common problem?-is my pc still infected

Status
Not open for further replies.
no good

as requested might have made the restart minimally faster but not starting normally.
I ran a panda scan out of desperation have included the log to showing 11 spyware 1 hacking tool/rootkit and 1 virus!!! seemed to have lost a rootkit ...but gained a virus ssomewhere!!!.......damn!


Incident Status Location

Potentially unwanted tool:application/alfacleaner Not disinfected C:\Documents and Settings\Mark\Application Data\Skinux
Adware:adware/ipbill Not disinfected Windows Registry
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Mark\Cookies\mark@247realmedia[1].txt
Spyware:Cookie/Adtech Not disinfected C:\Documents and Settings\Mark\Cookies\mark@adtech[1].txt
Spyware:Cookie/NewMedia Not disinfected C:\Documents and Settings\Mark\Cookies\mark@anm.co[2].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mark\Cookies\mark@bs.serving-sys[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Mark\Cookies\mark@overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Mark\Cookies\mark@questionmarket[1].txt
Spyware:Cookie/Serving-sys Not disinfected C:\Documents and Settings\Mark\Cookies\mark@serving-sys[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Mark\Cookies\mark@toplist[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Mark\Cookies\mark@tribalfusion[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Mark\Cookies\mark@xiti[1].txt
Virus:Trj/Bancos.RQ Not disinfected C:\Documents and Settings\Mark\Desktop\ComboFix.exe[327882R2FWJFW\pv.cfexe]
Potentially unwanted tool:Application/Pskill.A Not disinfected C:\WINDOWS\Motive\btbb\pskill.exe
 
Last edited by a moderator:
Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
C:\WINDOWS\Motive\btbb\pskill.exel

Save this as Save this as "CFScript"


CFScript.gif


Referring to the picture above, drag CFScript.txt into ComboFix.exe

Then post the results log and a new HijackThis log.
 
latest logs

as requested

O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme

noticed this line in the hjt log in the 04's which you said was the start up files... it looks suspicious and have checked and deleted the programme aleady ....can this line be deleted???

ComboFix 08-03-26.3 - Mark 2008-03-31 8:53:06.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.188 [GMT 1:00]
Running from: C:\Documents and Settings\Mark\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Mark\Desktop\CFscript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\Motive\btbb\pskill.exel
.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-31 )))))))))))))))))))))))))))))))
.

2008-03-22 22:36 . 2008-03-22 22:36 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\Malwarebytes
2008-03-22 22:35 . 2008-03-22 22:36 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-22 22:35 . 2008-03-22 22:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-22 18:02 . 2008-03-30 14:59 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2008-03-22 18:02 . 2008-03-30 14:15 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2008-03-22 18:02 . 2008-03-30 14:15 1,406 --a------ C:\WINDOWS\system32\Help.ico
2008-03-20 17:59 . 2008-03-29 22:31 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-03-18 20:53 . 2008-02-22 03:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-18 20:51 . 2008-03-18 20:51 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-15 16:41 . 2008-03-30 14:48 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-15 11:37 . 2008-03-15 11:37 244 --ah----- C:\sqmnoopt19.sqm
2008-03-15 11:37 . 2008-03-15 11:37 232 --ah----- C:\sqmdata19.sqm
2008-03-15 11:36 . 2008-03-15 11:36 244 --ah----- C:\sqmnoopt18.sqm
2008-03-15 11:36 . 2008-03-15 11:36 232 --ah----- C:\sqmdata18.sqm
2008-03-15 11:32 . 2008-03-15 11:32 244 --ah----- C:\sqmnoopt17.sqm
2008-03-15 11:32 . 2008-03-15 11:32 232 --ah----- C:\sqmdata17.sqm
2008-03-07 15:03 . 2008-03-07 15:03 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-03-07 15:03 . 2008-03-07 15:03 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-03-07 14:40 . 2008-03-07 14:40 13,035 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-03-07 14:40 . 2008-03-07 14:40 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-03-07 14:39 . 2008-03-07 14:39 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-03-07 14:39 . 2008-03-07 14:39 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-03-07 14:39 . 2008-03-07 14:39 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-03-07 14:39 . 2008-03-07 14:39 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-03-07 14:39 . 2008-03-07 14:39 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-03-07 14:39 . 2008-03-07 14:39 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-03-07 14:39 . 2008-03-07 14:39 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys
2008-03-03 23:55 . 2008-03-03 23:58 <DIR> d-------- C:\Program Files\Windows Live
2008-03-03 23:55 . 2008-03-03 23:57 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-03-03 23:54 . 2008-03-03 23:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-03 23:34 . 2008-03-06 22:32 23,904 --a------ C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-03 23:34 . 2008-03-06 22:32 10,537 --a------ C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-03 23:34 . 2008-03-06 22:32 706 --a------ C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-03 14:39 . 2008-03-03 15:10 123,952 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2008-03-03 14:39 . 2008-03-03 15:10 60,800 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2008-03-03 14:38 . 2008-03-30 14:48 <DIR> d-------- C:\Program Files\Symantec
2008-03-03 14:38 . 2008-03-25 00:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-03 14:37 . 2008-03-31 01:01 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2008-02-27 13:20 . 2008-02-27 13:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-27 10:19 . 2008-02-27 10:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-27 10:19 . 2008-02-27 10:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-22 21:46 . 2008-02-22 22:21 419 --a------ C:\WINDOWS\wininit.ini
2008-02-22 21:12 . 2008-03-30 14:48 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-22 21:12 . 2008-02-22 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-22 20:20 . 2008-02-22 20:28 <DIR> d-------- C:\Documents and Settings\Mark\Application Data\RegSweep
2008-02-19 11:33 . 2008-02-19 11:33 <DIR> d-------- C:\Program Files\Motive
2008-02-19 11:33 . 2008-02-19 11:35 <DIR> d-------- C:\Program Files\BT Broadband Desktop Help
2008-02-14 18:15 . 2008-02-14 18:15 268 --ah----- C:\sqmdata16.sqm
2008-02-14 18:15 . 2008-02-14 18:15 244 --ah----- C:\sqmnoopt16.sqm
2008-02-14 01:07 . 2008-02-14 01:15 16 --a------ C:\WINDOWS\system32\coh.cache
2008-02-14 00:48 . 2008-03-03 15:10 10,740 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.CAT
2008-02-14 00:48 . 2008-03-03 15:10 805 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.INF
2008-02-11 10:40 . 2008-02-11 10:40 2,715,648 --a------ C:\WINDOWS\system32\OnlineScanner.ocx
2008-02-11 10:39 . 2008-02-11 10:39 253,952 --a------ C:\WINDOWS\system32\OnlineScannerDLLA.dll
2008-02-11 10:39 . 2008-02-11 10:39 237,568 --a------ C:\WINDOWS\system32\OnlineScannerDLLW.dll
2008-02-08 14:53 . 2008-02-08 14:53 110,592 --a------ C:\WINDOWS\system32\OnlineScannerLang.dll
2008-02-05 09:48 . 2008-02-05 09:48 77,824 --a------ C:\WINDOWS\system32\OnlineScannerUninstaller.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-30 13:40 --------- d-----w C:\Program Files\BT Broadband Talk Softphone
2008-03-30 13:39 --------- d-----w C:\Program Files\BT Auto Backup
2008-03-30 13:18 --------- d-----w C:\Program Files\AC3Filter
2008-03-30 13:07 --------- d-----w C:\Documents and Settings\Mark\Application Data\Skype
2008-03-30 12:53 --------- d-----w C:\Documents and Settings\Mark\Application Data\skypePM
2008-03-29 16:38 --------- d-----w C:\Documents and Settings\Mark\Application Data\LimeWire
2008-03-26 14:24 --------- d-----w C:\Program Files\QuickTime
2008-03-26 14:10 --------- d-----w C:\Program Files\Common Files\Motive
2008-03-26 14:09 --------- d-----w C:\Program Files\btbb_wcm
2008-03-22 22:03 --------- d-----w C:\Program Files\MSN Messenger
2008-03-21 10:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2008-03-18 19:53 --------- d-----w C:\Program Files\Java
2008-03-03 16:29 --------- d-----w C:\Program Files\Microsoft Works
2008-03-03 13:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-02-26 18:46 61,480 ----a-w C:\Documents and Settings\Mark\GoToAssistDownloadHelper.exe
2008-02-19 10:41 --------- d-----w C:\Documents and Settings\Mark\Application Data\Motive
2008-02-19 10:31 --------- d-----w C:\Program Files\BTHomeHub
2008-02-17 19:20 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-02-17 19:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-02-15 22:54 --------- d-----w C:\Program Files\Google
2008-02-15 20:10 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-02-13 00:14 --------- d-----w C:\Program Files\LimeWire
2008-02-13 00:13 --------- d-----w C:\Documents and Settings\Mark\Application Data\uTorrent
2008-02-06 00:58 --------- d-----w C:\Program Files\DivX
2008-02-06 00:47 --------- d-----w C:\Documents and Settings\Mark\Application Data\Microgaming
2008-02-05 10:05 --------- d-----w C:\Program Files\PKR
2008-01-04 21:59 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2008-01-04 21:58 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2008-01-04 21:58 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2008-01-04 21:58 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-01-04 21:57 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-01-04 21:57 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-01-04 21:57 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-01-04 21:57 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-01-04 21:57 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-01-04 21:57 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-01-04 21:57 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-01-04 21:57 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-01-04 21:57 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-01-04 21:57 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-01-04 21:56 156,992 ----a-w C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-01-04 21:56 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-12-22 17:19 557,056 ----a-w C:\Documents and Settings\Mark\GoToAssist_phone__319_en.exe
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-11-28 17:55 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
.

((((((((((((((((((((((((((((( snapshot@2008-03-28_11.20.27.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2000-08-31 08:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2000-08-31 07:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2006-12-18 15:36:36 312,840 ----a-w C:\WINDOWS\KingComIE.dll
- 2000-08-31 08:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
+ 2000-08-31 07:00:00 28,160 ----a-w C:\WINDOWS\Nircmd.exe
- 2008-02-19 14:26:49 63,528 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-30 12:15:25 63,644 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-02-19 14:26:49 406,328 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-30 12:15:25 406,636 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2000-08-31 08:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
+ 2000-08-31 07:00:00 161,792 ----a-w C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 13:00 15360]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 12:34 5724184]
"BTAgile"="C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe" [2007-06-18 10:39 61440]
"SRS Audio Sandbox"="C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdslTaskBar"="stmctrl.dll" [2004-08-27 09:20 167936 C:\WINDOWS\system32\stmctrl.dll]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2006-02-28 13:00 110592 C:\WINDOWS\system32\bthprops.cpl]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2004-02-12 16:57 188416]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2004-02-12 16:59 77824]
"OlStatusMon"="C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe" [2006-01-03 15:23 94208]
"YBrowser"="C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 17:19 129536]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"osCheck"="C:\PROGRA~1\Symantec\osCheck.exe" [2007-01-14 08:11 771704]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
BT Broadband Desktop Help.lnk - C:\Program Files\BT Broadband Desktop Help\bin\matcli.exe [2008-02-19 11:33:24 217088]
BTTray.lnk - C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe [2004-10-01 15:12:18 565309]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YOP]
--a------ 2007-06-26 14:48 509224 C:\PROGRA~1\Yahoo!\YOP\yop.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\BT Broadband Talk Softphone\\BTSoftphone.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

R3 Stmatm;ATM/ADSL miniport;C:\WINDOWS\system32\DRIVERS\stmatm.sys [2004-07-06 13:28]
R3 TaurusPci;ADSL Modem PCI Service;C:\WINDOWS\system32\DRIVERS\toruspci.sys [2004-08-25 11:10]

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2008-03-31 00:58:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2008-03-30 11:46:02 C:\WINDOWS\Tasks\Norton Security Online - Run Full System Scan - Mark.job"
- C:\PROGRA~1\Symantec\Norton AntiVirus\Navw32.exeh/TASK:
"2008-02-24 18:34:13 C:\WINDOWS\Tasks\Spybot - Search & Destroy - Scheduled Task.job"
- C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-31 08:57:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-03-31 9:00:12
ComboFix-quarantined-files.txt 2008-03-31 07:59:05
ComboFix2.txt 2008-03-29 11:13:38
ComboFix3.txt 2008-03-28 11:21:40
Pre-Run: 65,845,411,840 bytes free
Post-Run: 67,315,023,872 bytes free
.
2008-03-27 22:46:35 --- E O F ---
 
Last edited by a moderator:
O4 - HKCU\..\Run: [SRS Audio Sandbox] "C:\Program Files\SRS Labs\Audio Sandbox\SRSSSC.exe" /hideme

noticed this line in the hjt log in the 04's which you said was the start up files... it looks suspicious and have checked and deleted the programme aleady ....can this line be deleted???
Click to expand...
Yes this will keep windows from looking for the file :cool:

Both logs look fine any troubles with the PC?
 
results

You know what....innitial signs are good. it Has only spiked once when i've tried in the last 2 days when i checked my mail in my outlook email account.Apart from that the surfing seems to be back normal..... wow!!!

Unfortunately one thing that is deffo not right is the startup.
The one time it did spike i decided to shut down the comp(held down power button) on the restart it took forever still best part of 20 mins to get on line and to settle. A blue screen also appeared saying that one of disks needed to be scanned for errors and that it recoommended i didnt skip the process have seen this happen 3 times now but not before i started having these troubles? is this an out standing seperate issue or does this suggest a hardware issue/failure???

I have deleted the 04 file as we talked about just to be on the safe side. and i will continue to monitor the performance over the next couple of days to completely vanquish any fears that its going to reinstall itself or return.
I will let you know and thank you properly then. until them prelimanary kudos to you lil eagle (A.K.A the dude!)

I am then hoping you can tie up some loose ends ie deletes some of the programs/files and processes we have gone through just to maximise disk space and limit damage (ie hide the hidden system files we have "outed"

again thanks for your commitment to finding/fixing this problem to date , will be touch again shortly with a difinitive verdict.:)
 
Run - ATF Cleaner instructions here.

-------------------------------------

Download the OTMoveIt.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
Press cleanup & it will search for and delete/uninstall all the tools we have used :cool: and all their backup folders and then delete itself when you next reboot.

-------------------------------------

All so reset your restore points, please note that you will need to log into your computer with an account
which has full administrator access. You will know if the account has administrator access because
you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.


--------------------------

I'll keep this thread open for a few days. Safe surfing
 
Not sure???

LE, trust me, the last thing i wanted was to for me to writing this but ...it seems there may still be a problem. The pc though not doing it half as much is still spiking for no reason form time to time.This on its own would be acceptable if i could be sure it wasnt a threat as when its not happening the pc performance seems ok.

The things that worry me are the start up. Timed it at 20mins today looking on task manager the 2 programms with most procesess running were vault client SRV (think this may relate to a digital vault application i have for saving files dont remember it ever causing pc performance problems before the spyware issue and an application called ans LUCOMS~1.exe.
Norton loads last after everything else like messenger and IE. Most imprtantly i ran the security inspector which no probs for the last 3 days today was showing that IP addresess were again being directed to a differrent host.

Cant help thinking that all 3 problems are connected some how and unitil the comp loads up properly i cant be sure that the problem has been fixed. what do you think??:spider:
 
hjt log

as requested

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:03:34, on 04/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\LVComS.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Sitecom\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
C:\PROGRA~1\Logitech\Video\FxSvr2.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [OlStatusMon] "C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe" dvcStatusMinimize
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZKxdm015YYGB
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189783077718
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://uk.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: olMntrService - Olivetti - C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: BT Auto Backup Upgrade Service (VaultClientUpgrade) - BT - C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11252 bytes
 
Last edited by a moderator:
just need to check...

LE we are definately making progress..in fact i may have thought the situation worse than it actually is...I wasnt lying when i said the pc was still spiking it was. What i done was to uninstall and reinstall bt auto back up and its my digital vault. (linked with the vault.srv that was running so many processes on spiking)

Since i done this the spiking is so much smaller and so far its almost been a day without any major spikes, just to put your mind at rest it didnt always spike like this the virus must have affected it some how.

Being the paranoid android i am ,i still think i should run the stinger,what do you think?????? was the HJT log clear.?????? I thought i should check with you as on the instructions for running the scan it tells me to disable the system restore and then it should prompt me to reeboot. I did this and it didnt prompt me to reeboot. Is this important to reboot??? should i manually reeboot or just run it without does it matter????

Like i said its probably best i run this 1 last scan but on the other hand ithink were so close i didnt want to undo all our good work at the 11th hour if there is a risk to the system - The saying goes if it aint broke dont fix it...all very well but i dont know for sure it is!!!

Sall i still run it , turing off the restore and rebooting before scanning???
 
but...

still doesni explain why Ip addresses are getttng redirected to a different host intermittantly accoriding to security inspector on norton
 
it tells me to disable the system restore and then it should prompt me to reeboot.
Click to expand...
You do not need to disable system restore yet, but I would run the scan. Rebooting is necessary so that the files do not show up in other scans.
 
stimger

Ran as requested.

2things though downloaded form link you gave option no.1 (not epo version) and it says its out of date but the link for the updated version is the link you gave?? should i do the w32/pollip version and secondly poor i know but i couldnt work out how to scan my computer so the results are only for the c drive.


McAfee® Stinger Version 3.8.0 built on Sep 10 2007

Copyright © 2007 McAfee, Inc. All Rights Reserved.

Virus data file v1000 created on Sep 10 2007.

Ready to scan for 191 viruses, trojans and variants.

This product is outdated.

Please go to http://vil.nai.com/vil/stinger for an update.



Scan initiated on Sat Apr 05 10:54:35 2008

Number of clean files: 108079
 
Last edited by a moderator:
Lets run an F-Secure online scan.
  • Click HERE
  • Scroll to the bottom of the page and click the Start scanning button. A window will pop up.
  • Allow the Active X control to be installed on your computer, then click the Accept button
  • Click Full System Scan and allow the components to download and the scan to complete.
  • If malware is found, check Submit samples to F-Secure then select Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post
If Automatic cleaning with Submit samples hangs, click Cancel, then New Scan
  • When the cleaning option is presented, Uncheck Submit samples to F-Secure
  • Click Automatic cleaning
  • When cleaning has finished, click Show report (this will open an Internet Explorer window containing the report)
  • Highlight and Copy (CTRL + C) the complete report, and Paste (CTRL + V) in a new reply to this post

Note: This scan will only work with Internet Explorer.
You must be logged on a administrator rights to run this scan.
The scan may take a few hours.
 
F-secure results

As requested .....ugggggghhhhh i'm so hungover today!!!!


scanning Report
Sunday, April 06, 2008 10:58:01 - 14:53:41
Computer name: C600E805BDA44D4
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 2 malware found
RiskTool.Win32.PsKill (spyware)
System
Tracking Cookie (spyware)
System

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 31529
System: 3509
Not scanned: 8
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 2
Submitted: 0
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\PROGRAM FILES\COMMON FILES\SYMANTEC SHARED\CCPD-LC\SYMLCRST.DLL

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 2.30.0
F-Secure Hydra: 2.8.8110, 2008-04-05
F-Secure AVP: 7.0.171, 2008-04-05
F-Secure Pegasus: 1.20.0, 2008-02-28
F-Secure Blacklight: 1.0.64
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JPG LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------

Copyright © 1998-2007 Product support |Send virus sample to F-Secure
F-Secure assumes no responsibility for material created or published by third parties that F-Secure World Wide Web pages have a link to. Unless you have clearly stated otherwise, by submitting material to any of our servers, for example by E-mail or via our F-Secure's CGI E-mail, you agree that the material you make available may be published in the F-Secure World Wide Pages or hard-copy publications. You will reach F-Secure public web site by clicking on underlined links. While doing this, your access will be logged to our private access statistics with your domain name.This information will not be given to any third party. You agree not to take action against us in relation to material that you submit. Unless you have clearly stated otherwise, by submitting material you warrant that F-Secure may incorporate any concepts described in it in the F-Secure products/publications without liability.
 
Rescan with HiJackThis and post a new log here.
Also describe how your computer behaves at the moment Im' not seeing any reason for the increase in the CPU.
 
latest log

as requested attached is the log. Computer not regularly spiking like before or any where near as bad butaccording to task manager one i had just now was was probably caused by App.Svc32.exe looking at the processes

Computer runnning pretty well at the moment generally though when new windows are open they dont always open out full size they are opening in different shapes ie some are half the screen size others 3 quarters and some square shape this doesnt seem normal.

Also my keyboard seems to be playing up as alot of the buttons i press dont show even after changing the batteries but cant believe this is connected.

# still intriged to know what is redirecting my ip addresses every now and again. COuld it be that there has been a rule created to allow access through my firewall thus allowing the problem to return? the 2 spywear/rootkit problems found on the llast scan were they ones that we have already deleted before?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:48:29, on 06/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
C:\Program Files\Sitecom\Bluetooth Software\BTTray.exe
C:\WINDOWS\system32\LVComS.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\PROGRA~1\Sitecom\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\BT Auto Backup\VaultClientSRV.exe
C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.msn.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AdslTaskBar] rundll32.exe stmctrl.dll,TaskBar
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [OlStatusMon] "C:\Program Files\Olivetti\ANY_WAY\olDvcStatus.exe" dvcStatusMinimize
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BTAgile] C:\Program Files\BT Broadband Talk Softphone\BTAgile.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: BTTray.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Search - ?p=ZKxdm015YYGB
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BT Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Ladbrokes Poker - {C2A80015-C447-4dc4-82DD-AED83D6ED57E} - C:\Microgaming\Poker\ladbrokesMPP\MPPoker.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Sitecom\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {45A0A292-ECC6-4D8F-9EA9-A4BD411D24C1} (king.com) - http://www.king.com/ctl/kingcomie.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/win...ls/en/x86/client/wuweb_site.cab?1189783077718
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {924C1588-90C3-4910-B6CA-D57A1C0418FE} (YbUploadFavsCtl Class) - http://uk.bookmarks.yahoo.com/YbConvFav.CAB
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {BFF1950D-B1B4-4AE8-B842-B2CCF06D9A1B} (Zylom Games Player) - http://game05.zylom.com/activex/zylomgamesplayer.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation - C:\Program Files\Sitecom\Bluetooth Software\bin\btwdins.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: olMntrService - Olivetti - C:\Program Files\Olivetti\ANY_WAY\olMntrService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec RemoteAssist - Unknown owner - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe (file missing)
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: BT Auto Backup Service (VaultClientSRV) - BT - C:\Program Files\BT Auto Backup\VaultClientSRV.exe
O23 - Service: BT Auto Backup Upgrade Service (VaultClientUpgrade) - BT - C:\Program Files\BT Auto Backup\VaultClientUpgrade.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 11533 bytes
 
Last edited by a moderator:
Still not seeing any reason.

Are you fond of Symantec? This may be the reason for the spiking.

If so reinstall it, if not replace it.
 
Status
Not open for further replies.
Back
Top