I am getting buffer overflow protection warnings from McAfee with these offending messages:
C:\Program Files\Internet Explorer\iexplore.exe::GetProcAddress
bo:heap
C:\Program Files\Internet Explorer\iexplore.exe
I get the message every time I turn on my laptop and connect to the internet.
It's causing my laptop to run slower than usual and my internet speed has dropped.
ComboFix 09-03-25.03 - Loraine 2009-03-26 15:44:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.222.66 [GMT 0:00]
Running from: c:\documents and settings\Loraine\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Loraine\Desktop\CFScript.txt
* Created a new restore point
* Resident AV is active
FILE ::
c:\windows\Ddawab.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\program files\uTorrent
c:\program files\uTorrent\14458-utorrent.1717.dmp
c:\program files\uTorrent\14458-utorrent.94bf.dmp
c:\program files\uTorrent\14458-utorrent.d075.dmp
c:\windows\Ddawab.dll
.
((((((((((((((((((((((((( Files Created from 2009-02-26 to 2009-03-26 )))))))))))))))))))))))))))))))
.
2009-03-26 12:09 . 2009-03-26 15:44 <DIR> d-------- C:\quarantine
2009-03-26 00:54 . 2009-03-26 00:54 <DIR> d-------- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-03-26 00:50 . 2009-03-26 00:50 <DIR> d-------- c:\program files\MSXML 4.0
2009-03-25 11:43 . 2009-03-25 11:43 <DIR> d---s---- c:\documents and settings\Loraine\UserData
2009-03-25 09:51 . 2008-10-16 14:06 268,648 --a------ c:\windows\system32\mucltui.dll
2009-03-25 09:51 . 2008-10-16 14:06 208,744 --a------ c:\windows\system32\muweb.dll
2009-03-25 09:51 . 2008-10-16 14:06 27,496 --a------ c:\windows\system32\mucltui.dll.mui
2009-03-24 23:11 . 2009-03-24 23:11 <DIR> d-------- c:\program files\Trend Micro
2009-03-24 22:53 . 2009-03-24 22:53 <DIR> d-------- c:\program files\ERUNT
2009-03-24 22:43 . 2009-03-24 22:43 <DIR> d-------- c:\program files\Spybot - Search & Destroy
2009-03-24 22:43 . 2009-03-24 22:49 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-24 18:44 . 2009-03-25 10:30 <DIR> d-------- c:\windows\system32\CatRoot_bak
2009-03-24 14:39 . 2008-08-14 10:00 2,180,352 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2009-03-24 14:39 . 2008-08-14 09:58 2,136,064 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2009-03-24 14:39 . 2008-08-14 09:22 2,057,728 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2009-03-24 14:39 . 2008-08-14 09:22 2,015,744 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2009-03-24 14:33 . 2008-05-01 14:30 331,776 -----c--- c:\windows\system32\dllcache\msadce.dll
2009-03-24 14:29 . 2008-06-13 13:10 272,128 -----c--- c:\windows\system32\dllcache\bthport.sys
2009-03-24 14:17 . 2008-12-12 17:33 3,060,224 -----c--- c:\windows\system32\dllcache\mshtml.dll
2009-03-24 14:08 . 2008-10-24 11:10 453,632 -----c--- c:\windows\system32\dllcache\mrxsmb.sys
2009-03-24 13:55 . 2008-10-15 16:57 332,800 -----c--- c:\windows\system32\dllcache\netapi32.dll
2009-03-24 11:26 . 2008-12-11 11:57 333,184 -----c--- c:\windows\system32\dllcache\srv.sys
2009-03-24 11:12 . 2009-03-26 13:26 <DIR> d-------- c:\documents and settings\Loraine\Tracing
2009-03-24 11:07 . 2009-03-24 11:07 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-24 11:07 . 2009-03-24 11:07 <DIR> d-------- c:\program files\Microsoft
2009-03-24 11:06 . 2009-03-24 11:07 <DIR> d-------- c:\program files\Windows Live
2009-03-24 10:55 . 2009-03-24 10:55 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-03-24 10:55 . 2008-05-07 05:18 1,287,680 -----c--- c:\windows\system32\dllcache\quartz.dll
2009-03-24 10:55 . 2008-09-04 16:42 1,106,944 -----c--- c:\windows\system32\dllcache\msxml3.dll
2009-03-24 10:23 . 2008-06-20 10:45 360,320 -----c--- c:\windows\system32\dllcache\tcpip.sys
2009-03-24 10:23 . 2008-06-20 17:41 245,248 -----c--- c:\windows\system32\dllcache\mswsock.dll
2009-03-24 10:23 . 2008-08-14 09:51 138,368 -----c--- c:\windows\system32\dllcache\afd.sys
2009-03-24 10:23 . 2006-08-16 11:58 100,352 -----c--- c:\windows\system32\dllcache\6to4svc.dll
2009-03-24 10:21 . 2009-03-26 00:56 <DIR> d--h----- c:\windows\$hf_mig$
2009-03-23 23:42 . 2009-03-23 23:47 <DIR> d-------- c:\program files\Google
2009-03-23 23:42 . 2009-03-26 11:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Google Updater
2009-03-23 17:23 . 2009-03-25 17:29 512 --a------ c:\windows\randseed.rnd
2009-03-23 17:02 . 2008-04-11 18:50 683,520 -----c--- c:\windows\system32\dllcache\inetcomm.dll
2009-03-23 16:49 . 2009-03-23 16:49 <DIR> d-------- c:\windows\Icons
2009-03-23 16:22 . 2009-03-24 21:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\Kontiki
2009-03-23 16:22 . 2009-03-23 16:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Channel4
2009-03-23 14:36 . 2009-03-23 14:36 11,264 --a------ c:\documents and settings\Loraine\Application Data\nSvcAppFlt.exe
2009-03-23 14:10 . 2008-10-03 10:15 247,326 -----c--- c:\windows\system32\dllcache\strmdll.dll
2009-03-23 14:07 . 2009-03-23 15:15 <DIR> d-------- c:\documents and settings\Loraine\Application Data\DivX
2009-03-23 13:54 . 2006-10-04 14:06 1,197,294 -----c--- c:\windows\system32\dllcache\sysmain.sdb
2009-03-23 13:54 . 2006-10-04 14:06 764,868 -----c--- c:\windows\system32\dllcache\apph_sp.sdb
2009-03-23 13:54 . 2006-10-04 14:06 217,118 -----c--- c:\windows\system32\dllcache\apphelp.sdb
2009-03-23 13:53 . 2009-03-23 13:53 <DIR> d-------- c:\program files\Windows Media Connect 2
2009-03-23 13:50 . 2009-03-23 13:50 <DIR> d-------- c:\windows\system32\LogFiles
2009-03-23 13:50 . 2009-03-23 13:52 <DIR> d-------- c:\windows\system32\drivers\UMDF
2009-03-23 12:43 . 2009-03-23 12:45 <DIR> d-------- c:\program files\DivX
2009-03-23 12:43 . 2009-03-23 12:44 <DIR> d-------- c:\program files\Common Files\DivX Shared
2009-03-23 10:33 . 2009-03-23 10:33 <DIR> d-------- c:\documents and settings\Loraine\Application Data\Birdstep Technology
2009-03-23 10:33 . 2009-03-23 10:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\Birdstep Technology
2009-03-23 10:33 . 2007-05-28 17:00 10,240 --------- c:\windows\system32\drivers\mdvrmng.sys
2009-03-23 10:32 . 2008-03-16 12:47 872,192 --a------ c:\windows\system32\drivers\mod7700.sys
2009-03-23 10:32 . 2008-03-17 09:56 103,168 --a------ c:\windows\system32\drivers\ewusbfake.sys
2009-03-23 10:32 . 2008-03-17 09:03 101,376 --a------ c:\windows\system32\drivers\ewusbmdm.sys
2009-03-23 10:32 . 2008-01-22 13:09 100,992 --a------ c:\windows\system32\drivers\ewusbnet.sys
2009-03-23 10:32 . 2004-08-03 22:08 31,616 --a------ c:\windows\system32\drivers\usbccgp.sys
2009-03-23 10:32 . 2004-08-03 22:08 31,616 --a--c--- c:\windows\system32\dllcache\usbccgp.sys
2009-03-23 10:32 . 2007-08-09 02:13 24,448 --a------ c:\windows\system32\drivers\ewdcsc.sys
2009-03-23 10:31 . 2009-03-23 10:31 <DIR> d-------- c:\program files\Huawei Modems
2009-03-23 10:31 . 2009-03-23 10:31 <DIR> d-------- c:\program files\3
2009-03-23 10:31 . 2009-03-23 10:31 76,118 --a------ c:\windows\Huawei ModemsUninstall.exe
2009-03-23 10:30 . 2004-08-03 22:08 26,496 --a--c--- c:\windows\system32\dllcache\usbstor.sys
2009-03-19 15:08 . 2009-03-19 15:08 499,712 --a------ c:\windows\system32\msvcp71.dll
2009-03-19 15:08 . 2009-03-19 15:08 348,160 --a------ c:\windows\system32\msvcr71.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-24 21:34 --------- d--h--w c:\program files\InstallShield Installation Information
2009-02-09 10:19 1,846,272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 18:52 49,504 ----a-w c:\windows\system32\sirenacm.dll
2009-01-27 01:35 9,464 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-01-27 01:35 9,336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-01-27 01:35 43,528 ------w c:\windows\system32\drivers\PxHelp20.sys
2009-01-27 01:35 129,784 ------w c:\windows\system32\pxafs.dll
2009-01-27 01:35 120,056 ------w c:\windows\system32\pxcpyi64.exe
2009-01-27 01:35 118,520 ------w c:\windows\system32\pxinsi64.exe
2009-01-27 01:34 90,112 ----a-w c:\windows\system32\dpl100.dll
2009-01-27 01:34 823,296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-01-27 01:34 823,296 ----a-w c:\windows\system32\divx_xx07.dll
2009-01-27 01:34 815,104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-01-27 01:34 802,816 ----a-w c:\windows\system32\divx_xx11.dll
2009-01-27 01:34 684,032 ----a-w c:\windows\system32\DivX.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-03 15360]
"Win32load"="c:\documents and settings\Loraine\Application Data\nSvcAppFlt.exe" [2009-03-23 11264]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-03-23 39408]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"SiS Tray"="c:\windows\System32\sistray.EXE" [2003-06-26 303104]
"SiS KHooker"="c:\windows\System32\khooker.exe" [2003-05-29 294912]
"Smapp"="c:\program files\Analog Devices\SoundMAX\SMTray.exe" [2003-05-05 143360]
"ShStatEXE"="c:\program files\Network Associates\VirusScan\SHSTAT.EXE" [2004-09-22 94208]
"McAfeeUpdaterUI"="c:\program files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 139320]
"Network Associates Error Reporting Service"="c:\program files\Common Files\Network Associates\TalkBack\TBMon.exe" [2003-10-07 147514]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\System32\CTFMON.EXE" [2004-08-03 15360]
c:\documents and settings\Loraine\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Consola KIT ADSL.lnk - c:\program files\Telefonica\Kit ADSL USB\dslmon.exe [2006-02-15 901272]
Update Agent.lnk - c:\program files\3\3Connect\AutoUpdateSrv.exe [2009-03-23 479232]
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Documents and Settings\\Loraine\\Application Data\\nSvcAppFlt.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
R2 gupdate1c9ac1177cb3bb0;Google Update Service (gupdate1c9ac1177cb3bb0);c:\program files\Google\Update\GoogleUpdate.exe [2009-03-23 133104]
S1 NaiAvTdi1;NaiAvTdi1;c:\windows\system32\drivers\mvstdi5x.sys [2005-01-14 58464]
S2 mdvrmng;Mobile IP Route Manager;c:\windows\system32\drivers\mdvrmng.sys [2007-05-28 10240]
--- Other Services/Drivers In Memory ---
*NewlyCreated* - ENTDRV51
*Deregistered* - ALG
*Deregistered* - AudioSrv
*Deregistered* - BITS
*Deregistered* - Browser
*Deregistered* - CryptSvc
*Deregistered* - DcomLaunch
*Deregistered* - Dhcp
*Deregistered* - dmserver
*Deregistered* - Dnscache
*Deregistered* - EntDrv51
*Deregistered* - ERSvc
*Deregistered* - EventSystem
*Deregistered* - FastUserSwitchingCompatibility
*Deregistered* - gupdate1c9ac1177cb3bb0
*Deregistered* - gusvc
*Deregistered* - helpsvc
*Deregistered* - ImapiService
*Deregistered* - lanmanserver
*Deregistered* - lanmanworkstation
*Deregistered* - LmHosts
*Deregistered* - McAfeeFramework
*Deregistered* - McShield
*Deregistered* - McTaskManager
*Deregistered* - Netman
*Deregistered* - Nla
*Deregistered* - PolicyAgent
*Deregistered* - PptpMiniport
*Deregistered* - ProtectedStorage
*Deregistered* - PSched
*Deregistered* - RasAcd
*Deregistered* - Rasl2tp
*Deregistered* - RasMan
*Deregistered* - RasPppoe
*Deregistered* - Raspti
*Deregistered* - Rdbss
*Deregistered* - RDPCDD
*Deregistered* - rdpdr
*Deregistered* - RemoteRegistry
*Deregistered* - RpcSs
*Deregistered* - SamSs
*Deregistered* - Schedule
*Deregistered* - Secdrv
*Deregistered* - seclogon
*Deregistered* - SENS
*Deregistered* - SharedAccess
*Deregistered* - ShellHWDetection
*Deregistered* - SoundMAX Agent Service (default)
*Deregistered* - Spooler
*Deregistered* - sr
*Deregistered* - srservice
*Deregistered* - Srv
*Deregistered* - SSDPSRV
*Deregistered* - swenum
*Deregistered* - TapiSrv
*Deregistered* - TermDD
*Deregistered* - TermService
*Deregistered* - Themes
*Deregistered* - TrkWks
*Deregistered* - Update
*Deregistered* - VgaSave
*Deregistered* - VolSnap
*Deregistered* - W32Time
*Deregistered* - Wanarp
*Deregistered* - WebClient
*Deregistered* - winmgmt
*Deregistered* - wscsvc
*Deregistered* - wuauserv
*Deregistered* - WZCSVC
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{addfa530-1795-11de-a9be-0030135d51a9}]
\Shell\AutoRun\command - E:\AutoRun.exe
.
Contents of the 'Scheduled Tasks' folder
2009-03-26 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-03-23 23:42]
2009-03-26 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-03-23 23:45]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-Anefisawa - c:\windows\Ddawab.dll
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
TCP: {E2FD7400-FDEB-4F97-9A09-850ADF82B9CF} = 4.2.2.4 4.2.2.3
.
**************************************************************************
catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2009-03-26 15:46:54
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'lsass.exe'(608)
c:\windows\system32\EntApi.dll
.
Completion time: 2009-03-26 15:49:22
ComboFix-quarantined-files.txt 2009-03-26 15:49:07
ComboFix2.txt 2009-03-26 12:29:34
ComboFix3.txt 2009-03-26 12:17:01
Pre-Run: 33,314,844,672 bytes free
Post-Run: 33,311,948,800 bytes free
250 --- E O F --- 2009-03-26 00:57:00
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:01:31, on 26/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\Program Files\3\3Connect\Wilog.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Win32load] C:\Documents and Settings\Loraine\Application Data\nSvcAppFlt.exe -lds
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Consola KIT ADSL.lnk = ?
O4 - Global Startup: Update Agent.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2FD7400-FDEB-4F97-9A09-850ADF82B9CF}: NameServer = 4.2.2.4 4.2.2.3
O23 - Service: Google Update Service (gupdate1c9ac1177cb3bb0) (gupdate1c9ac1177cb3bb0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 5134 bytes
Malwarebytes' Anti-Malware 1.34
Database version: 1902
Windows 5.1.2600 Service Pack 2
26/03/2009 17:15:48
mbam-log-2009-03-26 (17-15-48).txt
Scan type: Full Scan (C:\|)
Objects scanned: 93629
Time elapsed: 39 minute(s), 17 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win32load (Trojan.FakeAlert) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:17:56, on 26/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\3\3Connect\AutoUpdateSrv.exe
C:\Program Files\3\3Connect\Wilog.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL =
http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page =
http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS Tray] C:\WINDOWS\System32\sistray.EXE
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: Consola KIT ADSL.lnk = ?
O4 - Global Startup: Update Agent.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2FD7400-FDEB-4F97-9A09-850ADF82B9CF}: NameServer = 4.2.2.4 4.2.2.3
O23 - Service: Google Update Service (gupdate1c9ac1177cb3bb0) (gupdate1c9ac1177cb3bb0) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
--
End of file - 5219 bytes
I'm no longer getting a message pop up from virus scan when I turn my laptop on. I'll report back with how my internet speed is.