32 replies to this topic

[Bazareth]

I have just started trying to fix my sisters computer as she complained it has been going very slow. I went thought and deleted some tool bars and advertising crap that she had some how installed with free programs.
the computer is running windows xp sp2, and running Norton internet security 2009. It IS linked on the network to my parents home/business computer and also my own computer, so I hope none of the risks can spread to us.

I have run Ad-aware and it found 114 issues, I told it to remove them all, and I have saved the Log from it if it is needed/useful, but i wont post it unless you want it.
after running Ad-aware I ran Malware bytes it had a count of 27 problems found when i last look, and then it seems to have frozen.
this is the hijackthis log, i will re scan with malware bytes.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:03:19 PM, on 15/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe
C:\Program Files\Windows Live\Family Safety\fsui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Windows Live\Family Safety\fsssvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\PROGRA~1\NORTON~4\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\PROGRA~1\NORTON~4\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com...S01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [nmctxth] "C:\Program Files\Common Files\Pure Networks Shared\Platform\nmctxth.exe"
O4 - HKLM\..\Run: [nmapp] "C:\Program Files\Pure Networks\Network Magic\nmapp.exe" -autorun -nosplash
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fsui.exe" -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\Norton SystemWorks Basic Edition\osCheck.exe"
O4 - HKLM\..\Run: [NswUiTray] C:\Program Files\Norton SystemWorks Basic Edition\NswUiTray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\RunOnce: [AGCoreCleanup] CMD /C RD /S /Q "C:/Program Files/AGI"
O4 - HKLM\..\RunOnce: [AGCoreUserSettingsCleanup] CMD /C RD /S /Q "C:/Documents and Settings/User/Application Data/AGI"
O4 - HKLM\..\RunOnce: [MyWebSearch bar Uninstall] rundll32 C:\PROGRA~1\UNINST~1.DLL,O -2
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetupo.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetupo.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetupo.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetupo.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com...llerControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1194070069250
O16 - DPF: {927FDDDE-257A-490F-A768-92DAF5F99DD2} (PNRPCtrl Class) - http://shift.collideascope.ca/pnrp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C41A07F-9E03-430A-AF7E-705A0257A5EE}: NameServer = 203.12.160.35,203.12.160.36
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe
O23 - Service: Pure Networks Platform Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Common Files\Pure Networks Shared\Platform\nmsrvc.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~4\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~4\NORTON~1\SPEEDD~1\NOPDB.EXE

--
End of file - 12508 bytes

EDIT:::
I ran malware bytes, it found 45 problems I told it to fix them all, and then after a few seconds it came up with an error saying out of memory??
it then closed when i pressed ok, and i cant seem to find any log saved.

EDIT 2:::
I re ran malware bytes, it found 35 probolems (on a quick scan instead of full system scan) and again I got runtime error, out of memory....???
i will now run spybot.

EDIT 3::
The things Found by Spybot were... Double Click x1 FunWebProducts x3 Microsoft.Windows.WppFirewallBypass x2 MyWay.MyWebSearch x2
all problems those problems were removed by spybot.

Edited by paulneedshelp, 15 March 2009 - 04:43 PM.

[Rocket Grannie]

Hello paulneedshelp. Welcome back to SWI.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

First of all:
Keep the infected computer off line as much as possible.

Did you, your parents or SpyBot set this restriction?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

'Control Panel present' restricts the ability to use 'Internet options' for the user. Sometimes, malware can change the settings to keep a user from changing a hijacked start page or from using 'Internet options'.

Navigate to the MBAM program folder, and change MBAM’s name to fluffybunny.exe
If it still won’t run, then uninstall/reinstall it, but rename it to fluffybunny when you save it.

Download Security Check by screen317 from here or here and save it to your Desktop.

• Unzip SecurityCheck.zip and a folder named Security Check should appear.
• Open the Security Check folder and double-click Security Check.bat
• Follow the onscreen instructions inside of the black box.
• A Notepad document should open automatically called checkup.txt; please post the contents of that document.

Download ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt, Security check report, MBAM log, and a fresh HijackThis log in your next reply for further review.

If you have any problems running ComboFix, then rename it to Combo-Fix.



Rocket Grannie

[Bazareth]

Thanks RG, Its good to be back, even if it means there is another problem.
My parents and me did NOT set that restriction, spybot is possible, but i could not tell you for sure.

Security Check Log:
Results of screen317's Security Check version 0.98.0
Windows XP Service Pack 2
Out of date service pack!!
``````````````````````````````
Antivirus/Firewall Check:
``````````````````````````````
Windows Firewall Disabled!
Norton Internet Security
Norton SystemWorks (Symantec Corporation)
Norton SystemWorks Basic Edition
Norton Utilities
Norton Cleanup
.Antivirus up to date!
``````````````````````````````
Anti-malware/Other Utilities Check:
``````````````````````````````
Spybot - Search & Destroy 1.4
Spybot - Search & Destroy
Out of date Spybot installed!
Malwarebytes' Anti-Malware
Ad-Aware
Ad-Aware
HijackThis 2.0.2
Java™ 6 Update 11
Java™ 6 Update 3
Out of date Java installed!
``````````````````````````````
Process Check:
objlist.exe by Laurent
``````````````````````````````
Malwarebytes' Anti-Malware fluffybunny.exe
``````````````````````````````
DNS Vulnerability Check:
``````````````````````````````
GREAT! (Very random)

Scan took 27 seconds.
`````````End of Log```````````


EDIT1::::
[b]Combo Fix Log

ComboFix 09-03-15.01 - User 2009-03-16 20:04:00.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2047.1463 [GMT 11:00]
Running from: c:\documents and settings\User\Desktop\ComboFix.exe
AV: Norton Internet Security *On-access scanning disabled* (Updated)
FW: Norton Internet Security *enabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\IE4 Error Log.txt
c:\windows\system32\_005137_.tmp.dll
c:\windows\system32\_005138_.tmp.dll
c:\windows\system32\_005139_.tmp.dll
c:\windows\system32\_005140_.tmp.dll
c:\windows\system32\_005147_.tmp.dll
c:\windows\system32\_005148_.tmp.dll
c:\windows\system32\_005149_.tmp.dll
c:\windows\system32\_005150_.tmp.dll
c:\windows\system32\_005152_.tmp.dll
c:\windows\system32\_005153_.tmp.dll
c:\windows\system32\_005156_.tmp.dll
c:\windows\system32\_005157_.tmp.dll
c:\windows\system32\_005158_.tmp.dll
c:\windows\system32\_005159_.tmp.dll
c:\windows\system32\_005160_.tmp.dll
c:\windows\system32\_005161_.tmp.dll
c:\windows\system32\_005162_.tmp.dll
c:\windows\system32\_005163_.tmp.dll
c:\windows\system32\_005164_.tmp.dll
c:\windows\system32\_005165_.tmp.dll
c:\windows\system32\_005166_.tmp.dll
c:\windows\system32\_005167_.tmp.dll
c:\windows\system32\_005168_.tmp.dll
c:\windows\system32\_005169_.tmp.dll
c:\windows\system32\_005170_.tmp.dll
c:\windows\system32\_005171_.tmp.dll
c:\windows\system32\_005172_.tmp.dll
c:\windows\system32\_005173_.tmp.dll
c:\windows\system32\_005174_.tmp.dll
c:\windows\system32\_005177_.tmp.dll
c:\windows\system32\_005178_.tmp.dll
c:\windows\system32\_005179_.tmp.dll
c:\windows\system32\_005180_.tmp.dll
c:\windows\system32\_005181_.tmp.dll
c:\windows\system32\_005182_.tmp.dll
c:\windows\system32\_005183_.tmp.dll
c:\windows\system32\_005184_.tmp.dll
c:\windows\system32\_005185_.tmp.dll
c:\windows\system32\_005186_.tmp.dll
c:\windows\system32\_005187_.tmp.dll
c:\windows\system32\_005188_.tmp.dll
c:\windows\system32\_005189_.tmp.dll
c:\windows\system32\_005190_.tmp.dll
c:\windows\system32\_005192_.tmp.dll
c:\windows\system32\_005193_.tmp.dll
c:\windows\system32\_005195_.tmp.dll
c:\windows\system32\_005197_.tmp.dll
c:\windows\system32\_005198_.tmp.dll
c:\windows\system32\_005199_.tmp.dll
c:\windows\system32\_005200_.tmp.dll
c:\windows\system32\_005202_.tmp.dll
c:\windows\system32\_005203_.tmp.dll
c:\windows\system32\_005204_.tmp.dll
c:\windows\system32\_005205_.tmp.dll
c:\windows\system32\_005206_.tmp.dll
c:\windows\system32\_005207_.tmp.dll
c:\windows\system32\_005208_.tmp.dll
c:\windows\system32\_005209_.tmp.dll
c:\windows\system32\_005210_.tmp.dll
c:\windows\system32\_005212_.tmp.dll
c:\windows\system32\_005213_.tmp.dll
c:\windows\system32\_005214_.tmp.dll
c:\windows\system32\_005215_.tmp.dll
c:\windows\system32\_005217_.tmp.dll
c:\windows\system32\_005219_.tmp.dll
c:\windows\system32\_005220_.tmp.dll
c:\windows\system32\_005221_.tmp.dll
c:\windows\system32\_005222_.tmp.dll
c:\windows\system32\_005223_.tmp.dll
c:\windows\system32\_005224_.tmp.dll
c:\windows\system32\_005225_.tmp.dll
c:\windows\system32\_005227_.tmp.dll
c:\windows\system32\_005228_.tmp.dll
c:\windows\system32\_005229_.tmp.dll
c:\windows\system32\_005230_.tmp.dll
c:\windows\system32\_005231_.tmp.dll
c:\windows\system32\_005232_.tmp.dll
c:\windows\system32\_005233_.tmp.dll
c:\windows\system32\_005234_.tmp.dll
c:\windows\system32\_005236_.tmp.dll
c:\windows\system32\_005237_.tmp.dll
c:\windows\system32\_005239_.tmp.dll
c:\windows\system32\_005240_.tmp.dll
c:\windows\system32\_005242_.tmp.dll
c:\windows\system32\_005243_.tmp.dll
c:\windows\system32\_005247_.tmp.dll
c:\windows\system32\_005248_.tmp.dll
c:\windows\system32\_005250_.tmp.dll
c:\windows\system32\_005253_.tmp.dll
c:\windows\system32\_005255_.tmp.dll
c:\windows\system32\_005256_.tmp.dll
c:\windows\system32\_005257_.tmp.dll
c:\windows\system32\_005258_.tmp.dll
c:\windows\system32\_005261_.tmp.dll
c:\windows\system32\_005262_.tmp.dll
c:\windows\system32\_005263_.tmp.dll
c:\windows\system32\_005264_.tmp.dll
c:\windows\system32\_005265_.tmp.dll
c:\windows\system32\_005270_.tmp.dll
c:\windows\system32\_005272_.tmp.dll
c:\windows\system32\_005273_.tmp.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_WINDRIVER
-------\Service_WinDriver


((((((((((((((((((((((((( Files Created from 2009-02-16 to 2009-03-16 )))))))))))))))))))))))))))))))
.

2009-03-15 14:21 . 2009-03-15 14:21 <DIR> d-------- c:\program files\Trend Micro
2009-03-15 14:03 . 2009-03-15 14:03 <DIR> d-------- c:\documents and settings\User\Application Data\Malwarebytes
2009-03-15 14:03 . 2009-02-11 10:19 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-03-15 14:03 . 2009-02-11 10:19 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-03-15 14:02 . 2009-03-16 19:58 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-03-15 14:02 . 2009-03-15 14:02 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-03-15 14:01 . 2009-03-10 06:06 15,688 --a------ c:\windows\system32\lsdelete.exe
2009-03-15 13:29 . 2009-03-15 13:28 410,984 --a------ c:\windows\system32\deploytk.dll
2009-03-15 13:27 . 2009-03-10 06:06 64,160 --a------ c:\windows\system32\drivers\Lbd.sys
2009-03-15 13:26 . 2009-03-15 13:27 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2009-03-15 13:26 . 2009-03-15 13:26 <DIR> d--h-c--- c:\documents and settings\All Users\Application Data\{7972B2E5-3E09-4E5E-81B7-FE5819D6772F}
2009-03-15 13:25 . 2009-03-15 13:26 <DIR> d-------- c:\program files\Lavasoft
2009-03-12 19:42 . 2009-03-16 20:07 <DIR> d-------- c:\documents and settings\User\Tracing
2009-03-12 19:38 . 2009-03-15 08:07 <DIR> d-------- c:\program files\Microsoft Silverlight
2009-03-12 19:38 . 2009-03-12 19:38 <DIR> d-------- c:\program files\Microsoft Office Outlook Connector
2009-03-12 19:38 . 2009-02-06 18:08 55,152 --a------ c:\windows\system32\drivers\fssfltr_tdi.sys
2009-03-12 19:36 . 2009-03-12 19:36 <DIR> d-------- c:\program files\Microsoft Sync Framework
2009-03-12 19:32 . 2009-03-12 19:38 <DIR> d-------- c:\program files\Microsoft
2009-03-12 19:31 . 2009-03-12 19:31 <DIR> d-------- c:\program files\Windows Live SkyDrive
2009-03-12 19:26 . 2009-03-12 19:26 <DIR> d-------- c:\program files\Common Files\Windows Live
2009-02-23 20:35 . 2009-03-15 13:09 <DIR> d-------- c:\program files\MySpace
2009-02-23 20:35 . 2009-02-23 20:35 <DIR> d-------- c:\documents and settings\User\Application Data\MySpace

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-03-15 04:36 --------- d-----w c:\program files\Spybot - Search & Destroy
2009-03-15 04:36 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-03-15 03:01 --------- d-----w c:\program files\MSN Messenger
2009-03-15 02:28 --------- d-----w c:\program files\Java
2009-03-15 02:28 --------- d-----w c:\documents and settings\All Users\Application Data\Downloaded Installations
2009-03-15 02:17 --------- d-----w c:\documents and settings\User\Application Data\Lavasoft
2009-03-12 08:37 --------- d-----w c:\program files\Windows Live Toolbar
2009-03-12 08:37 --------- d-----w c:\program files\Windows Live
2009-03-11 09:41 --------- d-----w c:\documents and settings\All Users\Application Data\Microsoft Help
2009-02-08 00:51 --------- d-----r c:\documents and settings\User\Application Data\Brother
2009-02-06 08:03 307,576 ----a-w c:\windows\WLXPGSS.SCR
2009-01-30 11:15 --------- d-----w c:\program files\Norton SystemWorks Basic Edition
2009-01-23 09:28 --------- d-----w c:\program files\PerformanceTest
2009-01-22 00:08 --------- d-----w c:\documents and settings\User\Application Data\Symantec
2009-01-21 23:50 --------- d-----w c:\program files\Common Files\Symantec Shared
2009-01-21 23:41 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-01-21 23:37 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-01-21 23:37 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-01-21 23:37 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-01-21 23:37 --------- d-----w c:\program files\Symantec
2009-01-21 23:37 --------- d-----w c:\documents and settings\All Users\Application Data\NortonSystemWorks
2009-01-21 23:28 --------- d-----r c:\program files\Norton Support
2009-01-21 23:26 --------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-01-21 23:25 36,272 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-01-21 23:25 --------- d-----w c:\program files\Windows Sidebar
2009-01-21 23:25 --------- d-----w c:\program files\Norton Internet Security
2009-01-21 23:15 --------- d-----w c:\program files\NortonInstaller
2009-01-21 23:15 --------- d-----w c:\documents and settings\All Users\Application Data\PCSettings
2009-01-21 23:15 --------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2008-03-01 23:02 0 -c--a-w c:\program files\temp01
2007-12-31 01:30 22,328 -c--a-w c:\documents and settings\User\Application Data\PnkBstrK.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"MsnMsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-07-13 8466432]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2007-07-13 81920]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"InCD"="c:\program files\Ahead\InCD\InCD.exe" [2006-03-23 1398272]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-15 136600]
"fssui"="c:\program files\Windows Live\Family Safety\fsui.exe" [2009-02-06 454000]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
"NSWosCheck"="c:\program files\Norton SystemWorks Basic Edition\osCheck.exe" [2008-09-25 160112]
"NswUiTray"="c:\program files\Norton SystemWorks Basic Edition\NswUiTray.exe" [2008-09-25 85360]
"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-03-10 515416]
"nwiz"="nwiz.exe" [2007-07-13 c:\windows\system32\nwiz.exe]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 c:\windows\soundman.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2004-08-04 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nlsf"="move" [X]
"tscuninstall"="c:\windows\system32\tscupgrd.exe" [2004-08-03 44544]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"ForceClassicControlPanel"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoViewOnDrive"= 0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
"c:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"67:UDP"= 67:UDP:DHCP Discovery Service

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-03-15 64160]
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1002000.007\SymEFA.sys [2009-01-22 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1002000.007\BHDrvx86.sys [2009-01-22 255536]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1002000.007\cchpx86.sys [2009-01-22 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090310.003\IDSxpx86.sys [2009-03-12 276344]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [2009-03-12 55152]
R2 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [2009-02-06 533360]
R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-03-10 951632]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe [2009-01-22 115560]
R2 NProtectService;Norton UnErase Protection;c:\progra~1\NORTON~4\NORTON~1\NPROTECT.EXE [2008-09-25 95600]
R2 SeaPort;SeaPort;c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe [2009-01-14 226656]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2009-02-25 101936]
R3 wdpnp;WinDriver USB Client;c:\windows\system32\drivers\wdpnp.sys [2007-11-15 22748]
S3 ADM8511;ADMtek ADM8511/AN986 USB To Fast Ethernet Converter;c:\windows\system32\drivers\ADM8511.SYS [2007-10-24 20160]
S3 UnlockerDriver4;UnlockerDriver4 Driver;c:\windows\system32\UnlockerDriver4.sys [2007-10-23 3584]
.
Contents of the 'Scheduled Tasks' folder

2009-03-16 c:\windows\Tasks\Ad-Aware Update (Weekly).job
- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-03-10 06:06]

2009-03-16 c:\windows\Tasks\Norton SystemWorks One Button Checkup.job
- c:\program files\Norton SystemWorks Basic Edition\OBC.exe [2008-09-25 14:52]

2009-03-15 c:\windows\Tasks\OGADaily.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

2009-03-16 c:\windows\Tasks\OGALogon.job
- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
Notify-dimsntfy - (no file)


.
------- Supplementary Scan -------
.
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = <local>;*.local
uSearchURL,(Default) = hxxp://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
IE: {{d9288080-1baa-4bc4-9cf8-a92d743db949} - c:\documents and settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk
TCP: {2C41A07F-9E03-430A-AF7E-705A0257A5EE} = 203.12.160.35,203.12.160.36
Handler: symres - {AA1061FE-6C41-421f-9344-69640C9732AB} - c:\program files\Norton Internet Security\Engine\16.2.0.7\CoIEPlg.dll
DPF: CabBuilder - hxxp://kiw.imgag.com/imgag/kiw/toolbar/download/InstallerControl.cab
DPF: {927FDDDE-257A-490F-A768-92DAF5F99DD2} - hxxp://shift.collideascope.ca/pnrp.cab
FF - ProfilePath - c:\documents and settings\User\Application Data\Mozilla\Firefox\Profiles\fv5dvav6.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Live Search
FF - prefs.js: browser.startup.homepage - www.google.com
FF - prefs.js: keyword.URL - hxxp://kwtb.search.imgag.com/?c=GNKIW29193&sbs=1&sc=2&f=web&vernum=1.0&uid=&did=f8d4a70c-98e2-4081-901d-01bf93043ede&q=
FF - prefs.js: network.proxy.type - 1
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\coFFPlgn\components\coFFPlgn.dll
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - plugin: c:\program files\Microsoft\Office Live\npOLW.dll
FF - plugin: c:\program files\Windows Live\Photo Gallery\NPWLPG.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-03-16 20:07:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Engine\16.2.0.7\diMaster.dll\" /prefetch:1"
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Ahead\InCD\InCDsrv.exe
c:\windows\system32\WgaTray.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\nvsvc32.exe
c:\windows\system32\PnkBstrA.exe
c:\progra~1\NORTON~4\NORTON~1\SPEEDD~1\NOPDB.exe
c:\windows\system32\wbem\unsecapp.exe
.
**************************************************************************
.
Completion time: 2009-03-16 20:11:02 - machine was rebooted
ComboFix-quarantined-files.txt 2009-03-16 09:10:53

Pre-Run: 95,722,053,632 bytes free
Post-Run: 95,489,667,072 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect /noexecute=alwaysoff

326 --- E O F --- 2009-03-16 08:44:19

Malware Bytes still comes up with the same error, however I have been able to delete a bunch of files that it had in quarantine but it didn't give me a log. I will uninstall and re install it and try again now. Oh and Firefox has been re named Tagged by something I ran... combofix I think. why is that?

Edited by paulneedshelp, 16 March 2009 - 04:17 AM.

[Bazareth]

I am Still having trouble with MBAM, This is the Hijackthis Log after running everything else. I will continue trying to Get MBAM wo0rking, 2 things I have noticed with MBAM, if i click update, it updates to 1853, if i click it again it downloads again and says its updated from 1853 to 1853... doesn't it usually tell you your up to date rather than do that?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:43:23 PM, on 16/03/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Live\Family Safety\fsui.exe
C:\Program Files\Norton SystemWorks Basic Edition\NswUiTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Windows Live\Family Safety\fsssvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\PROGRA~1\NORTON~4\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\PROGRA~1\NORTON~4\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com...S01?FORM=TOOLBR
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Windows Live Family Safety Browser Helper - {4f3ed5cd-0726-42a9-87f5-d13f3d2976ac} - C:\Program Files\Windows Live\Family Safety\fssbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SearchHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {E15A8DC0-8516-42A1-81EA-DC94EC1ACF10} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O3 - Toolbar: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Windows Live Toolbar - {21FA44EF-376D-4D53-9B0F-8A89D3229068} - C:\Program Files\Windows Live\Toolbar\wltcore.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fsui.exe" -autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\Norton SystemWorks Basic Edition\osCheck.exe"
O4 - HKLM\..\Run: [NswUiTray] C:\Program Files\Norton SystemWorks Basic Edition\NswUiTray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetupo.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetupo.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\User\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: CabBuilder - http://kiw.imgag.com...llerControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1194070069250
O16 - DPF: {927FDDDE-257A-490F-A768-92DAF5F99DD2} (PNRPCtrl Class) - http://shift.collideascope.ca/pnrp.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.c...driveragent.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2C41A07F-9E03-430A-AF7E-705A0257A5EE}: NameServer = 203.12.160.35,203.12.160.36
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~4\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~4\NORTON~1\SPEEDD~1\NOPDB.EXE

--
End of file - 11213 bytes

EDIT:::
on an upside on a quick scan MBAM now found 9 issues rather than the 35 last quick scan. I still got the runtime error out of memory, but I saved a log before I tryed to remove the threats..

MBAM LOG:
Malwarebytes' Anti-Malware 1.34
Database version: 1853
Windows 5.1.2600 Service Pack 2

16/03/2009 9:15:11 PM
mbam-log-2009-03-16 (21-15-04).txt

Scan type: Quick Scan
Objects scanned: 70168
Time elapsed: 25 minute(s), 18 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 2
Folders Infected: 1
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Hijack.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.

Folders Infected:
C:\_ (Backdoor.Bot) -> No action taken.

Files Infected:
C:\_\VIDEO_TS.BUP (Backdoor.Bot) -> No action taken.
C:\_\VIDEO_TS.IFO (Backdoor.Bot) -> No action taken.
C:\_\VTS_01_0.BUP (Backdoor.Bot) -> No action taken.
C:\_\VTS_01_0.IFO (Backdoor.Bot) -> No action taken.
C:\_\VTS_01_1.VOB (Backdoor.Bot) -> No action taken.
C:\_\VTS_01_2.VOB (Backdoor.Bot) -> No action taken.

Edited by paulneedshelp, 16 March 2009 - 05:17 AM.

[Rocket Grannie]

Hello paulneedshelp

Important:
Please disconnect this computer from the Internet. Isolate it completely.

I strongly suggest you scan the other computers with MBAM.

I'm afraid I have bad news.

Your log shows a dangerous trojan is residing on your computer which has a backdoor functionality. It is possible that a remote attacker has already breached your computer.

I would suggest you disconnect this computer from the Internet immediately.
If you do any banking or other financial transactions on the computer, or if it contains any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, your computer is very likely compromised and there is no way to be sure your computer can ever again be trusted.
Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the Operating System.

Visit the following sites for more information on internet theft and when to reformat!

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

Should you decide not to follow that advice, we will of course do our best to clean the computer of any infections that we can see but, as I already stated, we can in no way guarantee it to be trustworthy.

If you have any questions before making a final decision, please feel free to ask.


Rocket Grannie

[Bazareth]

Ah... oh.... Damn it!

ok... I'm on my computer, the infected computer is turned off. I will leve it aside for the moment... How can i be sure the other 2 computers are not and have not been infected?

I am running MBAM on my computer, I do this regularly since the last time i had issued, is there any chance that this is a 'spawn' of sorts from last time you helped me? (although it is a different computer infected).

Thanks for your help... Running MBAM as we speak.
Paul

[Bazareth]

ok, MBAM, on a quick scan found no issues on my computer.
is there a virus/trogan/malware called panda?

I will edit this post with a hijackthis log from my own computer, I am also running kaspersky online scaner.
My computer IS used for banking, how can I be SURE it is safe? one computer at a time, I will move to my parents once my computer is clean.

thanks again RG...
P.S. How does one get this backdoor trojen on a computer that has the latest antivirus?

EDIT:::
Hijackthis Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:27:45 PM, on 16/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [osCheck] C:\Program Files\Norton SystemWorks Basic Edition\osCheck.exe
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKLM\..\Policies\Explorer\Run: []

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: CabBuilder - http://kiw.imgag.com...llerControl.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202181052359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202205639765
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.ado...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F3499BC-8F22-4E9F-9AEA-0E3BCE51622F}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A72CD22-17AD-48AD-AEAE-DAB334EECFA5}: NameServer = 203.12.106.35,203.12.106.36
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: Office Source Engine (ose) - Unknown owner - F:\ceedo\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 15023 bytes

P.S I know adaware and spybot is overkill and they will stop each other working, I do not usualy hvae both on the computer.

EDIT:::
Spybot found no isses when I scanned
Adaware found nothing, well one cookie.
Kaspersky found no Issues

I dont think its related, but at some point a while ago, I think it was when i had something not to bad on the computer that norton fixed, I all of a sudden had a bunch of desktop.ini files around the place.
another odd thing after that same fix, is that every time i start windows note pad opens twice, each with an error, I cant think fot the life of me what the error says but its something to do with not being able to siplay some characters i think.
probably not related, but just thought i would throw it into the mix while im here lol...

Edited by paulneedshelp, 16 March 2009 - 05:35 PM.

[Rocket Grannie]

Hello paulneedshelp

Please don’t run any scans or tools or do anything to the computers unless I ask you to.

How can i be sure the other 2 computers are not and have not been infected?

You can’t because of this:

It IS linked on the network to my parents home/business computer and also my own computer, so I hope none of the risks can spread to us.

Please see here for more detailed information.

Oh and Firefox has been re named Tagged by something I ran... combofix I think. why is that?

ComboFix would not rename FireFox.
Did you set FireFox to manual proxy configuration?

is there any chance that this is a 'spawn' of sorts from last time you helped me?

NO!!!

The bad news is---your computer is infected.

You also have the Control Panel restriction present.
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

However, we do not know yet whether your computer has been compromised.

Please locate, then double-click Malwarebytes click Update tab>>>Check for Updates.

• If an update is found, it will download and install the latest version.
• Once the program has finished updating please select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Be sure that everything is checked, and click Remove Selected.
• When completed, a log will open in Notepad. Please save it to a location you will remember.
• Copy and Paste that log into your next reply.

• Click here to use the F-Secure Online Scanner
• Then click the Start Scanning button below.
• You should get a notification (bar on top) to install the activeX.
• Click on it and select to install the ActiveX.
• Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
• In case you are having problems with installing the ActiveX/starting the scan, please read here.
• Click the Full System Scan button.
• It will start to download scanner components and databases. This can take a while.
• The main scan will start.
• Once the scan has finished scanning, click the Automatic cleaning (recommended) button
• It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
• The cleaning can take a while, so please be patient.
• Then click the Show report button and copy/paste what is present under results in your next reply.

Next, please run a GMER Rootkit scan:

Download GMER's application from here:

Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.

Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.

Warning ! Please, do not select the "Show all" checkbox during the scan.

Please post:
MBAM log
F-Secure report
Gmer log.
A fresh HJT log.


Rocket Grannie

[Bazareth]

Sorry for taking my own lead there, I guess I just felt a little helpless while i waited and thought they could not hurt, I will wait for your say so for anything else :-)

*bows head & raises hands* all hail Rocket Granny the Great Australian SWI King! ;-)

OK... up of my knees, all the things Requested *cough* master *cough*

(you are in the midst of saving my ass (computer wise) for the second time, getting on my knees (as in bowing down!) is the least i can do!)

oh, one question, should I run each of those scans on my parents computer?
I dont want to confuse things, so I will only work on one at a time in the forum, but to save time I can run these scans and save the logs for once this computer is secure.
(obviousely any steps past this I wont do, as the computer may not be infected/may have something different!)

I wont post the MBAM log as it finished having found nothing at all.

-----------------------------------------------------------------------------------------------------------------------
F-SECURE LOG
-----------------------------------------------------------------------------------------------------------------------
Scanning Report
Tuesday, March 17, 2009 19:54:38 - 21:19:55
Computer name: PAUL
Scanning type: Scan system for malware, rootkits
Target: C:\


--------------------------------------------------------------------------------

Result: 1 malware found
W32/Horst.gen33 (virus)
C:\PROGRAM FILES\IRIVER\IRIVER PLUS 3\JOCOMMLIB.DLL (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 57688
System: 4007
Not scanned: 12
Actions:
Disinfected: 0
Renamed: 0
Deleted: 0
None: 1
Submitted: 1
Files not scanned:
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\DRIVERS\SPTD.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\SYSTEM32\CONFIG\SAM
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_AVPAPP_{BB639333-810A-4BF8-85F5-C537857F55FC}0
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_ISDATAPR_{E8EFD4CD-DE52-4444-9511-EFF3B158724B}0
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_ISDATAPR_{FF9AC67A-E394-46AE-B150-B3365343F166}G
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_NPC.TRAY.{1AFE47BB-FCF1-4096-9039-1FEBC9A0CCCF}0
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_UI.HOST.{1AFE47BB-FCF1-4096-9039-1FEBC9A0CCCF}0

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure USS: 3.0.0
F-Secure Hydra: 3.8.9080, 2009-03-17
F-Secure AVP: 7.0.171, 2009-03-17
F-Secure Pegasus: 1.20.0, 1970-00-01
F-Secure Blacklight: 0.0.0
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
Use Advanced heuristics

--------------------------------------------------------------------------------



-----------------------------------------------------------------------------------------------------------------------
GMER LOG
-----------------------------------------------------------------------------------------------------------------------
GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-18 02:08:01
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 89E6DC98 ZwAlertResumeThread
SSDT 89E6FDF8 ZwAlertThread
SSDT 89E80E60 ZwAllocateVirtualMemory
SSDT 89E8AC98 ZwAssignProcessToJobObject
SSDT 8A10E930 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA39F9040]
SSDT 89E69798 ZwCreateMutant
SSDT 89E87E68 ZwCreateSymbolicLinkObject
SSDT 89E6D7A0 ZwCreateThread
SSDT 89E8CB68 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA39F92C0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA39F9820]
SSDT 89F9CEA8 ZwDuplicateObject
SSDT sppi.sys ZwEnumerateKey [0xB9EC8CA2]
SSDT sppi.sys ZwEnumerateValueKey [0xB9EC9030]
SSDT 89EA1E68 ZwFreeVirtualMemory
SSDT 89E69868 ZwImpersonateAnonymousToken
SSDT 89E6D370 ZwImpersonateThread
SSDT 89E3C1A8 ZwLoadDriver
SSDT 89EA0BC8 ZwMapViewOfSection
SSDT 89E687E0 ZwOpenEvent
SSDT sppi.sys ZwOpenKey [0xB9EAB0C0]
SSDT 89E926A0 ZwOpenProcess
SSDT 89F9CE28 ZwOpenProcessToken
SSDT 89E8D548 ZwOpenSection
SSDT 89EB6E60 ZwOpenThread
SSDT 89E8A818 ZwProtectVirtualMemory
SSDT sppi.sys ZwQueryKey [0xB9EC9108]
SSDT sppi.sys ZwQueryValueKey [0xB9EC8F88]
SSDT 89DD5398 ZwResumeThread
SSDT 89EA1DE8 ZwSetContextThread
SSDT 89E9FD10 ZwSetInformationProcess
SSDT 89E8CC28 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA39F9A70]
SSDT 89E64730 ZwSuspendProcess
SSDT 89E6FEB8 ZwSuspendThread
SSDT 89F50288 ZwTerminateProcess
SSDT 89E9D828 ZwTerminateThread
SSDT 89E80A28 ZwUnmapViewOfSection
SSDT 89E80AA8 ZwWriteVirtualMemory

INT 0x62 ? 8A5CBBF8
INT 0x63 ? 8A563BF8
INT 0x73 ? 8A563BF8
INT 0x82 ? 8A5CBBF8
INT 0x94 ? 8A463BF8
INT 0xA4 ? 8A463BF8
INT 0xB4 ? 8A463BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 23E0 80501C18 4 Bytes JMP 8E60A62D
.text ntkrnlpa.exe!ZwCallbackReturn + 2434 80501C6C 8 Bytes CALL 6727BCFA
.text ntkrnlpa.exe!ZwCallbackReturn + 26B8 80501EF0 4 Bytes CALL 1ADA0912
? sppi.sys The system cannot find the file specified. !
? SYMEFA.SYS The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload B880E8AC 5 Bytes JMP 8A4631D8

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[4132] kernel32.dll!VirtualProtect + 1C 7C801AF0 7 Bytes JMP 03690034
.text C:\Program Files\Internet Explorer\iexplore.exe[4132] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 42F0F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4132] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 430A187F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4132] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 430A1800 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4132] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 430A1844 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4132] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 430A178C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4132] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 430A17C6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4132] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 430A18BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4132] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 42F316F6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4132] ole32.dll!CoCreateInstanceEx 77500526 5 Bytes JMP 036900B8
.text C:\Program Files\Internet Explorer\iexplore.exe[4132] ole32.dll!CoGetClassObject 775156C5 5 Bytes JMP 0369013F

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EAC040] sppi.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EAC13C] sppi.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EAC0BE] sppi.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EAC7FC] sppi.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EAC6D2] sppi.sys
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EBBD92] sppi.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.EXE[2052] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C52F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[2052] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C52C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[2052] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C52CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[2052] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C52CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[3108] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00F12F20] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[3108] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00F12C90] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[3108] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00F12CF0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[3108] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00F12CC0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A5C91F8

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)

Device \FileSystem\Fastfat \FatCdrom 89EF9500
Device \FileSystem\Udfs \UdfsCdRom 89DF1500
Device \FileSystem\Udfs \UdfsDisk 89DF1500

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbohci \Device\USBPDO-0 8A4621F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A5CD1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A5CD1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A5CD1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A5CD1F8
Device \Driver\usbohci \Device\USBPDO-1 8A4621F8
Device \Driver\usbehci \Device\USBPDO-2 8A0B11F8

AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5611F8
Device \Driver\Cdrom \Device\CdRom0 89F082F0
Device \Driver\Cdrom \Device\CdRom1 89F082F0
Device \Driver\NetBT \Device\NetBt_Wins_Export 89DF0500
Device \Driver\NetBT \Device\NetbiosSmb 89DF0500
Device \Driver\NetBT \Device\NetBT_Tcpip_{3F3499BC-8F22-4E9F-9AEA-0E3BCE51622F} 89DF0500
Device \Driver\nvatabus \Device\00000088 8A5CB1F8

AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\nvatabus \Device\00000089 8A5CB1F8

AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbohci \Device\USBFDO-0 8A4621F8
Device \Driver\usbohci \Device\USBFDO-1 8A4621F8
Device \Driver\nvatabus \Device\NvAta0 8A5CB1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89E04500
Device \Driver\usbehci \Device\USBFDO-2 8A0B11F8
Device 89E04500
Device \Driver\Ftdisk \Device\FtControl 8A5611F8
Device \Driver\si3112 \Device\Scsi\si31121 8A5CC1F8
Device \Driver\si3112 \Device\Scsi\si31121Port0Path0Target0Lun0 8A5CC1F8
Device \Driver\iteraid \Device\Scsi\iteraid1 8A55F1F8
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice 8A5CA1F8
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Process C:\DOCUME~1\Paul\LOCALS~1\temp\OnlineScanner\Anti-Virus\fssm32.exe (*** hidden *** ) 2852

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E0368807-AA97-33CD-6B5C-A0C265BA8FDD}

---- EOF - GMER 1.0.15 ----



-----------------------------------------------------------------------------------------------------------------------
HIJACKTHIS LOG
-----------------------------------------------------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:09:16 AM, on 18/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\ALuNotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Paul\Desktop\gmer\gmer.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [osCheck] C:\Program Files\Norton SystemWorks Basic Edition\osCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKLM\..\Policies\Explorer\Run: []

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: CabBuilder - http://kiw.imgag.com...llerControl.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202181052359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202205639765
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.ado...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F3499BC-8F22-4E9F-9AEA-0E3BCE51622F}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A72CD22-17AD-48AD-AEAE-DAB334EECFA5}: NameServer = 203.12.106.35,203.12.106.36
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: Office Source Engine (ose) - Unknown owner - F:\ceedo\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 14888 bytes


so... what now then boss?

Edited by paulneedshelp, 17 March 2009 - 10:10 AM.

[Rocket Grannie]

Hello paulneedshelp

You’re a stubbie short of a six pack, you know that?

The good news is you do not have the Backdoor that is on your sister's computer.

oh, one question, should I run each of those scans on my parents computer?

Yes. If you want to run them now, that’s fine.

I wont post the MBAM log as it finished having found nothing at all.

That’s great!

Now, let's get rid of the virus on your computer.

Please print out these instructions, or copy them to a Notepad file. It will make it easier for you to follow the instructions and complete all of the necessary steps.

I see you have Viewpoint Manager installed.

Viewpoint Manager is considered as foistware instead of malware since it is installed without users approval. It is known to be intrusive, but there is some possibility that it is now being used by those companies to give them information about your habits. I suggest you remove it.

Go to Start -> Control Panel, double-click on Add or Remove Programs
Search the list, and uninstall the following programs by clicking the Remove or Change/Remove button.

• Viewpoint
• Viewpoint Manager
• Viewpoint Media Player
• Viewpoint Toolbar

Locate and delete this folder using Windows Explorer.(if present.)

C:\Program Files\Viewpoint<<<this folder.

Please reboot the computer.

Download the latest version of Kaspersky Virus Removal Tool

• Close all other applications and double-click and run the installer.
• When AVPTool starts, select all the scanable items except for CD-ROM drives.
• After that click on Security level (1) then choose Customize (2) then click on the tab that says Heuristic Analyzer (3) then choose Enable deep rootkit search (4) and then choose OK.
  
• Then choose OK again to go back to the main screen and click the Scan button.
• If malware is detected, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
• After the scan finishes, if any threat remains in the Scan window (Red exclamation point), click the Neutralize all button
• In the window that opens, place a checkmark in the Apply to all box, and click the Delete button (or Disinfect if the button is active).
• If advised that a special disinfection procedure is required which demands system reboot: click the Ok button to close the window.
• In the Scan window click the Reports button and select Save to file.
• Name the report AVPT.txt, and save it to the Desktop.
• Close AVPTool.
• You will be prompted if you want to uninstall the program; click Yes.
• You will then be prompted that to complete the uninstallation, the computer must be restarted. Select Yes to restart the system.
• Copy and paste the first part of the report (Detected) that you saved in your next reply. Do not include the longer list marked Events.

Please Open HijackThis.
Click Do a system scan only button, then place a check against each of the following:

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O4 - HKLM\..\Policies\Explorer\Run: []
O4 - HKUS\S-1-5-19\..\RunOnce: [] (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [] (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [] (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Then, close all other open windows, leaving only HijackThis open, and select Fix checked.
Close HijackThis.

Please reboot the computer.

Please post:

Kaspersky report
A fresh HJT log.


Rocket Grannie

[Bazareth]

Hey RG,
I uninstalled Viewpoint, I didnt install that, so where did/does it come from?
I am running the Kaspersky scanner, is it normal that is says its going to take about 8 hours to scan?

Paul

P.S I like to think im the missing stuby, but I think thats a good thing!

[Rocket Grannie]

Hello paulneedshelp

is it normal that is says its going to take about 8 hours to scan?

Yep. It is checking everything.


Rocket Grannie

[Bazareth]

ok, Kaspersky found nothing at all, it did come up at one point and tell me a file had a password so could not be scanned, it was a .dll file that appeared to be random numbers, however it did not tell me the file name in the report log.

I did as you asked with hijackthis, however i noticed after the re start all those things i ticked were still in the hijack this log...

here is the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:45:54 PM, on 18/03/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Paul\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - (no file)
O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - (no file)
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [osCheck] C:\Program Files\Norton SystemWorks Basic Edition\osCheck.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: CabBuilder - http://kiw.imgag.com...llerControl.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202181052359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202205639765
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.ado...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F3499BC-8F22-4E9F-9AEA-0E3BCE51622F}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A72CD22-17AD-48AD-AEAE-DAB334EECFA5}: NameServer = 203.12.106.35,203.12.106.36
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: Office Source Engine (ose) - Unknown owner - F:\ceedo\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 14647 bytes

[Rocket Grannie]

Hello paulneedshelp

Well done! Your logs appear to be clean.

i noticed after the re start all those things i ticked were still in the hijack this log...

Not quite all.
The 02 entries are just leftovers. They have no file. Please checkmark them again just to be tidy.
The malware 04 entries are gone.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.


Download and save to your Desktop the latest version of the Java Runtime Environment (JRE) from here.

Please download JavaRa and unzip it to your Desktop.

***Please close any instances of Internet Explorer before continuing!***


* Double-click on JavaRa.exe to start the program.
* From the drop-down menu, choose English and click on Select.
* JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
* Click Yes when prompted.
* When JavaRa is finished, a notice will appear that a logfile has been produced. Click OK.
* A logfile will pop up. Please save it to a convenient location.

Finally, reboot the computer, then install the Java you downloaded earlier.

I suggest you reset System Restore to make sure there are no infected files found in a restore point that was created earlier.

To Reset System Restore Points

• Click Start->Programs->Accessories->System Tools, click System Restore
• Check Create a restore point
• Click Next, then name the Restore Point
• Click Create
• When the confirmation screen shows the restore point has been created, click Close
  
• Click Start->Programs->Accessories->System Tools, click Disk Cleanup

Disk Cleanup will open and begin to calculate the amount of space that can be freed.
Once that is finished it will open the Disk Cleanup options screen.
Click the More Options tab, then click Clean up on the System Restore area and choose Yes at the confirmation window which will remove all previous restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files.
Click OK then choose Yes on the confirmation window.

Please delete the Gmer folder.

You can run Ad-Aware and SpyBot together.

Please post you parents’ logs.


Rocket Grannie

[Bazareth]

Great! one computer down. ok....
the logs for spybot(i know you dont need it, but just so you know what it removed), MBAM, F-Secure Hijackthis and GMER.

----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Spybot (just the fixes from the log)
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

--- Report generated: 2009-03-17 10:17 ---

DoubleClick: Tracking cookie (Internet Explorer: Mum and Dad) (Cookie, fixed)


DoubleClick: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


DoubleClick: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


WebTrends live: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


HitsLink: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


CasaleMedia: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


HitBox: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


Zedo: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


LinkSynergy: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


LinkSynergy: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


Statcounter: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


FastClick: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)


MediaPlex: Tracking cookie (Firefox: Mum and Dad (default)) (Cookie, fixed)




-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
MBAM LOG
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Malwarebytes' Anti-Malware 1.34
Database version: 1856
Windows 5.1.2600 Service Pack 3

3/17/2009 1:51:49 PM
mbam-log-2009-03-17 (13-51-49).txt

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 317597
Time elapsed: 1 hour(s), 38 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\All Users\Documents\STORAGE\Rebecca's pics\SmileyCentralPFSetup2.2.60.11-2.ZNfox000.exe (Adware.MyWeb) -> Quarantined and deleted successfully.
E:\Documents and Settings\All Users\Documents\Paul's Back up Files\Burn\Paul's Stuff\Soreted\Paul's Downloads\Sony Vegas\DVD Architect 4.0.125\Sony DVD Architect v4.0 Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
E:\Documents and Settings\All Users\Documents\Paul's Back up Files\Burn\Paul's Stuff\Soreted\Paul's Downloads\Sony Vegas\Vegas 7.0a\Sony Vegas v7.0a Keygen.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
E:\Documents and Settings\All Users\Documents\STORAGE\Beck's private stuff\SmileyCentralPFSetup2.2.60.11-2.ZNfox000.exe (Adware.MyWeb) -> Quarantined and deleted successfully.
E:\RECYCLER\NPROTECT\00000038.exe (Trojan.Downloader) -> Quarantined and deleted successfully.


--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
F-SECURE Log
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Scanning Report
Wednesday, March 18, 2009 17:50:39 - 18:36:46

Computer name: OFFICE
Scanning type: Scan system for malware, rootkits
Target: C:\ E:\
Result: 2 malware found
TrackingCookie.2o7 (spyware)

* System

TrackingCookie.Questionmarket (spyware)

* System

Statistics
Scanned:

* Files: 49697
* System: 3790
* Not scanned: 10

Actions:

* Disinfected: 0
* Renamed: 0
* Deleted: 0
* None: 2
* Submitted: 0

Files not scanned:

* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SYSTEM32\CONFIG\SAM
* C:\WINDOWS\SYSTEM32\CONFIG\SECURITY
* C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE
* C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_AVPAPP_{BB639333-810A-4BF8-85F5-C537857F55FC}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_ISDATAPR_{E8EFD4CD-DE52-4444-9511-EFF3B158724B}0
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NORTON\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NORTON\COMMON CLIENT\_LCK\_ISDATAPR_{FF9AC67A-E394-46AE-B150-B3365343F166}G
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\LAVASOFT\AD-AWARE\MINIMESSAGE\2

Options
Scanning engines:

* F-Secure USS: 3.0.0
* F-Secure Blacklight: 0.0.0
* F-Secure Hydra: 3.8.9080, 2009-03-18
* F-Secure Pegasus: 1.20.0, 1970-00-01
* F-Secure AVP: 7.0.171, 2009-03-17

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX ANI AVB BAT CMD JOB LSP MAP MHT MIF PHP POT SWF WMF NWS TAR
* Use Advanced heuristics



----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
HIJACKTHIS LOG
-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:27:52 AM, on 3/19/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Norton SystemWorks Basic Edition\NswUiTray.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\TomTom HOME 2\HOMERunner.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\ATKKBService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\IoctlSvc.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Mum and Dad\Desktop\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.live.com/sphome.aspx
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\IPSBHO.DLL
O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\System32\igfxpers.exe
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ASUSGamerOSD] C:\Program Files\ASUS\GamerOSD\GamerOSD.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [NSWosCheck] "C:\Program Files\Norton SystemWorks Basic Edition\osCheck.exe"
O4 - HKLM\..\Run: [NswUiTray] C:\Program Files\Norton SystemWorks Basic Edition\NswUiTray.exe
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA} (Java Plug-in 1.6.0_11) -
O17 - HKLM\System\CCS\Services\Tcpip\..\{9F210D84-2294-4B63-A7A5-9B81B0A831E2}: NameServer = 203.12.160.35,203.12.160.36
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\coIEPlg.dll
O23 - Service: ATK Keyboard Service (ATKKeyboardService) - ASUSTeK COMPUTER INC. - C:\WINDOWS\ATKKBService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.2.0.7\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe

--
End of file - 9407 bytes





_____________________________________
and the GMER LOG
_____________________________________

GMER 1.0.15.14939 - http://www.gmer.net
Rootkit scan 2009-03-19 11:18:09
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

SSDT 8A5A3D88 ZwAlertResumeThread
SSDT 8A2C9E50 ZwAlertThread
SSDT 8A2C9B60 ZwAllocateVirtualMemory
SSDT 8A4A3098 ZwAssignProcessToJobObject
SSDT 8A6F0C00 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB55D8020]
SSDT 8A5871C0 ZwCreateMutant
SSDT 8A5C4FC0 ZwCreateSymbolicLinkObject
SSDT 8A32EE98 ZwCreateThread
SSDT 8A3FF098 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB55D82A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB55D8800]
SSDT 8A2CB3B0 ZwDuplicateObject
SSDT 8A525990 ZwFreeVirtualMemory
SSDT 8A5F6098 ZwImpersonateAnonymousToken
SSDT 8A60A530 ZwImpersonateThread
SSDT 8A6A8C40 ZwLoadDriver
SSDT 8A5257B0 ZwMapViewOfSection
SSDT 8A682A70 ZwOpenEvent
SSDT 8A524E80 ZwOpenProcess
SSDT 8A52B408 ZwOpenProcessToken
SSDT 8A555A98 ZwOpenSection
SSDT 8A50BA90 ZwOpenThread
SSDT 8A361D80 ZwProtectVirtualMemory
SSDT 8A414ED0 ZwResumeThread
SSDT 8A539ED0 ZwSetContextThread
SSDT 8A4C5788 ZwSetInformationProcess
SSDT 8A3DA098 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB55D8A50]
SSDT 8A65B580 ZwSuspendProcess
SSDT 8A54F820 ZwSuspendThread
SSDT 8A6879F8 ZwTerminateProcess
SSDT 8A2CB8A0 ZwTerminateThread
SSDT 8A53AD38 ZwUnmapViewOfSection
SSDT 8A5CF758 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C94 80504530 2 Bytes [C0, 4F]
.text ntkrnlpa.exe!ZwCallbackReturn + 2C97 80504533 5 Bytes [8A, 98, EE, 32, 8A]
.text ntkrnlpa.exe!ZwCallbackReturn + 2D28 805045C4 2 Bytes [98, 60] {CWDE ; PUSHA }
? SYMEFA.SYS The system cannot find the file specified. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.EXE[252] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C72F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[252] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C72CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[252] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C72D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[252] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C72CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Mum and Dad\Desktop\gmer\gmer.exe[664] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003B2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Mum and Dad\Desktop\gmer\gmer.exe[664] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003B2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Mum and Dad\Desktop\gmer\gmer.exe[664] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003B2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Mum and Dad\Desktop\gmer\gmer.exe[664] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003B2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[900] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01F52F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[900] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01F52CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[900] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01F52D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Logitech\QuickCam\Quickcam.exe[900] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01F52CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2492] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [003E2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2492] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [003E2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2492] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [003E2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe[2492] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [003E2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- EOF - GMER 1.0.15 ----

Edited by paulneedshelp, 18 March 2009 - 07:21 PM.

[Rocket Grannie]

Hello paulneedshelp

The good news is your logs appear to be clean.
The infections that were deleted were mostly tracking cookies.

Please Open HijackThis.
Click Do a system scan only button, then place a check against each of the following:

O2 - BHO: (no name) - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - (no file)
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Then, close all other open windows, leaving only HijackThis open, and select Fix checked.
Close HijackThis.

Please reboot the computer.

I suggest you reset System Restore to make sure there are no infected files found in a restore point that was created earlier.

To Reset System Restore Points

• Click Start->Programs->Accessories->System Tools, click System Restore
• Check Create a restore point
• Click Next, then name the Restore Point
• Click Create
• When the confirmation screen shows the restore point has been created, click Close
  
• Click Start->Programs->Accessories->System Tools, click Disk Cleanup

Disk Cleanup will open and begin to calculate the amount of space that can be freed.
Once that is finished it will open the Disk Cleanup options screen.
Click the More Options tab, then click Clean up on the System Restore area and choose Yes at the confirmation window which will remove all previous restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files.
Click OK then choose Yes on the confirmation window.

Please delete the Gmer folder.

Empty the Recycle Bin on all drives/computers.

Please let me know your decision re your sister’s computer?


Rocket Grannie

[Bazareth]

That is fantastic news!

My sisters computer will be reformatted, however that poses me some issues on its own.

the first one is how can I keep some of her data and be sure it is clean/ clean it, so I dont just put the virus on the new computer.

the second issue is my parents seem to have miss placed the cd's for the hardware in the computer, so im not sure where to get the drivers for everthing, although I imagin windows will make most of it run 'ok'.

Thanks you so much for your help.
It is very very much apreciated by me and my family!!

So now to work out how to safely keep some of the stuff on my sisters computer.
It has not been turned on since you gave me the bad news, my sister (who is 13) has been missing it alot! lol.

[Rocket Grannie]

Hello paulneedshelp

how can I keep some of her data and be sure it is clean

To backup all of your important data: documents/photos/movies/songs-----

Copy the files to a CD or DVD disk, then scan the disk with MBAM., Spybot, and Ad-Aware.
Let them fix any infections found, then rescan.
This scan should be clean.

Warning: Do NOT backup any applications/installers or any .exe/.html/.htm/.scr/.zip/.rar files.
These files may be infected, and would only lead to your computer being reinfected at a later date.

Instructions how to format and reinstall Windows can be found here

so im not sure where to get the drivers for everthing, although I imagin windows will make most of it run 'ok'.

Go to Start --> Run, and type the following command:

DXDiag

Press Enter.

This will show you the manufacturer’s name for your devices.

Thanks you so much for your help.
It is very very much apreciated by me and my family!!

You are welcome.

Please let me know how it goes.
I will leave this topic open.


Rocket Grannie

[Bazareth]

I have a few very full days ahead, so it may be a week before i get the time.
If you want to close the topic off, to close lose ends please do so, I will ask for it reopened if something arises.
I'll give you a quick message once im done if the thread has been closed.

(my other issue is getting my sister to sort out what she wants, you know how 13yo can be with chore like things!)

Again thank you very much.
Perhaps you will be seeing more of me in the future on the forum, but in a more positive way :-)

thanks you again.
Paul

[Rocket Grannie]

Hello paulneedshelp

As I said, I'll leave this topic open in case you need any help.


Rocket Grannie

[Bazareth]

Just letting you know I have not abandonned you, my sister is still sorting through all her 'junk', that she wants to keep.

cheers
Paul

[Rocket Grannie]

Just remember:
Do NOT backup any applications/installers or any .exe/.html/.htm/.scr/.zip/.rar files.


Rocket Grannie

[Bazareth]

Hey RG,
I just did a scan with f-secure on my computer, Just as a routine thing, and it seems we never removed the virus it found...

Result: 1 malware found
W32/Horst.gen33 (virus)
C:\PROGRAM FILES\IRIVER\IRIVER PLUS 3\JOCOMMLIB.DLL (Submitted)

This was found again in my scan, and I realized it submitted it, but did not remove it, and the scanners we used after this never detected it at all...

[Rocket Grannie]

Hello paulneedshelp

Locate and delete the following file using Windows Explorer.

C:\PROGRAM FILES\IRIVER\IRIVER PLUS 3\JOCOMMLIB.DLL<<<this file

In Internet Explorer, please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.

• The program will install and then begin downloading the latest definition files.
• After the files have been downloaded on the left side of the page in the Scan section select My Computer.
• This will start the program and scan your system.
• The scan will take a while, so be patient and let it run.
• Once the scan is complete, click on View scan report
• Now, click on the Save Report as button.
• In the drop down box labeled Files of type change the type to Text file.
• Save the file to your Desktop.
• Copy and Paste that information in your next post.

To optimize scanning time and produce a more sensible report for review:

• Close any open programs.
• Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.

Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.



Rocket Grannie

[Bazareth]

I deleted the file, and scanned with kaspersky, it found nothing again.
so is that that, just needed to delete it. nice and easy :-)

[Rocket Grannie]

Yep.

[Bazareth]

I'm All done! Finished Re-installing my sisters computer, using your instructions for a clean format and re install.
Found all the drivers with no worries on the INTERNET and she is up and running, with Norton, spy-bot and ad-aware installed.
Hopefully she does not go getting anything like that again!

Thanks you very very very much RG!!!
You have been a fantastic help, as per usual.

Thanks again
Paul

[Rocket Grannie]

You are welcome


Since this issue appears resolved ... this Topic is closed.

[Reopened]

Everyone else please begin a New Topic.

[cnm]

Reopened at request of topic owner.

[Bazareth]

Ok, Thought it was all good, and then this popped up.
I ran a scan in Kaspersky online scanner, that found nothing
here is my HijackThis log, and MBAM log

MBAM
Malwarebytes' Anti-Malware 1.35
Database version: 1932
Windows 5.1.2600 Service Pack 3

2/04/2009 11:05:34 PM
mbam-log-2009-04-02 (23-05-34).txt

Scan type: Quick Scan
Objects scanned: 77762
Time elapsed: 8 minute(s), 51 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 9
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{08165ea0-e946-11cf-9c87-00aa005127ed} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7d559c10-9fe9-11d0-93f7-00aa0059ce02} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{7fc0b86e-5fa7-11d1-bc7c-00c04fd929db} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{abbe31d0-6dae-11d0-beca-00c04fd940be} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f5175861-2688-11d0-9c5e-00aa00a45957} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{d8bd2030-6fc9-11d0-864f-00aa006809d9} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e3a8bde6-abce-11d0-bc4b-00c04fd929db} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e6cc6978-6b6e-11d0-beca-00c04fd940be} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e8bb6dc0-6b4e-11d0-92db-00a0c90c2bd7} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{08165ea0-e946-11cf-9c87-00aa005127ed} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7d559c10-9fe9-11d0-93f7-00aa0059ce02} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7fc0b86e-5fa7-11d1-bc7c-00c04fd929db} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{abbe31d0-6dae-11d0-beca-00c04fd940be} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{f5175861-2688-11d0-9c5e-00aa00a45957} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{d8bd2030-6fc9-11d0-864f-00aa006809d9} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{e3a8bde6-abce-11d0-bc4b-00c04fd929db} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{e6cc6978-6b6e-11d0-beca-00c04fd940be} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{e8bb6dc0-6b4e-11d0-92db-00a0c90c2bd7} (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


HijackThis Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:45:21 AM, on 3/04/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\IoctlSvc.exe
C:\Program Files\Seagate\Sync\SeaSyncServices.exe
C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Documents and Settings\Paul\Desktop\Helper.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Link Helper - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\IPSBHO.DLL
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O4 - HKLM\..\Run: [USIUDF_Eject_Monitor] C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [StxTrayMenu] "C:\Program Files\Seagate\SystemTray\StxMenuMgr.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [osCheck] C:\Program Files\Norton SystemWorks Basic Edition\osCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LogitechDesktopMessenger.exe
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: CabBuilder - http://kiw.imgag.com...llerControl.cab
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebo...toUploader5.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace....ploader1006.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} - http://gfx1.hotmail....es/MSNPUpld.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitd...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1202181052359
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.mi...b?1202205639765
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} - http://wwwimages.ado...obat/nos/gp.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F3499BC-8F22-4E9F-9AEA-0E3BCE51622F}: NameServer = 203.12.160.35,203.12.160.36
O17 - HKLM\System\CCS\Services\Tcpip\..\{7A72CD22-17AD-48AD-AEAE-DAB334EECFA5}: NameServer = 203.12.106.35,203.12.106.36
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\coIEPlg.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: getPlus® Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
O23 - Service: License Management Service ESD - element5 - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Engine\16.5.0.134\ccSvcHst.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\NPROTECT.EXE
O23 - Service: Office Source Engine (ose) - Unknown owner - F:\ceedo\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE (file missing)
O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe
O23 - Service: Seagate Sync Service - Seagate Technology LLC - C:\Program Files\Seagate\Sync\SeaSyncServices.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~3\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 14245 bytes

[Rocket Grannie]

Hello Bazareth

I ran a scan in Kaspersky online scanner, that found nothing

Your logs appear to be clean.

If you don't have any other issues, you are set to go.


Rocket Grannie

[Bazareth]

Well no more issues have come up,
so I guess we can close the scar back up.

thanks again RG
Baz

[Rocket Grannie]

Since the issue appears to be resolved this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.