Please Help. Cannot remove downloader virus

hi deano12345,

ok thanks for the logs. no clues there either. may has well try vundoFix:

VundoFix by Atri
Please download VundoFix.exe to your desktop.
http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.


Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
-------------------------------------------------------------
shelf life
 
Hi shelf life,
here are the reports you requested,

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.6

Scan started at 19:30:36 27/09/2006

Listing files found while scanning....

No infected files were found.


VundoFix V6.2.4

Checking Java version...

Java version is 1.5.0.6

Scan started at 08:03:17 16/10/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.2.4

Checking Java version...

Java version is 1.5.0.6

Scan started at 08:45:30 16/10/2006

Listing files found while scanning....

No infected files were found.

Logfile of HijackThis v1.99.1
Scan saved at 08:55:44, on 16/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Documents and Settings\lcc\Desktop\VundoFix.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRAM FILES\WINRAR\WinRAR.exe
C:\DOCUME~1\lcc\LOCALS~1\Temp\Rar$EX01.109\HijackThis.exe
C:\DOCUME~1\lcc\LOCALS~1\Temp\Rar$EX01.110\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: TeleSA.lnk = C:\Program Files\AVer Teletext\AVerSA.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147706307343
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E04FDE82-D487-4F9E-9697-F1F047CABE1B}: NameServer = 212.67.120.148 212.67.96.129
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CAISafe - Unknown owner - DESKTOP\eTrust EZ Antivirus\ISafe.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - DESKTOP\eTrust EZ Antivirus\VetMsg.exe (file missing)

Thanks for your continuing help and support shelf life,
deano12345 :)
 
hi deano12345,

that didnt help much. your running hjt out of a temp dir. now, did you download it again? needs to be in its own folder so it can safely make backups:

* Downloads:
* Please make sure you have the latest version. HJT 1.99.1
* http://www.downloads.subratam.org/hijackthis.zip
* If you are unfamiliar with zip programs get HijackThis.exe here:
* http://www.merijn.org/files/HijackThis.exe

* First put hijackthis into a permanent folder.
* Do this first - go to C: and create a new permanent folder.
Example C:\AntiSpyWare or C:\hijackthis
* This is necessary to ensure you have backups should anything go wrong.
* Then put (or download - choose "save" not "run") the hijackthis.exe file in this folder.
If you downloaded a zipped HJT file unzip it to the permanent folder so you have C:\hijackthis\hijackthis.exe.
* Example of the wrong way:
C:\DOCUME~1\Name\LOCALS~1\Temp\Temporary Directory for hijackthis.zip\HijackThis.exe
* Running hjt from the wrong folder may delay assistance as your helper will have to ask for a new log
----------------------------------------
we've done several things now, run ewido, smitfraud,silent runners, vundofix, and iam sure you have run windows defender and trojan remover. all are coming up clean. starting to think this is a false positive or maybe a stray leftover from something that nortons flagging. lets try
combofix for any clues:

download from one of these links:

http://download.bleepingcomputer.com/sUBs/combofix.exe
http://www.techsupportforum.com/sectools/combofix.exe

Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

shelf life
 
H shelf life,
sorry about the hjt log, don't know what happened there, must be an old one I still got on my computer. I'll have a look and get rid of it.
Here is the combo fix report as requested.
Cheers for your help shelf life.
deano 12345

ComboFix 06.10.16 - Running from: "C:\Documents and Settings\lcc\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-17 to 2006-10-17 ))))))))))))))))))))))))))))))))))


2006-10-12 23:52 28,672 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\CO_Mon.sys
2006-10-12 21:24 48,816 --a------ C:\WINDOWS\SYSTEM32\S32EVNT1.DLL
2006-10-12 21:24 109,744 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SYMEVENT.SYS
2006-10-09 18:45 75,264 --a------ C:\WINDOWS\SYSTEM32\unacev2.dll
2006-10-09 18:45 153,088 --a------ C:\WINDOWS\SYSTEM32\UNRAR3.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-16 12:26 1568656 --ah----- C:\Documents and Settings\lcc\Application Data\IconCache.db
2006-10-12 21:25 -------- d-------- C:\Program Files\Norton AntiVirus
2006-10-12 21:24 10344 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\symlcbrd.sys
2006-10-12 16:01 -------- d-------- C:\Program Files\Symantec Technical Support
2006-10-05 15:23 -------- d-------- C:\Program Files\Kaspersky Lab
2006-10-03 20:49 -------- d-------- C:\Program Files\TrojanHunter 4.6
2006-09-28 14:16 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-09-19 15:47 -------- d-------- C:\Program Files\WinClear
2006-09-13 06:01 1084416 --a------ C:\WINDOWS\SYSTEM32\msxml3.dll
2006-09-10 12:40 16384 --a------ C:\Documents and Settings\lcc\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
2006-08-30 18:17 -------- d-------- C:\Program Files\GD Winamp Control
2006-08-25 16:45 617472 --a------ C:\WINDOWS\SYSTEM32\comctl32.dll
2006-08-23 19:43 -------- d-------- C:\Program Files\Windows Installer Clean Up
2006-08-23 00:31 5906432 --------- C:\WINDOWS\SYSTEM32\ieframe.dll
2006-08-23 00:31 50688 --------- C:\WINDOWS\SYSTEM32\msfeedsbs.dll
2006-08-23 00:31 457728 --------- C:\WINDOWS\SYSTEM32\msfeeds.dll
2006-08-23 00:31 413696 --a------ C:\WINDOWS\SYSTEM32\vbscript.dll
2006-08-23 00:31 225792 --a------ C:\WINDOWS\SYSTEM32\webcheck.dll
2006-08-23 00:31 175616 --------- C:\WINDOWS\SYSTEM32\ieui.dll
2006-08-23 00:31 152064 --a------ C:\WINDOWS\SYSTEM32\msls31.dll
2006-08-23 00:18 78336 --a------ C:\WINDOWS\SYSTEM32\ieencode.dll
2006-08-23 00:18 206336 --------- C:\WINDOWS\SYSTEM32\WinFXDocObj.exe
2006-08-23 00:17 40448 --a------ C:\WINDOWS\SYSTEM32\licmgr10.dll
2006-08-23 00:17 105472 --a------ C:\WINDOWS\SYSTEM32\url.dll
2006-08-23 00:17 100352 --a------ C:\WINDOWS\SYSTEM32\occache.dll
2006-08-23 00:16 16896 --a------ C:\WINDOWS\SYSTEM32\corpol.dll
2006-08-23 00:14 378368 --a------ C:\WINDOWS\SYSTEM32\iedkcs32.dll
2006-08-23 00:14 229376 --a------ C:\WINDOWS\SYSTEM32\ieaksie.dll
2006-08-23 00:13 71680 --a------ C:\WINDOWS\SYSTEM32\admparse.dll
2006-08-23 00:13 55296 --a------ C:\WINDOWS\SYSTEM32\iesetup.dll
2006-08-23 00:13 54784 --a------ C:\WINDOWS\SYSTEM32\ie4uinit.exe
2006-08-23 00:13 43008 --a------ C:\WINDOWS\SYSTEM32\iernonce.dll
2006-08-23 00:13 152064 --a------ C:\WINDOWS\SYSTEM32\ieakeng.dll
2006-08-23 00:13 122880 --a------ C:\WINDOWS\SYSTEM32\advpack.dll
2006-08-23 00:13 11776 --a------ C:\WINDOWS\SYSTEM32\ieudinit.exe
2006-08-23 00:11 12288 --------- C:\WINDOWS\SYSTEM32\msfeedssync.exe
2006-08-23 00:10 61440 --------- C:\WINDOWS\SYSTEM32\icardie.dll
2006-08-23 00:10 35328 --a------ C:\WINDOWS\SYSTEM32\imgutil.dll
2006-08-23 00:09 262656 --------- C:\WINDOWS\SYSTEM32\iertutil.dll
2006-08-23 00:07 45568 --a------ C:\WINDOWS\SYSTEM32\mshta.exe
2006-08-22 23:37 48128 --a------ C:\WINDOWS\SYSTEM32\mshtmler.dll
2006-08-22 23:36 380928 --------- C:\WINDOWS\SYSTEM32\ieapfltr.dll
2006-08-22 23:30 161792 --a------ C:\WINDOWS\SYSTEM32\ieakui.dll
2006-08-21 13:21 16896 --a------ C:\WINDOWS\SYSTEM32\fltlib.dll
2006-08-21 10:14 23040 --a------ C:\WINDOWS\SYSTEM32\fltmc.exe
2006-08-21 10:14 128896 --------- C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
2006-08-16 12:58 100352 --a------ C:\WINDOWS\SYSTEM32\6to4svc.dll
2006-08-10 19:46 22752 --a------ C:\WINDOWS\SYSTEM32\spupdsvc.exe
2006-08-07 16:02 534208 --a------ C:\WINDOWS\SYSTEM32\SymNeti.dll
2006-08-07 16:02 161472 --a------ C:\WINDOWS\SYSTEM32\SymRedir.dll
2006-07-27 14:24 679424 --a------ C:\WINDOWS\SYSTEM32\inetcomm.dll
2006-07-21 09:24 72704 --a------ C:\WINDOWS\SYSTEM32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"STManager"="\"C:\\Program Files\\SpeedTouch\\Dr SpeedTouch\\drst.exe\" -b"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.0.720.3640\\GoogleToolbarNotifier.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"SystemTray"="SysTray.Exe"
"SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="\"C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe\" /tray"
"SiSPower"="Rundll32.exe SiSPower.dll,ModeAgent"
"QuickFinder Scheduler"="\"C:\\Program Files\\WordPerfect Office 11\\Programs\\QFSCHD110.EXE\""
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{81559C35-8464-49F7-BB0E-07A383BEF910}"="SpywareGuard"
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoDrives"=dword:00000000
"NoViewOnDrive"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - lcc.job

Completion time: 06-10-17 9:59:07.60
C:\ComboFix.txt ... 06-10-17 09:59
 
hi deano12345,

nothing in there either, everything ive seen so far looks ok. no clues anywhere.i think norton is flagging a false positive.
cant remember, you may have this: ATFcleaner. good to have and use once in a while. check select all, then click on empty selected. link:

http://www.atribune.org/content/view/19/2/

hows it looking on that end?

shelf life
 
Hi shelf life,
I do Have ATF cleaner and have just run it.
Whan the folder number on the virus alert keeps changing ie; from tmp6E.tmp to tmp6F.tmp etc., is this still possibly a false positive alert ?, and if so how can I get rid of it ? Otherwise there is nothing going drastically wrong with my computer other than it is definitely slower to load and to retrieve mail etc., and it's freezing quite a bit, so something is amiss somewhere.
Thanks once again for your untiring help shelf life, it's much appreciated.
deano12345
 
hi deano12345,

from tmp6E.tmp to tmp6F.tmp etc., is this still possibly a false positive alert ?
Click to expand...

no, that shouldnt be happening.
------------------------------------------
let try cwshredder.
please download the stand alone version of cwshredder from here:

http://www.intermute.com/spysubtract/cwshredder_download.html

click the icon to launch it, then click on the "fix" button. it will scan and tell you if it found anything.
---------------------------------------------
also please use pandas online scanner:

Panda ActiveScan

http://www.pandasoftware.com/products/activescan.htm

* click the Scan your PC button
* A new window will open...click the Check Now button
* Enter your Country if not already posted
* Enter your State or Province
* Enter your e-mail address and click send
* Select either Home User or Company
* Click the big Scan Now button
* If prompted to install the ActiveX component-- allow it
* It will start downloading files it needs for the scan
* When the download is complete, click on My Computer to start
* When the scan completes, if anything malicious is found, click the See Report button, then Save Report and save it somewhere so you can find it. Post the contents of the ActiveScan report in next reply.

shelf life
 
Hi shelf life,
I ran cwshredder but it didn't find anything, then I ran panda active scan and it came up with some stuff, hope this is the one.
My computer is running weird now. Lots of strange things happening, losing colour and pages becoming transparent. Takes ages now to get onto a site, page is usually blank.
Here is the panda report, I've got my fingers and toes crossed.
Thanks shelf life,
deano12345


Incident Status Location

Adware:adware program Not disinfected c:\windows\ss3unstl.exe
Potentially unwanted tool:Application/Restart Not disinfected C:\WINDOWS\SYSTEM32\Tools\Restart.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\lcc\My Documents\My Completed Downloads\VirtumundoBeGone.exe[²ƒÇ]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\lcc\My Documents\My Completed Downloads\rebuilt.SmitfraudFix.zip[SmitfraudFix/Process.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\lcc\My Documents\My Completed Downloads\New Folder\SmitfraudFix.zip[SmitfraudFix/Process.exe]
 
hi deano12345,

more bad news. with the exception (maybe) of the first item all the rest is ok.
VirtumundoBeGone.exe is a removal tool, the others are part of smitfraud. some apps may list them as suspicious or unwanted.
lets not even worry about the first one for now. you have windows defender installed, is that flagging anything?

lets try another online scanner

Kaspersky virus scanner
http://www.kaspersky.com/virusscanner


Click on Kaspersky Online Scanner button
click accept to the mumbo jumbo

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:(this make take awhile to complete)
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
o Scan using the following Anti-Virus database:
>Extended (if available otherwise Standard)
o Scan Options:
>Scan Archives
>Scan Mail Bases
* Click OK
* Now under select a target to scan:
>Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
o Now click on the Save as Text button:
* Save the file to your desktop.
* Copy and paste that information in your next post.
-----------------------------------------
shelf life
 
Hi shelf life,
Here is the kaspersky report. It's found some stuff, hope it's the one,
Thankyou for your time, it's really appreciated,
deano12345

Ps., what does object locked, skipped, mean in the scanner report please shelf life?

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, October 20, 2006 5:13:15 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 20/10/2006
Kaspersky Anti-Virus database records: 233275
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 128268
Number of viruses found: 1
Number of infected objects: 9 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:42:42

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Norton AntiVirus\Savrt\0499NAV~.TMP Object is locked skipped
C:\Program Files\Norton AntiVirus\Savrt\0834NAV~.TMP Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-07182006-155723.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\Incoming\AP950.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2006-10-20_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\lcc\Local Settings\Temp\~DFD3C7.tmp Object is locked skipped
C:\Documents and Settings\lcc\Local Settings\Temp\~DFD3F5.tmp Object is locked skipped
C:\Documents and Settings\lcc\Local Settings\Temp\~DF8EFA.tmp Object is locked skipped
C:\Documents and Settings\lcc\Local Settings\Temp\~DF534D.tmp Object is locked skipped
C:\Documents and Settings\lcc\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lcc\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lcc\Local Settings\Temporary Internet Files\AntiPhishing\2997C193-A464-4307-88C9-F9C00083CD16.dat Object is locked skipped
C:\Documents and Settings\lcc\My Documents\My Completed Downloads\rebuilt.SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\lcc\My Documents\My Completed Downloads\rebuilt.SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\lcc\My Documents\My Completed Downloads\New Folder\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\lcc\My Documents\My Completed Downloads\New Folder\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\lcc\Desktop\norton smit fraud silent runner etc\SmitfraudFix\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\lcc\Desktop\norton smit fraud silent runner etc\SmitfraudFix\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\lcc\Desktop\norton smit fraud silent runner etc\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\lcc\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Windows Defender\FileTracker\{87C59C21-B72A-4077-883F-23086CF0E253} Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\GatherLogs\MyIndex\MyIndex.218.gthr Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\GatherLogs\MyIndex\MyIndex.218.Crwl Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Idm.gthr Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Ntfy59.gthr Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Crwl2659.gthr Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\NlFiles\CiST0000.000 Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\NlFiles\DocId.Map Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\Build\Indexer\CiFiles\00010002.ci Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.Dir Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Crwl2660.gthr Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Crwl2661.gthr Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.idx Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h0.Dir Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h0 Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h1.Dir Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h1 Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h3 Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4A.Dir Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4A Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4B.Dir Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Hash.gthr.h4B Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Crwl2662.gthr Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Crwl2663.gthr Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Crwl2664.gthr Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Crwl2665.gthr Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Projects\MyIndex\MyIndex.Crwl2666.gthr Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\tmp.edb Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\MSS.log Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Applications\RSApp\Properties\RSApp.edb Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Logs\MAPI.txt Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\Ntf34.tmp Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\Ntf35.tmp Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Microsoft\Desktop Search\Temp\rssgthrsvc\Perflib_Perfdata_f64.dat Object is locked skipped
C:\Documents and Settings\lcc\Application Data\Symantec\PendingAlertsQueue.log Object is locked skipped
C:\Documents and Settings\lcc\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\lcc\ntuser.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\System Volume Information\_restore{A12CDB5E-762E-4B0F-984B-8A2AC182E2D7}\RP32\A0002897.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{A12CDB5E-762E-4B0F-984B-8A2AC182E2D7}\RP42\A0039196.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{A12CDB5E-762E-4B0F-984B-8A2AC182E2D7}\RP113\change.log Object is locked skipped

Scan process completed.
 
Hi shelf life,
forgot to add that windows defender hasn't flagged anything but I checked all of defender's history and it's completely blank, like nothing has ever happened, don't know if this is 'cos my system was good or something more sinister. I'm probably getting really paranoid now after this downloader virus :D:
deano12345
 
hi deano12345,

not much in the kaspersky scan. those files it cant scan are part of windows operating system and are "locked" by windows.

so you did a recent scan with windows defender? and it came up clean?
rescan and post a new hjt log please, since its been awhile. see if anything has changed.

shelf life
 
Hi shelf life,
sorry about the delay in getting back to you but as you can guess I've been having problems with my computer.
I did a defender scan and will send you my new hjt log.
Thankyou,deano12345

Logfile of HijackThis v1.99.1
Scan saved at 19:08:25, on 23/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Analog Devices\SoundMAX\Smax4.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\MSN\MSNCoreFiles\msn6.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\big jack this\HijackThis.exe
C:\big jack this\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: (no name) - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [STManager] "C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearch.exe
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O4 - Global Startup: TeleSA.lnk = C:\Program Files\AVer Teletext\AVerSA.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147706307343
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by103fd.bay103.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{E04FDE82-D487-4F9E-9697-F1F047CABE1B}: NameServer = 212.67.120.148
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CAISafe - Unknown owner - DESKTOP\eTrust EZ Antivirus\ISafe.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Unknown owner - DESKTOP\eTrust EZ Antivirus\VetMsg.exe (file missing)

ps. What is the virus and the infections that kaspersky found ? I realise they are not a danger otherwise you would get rid of them for me, but it would be good for my computer education to know. :)
 
hi deano12345,

no problem.

What is the virus and the infections that kaspersky found ?
Click to expand...
i dont recogonize a virus in the list. the "infected" files are the components of the smitfraudFix.

iam at a loss to explain the tmp files found by norton.

looking back we have run quite afew removal tools, two diagnostic tools (silent runners,combofix) and did two on line scans. ive looked at the logs everyway but upside down, i cant find any clues in them unless iam missing something somewhere.

lets try this. that smitfraud fix you ran has since been updated. so please delete the smiftfraud folder and download the updated version from here:

http://siri.urz.free.fr/Fix/SmitfraudFix_En.php

extract it to its own folder like last time, click on the gear looking icon to launch, chose the first step (search). save the report somewhere. exit smitfraud. post the report in reply.

shelf life
 
Hi shelf life,
this is the 3rd time i've tried to send this as my computer keeps freezing. It sure is a tough one. I really appreciate your effort in trying to find a solution.
Here goes with the smitfraud fix report,
many thanks,
deano12345

SmitFraudFix v2.113

Scan done at 11:35:52.04, 24/10/2006
Run from C:\Documents and Settings\lcc\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\lcc


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\lcc\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\lcc\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Great it worked :)
 
Hi shelf life,
I got a reply from spyware warriors about this problem. I asked for help same time as i asked you but they just replied to me.
I told them I was talking to you about this and I sent a log. I was speaking to blender and he told me to tell you that he suspects a rootkit,also I might ask you about Gmer and getting a bootlog.
You might also guide me through a scan with Blacklight and a couple other rootkit scanners.
I hope this helps shelf life, it's all double dutch to me of course.
also he asked me to post this link to you.
Thanks once again for all your time.
deano12345
http://www.spywarewarrior.com/viewtopic.php?t=22897&highlight=deano12345
 
hi deano12345,

good thanks for all the info. yes i think we have exhausted all are efforts for your general -run -of -the-mill malware. lets try f-secures blacklight first. you can download it here:

http://www.f-secure.com/blacklight/try_blacklight.html

click the iaccept button
click the first download button (version with grapichal user interface)
save it to your desktop, double click the icon on the desktop to launch (blbeta.exe)
click scan, after it finishes it should put a log on your desktop, please post the log.

shelf life
 
hi shelf life,
here is the blacklight report. looks like it didn't pick anything up.
It looks like a tough one.
many thanks,
deano12345


10/25/06 10:20:52 [Info]: BlackLight Engine 1.0.47 initialized
10/25/06 10:20:52 [Info]: OS: 5.1 build 2600 (Service Pack 2)
10/25/06 10:20:54 [Note]: 7019 4
10/25/06 10:20:54 [Note]: 7005 0
10/25/06 10:21:05 [Note]: 7006 0
10/25/06 10:21:06 [Note]: 7011 656
10/25/06 10:21:06 [Note]: 7026 0
10/25/06 10:21:06 [Note]: 7026 0
10/25/06 10:21:20 [Note]: FSRAW library version 1.7.1020
10/25/06 10:23:19 [Note]: 7007 0
 
Hi shelf life,
As requested the rootkit reveal log.
Many thanks,
deano12345

HKLM\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo\DSQUERY 03/09/2006 06:54 9 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Symantec\SharedDefs\NAVNT_50_AP1 26/10/2006 10:27 104 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Symantec\SharedDefs\NAVNT_50_AP2 26/10/2006 10:27 104 bytes Data mismatch between Windows API and raw hive data.
C:\Program Files\Common Files\Symantec Shared\VirusDefs\20061025.039\vscanmsx.dat 26/10/2006 11:06 2.02 KB Hidden from Windows API.
C:\Program Files\Norton AntiVirus\Savrt\0977NAV~.TMP 26/10/2006 11:07 0 bytes Hidden from Windows API.
 
You must log in or register to reply here.
Back
Top