-w c:\windows\system32\dllcache\wuapi.dll
+ 2008-10-16 14:12:20 561,688 -c--a-w c:\windows\system32\dllcache\wuapi.dll
- 2007-07-30 18:19:16 53,080 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
+ 2008-10-16 14:09:44 51,224 -c--a-w c:\windows\system32\dllcache\wuauclt.exe
- 2007-07-30 18:19:42 1,712,984 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
+ 2008-10-16 14:13:40 1,809,944 -c--a-w c:\windows\system32\dllcache\wuaueng.dll
- 2007-07-30 18:19:32 325,976 -c--a-w c:\windows\system32\dllcache\wucltui.dll
+ 2008-10-16 14:12:22 323,608 -c--a-w c:\windows\system32\dllcache\wucltui.dll
- 2007-07-30 18:19:28 203,096 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 14:13:40 202,776 -c--a-w c:\windows\system32\dllcache\wuweb.dll
+ 2008-10-16 14:08:58 34,328 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups.dll\7.2.6001.788\wups.dll
+ 2008-10-16 14:09:44 43,544 ----a-w c:\windows\system32\SoftwareDistribution\Setup\ServiceStartup\wups2.dll\7.2.6001.788\wups2.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LightScribe Control Panel"="c:\program files\Common Files\LightScribe\LightScribeControlPanel.exe" [2007-12-05 2295072]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"TomTomHOME.exe"="c:\program files\TomTom HOME 2\HOMERunner.exe" [2008-09-26 206184]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-10-24 8495104]
"AzMixerSel"="c:\program files\Realtek\Audio\InstallShield\AzMixerSel.exe" [2006-07-18 53248]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2007-05-25 864256]
"GenePccMon.exe"="c:\program files\Genesys PC Camera Device\GenePccMon.exe" [2007-02-14 36864]
"ACU"="c:\program files\Atheros\ACU.exe" [2007-05-03 376921]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
"SecurDisc"="c:\program files\Nero\Nero 7\InCD\NBHGui.exe" [2007-11-26 1629480]
"InCD"="c:\program files\Nero\Nero 7\InCD\InCD.exe" [2007-11-26 1057064]
"NBKeyScan"="c:\program files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe" [2007-09-17 1377576]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2007-03-14 71216]
"LanguageShortcut"="c:\program files\CyberLink\PowerDVD\Language\Language.exe" [2007-01-08 52256]
"LGODDFU"="c:\program files\lg_fwupdate\fwupdate.exe" [2007-02-26 249856]
"btbb_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe" [2008-09-11 1517056]
"btbb_wcm_McciTrayApp"="c:\program files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe" [2008-08-28 1516032]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"REGSHAVE"="c:\program files\REGSHAVE\REGSHAVE.EXE" [2002-02-04 53248]
"AdobeCS4ServiceManager"="c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" [2008-08-14 611712]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-09-06 413696]
"AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-04-25 201992]
"nwiz"="nwiz.exe" [2007-10-24 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 3:44:06 AM 29696]
Exif Launcher.lnk - c:\program files\FinePixViewer\QuickDCF.exe [1/9/2002 2:53:14 AM 200704]
WinZip Quick Pick.lnk - c:\program files\WinZip\WZQKPICK.EXE [9/10/2008 12:00:00 PM 525664]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Microsoft Office Groove Audit Service"=3 (0x3)
"McciCMService"=2 (0x2)
"gusvc"=3 (0x3)
"ERSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\mmc.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Common Files\\Adobe\\CS4ServiceManager\\CS4ServiceManager.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"5353:TCP"= 5353:TCP:Adobe CSI CS4

R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [1/29/2008 6:29:38 PM 32784]
R2 adfs;adfs;c:\windows\system32\drivers\adfs.sys [8/14/2008 7:57:42 AM 74720]
R3 DCamUSBGene;GenesysLogic USB2.0 PC Camera;c:\windows\system32\DRIVERS\usbgene.sys [10/22/2008 1:35:28 PM 131584]
R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\DRIVERS\klfltdev.sys [3/13/2008 7:02:46 PM 26640]
R3 MRESP50;MRESP50 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MRESP50.SYS [10/22/2008 2:32:48 PM 18304]
R3 RTSTOR;USB Mass Stroage Device;c:\windows\system32\drivers\RTSTOR.SYS [10/22/2008 1:34:38 PM 41728]
R3 WSIMD;wsimd Service;c:\windows\system32\DRIVERS\wsimd.sys [10/22/2008 1:47:59 PM 57024]
S3 MREMP50;MREMP50 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MREMP50.SYS [10/22/2008 2:32:48 PM 19712]
S3 MREMP50a64;MREMP50a64 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MREMP50a64.SYS []
S3 MRESP50a64;MRESP50a64 NDIS Protocol Driver;\??\c:\progra~1\COMMON~1\Motive\MRESP50a64.SYS []
S4 McciCMService;McciCMService;"c:\program files\Common Files\Motive\McciCMService.exe" [10/22/2008 2:32:44 PM 303104]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f8476189-ab32-11dd-b811-00224318d289}]
\Shell\AutoRun\command - F:\InstallTomTomHOME.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"c:\program files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder

2008-11-19 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-20 15:38:19
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-11-20 15:39:03
ComboFix-quarantined-files.txt 2008-11-20 15:38:56
ComboFix2.txt 2008-11-20 13:04:01

Pre-Run: 301,406,302,208 bytes free
Post-Run: 301,387,034,624 bytes free

303 --- E O F --- 2008-10-30 22:23:39


Malwarebytes' Anti-Malware 1.30
Database version: 1414
Windows 5.1.2600 Service Pack 3

20/11/2008 18:21:31
mbam-log-2008-11-20 (18-21-31).txt

Scan type: Full Scan (C:\|)
Objects scanned: 135695
Time elapsed: 35 minute(s), 44 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 38

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\byXPIaYS.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cbXNFuTj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cbXOIxwu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\idxlty.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\jrkpjopr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ljJYQICu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\pmnmLdAr.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqNHBTk.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\wvUmljgD.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\XXXljJYQICu.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP25\A0003950.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP24\A0003761.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP24\A0003817.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP27\A0004121.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP27\A0004131.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP27\A0004132.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP27\A0004164.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP27\A0004165.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP30\A0004474.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP30\A0004500.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP30\A0004502.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP30\A0008606.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP32\A0012714.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP32\A0012715.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP32\A0012718.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP46\A0013134.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP46\A0013135.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP46\A0013136.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP49\A0013592.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP49\A0013588.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP49\A0013589.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP49\A0013590.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP49\A0013591.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP49\A0013593.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP49\A0013594.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP49\A0013595.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP49\A0013596.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP49\A0013598.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:06:48, on 20/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Genesys PC Camera Device\GenePccMon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Atheros\ACU.exe
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\lg_fwupdate\fwupdate.exe
C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe
C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://bridgendravens.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://hebnetfinder.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\4.1.509.5470\swg.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [AzMixerSel] C:\Program Files\Realtek\Audio\InstallShield\AzMixerSel.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [GenePccMon.exe] C:\Program Files\Genesys PC Camera Device\GenePccMon.exe
O4 - HKLM\..\Run: [ACU] "C:\Program Files\Atheros\ACU.exe" -nogui
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [LGODDFU] "C:\Program Files\lg_fwupdate\fwupdate.exe" blrun
O4 - HKLM\..\Run: [btbb_McciTrayApp] "C:\Program Files\BT Broadband Desktop Help\btbb\BTHelpNotifier.exe"
O4 - HKLM\..\Run: [btbb_wcm_McciTrayApp] C:\Program Files\BT Broadband Desktop Help\btbb_wcm\McciTrayApp.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AdobeCS4ServiceManager] "C:\Program Files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [LightScribe Control Panel] C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O23 - Service: Atheros Configuration Service (ACS) - Atheros - C:\WINDOWS\system32\acs.exe
O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe

--
End of file - 9807 bytes


The computer seems to be running much faster both when booting up and accessing the internet, although I have tried to minimise my on-line work while these routines were being run. It looks as if we are definitely moving in the right direction. The original three trojan files that were causing the problem no longer appear on a scan and the other scans managed to find a few more. HOPEFULLY we should be almost clear. Is there any more I should do?

with thanks Chris9494

pskelley
2008-11-20, 23:01
Thanks for returning your information and the feedback. Good job with those instructions. The HijackThis log looks good; look down it for me and make sure you recognize every entry. Most of what MBAM found is in the combofix quarantine and infected System Restore files; we will remove that soon.
I would like to scan with the resident antivirus program, but first, please see if you can post the uninstall list for me now that much malware has been removed.

Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
Image: http://img.bleepingcomputer.com/tutorials/hijackthis/uninstall-man.jpg

I am also wondering why you are still running Internet Explorer 6 when IE7 is much more secure and IE8 is already out in beta?

Thanks
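pskelley's triage point above (most of the MBAM hits sit in the ComboFix quarantine or in System Restore points, so they are not live infections) can be checked mechanically. The script below is an added example, not part of this thread or of Malwarebytes: it parses MBAM "Files Infected" lines in the format shown in the log above and sorts each hit by location. The quarantine root C:\Qoobox\Quarantine and the _restore{...}\RPnn layout are taken from the log; the EXAMPLE-live-hit.dll line is a constructed placeholder.

```python
"""Triage an MBAM 'Files Infected' list by where each detection lives.

Added example for this thread, not Malwarebytes' own code. Each hit is put in
one of three buckets:
  quarantine    - under ComboFix's C:\Qoobox\Quarantine (already neutralised)
  restore_point - inside a System Restore point (only a risk if restored)
  live          - anywhere else (needs attention)
"""
import re
from collections import Counter

# One MBAM result line: <path> (<detection name>) -> <action>
# The path group is greedy so a path containing "(x86)" still parses.
MBAM_LINE = re.compile(r"^(?P<path>.+) \((?P<name>[^()]+)\) -> (?P<action>.+)$")

# ComboFix quarantine root as it appears in the log (compared lower-cased).
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"

# System Restore point layout: <drive>:\System Volume Information\_restore{GUID}\RP<n>\
RESTORE_RE = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\", re.I
)


def classify(path):
    """Return 'quarantine', 'restore_point' or 'live' for a detected file path."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIX):
        return "quarantine"
    if RESTORE_RE.match(p):
        return "restore_point"
    return "live"


def parse_mbam_files(lines):
    """Parse MBAM result lines; headers and '(No malicious items detected)' are skipped."""
    rows = []
    for line in lines:
        m = MBAM_LINE.match(line.strip())
        if not m:
            continue
        row = m.groupdict()
        row["category"] = classify(row["path"])
        rows.append(row)
    return rows


def triage(lines):
    """Return (counts per category, list of live paths that still need attention)."""
    rows = parse_mbam_files(lines)
    counts = Counter(r["category"] for r in rows)
    live = [r["path"] for r in rows if r["category"] == "live"]
    return dict(counts), live


# Sample input: header lines and the first four result lines are copied from the
# MBAM log in this thread; the last result line is CONSTRUCTED (placeholder name)
# to show a hit outside quarantine and restore points.
SAMPLE_LOG = r"""Memory Processes Infected:
(No malicious items detected)

Files Infected:
C:\Qoobox\Quarantine\C\WINDOWS\system32\byXPIaYS.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Qoobox\Quarantine\C\WINDOWS\system32\cbXNFuTj.dll.vir (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP25\A0003950.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{66D8275F-BD0C-42B4-9453-8E192FD65E18}\RP24\A0003761.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\EXAMPLE-live-hit.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
""".splitlines()


if __name__ == "__main__":
    counts, live = triage(SAMPLE_LOG)
    for category, n in sorted(counts.items()):
        print(f"{category:14s} {n}")
    for path in live:
        print("LIVE HIT:", path)
```

Run over the full log in this thread it reports 10 quarantine and 28 restore_point hits and no live ones, which is exactly the situation pskelley describes.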

Chris9494
2008-11-21, 17:05
Yes the Hijackthis routine now works. Saved list is:
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
2007 Microsoft Office Suite Service Pack 1 (SP1)
Adobe Acrobat 4.0
Adobe ActiveShare 1.3.1
Adobe AIR
Adobe AIR
Adobe Anchor Service CS3
Adobe Anchor Service CS4
Adobe Asset Services CS3
Adobe Bridge CS3
Adobe Bridge CS4
Adobe Bridge Start Meeting
Adobe Camera Raw 4.0
Adobe CMaps CS4
Adobe Color - Photoshop Specific CS4
Adobe Color EU Extra Settings
Adobe Color EU Recommended Settings CS4
Adobe Color JA Extra Settings CS4
Adobe Color NA Extra Settings CS4
Adobe Color NA Recommended Settings
Adobe Color Video Profiles CS CS4
Adobe CSI CS4
Adobe Default Language CS4
Adobe Device Central CS3
Adobe Device Central CS4
Adobe Drive CS4
Adobe ExtendScript Toolkit 2
Adobe ExtendScript Toolkit CS4
Adobe Extension Manager CS4
Adobe Flash Player 10 ActiveX
Adobe Fonts All
Adobe Help Viewer CS3
Adobe Illustrator CS3
Adobe Illustrator CS3
Adobe Linguistics CS3
Adobe Linguistics CS4
Adobe Media Player
Adobe Media Player
Adobe Output Module
Adobe PDF Library Files CS4
Adobe PhotoDeluxe Home Edition 4.0
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Photoshop CS3
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4
Adobe Photoshop CS4 Support
Adobe Reader 7.0
Adobe Search for Help
Adobe Service Manager Extension
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Setup
Adobe Stock Photos CS3
Adobe Type Support CS4
Adobe Update Manager CS3
Adobe Update Manager CS4
Adobe Version Cue CS3 Client
Adobe WinSoft Linguistics Plugin
Adobe WinSoft Linguistics Plugin
Adobe XMP Panels CS3
Adobe XMP Panels CS4
AdobeColorCommonSetCMYK
AdobeColorCommonSetRGB
Apple Software Update
Arcade Chess
ArcSoft VideoImpression 1.6FP
Atheros Client Installation Program
BT Broadband Desktop Help
BT Wireless Connection Manager
BT Yahoo! Applications
BTHomeHub
Canon Camera Access Library
Canon Camera Support Core Library
Canon G.726 WMP-Decoder
Canon MovieEdit Task for ZoomBrowser EX
Canon RAW Image Task for ZoomBrowser EX
Canon Utilities CameraWindow
Canon Utilities CameraWindow DC
Canon Utilities CameraWindow DC_DV 5 for ZoomBrowser EX
Canon Utilities CameraWindow DC_DV 6 for ZoomBrowser EX
Canon Utilities EOS Utility
Canon Utilities MyCamera
Canon Utilities MyCamera DC
Canon Utilities PhotoStitch
Canon Utilities RemoteCapture DC
Canon Utilities RemoteCapture Task for ZoomBrowser EX
Canon Utilities ZoomBrowser EX
Canon ZoomBrowser EX Memory Card Utility
Connect
Dream Aquarium
DVD Suite
FinePixViewer Ver.3.0
FUJIFILM USB Driver
Genesys PC Camera Device
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Kaspersky Internet Security 2009
Kaspersky Internet Security 2009
Kazoo Player
kuler
LG ODD Auto Firmware Update
LightScribe System Software 1.10.27.1
Mahjong Deluxe
Malwarebytes' Anti-Malware
Microsoft .NET Framework 2.0
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Enterprise 2007
Microsoft Office Enterprise 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Nero 7 Essentials
neroxml
NVIDIA Drivers
PDF Settings CS4
Photoshop Camera Raw
PowerDVD
PowerProducer
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Realtek USB 2.0 Card Reader
SecurDisc Viewer
Security Update for 2007 Microsoft Office System (KB951944)
Security Update for 2007 Microsoft Office System (KB955936)
Security Update for Microsoft Office Excel 2007 (KB955470)
Security Update for Microsoft Office OneNote 2007 (KB950130)
Security Update for Microsoft Office PowerPoint 2007 (KB951338)
Security Update for Microsoft Office Publisher 2007 (KB950114)
Security Update for Microsoft Office system 2007 (KB951808)
Security Update for Microsoft Office system 2007 (KB954326)
Security Update for Microsoft Office Word 2007 (KB950113)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB958644)
Soft Modem with SmartCP
Spybot - Search & Destroy
Suite Shared Configuration CS4
Synaptics Pointing Device Driver
TomTom HOME
Update for Microsoft Office Outlook 2007 (KB952142)
Update for Office 2007 (KB946691)
Update for Windows XP (KB898461)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
VC_MergeModuleToMSI
Windows Internet Explorer 7
Windows Media Format Runtime
WinZip 12.0

I have now upgraded to Internet Explorer 7

Chris9494

pskelley
2008-11-21, 17:50
OK, thanks for returning that information. Uninstall list: I look for malware and security issues and will not know all of your programs, but you should.

Hackers are using out of date programs to infect folks more and more.
Here is a small free tool that lets you know when something needs an update, if you are interested: https://psi.secunia.com/ While PSI runs in the System Tray for realtime notifications, I personally prefer to turn it off in MSConfig and run it from All Programs when I want to do a check.

Adobe Reader 7.0 <<< this is the only out of date item I see:
http://news.cnet.com/8301-1009_3-10081618-83.html?tag=nl.e433
http://www.filehippo.com/download_adobe_reader/
(if you want a smaller program, have a look at this one)
Foxit Reader 2.3 for Windows
http://www.foxitsoftware.com/pdf/rd_intro.php

All I can say is that I personally was surprised when I ran PSI at how many programs I had running that were out of date, end of life and exploitable. I will have to let you deal with that.

Remove combofix from the computer like this:

Click START then RUN
Now type or copy Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.

http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png

Clean the System Restore files like this:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Update MBAM and scan to be sure we missed none of the junk; there is no need to post a clean scan result.

Update Kaspersky Internet Security and scan the system, to be sure it is running right and scanning clean. If you have problems with the program, contact tech support for instructions.
If all is well at this point, let me know and I will close the topic.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

http://users.telenet.be/bluepatchy/miekiemoes/Links.html

Chris9494
2008-11-24, 17:07
I have deinstalled Combofix successfully and run full system scans with MBAM and Kaspersky Internet Security 2009.

MBAM reported no infected files.

Kaspersky reported 13 "vulnerabilities" which I assume are not too important. Please let me know if I need to take any further action over these.

It looks as if I may be clear of these viruses at last. Thanks very much for all your help - it's very much appreciated.

Chris9494

pskelley
2008-11-24, 17:19
I cannot comment on what Kaspersky found unless you show the information to me. Otherwise I would say you are good to go :santa:

Chris9494
2008-11-26, 16:22
Hello again

It is a fair comment, but Kaspersky would not permit a copy and paste routine from the report file - hence the reason why I didn't include the details in my last reply.
I have now done a few hours on the internet without any problems and I'm happy to leave things at this point.

Thanks again for all your help.

Chris9494

pskelley
2008-11-26, 16:47
http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif


Thanks:santa: