Virtumonde.dll
girlie100
2010-02-15, 18:39
Please help,
I am trying to remove Virtumonde from a laptop running XP. At first I had no function from Internet Explorer; it just kept trying to reload the page. I uninstalled Internet Explorer 8 and reinstalled it, and it's now working. I ran Spybot S&D and noticed that it scans virtumonde.dll, among others; I tried to remove the malware findings at the end of the scan, restarted, scanned again, and they are still there.
I then ran a scan through Malwarebytes Anti-Malware (free download version) and fixed the problems it found, but I still think it's on here. I have disabled TeaTimer and done a registry backup. This is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 16:31:29, on 15/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Trigold\Update\TRUService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HiJackThis\TrendMicro\HiJackThis\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.intrinsicfs.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.bbc.co.uk/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.127.220 intsecure.microsoft.com
O1 - Hosts: 91.212.127.220 intsecure-2009.com
O1 - Hosts: 91.212.127.220 www.intsecure-2009.com
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton 360\Engine\3.8.0.41\IPSBHO.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [StartSQLManager] C:\Program Files\Microsoft SQL Server\90\Tools\Binn\sqlmangr.exe /n
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - S-1-5-18 Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'SYSTEM')
O4 - .DEFAULT Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: EPSON Status Monitor 3 Environment Check(2).lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0089F6EE-ED54-11D5-B0E7-00508B014C1D} (ExWebClientUtils Class) - https://exweb.exchange.uk.com/clientbinaries/texInfo.CAB
O16 - DPF: {034DA761-EDB7-11D7-A20A-000802318089} (EWGPHI.desInput) - https://exweb.exchange.uk.com/clientbinaries/EWGPHI.CAB
O16 - DPF: {090EC279-1378-44B7-B521-888980212E7E} (Complist3 Class) - https://exweb.exchange.uk.com/clientbinaries/eXwebCListCtl3.CAB
O16 - DPF: {2F6A847E-2EC2-11D3-AE1B-00508B014C1D} (Parser Class) - https://exweb.exchange.uk.com/clientbinaries/XMLParser.CAB
O16 - DPF: {397F65A6-FD3C-438B-A7EB-3D2C0655189C} (EWGPensions.desInput) - https://exweb.exchange.uk.com/clientbinaries/EWGPensions.CAB
O16 - DPF: {511835FF-EDC9-11D7-A20A-000802318089} (EWGWholeLife.desInput) - https://exweb.exchange.uk.com/clientbinaries/EWGWholeLife.CAB
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase6087.cab
O16 - DPF: {61DA056C-EDE7-11D7-A20A-000802318089} (EWGBonds.desInput) - https://exweb.exchange.uk.com/clientbinaries/EWGBonds.CAB
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1264868158828
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - https://exweb.exchange.uk.com/clientbinaries/msxml4.CAB
O16 - DPF: {8E95B0CA-EB6F-11D3-979B-00508B64538B} (VersionInfo.clsVersionInfo) - https://exweb.exchange.uk.com/clientbinaries/VersionInfo.CAB
O16 - DPF: {A74D724A-AB17-11D2-A96A-006097E20477} (eXwebUtils.HTMLUtils) - https://exweb.exchange.uk.com/clientbinaries/eXwebUtils.CAB
O16 - DPF: {DDECE2F5-AF1F-44E7-B37F-96B6630F5C60} (PrintComponent.clsVersionInfo) - https://exweb.exchange.uk.com/clientbinaries/printdll.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://inertia.webex.com/client/T27L/support/ieatgpc.cab
O16 - DPF: {E7FF5332-854E-11D2-A952-006097E20477} (eXwebOccList.clsOccRes) - https://exweb.exchange.uk.com/clientbinaries/eXwebOcc.CAB
O16 - DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} (ProtoView DataTable Control 7.0 (OLEDB)) - https://exweb.exchange.uk.com/clientbinaries/pvdt70.CAB
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton 360\Engine\3.8.0.41\coIEPlg.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EpsonBidirectionalService - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Norton 360 (N360) - Symantec Corporation - C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
O23 - Service: Trigold Update Service (TRUService) - Trigold - C:\Program Files\Trigold\Update\TRUService.exe
--
End of file - 10307 bytes
Thank you for any help.
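The O1 lines in the HijackThis log above show three hosts-file entries that send intsecure.microsoft.com, intsecure-2009.com and www.intsecure-2009.com to the same address, 91.212.127.220, alongside the stock "::1 localhost" line. A quick way to triage that kind of log is to parse the O1 entries, discard the loopback/unspecified ones that every Windows install carries, and group the rest by destination IP so that unrelated names converging on one address stand out. The Python below is an added example written for this page, not code from the thread or from HijackThis; the log text is a constructed sample in the shape of the posted entries, and the list of "high-value" domain suffixes is an illustrative assumption.

```python
import ipaddress
import re

# Constructed sample: a few O1 (hosts-file) lines in HijackThis format,
# shaped like the entries posted in the thread above, plus one O2 line
# to show that non-O1 lines are ignored.
SAMPLE_HJT_LOG = """\
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 91.212.127.220 intsecure.microsoft.com
O1 - Hosts: 91.212.127.220 intsecure-2009.com
O1 - Hosts: 91.212.127.220 www.intsecure-2009.com
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\\PROGRA~1\\SPYBOT~1\\SDHelper.dll
"""

# HJT prints hosts entries as "O1 - Hosts: <address> <hostname>".
O1_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")

# Illustrative assumption for this example: names under these suffixes have
# no business being overridden in the hosts file of an ordinary workstation.
HIGH_VALUE_SUFFIXES = ("microsoft.com", "windowsupdate.com")


def parse_o1_entries(log_text):
    """Return (address, hostname) tuples for every O1 line in an HJT log."""
    entries = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def is_benign_hosts_entry(address, hostname):
    """Only loopback/unspecified targets (the stock localhost lines, or the
    0.0.0.0 style used by ad-blocking hosts files) are treated as benign.
    Anything that points a name at a routable address is a redirect."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False  # not even a valid address: worth a look
    return addr.is_loopback or addr.is_unspecified


def triage_hosts_entries(log_text):
    """Group non-benign O1 entries by destination address, so that several
    unrelated names converging on one IP are reported as one cluster."""
    by_ip = {}
    for address, hostname in parse_o1_entries(log_text):
        if is_benign_hosts_entry(address, hostname):
            continue
        by_ip.setdefault(address, []).append(hostname)
    return by_ip


def severity(hostnames):
    """'high' if any overridden name sits under a high-value suffix."""
    for h in hostnames:
        for suffix in HIGH_VALUE_SUFFIXES:
            if h == suffix or h.endswith("." + suffix):
                return "high"
    return "medium"


def report(log_text):
    """One line per cluster: '<severity>: <ip> <- name1, name2, ...'."""
    lines = []
    for address, hostnames in sorted(triage_hosts_entries(log_text).items()):
        lines.append(f"{severity(hostnames)}: {address} <- {', '.join(hostnames)}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_HJT_LOG):
        print("suspicious hosts redirect ->", line)
```

Run against the sample it reports one cluster, rated high because a microsoft.com subdomain is among the overridden names. The grouping matters more than the individual lines: one entry pointing a look-alike domain somewhere could be anything, but a vendor subdomain and a look-alike "security" domain sharing a destination is the pattern to put at the top of the cleanup list, and the hosts file itself (%SystemRoot%\system32\drivers\etc\hosts) is where to confirm it.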
girlie100
2010-02-16, 12:09
Please help. Malwarebytes said it's clean, but it's not, as Spybot scans virtumonde.dll, virtumonde.sdc among many others! I think it's deep in the registry. Please help.
Hi,
Download DDS and save it to your desktop from here (http://www.techsupportforum.com/sectools/sUBs/dds) or here (http://download.bleepingcomputer.com/sUBs/dds.scr) or here (http://www.forospyware.com/sUBs/dds).
Disable any script blocker, and then double click dds.scr to run the tool.
When done, DDS will open two (2) logs:
DDS.txt
Attach.txt
Save both reports to your desktop. Post them back to your topic.
girlie100
2010-02-20, 12:58
DDS (Ver_09-12-01.01) - NTFSx86
Run by Any Authorised User at 10:53:56.21 on 20/02/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.99 [GMT 0:00]
AV: Norton 360 *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *enabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\Program Files\Ahead\InCD\InCDsrv.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\EPSON\eEBAPI\eEBSVC.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Trigold\Update\TRUService.exe
C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Any Authorised User\Desktop\dds.scr
============== Pseudo HJT Report ===============
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.intrinsicfs.com/
uInternet Connection Wizard,ShellNext = hxxp://www.bbc.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Symantec NCO BHO: {602adb0e-4aff-4217-8aa1-95dac4dfa408} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton 360\engine\3.8.0.41\IPSBHO.DLL
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Norton Toolbar: {7febefe3-6b19-4349-98d2-ffb09d4b49ca} - c:\program files\norton 360\engine\3.8.0.41\coIEPlg.dll
TB: {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
mRun: [IgfxTray] c:\windows\system32\igfxtray.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SMSERIAL] sm56hlpr.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [InCD] c:\program files\ahead\incd\InCD.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [SunJavaUpdateSched] "c:\program files\common files\java\java update\jusched.exe"
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\anyaut~1\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\epsons~1.lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office11\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
============= SERVICES / DRIVERS ===============
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\n360\0308000.029\SymEFA.sys [2010-2-5 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\n360\0308000.029\BHDrvx86.sys [2010-2-5 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\n360\0308000.029\cchpx86.sys [2010-2-5 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20100218.001\IDSXpx86.sys [2010-2-20 329592]
R2 MSSQL$INERTIA3_SQL2005;SQL Server (INERTIA3_SQL2005);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
R2 N360;Norton 360;c:\program files\norton 360\engine\3.8.0.41\ccSvcHst.exe [2010-2-5 117640]
R2 TRUService;Trigold Update Service;c:\program files\trigold\update\TRUService.exe [2008-7-14 135816]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2010-2-10 102448]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100217.069\NAVENG.SYS [2010-2-18 84912]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20100217.069\NAVEX15.SYS [2010-2-18 1324720]
=============== Created Last 30 ================
2010-02-18 16:10:44 0 d-sha-r- C:\cmdcons
2010-02-18 16:07:19 98816 ----a-w- c:\windows\sed.exe
2010-02-18 16:07:19 77312 ----a-w- c:\windows\MBR.exe
2010-02-18 16:07:19 261632 ----a-w- c:\windows\PEV.exe
2010-02-18 16:07:19 161792 ----a-w- c:\windows\SWREG.exe
2010-02-15 14:01:49 0 d-----w- c:\docume~1\anyaut~1\applic~1\Malwarebytes
2010-02-15 14:01:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-15 14:01:36 0 d-----w- c:\docume~1\alluse~1\applic~1\Malwarebytes
2010-02-15 14:01:33 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-15 14:01:33 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-14 21:20:06 0 dc-h--w- c:\windows\ie8
2010-02-14 19:42:08 0 d-----w- c:\program files\Spybot - Search & Destroy
2010-02-14 19:42:08 0 d-----w- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2010-02-14 19:24:45 48544 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-05 21:35:53 0 d-----w- c:\documents and settings\any authorised user\C
2010-02-05 19:07:24 0 d-----w- c:\program files\iTunes
2010-02-05 19:07:24 0 d-----w- c:\docume~1\alluse~1\applic~1\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-05 19:06:10 0 d-----w- c:\program files\Bonjour
2010-02-05 19:03:41 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-02-05 19:03:41 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-01-31 16:45:02 0 d-----w- c:\windows\SQLTools9_KB970892_ENU
2010-01-31 14:19:55 0 d-----w- c:\windows\system32\Registry Patrol
2010-01-31 14:18:56 0 d-----w- c:\program files\Registry Patrol
2010-01-31 13:45:51 0 d-----r- c:\program files\Norton Support
2010-01-30 17:39:15 0 d-----w- C:\f71b5c25fa32883ca5706365d257924a
2010-01-30 17:23:14 0 d-----w- C:\b3c4cb4810021e8ab02912d6
2010-01-30 16:38:56 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-30 16:38:56 16736 ----a-w- c:\windows\system32\mucltui.dll.mui
2010-01-30 15:36:55 0 d-----w- C:\spoolerlogs
2010-01-30 14:38:00 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-01-30 14:37:50 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-30 14:37:50 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-01-30 14:37:49 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-30 14:37:49 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-30 14:37:49 0 d-----w- c:\program files\Symantec
2010-01-30 14:37:10 0 d-----w- c:\windows\system32\drivers\N360
2010-01-30 14:37:07 0 d-----w- c:\program files\Norton 360
2010-01-30 14:37:06 0 d-----w- c:\docume~1\alluse~1\applic~1\Norton
2010-01-30 14:33:16 0 d-----w- c:\program files\NortonInstaller
2010-01-30 14:33:16 0 d-----w- c:\docume~1\alluse~1\applic~1\NortonInstaller
==================== Find3M ====================
2010-01-30 14:37:41 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-30 14:37:32 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-01-05 10:00:21 78336 ------w- c:\windows\system32\ieencode.dll
2010-01-05 10:00:21 78336 ------w- c:\windows\system32\dllcache\ieencode.dll
2010-01-05 10:00:21 133120 ----a-w- c:\windows\system32\dllcache\extmgr.dll
2009-12-31 16:50:03 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-31 16:50:03 353792 ------w- c:\windows\system32\dllcache\srv.sys
2009-12-31 15:33:06 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-12-21 13:19:18 173056 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-12-17 17:14:00 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43:27 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-16 18:43:27 343040 ------w- c:\windows\system32\dllcache\mspaint.exe
2009-12-14 07:08:23 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-14 07:08:23 33280 ------w- c:\windows\system32\dllcache\csrsrv.dll
2009-12-11 08:38:55 69120 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 19:27:51 2189184 ------w- c:\windows\system32\dllcache\ntoskrnl.exe
2009-12-08 19:26:15 2145280 ------w- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-12-08 18:43:51 2023936 ------w- c:\windows\system32\dllcache\ntkrpamp.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-08 18:43:50 2066048 ------w- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-12-04 18:22:22 455424 ------w- c:\windows\system32\dllcache\mrxsmb.sys
2009-11-27 17:11:44 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 17:11:44 17920 ------w- c:\windows\system32\dllcache\msyuv.dll
2009-11-27 17:11:44 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11:44 1291776 ------w- c:\windows\system32\dllcache\quartz.dll
2009-11-27 16:07:35 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07:35 8704 ------w- c:\windows\system32\dllcache\tsbyuv.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07:35 28672 ----a-w- c:\windows\system32\dllcache\msvidc32.dll
2009-11-27 16:07:34 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-27 16:07:34 84992 ------w- c:\windows\system32\dllcache\avifil32.dll
2009-11-27 16:07:34 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07:34 48128 ------w- c:\windows\system32\dllcache\iyuv_32.dll
2009-11-27 16:07:34 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07:34 11264 ------w- c:\windows\system32\dllcache\msrle32.dll
2008-09-18 11:33:34 32768 --sha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008091820080919\index.dat
============= FINISH: 10:56:06.64 ===============
girlie100
2010-02-20, 12:59
UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT
DDS (Ver_09-12-01.01)
Microsoft Windows XP Professional
Boot Device: \Device\HarddiskVolume1
Install Date: 10/05/2006 18:50:12
System Uptime: 20/02/2010 08:48:54 (2 hours ago)
Motherboard: FUJITSU SIEMENS | | AMILO Pro V2060
Processor: Intel(R) Pentium(R) M processor 1.70GHz | U1 | 593/400mhz
==== Disk Partitions =========================
C: is FIXED (NTFS) - 56 GiB total, 27.405 GiB free.
D: is CDROM ()
==== Disabled Device Manager Items =============
==== System Restore Points ===================
RP185: 21/11/2009 14:12:40 - Norton 360 Registry Clean
RP186: 25/11/2009 10:04:52 - Software Distribution Service 3.0
RP187: 10/12/2009 10:08:14 - Software Distribution Service 3.0
RP188: 10/12/2009 10:26:27 - Software Distribution Service 3.0
RP189: 19/12/2009 13:09:29 - Norton 360 Registry Clean
RP190: 26/12/2009 09:13:02 - Norton 360 Registry Clean
RP191: 29/12/2009 12:21:01 - Norton 360 Registry Clean
RP192: 13/01/2010 09:54:08 - Software Distribution Service 3.0
RP193: 22/01/2010 10:47:45 - Software Distribution Service 3.0
RP194: 22/01/2010 11:14:12 - Norton 360 Registry Clean
RP195: 23/01/2010 12:18:05 - Norton 360 Registry Clean
RP196: 27/01/2010 09:23:16 - Installed Java(TM) 6 Update 18
RP197: 30/01/2010 15:56:45 - Restore Operation
RP198: 30/01/2010 16:39:18 - Software Distribution Service 3.0
RP199: 30/01/2010 17:02:16 - Software Distribution Service 3.0
RP200: 30/01/2010 17:21:29 - Removed Abbey Introducer Offline
RP201: 30/01/2010 17:22:59 - Software Distribution Service 3.0
RP202: 30/01/2010 17:49:39 - Software Distribution Service 3.0
RP203: 30/01/2010 22:27:27 - Software Distribution Service 3.0
RP204: 30/01/2010 22:52:25 - Software Distribution Service 3.0
RP205: 31/01/2010 11:28:10 - Software Distribution Service 3.0
RP206: 31/01/2010 14:17:49 - Software Distribution Service 3.0
RP207: 31/01/2010 14:34:29 - Software Distribution Service 3.0
RP208: 31/01/2010 14:52:00 - Software Distribution Service 3.0
RP209: 31/01/2010 15:32:12 - Removed Microsoft SQL Server Native Client
RP210: 31/01/2010 16:39:52 - Software Distribution Service 3.0
RP211: 01/02/2010 09:45:41 - Software Distribution Service 3.0
RP212: 05/02/2010 17:10:55 - Removed Alliance and Leicester Online Forms
RP213: 05/02/2010 17:12:02 - Removed Northern Rock Online
RP214: 05/02/2010 17:14:24 - Configured Intermediary Mortgages Application
RP215: 05/02/2010 19:07:06 - Installed iTunes
RP216: 08/02/2010 10:49:07 - Printer Driver WebEx Document Loader Installed
RP217: 08/02/2010 11:00:27 - Printer Driver WebEx Document Loader Installed
RP218: 09/02/2010 23:04:00 - System Checkpoint
RP219: 10/02/2010 15:59:27 - Software Distribution Service 3.0
RP220: 14/02/2010 21:05:59 - Software Distribution Service 3.0
RP221: 15/02/2010 16:20:24 - Installed HiJackThis
RP222: 15/02/2010 17:09:19 - Removed Safari
RP223: 16/02/2010 17:44:17 - Software Distribution Service 3.0
RP224: 16/02/2010 17:56:54 - Zara - Virus Cleaning 16.02
RP225: 16/02/2010 18:02:02 - Restore Operation
RP226: 16/02/2010 18:06:23 - Restore Operation
RP227: 18/02/2010 17:08:04 - System Checkpoint
==== Installed Programs ======================
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Reader 9
Adobe® Photoshop® Album Starter Edition 3.0
ALCX11 Basic Operation Guide
ALCX11 User's Guide
Apple Application Support
Apple Mobile Device Support
Apple Software Update
Bonjour
Critical Update for Windows Media Player 11 (KB959772)
EPSON Printer Software
EPSON Scan
EPSON Speed Dial Utility
EpsonNet Print
ERUNT 1.1j
Exweb DE
GearDrvs
goal viewer (offline) Trigold Edition
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HiJackThis
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
Hotfix for Windows XP (KB970653-v3)
Hotfix for Windows XP (KB976098-v2)
Inertia 3
Intel(R) Graphics Media Accelerator Driver for Mobile
Intrinsic iPoS
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java Auto Updater
Java(TM) 6 Update 18
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Security Update (KB953297)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Small Business Edition 2003
Microsoft SQL Server 2005
Microsoft SQL Server 2005 Express Edition (INERTIA3_SQL2005)
Microsoft SQL Server 2005 Tools Express Edition
Microsoft SQL Server Native Client
Microsoft SQL Server Setup Support Files (English)
Microsoft SQL Server VSS Writer
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Microsoft WSE 2.0 SP3 Runtime
Motorola SM56 Data Fax Modem
MSN
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 4.0 SP2 (KB973688)
MSXML 6.0 Parser (KB933579)
Nero Suite
Norton 360
OGA Notifier 2.0.0048.0
Prospector AAA
Prospector Registry Tool
QuickTime
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Internet Explorer 7 (KB969897)
Security Update for Windows Internet Explorer 7 (KB978207)
Security Update for Windows Internet Explorer 8 (KB971961)
Security Update for Windows Internet Explorer 8 (KB976325)
Security Update for Windows Internet Explorer 8 (KB978207)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player (KB954155)
Security Update for Windows Media Player (KB968816)
Security Update for Windows Media Player (KB973540)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB938464-v2)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956744)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB956844)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB958869)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB960859)
Security Update for Windows XP (KB961371)
Security Update for Windows XP (KB961373)
Security Update for Windows XP (KB961501)
Security Update for Windows XP (KB968537)
Security Update for Windows XP (KB969059)
Security Update for Windows XP (KB969898)
Security Update for Windows XP (KB969947)
Security Update for Windows XP (KB970238)
Security Update for Windows XP (KB970430)
Security Update for Windows XP (KB971468)
Security Update for Windows XP (KB971486)
Security Update for Windows XP (KB971557)
Security Update for Windows XP (KB971633)
Security Update for Windows XP (KB971657)
Security Update for Windows XP (KB971961)
Security Update for Windows XP (KB972270)
Security Update for Windows XP (KB973346)
Security Update for Windows XP (KB973354)
Security Update for Windows XP (KB973507)
Security Update for Windows XP (KB973525)
Security Update for Windows XP (KB973869)
Security Update for Windows XP (KB973904)
Security Update for Windows XP (KB974112)
Security Update for Windows XP (KB974318)
Security Update for Windows XP (KB974392)
Security Update for Windows XP (KB974571)
Security Update for Windows XP (KB975025)
Security Update for Windows XP (KB975467)
Security Update for Windows XP (KB975560)
Security Update for Windows XP (KB975713)
Security Update for Windows XP (KB977165)
Security Update for Windows XP (KB977914)
Security Update for Windows XP (KB978037)
Security Update for Windows XP (KB978251)
Security Update for Windows XP (KB978262)
Security Update for Windows XP (KB978706)
SoundMAX
Spybot - Search & Destroy
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515 drivers.
TIxx21/x515
TRSoap
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows Internet Explorer 8 (KB978506)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955759)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Update for Windows XP (KB968389)
Update for Windows XP (KB971737)
Update for Windows XP (KB973687)
Update for Windows XP (KB973815)
VoiceOver Kit
WebEx
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live OneCare safety scanner
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Service Pack 3
==== Event Viewer Messages From Past Week ========
18/02/2010 16:50:51, information: Windows File Protection [64002] - File replacement was attempted on the protected system file uploadm.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
15/02/2010 16:28:50, error: Dhcp [1002] - The IP address lease 192.168.0.5 for the Network Card with network address 0013CEAD58D5 has been denied by the DHCP server 10.164.50.49 (The DHCP Server sent a DHCPNACK message).
15/02/2010 13:49:33, error: Dhcp [1002] - The IP address lease 192.168.2.4 for the Network Card with network address 0013CEAD58D5 has been denied by the DHCP server 192.168.0.1 (The DHCP Server sent a DHCPNACK message).
==== End Of File ===========================
Hi,
Do NOT run 'FIXES' (ComboFix etc) without being asked (http://forums.spybot.info/showthread.php?t=16806)
It seems you have run ComboFix there. Kindly post contents of c:\ComboFix.txt file.
girlie100
2010-02-20, 13:38
Sorry, it was my last try before I restored from disks.
log file:
ComboFix 10-02-17.02 - Any Authorised User 18/02/2010 16:44:26.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.186 [GMT 0:00]
Running from: c:\documents and settings\Any Authorised User\Desktop\ComboFix.exe
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\pchealth\UploadLB\Binaries\uploadm.exe
c:\windows\pchealth\UploadLB\Config\config.xml
c:\windows\pchealth\UploadLB . . . . failed to delete
.
((((((((((((((((((((((((( Files Created from 2010-01-18 to 2010-02-18 )))))))))))))))))))))))))))))))
.
2010-02-15 16:16 . 2010-02-15 16:16 -------- d-----w- c:\program files\ERUNT
2010-02-15 14:01 . 2010-02-15 14:01 -------- d-----w- c:\documents and settings\Any Authorised User\Application Data\Malwarebytes
2010-02-15 14:01 . 2010-01-07 16:07 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-02-15 14:01 . 2010-02-15 14:01 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-02-15 14:01 . 2010-02-15 14:01 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-15 14:01 . 2010-01-07 16:07 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-02-14 21:39 . 2010-02-14 21:41 -------- d-----w- c:\program files\Windows Live Safety Center
2010-02-14 21:20 . 2010-02-14 21:22 -------- dc-h--w- c:\windows\ie8
2010-02-14 19:42 . 2010-02-14 20:46 -------- d-----w- c:\program files\Spybot - Search & Destroy
2010-02-14 19:42 . 2010-02-14 20:43 -------- d-----w- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-14 19:24 . 2010-02-14 19:24 48544 ---ha-w- c:\windows\system32\mlfcache.dat
2010-02-05 21:35 . 2010-02-05 21:35 -------- d-----w- c:\documents and settings\Any Authorised User\C
2010-02-05 19:07 . 2010-02-05 22:46 -------- d-----w- c:\program files\iTunes
2010-02-05 19:07 . 2010-02-05 19:08 -------- d-----w- c:\documents and settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-05 19:06 . 2010-02-05 19:06 -------- d-----w- c:\program files\Bonjour
2010-02-05 19:04 . 2010-02-05 19:04 -------- d-----w- c:\documents and settings\Any Authorised User\Local Settings\Application Data\Apple
2010-02-05 19:04 . 2010-02-05 19:04 -------- d-----w- c:\program files\Apple Software Update
2010-02-05 19:03 . 2009-08-28 19:42 40448 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2010-02-05 19:03 . 2009-08-28 19:42 2065696 ----a-w- c:\windows\system32\usbaaplrc.dll
2010-02-05 19:02 . 2010-02-05 19:07 -------- d-----w- c:\program files\Common Files\Apple
2010-02-05 19:02 . 2010-02-05 19:02 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple
2010-01-31 16:45 . 2010-01-31 16:45 -------- d-----w- c:\windows\SQLTools9_KB970892_ENU
2010-01-31 14:19 . 2010-01-31 14:19 -------- d-----w- c:\windows\system32\Registry Patrol
2010-01-31 14:18 . 2010-01-31 14:22 -------- d-----w- c:\program files\Registry Patrol
2010-01-31 13:45 . 2010-01-31 13:45 -------- d-----r- c:\program files\Norton Support
2010-01-30 17:47 . 2010-01-30 17:47 -------- d-----w- c:\documents and settings\All Users\Application Data\Office Genuine Advantage
2010-01-30 17:39 . 2010-01-30 17:39 -------- d-----w- C:\f71b5c25fa32883ca5706365d257924a
2010-01-30 17:23 . 2010-01-30 17:23 -------- d-----w- C:\b3c4cb4810021e8ab02912d6
2010-01-30 16:38 . 2009-08-06 19:23 274288 ----a-w- c:\windows\system32\mucltui.dll
2010-01-30 15:36 . 2010-01-30 15:36 -------- d-----w- C:\spoolerlogs
2010-01-30 14:38 . 2010-01-30 14:37 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2010-01-30 14:37 . 2010-01-30 14:37 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2010-01-30 14:37 . 2010-01-30 14:37 -------- d-----w- c:\program files\Symantec
2010-01-30 14:37 . 2010-01-30 14:37 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2010-01-30 14:37 . 2010-02-05 18:16 -------- d-----w- c:\windows\system32\drivers\N360
2010-01-30 14:37 . 2010-01-30 14:37 -------- d-----w- c:\program files\Norton 360
2010-01-30 14:37 . 2010-01-30 14:38 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2010-01-30 14:33 . 2010-01-30 14:33 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2010-01-30 14:33 . 2010-01-30 14:33 -------- d-----w- c:\program files\NortonInstaller
2010-01-30 13:47 . 2010-01-30 13:47 -------- d-----w- c:\documents and settings\Any Authorised User\Local Settings\Application Data\ICS
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-15 16:20 . 2010-02-15 16:20 388096 ----a-r- c:\documents and settings\Any Authorised User\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-14 19:23 . 2006-05-13 20:32 -------- d-----w- c:\documents and settings\Any Authorised User\Application Data\Apple Computer
2010-02-09 21:07 . 2010-02-18 15:55 84912 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.069\NAVENG.SYS
2010-02-09 21:07 . 2010-02-18 15:55 177520 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.069\NAVENG32.DLL
2010-02-09 21:07 . 2010-02-18 15:55 1647984 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.069\NAVEX32A.DLL
2010-02-09 21:07 . 2010-02-18 15:55 1324720 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.069\NAVEX15.SYS
2010-02-09 21:07 . 2010-02-18 15:55 371248 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.069\EECTRL.SYS
2010-02-09 21:07 . 2010-02-18 15:55 2747440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.069\CCERASER.DLL
2010-02-09 21:07 . 2010-02-18 15:55 259440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.069\ECMSVR32.DLL
2010-02-09 21:07 . 2010-02-18 15:55 102448 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.069\ERASER.SYS
2010-02-05 19:07 . 2006-05-13 20:30 -------- d-----w- c:\program files\iPod
2010-02-05 19:05 . 2006-05-13 20:31 -------- d-----w- c:\program files\QuickTime
2010-02-05 19:04 . 2006-05-13 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Apple Computer
2010-02-05 18:28 . 2006-05-15 14:35 -------- d-----w- c:\documents and settings\Any Authorised User\Application Data\objects
2010-02-05 17:16 . 2006-05-12 17:23 64160 ----a-w- c:\documents and settings\Any Authorised User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-05 17:14 . 2006-05-10 17:49 -------- d--h--w- c:\program files\InstallShield Installation Information
2010-02-05 17:14 . 2006-06-29 11:38 -------- d-----w- c:\program files\Intermediary Mortgages
2010-02-05 17:12 . 2006-06-29 11:02 -------- d-----w- c:\program files\Northern Rock Online
2010-02-05 17:11 . 2006-07-29 12:03 -------- d-----w- c:\program files\Alliance and Leicester Online Forms
2010-02-04 10:14 . 2006-05-13 20:31 -------- d-----w- c:\documents and settings\All Users\Application Data\QuickTime
2010-01-31 16:55 . 2006-05-15 13:52 -------- d-----w- c:\program files\Microsoft SQL Server
2010-01-31 11:59 . 2006-06-28 11:57 -------- d-----w- c:\documents and settings\Any Authorised User\Application Data\U3
2010-01-30 17:22 . 2006-07-18 09:08 -------- d-----w- c:\program files\Abbey
2010-01-30 15:47 . 2010-01-30 15:47 503808 ----a-w- c:\documents and settings\Any Authorised User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4478271f-n\msvcp71.dll
2010-01-30 15:47 . 2010-01-30 15:47 499712 ----a-w- c:\documents and settings\Any Authorised User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4478271f-n\jmc.dll
2010-01-30 15:47 . 2010-01-30 15:47 348160 ----a-w- c:\documents and settings\Any Authorised User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4478271f-n\msvcr71.dll
2010-01-30 15:47 . 2010-01-30 15:47 61440 ----a-w- c:\documents and settings\Any Authorised User\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7526f901-n\decora-sse.dll
2010-01-30 15:47 . 2010-01-30 15:47 12800 ----a-w- c:\documents and settings\Any Authorised User\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7526f901-n\decora-d3d.dll
2010-01-30 15:15 . 2006-05-12 14:41 -------- d-----w- c:\program files\Common Files\Symantec Shared
2010-01-30 14:37 . 2010-01-30 14:37 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2010-01-30 14:37 . 2010-01-30 14:37 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2010-01-30 14:37 . 2008-01-29 11:01 26600 ----a-r- c:\windows\system32\drivers\GEARAspiWDM.sys
2010-01-30 14:37 . 2010-01-30 14:37 1291104 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2010-01-30 14:37 . 2010-01-30 14:37 136840 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2010-01-30 14:37 . 2008-01-29 11:02 107368 ----a-r- c:\windows\system32\GEARAspi.dll
2010-01-30 14:37 . 2010-01-30 14:37 771440 ----a-w- c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2010-01-30 14:19 . 2006-05-12 14:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2010-01-30 14:17 . 2006-05-12 14:48 -------- d-----w- c:\documents and settings\Any Authorised User\Application Data\Symantec
2010-01-27 09:25 . 2006-05-10 17:45 -------- d-----w- c:\program files\Common Files\Java
2010-01-27 09:23 . 2006-05-10 17:45 -------- d-----w- c:\program files\Java
2010-01-22 19:51 . 2010-01-22 19:51 72488 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
2010-01-05 10:00 . 2010-01-05 10:00 78336 ------w- c:\windows\system32\ieencode.dll
2009-12-31 16:50 . 2005-02-02 19:01 353792 ----a-w- c:\windows\system32\drivers\srv.sys
2009-12-21 19:14 . 2005-02-02 18:59 916480 ------w- c:\windows\system32\wininet.dll
2009-12-17 17:14 . 2008-12-08 09:55 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-12-16 18:43 . 2005-02-02 18:58 343040 ----a-w- c:\windows\system32\mspaint.exe
2009-12-14 07:08 . 2005-02-02 18:58 33280 ----a-w- c:\windows\system32\csrsrv.dll
2009-12-08 19:27 . 2005-02-02 18:58 2189184 ------w- c:\windows\system32\ntoskrnl.exe
2009-12-08 18:43 . 2005-02-02 18:58 2066048 ------w- c:\windows\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2005-02-02 19:01 455424 ----a-w- c:\windows\system32\drivers\mrxsmb.sys
2009-11-27 17:11 . 2005-02-02 18:59 1291776 ----a-w- c:\windows\system32\quartz.dll
2009-11-27 17:11 . 2005-02-02 18:58 17920 ----a-w- c:\windows\system32\msyuv.dll
2009-11-27 16:07 . 2005-02-02 18:59 8704 ----a-w- c:\windows\system32\tsbyuv.dll
2009-11-27 16:07 . 2005-02-02 18:58 28672 ----a-w- c:\windows\system32\msvidc32.dll
2009-11-27 16:07 . 2005-02-02 18:58 11264 ----a-w- c:\windows\system32\msrle32.dll
2009-11-27 16:07 . 2005-02-02 18:58 48128 ----a-w- c:\windows\system32\iyuv_32.dll
2009-11-27 16:07 . 2005-02-02 18:58 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-11-21 15:51 . 2005-02-02 18:53 471552 ----a-w- c:\windows\AppPatch\aclayers.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2005-03-22 155648]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2005-03-22 126976]
"SMSERIAL"="sm56hlpr.exe" [2005-04-26 544768]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 688218]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2005-07-25 1397760]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-11-10 417792]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 246504]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 81920]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-01-22 141608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
c:\documents and settings\Any Authorised User\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check(2).lnk - c:\windows\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2006-5-12 131584]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\N360\0308000.029\SymEFA.sys [05/02/2010 18:09 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\N360\0308000.029\BHDrvx86.sys [05/02/2010 18:09 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\N360\0308000.029\cchpx86.sys [05/02/2010 18:09 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\IDSXpx86.sys [14/02/2010 19:03 329592]
R2 MSSQL$INERTIA3_SQL2005;SQL Server (INERTIA3_SQL2005);c:\program files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24/11/2008 22:31 29263712]
R2 N360;Norton 360;c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [05/02/2010 18:08 117640]
R2 TRUService;Trigold Update Service;c:\program files\Trigold\Update\TRUService.exe [14/07/2008 13:24 135816]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/02/2010 20:19 102448]
.
Contents of the 'Scheduled Tasks' folder
2010-02-05 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.intrinsicfs.com/
uInternet Connection Wizard,ShellNext = hxxp://www.bbc.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {0089F6EE-ED54-11D5-B0E7-00508B014C1D} - hxxps://exweb.exchange.uk.com/clientbinaries/texInfo.CAB
DPF: {034DA761-EDB7-11D7-A20A-000802318089} - hxxps://exweb.exchange.uk.com/clientbinaries/EWGPHI.CAB
DPF: {090EC279-1378-44B7-B521-888980212E7E} - hxxps://exweb.exchange.uk.com/clientbinaries/eXwebCListCtl3.CAB
DPF: {2F6A847E-2EC2-11D3-AE1B-00508B014C1D} - hxxps://exweb.exchange.uk.com/clientbinaries/XMLParser.CAB
DPF: {397F65A6-FD3C-438B-A7EB-3D2C0655189C} - hxxps://exweb.exchange.uk.com/clientbinaries/EWGPensions.CAB
DPF: {511835FF-EDC9-11D7-A20A-000802318089} - hxxps://exweb.exchange.uk.com/clientbinaries/EWGWholeLife.CAB
DPF: {61DA056C-EDE7-11D7-A20A-000802318089} - hxxps://exweb.exchange.uk.com/clientbinaries/EWGBonds.CAB
DPF: {8E95B0CA-EB6F-11D3-979B-00508B64538B} - hxxps://exweb.exchange.uk.com/clientbinaries/VersionInfo.CAB
DPF: {A74D724A-AB17-11D2-A96A-006097E20477} - hxxps://exweb.exchange.uk.com/clientbinaries/eXwebUtils.CAB
DPF: {DDECE2F5-AF1F-44E7-B37F-96B6630F5C60} - hxxps://exweb.exchange.uk.com/clientbinaries/printdll.CAB
DPF: {E7FF5332-854E-11D2-A952-006097E20477} - hxxps://exweb.exchange.uk.com/clientbinaries/eXwebOcc.CAB
DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} - hxxps://exweb.exchange.uk.com/clientbinaries/pvdt70.CAB
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-18 17:17
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\N360]
"ImagePath"="\"c:\program files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe\" /s \"N360\" /m \"c:\program files\Norton 360\Engine\3.8.0.41\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(2776)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\program files\Common Files\EPSON\eEBAPI\eEBSVC.exe
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlbrowser.exe
c:\program files\Microsoft SQL Server\90\Shared\sqlwriter.exe
c:\windows\system32\wscntfy.exe
c:\windows\sm56hlpr.exe
c:\program files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2010-02-18 17:23:58 - machine was rebooted
ComboFix-quarantined-files.txt 2010-02-18 17:23
ComboFix2.txt 2010-02-18 16:26
Pre-Run: 29,475,581,952 bytes free
Post-Run: 29,392,388,096 bytes free
- - End Of File - - AB10ED0C5E351AB0632999CB210014FE
Hi again,
Do you have Spybot scan results handy? If you do, post those too, please.
Open notepad and copy/paste the text in the quotebox below into it:
Dequarantine::
c:\qoobox\quarantine\c\windows\pchealth\UploadLB\Binaries\uploadm.exe.vir
c:\qoobox\quarantine\c\windows\pchealth\UploadLB\Config\config.xml.vir
Ignore::
c:\windows\pchealth\UploadLB\Binaries\uploadm.exe
c:\windows\pchealth\UploadLB\Config\config.xml
Registry::
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000000
Save this as
CFScript
A word of warning: Neither I nor sUBs are responsible for any damage you may have caused your machine. This tool is not a toy and not for everyday use.
http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif
Close all browser windows, disable protection software and, referring to the picture above, drag CFScript into ComboFix.exe (let ComboFix update itself).
Then post the resultant log.
Uninstall old Adobe Reader versions and get the latest one (9.3 + update 9.3.1) here (http://www.adobe.com/support/downloads/product.jsp?product=10&platform=Windows) or get Foxit Reader here (http://www.foxitsoftware.com/pdf/reader_2/down_reader.htm). Make sure you don't install the toolbar if you choose Foxit Reader! You may also check the free readers introduced here (http://pdfreaders.org/).
Uninstall vulnerable Flash versions by following instructions here (http://kb2.adobe.com/cps/141/tn_14157.html). Fresh version can be obtained here (http://get.adobe.com/flashplayer/).
Uninstall these old Javas:
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 11
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Java(TM) 6 Update 2
Java(TM) 6 Update 3
Java(TM) 6 Update 5
Java(TM) 6 Update 7
Java(TM) SE Runtime Environment 6 Update 1
Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.
Double-click ATF Cleaner.exe to open it
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Please run an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html) as instructed in the screenshot here (http://i275.photobucket.com/albums/jj285/Bleeping/KAS/KAS9.gif).
Post back its report, a fresh dds.txt log and above mentioned ComboFix resultant log.
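The CFScript above undoes two things visible in the first ComboFix log: it restores uploadm.exe, which Windows File Protection reported putting back (event 64002 in the dds log) right after ComboFix deleted it, so that deletion was a false positive on a protected system file, not a cleanup; and it resets the Security Center "DisableMonitoring" values that the loading-points section shows set to 1. The following Python checker is an added example for this thread, not code from the forum, from ComboFix or from its author. It parses the log sections quoted above (embedded here as constructed sample input copied from the posts), reports the Security Center and firewall-policy findings, cross-references the "Other Deletions" block against WFP 64002 events to spot the false positive, and generates a CFScript in the same shape as the helper's. The quarantine path layout (c:\qoobox\quarantine\<drive>\<path>.vir) is assumed from the helper's script, not from any ComboFix documentation.

```python
import re

# Constructed sample input: lines copied from the first ComboFix log and the
# dds Event Viewer block posted above (banners shortened).
COMBOFIX_LOG = r"""
(((((((((( Other Deletions ))))))))))
.
c:\windows\pchealth\UploadLB\Binaries\uploadm.exe
c:\windows\pchealth\UploadLB\Config\config.xml
c:\windows\pchealth\UploadLB . . . . failed to delete
.
(((((((((( Reg Loading Points ))))))))))
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""

EVENT_LOG = r"""
18/02/2010 16:50:51, information: Windows File Protection [64002] - File replacement was attempted on the protected system file uploadm.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")          # "((( Title )))" banners
KEY_RE = re.compile(r"^\[(.+)\]$")                       # [HKEY_...] key lines
DWORD_RE = re.compile(r'^"([^"]+)"=\s*(?:dword:([0-9a-fA-F]{8})|(\d+)\s*\(0x[0-9a-fA-F]+\))$')
WFP_RE = re.compile(r"Windows File Protection \[64002\].*?protected system file (\S+)\.\s")


def split_sections(log):
    """Split a ComboFix log into {banner title: [lines]}."""
    sections, current = {}, "preamble"
    for line in log.splitlines():
        m = SECTION_RE.match(line.strip())
        if m:
            current = m.group(1)
            sections[current] = []
        else:
            sections.setdefault(current, []).append(line.rstrip())
    return sections


def parse_reg_values(lines):
    """Return {key: {value name: int}} for dword-style values in the REGEDIT4
    dump; string values such as Run entries are left out."""
    reg, key = {}, None
    for line in lines:
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            reg.setdefault(key, {})
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            reg[key][m.group(1)] = int(m.group(2), 16) if m.group(2) else int(m.group(3))
    return reg


def audit_loading_points(reg):
    """Flag Security Center alerting switched off and the XP firewall
    standard profile disabled, the two settings the CFScript above targets."""
    findings = []
    for key, values in reg.items():
        low = key.lower()
        if r"security center\monitoring" in low and values.get("DisableMonitoring") == 1:
            findings.append(f"Security Center monitoring disabled: [{key}]")
        if low.endswith(r"firewallpolicy\standardprofile") and values.get("EnableFirewall") == 0:
            findings.append(f"Windows Firewall standard profile disabled: [{key}]")
    return findings


def deleted_files(lines):
    """File paths ComboFix actually removed (skip '.' fillers and failures)."""
    return [l.strip() for l in lines if l.strip() not in ("", ".") and "failed to delete" not in l]


def wfp_restored(event_log):
    """File names that Windows File Protection reports having restored."""
    return {m.group(1).lower() for m in WFP_RE.finditer(event_log)}


def likely_false_positives(deleted, restored):
    """A deleted file that WFP immediately restored is a protected system
    file, so the deletion was a false positive rather than a cleanup."""
    return [p for p in deleted if p.rsplit("\\", 1)[-1].lower() in restored]


def build_cfscript(false_positives, reg):
    """Emit a CFScript in the helper's format: Dequarantine:: the false
    positives, Ignore:: them on the next run, and reset DisableMonitoring."""
    out = ["Dequarantine::"]
    for path in false_positives:
        drive, rest = path.split(":\\", 1)        # assumed quarantine layout
        out.append("c:\\qoobox\\quarantine\\" + drive + "\\" + rest + ".vir")
    out.append("Ignore::")
    out.extend(false_positives)
    out.append("Registry::")
    for key, values in reg.items():
        if r"security center\monitoring" in key.lower() and values.get("DisableMonitoring") == 1:
            out.append(f"[{key}]")
            out.append('"DisableMonitoring"=dword:00000000')
    return "\n".join(out)


def analyse(combofix_log, event_log):
    sections = split_sections(combofix_log)
    reg = parse_reg_values(sections.get("Reg Loading Points", []))
    deleted = deleted_files(sections.get("Other Deletions", []))
    fps = likely_false_positives(deleted, wfp_restored(event_log))
    return {"findings": audit_loading_points(reg),
            "false_positives": fps,
            "cfscript": build_cfscript(fps, reg)}


if __name__ == "__main__":
    result = analyse(COMBOFIX_LOG, EVENT_LOG)
    print("\n".join(result["findings"]))
    print("Likely false positives:", result["false_positives"])
    print(result["cfscript"])
```

The cross-check only catches what WFP actually reported, so it names uploadm.exe but not the sibling config.xml that the helper restored with it; a reviewer still has to read the deletion list. Note too that Norton 360 itself writes the SymantecAntiVirus and SymantecFirewall DisableMonitoring values when it takes over Security Center reporting, so a 1 there is a finding to confirm against the installed product, not proof of tampering on its own.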
girlie100
2010-02-20, 14:45
I dragged the CFScript into ComboFix and the scan ran as normal. However, where the last log file was just on my C drive, I can't find the new log file. There is a combofix.txt in the ComboFix folder, but I don't know if that is the correct log file.
Zara
Hi,
What's the timestamp of that log file in c:\ComboFix folder?
girlie100
2010-02-20, 14:56
The timestamp is correct, so here is the log file:
ComboFix 10-02-19.04 - Any Authorised User 20/02/2010 12:25:20.3.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.502.267 [GMT 0:00]
Running from: C:\Documents and Settings\Any Authorised User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Any Authorised User\Desktop\CFScript.txt
AV: Norton 360 *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
FW: Norton 360 *disabled* {7C21A4C9-F61F-4AC4-B722-A6E19C16F220}
.
((((((((((((((((((((((((( Files Created from 2010-01-20 to 2010-02-20 )))))))))))))))))))))))))))))))
.
2010-02-20 12:25:12 . 2010-02-20 12:25:13 150528 ----a-w- C:\WINDOWS\system32\dllcache\uploadm.exe
2010-02-20 10:52:47 . 2009-10-28 22:37:21 811896 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\Scxpx86.dll
2010-02-20 10:52:46 . 2009-10-28 22:37:22 329592 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSXpx86.sys
2010-02-20 10:52:45 . 2009-10-28 22:37:22 343088 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSvix86.sys
2010-02-20 10:52:45 . 2009-10-28 22:37:21 488312 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSxpx86.dll
2010-02-20 10:52:44 . 2009-10-28 22:37:21 466992 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSviA64.sys
2010-02-18 15:55:24 . 2010-02-09 21:07:28 84912 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.069\NAVENG.SYS
2010-02-18 15:55:24 . 2010-02-09 21:07:28 177520 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.069\NAVENG32.DLL
2010-02-18 15:55:24 . 2010-02-09 21:07:28 1647984 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.069\NAVEX32A.DLL
2010-02-18 15:55:24 . 2010-02-09 21:07:28 1324720 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.069\NAVEX15.SYS
2010-02-18 15:55:23 . 2010-02-09 21:07:28 371248 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.069\EECTRL.SYS
2010-02-18 15:55:23 . 2010-02-09 21:07:28 2747440 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.069\CCERASER.DLL
2010-02-18 15:55:23 . 2010-02-09 21:07:28 259440 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.069\ECMSVR32.DLL
2010-02-18 15:55:23 . 2010-02-09 21:07:28 102448 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20100217.069\ERASER.SYS
2010-02-15 16:20:30 . 2010-02-15 16:20:30 388096 ----a-r- C:\Documents and Settings\Any Authorised User\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-15 16:16:20 . 2010-02-15 16:16:36 -------- d-----w- C:\Program Files\ERUNT
2010-02-15 14:01:49 . 2010-02-15 14:01:49 -------- d-----w- C:\Documents and Settings\Any Authorised User\Application Data\Malwarebytes
2010-02-15 14:01:39 . 2010-01-07 16:07:14 38224 ----a-w- C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2010-02-15 14:01:36 . 2010-02-15 14:01:36 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2010-02-15 14:01:33 . 2010-02-15 14:01:47 -------- d-----w- C:\Program Files\Malwarebytes' Anti-Malware
2010-02-15 14:01:33 . 2010-01-07 16:07:04 19160 ----a-w- C:\WINDOWS\system32\drivers\mbam.sys
2010-02-14 21:39:33 . 2010-02-14 21:41:25 -------- d-----w- C:\Program Files\Windows Live Safety Center
2010-02-14 21:20:06 . 2010-02-14 21:22:01 -------- dc-h--w- C:\WINDOWS\ie8
2010-02-14 19:42:08 . 2010-02-14 20:46:32 -------- d-----w- C:\Program Files\Spybot - Search & Destroy
2010-02-14 19:42:08 . 2010-02-14 20:43:13 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2010-02-14 19:24:45 . 2010-02-14 19:24:45 48544 ---ha-w- C:\WINDOWS\system32\mlfcache.dat
2010-02-14 19:03:10 . 2009-10-28 22:37:22 343088 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\IDSvix86.sys
2010-02-14 19:03:10 . 2009-10-28 22:37:22 329592 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\IDSXpx86.sys
2010-02-14 19:03:10 . 2009-10-28 22:37:21 811896 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\Scxpx86.dll
2010-02-14 19:03:10 . 2009-10-28 22:37:21 488312 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\IDSxpx86.dll
2010-02-14 19:03:10 . 2009-10-28 22:37:21 466992 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100210.001\IDSviA64.sys
2010-02-05 21:35:53 . 2010-02-05 21:35:53 -------- d-----w- C:\Documents and Settings\Any Authorised User\C
2010-02-05 19:07:24 . 2010-02-05 22:46:28 -------- d-----w- C:\Program Files\iTunes
2010-02-05 19:07:24 . 2010-02-05 19:08:30 -------- d-----w- C:\Documents and Settings\All Users\Application Data\{755AC846-7372-4AC8-8550-C52491DAA8BD}
2010-02-05 19:06:10 . 2010-02-05 19:06:10 -------- d-----w- C:\Program Files\Bonjour
2010-02-05 19:04:25 . 2010-02-05 19:04:25 -------- d-----w- C:\Documents and Settings\Any Authorised User\Local Settings\Application Data\Apple
2010-02-05 19:04:04 . 2010-02-05 19:04:04 -------- d-----w- C:\Program Files\Apple Software Update
2010-02-05 19:03:41 . 2009-08-28 19:42:52 40448 ----a-w- C:\WINDOWS\system32\drivers\usbaapl.sys
2010-02-05 19:03:41 . 2009-08-28 19:42:52 2065696 ----a-w- C:\WINDOWS\system32\usbaaplrc.dll
2010-02-05 19:02:02 . 2010-02-05 19:07:37 -------- d-----w- C:\Program Files\Common Files\Apple
2010-02-05 19:02:02 . 2010-02-05 19:02:02 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Apple
2010-01-31 16:45:02 . 2010-01-31 16:45:07 -------- d-----w- C:\WINDOWS\SQLTools9_KB970892_ENU
2010-01-31 14:19:55 . 2010-01-31 14:19:55 -------- d-----w- C:\WINDOWS\system32\Registry Patrol
2010-01-31 14:18:56 . 2010-01-31 14:22:35 -------- d-----w- C:\Program Files\Registry Patrol
2010-01-31 13:45:51 . 2010-01-31 13:45:52 -------- d-----r- C:\Program Files\Norton Support
2010-01-30 17:47:28 . 2010-01-30 17:47:29 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2010-01-30 17:39:15 . 2010-01-30 17:39:17 -------- d-----w- C:\f71b5c25fa32883ca5706365d257924a
2010-01-30 17:23:14 . 2010-01-30 17:23:17 -------- d-----w- C:\b3c4cb4810021e8ab02912d6
2010-01-30 16:38:56 . 2009-08-06 19:23:46 274288 ----a-w- C:\WINDOWS\system32\mucltui.dll
2010-01-30 15:47:04 . 2010-01-30 15:47:04 503808 ----a-w- C:\Documents and Settings\Any Authorised User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4478271f-n\msvcp71.dll
2010-01-30 15:47:04 . 2010-01-30 15:47:04 499712 ----a-w- C:\Documents and Settings\Any Authorised User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4478271f-n\jmc.dll
2010-01-30 15:47:04 . 2010-01-30 15:47:04 348160 ----a-w- C:\Documents and Settings\Any Authorised User\Application Data\Sun\Java\Deployment\SystemCache\6.0\54\1a209876-4478271f-n\msvcr71.dll
2010-01-30 15:47:03 . 2010-01-30 15:47:03 61440 ----a-w- C:\Documents and Settings\Any Authorised User\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7526f901-n\decora-sse.dll
2010-01-30 15:47:03 . 2010-01-30 15:47:03 12800 ----a-w- C:\Documents and Settings\Any Authorised User\Application Data\Sun\Java\Deployment\SystemCache\6.0\17\6d0ad391-7526f901-n\decora-d3d.dll
2010-01-30 15:36:55 . 2010-01-30 15:36:55 -------- d-----w- C:\spoolerlogs
2010-01-30 14:38:00 . 2010-01-30 14:37:42 36400 ----a-r- C:\WINDOWS\system32\drivers\SymIM.sys
2010-01-30 14:37:50 . 2010-01-30 14:37:49 60808 ----a-w- C:\WINDOWS\system32\S32EVNT1.DLL
2010-01-30 14:37:49 . 2010-01-30 14:37:50 -------- d-----w- C:\Program Files\Symantec
2010-01-30 14:37:49 . 2010-01-30 14:37:49 124976 ----a-w- C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2010-01-30 14:37:38 . 2010-01-30 14:37:38 1291104 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2010-01-30 14:37:35 . 2010-01-30 14:37:35 136840 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2010-01-30 14:37:30 . 2010-01-30 14:37:30 771440 ----a-w- C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2010-01-30 14:37:10 . 2010-02-05 18:16:44 -------- d-----w- C:\WINDOWS\system32\drivers\N360
2010-01-30 14:37:07 . 2010-01-30 14:37:23 -------- d-----w- C:\Program Files\Norton 360
2010-01-30 14:37:06 . 2010-01-30 14:38:29 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Norton
2010-01-30 14:33:16 . 2010-01-30 14:33:24 -------- d-----w- C:\Documents and Settings\All Users\Application Data\NortonInstaller
2010-01-30 14:33:16 . 2010-01-30 14:33:16 -------- d-----w- C:\Program Files\NortonInstaller
2010-01-30 13:47:42 . 2010-01-30 13:47:42 -------- d-----w- C:\Documents and Settings\Any Authorised User\Local Settings\Application Data\ICS
2010-01-22 19:51:36 . 2010-01-22 19:51:36 72488 ----a-w- C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 9.0.3.15\SetupAdmin.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-20 12:25:13 . 2010-02-20 12:25:12 150528 ----a-w- C:\WINDOWS\pchealth\UploadLB\Binaries\uploadm.exe
2010-02-14 19:23:45 . 2006-05-13 20:32:11 -------- d-----w- C:\Documents and Settings\Any Authorised User\Application Data\Apple Computer
2010-02-05 19:07:39 . 2006-05-13 20:30:19 -------- d-----w- C:\Program Files\iPod
2010-02-05 19:05:11 . 2006-05-13 20:31:52 -------- d-----w- C:\Program Files\QuickTime
2010-02-05 19:04:54 . 2006-05-13 20:31:46 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Apple Computer
2010-02-05 18:28:42 . 2006-05-15 14:35:13 -------- d-----w- C:\Documents and Settings\Any Authorised User\Application Data\objects
2010-02-05 17:16:52 . 2006-05-12 17:23:34 64160 ----a-w- C:\Documents and Settings\Any Authorised User\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2010-02-05 17:14:45 . 2006-05-10 17:49:43 -------- d--h--w- C:\Program Files\InstallShield Installation Information
2010-02-05 17:14:43 . 2006-06-29 11:38:20 -------- d-----w- C:\Program Files\Intermediary Mortgages
2010-02-05 17:12:04 . 2006-06-29 11:02:02 -------- d-----w- C:\Program Files\Northern Rock Online
2010-02-05 17:11:14 . 2006-07-29 12:03:36 -------- d-----w- C:\Program Files\Alliance and Leicester Online Forms
2010-02-04 10:14:54 . 2006-05-13 20:31:52 -------- d-----w- C:\Documents and Settings\All Users\Application Data\QuickTime
2010-01-31 16:55:12 . 2006-05-15 13:52:58 -------- d-----w- C:\Program Files\Microsoft SQL Server
2010-01-31 11:59:55 . 2006-06-28 11:57:00 -------- d-----w- C:\Documents and Settings\Any Authorised User\Application Data\U3
2010-01-30 17:22:26 . 2006-07-18 09:08:57 -------- d-----w- C:\Program Files\Abbey
2010-01-30 15:15:15 . 2006-05-12 14:41:26 -------- d-----w- C:\Program Files\Common Files\Symantec Shared
2010-01-30 14:37:49 . 2010-01-30 14:37:50 7456 ----a-w- C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2010-01-30 14:37:49 . 2010-01-30 14:37:49 806 ----a-w- C:\WINDOWS\system32\drivers\SYMEVENT.INF
2010-01-30 14:37:41 . 2008-01-29 11:01:28 26600 ----a-r- C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2010-01-30 14:37:32 . 2008-01-29 11:02:30 107368 ----a-r- C:\WINDOWS\system32\GEARAspi.dll
2010-01-30 14:19:38 . 2006-05-12 14:41:43 -------- d-----w- C:\Documents and Settings\All Users\Application Data\Symantec
2010-01-30 14:17:52 . 2006-05-12 14:48:13 -------- d-----w- C:\Documents and Settings\Any Authorised User\Application Data\Symantec
2010-01-27 09:25:24 . 2006-05-10 17:45:01 -------- d-----w- C:\Program Files\Common Files\Java
2010-01-27 09:23:54 . 2006-05-10 17:45:02 -------- d-----w- C:\Program Files\Java
2010-01-05 10:00:21 . 2010-01-05 10:00:21 78336 ------w- C:\WINDOWS\system32\ieencode.dll
2009-12-31 16:50:03 . 2005-02-02 19:01:18 353792 ----a-w- C:\WINDOWS\system32\drivers\srv.sys
2009-12-21 19:14:05 . 2005-02-02 18:59:20 916480 ------w- C:\WINDOWS\system32\wininet.dll
2009-12-17 17:14:00 . 2008-12-08 09:55:38 411368 ----a-w- C:\WINDOWS\system32\deploytk.dll
2009-12-16 18:43:27 . 2005-02-02 18:58:46 343040 ----a-w- C:\WINDOWS\system32\mspaint.exe
2009-12-14 07:08:23 . 2005-02-02 18:58:15 33280 ----a-w- C:\WINDOWS\system32\csrsrv.dll
2009-12-08 19:27:51 . 2005-02-02 18:58:53 2189184 ------w- C:\WINDOWS\system32\ntoskrnl.exe
2009-12-08 18:43:50 . 2005-02-02 18:58:52 2066048 ------w- C:\WINDOWS\system32\ntkrnlpa.exe
2009-12-04 18:22:22 . 2005-02-02 19:01:16 455424 ----a-w- C:\WINDOWS\system32\drivers\mrxsmb.sys
2009-11-27 17:11:44 . 2005-02-02 18:59:00 1291776 ----a-w- C:\WINDOWS\system32\quartz.dll
2009-11-27 17:11:44 . 2005-02-02 18:58:49 17920 ----a-w- C:\WINDOWS\system32\msyuv.dll
2009-11-27 16:07:35 . 2005-02-02 18:59:13 8704 ----a-w- C:\WINDOWS\system32\tsbyuv.dll
2009-11-27 16:07:35 . 2005-02-02 18:58:47 28672 ----a-w- C:\WINDOWS\system32\msvidc32.dll
2009-11-27 16:07:34 . 2005-02-02 18:58:46 11264 ----a-w- C:\WINDOWS\system32\msrle32.dll
2009-11-27 16:07:34 . 2005-02-02 18:58:31 48128 ----a-w- C:\WINDOWS\system32\iyuv_32.dll
2009-11-27 16:07:34 . 2005-02-02 18:58:07 84992 ----a-w- C:\WINDOWS\system32\avifil32.dll
.
((((((((((((((((((((((((((((( SnapShot@2010-02-18_16.20.43 )))))))))))))))))))))))))))))))))))))))))
.
+ 2010-02-18 16:54:09 . 2010-02-18 16:54:09 16384 C:\WINDOWS\Temp\Perflib_Perfdata_704.dat
+ 2010-02-18 16:53:07 . 2010-02-18 16:53:07 16384 C:\WINDOWS\Temp\Perflib_Perfdata_4a8.dat
+ 2010-02-18 16:53:07 . 2010-02-18 16:53:07 16384 C:\WINDOWS\Temp\Perflib_Perfdata_454.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 00:12:28 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2005-03-22 12:57:38 155648]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2005-03-22 12:53:52 126976]
"SMSERIAL"="sm56hlpr.exe" [2005-04-26 10:15:00 544768]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-05 15:25:10 98394]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-05 15:24:28 688218]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50:42 155648]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2005-07-25 11:01:23 1397760]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2009-11-10 23:08:18 417792]
"SunJavaUpdateSched"="C:\Program Files\Common Files\Java\Java Update\jusched.exe" [2010-01-11 15:21:52 246504]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-06-16 05:03:04 81920]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2010-01-22 19:16:42 141608]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 00:12:16 15360]
C:\Documents and Settings\Any Authorised User\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - C:\Program Files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
EPSON Status Monitor 3 Environment Check(2).lnk - C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE [2006-5-12 131584]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\spoolsv.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R0 SymEFA;Symantec Extended File Attributes;C:\WINDOWS\system32\drivers\N360\0308000.029\SymEFA.sys [05/02/2010 18:09:12 310320]
R1 BHDrvx86;Symantec Heuristics Driver;C:\WINDOWS\system32\drivers\N360\0308000.029\BHDrvx86.sys [05/02/2010 18:09:12 259632]
R1 ccHP;Symantec Hash Provider;C:\WINDOWS\system32\drivers\N360\0308000.029\cchpx86.sys [05/02/2010 18:09:12 482432]
R1 IDSxpx86;IDSxpx86;C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20100218.001\IDSXpx86.sys [20/02/2010 10:52:46 329592]
R2 MSSQL$INERTIA3_SQL2005;SQL Server (INERTIA3_SQL2005);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [24/11/2008 22:31:10 29263712]
R2 N360;Norton 360;C:\Program Files\Norton 360\Engine\3.8.0.41\ccSvcHst.exe [05/02/2010 18:08:51 117640]
R2 TRUService;Trigold Update Service;C:\Program Files\Trigold\Update\TRUService.exe [14/07/2008 13:24:35 135816]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [10/02/2010 20:19:31 102448]
.
Contents of the 'Scheduled Tasks' folder
2010-02-05 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34:12 . 2008-07-30 12:34:12]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uStart Page = hxxp://www.intrinsicfs.com/
uInternet Connection Wizard,ShellNext = hxxp://www.bbc.co.uk/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
DPF: {0089F6EE-ED54-11D5-B0E7-00508B014C1D} - hxxps://exweb.exchange.uk.com/clientbinaries/texInfo.CAB
DPF: {034DA761-EDB7-11D7-A20A-000802318089} - hxxps://exweb.exchange.uk.com/clientbinaries/EWGPHI.CAB
DPF: {090EC279-1378-44B7-B521-888980212E7E} - hxxps://exweb.exchange.uk.com/clientbinaries/eXwebCListCtl3.CAB
DPF: {2F6A847E-2EC2-11D3-AE1B-00508B014C1D} - hxxps://exweb.exchange.uk.com/clientbinaries/XMLParser.CAB
DPF: {397F65A6-FD3C-438B-A7EB-3D2C0655189C} - hxxps://exweb.exchange.uk.com/clientbinaries/EWGPensions.CAB
DPF: {511835FF-EDC9-11D7-A20A-000802318089} - hxxps://exweb.exchange.uk.com/clientbinaries/EWGWholeLife.CAB
DPF: {61DA056C-EDE7-11D7-A20A-000802318089} - hxxps://exweb.exchange.uk.com/clientbinaries/EWGBonds.CAB
DPF: {8E95B0CA-EB6F-11D3-979B-00508B64538B} - hxxps://exweb.exchange.uk.com/clientbinaries/VersionInfo.CAB
DPF: {A74D724A-AB17-11D2-A96A-006097E20477} - hxxps://exweb.exchange.uk.com/clientbinaries/eXwebUtils.CAB
DPF: {DDECE2F5-AF1F-44E7-B37F-96B6630F5C60} - hxxps://exweb.exchange.uk.com/clientbinaries/printdll.CAB
DPF: {E7FF5332-854E-11D2-A952-006097E20477} - hxxps://exweb.exchange.uk.com/clientbinaries/eXwebOcc.CAB
DPF: {E9C9692E-F93C-11D1-ABB0-0040054FC6FB} - hxxps://exweb.exchange.uk.com/clientbinaries/pvdt70.CAB
.
I am just uninstalling the other stuff you requested.
girlie100
2010-02-20, 15:26
I can't get the Kaspersky online scanner to run:
Program download is in progress. Please wait. To allow further operations of Kaspersky Online Scanner 7.0, agree in the security warning to launch the Java application signed by Kaspersky Lab.
Launch of the Java application is interrupted! Please establish an uninterrupted Internet connection for work with this program.
I have uninstalled the updates listed and ran the scanner; it asked to install Java, I followed the link, but then it doesn't work? I will await your reply.
Hi,
Let's see if we get better results with ESET online scanner.
* Go here (http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Tick the box next to YES, I accept the Terms of Use.
Click Start
Make sure that the option Remove found threats is not checked.
Click Scan
Wait for the scan to finish
Copy and paste that log as a reply to this topic, along with other requested logs that weren't posted yet. How's the system running?
girlie100
2010-02-20, 19:44
The scan completed, but no log file that I could see; however, I could export this as a txt file:
C:\Program Files\Registry Patrol\RegistryPatrol.exe a variant of Win32/Adware.RegistryPatrol application
This was the only threat found. I cannot find a Spybot S&D log file to post, but I can run another scan if you require the log file. The system runs fine, but iexplorer runs slow.
girlie100
2010-02-20, 19:59
Apologies, I found the Spybot report, if this helps?
--- Report generated: 2010-02-18 18:00 ---
Congratulations!: No immediate threats were found. (Status)
--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---
2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-03-05 TeaTimer.exe (1.6.6.32)
2010-02-14 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-11-04 advcheck.dll (1.6.5.20)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2009-10-08 Includes\Adware.sbi (*)
2010-02-09 Includes\AdwareC.sbi (*)
2010-01-25 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2010-02-09 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2010-02-09 Includes\HijackersC.sbi (*)
2010-01-20 Includes\Keyloggers.sbi (*)
2010-02-09 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2010-02-10 Includes\Malware.sbi (*)
2010-02-10 Includes\MalwareC.sbi (*)
2009-03-25 Includes\PUPS.sbi (*)
2010-02-09 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-02-10 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2009-11-03 Includes\Spyware.sbi (*)
2010-02-09 Includes\SpywareC.sbi (*)
2009-06-08 Includes\Tracks.uti
2009-12-08 Includes\Trojans.sbi (*)
2010-02-10 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll
Hi,
Uninstall Registry Patrol. Is there some specific situation in which IE is slow?
girlie100
2010-02-21, 10:43
It's slow starting up, and loading new pages sometimes. Where do I uninstall Registry Patrol from? It's not in Add/Remove? Thanks.
Hi,
If Registry Patrol isn't visible on the installed programs list, then just delete these two folders:
c:\windows\system32\Registry Patrol
c:\program files\Registry Patrol
Have you noticed if IE is slow on some certain sites or does it happen randomly?
girlie100
2010-02-21, 15:42
Have deleted both folders. It's slow loading the homepage when you start up and slow loading pages when you go to new websites; however, I'm used to using Firefox so it may just be me??
Hi,
IE is slower compared to Firefox. You may want to see if running IE with add-ons disabled runs any faster:
Click the Start button, click All Programs, click Accessories, click System Tools, and then click Internet Explorer (No Add-ons).
Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points, which are likely to be infected. Please note you need Administrator Access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.
Now let's uninstall ComboFix:
Click START then RUN
Now copy-paste Combofix /uninstall in the Run box and click OK.
Next we remove all used tools.
Please download OTC (http://oldtimer.geekstogo.com/OTC.exe) and save it to desktop.
Double-click OTC.exe.
Click the CleanUp! button.
Select Yes when the "Begin cleanup Process?" prompt appears.
If you are prompted to Reboot during the cleanup, select Yes.
The tool will delete itself once it finishes, if not delete it by yourself.
Note: If you receive a warning from your firewall or other security programs regarding OTC attempting to contact the internet, please allow it to do so.
girlie100
2010-02-21, 16:54
I have completed the steps that you gave and all the tools were removed except the ATF-Cleaner. Shall I remove this myself or leave it for now?
girlie100
2010-02-21, 17:05
Oh yeah, I have tried IE with no add-ons and it is much better, so it's probably the toolbars installed for Norton etc.
Hi,
You may either remove ATF Cleaner or keep it and run it occasionally to clean temporary items.
Unless there's some issue left I believe we're ready here :)
girlie100
2010-02-21, 23:20
:D: Thanks for all your help!!
Zara
Since this issue appears to be resolved ... this Topic has been closed. Glad I could help. :)
Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than four days since your last response and you need the thread re-opened, please send me or MOD a private message (pm). A valid, working link to the closed topic is required.