Virtumonde infection

A

ad astra

New member
Hi.....and a big thank you
As requested have started a fresh topic
Have tried using Spyware Doctor & ESET NOD32 to no avail (only ever run one at any given time)
also Zone Alarm pro
HJT log as follows

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:06:01, on 10/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
F:\Power Suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
F:\dfrag\PDAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
F:\dfrag\PDEngine.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
F:\Power Suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
C:\WINDOWS\system32\rundll32.exe
F:\OPERA\Opera.exe
C:\Program Files\Outlook Express\msimn.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0786bf9b-1faa-4bef-ae95-3b720a759a94} - C:\WINDOWS\system32\sosilore.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [20ae1e2e] rundll32.exe "C:\WINDOWS\system32\hahohetu.dll",b
O4 - HKLM\..\Run: [vimebuyure] Rundll32.exe "C:\WINDOWS\system32\lepefihi.dll",s
O4 - HKLM\..\Run: [CPM239d2db2] Rundll32.exe "c:\windows\system32\poruzowo.dll",a
O4 - HKCU\..\Run: [userinit] C:\WINDOWS\system32\ntos.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: c:\windows\system32\lizazopi.dll c:\windows\system32\poruzowo.dll c:\windows\system32\vivuyayo.dll C:\WINDOWS\system32\gedekuye.dll c:\windows\system32\nijopido.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\poruzowo.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\poruzowo.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FolderProtectService - Unknown owner - F:\Power Suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
O23 - Service: GEARSecurity - GEAR Software Inc. - (no file)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - F:\dfrag\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - F:\dfrag\PDEngine.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Spyware Doctor\Spyware Doctor 6.0.0.386\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Spyware Doctor\Spyware Doctor 6.0.0.386\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: Aqua Real 3D - 7db39a0d-580f-4be9-9195-8bfcd226f6c2
O24 - Desktop Component 2: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

--
End of file - 6097 bytes
 
Hi ad astra

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
 
Hi Shaba and meny thanks for your reply wow !
I think, with your good help would like to try the clean option first
Bank statements up to yesterday (not online) show nothing untoward
 
We will begin with ComboFix.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

whatnext.png


Click on Yes, to continue scanning for malware.

When finished, it will produce a log for you. Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log.

This tool is not a toy and not for everyday use.
ComboFix SHOULD NOT be used unless requested by a forum helper

If you need help, see this link:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
 
ComboFix 09-01-13.04 - admin 2009-01-15 12:37:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1553 [GMT 0:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Pro Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\admin\Application Data\inst.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\afihowus.ini
c:\windows\system32\asizizag.ini
c:\windows\system32\awefulit.ini
c:\windows\system32\begakipu.dll
c:\windows\system32\bewijeze.dll
c:\windows\system32\biniyogi.dll
c:\windows\system32\dahihiwi.dll
c:\windows\system32\devoresi.dll
c:\windows\system32\eragovap.ini
c:\windows\system32\ezejiweb.ini
c:\windows\system32\fyziov.dll
c:\windows\system32\fztdpk.dll
c:\windows\system32\garayudi.dll
c:\windows\system32\gazizisa.dll
c:\windows\system32\gejanojo.dll
c:\windows\system32\hahohetu.dll
c:\windows\system32\ibevedim.ini
c:\windows\system32\iduyarag.ini
c:\windows\system32\igoyinib.ini
c:\windows\system32\iifefEww.dll
c:\windows\system32\ilizubap.ini
c:\windows\system32\izewekor.ini
c:\windows\system32\jayoriji.dll
c:\windows\system32\kujonage.dll
c:\windows\system32\ljJBRlKE.dll
c:\windows\system32\midevebi.dll
c:\windows\system32\musesiwo.dll
c:\windows\system32\nijopido.dll
c:\windows\system32\ntos.exe
c:\windows\system32\nugebini.dll
c:\windows\system32\pavogare.dll
c:\windows\system32\Pncrt.dll
c:\windows\system32\poruzowo.dll
c:\windows\system32\rokewezi.dll
c:\windows\system32\skinboxer43.dll
c:\windows\system32\suwohifa.dll
c:\windows\system32\suwuwari.dll
c:\windows\system32\tayanage.dll
c:\windows\system32\tedegeru.dll
c:\windows\system32\tovebogi.dll
c:\windows\system32\uregedet.ini
c:\windows\system32\utehohah.ini
c:\windows\system32\vivuyayo.dll
c:\windows\system32\vojijaje.dll
c:\windows\system32\wogutopa.dll
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\video.dll
c:\windows\system32\yetugayu.dll
c:\windows\system32\yifiroso.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ISODRIVE
-------\Service_ISODrive


((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.

2009-01-14 10:17 . 2008-04-14 00:12 26,112 --a------ c:\windows\system32\stu2.exe
2009-01-10 11:18 . 2009-01-10 11:19 15,083,520 --a------ c:\program files\spybotsd160.exe
2009-01-10 10:04 . 2009-01-10 10:04 <DIR> d-------- c:\program files\Trend Micro
2009-01-05 12:23 . 2009-01-05 12:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-01-05 12:23 . 2009-01-05 12:22 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2009-01-05 12:21 . 2009-01-05 12:23 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-01-05 12:12 . 2009-01-05 12:12 <DIR> d-------- c:\documents and settings\admin\Application Data\PC Tools
2009-01-05 12:12 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-05 12:12 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-05 12:12 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-05 12:12 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-23 12:06 . 2008-12-23 12:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\vsosdk
2008-12-23 11:10 . 2008-12-23 11:10 <DIR> d-------- c:\program files\VSO
2008-12-23 11:10 . 2006-05-20 16:16 1,184,984 --a------ c:\windows\system32\wvc1dmod.dll
2008-12-23 11:10 . 2006-05-11 19:21 626,688 --a------ c:\windows\system32\vp7vfw.dll
2008-12-23 11:10 . 2006-09-29 12:24 217,127 --a------ c:\windows\system32\drv43260.dll
2008-12-23 11:10 . 2006-09-29 12:25 208,935 --a------ c:\windows\system32\drv33260.dll
2008-12-23 11:10 . 2006-09-29 12:26 176,165 --a------ c:\windows\system32\drv23260.dll
2008-12-23 11:10 . 2002-12-10 02:20 102,439 --a------ c:\windows\system32\sipr3260.dll
2008-12-23 11:10 . 2007-03-18 20:37 65,602 --a------ c:\windows\system32\cook3260.dll
2008-12-18 13:07 . 2008-12-18 13:07 <DIR> d-------- c:\documents and settings\admin\Application Data\WinCare2008

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 15:40 --------- d-----w c:\documents and settings\admin\Application Data\Vso
2009-01-08 10:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-06 10:23 --------- d-----w c:\documents and settings\admin\Application Data\wsInspector
2008-12-17 11:53 --------- d-----w c:\documents and settings\admin\Application Data\Uniblue
2008-07-22 16:15 4 ----a-w c:\documents and settings\admin\Application Data\wklnhst.dat
2008-07-21 07:11 37,072 ----a-w c:\documents and settings\admin\Application Data\GDIPFONTCACHEV1.DAT
2008-06-10 15:43 47,360 ----a-w c:\documents and settings\admin\Application Data\pcouffin.sys
2007-08-24 16:17 1,164,456 ----a-w c:\program files\install_flash_player.exe
2007-12-10 09:16 848 --sha-w c:\windows\system32\KGyGaAvL.sys
1601-01-01 00:12 21,504 --sha-w c:\windows\system32\mubohome.dll
1601-01-01 00:12 67,072 --sha-w c:\windows\system32\mulirowo.dll
1601-01-01 00:12 103,936 --sha-w c:\windows\system32\nakakoye.dll
1601-01-01 00:12 67,072 --sha-w c:\windows\system32\renayoli.dll
1601-01-01 00:12 77,824 --sha-w c:\windows\system32\robejaku.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect0]
@="{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}"
[HKEY_CLASSES_ROOT\CLSID\{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}]
2007-12-02 16:05 348160 --a------ f:\power suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect1]
@="{8A814C29-D3CD-4F9E-9770-DF8704503ACA}"
[HKEY_CLASSES_ROOT\CLSID\{8A814C29-D3CD-4F9E-9770-DF8704503ACA}]
2007-12-02 16:05 348160 --a------ f:\power suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 c:\windows\system32\ptipbmf.dll]
"AsioReg"="CTASIO.DLL" [2003-06-20 c:\windows\system32\CTASIO.DLL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\nugebini.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\lxcfcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Spyware Doctor\\Spyware Doctor 6.0.0.386\\Spyware Doctor\\pctsGui.exe"=
"f:\\Spyware Doctor\\Spyware Doctor 6.0.0.386\\Spyware Doctor\\pctsTray.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\AluSchedulerSvc.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\SMAgent.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-09-09 28544]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-04-23 33800]
R1 FolderProtectDriver;FolderProtectDriver;f:\power suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectDriver.sys [2008-04-04 15616]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-01-05 160792]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [2007-12-20 1553896]
R4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-04-23 472320]
R4 FolderProtectService;FolderProtectService;f:\power suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe [2008-04-04 10240]
R4 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-08-04 5120]
S3 4dfa7b48ee276595;4dfa7b48ee276595;C:\4dfa7b48ee276595.dat [2000-05-31 4576]
S3 sdAuxService;PC Tools Auxiliary Service;f:\spyware doctor\Spyware Doctor 6.0.0.386\Spyware Doctor\pctsAuxs.exe [2009-01-05 356920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7996bf3-0b76-11dd-a899-000ea67c278f}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-15 c:\windows\Tasks\RegCure Program Check.job
- f:\regcure\RegCure.exe [2008-08-23 11:52]

2008-08-23 c:\windows\Tasks\RegCure.job
- f:\regcure\RegCure.exe [2008-08-23 11:52]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0786bf9b-1faa-4bef-ae95-3b720a759a94} - c:\windows\system32\vojijaje.dll
BHO-{42611340-2fc1-4df2-acaa-8f95c7ff17d0} - c:\windows\system32\fztdpk.dll


.
------- Supplementary Scan -------
.
uStart Page =
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 12:47:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4dfa7b48ee276595]
"ImagePath"="\??\C:\4dfa7b48ee276595.dat"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1454471165-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-343818398-1454471165-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4D122310-A357-B2A5-17E7-DD7C2100E56B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-343818398-1454471165-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3a,4f,07,a2,42,66,58,70,e8,74,b7,a3,0b,b2,65,1a,a8,60,16,1d,69,4d,c9,
87,fb,8d,45,a0,c8,6d,e3,5b,75,04,da,3b,27,3a,be,90,f1,9f,52,3f,8e,eb,cc,fc,\
"??"=hex:db,f4,c1,c3,71,77,a4,14,cb,bd,17,2a,7a,20,db,54
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(800)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Norton Ghost\Agent\VProSvc.exe
f:\dfrag\PDAgent.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\MsPMSPSv.exe
f:\dfrag\PDEngine.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\wscntfy.exe
f:\power suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
.
**************************************************************************
.
Completion time: 2009-01-15 12:49:09 - machine was rebooted [admin]
ComboFix-quarantined-files.txt 2009-01-15 12:48:42

Pre-Run: 24,832,434,176 bytes free
Post-Run: 24,754,966,528 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

246 --- E O F --- 2008-12-18 13:22:46

ComboFix 09-01-13.04 - admin 2009-01-15 12:37:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1553 [GMT 0:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Pro Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\admin\Application Data\inst.exe
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\windows\system32\afihowus.ini
c:\windows\system32\asizizag.ini
c:\windows\system32\awefulit.ini
c:\windows\system32\begakipu.dll
c:\windows\system32\bewijeze.dll
c:\windows\system32\biniyogi.dll
c:\windows\system32\dahihiwi.dll
c:\windows\system32\devoresi.dll
c:\windows\system32\eragovap.ini
c:\windows\system32\ezejiweb.ini
c:\windows\system32\fyziov.dll
c:\windows\system32\fztdpk.dll
c:\windows\system32\garayudi.dll
c:\windows\system32\gazizisa.dll
c:\windows\system32\gejanojo.dll
c:\windows\system32\hahohetu.dll
c:\windows\system32\ibevedim.ini
c:\windows\system32\iduyarag.ini
c:\windows\system32\igoyinib.ini
c:\windows\system32\iifefEww.dll
c:\windows\system32\ilizubap.ini
c:\windows\system32\izewekor.ini
c:\windows\system32\jayoriji.dll
c:\windows\system32\kujonage.dll
c:\windows\system32\ljJBRlKE.dll
c:\windows\system32\midevebi.dll
c:\windows\system32\musesiwo.dll
c:\windows\system32\nijopido.dll
c:\windows\system32\ntos.exe
c:\windows\system32\nugebini.dll
c:\windows\system32\pavogare.dll
c:\windows\system32\Pncrt.dll
c:\windows\system32\poruzowo.dll
c:\windows\system32\rokewezi.dll
c:\windows\system32\skinboxer43.dll
c:\windows\system32\suwohifa.dll
c:\windows\system32\suwuwari.dll
c:\windows\system32\tayanage.dll
c:\windows\system32\tedegeru.dll
c:\windows\system32\tovebogi.dll
c:\windows\system32\uregedet.ini
c:\windows\system32\utehohah.ini
c:\windows\system32\vivuyayo.dll
c:\windows\system32\vojijaje.dll
c:\windows\system32\wogutopa.dll
c:\windows\system32\wsnpoem
c:\windows\system32\wsnpoem\audio.dll
c:\windows\system32\wsnpoem\video.dll
c:\windows\system32\yetugayu.dll
c:\windows\system32\yifiroso.dll

----- BITS: Possible infected sites -----

hxxp://77.74.48.105
Infected copy of c:\windows\system32\userinit.exe was found and disinfected
Restored copy from - c:\windows\$NtServicePackUninstall$\userinit.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_ISODRIVE
-------\Service_ISODrive


((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.

2009-01-14 10:17 . 2008-04-14 00:12 26,112 --a------ c:\windows\system32\stu2.exe
2009-01-10 11:18 . 2009-01-10 11:19 15,083,520 --a------ c:\program files\spybotsd160.exe
2009-01-10 10:04 . 2009-01-10 10:04 <DIR> d-------- c:\program files\Trend Micro
2009-01-05 12:23 . 2009-01-05 12:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-01-05 12:23 . 2009-01-05 12:22 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2009-01-05 12:21 . 2009-01-05 12:23 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-01-05 12:12 . 2009-01-05 12:12 <DIR> d-------- c:\documents and settings\admin\Application Data\PC Tools
2009-01-05 12:12 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-05 12:12 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-05 12:12 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-05 12:12 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-23 12:06 . 2008-12-23 12:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\vsosdk
2008-12-23 11:10 . 2008-12-23 11:10 <DIR> d-------- c:\program files\VSO
2008-12-23 11:10 . 2006-05-20 16:16 1,184,984 --a------ c:\windows\system32\wvc1dmod.dll
2008-12-23 11:10 . 2006-05-11 19:21 626,688 --a------ c:\windows\system32\vp7vfw.dll
2008-12-23 11:10 . 2006-09-29 12:24 217,127 --a------ c:\windows\system32\drv43260.dll
2008-12-23 11:10 . 2006-09-29 12:25 208,935 --a------ c:\windows\system32\drv33260.dll
2008-12-23 11:10 . 2006-09-29 12:26 176,165 --a------ c:\windows\system32\drv23260.dll
2008-12-23 11:10 . 2002-12-10 02:20 102,439 --a------ c:\windows\system32\sipr3260.dll
2008-12-23 11:10 . 2007-03-18 20:37 65,602 --a------ c:\windows\system32\cook3260.dll
2008-12-18 13:07 . 2008-12-18 13:07 <DIR> d-------- c:\documents and settings\admin\Application Data\WinCare2008

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 15:40 --------- d-----w c:\documents and settings\admin\Application Data\Vso
2009-01-08 10:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-06 10:23 --------- d-----w c:\documents and settings\admin\Application Data\wsInspector
2008-12-17 11:53 --------- d-----w c:\documents and settings\admin\Application Data\Uniblue
2008-07-22 16:15 4 ----a-w c:\documents and settings\admin\Application Data\wklnhst.dat
2008-07-21 07:11 37,072 ----a-w c:\documents and settings\admin\Application Data\GDIPFONTCACHEV1.DAT
2008-06-10 15:43 47,360 ----a-w c:\documents and settings\admin\Application Data\pcouffin.sys
2007-08-24 16:17 1,164,456 ----a-w c:\program files\install_flash_player.exe
2007-12-10 09:16 848 --sha-w c:\windows\system32\KGyGaAvL.sys
1601-01-01 00:12 21,504 --sha-w c:\windows\system32\mubohome.dll
1601-01-01 00:12 67,072 --sha-w c:\windows\system32\mulirowo.dll
1601-01-01 00:12 103,936 --sha-w c:\windows\system32\nakakoye.dll
1601-01-01 00:12 67,072 --sha-w c:\windows\system32\renayoli.dll
1601-01-01 00:12 77,824 --sha-w c:\windows\system32\robejaku.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect0]
@="{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}"
[HKEY_CLASSES_ROOT\CLSID\{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}]
2007-12-02 16:05 348160 --a------ f:\power suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect1]
@="{8A814C29-D3CD-4F9E-9770-DF8704503ACA}"
[HKEY_CLASSES_ROOT\CLSID\{8A814C29-D3CD-4F9E-9770-DF8704503ACA}]
2007-12-02 16:05 348160 --a------ f:\power suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 c:\windows\system32\ptipbmf.dll]
"AsioReg"="CTASIO.DLL" [2003-06-20 c:\windows\system32\CTASIO.DLL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages REG_MULTI_SZ scecli c:\windows\system32\nugebini.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\lxcfcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Spyware Doctor\\Spyware Doctor 6.0.0.386\\Spyware Doctor\\pctsGui.exe"=
"f:\\Spyware Doctor\\Spyware Doctor 6.0.0.386\\Spyware Doctor\\pctsTray.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\AluSchedulerSvc.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\SMAgent.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-09-09 28544]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-04-23 33800]
R1 FolderProtectDriver;FolderProtectDriver;f:\power suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectDriver.sys [2008-04-04 15616]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-01-05 160792]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [2007-12-20 1553896]
R4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-04-23 472320]
R4 FolderProtectService;FolderProtectService;f:\power suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe [2008-04-04 10240]
R4 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-08-04 5120]
S3 4dfa7b48ee276595;4dfa7b48ee276595;C:\4dfa7b48ee276595.dat [2000-05-31 4576]
S3 sdAuxService;PC Tools Auxiliary Service;f:\spyware doctor\Spyware Doctor 6.0.0.386\Spyware Doctor\pctsAuxs.exe [2009-01-05 356920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7996bf3-0b76-11dd-a899-000ea67c278f}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-15 c:\windows\Tasks\RegCure Program Check.job
- f:\regcure\RegCure.exe [2008-08-23 11:52]

2008-08-23 c:\windows\Tasks\RegCure.job
- f:\regcure\RegCure.exe [2008-08-23 11:52]
.
- - - - ORPHANS REMOVED - - - -

BHO-{0786bf9b-1faa-4bef-ae95-3b720a759a94} - c:\windows\system32\vojijaje.dll
BHO-{42611340-2fc1-4df2-acaa-8f95c7ff17d0} - c:\windows\system32\fztdpk.dll


.
------- Supplementary Scan -------
.
uStart Page =
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 12:47:22
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4dfa7b48ee276595]
"ImagePath"="\??\C:\4dfa7b48ee276595.dat"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1454471165-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-343818398-1454471165-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4D122310-A357-B2A5-17E7-DD7C2100E56B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-343818398-1454471165-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3a,4f,07,a2,42,66,58,70,e8,74,b7,a3,0b,b2,65,1a,a8,60,16,1d,69,4d,c9,
87,fb,8d,45,a0,c8,6d,e3,5b,75,04,da,3b,27,3a,be,90,f1,9f,52,3f,8e,eb,cc,fc,\
"??"=hex:db,f4,c1,c3,71,77,a4,14,cb,bd,17,2a,7a,20,db,54
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(744)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(800)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\Norton Ghost\Agent\VProSvc.exe
f:\dfrag\PDAgent.exe
c:\program files\Analog Devices\SoundMAX\SMAgent.exe
c:\windows\system32\MsPMSPSv.exe
f:\dfrag\PDEngine.exe
c:\windows\system32\msdtc.exe
c:\windows\system32\wscntfy.exe
f:\power suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
c:\program files\ESET\ESET NOD32 Antivirus\egui.exe
.
**************************************************************************
.
Completion time: 2009-01-15 12:49:09 - machine was rebooted [admin]
ComboFix-quarantined-files.txt 2009-01-15 12:48:42

Pre-Run: 24,832,434,176 bytes free
Post-Run: 24,754,966,528 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

246 --- E O F --- 2008-12-18 13:22:46
 
HI Shaba,
and my apologies for the late reply
HijackThis log as follows ..........

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:24:58, on 15/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
F:\Power Suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
F:\dfrag\PDAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
F:\dfrag\PDEngine.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\Explorer.EXE
F:\Power Suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
F:\OPERA\Opera.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FolderProtectService - Unknown owner - F:\Power Suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
O23 - Service: GEARSecurity - GEAR Software Inc. - (no file)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - F:\dfrag\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - F:\dfrag\PDEngine.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Spyware Doctor\Spyware Doctor 6.0.0.386\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Spyware Doctor\Spyware Doctor 6.0.0.386\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: Aqua Real 3D - 7db39a0d-580f-4be9-9195-8bfcd226f6c2
O24 - Desktop Component 2: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

--
End of file - 5158 bytes
 
I'd like you to check a file for malware.
c:\windows\system32\stu2.exe
Click to expand...
  • Copy/Paste the first file on the list into the white Upload a file box.
  • Click Send/Submit, and the file will upload to VirusTotal/Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Save the complete results in a Notepad/Word document on your desktop.
  • Post back results here. please.
 
VirusTotal scan .....

Suomi | ihMdI | | עברית | | Slovenščina | Dansk | Русский | Română | Türkçe |
Nederlands | Ελληνικά | Français | Svenska | Português | Italiano | | | Magyar |
Deutsch | Česky | Polski | Español
Virustotal is a service that analyzes suspicious files and facilitates the quick
detection of viruses, worms, trojans, and all kinds of malware detected by
antivirus engines. More information...

File stu2.exe received on 01.15.2009 17:43:50 (CET)
Current status: finished
Result: 0/39 (0%)

Compact

Print results

Antivirus Version Last Update Result
a-squared 4.0.0.73 2009.01.15 -
AhnLab-V3 2009.1.15.0 2009.01.15 -
AntiVir 7.9.0.54 2009.01.15 -
Authentium 5.1.0.4 2009.01.15 -
Avast 4.8.1281.0 2009.01.15 -
AVG 8.0.0.229 2009.01.15 -
BitDefender 7.2 2009.01.15 -
CAT-QuickHeal 10.00 2009.01.15 -
ClamAV 0.94.1 2009.01.15 -
Comodo 932 2009.01.15 -
DrWeb 4.44.0.09170 2009.01.15 -
eSafe 7.0.17.0 2009.01.15 -
eTrust-Vet 31.6.6309 2009.01.15 -
F-Prot 4.4.4.56 2009.01.15 -
F-Secure 8.0.14470.0 2009.01.15 -
Fortinet 3.117.0.0 2009.01.15 -
GData 19 2009.01.15 -
Ikarus T3.1.1.45.0 2009.01.15 -
K7AntiVirus 7.10.584 2009.01.09 -
Kaspersky 7.0.0.125 2009.01.15 -
McAfee 5495 2009.01.14 -
McAfee+Artemis 5495 2009.01.14 -
Microsoft 1.4205 2009.01.15 -
NOD32 3769 2009.01.15 -
Norman 5.93.01 2009.01.15 -
nProtect 2009.1.8.0 2009.01.15 -
Panda 9.5.1.2 2009.01.14 -
PCTools 4.4.2.0 2009.01.15 -
Prevx1 V2 2009.01.15 -
Rising 21.12.32.00 2009.01.15 -
SecureWeb-Gateway 6.7.6 2009.01.15 -
Sophos 4.37.0 2009.01.15 -
Sunbelt 3.2.1831.2 2009.01.09 -
Symantec 10 2009.01.15 -
TheHacker 6.3.1.4.220 2009.01.14 -
TrendMicro 8.700.0.1004 2009.01.15 -
VBA32 3.12.8.10 2009.01.14 -
ViRobot 2009.1.15.1560 2009.01.15 -
VirusBuster 4.5.11.0 2009.01.15 -
Additional information
File size: 26112 bytes
MD5...: a93aee1928a9d7ce3e16d24ec7380f89
SHA1..: 513f8bdf67a5a9e09803cfb61f590b39f2683853
SHA256: 944cd2135e171af338352568aa7fe1b8004733a4281395ad6723e0cf43d5f53f
SHA512: b4df088a96dda785b1a2edb32ef72554fb8000d01a29668f0da0614f6100c8ea
59c31790d5248e551543efd36684b12b687df55cbeaa36b8c31decf686980f42
ssdeep: 768:0RMJi8jDLIDSAaQFxfftjaLacmkLGKOq:0RMJbDMDSA7FxffJaLaSLG9q
PEiD..: -
TrID..: File type identification
Win32 Executable MS Visual C++ (generic) (65.2%)
Win32 Executable Generic (14.7%)
Win32 Dynamic Link Library (generic) (13.1%)
Generic Win/DOS Executable (3.4%)
DOS Executable Generic (3.4%)
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x10054ad
timedatestamp.....: 0x480251a8 (Sun Apr 13 18:32:08 2008)
machinetype.......: 0x14c (I386)

( 3 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x520e 0x5400 5.95 099b53205ad3f1c3b853a5310d08a9b1
.data 0x7000 0x14c 0x200 1.86 0bb948f267e82975313a03d8c0e8a1cf
.rsrc 0x8000 0xb50 0xc00 3.27 bac832e39f87c4f5f640e5d5c6a1c2fc

( 9 imports )
> USER32.dll: CreateWindowExW, DestroyWindow, RegisterClassExW, DefWindowProcW,
LoadRemoteFonts, wsprintfW, GetSystemMetrics, GetKeyboardLayout,
SystemParametersInfoW, GetDesktopWindow, LoadStringW, MessageBoxW, ExitWindowsEx,
CharNextW
> ADVAPI32.dll: RegOpenKeyExA, ReportEventW, RegisterEventSourceW,
DeregisterEventSource, OpenProcessToken, RegCreateKeyExW, RegSetValueExW,
GetUserNameW, RegQueryValueExW, RegOpenKeyExW, RegQueryInfoKeyW, RegCloseKey,
RegQueryValueExA
> CRYPT32.dll: CryptProtectData
> WINSPOOL.DRV: SpoolerInit
> ntdll.dll: RtlLengthSid, RtlCopySid, _itow, RtlFreeUnicodeString, DbgPrint,
wcslen, wcscpy, wcscat, wcscmp, RtlInitUnicodeString, NtOpenKey, NtClose, _wcsicmp,
memmove, RtlConvertSidToUnicodeString, NtQueryInformationToken
> NETAPI32.dll: DsGetDcNameW, NetApiBufferFree
> WLDAP32.dll: -, -, -, -, -, -
> msvcrt.dll: __setusermatherr, _initterm, __getmainargs, _acmdln, _adjust_fdiv,
_XcptFilter, _exit, _c_exit, __p__commode, __p__fmode, __set_app_type, _except_handler3,
_controlfp, _cexit, exit
> KERNEL32.dll: CompareFileTime, LoadLibraryW, GetProcAddress, FreeLibrary,
lstrcpyW, CreateProcessW, lstrlenW, GetVersionExW, LocalFree, LocalAlloc,
GetEnvironmentVariableW, CloseHandle, lstrcatW, WaitForSingleObject,
DelayLoadFailureHook, GetStartupInfoA, GetModuleHandleA,
SetUnhandledExceptionFilter, UnhandledExceptionFilter, TerminateProcess,
GetSystemTimeAsFileTime, GetCurrentThreadId, GetTickCount,
QueryPerformanceCounter, LoadLibraryA, InterlockedCompareExchange, LocalReAlloc,
GetSystemTime, lstrcmpW, GetCurrentThread, SetThreadPriority,
ExpandEnvironmentStringsW, SearchPathW, GetLastError, CreateThread,
GetFileAttributesExW, GetSystemDirectoryW, SetCurrentDirectoryW, FormatMessageW,
lstrcmpiW, GetCurrentProcess, GetUserDefaultLangID, GetCurrentProcessId,
SetEvent, OpenEventW, Sleep, SetEnvironmentVariableW

( 0 exports )
ThreatExpert info: <a href='http://www.threatexpert.com/report.aspx?md5=a93aee1928a9d7ce3e16d24ec7380f89'
target='_blank'>http://www.threatexpert.com/report.aspx?md5=a93aee1928a9d7ce3e16d24ec7380f89</a>

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are
no guarantees about the availability and continuity of this service. Although
the detection rate afforded by the use of multiple antivirus engines is far
superior to that offered by just one product, these results DO NOT guarantee the
harmlessness of a file. Currently, there is not any solution that offers a 100%
effectiveness rate for detecting viruses and malware.

VirusTotal © Hispasec Sistemas - Blog - Contact: info@virustotal.com - Terms of
Service & Privacy Policy
 
Thanks for information.

Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
c:\windows\system32\stu2.exe
c:\windows\system32\mubohome.dll
c:\windows\system32\mulirowo.dll
c:\windows\system32\nakakoye.dll
c:\windows\system32\renayoli.dll
c:\windows\system32\robejaku.dll

DirLook::
c:\documents and settings\admin\Application Data\WinCare2008

Registry::
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa] 
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScriptB-4.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
 
ComboFix 09-01-13.04 - admin 2009-01-15 18:20:17.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2047.1609 [GMT 0:00]
Running from: c:\documents and settings\admin\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\admin\Desktop\CFScript.txt
AV: ESET NOD32 Antivirus 3.0 *On-access scanning disabled* (Updated)
AV: Spyware Doctor with AntiVirus *On-access scanning disabled* (Updated)
FW: ZoneAlarm Pro Firewall *disabled*
* Created a new restore point

FILE ::
c:\windows\system32\mubohome.dll
c:\windows\system32\mulirowo.dll
c:\windows\system32\nakakoye.dll
c:\windows\system32\renayoli.dll
c:\windows\system32\robejaku.dll
c:\windows\system32\stu2.exe
.

((((((((((((((((((((((((( Files Created from 2008-12-15 to 2009-01-15 )))))))))))))))))))))))))))))))
.

2009-01-10 11:18 . 2009-01-10 11:19 15,083,520 --a------ c:\program files\spybotsd160.exe
2009-01-10 10:04 . 2009-01-10 10:04 <DIR> d-------- c:\program files\Trend Micro
2009-01-05 12:23 . 2009-01-05 12:23 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2009-01-05 12:23 . 2009-01-05 12:22 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
2009-01-05 12:21 . 2009-01-05 12:23 <DIR> d-------- c:\program files\Common Files\PC Tools
2009-01-05 12:12 . 2009-01-05 12:12 <DIR> d-------- c:\documents and settings\admin\Application Data\PC Tools
2009-01-05 12:12 . 2008-08-25 12:36 81,288 --a------ c:\windows\system32\drivers\iksyssec.sys
2009-01-05 12:12 . 2008-08-25 12:36 66,952 --a------ c:\windows\system32\drivers\iksysflt.sys
2009-01-05 12:12 . 2008-08-25 12:36 40,840 --a------ c:\windows\system32\drivers\ikfilesec.sys
2009-01-05 12:12 . 2008-06-02 16:19 29,576 --a------ c:\windows\system32\drivers\kcom.sys
2008-12-23 12:06 . 2008-12-23 12:06 <DIR> d-------- c:\documents and settings\All Users\Application Data\vsosdk
2008-12-23 11:10 . 2008-12-23 11:10 <DIR> d-------- c:\program files\VSO
2008-12-23 11:10 . 2006-05-20 16:16 1,184,984 --a------ c:\windows\system32\wvc1dmod.dll
2008-12-23 11:10 . 2006-05-11 19:21 626,688 --a------ c:\windows\system32\vp7vfw.dll
2008-12-23 11:10 . 2006-09-29 12:24 217,127 --a------ c:\windows\system32\drv43260.dll
2008-12-23 11:10 . 2006-09-29 12:25 208,935 --a------ c:\windows\system32\drv33260.dll
2008-12-23 11:10 . 2006-09-29 12:26 176,165 --a------ c:\windows\system32\drv23260.dll
2008-12-23 11:10 . 2002-12-10 02:20 102,439 --a------ c:\windows\system32\sipr3260.dll
2008-12-23 11:10 . 2007-03-18 20:37 65,602 --a------ c:\windows\system32\cook3260.dll
2008-12-18 13:07 . 2008-12-18 13:07 <DIR> d-------- c:\documents and settings\admin\Application Data\WinCare2008

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 15:40 --------- d-----w c:\documents and settings\admin\Application Data\Vso
2009-01-08 10:26 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP
2009-01-06 10:23 --------- d-----w c:\documents and settings\admin\Application Data\wsInspector
2008-12-17 11:53 --------- d-----w c:\documents and settings\admin\Application Data\Uniblue
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 14:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 14:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 14:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 14:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 14:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 14:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 14:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 14:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 14:06 268,648 ----a-w c:\windows\system32\mucltui.dll
2008-10-16 14:06 208,744 ----a-w c:\windows\system32\muweb.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
2008-07-22 16:15 4 ----a-w c:\documents and settings\admin\Application Data\wklnhst.dat
2008-07-21 07:11 37,072 ----a-w c:\documents and settings\admin\Application Data\GDIPFONTCACHEV1.DAT
2008-06-10 15:43 47,360 ----a-w c:\documents and settings\admin\Application Data\pcouffin.sys
2007-08-24 16:17 1,164,456 ----a-w c:\program files\install_flash_player.exe
2007-12-10 09:16 848 --sha-w c:\windows\system32\KGyGaAvL.sys
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\admin\Application Data\WinCare2008 ----



((((((((((((((((((((((((((((( snapshot@2009-01-15_12.47.55.12 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-15 17:56:19 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_7a4.dat
+ 2009-01-15 17:56:25 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_840.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect0]
@="{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}"
[HKEY_CLASSES_ROOT\CLSID\{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}]
2007-12-02 16:05 348160 --a------ f:\power suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect1]
@="{8A814C29-D3CD-4F9E-9770-DF8704503ACA}"
[HKEY_CLASSES_ROOT\CLSID\{8A814C29-D3CD-4F9E-9770-DF8704503ACA}]
2007-12-02 16:05 348160 --a------ f:\power suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectShellExtension.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ptipbmf"="ptipbmf.dll" [2003-06-20 c:\windows\system32\ptipbmf.dll]
"AsioReg"="CTASIO.DLL" [2003-06-20 c:\windows\system32\CTASIO.DLL]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.xvid"= xvid.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ PDBoot.exe\0autocheck autochk *

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\lxcfcoms.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"f:\\Spyware Doctor\\Spyware Doctor 6.0.0.386\\Spyware Doctor\\pctsGui.exe"=
"f:\\Spyware Doctor\\Spyware Doctor 6.0.0.386\\Spyware Doctor\\pctsTray.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Symantec\\LiveUpdate\\AluSchedulerSvc.exe"=
"c:\\Program Files\\Analog Devices\\SoundMAX\\SMAgent.exe"=
"c:\\WINDOWS\\system32\\ati2evxx.exe"=
"c:\\WINDOWS\\system32\\dllhost.exe"=

R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [2008-09-09 28544]
R1 epfwtdir;epfwtdir;c:\windows\system32\drivers\epfwtdir.sys [2008-04-23 33800]
R1 FolderProtectDriver;FolderProtectDriver;f:\power suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectDriver.sys [2008-04-04 15616]
R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2009-01-05 160792]
R3 SymSnapService;SymSnapService;c:\program files\Norton Ghost\Shared\Drivers\SymSnapService.exe [2007-12-20 1553896]
R4 ekrn;Eset Service;c:\program files\ESET\ESET NOD32 Antivirus\ekrn.exe [2008-04-23 472320]
R4 FolderProtectService;FolderProtectService;f:\power suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe [2008-04-04 10240]
R4 Symantec SymSnap VSS Provider;Symantec SymSnap VSS Provider;c:\windows\system32\dllhost.exe [2004-08-04 5120]
S3 4dfa7b48ee276595;4dfa7b48ee276595;C:\4dfa7b48ee276595.dat [2000-05-31 4576]
S3 sdAuxService;PC Tools Auxiliary Service;f:\spyware doctor\Spyware Doctor 6.0.0.386\Spyware Doctor\pctsAuxs.exe [2009-01-05 356920]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7996bf3-0b76-11dd-a899-000ea67c278f}]
\Shell\AutoRun\command - H:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder

2009-01-15 c:\windows\Tasks\RegCure Program Check.job
- f:\regcure\RegCure.exe [2008-08-23 11:52]

2008-08-23 c:\windows\Tasks\RegCure.job
- f:\regcure\RegCure.exe [2008-08-23 11:52]
.
.
------- Supplementary Scan -------
.
uStart Page =
uInternet Connection Wizard,ShellNext = iexplore
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
LSP: c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
FF - ProfilePath -
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-15 18:21:09
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\4dfa7b48ee276595]
"ImagePath"="\??\C:\4dfa7b48ee276595.dat"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-343818398-1454471165-682003330-1004\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-343818398-1454471165-682003330-1004\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4D122310-A357-B2A5-17E7-DD7C2100E56B}*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-343818398-1454471165-682003330-1004\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
"??"=hex:3a,4f,07,a2,42,66,58,70,e8,74,b7,a3,0b,b2,65,1a,a8,60,16,1d,69,4d,c9,
87,fb,8d,45,a0,c8,6d,e3,5b,75,04,da,3b,27,3a,be,90,f1,9f,52,3f,8e,eb,cc,fc,\
"??"=hex:db,f4,c1,c3,71,77,a4,14,cb,bd,17,2a,7a,20,db,54
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(732)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'lsass.exe'(788)
c:\program files\Common Files\PC Tools\LSP\PCTLsp.dll
.
Completion time: 2009-01-15 18:22:27
ComboFix-quarantined-files.txt 2009-01-15 18:22:10
ComboFix2.txt 2009-01-15 18:04:10
ComboFix3.txt 2009-01-15 12:49:10

Pre-Run: 24,747,507,712 bytes free
Post-Run: 24,734,257,152 bytes free

176 --- E O F --- 2008-12-18 13:22:46
 
Please upload this to jotti as well and post results here:

C:\4dfa7b48ee276595.dat
 
File: 4dfa7b48ee276595.dat
Status: OK
MD5: eeb283bab1f4c6f1749238a8668698fe
Packers detected: -

Scanner results
Scan taken on 15 Jan 2009 18:47:30 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing
 
Download gmer.zip and save to your desktop.
alternate download site 1
alternate download site 2
  • Unzip/extract the file to its own folder. (Click here for information on how to do this if not sure. Win 2000 users click here.
  • When you have done this, disconnect from the Internet and close all running programs.
    There is a small chance this application may crash your computer so save any work you have open.
  • Double-click on Gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • If it gives you a warning at program start about rootkit activity and asks if you want to run a scan...click NO.
  • Click on "Settings", then check the first five settings:
    *System Protection and Tracing
    *Processes
    *Save created processes to the log
    *Drivers
    *Save loaded drivers to the log
  • You will be prompted to restart your computer. Please do so.

Run Gmer again and click on the Rootkit tab.
  • Look at the right hand side (under Files) and uncheck all drives with the exception of your C drive.
  • Make sure all other boxes on the right of the screen are checked, EXCEPT for "Show All".
  • Click on the "Scan" and wait for the scan to finish.
    Note: Before scanning, make sure all other running programs are closed and no other actions like a scheduled antivirus scan will occur while this scan completes. Also do not use your computer during the scan.
  • When completed, click on the Copy button and right-click on your Desktop, choose "New" > Text document. Once the file is created, open it and right-click again and choose Paste or Ctrl+V. Save the file as gmer.txt and copy the information in your next reply.
  • Note: If you have any problems, try running GMER in SAFE MODE"
Important! Please do not select the "Show all" checkbox during the scan..
 
Hi again Shaba Gmer log ..........

GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-15 19:46:19
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateFile [0xB0931930]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwCreateKey [0xB093CA80]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteFile [0xB0931F20]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteKey [0xB093D6E0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwDeleteValueKey [0xB093D440]
SSDT sple.sys ZwEnumerateKey [0xF74F6CA2]
SSDT sple.sys ZwEnumerateValueKey [0xF74F7030]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwLoadKey [0xB093D8B0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwOpenFile [0xB0931D70]
SSDT sple.sys ZwOpenKey [0xF74D90C0]
SSDT sple.sys ZwQueryKey [0xF74F7108]
SSDT sple.sys ZwQueryValueKey [0xF74F6F88]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRenameKey [0xB093E250]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwReplaceKey [0xB093DCB0]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwRestoreKey [0xB093E080]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetInformationFile [0xB0932120]
SSDT \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC) ZwSetValueKey [0xB093D140]

INT 0x62 ? 8A3CFBF8
INT 0x63 ? 8A35EBF8
INT 0x82 ? 8A3CFBF8
INT 0x84 ? 8A35EBF8
INT 0xA4 ? 8A35EBF8
INT 0xA4 ? 8A35EBF8

---- Kernel code sections - GMER 1.0.14 ----

? sple.sys The system cannot find the file specified. !
? srescan.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B901B8AC 5 Bytes JMP 8A35E1D8

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1544] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [ C2, 04, 00, 00 ]

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A3614B8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F74FF6D0] sple.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7503708] sple.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74DA046] sple.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74DA142] sple.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74DA0C4] sple.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74DA7CE] sple.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74DA6A4] sple.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A35E2D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74E5D7A] sple.sys
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [B0947330] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [B09325C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [B0932770] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [B09322D0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [B0932670] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- Devices - GMER 1.0.14 ----

Device \FileSystem\Ntfs \Ntfs 8A35D1F8

AttachedDevice \FileSystem\Ntfs \Ntfs symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

Device \FileSystem\Fastfat \FatCdrom 88FE9500
Device \Driver\Tcpip \Device\Ip vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\NetBT \Device\NetBT_Tcpip_{15BABC24-DA90-4A0A-89E6-BEFF927E213F} 877BE500
Device \Driver\usbuhci \Device\USBPDO-0 891352D0
Device \Driver\usbuhci \Device\USBPDO-1 891352D0
Device \Driver\usbuhci \Device\USBPDO-2 891352D0
Device \Driver\usbuhci \Device\USBPDO-3 891352D0
Device \Driver\usbehci \Device\USBPDO-4 890F11F8
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A35F1F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 eamon.sys (Amon monitor/ESET)

Device \Driver\Ftdisk \Device\HarddiskVolume2 8A35F1F8

AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 eamon.sys (Amon monitor/ESET)

Device \Driver\Cdrom \Device\CdRom0 89073500
Device \Driver\Cdrom \Device\CdRom1 89073500
Device \Driver\NetBT \Device\NetBt_Wins_Export 877BE500
Device \Driver\NetBT \Device\NetbiosSmb 877BE500
Device \Driver\Tcpip \Device\Udp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\usbuhci \Device\USBFDO-0 891352D0
Device \Driver\usbuhci \Device\USBFDO-1 891352D0
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88733500
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device \Driver\usbuhci \Device\USBFDO-2 891352D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88733500
Device \Driver\usbuhci \Device\USBFDO-3 891352D0
Device \Driver\usbehci \Device\USBFDO-4 890F11F8
Device \Driver\Ftdisk \Device\FtControl 8A35F1F8
Device \FileSystem\Fastfat \Fat 88FE9500

AttachedDevice \FileSystem\Fastfat \Fat symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \FileSystem\Cdfs \Cdfs 88717500

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4B 0x4B 0xAE 0xA7 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4B 0x4B 0xAE 0xA7 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4B 0x4B 0xAE 0xA7 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{4D122310-A357-B2A5-17E7-DD7C2100E56B}

---- EOF - GMER 1.0.14 ----
 
That looks like to be fine so it was catchme bug then.

Please go to Kaspersky website and perform an online antivirus scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select ''Run as administrator'' to perform this scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.

If you need a tutorial, see here
 
Hi Shaba
Karpersky site was telling me I need install/update java !! anyway have done so
Karpersky scan....................

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Friday, January 16, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, January 15, 2009 19:43:05
Records in database: 1627282
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan statistics:
Files scanned: 81614
Threat name: 7
Infected objects: 9
Suspicious objects: 3
Duration of the scan: 03:11:59


File name / Threat name / Threats count
C:\Documents and Settings\admin\Local Settings\Application Data\Identities\{FE1358E3-7514-4ABB-A5D1-A2AD4589CEEC}\Microsoft\Outlook Express\Sent Items.dbx Suspicious: Trojan-Spy.HTML.Fraud.gen 3
C:\Qoobox\Quarantine\C\WINDOWS\system32\bewijeze.dll.vir Infected: Trojan.Win32.Monder.amxj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\gazizisa.dll.vir Infected: Trojan.Win32.Monder.amxj 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\midevebi.dll.vir Infected: Trojan.Win32.Monder.amxr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\nakakoye.dll.vir Infected: Trojan-Spy.Win32.Agent.jbw 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\robejaku.dll.vir Infected: Trojan.Win32.Agent.bfdf 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\rokewezi.dll.vir Infected: Trojan.Win32.Monder.amxr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\suwohifa.dll.vir Infected: Trojan.Win32.Monder.aidz 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\tedegeru.dll.vir Infected: Trojan.Win32.Monder.amxr 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan-Downloader.Win32.Injecter.btn 1

The selected area was scanned.

Also HJT scan,,,,,,,,,,,,,

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:28:40, on 16/01/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
F:\Power Suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
F:\dfrag\PDAgent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
F:\dfrag\PDEngine.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
F:\Power Suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtect.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\wuauclt.exe
F:\OPERA\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\OFFICE~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: FolderProtectService - Unknown owner - F:\Power Suit\Spotmau WinCare 2008\sub\FSDRIVER\FolderProtectService.exe
O23 - Service: GEARSecurity - GEAR Software Inc. - (no file)
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: lxcf_device - Unknown owner - C:\WINDOWS\system32\lxcfcoms.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: PDAgent - Raxco Software, Inc. - F:\dfrag\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - F:\dfrag\PDEngine.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - F:\Spyware Doctor\Spyware Doctor 6.0.0.386\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - F:\Spyware Doctor\Spyware Doctor 6.0.0.386\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SymSnapService - Symantec - C:\Program Files\Norton Ghost\Shared\Drivers\SymSnapService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component 1: Aqua Real 3D - 7db39a0d-580f-4be9-9195-8bfcd226f6c2
O24 - Desktop Component 2: Aqua Real - 7db39a0d-580f-4be9-9195-8bfcd226f6c2

--
End of file - 5827 bytes
 
"Karpersky site was telling me I need install/update java !! anyway have done so "

Yes you had old java :)

Empty this folder:

C:\Qoobox\Quarantine

Empty Recycle Bin.

Still problems?
 
You must log in or register to reply here.
Back
Top