Windows XP Toolbar Icons Deactivated and Disappear - no malware found


Big_John

In an attempt to sort my problem, I've downloaded and run the following:
cwshredder
rr-free-setup
spybotsd152
aaw2008
XP-ToolbarFix
SUPERAntiSpyware

and none of them have found or been able to fix my problem:

When I start Windows XP everything seems fine until I click on one of the Quick Launch Toolbar icons on the taskbar.
Then the Toolbar icons stop being clickable, and after an indeterminate period they disappear.
The place where each one was still has an alternative text available, but no icon, or potential action.

The same happens with my Desktop toolbar, which is on the left-hand side of my screen.
Once one icon is clicked (I use right-click and Open), they don't work, and then they disappear.
(I use auto-hide, and when the toolbar appears it is blank.)

I have run Spybot - full scan - but it fails to find any malware :-(

Here's the HJT log. What do I do next, please? I am impressed with the responses over the last few days on this forum,
but can't find a case quite like mine.

To cap it all, my wife's laptop - on the network - has a similar problem, but with no malware found either.
Will the solution for mine be the same for hers, since we probably were infected by the same email/attachment?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:58:57, on 19/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
E:\PhoneConnectorVMC.exe
E:\vmc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [FlashgetMini] C:\Program Files\FlashGet Network\Flashget\Temp\setup.exe
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users.WINDOWS\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: UseFlashGet - C:\Program Files\FlashGet Network\Flashget\ComDlls\Bholink.htm
O8 - Extra context menu item: UseFlashGetDownloadAllLink - C:\Program Files\FlashGet Network\Flashget\ComDlls\Bhoall.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1204163253078
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DB670C3-7408-40CD-BD81-BFC9CF7E71D4}: NameServer = 10.203.129.68 10.203.129.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFBF0A85-7597-4C8D-88EB-7795E5244572}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 10629 bytes
:sad:
 
Please note that all instructions given are customised for this computer only, the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.
Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear".
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I apologize for the delay in responding, but as you can probably see the forums are quite busy.
Unfortunately there are far more people needing help than there are helpers.

----------------------------------------------------------------------------------------


If you still require help please post a fresh HJT log
 
New HJT log

Hi Katana,

Thanks for coming back to me. Here's the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:29:00, on 25/06/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
E:\PhoneConnectorVMC.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
E:\vmc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users.WINDOWS\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\Documents and Settings\All Users.WINDOWS\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" /NoDialog
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [VMCL] C:\Program Files\vodafone\vmclite\DongleEnumerator.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: OpenOffice.org 2.4.lnk = OpenOffice.org 2.4\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: UseFlashGet - C:\Program Files\FlashGet Network\Flashget\ComDlls\Bholink.htm
O8 - Extra context menu item: UseFlashGetDownloadAllLink - C:\Program Files\FlashGet Network\Flashget\ComDlls\Bhoall.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1204163253078
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DB670C3-7408-40CD-BD81-BFC9CF7E71D4}: NameServer = 10.205.65.68 10.205.65.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFBF0A85-7597-4C8D-88EB-7795E5244572}: NameServer = 192.168.0.1
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Google Desktop Manager 5.7.802.22438 (GoogleDesktopManager-022208-143751) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 10493 bytes
 
Hi Big_John,

There is no obvious malware showing, but let's get a couple more scans to make sure.

Note: your wife's machine may or may not have the same problem, so I wouldn't follow these instructions for that machine just yet.
Let's find out what is going on first.



Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

Bleeping Computer ComboFix Tutorial

Post the log from ComboFix when you've accomplished that.



Kaspersky Online Scanner
Your Antivirus and/or Antispyware may give a warning during the scan. This is perfectly normal.
NOTE:- This scan is best done from IE (Internet Explorer)

Go Here http://www.kaspersky.com/kos/eng/partner/default/kavwebscan.html

Read the Requirements and limitations before you click Accept.
Allow the ActiveX download if necessary
Once the database has downloaded, click Next.
Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
Click on "My Computer" and then put the kettle on!
When the scan has completed, click Save Report As...
Enter a name for the file in the Filename: text box, then click the down arrow to the right of Save as type: and select text file (*.txt).
Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



Installed Programs

Please could you give me a list of the programs that are installed.
  • Start HijackThis
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.



Logs/Information to Post in Reply
Please post the following logs/Information in your reply
  • ComboFix Log
  • Kaspersky Log
  • Installed Programs List
  • About how long has this been happening?
  • Did it start at about the same time on both machines?
  • Did you install any programs on both machines?
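The logs above are what the helper is reading line by line. As an added example (not code from the thread, from HijackThis, or from the helper's toolkit), here is a Python triage pass that pulls the O4/O17/O20/O23 lines out of an HJT v2 log and flags the entries a reviewer checks first, using a few lines copied from the first log as constructed input. The heuristics (Temp-folder autoruns, missing service binaries, AppInit_DLLs, DNS servers) are this example's own assumptions about what merits a look, not HJT's.

```python
"""Triage helper for HijackThis (HJT) v2 log lines.

Added example for this thread, not code from the thread, from HijackThis or
from the helper's toolkit. It walks the O4/O17/O20/O23 lines of a log and
collects what a reviewer looks at first: autoruns launched from a Temp
folder, services whose binary is missing, AppInit_DLLs entries, and the
configured DNS servers. The heuristics are this example's own.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: a few lines copied from the first log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [FlashgetMini] C:\Program Files\FlashGet Network\Flashget\Temp\setup.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\..\{7DB670C3-7408-40CD-BD81-BFC9CF7E71D4}: NameServer = 10.203.129.68 10.203.129.68
O17 - HKLM\System\CCS\Services\Tcpip\..\{DFBF0A85-7597-4C8D-88EB-7795E5244572}: NameServer = 192.168.0.1
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

RUN_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NS_RE = re.compile(r"^O17 - .*: NameServer = (?P<servers>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
# O23 is split on " - "; a service or vendor name containing " - " would need a smarter split.
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str
    detail: str
    line: str


@dataclass
class Triage:
    autoruns: list = field(default_factory=list)     # (hive, name, command)
    services: list = field(default_factory=list)     # (name, owner, path)
    appinit_dlls: list = field(default_factory=list)
    nameservers: list = field(default_factory=list)  # unique, in log order
    findings: list = field(default_factory=list)


def _strip_quotes(cmd: str) -> str:
    return cmd.strip().strip('"')


def _is_private(server: str) -> bool:
    try:
        return ipaddress.ip_address(server).is_private
    except ValueError:          # not an IP literal (e.g. a hostname): treat as needing review
        return False


def triage_hjt(log_text: str) -> Triage:
    """Parse the O4/O17/O20/O23 lines of an HJT log and record review points."""
    t = Triage()
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := RUN_RE.match(line):
            hive, name, cmd = m.group("hive"), m.group("name"), _strip_quotes(m.group("cmd"))
            t.autoruns.append((hive, name, cmd))
            # An autorun whose binary lives under a Temp folder is unusual for a
            # properly installed program and deserves a look.
            if "\\temp\\" in cmd.lower():
                t.findings.append(Finding("O4", f"autorun [{name}] runs from a Temp folder", line))
        elif m := NS_RE.match(line):
            for server in m.group("servers").split():
                if server not in t.nameservers:
                    t.nameservers.append(server)
                # DNS outside private address space is worth confirming against the
                # ISP/router configuration; private addresses are the usual case.
                if not _is_private(server):
                    t.findings.append(Finding("O17", f"non-private DNS server {server} configured", line))
        elif m := APPINIT_RE.match(line):
            dlls = [d.strip() for d in m.group("dlls").split(",") if d.strip()]
            t.appinit_dlls.extend(dlls)
            # AppInit_DLLs are loaded into every process that links user32.dll,
            # so each entry must be attributable to a known product.
            if dlls:
                t.findings.append(Finding("O20", f"AppInit_DLLs loads {len(dlls)} DLL(s): {', '.join(dlls)}", line))
        elif m := SVC_RE.match(line):
            name, owner, path = m.group("name"), m.group("owner"), m.group("path")
            t.services.append((name, owner, path))
            # "(file missing)" means the ImagePath does not resolve. A path cut off at
            # "C:\Program.exe" typically indicates an unquoted path containing spaces.
            if path.endswith("(file missing)"):
                t.findings.append(Finding("O23", f"service '{name}' points at a missing binary", line))
    return t


if __name__ == "__main__":
    result = triage_hjt(SAMPLE_LOG)
    for f in result.findings:
        print(f"{f.section}: {f.detail}\n    {f.line}")
```

Run against the sample, it flags the FlashgetMini autorun in a Temp folder, the AppInit_DLLs pair, and the MySQL service with the missing binary, and reports both DNS servers as private.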
 
Use the instructions for SP2; the Recovery Console is the same for both versions :)
 
Scan results

Here we go, Katana,

I appreciate your help. I enjoyed the cups of tea :laugh:

ComboFix Log
ComboFix 08-06-16.5 - John Slee 2008-06-25 14:55:34.1 - NTFSx86
Running from: C:\Documents and Settings\John Slee.EPIPHANY\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\John Slee.EPIPHANY\Desktop\WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\Cache

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_IPRIP
-------\Service_Iprip


((((((((((((((((((((((((( Files Created from 2008-05-25 to 2008-06-25 )))))))))))))))))))))))))))))))
.

2010-10-10 10:09 . 2010-10-10 10:09 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2010-10-10 10:09 . 2008-01-29 11:49 <DIR> d-------- C:\Program Files\AvRack
2010-10-10 10:08 . 2008-01-29 11:49 <DIR> d-------- C:\Program Files\Realtek AC97
2008-06-24 14:37 . 2008-06-24 14:37 <DIR> d-------- C:\Documents and Settings\John Slee.EPIPHANY\Application Data\GlarySoft
2008-06-22 11:12 . 2003-06-25 16:05 266,360 --a------ C:\WINDOWS\system32\TweakUI.exe
2008-06-22 11:12 . 2002-06-21 15:09 160,217 --a------ C:\WINDOWS\system32\PowerToysLicense.rtf
2008-06-20 10:49 . 2008-06-20 10:49 <DIR> d-------- C:\Deckard
2008-06-19 16:16 . 2008-06-19 16:16 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-06-19 16:16 . 2008-06-19 16:16 <DIR> d-------- C:\WINDOWS\system32\en
2008-06-19 16:16 . 2008-06-19 16:16 <DIR> d-------- C:\WINDOWS\system32\bits
2008-06-19 16:16 . 2008-06-19 16:16 <DIR> d-------- C:\WINDOWS\l2schemas
2008-06-19 16:06 . 2008-06-19 16:17 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-06-19 12:44 . 2004-08-04 13:00 300,969 -----c--- C:\WINDOWS\system32\dllcache\viz.wmv
2008-06-19 12:43 . 2004-08-04 13:00 1,398 -----c--- C:\WINDOWS\system32\dllcache\taon.gif
2008-06-19 12:43 . 2004-08-04 13:00 1,380 -----c--- C:\WINDOWS\system32\dllcache\taonh.gif
2008-06-19 12:43 . 2004-08-04 13:00 1,380 -----c--- C:\WINDOWS\system32\dllcache\taoff.gif
2008-06-19 12:43 . 2004-08-04 13:00 1,367 -----c--- C:\WINDOWS\system32\dllcache\taoffh.gif
2008-06-19 12:41 . 2004-08-04 13:00 572,557 -----c--- C:\WINDOWS\system32\dllcache\rtuner.wmv
2008-06-19 12:41 . 2008-04-14 01:12 397,056 --------- C:\WINDOWS\system32\s3gnb.dll
2008-06-19 12:41 . 2008-04-14 01:12 290,304 --------- C:\WINDOWS\system32\rhttpaa.dll
2008-06-19 12:41 . 2004-08-03 22:29 166,912 --------- C:\WINDOWS\system32\drivers\s3gnbm.sys
2008-06-19 12:41 . 2008-04-13 18:28 66,725 -----c--- C:\WINDOWS\system32\dllcache\revert.wmz
2008-06-19 12:41 . 2008-04-14 01:12 32,768 --------- C:\WINDOWS\system32\setupn.exe
2008-06-19 12:41 . 2008-04-13 19:56 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2008-06-19 12:41 . 2008-04-13 19:40 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
2008-06-19 12:39 . 2008-04-14 01:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
2008-06-19 12:39 . 2004-08-03 22:29 1,897,408 --------- C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-06-19 12:39 . 2004-08-04 13:00 375,519 -----c--- C:\WINDOWS\system32\dllcache\nuskin.wmv
2008-06-19 12:39 . 2004-08-03 22:41 180,360 --------- C:\WINDOWS\system32\drivers\ntmtlfax.sys
2008-06-19 12:39 . 2008-04-14 01:12 144,384 --------- C:\WINDOWS\system32\onex.dll
2008-06-19 12:38 . 2008-04-14 01:12 176,640 --------- C:\WINDOWS\system32\napstat.exe
2008-06-19 12:38 . 2004-07-17 11:35 67,866 --------- C:\WINDOWS\system32\drivers\netwlan5.img
2008-06-19 12:38 . 2004-08-04 13:00 22,060 -----c--- C:\WINDOWS\system32\dllcache\npds.zip
2008-06-19 12:38 . 2004-08-04 13:00 403 -----c--- C:\WINDOWS\system32\dllcache\npdrmv2.zip
2008-06-19 12:36 . 2008-04-14 01:10 294,912 -----c--- C:\WINDOWS\system32\dllcache\msaud32.acm
2008-06-19 12:35 . 2008-04-14 01:11 397,312 --------- C:\WINDOWS\system32\mmcex.dll
2008-06-19 12:35 . 2008-04-14 01:11 184,320 --------- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-06-19 12:35 . 2008-04-14 01:11 106,496 --------- C:\WINDOWS\system32\mmcfxcommon.dll
2008-06-19 12:35 . 2004-08-04 13:00 97,117 -----c--- C:\WINDOWS\system32\dllcache\mplayer2.hlp
2008-06-19 12:35 . 2008-04-14 01:12 33,792 --------- C:\WINDOWS\system32\mmcperf.exe
2008-06-19 12:35 . 2004-08-04 13:00 18,286 -----c--- C:\WINDOWS\system32\dllcache\mplayer2.inf
2008-06-19 12:35 . 2004-08-04 13:00 2,778 -----c--- C:\WINDOWS\system32\dllcache\mplogoh.gif
2008-06-19 12:35 . 2004-08-04 13:00 2,545 -----c--- C:\WINDOWS\system32\dllcache\mplogo.gif
2008-06-19 12:35 . 2004-08-04 13:00 1,885 -----c--- C:\WINDOWS\system32\dllcache\mplayer2.cnt
2008-06-19 12:34 . 2004-08-04 13:00 457,607 -----c--- C:\WINDOWS\system32\dllcache\mdlib.wmv
2008-06-19 12:34 . 2008-04-14 01:11 86,016 --------- C:\WINDOWS\system32\mdmxsdk.dll
2008-06-19 12:34 . 2004-08-03 22:41 11,868 --------- C:\WINDOWS\system32\drivers\mdmxsdk.sys
2008-06-19 12:33 . 2008-04-14 01:09 290,816 -----c--- C:\WINDOWS\system32\dllcache\l3codeca.acm
2008-06-19 12:33 . 2008-04-14 01:11 37,376 --------- C:\WINDOWS\system32\l2gpstore.dll
2008-06-19 12:32 . 2008-04-14 01:11 61,440 --------- C:\WINDOWS\system32\kmsvc.dll
2008-06-19 12:32 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdpash.dll
2008-06-19 12:32 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdnepr.dll
2008-06-19 12:32 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdiultn.dll
2008-06-19 12:32 . 2008-04-14 01:09 6,144 --------- C:\WINDOWS\system32\kbdbhc.dll
2008-06-19 12:30 . 2007-06-21 06:52 974 --------- C:\WINDOWS\system32\pid.inf
2008-06-19 12:29 . 2008-04-13 19:45 46,592 --------- C:\WINDOWS\system32\drivers\irbus.sys
2008-06-19 12:29 . 2008-04-13 19:43 9,728 --------- C:\WINDOWS\system32\comsdupd.exe
2008-06-19 12:27 . 2004-08-03 22:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
2008-06-19 12:27 . 2004-08-03 22:41 685,056 --------- C:\WINDOWS\system32\drivers\hsfcxts2.sys
2008-06-19 12:27 . 2004-08-03 22:41 220,032 --------- C:\WINDOWS\system32\drivers\hsfbs2s2.sys
2008-06-19 12:27 . 2008-04-13 19:36 46,464 --------- C:\WINDOWS\system32\drivers\gagp30kx.sys
2008-06-19 12:27 . 2008-04-14 01:11 32,285 --------- C:\WINDOWS\system32\hsfcisp2.dll
2008-06-19 12:27 . 2008-04-13 19:46 25,600 --------- C:\WINDOWS\system32\drivers\hidbth.sys
2008-06-19 12:27 . 2008-04-13 19:45 19,200 --------- C:\WINDOWS\system32\drivers\hidir.sys
2008-06-19 12:25 . 2008-04-14 01:11 650,752 --------- C:\WINDOWS\system32\dot3ui.dll
2008-06-19 12:24 . 2008-04-14 01:11 233,472 --------- C:\WINDOWS\system32\azroles.dll
2008-06-19 12:24 . 2008-04-13 19:46 36,480 --------- C:\WINDOWS\system32\drivers\bthprint.sys
2008-06-19 12:24 . 2008-04-14 01:11 25,471 --------- C:\WINDOWS\system32\drivers\atv04nt5.dll
2008-06-19 12:24 . 2008-04-14 01:11 21,183 --------- C:\WINDOWS\system32\drivers\atv01nt5.dll
2008-06-19 12:24 . 2008-04-14 01:11 17,279 --------- C:\WINDOWS\system32\drivers\atv10nt5.dll
2008-06-19 12:24 . 2008-04-14 01:11 15,423 --------- C:\WINDOWS\system32\drivers\ch7xxnt5.dll
2008-06-19 12:24 . 2008-04-14 01:11 14,143 --------- C:\WINDOWS\system32\drivers\atv06nt5.dll
2008-06-19 12:24 . 2008-04-14 01:11 11,359 --------- C:\WINDOWS\system32\drivers\atv02nt5.dll
2008-06-19 12:24 . 2008-04-14 01:11 7,168 --------- C:\WINDOWS\system32\bitsprx4.dll
2008-06-19 12:24 . 2004-08-04 13:00 999 -----c--- C:\WINDOWS\system32\dllcache\bktrh.gif
2008-06-19 12:22 . 2008-04-14 01:11 136,192 --------- C:\WINDOWS\system32\aaclient.dll
2008-06-19 12:22 . 2008-04-14 01:11 4,255 --------- C:\WINDOWS\system32\drivers\adv01nt5.dll
2008-06-19 12:22 . 2008-04-14 01:11 3,967 --------- C:\WINDOWS\system32\drivers\adv02nt5.dll
2008-06-19 12:22 . 2008-04-14 01:11 3,775 --------- C:\WINDOWS\system32\drivers\adv11nt5.dll
2008-06-19 12:22 . 2008-04-14 01:11 3,711 --------- C:\WINDOWS\system32\drivers\adv09nt5.dll
2008-06-19 12:22 . 2008-04-14 01:11 3,647 --------- C:\WINDOWS\system32\drivers\adv07nt5.dll
2008-06-19 12:22 . 2008-04-14 01:11 3,615 --------- C:\WINDOWS\system32\drivers\adv05nt5.dll
2008-06-19 12:22 . 2008-04-14 01:11 3,135 --------- C:\WINDOWS\system32\drivers\adv08nt5.dll
2008-06-19 01:43 . 2008-06-19 01:43 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-06-19 01:43 . 2008-06-19 01:43 <DIR> d-------- C:\Documents and Settings\John Slee.EPIPHANY\Application Data\SUPERAntiSpyware.com
2008-06-19 01:43 . 2008-06-19 01:43 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2008-06-18 23:49 . 2008-06-18 23:49 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-18 12:40 . 2008-06-18 14:02 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Lavasoft
2008-06-18 12:26 . 2008-06-19 01:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-18 11:16 . 2008-06-18 11:17 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-18 11:16 . 2008-06-18 12:42 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2008-06-18 09:54 . 2008-06-18 09:54 <DIR> d-------- C:\Program Files\RogueRemover FREE
2008-06-17 18:52 . 2005-02-03 18:58 425,984 --a------ C:\WINDOWS\system32\GeoCodec.dll
2008-06-17 18:52 . 2005-02-03 18:58 425,984 -ra------ C:\WINDOWS\GeoCodec.dll
2008-06-17 18:52 . 2001-05-04 12:05 413,760 --a------ C:\WINDOWS\mpg4c32.dll
2008-06-17 18:52 . 2005-03-08 17:02 92,105 --a------ C:\WINDOWS\Stable_7000.xml
2008-06-17 18:52 . 2003-12-02 10:03 12,045 --a------ C:\WINDOWS\buzzer.wav
2008-06-16 16:42 . 2008-06-16 16:42 <DIR> d-------- C:\Program Files\MozBackup
2008-06-13 13:46 . 2008-06-13 12:05 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-13 13:46 . 2008-05-08 15:02 203,136 -----c--- C:\WINDOWS\system32\dllcache\rmcast.sys
2008-06-13 02:51 . 2008-06-13 21:10 765 --a------ C:\camerades.inf
2008-06-13 01:21 . 2008-04-13 19:46 85,248 --a------ C:\WINDOWS\system32\drivers\nabtsfec.sys
2008-06-13 01:21 . 2008-04-13 19:46 19,200 --a------ C:\WINDOWS\system32\drivers\wstcodec.sys
2008-06-13 01:21 . 2008-04-13 19:46 17,024 --a------ C:\WINDOWS\system32\drivers\ccdecode.sys
2008-06-13 01:21 . 2008-04-14 01:12 16,384 --a------ C:\WINDOWS\system32\ipsink.ax
2008-06-13 01:21 . 2008-04-13 19:46 15,232 --a------ C:\WINDOWS\system32\drivers\streamip.sys
2008-06-13 01:21 . 2008-04-13 19:46 11,136 --a------ C:\WINDOWS\system32\drivers\slip.sys
2008-06-13 01:21 . 2008-04-13 19:46 10,880 --a------ C:\WINDOWS\system32\drivers\ndisip.sys
2008-06-13 01:21 . 2008-04-13 19:39 5,504 --a------ C:\WINDOWS\system32\drivers\mstee.sys
2008-05-27 10:50 . 2008-05-27 10:50 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-05-27 10:50 . 2008-05-27 10:50 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-25 14:06 1,893 ----a-w C:\WINDOWS\bcmwltrytmp.reg
2008-06-25 12:07 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-06-25 11:41 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\OpenOffice.org2
2008-06-24 23:11 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Google Updater
2008-06-20 12:03 --------- d-----w C:\Program Files\Java
2008-06-18 22:30 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-06-18 11:40 --------- d-----w C:\Program Files\Lavasoft
2008-06-18 09:39 --------- d-----w C:\Program Files\Email Marketing Pro 2008
2008-06-17 20:13 --------- d-----w C:\Program Files\QuickTime
2008-06-13 11:05 272,128 ----a-w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-13 00:29 --------- d-----w C:\Program Files\WebCam
2008-05-26 06:37 --------- d-----w C:\Program Files\palmOne
2008-05-25 21:16 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\AVGTOOLBAR
2008-05-25 21:07 9,388 ----a-w C:\WINDOWS\system32\drivers\iaStor.PNF
2008-05-25 21:07 7,280 ----a-w C:\WINDOWS\system32\drivers\viamraid.PNF
2008-05-25 21:07 63,240 ----a-w C:\WINDOWS\system32\drivers\Si3112r.PNF
2008-05-25 21:07 6,984 ----a-w C:\WINDOWS\system32\drivers\SiSRaid.PNF
2008-05-25 21:07 12,432 ----a-w C:\WINDOWS\system32\drivers\adpu320.PNF
2008-05-25 21:07 12,204 ----a-w C:\WINDOWS\system32\drivers\nvraid.PNF
2008-05-25 21:07 10,828 ----a-w C:\WINDOWS\system32\drivers\iaAHCI.PNF
2008-05-22 11:14 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\GeoSetter
2008-05-22 08:24 --------- d-----w C:\Program Files\GeoSetter
2008-05-18 09:35 --------- d-----w C:\Program Files\orange3
2008-05-17 19:46 96,520 ----a-w C:\WINDOWS\system32\drivers\avgldx86.sys
2008-05-17 19:46 75,272 ----a-w C:\WINDOWS\system32\drivers\avgtdix.sys
2008-05-17 19:46 --------- d-----w C:\Program Files\AVG
2008-05-17 19:46 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\avg8
2008-05-17 10:36 --------- d-----w C:\Program Files\Water Explorer
2008-05-15 23:01 --------- d-----w C:\Program Files\Gallery Remote
2008-05-15 22:22 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\PFrank
2008-05-15 22:09 --------- d-----w C:\Program Files\PFrank
2008-05-15 10:03 --------- d--h--w C:\Program Files\Zero G Registry
2008-05-08 14:02 203,136 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-06 15:56 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\BITS
2008-04-29 10:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 10:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 10:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-26 07:08 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Nokia Multimedia Player
2008-04-26 06:50 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
2008-04-26 06:50 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-04-25 20:18 --------- d-----w C:\Program Files\Common Files\PCSuite
2008-04-25 20:18 --------- d-----w C:\Program Files\Common Files\Nokia
2008-04-25 20:17 --------- d-----w C:\Program Files\Nokia
2008-04-25 20:16 --------- d-----w C:\Program Files\PC Connectivity Solution
2008-04-25 20:12 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Installations
2008-04-25 15:43 --------- d-----w C:\Documents and Settings\John Slee.EPIPHANY\Application Data\PC Suite
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2007-04-21 14:32 80 ----a-w C:\Program Files\serial.txt
2007-01-10 15:37 278,528 ----a-w C:\Program Files\Common Files\FDEUnInstaller.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-04 10:08 68856]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 01:12 15360]
"ISUSPM"="C:\Documents and Settings\All Users.WINDOWS\Application Data\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-29 16:41 222128]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSync2.exe" [2008-03-26 18:41 1232896]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"VMCL"="C:\Program Files\vodafone\vmclite\DongleEnumerator.exe" [2007-08-17 14:35 131072]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"VTTimer"="VTTimer.exe" [2005-03-08 04:33 53248 C:\WINDOWS\system32\VTTimer.exe]
"VTTrayp"="VTtrayp.exe" [2005-11-01 05:15 163840 C:\WINDOWS\system32\VTTrayp.exe]
"SoundMan"="SOUNDMAN.EXE" [2006-03-01 17:22 577536 C:\WINDOWS\soundman.exe]
"SMSERIAL"="sm56hlpr.exe" [2005-11-10 05:44 557056 C:\WINDOWS\sm56hlpr.exe]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" [ ]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-20 06:20 29744]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-02-11 10:35 185632]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 01:12 110592 C:\WINDOWS\system32\bthprops.cpl]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12 49152]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-05-17 20:46 1177368]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 01:12 15360]

C:\Documents and Settings\John Slee.EPIPHANY\Start Menu\Programs\Startup\
OpenOffice.org 2.4.lnk - C:\Program Files\OpenOffice.org 2.4\program\quickstart.exe [1/21/2008 3:41:28 PM 393216]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [10/26/2006 8:56:55 AM 113664]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [10/26/2006 12:24:59 AM 125624]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [5/12/2005 12:23:26 AM 282624]
InterVideo WinCinema Manager.lnk - C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [1/1/2007 12:22:03 PM 98304]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1/21/2000 9:15:54 AM 65588]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)
"NoMovingBands"= 0 (0x0)
"NoCloseDragDropBands"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL,avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.mpg4"= C:\WINDOWS\mpg4c32.dll
"vidc.mpg2"= C:\WINDOWS\mpg4c32.dll
"vidc.mpg3"= C:\WINDOWS\mpg4c32.dll
"vidc.GEOX"= C:\WINDOWS\system32\GeoCodec.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Azureus\\Azureus.exe"=
"C:\\Program Files\\Macromedia\\Dreamweaver MX 2004\\Dreamweaver.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=
"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-05-17 20:46]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-05-17 20:46]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-05-17 20:46]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-05-17 20:46]
R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys [2005-01-14 18:22]
S3 GoogleDesktopManager-022208-143751;Google Desktop Manager 5.7.802.22438;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-04-20 06:20]
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2008-04-14 01:12]
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2008-04-14 01:12]
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2008-04-14 01:12]
S3 phil2vid;Philips USB VGA Camera;C:\WINDOWS\system32\DRIVERS\philcam2.sys [2001-08-17 14:04]
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2008-04-14 01:12]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28e60155-ee01-11dc-8457-000d888eddaa}]
\Shell\AutoRun\command - E:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{28e60156-ee01-11dc-8457-000d888eddaa}]
\Shell\AutoRun\command - E:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31a2c79a-f811-11dc-847f-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{31a2c79b-f811-11dc-847f-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{36fa1034-ee72-11dc-8458-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c32ba74-f006-11dc-845d-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7cf184a-f064-11dc-8461-000d888eddaa}]
\Shell\AutoRun\command - E:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c7cf184b-f064-11dc-8461-000d888eddaa}]
\Shell\AutoRun\command - E:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d51d1d4c-f872-11dc-8481-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d51d1d4d-f872-11dc-8481-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d60bb227-f6b6-11dc-847c-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d60bb228-f6b6-11dc-847c-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d60bb229-f6b6-11dc-847c-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d60bb22a-f6b6-11dc-847c-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d60bb22d-f6b6-11dc-847c-0014a59a0895}]
\Shell\AutoRun\command - E:\StartVMCLite.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-06-06 18:28:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 15:06:48
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
"ImagePath"="\"C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"C:\Program Files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\WLTRYSVC.EXE
C:\WINDOWS\system32\BCMWLTRY.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\system32\snmp.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\WLTRAY.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
E:\PhoneConnectorVMC.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.exe
C:\Program Files\OpenOffice.org 2.4\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\HP\Digital Imaging\bin\hpqste08.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
.
**************************************************************************
.
Completion time: 2008-06-25 15:18:08 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-25 14:17:58

Pre-Run: 10,200,993,792 bytes free
Post-Run: 10,202,140,672 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

366 --- E O F --- 2008-06-20 14:13:37

[*]Kaspersky Log
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Wednesday, June 25, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Wednesday, June 25, 2008 16:49:01
Records in database: 882642
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 203328
Threat name: 2
Infected objects: 1
Suspicious objects: 10
Duration of the scan: 05:18:35


File name / Threat name / Threats count
C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Thunderbird\Profiles\2kkn9qs1.default\Mail\Local Folders\Inbox.sbd\shopping.sbd\Paypal Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Thunderbird\Profiles\2kkn9qs1.default\Mail\pop.nbepiphany.co-1.uk\Junk Suspicious: Trojan-Spy.HTML.Fraud.gen 2
C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Thunderbird\Profiles\2kkn9qs1.default\Mail\pop.nbepiphany.co-1.uk\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 6
C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Thunderbird\Profiles\w2nw9ysm.default\Mail\Local Folders\Trash Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Program Files\Orange\setup\Orange_icons.EXE Infected: not-a-virus:AdWare.Win32.BHO.ahy 1

The selected area was scanned.

[*]Installed Programs List
Ad-Aware
Adobe Flash Player Plugin
Adobe Photoshop 6.0
Adobe Reader 8.1.2
Adobe SVG Viewer
Apple Mobile Device Support
Apple Software Update
AVG Free 8.0
Broadcom 802.11 Network Adapter
Family History Resource File Viewer 2.0
Family Tree Maker 7.5
FLV Player 2.0, build 23
Gallery Remote
GeoSetter 2.5.3
Google Desktop
Google Earth
Google Photos Screensaver
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
Google Updater
HijackThis 2.0.2
Hotfix for Windows Internet Explorer 7 (KB947864)
HP Extended Capabilities 5.3
HP Image Zone Express
HP Imaging Device Functions 5.3
HP PSC & OfficeJet 5.3.B
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
InterVideo WinDVD
iTunes
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 3
Java(TM) 6 Update 4
Java(TM) 6 Update 5
Java(TM) 6 Update 6
Larry's OpenOffice and StarOffice Indexer
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Malwarebytes' RogueRemover
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 1
Microsoft .NET Framework 3.0 Service Pack 1
Microsoft .NET Framework 3.5
Microsoft .NET Framework 3.5
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Kernel-Mode Driver Framework Feature Pack 1.5
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 SR-1 Professional
Microsoft Silverlight
Microsoft Visual C++ 2005 Redistributable
Motorola SM56 Data Fax Modem
Mozilla Firefox (3.0)
Mozilla Thunderbird (2.0.0.14)
MSN
MSVC80_x86
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MySQL Server 5.0
MySQL Tools for 5.0
Nokia Connectivity Cable Driver
Nokia PC Suite
Nokia PC Suite
OpenOffice.org 2.4
Palm Desktop
PC Connectivity Solution
Peter's Flexible RenAmiNg Kit (PFrank) 2.17
Picasa 2
QuickTime
RealPlayer
Realtek AC'97 Audio
Safari
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951698)
Spybot - Search & Destroy
SUPERAntiSpyware Free Edition
Tweak UI
VIA Rhine-Family Fast Ethernet Adapter
VIA/S3G Display Driver
Vodafone Mobile Connect Lite
WD Diagnostics
Windows Driver Package - Nokia Modem (03/05/2008 3.7)
Windows Driver Package - Nokia Modem (03/13/2008 6.86.0.1)
Windows Driver Package - Nokia Modem (10/12/2007 3.6)
Windows Driver Package - Nokia pccsmcfd (10/12/2007 6.85.4.0)
Windows Imaging Component
Windows XP Service Pack 3
WinMerge 2.6.14.0


[*]About how long has this been happening ?
Just over a week
[*]Did it start at about the same time on both machines ?
Yes
[*]Did you install any programs on both machines ?
upgraded to Mozilla Firefox 3, but I had done so on my laptop several days before the error occurred.

Happy Hunting!
 
Well, there is still no dramatic malware showing .....

ComboFix removed a couple of remnants, and Kaspersky showed a couple of dubious e-mails (but they were mainly in Trash and Junk folders)
  • C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Thunderbird\Profiles\2kkn9qs1.default\Mail\Local Folders\Inbox.sbd\shopping.sbd\Paypal Suspicious
  • C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Thunderbird\Profiles\2kkn9qs1.default\Mail\pop.nbepiphany.co-1.uk\Junk Suspicious
  • C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Thunderbird\Profiles\2kkn9qs1.default\Mail\pop.nbepiphany.co-1.uk\Trash Suspicious
  • C:\Documents and Settings\John Slee.EPIPHANY\Application Data\Thunderbird\Profiles\w2nw9ysm.default\Mail\Local Folders\Trash Suspicious
I recommend you empty these folders via Thunderbird

There does however look to be some problem with the system stability
ComboFix shows these files being created
  • 2010-10-10 10:09 . 2010-10-10 10:09 <DIR> d-------- C:\Program Files\Realtek Sound Manager
  • 2010-10-10 10:09 . 2008-01-29 11:49 <DIR> d-------- C:\Program Files\AvRack
  • 2010-10-10 10:08 . 2008-01-29 11:49 <DIR> d-------- C:\Program Files\Realtek AC97

I don't know how you managed to time travel to 2010 ???!!!!!


Let's try a last couple of scans

NOTE:- It may be best if you attach these logs rather than posting them as they are quite large

  1. Please download OTScanIt.exe from Bleeping Computer by OldTimer and save it to your desktop.
  2. Double click on OTScanIt.exe to run it.
  3. Click on Extract. Once done, you will be prompted. Click OK and click Close.
  4. Double click on the OTScanIt folder. Double click on OTScanIt.exe to run it.
  5. Under Drivers section, select Non-Microsoft.
  6. Click on the Run Scan button at the top left hand corner.
  7. OTScanIt will start running. Once done, Notepad will open. Please post the contents of this Notepad file in your next reply.
     Click the Format menu and make sure that Wordwrap is not checked. If it is, then click on it to uncheck it.


GetSystemInfo

Please download GetSystemInfo from HERE
Double click GetSysteminfo.exe
It will ask you where to save the report, please save it to your desktop or somewhere that you can find it easily.
It will display its progress on your screen; when the box disappears it has finished.
 
You will need to disable AVG while you run the scan.
OTScanIt is perfectly safe, it is just the way the tool works that gets flagged.
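The date sanity check Katana applied by eye above, as an added example that is not part of the thread or of ComboFix: it parses lines in the format ComboFix uses for its file listing (created . modified size attrs path), reads the report's own "Completion time:" line, and flags any entry stamped after the scan itself. The log lines inside the block are constructed to match that format and are not the full report.

```python
"""Flag future-dated entries in a ComboFix file listing.

Added example. SAMPLE_LOG is constructed from the line format seen in the
thread; it is not the original report.
"""
import re
from datetime import datetime

SAMPLE_LOG = r"""
2010-10-10 10:09 . 2010-10-10 10:09 <DIR> d-------- C:\Program Files\Realtek Sound Manager
2010-10-10 10:09 . 2008-01-29 11:49 <DIR> d-------- C:\Program Files\AvRack
2008-06-19 12:35 . 2008-04-14 01:11 184,320 --------- C:\WINDOWS\system32\microsoft.managementconsole.dll
2008-06-17 18:52 . 2005-02-03 18:58 425,984 -ra------ C:\WINDOWS\GeoCodec.dll
Completion time: 2008-06-25 15:18:08 - machine was rebooted
"""

# One file entry: "<created> . <modified> <size|<DIR>> <attrs> <path>"
ENTRY_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>\S+) (?P<path>.+)$"
)
COMPLETION_RE = re.compile(r"^Completion time: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
STAMP = "%Y-%m-%d %H:%M"


def parse_entries(text):
    """Return a dict per line that matches the file-entry format; skip the rest."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        is_dir = m["size"] == "<DIR>"
        entries.append({
            "created": datetime.strptime(m["created"], STAMP),
            "modified": datetime.strptime(m["modified"], STAMP),
            "is_dir": is_dir,
            "size": 0 if is_dir else int(m["size"].replace(",", "")),
            "attrs": m["attrs"],
            "path": m["path"],
        })
    return entries


def completion_time(text):
    """Timestamp from the report's 'Completion time:' line, i.e. when the scan ran."""
    for line in text.splitlines():
        m = COMPLETION_RE.match(line.strip())
        if m:
            return datetime.strptime(m.group(1), STAMP + ":%S")
    raise ValueError("no 'Completion time:' line in report")


def future_dated(text):
    """Paths whose created or modified stamp lies after the scan that listed them.

    A file cannot legitimately be created after the report that lists it, so
    such entries point at a wrong system clock or at tampered timestamps and
    deserve a closer look before any other conclusion is drawn from the dates.
    """
    scanned_at = completion_time(text)
    return [e["path"] for e in parse_entries(text)
            if e["created"] > scanned_at or e["modified"] > scanned_at]


if __name__ == "__main__":
    for path in future_dated(SAMPLE_LOG):
        print("future-dated:", path)
```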
 
OTScanIt and sysinfo files

Hi again

5 files attached. (There's an individual file upload limit).

I've just had a thought if these don't enlighten us. (I hope that's allowed!) ATM I haven't got the Quick Launch or Desktop Toolbars activated. When I have QL activated, it is when I (right-)click on one of them that the other icons are de-activated. Is there a before and after scan that I could run that might tell you what has been run as a result of the right-click?

Regards

John
 
Thoughts are always allowed :bigthumb:

Let me go through these logs and see if anything stands out.

Please be patient, as you can see there is a lot of info to look at there.
 
OK, there doesn't appear to be any problems present in those logs either :(

How many icons do you have in the Quick Launch bar?
What programs are they for ?
Do you have any problems when you right-click anywhere else ?

Can you re-run OTScanIt please,
Under "Additional Scans" please put a check mark next to the following items
  • Reg - Security Settings
  • Reg - Software Policy Settings
  • Reg - Desktop Components

now click "Run Scan" as before.

Also, please can you do the following. I doubt it is related to your problem, but I would like to have a look at a file.

Upload a File
Download suspicious file packer from here

Unzip it to desktop, open it & paste in the list of files below, press next & it will create an archive (zip/cab file) on desktop

C:\Program.exe

Go to spykiller

Please start a new thread Titled File/s for Katana and give the following information
  • Name:-- Your name
  • E-mail:-- Your E-mail (this is confidential and will not be displayed)
  • Subject:-- File for Katana
In the main text window please put the following link
LINK here
you may also add any comments you wish
then press attach and upload the zip/cab file that was created.

Files can be uploaded by anybody but not downloaded at all except for those users that have been given special permissions.
You DO NOT need to be a member to upload, anybody can upload the files
 
Sorry for delay

Sorry not to have replied before, Katana, but I didn't get an email notifying me of this post:sad:
OK, there doesn't appear to be any problems present in those logs either :(

How many icons do you have in the Quick Launch bar?
What programs are they for ?
Do you have any problems when you right-click anywhere else ?
I have 9 icons in the QL bar:
link to a folder
IE7
Mozilla Firefox
Mozilla Thunderbird
Quick Time Player
Show Desktop
Spybot S&D
Windows MediaPlayer
link to another folder

I have the same problem when I click on Desktop toolbar icons, but not icons on the desktop.
Will run the other programs asap.

BW

John
 
Desperate for help now!

Hi again Katana

Over the last 2 or 3 days something has prevented me from accessing my web hosting CPanel and my Webmail on just this computer (i.e. I can access them on another computer on the network). The ports are http://nbepiphany.co.uk:2082/ and http://nbepiphany.co.uk:2095/

AFAICS it's not the Windows Firewall causing the problem, because I tried switching it off, and the problem remained. AFAIK I have only installed and run the programs you told me to run and Vodafone Mobile Connect for the first time in this period. I don't know how to tell which ports are blocked - if that is the problem.

Your guidance would be appreciated :-)

TIA

John
 
Have you been able to connect after running combofix ?
That is the only tool we have used that may have affected anything.
OTScanIt just scans.

If you can't sort it, it may be worth trying system restore.
 
System Restored

If you can't sort it, it may be worth trying system restore.
Thanks for that advice, Katana.

I restored to 25th, and can access CPANEL again. Vodafone Mobile Connect Lite is working as well :laugh:

Unsurprisingly the (Quick Launch) Toolbar still exists.
 