Nasty Virtumonde/installer Attack, Help

I went step by step through your process and managed to complete everything with two exceptions: the Spybot S&D scan was incomplete, but then it launched on re-boot and I let it run for about 6 hours yesterday to completion. Panda buttons simply don't work for me at this time. :doh:

Note: Scroll to bottom for HJT log. Above that are logs from Ad-Aware, Kaspersky and BitDefender, also attached.

I have Norton Antivirus installed and am thinking I may get AVG and uninstall Norton until I use it again on my next system wipe. This is because I think it may be affected by the virus.

Names of viruses, objects, messages found throughout this process:
  • downloader (over and over)
  • c:\docum...temporaryinternetfiles\caxoq9Lr.htlm
  • malwarewipe
  • ____________from standard spybot scan_____________
  • virtumonde.dll (10 entries, failed to remove)
  • virtumonde (fixed)
  • "microsoft WindowsSecurityCenter_disabled" (fixed)
  • ___________from spybot pre-boot scan______________
  • hitbox
  • virtumonde.dll
  • many, many 'changes to registry' requests, I denied them all, one of them involved rundll32exe
  • ___________also_________________________________
  • evil site: http://scanner2.malware_scan/5_swp/?az=l&ed=z&tmn=mi;;&rff=http://www.down1
  • win32error (apparently making components of Norton and Spybot unrecognizable to Windows, such as upon install of Spybot)
  • "Not a valid win32 application"
  • error loading c:\windows\system32\vqtylyur.dll upon start up
  • error loading c:\windows\system32\xwdyjque.dll
  • a pop-up window called, what was it? trusted virusware, or something :rolleyes: that quickly throws up a second window that even shows a loading bar until I get there to close it.
  • Another pop-up window with an okay button that tells me to protect my computer with their software, obviously from the bad guys.
In the end, I am under siege. When I am not killing pop-ups or deleting quarantined items such as 'installer' from Norton, I am often maxing out my CPU processing power on idle. The CPU at such times tells me the power is being used by explorer. I've manually closed it times to continue my online scan or what not. Other times it is quieter, but I keep getting.

Not sure what else to add. Please let me know if there is any more info you require.

Your "steps to take" post alone has been invaluable. Thank you, thank you. And thanks in advance for any help you can provide to get me back to health. May the gods smile on you, your doings and all for whom you care. :respect:

Best,

Fidardorist

Adaware Log
Scan mode: Full
Scan time: 01:57:48
Number of objects scanned: 261557
Number of infections found: 7
Critical: 0
Privacy Objects: 7
Infections deleted: 0
Total infections quarantined: 0
Total infections ignored by scanner: 0


KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 06, 2008 2:53:10 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/05/2008
Kaspersky Anti-Virus database records: 742676
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
E:\
Scan Statistics:
Total number of scanned objects: 115014
Number of viruses found: 10
Number of infected objects: 32
Number of suspicious objects: 0
Duration of the scan process: 02:12:44
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output\Robert Davey\~Running.ping Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-05-06_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Robert Davey\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Robert Davey\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Robert Davey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Robert Davey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Robert Davey\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robert Davey\Local Settings\History\History.IE5\MSHist012008050620080507\index.dat Object is locked skipped
C:\Documents and Settings\Robert Davey\Local Settings\Temp\twmfmxke.dll Infected: Trojan.Win32.Monder.db skipped
C:\Documents and Settings\Robert Davey\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Robert Davey\Local Settings\Temporary Internet Files\Content.IE5\S6O6IV6Y\kriv[1] Infected: Trojan.Win32.Monder.db skipped
C:\Documents and Settings\Robert Davey\My Documents\Downloads\Paradox Photoshop CS2 Keygen.zip/paradox photoshop cs2.exe Infected: Backdoor.Win32.Poison.ac skipped
C:\Documents and Settings\Robert Davey\My Documents\Downloads\Paradox Photoshop CS2 Keygen.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Robert Davey\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Robert Davey\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0338NAV~.TMP Object is locked skipped
C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0655NAV~.TMP Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP132\A0048149.sys Infected: Rootkit.Win32.Agent.aii skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP133\A0048179.exe Infected: not-a-virus:AdWare.Win32.AdBand.y skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048228.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.y skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048228.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.y skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048228.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048230.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048230.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048266.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.y skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048266.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.y skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048266.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048266.exe CryptFF: infected - 2 skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048270.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048270.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048270.exe CryptFF: infected - 1 skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048272.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.423 skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048272.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048272.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048272.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048272.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048272.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048272.exe CryptFF: infected - 5 skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048289.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048289.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048289.exe CryptFF: infected - 1 skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP135\A0050333.exe Infected: Trojan-Downloader.Win32.Small.ved skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP135\A0050336.dll Infected: Trojan.Win32.Monder.da skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP135\A0050340.dll Infected: Trojan.Win32.Monder.cz skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP135\A0050341.dll Infected: Trojan.Win32.Monder.db skipped
C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP137\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Conexant D110 MDC V.9x Modem.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3CA52EFC-31DF-4F4A-9DFF-E334756C980E}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

Bitdefender Log

(trouble opening)

Hijack This Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:10:36 PM, on 5/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Norton Internet Security\ISSVC.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
c:\winself.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://bfc.myway.com/search/de_srchlft.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://e/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [d0b12059] rundll32.exe "C:\WINDOWS\system32\xwdyjqve.dll",b
O4 - HKLM\..\Run: [BMd38213c5] Rundll32.exe "C:\WINDOWS\system32\vqtylyur.dll",s
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - c:\winself.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 12437 bytes
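As an added example (not part of the original post, the helper's reply, or any of the tools named), the by-eye triage a helper does over O4 and O23 lines like the ones in the log above, written as a small Python script; its sample lines, heuristics and thresholds are constructed assumptions, not HijackThis behaviour.

```python
"""Triage HijackThis log lines for Virtumonde-style indicators.

Added example, not part of the original thread or of HijackThis itself.
The heuristics are assumptions chosen to match what the log above shows:
O4 Run entries that load a DLL out of system32 via rundll32 with a
random-looking name, a hash-like value name and a one-letter export, and
O23 services with 'Unknown owner' whose binary sits in a drive root or
outside Program Files / Windows.
"""
import ntpath
import re

# Constructed sample in the shape of the log above: two vendor entries that
# should pass, two suspect O4 loaders and one suspect O23 service.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [d0b12059] rundll32.exe "C:\WINDOWS\system32\xwdyjqve.dll",b
O4 - HKLM\..\Run: [BMd38213c5] Rundll32.exe "C:\WINDOWS\system32\vqtylyur.dll",s
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: MsSecurity Updated (MsSecurity1.209.4) - Unknown owner - c:\winself.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S*)$', re.I)

# Assumed "trusted" trees; anything else with no vendor string gets a closer look.
TRUSTED_PREFIXES = ("c:\\program files\\", "c:\\windows\\")


def looks_random(stem: str) -> bool:
    """Assumed heuristic: 6-10 letters with at most two vowels (as in
    xwdyjqve / vqtylyur) is treated as a generated file name."""
    s = stem.lower()
    if not (6 <= len(s) <= 10 and s.isalpha()):
        return False
    return sum(c in "aeiou" for c in s) <= 2


def triage_o4(line: str):
    """Score an O4 Run line; flag it when two or more indicators line up."""
    m = O4_RE.match(line)
    if not m:
        return None
    r = RUNDLL_RE.match(m.group("cmd").strip())
    if not r:
        return None  # only rundll32-style loaders are scored here
    dll, export = r.group("dll"), r.group("export")
    stem = ntpath.splitext(ntpath.basename(dll))[0]
    reasons = []
    if "\\system32\\" in dll.lower() and looks_random(stem):
        reasons.append(f"random-looking DLL name {stem!r} in system32")
    if len(export) <= 1:
        reasons.append(f"one-letter export {export!r}")
    if re.search(r"\d", m.group("name")):
        reasons.append(f"hash-like Run value name {m.group('name')!r}")
    if len(reasons) < 2:
        return None
    return {"kind": "O4", "target": dll, "reasons": reasons, "line": line}


def triage_o23(line: str):
    """Flag services with no vendor string that live outside trusted trees."""
    m = O23_RE.match(line)
    if not m:
        return None
    path = m.group("path").strip()
    low = path.lower()
    reasons = []
    if m.group("owner").strip().lower() == "unknown owner":
        reasons.append("no vendor string")
    if not low.startswith(TRUSTED_PREFIXES):
        reasons.append("binary outside Program Files / Windows")
    if ntpath.dirname(low).rstrip("\\").endswith(":"):
        reasons.append("binary in drive root")
    if "no vendor string" not in reasons or len(reasons) < 2:
        return None
    return {"kind": "O23", "target": path, "reasons": reasons, "line": line}


def triage(log_text: str):
    """Run both checks over every line and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        hit = triage_o4(line) or triage_o23(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['kind']}  {f['target']}")
        for why in f["reasons"]:
            print(f"    - {why}")
```

The three flagged lines correspond to the two rundll32 loaders and the winself.exe service in the log above; the vendor entries pass because at most one indicator fires for them.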

Comments

  • gringo_pr Puerto Rico
    edited May 2008
    Hello Fidardorist

    :SDFix:
    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)


    Boot into Safe Mode

    Reboot your computer in Safe Mode.
    • If the computer is running, shut down Windows, and then turn off the power.
    • Wait 30 seconds, and then turn the computer on.
    • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
    • Ensure that the Safe Mode option is selected.
    • Press Enter. The computer then begins to start in Safe mode.
    • Login on your usual account.

    :Run SDFix:
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

    :run combofix:
      Please visit this webpage for download links, and instructions for running the tool:
    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    Please ensure you read this guide carefully and install the Recovery Console first.

    The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode.
    This allows us to more easily help you should your computer have a problem after an attempted removal of malware.
    It is a simple procedure that will only take a few moments of your time.


    Once installed, you should see a blue screen prompt that says:
      The Recovery Console was successfully installed.

      Please continue as follows:
      • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
      • Click Yes to allow ComboFix to continue scanning for malware.

      When the tool is finished, it will produce a report for you.

      Please include the report in your next post:

      C:\ComboFix.txt


      :uninstall list:
        Make an uninstall list using HijackThis. To access the Uninstall Manager, do the following:
      1. Start HijackThis
      2. Click on the Config button
      3. Click on the Misc Tools button
      4. Click on the Open Uninstall Manager button.
      5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a Notepad window will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.


      :information and logs:

        In your next post I need the following:
        1. log from SDFix
        2. log from ComboFix
        3. uninstall list
        4. new log from HijackThis


      Gringo
    • edited May 2008
      Sorry for the delay. Let me say thank you very, very much for your help. Not sure how you become aware of my delayed reply, so I may try to contact you via email.

      Followed your instructions to the letter and have included:
      1. log from SDfix (attached)
      2. log from combo fix (attached)
      3. uninstall list (pasted below)
      4. new log from hijack this (attached)

      Ad-Aware 2007
      Adobe Acrobat - Reader 6.0.2 Update
      Adobe Bridge 1.0
      Adobe Common File Installer
      Adobe Flash Player ActiveX
      Adobe Help Center 2.0
      Adobe Photoshop CS2
      Adobe Photoshop Elements 4.0
      Adobe Reader 6.0.1
      Adobe Stock Photos 1.0
      ALPS Touch Pad Driver
      America Online (Choose which version to remove)
      AOL Coach Version 1.0(Build:20040229.1 en)
      AOL Connectivity Services
      AOLIcon
      Apple Mobile Device Support
      Apple Software Update
      Bonjour
      Broadcom Management Programs 2
      CC_ccProxyExt
      ccCommon
      ccPxyCore
      Conexant D110 MDC V.9x Modem
      Dell Picture Studio v3.0
      Dell Support 5.0.0 (630)
      Digital Line Detect
      EarthLink setup files
      eFax Messenger 4.3
      ESPNMotion
      FEAR
      FEAR Extraction Point
      GemMaster Mystic
      Get High Speed Internet!
      HijackThis 2.0.2
      Hotfix for Windows Media Format 11 SDK (KB929399)
      Hotfix for Windows Media Player 10 (KB903157)
      Hotfix for Windows Media Player 11 (KB939683)
      Hotfix for Windows XP (KB888795)
      Hotfix for Windows XP (KB891593)
      Hotfix for Windows XP (KB895961)
      Hotfix for Windows XP (KB899337)
      Hotfix for Windows XP (KB899510)
      Hotfix for Windows XP (KB902841)
      Hotfix for Windows XP (KB926239)
      Intel(R) PROSet/Wireless Software
      Internal Network Card Power Management
      Internet Explorer Default Page
      iTunes
      Java 2 Runtime Environment, SE v1.4.2_03
      Kaspersky Online Scanner
      Learn2 Player (Uninstall Only)
      LiveReg (Symantec Corporation)
      LiveUpdate 3.0 (Symantec Corporation)
      Macromedia Flash Player
      mCore
      mDrWiFi
      mHlpDell
      Microsoft .NET Framework 1.0 Hotfix (KB930494)
      Microsoft .NET Framework 1.1
      Microsoft .NET Framework 1.1
      Microsoft .NET Framework 1.1 Hotfix (KB928366)
      Microsoft Compression Client Pack 1.0 for Windows XP
      Microsoft Office Professional Edition 2003
      Microsoft Plus! Digital Media Edition Installer
      Microsoft Plus! Photo Story 2 LE
      Microsoft Silverlight
      Microsoft User-Mode Driver Framework Feature Pack 1.0
      mIWA
      mIWCA
      mLogView
      mMHouse
      Modem Helper
      mPfMgr
      mPfWiz
      mProSafe
      MSRedist
      mSSO
      MSXML 4.0 SP2 (KB936181)
      mToolkit
      Musicmatch® Jukebox
      mWlsSafe
      mXML
      My Way Search Assistant
      mZConfig
      Netflix Movie Viewer
      NetWaiting
      NetZeroInstallers
      Norton AntiSpam
      Norton AntiSpam
      Norton AntiVirus 2005
      Norton Internet Security
      Norton Internet Security
      Norton Internet Security
      Norton Internet Security
      Norton Internet Security
      Norton Internet Security
      Norton Internet Security
      Norton Internet Security
      Norton Internet Security 2005 (Symantec Corporation)
      Norton Security Center
      Norton WMI Update
      Norton WMI Update
      NVIDIA Drivers
      Otto
      PowerDVD 5.5
      QuickSet
      QuickTime
      RealPlayer Basic
      Safari
      Security Update for Step By Step Interactive Training (KB923723)
      Security Update for Windows Media Player 10 (KB936782)
      Security Update for Windows Media Player 11 (KB936782)
      Security Update for Windows Media Player 6.4 (KB925398)
      Security Update for Windows XP (KB890046)
      Security Update for Windows XP (KB893756)
      Security Update for Windows XP (KB896358)
      Security Update for Windows XP (KB896423)
      Security Update for Windows XP (KB896428)
      Security Update for Windows XP (KB899587)
      Security Update for Windows XP (KB899591)
      Security Update for Windows XP (KB900725)
      Security Update for Windows XP (KB901017)
      Security Update for Windows XP (KB901214)
      Security Update for Windows XP (KB902400)
      Security Update for Windows XP (KB905414)
      Security Update for Windows XP (KB905749)
      Security Update for Windows XP (KB908519)
      Security Update for Windows XP (KB911562)
      Security Update for Windows XP (KB911927)
      Security Update for Windows XP (KB913580)
      Security Update for Windows XP (KB914388)
      Security Update for Windows XP (KB914389)
      Security Update for Windows XP (KB917344)
      Security Update for Windows XP (KB918118)
      Security Update for Windows XP (KB918439)
      Security Update for Windows XP (KB919007)
      Security Update for Windows XP (KB920213)
      Security Update for Windows XP (KB920670)
      Security Update for Windows XP (KB920683)
      Security Update for Windows XP (KB920685)
      Security Update for Windows XP (KB921503)
      Security Update for Windows XP (KB922819)
      Security Update for Windows XP (KB923191)
      Security Update for Windows XP (KB923414)
      Security Update for Windows XP (KB923689)
      Security Update for Windows XP (KB923980)
      Security Update for Windows XP (KB924270)
      Security Update for Windows XP (KB924496)
      Security Update for Windows XP (KB924667)
      Security Update for Windows XP (KB925902)
      Security Update for Windows XP (KB926255)
      Security Update for Windows XP (KB926436)
      Security Update for Windows XP (KB927779)
      Security Update for Windows XP (KB927802)
      Security Update for Windows XP (KB928255)
      Security Update for Windows XP (KB928843)
      Security Update for Windows XP (KB929123)
      Security Update for Windows XP (KB930178)
      Security Update for Windows XP (KB931261)
      Security Update for Windows XP (KB931784)
      Security Update for Windows XP (KB932168)
      Security Update for Windows XP (KB933729)
      Security Update for Windows XP (KB935839)
      Security Update for Windows XP (KB935840)
      Security Update for Windows XP (KB936021)
      Security Update for Windows XP (KB937894)
      Security Update for Windows XP (KB938127)
      Security Update for Windows XP (KB938829)
      Security Update for Windows XP (KB941202)
      Security Update for Windows XP (KB941568)
      Security Update for Windows XP (KB941569)
      Security Update for Windows XP (KB941644)
      Security Update for Windows XP (KB941693)
      Security Update for Windows XP (KB942615)
      Security Update for Windows XP (KB943055)
      Security Update for Windows XP (KB943460)
      Security Update for Windows XP (KB943485)
      Security Update for Windows XP (KB944338)
      Security Update for Windows XP (KB944533)
      Security Update for Windows XP (KB944653)
      Security Update for Windows XP (KB945553)
      Security Update for Windows XP (KB946026)
      Security Update for Windows XP (KB947864)
      Security Update for Windows XP (KB948590)
      Security Update for Windows XP (KB948881)
      Security Update for Windows XP (KB950749)
      Sid Meier's Civilization 4
      Sid Meier's Civilization 4 - Beyond the Sword
      Sonic DLA
      Sonic Encoders
      Sonic MyDVD LE
      Sonic RecordNow Audio
      Sonic RecordNow Copy
      Sonic RecordNow Data
      Sonic Update Manager
      SPBBC
      Spybot - Search & Destroy
      SpywareBlaster 4.0
      Symantec Script Blocking Installer
      SymNet
      The BUG Mod
      ubi.com
      Update for Windows Media Player 10 (KB913800)
      Update for Windows XP (KB894391)
      Update for Windows XP (KB898461)
      Update for Windows XP (KB900485)
      Update for Windows XP (KB908531)
      Update for Windows XP (KB910437)
      Update for Windows XP (KB911280)
      Update for Windows XP (KB916595)
      Update for Windows XP (KB920872)
      Update for Windows XP (KB922582)
      Update for Windows XP (KB927891)
      Update for Windows XP (KB930916)
      Update for Windows XP (KB936357)
      Update for Windows XP (KB938828)
      Update for Windows XP (KB942763)
      Update for Windows XP (KB942840)
      Update for Windows XP (KB946627)
      Update Rollup 2 for Windows XP Media Center Edition 2005
      Viewpoint Media Player
      Windows Installer 3.1 (KB893803)
      Windows Media Format 11 runtime
      Windows Media Format 11 runtime
      Windows Media Player 10
      Windows Media Player 11
      Windows Media Player 11
      Windows XP Hotfix - KB867282
      Windows XP Hotfix - KB885836
      Windows XP Hotfix - KB886185
      Windows XP Hotfix - KB888302
      Windows XP Hotfix - KB890859
      Windows XP Media Center Edition 2005 KB925766
      WordPerfect Office 12

      Anticipating your reply. Things have improved already, but there may still be something lurking...

      Best,

      Fidardorist
    • gringo_pr, Puerto Rico
      edited May 2008
      Hello


      Important: Do not attach any log or other material except as specifically instructed to do so by a helper. Normally, contents of logs should be posted directly into the thread (topic).

      :P2P Warning!:
        IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

        BitTorrent DNA

        Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur.
        Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation.

        I'd like you to read the Guidelines for P2P Programs where we explain why it's not a good idea to have them.

        References for the risk of these programs can be found in these links:
          http://www.microsoft.com/windows/ie/community/columns/protection.mspx
          http://www.techweb.com/wire/160500554
          http://www.internetworldstats.com/articles/art053.htm

          I would recommend that you uninstall BitTorrent DNA; however, that choice is up to you. If you choose to remove these programs, you can do so via Control Panel >> Add or Remove Programs.

          If you wish to keep it, please do not use it until your computer is cleaned.


          :Run CFScript:

          Open Notepad and copy/paste the text in the box into the window:
          KILLALL::

          File::
          C:\WINDOWS\system32\onocwiha.ini
          C:\WINDOWS\system32\ijljostu.exe
          C:\WINDOWS\system32\flaigqek.ini
          C:\WINDOWS\BMd38213c5.xml

          Registry::

          [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4766DA87-A410-4F80-AFBE-8F95502EFFD5}]

          [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3102264-D09D-4322-B625-503FBF18DD7E}]

          [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB10C2DF-7FA3-4621-9873-8465CD44CCB8}]

          [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C462587E-ACC9-4077-B54C-8DD01C2D9345}]

          [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D382265B-332E-4C18-8821-7A20CA6BBC0F}]

          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "d0b12059"=-
          "BMd38213c5"=-

          [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
          "{B3102264-D09D-4322-B625-503FBF18DD7E}"=-

          [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtttqQK]

          [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
          

          Save it to your desktop as CFScript.txt

          Referring to the picture above, drag CFScript.txt into ComboFix.exe.
          This will let ComboFix run again.
          Restart if you have to.
          Save the produced logfile to your desktop.

          Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

          :information and logs:

            In your next post I need the following:
            1. ComboFix log
            2. new HijackThis log


          Gringo
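The CFScript above lists the autostart entries a helper picked out of the logs by eye: browser helper objects with no name that point at random-looking DLLs in system32, HKLM\..\Run values that use rundll32 to load such a DLL through a one-letter export, and a Winlogon Notify package whose DLL is gone. The script below is an added example, not code from this thread, from ComboFix or from HijackThis: it applies those same tells mechanically to HijackThis-style lines and renders the hits in the CFScript syntax used above (File:: for deletions, [-key] to remove a key, "value"=- to remove a value). The sample lines are constructed from the HijackThis log posted later in this thread; the naming heuristics (8 letters, at most one vowel, a long consonant run or capitals mid-word) and the system32 gate are this example's assumptions, not a published signature. It covers the BHO, Run and Winlogon Notify classes only; ShellExecuteHooks and MountPoints2 entries like the ones above are not parsed.

```python
"""Triage HijackThis-style autostart entries for Virtumonde-style tells and
render a ComboFix CFScript (the syntax used in the thread) for the hits.

Added example, not code from the thread or from ComboFix. Heuristics only:
read every line of the generated script before it goes anywhere near a PC."""
import re

# Constructed sample: lines copied from the HijackThis log posted later in
# this thread (CLSIDs, Run value names and DLL names are the thread's own).
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {BB10C2DF-7FA3-4621-9873-8465CD44CCB8} - C:\WINDOWS\system32\wvUkHApp.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [d0b12059] rundll32.exe "C:\WINDOWS\system32\xwdyjqve.dll",b
O4 - HKLM\..\Run: [BMd38213c5] Rundll32.exe "C:\WINDOWS\system32\vqtylyur.dll",s
O20 - Winlogon Notify: awtttqQK - awtttqQK.dll (file missing)
""".strip()

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)', re.I)
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
MISSING = " (file missing)"


def basename(path):
    """Last path component with HijackThis's '(file missing)' marker stripped."""
    return path.replace(MISSING, "").split("\\")[-1]


def looks_random(name):
    """Assumed Virtumonde-style tell: exactly 8 letters with at most one vowel,
    a run of 4+ consonants, or capitals in the middle of the word."""
    stem = name.rsplit(".", 1)[0]
    if len(stem) != 8 or not stem.isalpha():
        return False
    vowels = sum(c in "aeiouAEIOU" for c in stem)
    longest = max((len(r) for r in re.findall(r"[^aeiouAEIOU]+", stem)), default=0)
    return vowels <= 1 or longest >= 4 or any(c.isupper() for c in stem[1:])


def in_system32(path):
    return "\\system32\\" in path.lower()


def triage(log_text):
    """Return (findings, cfscript). findings: list of (line, reason).
    cfscript: ComboFix script text covering the entries judged malicious."""
    findings, files, bho_keys, run_values, notify_keys = [], [], [], {}, []
    for line in log_text.splitlines():
        if m := BHO_RE.match(line):
            name, clsid, path = m.group("name", "clsid", "path")
            if path == "(no file)":
                # Leftover key with no DLL: worth noting, not worth scripting.
                findings.append((line, "orphaned BHO key, nothing on disk (cleanup only)"))
            elif name == "(no name)" and in_system32(path) and looks_random(basename(path)):
                findings.append((line, "unnamed BHO loading a random-named DLL from system32"))
                bho_keys.append(clsid)
                if not path.endswith(MISSING):
                    files.append(path)
        elif m := RUN_RE.match(line):
            r = RUNDLL_RE.match(m["cmd"])
            if r and in_system32(r["dll"]) and (len(r["export"]) <= 1 or looks_random(basename(r["dll"]))):
                findings.append((line, "rundll32 autostart of a random-named system32 DLL"))
                run_values.setdefault(m["hive"], []).append(m["value"])
                files.append(r["dll"])
        elif m := NOTIFY_RE.match(line):
            if m["path"].endswith(MISSING) or looks_random(basename(m["path"])):
                findings.append((line, "Winlogon Notify package with a missing or random-named DLL"))
                notify_keys.append(m["key"])
                if "\\" in m["path"] and not m["path"].endswith(MISSING):
                    files.append(m["path"])
    return findings, build_cfscript(files, bho_keys, run_values, notify_keys)


def build_cfscript(files, bho_keys, run_values, notify_keys):
    """Render the CFScript syntax used in the thread: File:: lists paths to
    delete, [-key] deletes a registry key, "value"=- deletes a value."""
    out = ["KILLALL::", ""]
    if files:
        out += ["File::", *files, ""]
    out.append("Registry::")
    for clsid in bho_keys:
        out.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{clsid}]")
    for hive, values in run_values.items():
        out.append(f"[{HIVES[hive]}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]")
        out += [f'"{v}"=-' for v in values]
    for key in notify_keys:
        out.append(f"[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\{key}]")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    hits, script = triage(SAMPLE_HJT)
    for line, reason in hits:
        print(f"{reason}\n    {line}")
    print("\n--- generated CFScript ---\n" + script)
```

On the sample, the Adobe and Spybot BHOs and the NVIDIA rundll32 entry pass (named, or outside system32, or a real export name), the orphaned MyWay key is reported but left out of the script, and the three Virtumonde entries plus the Winlogon Notify package land in the CFScript. The system32 gate matters: SDHelper.dll is an 8-letter name with a capital mid-word and would trip the name check alone, but it lives under Program Files and carries a proper BHO name.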
        • edited May 2008
          That's funny, though I have used peer to peers before, I hadn't thought that I had installed one since my last system re-install. :confused: It wasn't on my programs list, but I found it under install/uninstall programs. The usage status was "rarely." Needless to say, I got rid of it.

          Here are the two logs, sans attachments.

          Thanks again for your expert assistance and your prompt replies! It's a great relief to have my computer back and on the road to complete health.

          Best,

          Fidardorist



          Hijack This Log

          Logfile of Trend Micro HijackThis v2.0.2
          Scan saved at 11:45:27 AM, on 5/18/2008
          Platform: Windows XP SP2 (WinNT 5.01.2600)
          MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
          Boot mode: Normal
          Running processes:
          C:\WINDOWS\System32\smss.exe
          C:\WINDOWS\system32\winlogon.exe
          C:\WINDOWS\system32\services.exe
          C:\WINDOWS\system32\lsass.exe
          C:\WINDOWS\system32\svchost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
          C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
          C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
          C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
          C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
          C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
          C:\Program Files\Norton Internet Security\ISSVC.exe
          C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
          C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
          C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
          C:\WINDOWS\system32\spoolsv.exe
          C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
          C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
          C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
          C:\Program Files\Bonjour\mDNSResponder.exe
          C:\WINDOWS\eHome\ehRecvr.exe
          C:\WINDOWS\eHome\ehSched.exe
          C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
          C:\WINDOWS\system32\nvsvc32.exe
          C:\WINDOWS\system32\PnkBstrA.exe
          C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
          C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
          C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
          C:\WINDOWS\system32\dllhost.exe
          C:\WINDOWS\System32\svchost.exe
          C:\WINDOWS\ehome\ehtray.exe
          C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
          C:\Program Files\Apoint\Apoint.exe
          C:\WINDOWS\eHome\ehmsas.exe
          C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
          C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
          C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
          C:\Program Files\Real\RealPlayer\RealPlay.exe
          C:\WINDOWS\system32\dla\tfswctrl.exe
          C:\Program Files\Apoint\Apntex.exe
          C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
          C:\Program Files\Common Files\Symantec Shared\ccApp.exe
          C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
          C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe
          C:\Program Files\iTunes\iTunesHelper.exe
          C:\WINDOWS\system32\svchost.exe
          C:\Program Files\Dell Support\DSAgnt.exe
          C:\Program Files\Digital Line Detect\DLG.exe
          C:\Program Files\iPod\bin\iPodService.exe
          C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
          C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
          C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
          C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
          C:\WINDOWS\system32\notepad.exe
          C:\WINDOWS\explorer.exe
          C:\Program Files\Internet Explorer\IEXPLORE.EXE
          C:\Program Files\Messenger\msmsgs.exe
          C:\WINDOWS\system32\wuauclt.exe
          C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
          R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
          R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
          R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://e/
          R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
          R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\1.bin\deSrcAs.dll (file missing)
          O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
          O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
          O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
          O2 - BHO: (no name) - {BB10C2DF-7FA3-4621-9873-8465CD44CCB8} - C:\WINDOWS\system32\wvUkHApp.dll (file missing)
          O2 - BHO: (no name) - {C462587E-ACC9-4077-B54C-8DD01C2D9345} - C:\WINDOWS\system32\qoMcaaxX.dll (file missing)
          O2 - BHO: (no name) - {D382265B-332E-4C18-8821-7A20CA6BBC0F} - C:\WINDOWS\system32\jkkJcDWm.dll (file missing)
          O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
          O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
          O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
          O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
          O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
          O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
          O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
          O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
          O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
          O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
          O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
          O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
          O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
          O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
          O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
          O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
          O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
          O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
          O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
          O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
          O4 - HKLM\..\Run: [d0b12059] rundll32.exe "C:\WINDOWS\system32\xwdyjqve.dll",b
          O4 - HKLM\..\Run: [BMd38213c5] Rundll32.exe "C:\WINDOWS\system32\vqtylyur.dll",s
          O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
          O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
          O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
          O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
          O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
          O4 - Global Startup: Digital Line Detect.lnk = ?
          O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
          O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
          O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
          O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
          O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
          O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
          O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
          O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
          O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
          O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
          O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
          O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
          O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
          O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
          O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
          O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
          O20 - Winlogon Notify: awtttqQK - awtttqQK.dll (file missing)
          O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
          O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
          O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
          O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
          O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
          O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
          O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
          O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
          O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
          O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
          O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
          O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
          O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
          O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
          O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
          O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
          O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
          O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
          O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
          O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
          O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
          O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
          O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
          O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
          O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
          O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
          O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
          --
          End of file - 12733 bytes


          ComboFix

          ComboFix 08-05-09.1 - Robert Davey 2008-05-18 11:31:58.2 - NTFSx86
          Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1446 [GMT -6:00]
          Running from: C:\Documents and Settings\Robert Davey\Desktop\ComboFix.exe
          Command switches used :: C:\Documents and Settings\Robert Davey\Desktop\CFScript.txt
          * Created a new restore point
          WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
          FILE ::
          C:\WINDOWS\BMd38213c5.xml
          C:\WINDOWS\system32\flaigqek.ini
          C:\WINDOWS\system32\ijljostu.exe
          C:\WINDOWS\system32\onocwiha.ini
          .
          ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
          .
          C:\WINDOWS\BMd38213c5.xml
          C:\WINDOWS\system32\flaigqek.ini
          C:\WINDOWS\system32\onocwiha.ini
          .
          ((((((((((((((((((((((((( Files Created from 2008-04-18 to 2008-05-18 )))))))))))))))))))))))))))))))
          .
          2008-05-10 15:16 . 2008-05-10 15:16 <DIR> d-------- C:\WINDOWS\ERUNT
          2008-05-10 14:11 . 2008-05-16 14:49 <DIR> d-------- C:\SDFix
          2008-05-06 15:07 . 2008-05-06 15:07 <DIR> d-------- C:\Program Files\Trend Micro
          2008-05-05 17:40 . 2008-05-05 17:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
          2008-05-05 17:40 . 2008-05-05 17:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
          2008-05-05 17:20 . 2008-05-07 02:11 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
          2008-05-05 17:19 . 2008-05-05 17:33 <DIR> d-------- C:\Program Files\SpywareBlaster
          2008-05-05 17:19 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
          2008-05-05 13:11 . 2008-05-05 13:11 <DIR> d-------- C:\Program Files\Lavasoft
          2008-05-05 13:11 . 2008-05-05 13:11 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
          2008-05-05 13:11 . 2008-05-05 13:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
          2008-05-05 11:58 . 2008-05-05 11:58 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
          2008-05-05 11:58 . 2008-05-05 12:02 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
          2008-05-05 10:37 . 2008-05-05 11:28 <DIR> d-------- C:\WINDOWS\BDOSCAN8
          2008-05-03 17:09 . 2004-08-10 04:00 4,224 --a------ C:\WINDOWS\system32\beep.sys
          .
          (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2008-05-16 19:53 --------- d-----w C:\Program Files\Common Files\Symantec Shared
          2008-05-03 18:20 --------- d-----w C:\Documents and Settings\Robert Davey\Application Data\AdobeUM
          2008-04-28 17:53 --------- d-----w C:\Program Files\Norton Internet Security
          2008-04-27 19:34 --------- d-----w C:\Program Files\Firaxis Games
          2008-04-26 19:55 --------- d-----w C:\Program Files\Telltale Games
          2008-04-26 18:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
          2008-04-26 18:32 --------- d-----w C:\Documents and Settings\Robert Davey\Application Data\My Games
          2008-04-26 18:30 --------- d-----w C:\Program Files\EA GAMES
          2008-04-21 06:43 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
          2008-04-21 06:43 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
          2008-04-13 17:30 --------- d-----w C:\Documents and Settings\Robert Davey\Application Data\Viewpoint
          2008-04-13 06:14 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Xfire
          2008-04-12 14:04 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Xfire
          2008-04-04 22:02 --------- d-----w C:\Documents and Settings\Robert Davey\Application Data\Apple Computer
          2008-04-04 18:43 --------- d-----w C:\Program Files\Safari
          2008-04-04 18:36 --------- d-----w C:\Program Files\iTunes
          2008-04-04 18:35 --------- d-----w C:\Program Files\iPod
          2008-04-04 18:31 --------- d-----w C:\Program Files\QuickTime
          2008-04-03 17:49 --------- d-----w C:\Program Files\Windows Media Connect 2
          2008-04-03 07:20 --------- d-----w C:\Program Files\Microsoft Silverlight
          2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
          2008-03-27 08:12 151,583 ------w C:\WINDOWS\system32\dllcache\msjint40.dll
          2008-03-26 21:25 --------- d-----w C:\Program Files\Ubisoft
          2008-03-26 21:19 --------- d-----w C:\Program Files\Red Storm Entertainment
          2008-03-25 20:11 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
          2008-03-23 19:11 --------- d-----w C:\Documents and Settings\Robert Davey\Application Data\SecondLife
          2008-03-20 02:12 108,144 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
          2008-03-20 02:12 --------- d--h--r C:\Documents and Settings\Robert Davey\Application Data\SecuROM
          2008-03-20 02:02
          d
          w C:\Program Files\Sierra
          2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
          2008-03-19 09:47 1,845,248
          w C:\WINDOWS\system32\dllcache\win32k.sys
          2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
          2008-02-20 06:51 282,624
          w C:\WINDOWS\system32\dllcache\gdi32.dll
          2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
          2008-02-20 05:32 45,568
          w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
          2008-02-20 05:32 148,992
          w C:\WINDOWS\system32\dllcache\dnsapi.dll
          .
          ((((((((((((((((((((((((((((( snapshot@2008-05-16_15.27.36.65 )))))))))))))))))))))))))))))))))))))))))
          .
          - 2008-05-16 19:47:44 17,730 ----a-w C:\WINDOWS\system32\nvModes.dat
          + 2008-05-18 07:35:29 17,730 ----a-w C:\WINDOWS\system32\nvModes.dat
          .
          ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4
          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB10C2DF-7FA3-4621-9873-8465CD44CCB8}]
          C:\WINDOWS\system32\wvUkHApp.dll
          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C462587E-ACC9-4077-B54C-8DD01C2D9345}]
          C:\WINDOWS\system32\qoMcaaxX.dll
          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D382265B-332E-4C18-8821-7A20CA6BBC0F}]
          C:\WINDOWS\system32\jkkJcDWm.dll
          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 06:51 306688]
          "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
          "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
          "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-30 22:05 4636672]
          "nwiz"="nwiz.exe" [2004-11-30 22:05 921600 C:\WINDOWS\system32\nwiz.exe]
          "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 16:48 32881]
          "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 15:33 155648]
          "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 13:59 385024]
          "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19 53248]
          "mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 07:50 53248]
          "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-06-13 01:24 26112]
          "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05 127035]
          "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50 221184]
          "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50 81920]
          "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 17:36 49512]
          "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-02-09 15:08 100056]
          "eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 11:21 116224]
          "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 02:18 57344]
          "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
          "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
          "d0b12059"="C:\WINDOWS\system32\xwdyjqve.dll" [ ]
          "BMd38213c5"="C:\WINDOWS\system32\vqtylyur.dll" [ ]
          C:\Documents and Settings\Robert Davey\Start Menu\Programs\Startup\
          Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
          C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
          America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-06-13 01:24:03 156784]
          Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-06-13 01:15:51 24576]
          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
          "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
          "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtttqQK]
          awtttqQK.dll
          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
          C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 15:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
          "AntiVirusDisableNotify"=dword:00000001
          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
          "DisableMonitoring"=dword:00000001
          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
          "DisableMonitoring"=dword:00000001
          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
          "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
          "C:\\Program Files\\America Online 9.0\\waol.exe"=
          "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
          "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
          "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
          "C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
          "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
          "C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
          "C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
          "C:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe"=
          "C:\\Program Files\\iTunes\\iTunes.exe"=

          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
          \Shell\AutoRun\command - E:\autorun.exe
          .
          Contents of the 'Scheduled Tasks' folder
          "2008-05-14 17:38:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
          - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
          "2008-05-18 17:20:24 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Robert Davey.job"
          - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task:
          "2008-05-18 17:32:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
          - C:\Program Files\Symantec\LiveUpdate\NDetect.exe
          .
          **************************************************************************
          catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2008-05-18 11:34:48
          Windows 5.1.2600 Service Pack 2 NTFS
          scanning hidden processes ...
          scanning hidden autostart entries ...
          scanning hidden files ...
          scan completed successfully
          hidden files: 0
          **************************************************************************
          .
          Completion time: 2008-05-18 11:36:29
          ComboFix-quarantined-files.txt 2008-05-18 17:35:58
          ComboFix2.txt 2008-05-16 21:28:59
          Pre-Run: 14,696,747,008 bytes free
          Post-Run: 14,700,453,888 bytes free
          175 --- E O F --- 2008-05-16 19:59:10
        • gringo_pr Puerto Rico
          edited May 2008
          Hello Fidardorist

          It appears as if you have installed some illegal programs on your computer (Paradox Photoshop CS2 Keygen.zip)

          This was a good part of why you got infected (C:\Documents and Settings\Robert Davey\My Documents\Downloads\Paradox Photoshop CS2 Keygen.zip/paradox photoshop cs2.exe Infected: Backdoor.Win32.Poison.ac)

          The use of pirated software is not accepted here at Icrontic

          If you would like me to keep helping you I need this program removed from your computer

          Please let me know what you decide


          Gringo
        • edited May 2008
          The keygen is removed. I am not running any pirated software to my knowledge, though I wouldn't deny having done so. Now I just have a legit copy of Photoshop light. I plan not to run any peer to peer or pirated software on my machine in any foreseeable future.

          Thanks,

          Fidardorist
        • gringo_pr Puerto Rico
          edited May 2008
          Hello Fidardorist

          It is very important to shut down some of your security programs as they are interfering with the fixes

          Norton Internet Security: please follow this link to stop this program

          :disable Ad-Aware 2007:
            First please disable Ad-Aware 2007 as it may interfere with repairs.
          • Click the Settings button, Auto Scans tab, and under "Scan on Ad-Aware startup", be sure both selections for "No automated scan" are checked (green).
          • Then click Save and close Ad-Aware.


          :Run CFScript:

          Open Notepad and copy/paste the text in the box into the window:
          Registry::
          [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB10C2DF-7FA3-4621-9873-8465CD44CCB8}]
          
          [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C462587E-ACC9-4077-B54C-8DD01C2D9345}]
          
          [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D382265B-332E-4C18-8821-7A20CA6BBC0F}]
          
          [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtttqQK]
          
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "d0b12059"=-
          "BMd38213c5"=-
          
          [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
          

          Save it to your desktop as CFScript.txt

          Referring to the picture above, drag CFScript.txt into ComboFix.exe
          CFScript.gif
          This will let ComboFix run again.
          Restart if you have to.
          Save the produced logfile to your desktop.

          Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

          :information and logs:

            In your next post I need the following:
            1. the log from combofix
            2. let me know how the computer is doing


          Gringo
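          The Reg Loading Points section of the log above is what this CFScript targets: the three Browser Helper Objects in system32, the two Run values whose file metadata is an empty [ ], the bare awtttqQK.dll Winlogon Notify entry, and the Security Center values that silence antivirus and firewall alerts. As an added example, not from this thread, from Gringo or from ComboFix, the Python below parses that section and flags those patterns so a helper can see at a glance which entries deserve a look. The sample excerpt is constructed from the entries quoted in the log above (plus the EnableFirewall line from the later log), the heuristics and the empty BHO allowlist are assumptions, and the output is a list of review items, not a removal script.

```python
"""Triage the "Reg Loading Points" section of a ComboFix log.

Added example, not part of this thread or of ComboFix. The heuristics and the
BHO allowlist are assumptions; the sample excerpt is constructed from the log
entries quoted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed excerpt of the log quoted in the thread (same entries, trimmed).
SAMPLE_LOG = r"""
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB10C2DF-7FA3-4621-9873-8465CD44CCB8}]
C:\WINDOWS\system32\wvUkHApp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C462587E-ACC9-4077-B54C-8DD01C2D9345}]
C:\WINDOWS\system32\qoMcaaxX.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 17:36 49512]
"d0b12059"="C:\WINDOWS\system32\xwdyjqve.dll" [ ]
"BMd38213c5"="C:\WINDOWS\system32\vqtylyur.dll" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtttqQK]
awtttqQK.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 15:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
"""


@dataclass
class Finding:
    key: str      # registry key the entry lives under
    entry: str    # value name or DLL line
    reason: str   # why a human should look at it


VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"=(?P<data>.*)$')
PATH_META_RE = re.compile(r'^"(?P<path>[^"]*)"\s*\[(?P<meta>[^\]]*)\]\s*$')
DWORD_RE = re.compile(r'^dword:(?P<hex>[0-9a-fA-F]{8})$')

# Value name -> setting that means protection or its alerts are switched off.
# Assumption: some vendors set DisableMonitoring themselves, so these are
# review items, not proof of tampering.
TAMPER_SETTINGS = {
    "antivirusdisablenotify": 1,
    "firewalldisablenotify": 1,
    "disablemonitoring": 1,
    "enablefirewall": 0,
}


def _int_value(data: str):
    """Parse 'dword:00000001' or '0 (0x0)' style data; None if not numeric."""
    m = DWORD_RE.match(data)
    if m:
        return int(m.group("hex"), 16)
    m = re.match(r"^(\d+)", data)
    return int(m.group(1)) if m else None


def triage(log_text: str, known_bho_dlls=frozenset()):
    """Return Findings for the suspicious autostart patterns in the excerpt."""
    findings = []
    key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key: remember it for the lines below
            continue
        lk = key.lower()
        m = VALUE_RE.match(line)
        if m:
            name, data = m.group("name"), m.group("data").strip()
            if lk.endswith("\\run") or lk.endswith("\\runonce"):
                pm = PATH_META_RE.match(data)
                if pm:
                    path, meta = pm.group("path"), pm.group("meta").strip()
                    if not meta:      # ComboFix prints [ ] when it could not stat the file
                        findings.append(Finding(key, name, "no file metadata: target missing or unreadable"))
                    if path.lower().endswith(".dll"):
                        findings.append(Finding(key, name, "autostart loads a DLL instead of an executable"))
            elif "security center" in lk or "firewallpolicy" in lk:
                bad = TAMPER_SETTINGS.get(name.lower())
                if bad is not None and _int_value(data) == bad:
                    findings.append(Finding(key, name, "security notification or firewall switched off"))
            continue
        # Bare lines carry the DLL for BHO and Winlogon Notify keys.
        if "browser helper objects" in lk:
            base = line.rsplit("\\", 1)[-1].lower()
            if base not in known_bho_dlls:
                findings.append(Finding(key, line, "BHO DLL not on the allowlist"))
        elif "\\winlogon\\notify\\" in lk and "\\" not in line:
            # A bare name means the DLL is resolved via the search path and
            # ComboFix printed no path or version metadata for it.
            findings.append(Finding(key, line, "Notify DLL given by bare name, no path or metadata"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:55} {f.entry}  [{f.key}]")
```

Run against the excerpt it reports the two BHO DLLs, both randomly named Run values (twice each: missing metadata and DLL target), the bare awtttqQK.dll Notify entry and the three disabled-protection values, while ehTray, ccApp and the Intel Notify DLL pass. Names like `d0b12059` and `BMd38213c5` are not matched by pattern on purpose: the empty [ ] metadata and the DLL target are the stable signals, the names change from machine to machine.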
        • edited May 2008
          Thanks again, Gringo.

          My computer is running well, but I have been staying offline. When I go back online, such as for your last set of instructions after which I believe I stayed online, troubles then arise: things slow down, something is using up the power.

          So then I go offline, run spybot S&D. In the last case I may have found nothing or perhaps one thing. Sorry, not sure. What seemed to make the big diff was clearing my temp internet files.

          But I haven't really been online much since the last step - I use another computer - so it's hard to say if this rig will be attacked again when I do. I can always update this thread and/or drop you a message if it does.

          Does this mean I may be cured?

          Best,

          Fidardorist

          PS- I had to re-download combo fix for the latest version and I suppose I took a small risk by not re-installing the recovery console. Probably not wise for that one percent chance, but it worked out.


          ComboFix 08-05-21.3 - Robert Davey 2008-05-24 8:44:37.4 - NTFSx86
          Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1563 [GMT -6:00]
          Running from: C:\Documents and Settings\Robert Davey\Desktop\ComboFix.exe
          Command switches used :: C:\Documents and Settings\Robert Davey\Desktop\CFscript.txt
          * Created a new restore point
          WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
          .
          ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
          .
          \Legacy_NAVAPSVC

          ((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))
          .
          2008-05-10 15:16 . 2008-05-10 15:16 <DIR> d
          C:\WINDOWS\ERUNT
          2008-05-10 14:11 . 2008-05-16 14:49 <DIR> d
          C:\SDFix
          2008-05-06 15:07 . 2008-05-06 15:07 <DIR> d
          C:\Program Files\Trend Micro
          2008-05-05 17:40 . 2008-05-05 17:40 <DIR> d
          C:\WINDOWS\system32\Kaspersky Lab
          2008-05-05 17:40 . 2008-05-05 17:40 <DIR> d
          C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
          2008-05-05 17:20 . 2008-05-07 02:11 <DIR> d-a
          C:\Documents and Settings\All Users\Application Data\TEMP
          2008-05-05 17:19 . 2008-05-05 17:33 <DIR> d
          C:\Program Files\SpywareBlaster
          2008-05-05 17:19 . 2005-08-25 18:19 115,920 --a
          C:\WINDOWS\system32\MSINET.OCX
          2008-05-05 13:11 . 2008-05-05 13:11 <DIR> d
          C:\Program Files\Lavasoft
          2008-05-05 13:11 . 2008-05-05 13:11 <DIR> d
          C:\Program Files\Common Files\Wise Installation Wizard
          2008-05-05 13:11 . 2008-05-05 13:13 <DIR> d
          C:\Documents and Settings\All Users\Application Data\Lavasoft
          2008-05-05 11:58 . 2008-05-05 11:58 <DIR> d
          C:\Program Files\Spybot - Search & Destroy
          2008-05-05 11:58 . 2008-05-05 12:02 <DIR> d
          C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
          2008-05-05 10:37 . 2008-05-05 11:28 <DIR> d
          C:\WINDOWS\BDOSCAN8
          2008-05-03 17:09 . 2004-08-10 04:00 4,224 --a
          C:\WINDOWS\system32\beep.sys
          .
          (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          2008-05-24 14:41 d-----w C:\Program Files\Common Files\Symantec Shared
          2008-05-24 14:14 d-----w C:\Program Files\Norton Internet Security
          2008-05-03 18:20 d-----w C:\Documents and Settings\Robert Davey\Application Data\AdobeUM
          2008-04-27 19:34 d-----w C:\Program Files\Firaxis Games
          2008-04-26 19:55 d-----w C:\Program Files\Telltale Games
          2008-04-26 18:34 d--h--w C:\Program Files\InstallShield Installation Information
          2008-04-26 18:32 d-----w C:\Documents and Settings\Robert Davey\Application Data\My Games
          2008-04-26 18:30 d-----w C:\Program Files\EA GAMES
          2008-04-21 06:43 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
          2008-04-13 17:30 d-----w C:\Documents and Settings\Robert Davey\Application Data\Viewpoint
          2008-04-13 06:14 d-----w C:\Documents and Settings\NetworkService\Application Data\Xfire
          2008-04-12 14:04 d-----w C:\Documents and Settings\LocalService\Application Data\Xfire
          2008-04-04 22:02 d-----w C:\Documents and Settings\Robert Davey\Application Data\Apple Computer
          2008-04-04 18:43 d-----w C:\Program Files\Safari
          2008-04-04 18:36 d-----w C:\Program Files\iTunes
          2008-04-04 18:35 d-----w C:\Program Files\iPod
          2008-04-04 18:31 d-----w C:\Program Files\QuickTime
          2008-04-03 17:49 d-----w C:\Program Files\Windows Media Connect 2
          2008-04-03 07:20 d-----w C:\Program Files\Microsoft Silverlight
          2008-03-26 21:25 d-----w C:\Program Files\Ubisoft
          2008-03-26 21:19 d-----w C:\Program Files\Red Storm Entertainment
          .
          ((((((((((((((((((((((((((((( snapshot@2008-05-16_15.27.36.65 )))))))))))))))))))))))))))))))))))))))))
          .
          - 2008-05-16 21:18:16 2,048 --s-a-w C:\WINDOWS\bootstat.dat
          + 2008-05-24 14:48:08 2,048 --s-a-w C:\WINDOWS\bootstat.dat
          - 2000-08-31 14:00:00 73,728 ----a-w C:\WINDOWS\fdsv.exe
          + 2000-08-31 14:00:00 89,504 ----a-w C:\WINDOWS\fdsv.exe
          - 2008-05-16 19:47:44 17,730 ----a-w C:\WINDOWS\system32\nvModes.dat
          + 2008-05-24 08:38:53 17,730 ----a-w C:\WINDOWS\system32\nvModes.dat
          .
          ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
          .
          .
          *Note* empty entries & legit default entries are not shown
          REGEDIT4
          [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2004-07-19 06:51 306688]
          "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 10:24 1694208]
          "Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
          "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 13:56 64512]
          "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-11-30 22:05 4636672]
          "nwiz"="nwiz.exe" [2004-11-30 22:05 921600 C:\WINDOWS\system32\nwiz.exe]
          "SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 16:48 32881]
          "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2004-09-13 15:33 155648]
          "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2004-10-30 13:59 385024]
          "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19 53248]
          "mmtask"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe" [2004-09-14 07:50 53248]
          "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-06-13 01:24 26112]
          "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 00:05 127035]
          "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50 221184]
          "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50 81920]
          "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-08 17:36 49512]
          "Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2008-02-09 15:08 100056]
          "eFax 4.3"="C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" [2007-03-06 11:21 116224]
          "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe" [2005-09-09 02:18 57344]
          "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-03-28 23:37 413696]
          "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
          C:\Documents and Settings\Robert Davey\Start Menu\Programs\Startup\
          Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 20:16:50 113664]
          C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
          America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-06-13 01:24:03 156784]
          Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-06-13 01:15:51 24576]
          [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
          "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
          "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless]
          C:\Program Files\Intel\Wireless\Bin\LgNotify.dll 2004-09-07 15:08 110592 C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
          [HKEY_LOCAL_MACHINE\software\microsoft\security center]
          "AntiVirusDisableNotify"=dword:00000001
          "FirewallDisableNotify"=dword:00000001
          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
          "DisableMonitoring"=dword:00000001
          [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
          "DisableMonitoring"=dword:00000001
          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
          "EnableFirewall"= 0 (0x0)
          [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
          "%windir%\\system32\\sessmgr.exe"=
          "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
          "C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
          "C:\\Program Files\\America Online 9.0\\waol.exe"=
          "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Civilization4.exe"=
          "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword.exe"=
          "C:\\Program Files\\Firaxis Games\\Sid Meier's Civilization 4\\Beyond the Sword\\Civ4BeyondSword_PitBoss.exe"=
          "C:\\Program Files\\Adobe\\Photoshop Elements 4.0\\AdobePhotoshopElementsMediaServer.exe"=
          "C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
          "C:\\Program Files\\Sierra\\FEAR\\FEAR.exe"=
          "C:\\Program Files\\Sierra\\FEAR\\FEARMP.exe"=
          "C:\\Program Files\\Sierra\\FEAR\\FEARXP\\FEARXP.exe"=
          "C:\\Program Files\\iTunes\\iTunes.exe"=

          [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
          \Shell\AutoRun\command - E:\autorun.exe
          *Newly Created Service* - NAVAPSVC
          .
          Contents of the 'Scheduled Tasks' folder
          "2008-05-21 17:38:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
          - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
          "2008-05-24 13:34:49 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Robert Davey.job"
          - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/task:
          "2008-05-24 14:57:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
          - C:\Program Files\Symantec\LiveUpdate\NDetect.exe
          .
          **************************************************************************
          catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
          Rootkit scan 2008-05-24 08:48:42
          Windows 5.1.2600 Service Pack 2 NTFS
          scanning hidden processes ...
          scanning hidden autostart entries ...
          scanning hidden files ...
          scan completed successfully
          hidden files: 0
          **************************************************************************
          .
          Other Running Processes
          .
          C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
          C:\Program Files\Intel\Wireless\Bin\ZCfgSvc.exe
          C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
          C:\Program Files\Intel\Wireless\Bin\WLKEEPER.exe
          C:\Program Files\Common Files\Symantec Shared\CCPROXY.EXE
          C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
          C:\Program Files\Norton Internet Security\ISSVC.exe
          C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
          C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
          C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
          C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
          C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
          C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
          C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
          C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
          C:\Program Files\Bonjour\mDNSResponder.exe
          C:\WINDOWS\ehome\ehrecvr.exe
          C:\WINDOWS\ehome\ehSched.exe
          C:\Program Files\Dell\NicConfigSvc\NicConfigSvc.exe
          C:\WINDOWS\system32\nvsvc32.exe
          C:\WINDOWS\system32\PnkBstrA.exe
          C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
          C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
          C:\WINDOWS\ehome\mcrdsvc.exe
          C:\Program Files\Common Files\Symantec Shared\Security Center\symwsc.exe
          C:\WINDOWS\system32\dllhost.exe
          C:\WINDOWS\ehome\ehmsas.exe
          C:\Program Files\Apoint\ApntEx.exe
          C:\Program Files\iPod\bin\iPodService.exe
          C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVAPSVC.EXE
          C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
          .
          **************************************************************************
          .
          Completion time: 2008-05-24 8:58:56 - machine was rebooted
          ComboFix-quarantined-files.txt 2008-05-24 14:57:55
          ComboFix2.txt 2008-05-24 14:35:41
          ComboFix3.txt 2008-05-18 17:36:30
          ComboFix4.txt 2008-05-16 21:28:59
          Pre-Run: 14,128,398,336 bytes free
          Post-Run: 14,117,908,480 bytes free
          191 --- E O F --- 2008-05-16 19:59:10
        • gringo_pr Puerto Rico
          edited May 2008
          Hello Fidardorist

          some programs are interfering with the fixes

          please go here to disable norton internet security
          http://service1.symantec.com/SUPPORT/nip.nsf/docid/2003071515220236
          ( after we are done you can re-enable it )

          :disable Ad-Aware 2007:
            First please disable Ad-Aware 2007 as it may interfere with repairs.
          • Click the Settings button, Auto Scans tab, and under "Scan on Ad-Aware startup", be sure both selections for "No automated scan" are checked (green).
          • Then click Save and close Ad-Aware.


          :Clean temp files:
            Download and Run ATF Cleaner
          Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. Double-click ATF Cleaner.exe to open it.

          Under Main choose:
            Windows Temp
            Current User Temp
            All Users Temp
            Temporary Internet Files
            Prefetch
            Java Cache

            *The other boxes are optional*
            Then click the Empty Selected button.

            If you use Firefox:
            Click Firefox at the top and choose: Select All
            Click the Empty Selected button.
            NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

            If you use Opera:
            Click Opera at the top and choose: Select All
            Click the Empty Selected button.
            NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


            Click Exit on the Main menu to close the program


            : Malwarebytes' Anti-Malware :
            Please download Malwarebytes' Anti-Malware to your desktop.

            • Double-click mbam-setup.exe and follow the prompts to install the program.
            • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
            • If an update is found, it will download and install the latest version.
            • Once the program has loaded, select Perform full scan, then click Scan.
            • When the scan is complete, click OK, then Show Results to view the results.
            • Be sure that everything is checked, and click Remove Selected.
            • When completed, a log will open in Notepad. Please copy and paste the log into your next reply.
            • If you accidentally close it, the log file is saved here and will be named like this: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt


            :Run Kaspersky Online AV Scanner:
            In order to use it you have to use Internet Explorer. Go to Kaspersky and click the Accept button at the end of the page.
            • Read the Requirements and limitations before you click Accept.
            • Allow the ActiveX download if necessary.
            • Once the database has downloaded, click Next.
            • Click Scan Settings and change the "Scan using the following antivirus database" from standard to extended and then click OK.
            • Click on "My Computer"
            • When the scan has completed, click Save Report As...
            • Enter a name for the file in the Filename: text box and then click the down arrow to the right of Save as type: and select text file (*.txt)
            • Click Save - by default the file will be saved to your Desktop, but you can change this if you wish.
            Copy and paste the report into your next reply


            I was looking at your antivirus and noticed it is a little old,
            are you still receiving updates for it?
            Some of the newer Nortons are a lot easier on a system than the older ones.

            :information and logs:

              In your next post I need the following:
              1. log from MBAM
              2. log from kaspersky
              3. new log from hijackthis
              4. are you still receiving updates for norton?


            Gringo
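As an added example (not part of Gringo's instructions and not code from MBAM or Kaspersky), a small Python triage helper for the two text reports these steps produce: the MBAM log and the Kaspersky "Save Report As" text file. It separates "Object is locked skipped" lines (files the scanner could not open, which are not detections) from real detections, and flags only detections that sit outside System Restore points and antivirus quarantine folders, which is the first thing a helper reading these logs checks. The sample lines are constructed in the two report formats; the restore-point GUID and the live file name are placeholders.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Kaspersky Online Scanner report line shapes (assumed from the text report format)
KAV_INFECTED = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
KAV_CONTAINER = re.compile(r"^(?P<path>.+?) (?P<packer>\w+): infected - (?P<n>\d+) skipped$")
KAV_LOCKED = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
# MBAM log line: "<file or registry key> (<Detection.Name>) -> <action>."
MBAM_LINE = re.compile(r"^(?P<path>.+?) \((?P<name>[\w.-]+)\) -> (?P<action>.+?)\.?$")


@dataclass
class Finding:
    path: str
    name: str       # detection name exactly as the scanner printed it
    location: str   # "restore_point", "quarantine", "registry" or "live"
    action: str     # what the scanner did with it ("skipped", "Quarantined and deleted successfully", ...)


def classify_location(path: str) -> str:
    """Where a detected object lives decides its urgency: restore-point copies and
    quarantined files are inert unless restored; registry items and other files are live."""
    p = path.lower()
    if p.startswith("hkey_"):
        return "registry"
    if "\\system volume information\\_restore" in p:
        return "restore_point"
    if "\\quarantine\\" in p:
        return "quarantine"
    return "live"


def parse_line(line: str):
    """Return a Finding, the string 'locked' for a locked-file line, or None for
    lines that are not per-object results (headers, statistics, blank lines)."""
    line = line.strip()
    if not line:
        return None
    if KAV_LOCKED.match(line):
        return "locked"
    m = KAV_INFECTED.match(line)
    if m:
        return Finding(m["path"], m["name"], classify_location(m["path"]), "skipped")
    m = KAV_CONTAINER.match(line)
    if m:
        # Installer/archive wrapper (NSIS, RarSFX, CryptFF) with a count of infected members
        name = f"{m['packer']}: {m['n']} infected member(s)"
        return Finding(m["path"], name, classify_location(m["path"]), "skipped")
    m = MBAM_LINE.match(line)
    if m:
        return Finding(m["path"], m["name"], classify_location(m["path"]), m["action"])
    return None


def triage(lines):
    """Parse a whole report; return (findings, locked_count, per-location counts)."""
    findings, locked = [], 0
    for raw in lines:
        parsed = parse_line(raw)
        if parsed == "locked":
            locked += 1
        elif isinstance(parsed, Finding):
            findings.append(parsed)
    return findings, locked, Counter(f.location for f in findings)


def needs_action(findings):
    """Detections still active: live files or registry items the scanner only skipped."""
    return [f for f in findings if f.location in ("live", "registry") and f.action == "skipped"]


# Constructed sample lines in the two report formats; EXAMPLE-GUID and
# example_live.dll are placeholders, not values from this thread.
SAMPLE_REPORT = [
    "C:\\Documents and Settings\\LocalService\\NTUSER.DAT Object is locked skipped",
    "C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped",
    "C:\\Program Files\\Norton Internet Security\\Norton AntiVirus\\Quarantine\\10A72009.857 Infected: Trojan.Win32.Monder.gen skipped",
    "C:\\System Volume Information\\_restore{EXAMPLE-GUID}\\RP135\\A0050314.dll Infected: Trojan.Win32.Monder.gen skipped",
    "C:\\System Volume Information\\_restore{EXAMPLE-GUID}\\RP134\\A0048228.exe NSIS: infected - 2 skipped",
    "C:\\WINDOWS\\system32\\example_live.dll Infected: Trojan.Win32.Monder.gen skipped",
    "HKEY_CLASSES_ROOT\\CLSID\\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.",
    "C:\\System Volume Information\\_restore{EXAMPLE-GUID}\\RP136\\A0050357.dll (Trojan.Vundo) -> Quarantined and deleted successfully.",
    "Scan process completed.",
]

if __name__ == "__main__":
    found, locked, by_location = triage(SAMPLE_REPORT)
    print(f"locked (not detections): {locked}")
    print(f"detections by location: {dict(by_location)}")
    for f in needs_action(found):
        print(f"STILL ACTIVE: {f.path}  [{f.name}]")
```

Run it against the saved .txt report instead of SAMPLE_REPORT (for example `triage(open(path, encoding='utf-8', errors='replace'))`) to see at a glance whether anything remains outside restore points and quarantine.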
          • edited May 2008
            My Norton is subscribed through this month next year and I manually updated it twice since I got your message. Perhaps it wasn't updated due to the fact I've kept mostly offline with this computer during this period. Just trying to find my way to the update scheduling screen (which they've hidden so well) on Norton to schedule daily updates.

            So here are the logs for this week. It is evident that we've still got company. At first I lowered more or less all the Norton defenses and that may have brought on a fresh wave of invaders. Later I re-read your post again and lowered the internet security and only the internet security function. [Note: this does take down the firewall.] Is this what you intended? Needless to say they are all back up now. Found 5 trojans in the quarantine this morning.

            Not sure how to ask Kaspersky to clean all that stuff instead of the option it chose 'skipped.' Looks like Norton ran some of them and I can run another Spybot S&D now to see what it picks up.

            In any case, major thanks again for all this help. Where do I find out how you are able to provide all this incredible service, and where to contribute a bit?

            Best,

            Fidardorist


            Malwarebytes' Anti-Malware 1.12
            Database version: 786
            Scan type: Full Scan (C:\|)
            Objects scanned: 156945
            Time elapsed: 54 minute(s), 51 second(s)
            Memory Processes Infected: 0
            Memory Modules Infected: 0
            Registry Keys Infected: 4
            Registry Values Infected: 1
            Registry Data Items Infected: 0
            Folders Infected: 0
            Files Infected: 11
            Memory Processes Infected:
            (No malicious items detected)
            Memory Modules Infected:
            (No malicious items detected)
            Registry Keys Infected:
            HKEY_CLASSES_ROOT\CLSID\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
            HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
            HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
            Registry Values Infected:
            HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks\{4d25f926-b9fe-4682-bf72-8ab8210d6d75} (Adware.MyWay) -> Quarantined and deleted successfully.
            Registry Data Items Infected:
            (No malicious items detected)
            Folders Infected:
            (No malicious items detected)
            Files Infected:
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048227.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048260.exe (Adware.Agent) -> Quarantined and deleted successfully.
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048263.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0049330.exe (Adware.Agent) -> Quarantined and deleted successfully.
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0049331.exe (Adware.SearchAid) -> Quarantined and deleted successfully.
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP135\A0050333.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP136\A0050357.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP137\A0053376.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP137\A0053383.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP140\A0056461.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP140\A0056471.dll (Trojan.Vundo) -> Quarantined and deleted successfully.




            KASPERSKY ONLINE SCANNER REPORT
            Monday, May 26, 2008 8:21:17 AM
            Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
            Kaspersky Online Scanner version: 5.0.98.0
            Kaspersky Anti-Virus database last update: 26/05/2008
            Kaspersky Anti-Virus database records: 800639


            Scan Settings
            Scan using the following antivirus database extended
            Scan Archives true
            Scan Mail Bases true

            Scan Target My Computer
            C:\
            E:\

            Scan Statistics
            Total number of scanned objects 116815
            Number of viruses found 14
            Number of infected objects 48
            Number of suspicious objects 0
            Duration of the scan process 02:10:24
            Infected Object Name Virus Name Last Action
            C:\Documents and Settings\All Users\Application Data\eFax Messenger 4.3 Output\Robert Davey\~Running.ping Object is locked skipped
            C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_5b150187-0f05-4c72-917c-77c8e6964ac4 Object is locked skipped
            C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
            C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
            C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
            C:\Documents and Settings\All Users\Application Data\QSLLPSVCShare Object is locked skipped
            C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
            C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
            C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
            C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
            C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
            C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
            C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2008-05-26_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
            C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
            C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
            C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
            C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
            C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
            C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
            C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
            C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
            C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
            C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
            C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
            C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
            C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
            C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
            C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
            C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
            C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
            C:\Documents and Settings\Robert Davey\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
            C:\Documents and Settings\Robert Davey\Cookies\index.dat Object is locked skipped
            C:\Documents and Settings\Robert Davey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
            C:\Documents and Settings\Robert Davey\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
            C:\Documents and Settings\Robert Davey\Local Settings\History\History.IE5\index.dat Object is locked skipped
            C:\Documents and Settings\Robert Davey\Local Settings\History\History.IE5\MSHist012008052620080527\index.dat Object is locked skipped
            C:\Documents and Settings\Robert Davey\Local Settings\Temp\Cookies\index.dat Object is locked skipped
            C:\Documents and Settings\Robert Davey\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
            C:\Documents and Settings\Robert Davey\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
            C:\Documents and Settings\Robert Davey\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
            C:\Documents and Settings\Robert Davey\NTUSER.DAT Object is locked skipped
            C:\Documents and Settings\Robert Davey\ntuser.dat.LOG Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
            C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
            C:\Program Files\Norton Internet Security\Norton AntiVirus\AVApp.log Object is locked skipped
            C:\Program Files\Norton Internet Security\Norton AntiVirus\AVError.log Object is locked skipped
            C:\Program Files\Norton Internet Security\Norton AntiVirus\AVVirus.log Object is locked skipped
            C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\10A72009.857 Infected: Trojan.Win32.Monder.gen skipped
            C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\10AA4A05.914 Infected: Trojan.Win32.Monder.gen skipped
            C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\10AA4A05.967 Infected: Trojan.Win32.Monder.gen skipped
            C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\10AD7401.968 Infected: Trojan.Win32.Monder.gen skipped
            C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\10AD7401.987 Infected: Trojan.Win32.Monder.gen skipped
            C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0266NAV~.TMP Object is locked skipped
            C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0647NAV~.TMP Object is locked skipped
            C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP132\A0048149.sys Infected: Rootkit.Win32.Agent.aii skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP133\A0048179.exe Infected: not-a-virus:AdWare.Win32.AdBand.y skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048228.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.y skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048228.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.y skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048228.exe NSIS: infected - 2 skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048229.exe Infected: Trojan-Downloader.Win32.PurityScan.gb skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048230.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048230.exe NSIS: infected - 1 skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048266.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.AdBand.y skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048266.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.y skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048266.exe NSIS: infected - 2 skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048266.exe CryptFF: infected - 2 skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048270.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048270.exe NSIS: infected - 1 skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048270.exe CryptFF: infected - 1 skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048271.exe Infected: Trojan-Downloader.Win32.PurityScan.gb skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048272.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.423 skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048272.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048272.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048272.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048272.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048272.exe RarSFX: infected - 5 skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048272.exe CryptFF: infected - 5 skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048289.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048289.exe NSIS: infected - 1 skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048289.exe CryptFF: infected - 1 skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP134\A0048290.exe Infected: Trojan-Downloader.Win32.PurityScan.gb skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP135\A0050314.dll Infected: Trojan.Win32.Monder.gen skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP135\A0050334.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.gb skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP135\A0050334.exe NSIS: infected - 1 skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP135\A0050336.dll Infected: Trojan.Win32.Monder.da skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP135\A0050338.dll Infected: Trojan.Win32.Monder.gen skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP135\A0050339.dll Infected: Trojan.Win32.Monder.gen skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP135\A0050340.dll Infected: Trojan.Win32.Monder.cz skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP135\A0050341.dll Infected: Trojan.Win32.Monder.db skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP137\A0053377.dll Infected: Trojan.Win32.Monder.gen skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP137\A0053384.dll Infected: Trojan.Win32.Monder.gen skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP140\A0056460.exe Infected: Trojan.Win32.DNSChanger.cze skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP140\A0056463.dll Infected: Trojan.Win32.Monder.dl skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP140\A0056466.dll Infected: Trojan.Win32.Monder.dm skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP140\A0056467.dll Infected: Trojan.Win32.Zapchast.gr skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP140\A0056472.sys Infected: Rootkit.Win32.Agent.aii skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP147\A0056816.sys Infected: Rootkit.Win32.Agent.aii skipped
            C:\System Volume Information\_restore{3DBD88D2-9FFC-498B-A689-A4771362F918}\RP157\change.log Object is locked skipped
            C:\WINDOWS\CSC\00000001 Object is locked skipped
            C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
            C:\WINDOWS\ModemLog_Conexant D110 MDC V.9x Modem.txt Object is locked skipped
            C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{55EC1BF3-5CA4-4765-9E44-04D2807B5925}.crmlog Object is locked skipped
            C:\WINDOWS\SchedLgU.Txt Object is locked skipped
            C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
            C:\WINDOWS\Sti_Trace.log Object is locked skipped
            C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
            C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
            C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
            C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
            C:\WINDOWS\system32\config\default.LOG Object is locked skipped
            C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
            C:\WINDOWS\system32\config\SAM Object is locked skipped
            C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
            C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
            C:\WINDOWS\system32\config\SECURITY Object is locked skipped
            C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
            C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
            C:\WINDOWS\system32\config\software.LOG Object is locked skipped
            C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
            C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
            C:\WINDOWS\system32\config\system.LOG Object is locked skipped
            C:\WINDOWS\system32\h323log.txt Object is locked skipped
            C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
            C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
            C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
            C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
            C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
            C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
            C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
            C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
            C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
            C:\WINDOWS\wiadebug.log Object is locked skipped
            C:\WINDOWS\wiaservc.log Object is locked skipped
            C:\WINDOWS\WindowsUpdate.log Object is locked skipped

            Scan process completed.





            Logfile of Trend Micro HijackThis v2.0.2
            Scan saved at 8:24:17 AM, on 5/26/2008
            Platform: Windows XP SP2 (WinNT 5.01.2600)
            MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
            Boot mode: Normal
            Running processes:
            C:\WINDOWS\System32\smss.exe
            C:\WINDOWS\system32\winlogon.exe
            C:\WINDOWS\system32\services.exe
            C:\WINDOWS\system32\lsass.exe
            C:\WINDOWS\system32\svchost.exe
            C:\WINDOWS\System32\svchost.exe
            C:\WINDOWS\system32\svchost.exe
            C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
            C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
            C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
            C:\WINDOWS\Explorer.EXE
            C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
            C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
            C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
            C:\Program Files\Norton Internet Security\ISSVC.exe
            C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
            C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
            C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
            C:\WINDOWS\system32\spoolsv.exe
            C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
            C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
            C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
            C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
            C:\Program Files\Bonjour\mDNSResponder.exe
            C:\WINDOWS\eHome\ehRecvr.exe
            C:\WINDOWS\eHome\ehSched.exe
            C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
            C:\WINDOWS\system32\nvsvc32.exe
            C:\WINDOWS\system32\PnkBstrA.exe
            C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
            C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
            C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
            C:\WINDOWS\system32\dllhost.exe
            C:\WINDOWS\ehome\ehtray.exe
            C:\WINDOWS\eHome\ehmsas.exe
            C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
            C:\Program Files\Apoint\Apoint.exe
            C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
            C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
            C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
            C:\Program Files\Real\RealPlayer\RealPlay.exe
            C:\WINDOWS\system32\dla\tfswctrl.exe
            C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
            C:\Program Files\Common Files\Symantec Shared\ccApp.exe
            C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe
            C:\WINDOWS\System32\svchost.exe
            C:\Program Files\Apoint\Apntex.exe
            C:\Program Files\iTunes\iTunesHelper.exe
            C:\Program Files\Dell Support\DSAgnt.exe
            C:\WINDOWS\system32\svchost.exe
            C:\Program Files\Digital Line Detect\DLG.exe
            C:\Program Files\iPod\bin\iPodService.exe
            C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
            C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
            C:\Program Files\Common Files\Symantec Shared\AdBlocking\NSMdtr.exe
            C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
            C:\Program Files\Internet Explorer\IEXPLORE.EXE
            C:\Program Files\Internet Explorer\IEXPLORE.EXE
            C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
            R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
            R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
            R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://e/
            R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
            O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
            O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - (no file)
            O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
            O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
            O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
            O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
            O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
            O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
            O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
            O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
            O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
            O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
            O4 - HKLM\..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
            O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
            O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
            O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
            O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
            O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
            O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
            O4 - HKLM\..\Run: [eFax 4.3] "C:\Program Files\eFax Messenger 4.3\J2GDllCmd.exe" /R
            O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 4.0\apdproxy.exe"
            O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
            O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
            O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
            O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
            O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
            O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
            O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
            O4 - Global Startup: Digital Line Detect.lnk = ?
            O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
            O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
            O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
            O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
            O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
            O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
            O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
            O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
            O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
            O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
            O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
            O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
            O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
            O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/resources/MSNPUpld.cab
            O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
            O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
            O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
            O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
            O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
            O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
            O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
            O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
            O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
            O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
            O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
            O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
            O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
            O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
            O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
            O23 - Service: ISSvc (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
            O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
            O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
            O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
            O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
            O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
            O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
            O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
            O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
            O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
            O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
            O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
            O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
            O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
            O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
            --
            End of file - 11914 bytes
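The O4 (Run keys and Startup folders) and O23 (services) sections above are the ones a helper reads first when deciding whether "we still have company". The following Python is an added example, not part of the thread and not HijackThis code: it parses lines in that O4/O23 format into records, recovers the file each entry actually loads (including the DLL behind a rundll32 command), and attaches review flags that echo what this thread reported, namely a startup item whose target cannot be resolved, a DLL loaded through rundll32, and a service with no company name. The sample log, the placeholder value name "SampleEntry" and the `triage` flag names are constructed for the example; the flags are a sorting aid for a human reviewer, not verdicts.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample in HijackThis O4/O23 format. Lines 1, 2, 4, 5 and 6 are
# modelled on entries quoted in the thread; line 3 is a constructed Run entry
# (placeholder value name "SampleEntry") standing in for the orphaned system32
# DLL the poster saw failing to load at start-up. This is not the full log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKLM\..\Run: [SampleEntry] rundll32.exe C:\WINDOWS\system32\vqtylyur.dll,b
O4 - Global Startup: Digital Line Detect.lnk = ?
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

O4_RUN = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
O4_STARTUP = re.compile(r"^O4 - (?P<folder>Global Startup|Startup): (?P<name>.+?) = (?P<target>.*)$")
O23_SERVICE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
# An unquoted path ends at the first recognised executable extension that is
# followed by whitespace, a comma (rundll32's module,entrypoint form) or EOL.
EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|pif|cpl))(?:[\s,]|$)", re.IGNORECASE)
RUNDLL32 = {"rundll32", "rundll32.exe"}


@dataclass
class Entry:
    kind: str                   # "O4" or "O23"
    location: str               # e.g. "HKLM\Run", "Global Startup", or "Service"
    name: str                   # Run value name, shortcut name, or service display name
    command: str                # raw command line, shortcut target, or service image path
    module: Optional[str]       # the file the entry actually loads, when recoverable
    owner: Optional[str] = None # O23 only: the company name HijackThis reports
    flags: List[str] = field(default_factory=list)


def module_from_command(cmd: str) -> Optional[str]:
    """Recover the executable or DLL that a Run command will load."""
    cmd = cmd.strip()
    if cmd in ("", "?"):
        return None
    if cmd.startswith('"'):                     # quoted path; arguments follow the closing quote
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else None
    head, _, rest = cmd.partition(" ")
    if head.lower() in RUNDLL32:                # rundll32 <module>,<entry>: the module is what matters
        m = EXT_RE.match(rest.strip())
        return m.group(1) if m else rest.split(",", 1)[0].strip()
    m = EXT_RE.match(cmd)                       # unquoted path that may itself contain spaces
    return m.group(1) if m else head


def triage(entry: Entry) -> List[str]:
    """Review flags (constructed names): reasons an entry deserves a second look."""
    flags: List[str] = []
    cmd = entry.command.strip()
    if entry.kind == "O4" and cmd == "?":
        flags.append("unresolved-target")       # startup shortcut whose target could not be resolved
    head = cmd.split(" ", 1)[0].strip('"').lower() if cmd else ""
    if head in RUNDLL32:
        flags.append("rundll32-loaded-module")  # a DLL run via rundll32; check what that module is
    if entry.kind == "O23" and entry.owner == "Unknown owner":
        flags.append("unknown-owner-service")   # no company name in the service binary's version info
    return flags


def parse_log(text: str) -> List[Entry]:
    """Parse O4 and O23 lines; other HijackThis sections are skipped here."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if m := O4_RUN.match(line):
            e = Entry("O4", f"{m['hive']}\\{m['key']}", m["name"], m["cmd"], module_from_command(m["cmd"]))
        elif m := O4_STARTUP.match(line):
            e = Entry("O4", m["folder"], m["name"], m["target"], module_from_command(m["target"]))
        elif m := O23_SERVICE.match(line):
            e = Entry("O23", "Service", m["display"], m["path"], m["path"].strip(), owner=m["owner"])
        else:
            continue
        e.flags = triage(e)
        entries.append(e)
    return entries


def flagged(entries: List[Entry]) -> List[Entry]:
    """Only the entries carrying at least one review flag."""
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.kind:<3} {e.location:<14} {e.name:<24} {e.module or '?':<58} {','.join(e.flags) or '-'}")
```

Run against a saved HijackThis log (replace `SAMPLE_LOG` with the file's contents) and read the flagged rows first; an entry with no flag is not cleared by this, it simply has none of the three patterns the thread itself pointed at.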
          • gringo_pr Puerto Rico
            edited May 2008
            Hello Fidardorist
            It is evident that we still have company.
            The logs are perfect; what you see is in the system restore, and we will clear those next.
            Where do I find out how you are able to provide all this incredible service, and where to contribute a bit?
            Where did I learn how to fight? I learned at MRW; there is a link in my signature.


            :uninstall some programs:
              1. click on start
              2. then go to settings
              3. after that you need control panel
              4. look for the icon add remove programs
              click on the following programs

              Java 2 Runtime Environment, SE v1.4.2_03
              My Way Search Assistant


              and click on remove


              : Update Java :

              Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to update.
              • Download the latest version of Java(TM) SE Runtime Environment 6u6.
              • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
              • Click the "Download" button to the right.
              • Check the box that says: "Accept License Agreement".
              • The page will refresh.
              • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
              • Close any programs you may have running - especially your web browser.
              • Then from your desktop double-click on the download to install the newest version.

              This is my general post for when your logs show no more signs of malware ;)- Please let me know if you still are having problems with your computer and what these problems are

              :Time for some housekeeping:
              • Click START then RUN
              • Now type Combofix /u in the runbox and click OK

              :remove tools:
                Let's clear out the programmes we've been using to clean up your computer, they are not suitable for general malware removal and could cause damage if used inappropriately.


                Please download OTMoveIt and save it to desktop.
                • Double click OTMoveIt.exe to launch the programme.
                • Click on the CleanUp! button.
                • OTMoveIt will download a list from the Internet, if your firewall or other defensive programmes alerts you, allow it access.
                • Select Yes when the "Begin cleanup Process?" prompt appears.
                • If you are prompted to Reboot during the cleanup, select Yes.
                • When finished exit out of OTMoveIt
                • The tool will delete itself once it finishes, if not delete it by yourself.


                :Set correct settings for files:
                • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
                • Under "Hidden files and folders" if necessary select Do not show hidden files and folders.
                • If unchecked please check Hide protected operating system files (Recommended)
                • If necessary check "Display content of system folders"
                • If necessary Uncheck Hide file extensions for known file types.
                • Click OK

                :clear system restore points:
                  This is a good time to clear your existing system restore points and establish a new clean restore point:
                • Go to Start > All Programs > Accessories > System Tools > System Restore
                • Select Create a restore point, and Ok it.
                • Next, go to Start > Run and type in cleanmgr
                • Select the More options tab
                • Choose the option to clean up system restore and OK it.
                This will remove all restore points except the new one you just created.


                :Make your Internet Explorer more secure:
                • From within Internet Explorer click on the Tools menu and then click on Options.
                • Click once on the Security tab
                • Click once on the Internet icon so it becomes highlighted.
                • Click once on the Custom Level button.
                • Change the Download signed ActiveX controls to Prompt
                • Change the Download unsigned ActiveX controls to Disable
                • Change the Initialise and script ActiveX controls not marked as safe to Disable
                • Change the Installation of desktop items to Prompt
                • Change the Launching programs and files in an IFRAME to Prompt
                • Change the Navigate sub-frames across different domains to Prompt
                • When all these settings have been made, click on the OK button.
                • If it prompts you as to whether or not you want to save the settings, press the Yes button.
                  Next press the Apply button and then the OK to exit the Internet Properties page.


                :Turn On Automatic Updates:
                1. Click Start, click Run, type sysdm.cpl, and then press ENTER.
                2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select "Automatic (recommended): Automatically download recommended updates for my computer and install them".

                If you click this setting, click to select the day and time for scheduled updates to occur. You can schedule Automatic Updates for any time of day. Remember, your computer must be on at the scheduled time for updates to be installed. After you set this option, Windows recognizes when you are online and uses your Internet connection to find updates on the Windows Update Web site or on the Microsoft Update Web site that apply to your computer. Updates are downloaded automatically in the background, and you are not notified or interrupted during this process. An icon appears in the notification area of your taskbar when the updates are being downloaded. You can point to the icon to view the download status. To pause or to resume the download, right-click the icon, and then click Pause or Resume. When the download is completed, another message appears in the notification area so that you can review the updates that are scheduled for installation. If you choose not to install at that time, Windows starts the installation on your set schedule.

                or visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



                :antispyware programs:
                  You have a couple of good antispyware programs on this computer, but you can still try some of these others to see if you like them. I would also recommend the download and installation of some or all of the following programs (all free),
                and the updating of them regularly:
                • WinPatrol As a robust security monitor, WinPatrol will alert you to hijackings, malware attacks and critical changes made to your computer without your permission. WinPatrol takes snapshot of your critical system resources and alerts you to any changes that may occur without your knowledge.
                • Spybot Search & Destroy - Spybot is a tool like Ad-Aware SE whereas it seeks out and removes known spyware from your machine. These two tools (Ad-Aware & spybot) are perfect complements to each other as one will most always find something the other missed.
                • Spyware Blaster - By altering your registry, this program stops harmful sites from installing things like ActiveX Controls on your machines.
                • IE_Spyad - Works by placing known "bad" sites into your Internet Explorer "Restricted Zones" prohibiting them from doing potentially problematic things to your computer.


                Consider a custom hosts file
                  Consider a custom hosts file such as MVPS HOSTS. This custom hosts file effectively blocks a wide range of unwanted ads, banners, 3rd party Cookies, 3rd party page counters, web bugs, and many hijackers.
                For information on how to download and install, please read this tutorial by WinHelp2002
                Note: Be sure to follow the instructions to disable the DNS Client service before installing a custom hosts file.


                Also please read this great article by Tony Klein So How Did I Get Infected In First Place

                Now you have followed my advice - it's time to lodge a complaint against what you have suffered.........

                Malware Complaints
                If you were infected .... Stand Up and be Counted.

                I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can then be closed.


                Gringo
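The post above recommends a custom hosts file such as MVPS HOSTS. A blocking hosts file works by pointing unwanted names at a sinkhole address (0.0.0.0 or 127.0.0.1), so a quick sanity check of any hosts file is to confirm that localhost still resolves to loopback and that every other line is either a sinkhole entry or a mapping the machine's owner recognises. The following Python is an added example, not part of the thread and not the MVPS project's code; the sample hosts content, the `.test` names and the TEST-NET-2 address are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample hosts file, not the MVPS file itself: the localhost line
# Windows ships with, three MVPS-style blocking entries, and one line that maps
# a name to a routable address. Names use the reserved .test TLD and the
# address is from the TEST-NET-2 documentation range; all are made up.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
0.0.0.0  ads.example-counter.test
0.0.0.0  tracker.example-adnet.test  # [banner network]
127.0.0.1  toolbar.example-hijacker.test
198.51.100.23  update.example-vendor.test
"""

# Addresses a blocking hosts file legitimately points unwanted names at.
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::1"}

HostEntry = Tuple[str, str, int]   # (address, hostname, line number)


def parse_hosts(text: str) -> List[HostEntry]:
    """One (address, hostname, line_no) triple per hostname token; comments and blank lines skipped."""
    entries: List[HostEntry] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()        # drop full-line and trailing comments
        if not body:
            continue
        addr, *names = body.split()
        try:
            ipaddress.ip_address(addr)              # skip lines whose first field is not an address
        except ValueError:
            continue
        entries.extend((addr, name.lower(), line_no) for name in names)
    return entries


def review_hosts(text: str) -> Dict[str, object]:
    """Classify entries: localhost must be loopback, sinkhole mappings are blocks, anything else needs review."""
    report: Dict[str, object] = {"localhost_ok": False, "blocked": [], "redirected": []}
    for addr, name, line_no in parse_hosts(text):
        if name == "localhost":
            report["localhost_ok"] = addr in ("127.0.0.1", "::1")
        elif addr in SINKHOLES:
            report["blocked"].append(name)
        else:
            # A name pointed at a real address overrides DNS for that name;
            # the person maintaining the file should recognise every such line.
            report["redirected"].append((name, addr, line_no))
    return report


if __name__ == "__main__":
    r = review_hosts(SAMPLE_HOSTS)
    print("localhost -> loopback:", r["localhost_ok"])
    print("blocked names:", len(r["blocked"]))
    for name, addr, line_no in r["redirected"]:
        print(f"line {line_no}: {name} -> {addr}  (review)")
```

On Windows XP the file lives at %SystemRoot%\system32\drivers\etc\hosts; read it into `review_hosts` in place of `SAMPLE_HOSTS`. A long "redirected" list after installing the MVPS file is unexpected, since that file only adds sinkhole entries.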
              • gringo_pr Puerto Rico
                edited May 2008
                Glad we could be of assistance! The help you received here was free.

                As this topic looks to be resolved, it is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.

                If you are not the user who started this thread, you must start your own Thread instead :)
                _______________________________

                Have we helped you with any issues you have had with your PCs or other items? If so, you can now help us by Joining Team 93 and fold for a cure.