29-03-2008, 20:42   #1
John mac
Registered User
Join Date: Aug 2001
Posts: 4,605
Please help

OK, I am getting banner ads coming up for porn sites (on the BBC News site and on boards); I am pretty sure they are not supposed to be there.
I think I may have some kind of virus.
From the Trojan Issue thread I have run SDFix; here is the report.

SDFix: Version 1.164

Run by JOhn on 29/03/2008 at 17:36

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-29 17:42:16
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00025b00a326]
"00119fbf9eb7"=hex:9d,a2,38,6a,75,4d,29,ee,d6,d5,6b,62,30,fa,77,bb
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00025b00a326]
"00119fbf9eb7"=hex:9d,a2,38,6a,75,4d,29,ee,d6,d5,6b,62,30,fa,77,bb

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\Cyberlink\\PowerCinema\\PowerCinema.exe"="C:\\Program Files\\Cyberlink\\PowerCinema\\PowerCinema.exe:*:Enabled:CyberLink PowerCinema"
"C:\\Program Files\\Cyberlink\\PowerCinema\\PCMService.exe"="C:\\Program Files\\Cyberlink\\PowerCinema\\PCMService.exe:*:Enabled:CyberLink PowerCinema Resident Program"
"C:\\Program Files\\Kontiki\\KService.exe"="C:\\Program Files\\Kontiki\\KService.exe:*:Enabled:Delivery Manager Service"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"="C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe:*:Enabled:McAfee Network Agent"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe"="C:\\Program Files\\Joost\\xulrunner\\tvprunner.exe:*:Enabled:tvprunner"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"="C:\\Program Files\\Real\\RealPlayer\\realplay.exe:*:Enabled:RealPlayer"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Tue 15 May 2007 5,375,800 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 5 Mar 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 22 Dec 2004 76,568 ..SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\Setup.exe"
Thu 13 Jan 2005 11,360 A.SHR --- "C:\Program Files\Autodesk\Autodesk DWF Viewer\_Setupx.dll"
Thu 14 Feb 2008 20,487 A.SHR --- "C:\Program Files\McAfee\MQC\MRU.bak"
Thu 14 Feb 2008 211 A.SHR --- "C:\Program Files\McAfee\MQC\qcconf.bak"
Sun 28 Oct 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Thu 24 Jan 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\f7db876e78b88fd8276fd7d29cb7e4eb\BIT1.tmp"

Finished!

----------------------------------------------------------------------

Then I ran DSS.

Deckard's System Scanner v20071014.68
Run by JOhn on 2008-03-29 18:02:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
89: 2008-03-29 18:02:42 UTC - RP542 - Deckard's System Scanner Restore Point
88: 2008-03-29 09:20:41 UTC - RP541 - Removed 4oD.
87: 2008-03-28 21:25:57 UTC - RP540 - System Checkpoint
86: 2008-03-27 20:55:46 UTC - RP539 - Last known good configuration
85: 2008-03-27 20:55:42 UTC - RP538 - Installed WinZip 11.1


-- First Restore Point --
1: 2008-03-27 20:55:26 UTC - RP454 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as JOhn.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:07:33, on 29/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ABIT\uGuru\uGuru.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\JOhn\Desktop\removal of virus\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\JOhn.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - C:\WINDOWS\system32\nnnOIxVm.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {00a73069-5911-0019-ce24-519b62768f91} - {19f86726-b915-42ec-9100-119596037a00} - C:\WINDOWS\system32\kmhrfmwh.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {B7E8AE16-D750-44D5-A1AB-9C7F3BB27E8F} - C:\WINDOWS\system32\opnnkkHy.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKLM\..\Run: [d4f304e7] rundll32.exe "C:\WINDOWS\system32\fyqigvbs.dll",b
O4 - HKLM\..\Run: [BMd7c0377b] Rundll32.exe "C:\WINDOWS\system32\veldoidb.dll",s
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\ABIT\uGuru\uGuru.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: TV Schedule Tray.lnk = C:\Program Files\Club 3D\ZAP-TV1101\yTvTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1172059411531
O16 - DPF: {8ACDC08B-DC64-4613-97F2-299B65F66E1D} (DigiMeldOcx Control) - http://www.digimeld.com/download/digimeldOcx.CAB
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: nnnOIxVm - C:\WINDOWS\SYSTEM32\nnnOIxVm.dll
O23 - Service: McAfee Application Installer Cleanup (0287401206781151) (0287401206781151mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\028740~1.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10738 bytes

-- File Associations -----------------------------------------------------------

.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\notepad.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 UGURU - c:\windows\system32\drivers\uguru.sys <Not Verified; ABIT; ABIT uGuru Micro-Processor Device Driver>
R3 catchme - c:\docume~1\john\locals~1\temp\catchme.sys (file missing)

S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 Memctl - c:\program files\abit\flashmenu\memctl.sys
S3 TCCrystalCpuInfo - c:\docume~1\john\locals~1\temp\tccpuinfo.sys (file missing)
S3 Winflash - c:\program files\abit\flashmenu\winflash.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CLCapSvc (CyberLink Background Capture Service (CBCS)) - "c:\program files\cyberlink\powercinema\kernel\tv\clcapsvc.exe" <Not Verified; ; CLCapSvc Module>
R2 CLSched (CyberLink Task Scheduler (CTS)) - "c:\program files\cyberlink\powercinema\kernel\tv\clsched.exe" <Not Verified; ; CLSched Module>
R2 CyberLink Media Library Service - "c:\program files\cyberlink\powercinema\kernel\clml_ntservice\clmlserver.exe" <Not Verified; Cyberlink; Cyberlink Media Library Server>
R2 RichVideo (Cyberlink RichVideo Service(CRVS)) - "c:\program files\cyberlink\shared files\richvideo.exe" <Not Verified; ; RichVideo Module>
R3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>

S2 0287401206781151mcinstcleanup (McAfee Application Installer Cleanup (0287401206781151)) - c:\windows\temp\028740~1.exe c:\progra~1\common~1\mcafee\instal~1\cleanup.ini -cleanup -nolog -service (file missing)


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC
Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_107A147B&REV_01\4&522B953&0&00E4
Manufacturer: Realtek Semiconductor Corp.
Name: Realtek RTL8168/8111 PCI-E Gigabit Ethernet NIC #2
PNP Device ID: PCI\VEN_10EC&DEV_8168&SUBSYS_107A147B&REV_01\4&522B953&0&00E4
Service: RTLE8023xp

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia Windows Portable Device Driver
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia 6630
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-03-29 17:13:00 268 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job
2008-03-25 19:55:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
2008-02-18 17:13:18 390 --a------ C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job
2007-02-21 16:28:46 348 --a------ C:\WINDOWS\Tasks\McDefragTask.job
2007-02-21 16:28:45 350 --a------ C:\WINDOWS\Tasks\McQcTask.job


-- Files created between 2008-02-29 and 2008-03-29 -----------------------------

2008-03-29 17:32:15 0 d-------- C:\WINDOWS\ERUNT
2008-03-29 17:27:33 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2008-03-29 17:27:33 0 d--h----- C:\Documents and Settings\Administrator\Recent
2008-03-29 17:27:33 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2008-03-29 17:27:33 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2008-03-29 17:27:33 0 d-------- C:\Documents and Settings\Administrator\My Documents
2008-03-29 17:27:33 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2008-03-29 17:27:33 0 d-------- C:\Documents and Settings\Administrator\Favorites
2008-03-29 17:27:33 0 d-------- C:\Documents and Settings\Administrator\Desktop
2008-03-29 17:27:33 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2008-03-29 17:27:33 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2008-03-29 17:27:33 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2008-03-29 17:27:32 0 d--h----- C:\Documents and Settings\Administrator\Templates
2008-03-29 17:27:32 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2008-03-29 17:27:32 524288 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2008-03-29 09:01:42 85568 --a------ C:\WINDOWS\system32\fyqigvbs.dll
2008-03-29 08:58:49 90176 --a------ C:\WINDOWS\system32\kmhrfmwh.dll
2008-03-29 08:58:42 86592 --a------ C:\WINDOWS\system32\veldoidb.dll
2008-03-28 08:59:55 93760 --a------ C:\WINDOWS\system32\uceuxmqw.dll
2008-03-28 08:56:55 93248 --a------ C:\WINDOWS\system32\eapsslcd.dll
2008-03-27 20:57:57 39424 --a------ C:\WINDOWS\system32\fccyXOef.dll
2008-03-27 20:55:15 213056 --ahs---- C:\WINDOWS\system32\yHkknnpo.ini2
2008-03-27 20:55:10 273920 --a------ C:\WINDOWS\system32\opnnkkHy.dll
2008-03-27 20:50:51 39424 --a------ C:\WINDOWS\system32\pmnkJdbb.dll
2008-03-27 20:50:06 39424 --a------ C:\WINDOWS\system32\nnnOIxVm.dll
2008-03-27 20:47:21 0 d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-20 20:46:43 0 --a------ C:\WINDOWS\popcreg.dat
2008-03-20 20:46:43 20 --a------ C:\WINDOWS\popcinfot.dat
2008-03-20 20:46:43 0 d-------- C:\Program Files\PopCap Games
2008-03-14 21:59:23 0 d-------- C:\Jmw1DA.tmp
2008-03-14 21:35:55 0 d-------- C:\CBEEBIES
2008-03-05 11:23:45 0 d-------- C:\Program Files\Common Files\Adobe
2008-02-29 14:03:19 0 d-------- C:\Program Files\iPod
2008-02-29 14:01:48 0 d-------- C:\Program Files\QuickTime


-- Find3M Report ---------------------------------------------------------------

2008-03-29 10:01:01 0 d-------- C:\Program Files\DivX
2008-03-29 08:59:08 0 d-------- C:\Program Files\McAfee
2008-03-13 12:03:23 0 d-------- C:\Program Files\Java
2008-03-05 11:23:45 0 d-------- C:\Program Files\Common Files
2008-02-29 23:34:26 0 d-------- C:\Documents and Settings\JOhn\Application Data\uTorrent
2008-02-29 14:03:30 0 d-------- C:\Program Files\iTunes
2008-02-21 02:05:44 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-02-21 02:04:16 196608 --a------ C:\WINDOWS\system32\dtu100.dll <Not Verified; DivX, Inc.; DivX, Inc. dtu100>
2008-02-21 02:04:16 81920 --a------ C:\WINDOWS\system32\dpl100.dll <Not Verified; DivX, Inc.; DivX, Inc. dpl100>
2008-02-21 02:04:04 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 02:04:04 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 02:04:04 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 02:04:04 682496 --a------ C:\WINDOWS\system32\DivX.dll <Not Verified; DivX, Inc.; DivX®>
2008-02-21 02:03:24 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-02-18 17:19:06 0 d-------- C:\Documents and Settings\JOhn\Application Data\Uniblue
2008-02-13 17:50:45 0 d-------- C:\Program Files\uTorrent
2008-02-10 17:30:02 0 d-------- C:\Program Files\Last.fm
2008-02-05 08:31:15 0 d-------- C:\Documents and Settings\JOhn\Application Data\Nokia Multimedia Player


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{060BB0AB-4B09-4C51-9ECB-9580A6D08D7F}]
27/03/2008 20:50 39424 --a------ C:\WINDOWS\system32\nnnOIxVm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{19f86726-b915-42ec-9100-119596037a00}]
29/03/2008 08:58 90176 --a------ C:\WINDOWS\system32\kmhrfmwh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{377C180E-6F0E-4D4C-980F-F45BD3D40CF4}]
19/09/2007 06:15 329032 --a------ C:\Program Files\McAfee\MSK\mcapbho.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7E8AE16-D750-44D5-A1AB-9C7F3BB27E8F}]
27/03/2008 20:55 273920 --a------ C:\WINDOWS\system32\opnnkkHy.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [29/07/2007 07:17]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 04:25]
"RTHDCPL"="RTHDCPL.EXE" [10/08/2007 14:21 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [03/05/2005 17:43 C:\WINDOWS\Alcmtr.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" []
"BluetoothAuthenticationAgent"="bthprops.cpl" [04/08/2004 07:56 C:\WINDOWS\system32\bthprops.cpl]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [03/08/2007 22:33]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [19/02/2008 13:10]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [02/11/2004 20:24]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [31/01/2008 23:13]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [16/05/2006 16:35]
"d4f304e7"="C:\WINDOWS\system32\fyqigvbs.dll" [29/03/2008 09:01]
"BMd7c0377b"="C:\WINDOWS\system32\veldoidb.dll" [29/03/2008 08:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [10/11/2006 11:35]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [07/11/2007 17:35]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 07:56]
"ABIT uGuruIII"="C:\Program Files\ABIT\uGuru\uGuru.exe" [24/07/2006 13:21]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [10/12/2007 10:12]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog

C:\Documents and Settings\JOhn\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [10/02/2008 17:30:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{060BB0AB-4B09-4C51-9ECB-9580A6D08D7F}"= C:\WINDOWS\system32\nnnOIxVm.dll [27/03/2008 20:50 39424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnOIxVm]
nnnOIxVm.dll 27/03/2008 20:50 39424 C:\WINDOWS\system32\nnnOIxVm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\opnnkkHy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\mcmscsvc]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ




-- End of Deckard's System Scanner: finished at 2008-03-29 18:08:34 ------------

Firefox is closing when I try to play a video from the BBC News website.
I can open the video while using IE7!

Please help.

Last edited by John mac; 30-03-2008 at 12:40.
30-03-2008, 12:47   #2
John mac
I have just run Spybot.
Here is the log.
Virtumonde.dll: [SBI $8AEDD710] Library (File, nothing done)
C:\WINDOWS\system32\eapsslcd.dll

Virtumonde.dll: [SBI $8AEDD710] Library (File, nothing done)
C:\WINDOWS\system32\fyqigvbs.dll

Virtumonde.dll: [SBI $8AEDD710] Library (File, nothing done)
C:\WINDOWS\system32\goprqrqa.dll

Virtumonde.dll: [SBI $8AEDD710] Library (File, nothing done)
C:\WINDOWS\system32\kmhrfmwh.dll

Virtumonde.dll: [SBI $8AEDD710] Library (File, nothing done)
C:\WINDOWS\system32\opnnkkHy.dll

Virtumonde.dll: [SBI $8AEDD710] Library (File, nothing done)
C:\WINDOWS\system32\plwgwtih.dll

Virtumonde.dll: [SBI $8AEDD710] Library (File, nothing done)
C:\WINDOWS\system32\uceuxmqw.dll

Virtumonde.dll: [SBI $8AEDD710] Library (File, nothing done)
C:\WINDOWS\system32\veldoidb.dll

Virtumonde.dll: [SBI $8AEDD710] Library (File, nothing done)
C:\WINDOWS\system32\vqyunlrd.dll

Virtumonde.dll: [SBI $E6921A50] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{47c655ca-a78a-488c-b9d2-d6a6f1937a55}

Virtumonde.dll: [SBI $E6921A50] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{47c655ca-a78a-488c-b9d2-d6a6f1937a55}

Virtumonde.dll: [SBI $E6921A50] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{71D13D25-ECDF-423B-BA04-67D5F935F6A6}

Virtumonde.dll: [SBI $E6921A50] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{71D13D25-ECDF-423B-BA04-67D5F935F6A6}

Virtumonde.dll: [SBI $F62A486E] Library (File, nothing done)
C:\WINDOWS\system32\nnnOIxVm.dll

Virtumonde.dll: [SBI $F62A486E] Library (File, nothing done)
C:\WINDOWS\system32\pmnkJdbb.dll

Virtumonde.dll: [SBI $468A1B10] Browser helper object (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{060BB0AB-4B09-4C51-9ECB-9580A6D08D7F}

Virtumonde.dll: [SBI $468A1B10] Class ID (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{060BB0AB-4B09-4C51-9ECB-9580A6D08D7F}

WildTangent: [SBI $3A3BDC07] Program directory (Directory, nothing done)
C:\WINDOWS\wt\

WildTangent: [SBI $595CAE40] Library (File, nothing done)
C:\WINDOWS\wt\WDInUsePlugin.dll

WildTangent: [SBI $DFEDBBEE] Library (File, nothing done)
C:\WINDOWS\wt\webdriver.dll

WildTangent: [SBI $76830867] Program directory (Directory, nothing done)
C:\WINDOWS\wt\wtupdates\

WildTangent: [SBI $E30EC8B1] Program directory (Directory, nothing done)
C:\WINDOWS\wt\updater\

WildTangent: [SBI $7E3A8D37] Program directory (Directory, nothing done)
C:\WINDOWS\wt\webdriver\

Microsoft.Windows.AppFirewallBypass: [SBI $9FD0556E] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\usmt\migwiz.exe

Microsoft.Windows.AppFirewallBypass: [SBI $2AF14C29] Settings (Registry value, nothing done)
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\system32\usmt\migwiz.exe

Virtumonde: [SBI $42352499] User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-73586283-1123561945-839522115-1004\Software\Microsoft\rdfa

Virtumonde: [SBI $47E741CD] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: [SBI $7342F9D9] Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-73586283-1123561945-839522115-1004\Software\Microsoft\aldd

WebTrends live: Tracking cookie (Internet Explorer: JOhn) (Cookie, nothing done)


DoubleClick: Tracking cookie (Internet Explorer: JOhn) (Cookie, nothing done)


Cassava: Tracking cookie (Internet Explorer: JOhn) (Cookie, nothing done)


Right Media: Tracking cookie (Internet Explorer: JOhn) (Cookie, nothing done)


Cassava: Tracking cookie (Firefox: default) (Cookie, nothing done)


Cassava: Tracking cookie (Firefox: default) (Cookie, nothing done)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)


Adviva: Tracking cookie (Firefox: default) (Cookie, nothing done)


Adviva: Tracking cookie (Firefox: default) (Cookie, nothing done)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)


BurstMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)


CasaleMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)


DoubleClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


FastClick: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


HitBox: Tracking cookie (Firefox: default) (Cookie, nothing done)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)


MediaPlex: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Statcounter: Tracking cookie (Firefox: default) (Cookie, nothing done)


Tradedoubler: Tracking cookie (Firefox: default) (Cookie, nothing done)


Tradedoubler: Tracking cookie (Firefox: default) (Cookie, nothing done)


Tradedoubler: Tracking cookie (Firefox: default) (Cookie, nothing done)


Tradedoubler: Tracking cookie (Firefox: default) (Cookie, nothing done)


Tradedoubler: Tracking cookie (Firefox: default) (Cookie, nothing done)


Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)


Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)


Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)


Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)


Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)


Zedo: Tracking cookie (Firefox: default) (Cookie, nothing done)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)


AdRevolver: Tracking cookie (Firefox: default) (Cookie, nothing done)


WebTrends live: Tracking cookie (Firefox: default) (Cookie, nothing done)


BurstMedia: Tracking cookie (Firefox: default) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.5.2 (build: 20080128) ---

2008-01-28 blindman.exe (1.0.0.7)
2008-01-28 SDDelFile.exe (1.0.2.4)
2008-01-28 SDMain.exe (1.0.0.5)
2008-01-28 SDUpdate.exe (1.0.8.8)
2008-01-28 SDWinSec.exe (1.0.0.11)
2008-01-28 SpybotSD.exe (1.5.2.20)
2008-01-28 TeaTimer.exe (1.5.2.16)
2008-03-30 unins000.exe (51.49.0.0)
2008-01-28 Update.exe (1.4.0.6)
2008-01-28 advcheck.dll (1.5.4.5)
2007-04-02 aports.dll (2.1.0.0)
2007-11-17 DelZip179.dll (1.79.7.4)
2008-01-28 SDFiles.dll (1.5.1.19)
2008-01-28 SDHelper.dll (1.5.0.11)
2008-01-28 Tools.dll (2.1.3.3)
2008-03-26 Includes\Cookies.sbi (*)
2007-12-26 Includes\Dialer.sbi (*)
2008-03-26 Includes\DialerC.sbi (*)
2008-03-26 Includes\HeavyDuty.sbi (*)
2008-03-19 Includes\Hijackers.sbi (*)
2008-03-26 Includes\HijackersC.sbi (*)
2008-02-27 Includes\Keyloggers.sbi (*)
2008-03-26 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2008-03-26 Includes\Malware.sbi (*)
2008-03-26 Includes\MalwareC.sbi (*)
2008-03-26 Includes\PUPS.sbi (*)
2008-03-26 Includes\PUPSC.sbi (*)
2008-03-26 Includes\Revision.sbi (*)
2008-01-09 Includes\Security.sbi (*)
2008-03-26 Includes\SecurityC.sbi (*)
2008-03-19 Includes\Spybots.sbi (*)
2008-03-26 Includes\SpybotsC.sbi (*)
2007-11-06 Includes\Tracks.uti
2008-03-19 Includes\Trojans.sbi (*)
2008-03-26 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll



Most of what I see are cookies, but what I don't like is the
Virtumonde.dll

I am not going to try and do anything else (I might make it worse).
John mac is offline  
30-03-2008, 14:52   #3
 
Join Date: Jan 2008
Posts: 332
http://www.411-spyware.com/remove-virtumonde

Could be causing pop-ups.
masterwriter is offline  
30-03-2008, 17:42   #4
 
Join Date: Feb 2007
Posts: 1,963
I wouldn't waste your time with the below link. The scanner in that link is considered a rogue application that will definitely not fix your problem.

Do this

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
    -----------------------------------------------------------
    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
      -----------------------------------------------------------
    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    -----------------------------------------------------------
  4. Double click on combofix.exe & follow the prompts.
  5. When finished, it will produce a report for you.
  6. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
**Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.**
ActorSeeksJob is offline  
30-03-2008, 18:22   #5
John mac
Registered User
 
John mac's Avatar
 
Join Date: Aug 2001
Posts: 4,605
ComboFix 08-03-30.2 - JOhn 2008-03-30 18:07:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1164 [GMT 1:00]
Running from: C:\Documents and Settings\JOhn\Desktop\removal of virus\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMd7c0377b.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aqrqrpog.ini
C:\WINDOWS\system32\eapsslcd.dll
C:\WINDOWS\system32\fccyXOef.dll
C:\WINDOWS\system32\fyqigvbs.dll
C:\WINDOWS\system32\goprqrqa.dll
C:\WINDOWS\system32\kmhrfmwh.dll
C:\WINDOWS\system32\nnnOIxVm.dll
C:\WINDOWS\system32\opnnkkHy.dll
C:\WINDOWS\system32\plwgwtih.dll
C:\WINDOWS\system32\pmnkJdbb.dll
C:\WINDOWS\system32\sbvgiqyf.ini
C:\WINDOWS\system32\uceuxmqw.dll
C:\WINDOWS\system32\veldoidb.dll
C:\WINDOWS\system32\vqyunlrd.dll
C:\WINDOWS\system32\yHkknnpo.ini
C:\WINDOWS\system32\yHkknnpo.ini2

.
((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-30 00:29 . 2008-03-30 18:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-30 00:29 . 2008-03-30 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 19:02 . 2008-03-29 19:02 <DIR> d-------- C:\Deckard
2008-03-29 18:32 . 2008-03-29 18:32 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-29 18:24 . 2008-03-29 18:44 <DIR> d-------- C:\SDFix
2008-03-28 10:03 . 2008-03-29 09:53 1,583,228 ---hs---- C:\WINDOWS\system32\aluqxkvu.ini
2008-03-27 21:47 . 2008-03-27 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-20 21:46 . 2008-03-29 10:04 <DIR> d-------- C:\Program Files\PopCap Games
2008-03-20 21:46 . 2008-03-21 17:19 20 --a------ C:\WINDOWS\popcinfot.dat
2008-03-20 21:46 . 2008-03-20 21:46 0 --a------ C:\WINDOWS\popcreg.dat
2008-03-14 22:59 . 2008-03-14 22:59 <DIR> d-------- C:\Jmw1DA.tmp
2008-03-05 12:23 . 2008-03-05 12:23 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-29 15:03 . 2008-02-29 15:03 <DIR> d-------- C:\Program Files\iPod
2008-02-29 15:03 . 2008-03-30 18:12 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-29 15:03 . 2008-02-29 15:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-29 15:01 . 2008-02-29 15:02 <DIR> d-------- C:\Program Files\QuickTime
2008-02-21 03:05 . 2008-02-21 03:05 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-02-21 03:05 . 2008-02-21 03:05 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-02-21 03:05 . 2008-02-21 03:05 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-02-21 03:05 . 2008-02-21 03:05 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-02-21 03:05 . 2008-02-21 03:05 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-02-21 03:03 . 2008-02-21 03:03 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-02-21 03:03 . 2008-02-21 03:03 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-02-21 03:03 . 2008-02-21 03:03 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-02-21 03:03 . 2008-02-21 03:03 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-02-18 18:13 . 2008-02-18 18:19 <DIR> d-------- C:\Documents and Settings\JOhn\Application Data\Uniblue
2008-02-13 18:50 . 2008-02-13 18:50 <DIR> d-------- C:\Program Files\uTorrent
2008-02-13 18:50 . 2008-03-01 00:34 <DIR> d-------- C:\Documents and Settings\JOhn\Application Data\uTorrent
2008-02-11 00:25 . 2008-02-11 00:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2008-02-10 18:29 . 2008-02-10 18:30 <DIR> d-------- C:\Program Files\Last.fm
2008-02-01 00:13 . 2008-02-01 00:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-02-01 00:13 . 2008-02-01 00:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 10:01 --------- d-----w C:\Program Files\DivX
2008-03-29 09:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-03-29 08:59 --------- d-----w C:\Program Files\McAfee
2008-03-13 12:03 --------- d-----w C:\Program Files\Java
2008-02-29 14:03 --------- d-----w C:\Program Files\iTunes
2008-02-05 08:31 --------- d-----w C:\Documents and Settings\JOhn\Application Data\Nokia Multimedia Player
2007-12-09 14:12 20,928 ---ha-w C:\Program Files\fury3.GID
1995-08-23 00:00 645,120 ----a-w C:\Program Files\FURY3.EXE
1995-08-23 00:00 328,810 ----a-w C:\Program Files\FURY3.HLP
1995-08-23 00:00 31,891 ----a-w C:\Program Files\README.TXT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 18:35 1294336]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"ABIT uGuruIII"="C:\Program Files\ABIT\uGuru\uGuru.exe" [2006-07-24 14:21 417792]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 11:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-29 08:17 1836544]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 15:21 16384000 C:\WINDOWS\RTHDCPL.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [ ]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 08:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2006-05-16 17:35 147456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 18:35 1294336]

C:\Documents and Settings\JOhn\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-02-10 18:30:00 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnOIxVm]
nnnOIxVm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Cyberlink\\PowerCinema\\PowerCinema.exe"=
"C:\\Program Files\\Cyberlink\\PowerCinema\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R0 UGURU;UGURU;C:\WINDOWS\system32\drivers\uGuru.sys [2006-05-03 14:46]
S2 0296571206871741mcinstcleanup;McAfee Application Installer Cleanup (0296571206871741);C:\WINDOWS\TEMP\029657~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini []
S3 Memctl;Memctl;C:\Program Files\ABIT\FlashMenu\Memctl.sys [2001-11-29 20:49]
S3 TCCrystalCpuInfo;TCCrystalCpuInfo;C:\DOCUME~1\JOhn\LOCALS~1\Temp\TCCpuInfo.sys []

*Newly Created Service* - 0296571206871741MCINSTCLEANUP
.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 19:55:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-02-21 16:28:46 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-02-21 16:28:45 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-03-29 17:13:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-02-18 17:13:18 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 18:13:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-03-30 18:15:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-30 17:15:36
Pre-Run: 14,028,701,696 bytes free
Post-Run: 14,108,041,216 bytes free
.
2008-03-12 23:41:48 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:18:27, on 30/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ABIT\uGuru\uGuru.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\ABIT\uGuru\uGuru.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: TV Schedule Tray.lnk = C:\Program Files\Club 3D\ZAP-TV1101\yTvTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1172059411531
O16 - DPF: {8ACDC08B-DC64-4613-97F2-299B65F66E1D} (DigiMeldOcx Control) - http://www.digimeld.com/download/digimeldOcx.CAB
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: nnnOIxVm - nnnOIxVm.dll (file missing)
O23 - Service: McAfee Application Installer Cleanup (0296571206871741) (0296571206871741mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\029657~1.EXE (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9908 bytes




There you go.
John mac is offline  
30-03-2008, 18:34   #6
 
Join Date: Feb 2007
Posts: 1,963
Hello

1. Please re-open HiJackThis and choose do a system scan only. Check the boxes next to ONLY the entries listed below(if present):

R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O20 - Winlogon Notify: nnnOIxVm - nnnOIxVm.dll (file missing)


2. Now close all windows other than HiJackThis, including browsers, so that nothing other than HijackThis is open, then click Fix Checked. A box will pop up asking you if you wish to fix the selected items. Please choose YES. Once it has fixed them, please exit/close HijackThis.



1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
File::
C:\WINDOWS\system32\aluqxkvu.ini

Folder::
C:\Jmw1DA.tmp

Driver::
0296571206871741mcinstcleanup
TCCrystalCpuInfo
Save this as CFScript.txt, in the same location as ComboFix.exe




Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




Reboot and post a new HijackThis log
ActorSeeksJob is offline  
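The two entries the helper singles out above share one trait: a registry loader (a URLSearchHook and a Winlogon Notify package) whose file no longer exists, which is the usual leftover after malware has been removed and is safe to clear. The script below is an added example, not part of HijackThis or of any post in this thread; it parses HijackThis-style log lines, flags "(no file)" / "(file missing)" orphans as safe to fix, and marks AppInit_DLLs, Winlogon Notify and unknown-owner service entries for manual review. The sample log is a hand-picked subset of entries from the logs posted in this thread; the severity labels and review rules are this example's own assumptions, not HijackThis behaviour.

```python
"""Triage a HijackThis-style log: flag the entries a helper would look at first.

Added example for this thread; not part of HijackThis or of any post here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: a subset of entries copied from the logs posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R3 - URLSearchHook: &Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: nnnOIxVm - nnnOIxVm.dll (file missing)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

# Every HijackThis entry starts with a section code (R0..R3, O1..O24) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    code: str       # HijackThis section code, e.g. "O20"
    severity: str   # "fix" = safe to tick under Fix Checked; "review" = inspect, do not auto-fix
    reason: str
    line: str


def classify(code: str, body: str) -> Optional[Finding]:
    """Return a Finding for one log entry, or None if it needs no attention.

    Rules are this example's assumptions; a real triage would cross-check
    each path against a known-good list before fixing anything.
    """
    line = f"{code} - {body}"
    # Orphaned loader: the registry still points at a file that is gone.
    # It can no longer run anything, so removing the pointer is safe and tidy.
    if any(marker in body for marker in ORPHAN_MARKERS):
        return Finding(code, "fix", "loader points at a missing file", line)
    if code == "O20" and body.startswith("AppInit_DLLs"):
        # Loaded into every process that links user32.dll: verify the DLL's origin.
        return Finding(code, "review", "AppInit_DLLs injects into every GUI process", line)
    if code == "O20" and body.startswith("Winlogon Notify"):
        # Runs inside winlogon.exe at logon; a favourite persistence spot.
        return Finding(code, "review", "Winlogon Notify package runs under winlogon.exe", line)
    if code == "O23" and "Unknown owner" in body:
        # No publisher in the version info: worth checking where the binary came from.
        return Finding(code, "review", "service binary has no publisher name", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Parse a whole log and collect findings in log order."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header lines, running-process list, blank lines
        finding = classify(m.group("code"), m.group("body"))
        if finding is not None:
            findings.append(finding)
    return findings


def fix_list(findings: List[Finding]) -> List[str]:
    """Lines a helper would tell the user to tick under 'Fix checked'."""
    return [f.line for f in findings if f.severity == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.code}: {f.reason}")
        print(f"         {f.line}")
```

Run against the sample, the "fix" list comes out as exactly the two entries the helper asked to have fixed, while the AppInit_DLLs line (a Google Desktop component here) and the unowned ATI service are only queued for review: an orphaned loader is cheap to remove, but a present DLL that injects everywhere deserves a look at its origin before anything is deleted.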
30-03-2008, 18:56   #7
John mac
Registered User
Join Date: Aug 2001
Posts: 4,605
If I had a job to give I would offer you one!






ComboFix 08-03-30.2 - JOhn 2008-03-30 18:44:33.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1420 [GMT 1:00]
Running from: C:\Documents and Settings\JOhn\Desktop\removal of virus\ComboFix.exe
Command switches used :: C:\Documents and Settings\JOhn\Desktop\removal of virus\CFScript.txt
* Created a new restore point
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\aluqxkvu.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Jmw1DA.tmp
C:\Jmw1DA.tmp\VIDEO_TS\VTS_01_1.VOB
C:\Jmw1DA.tmp\VIDEO_TS\VTS_02_0.BUP
C:\Jmw1DA.tmp\VIDEO_TS\VTS_02_0.IFO
C:\Jmw1DA.tmp\VIDEO_TS\VTS_02_1.VOB
C:\Jmw1DA.tmp\VIDEO_TS\VTS_03_0.BUP
C:\Jmw1DA.tmp\VIDEO_TS\VTS_03_0.IFO
C:\Jmw1DA.tmp\VIDEO_TS\VTS_03_1.VOB
C:\Jmw1DA.tmp\VIDEO_TS\VTS_04_0.BUP
C:\Jmw1DA.tmp\VIDEO_TS\VTS_04_0.IFO
C:\Jmw1DA.tmp\VIDEO_TS\VTS_04_1.VOB
C:\Jmw1DA.tmp\VIDEO_TS\VTS_05_0.BUP
C:\Jmw1DA.tmp\VIDEO_TS\VTS_05_0.IFO
C:\Jmw1DA.tmp\VIDEO_TS\VTS_05_1.VOB
C:\Jmw1DA.tmp\VIDEO_TS\VTS_06_0.BUP
C:\Jmw1DA.tmp\VIDEO_TS\VTS_06_0.IFO
C:\Jmw1DA.tmp\VIDEO_TS\VTS_06_1.VOB
C:\Jmw1DA.tmp\VIDEO_TS\VTS_07_0.BUP
C:\Jmw1DA.tmp\VIDEO_TS\VTS_07_0.IFO
C:\Jmw1DA.tmp\VIDEO_TS\VTS_07_1.VOB
C:\Jmw1DA.tmp\VIDEO_TS\VTS_08_0.BUP
C:\Jmw1DA.tmp\VIDEO_TS\VTS_08_0.IFO
C:\Jmw1DA.tmp\VIDEO_TS\VTS_08_1.VOB
C:\Jmw1DA.tmp\VIDEO_TS\VTS_09_0.BUP
C:\Jmw1DA.tmp\VIDEO_TS\VTS_09_0.IFO
C:\Jmw1DA.tmp\VIDEO_TS\VTS_09_1.VOB
C:\WINDOWS\system32\aluqxkvu.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_0296571206871741MCINSTCLEANUP
-------\Legacy_TCCRYSTALCPUINFO
-------\Service_0296571206871741mcinstcleanup
-------\Service_TCCrystalCpuInfo


((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-30 00:29 . 2008-03-30 18:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-30 00:29 . 2008-03-30 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 19:02 . 2008-03-29 19:02 <DIR> d-------- C:\Deckard
2008-03-29 18:32 . 2008-03-29 18:32 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-29 18:24 . 2008-03-29 18:44 <DIR> d-------- C:\SDFix
2008-03-27 21:47 . 2008-03-27 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-20 21:46 . 2008-03-29 10:04 <DIR> d-------- C:\Program Files\PopCap Games
2008-03-20 21:46 . 2008-03-21 17:19 20 --a------ C:\WINDOWS\popcinfot.dat
2008-03-20 21:46 . 2008-03-20 21:46 0 --a------ C:\WINDOWS\popcreg.dat
2008-03-05 12:23 . 2008-03-05 12:23 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-29 15:03 . 2008-02-29 15:03 <DIR> d-------- C:\Program Files\iPod
2008-02-29 15:03 . 2008-03-30 18:47 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-29 15:03 . 2008-02-29 15:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-29 15:01 . 2008-02-29 15:02 <DIR> d-------- C:\Program Files\QuickTime
2008-02-21 03:05 . 2008-02-21 03:05 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-02-21 03:05 . 2008-02-21 03:05 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-02-21 03:05 . 2008-02-21 03:05 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-02-21 03:05 . 2008-02-21 03:05 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-02-21 03:05 . 2008-02-21 03:05 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-02-21 03:03 . 2008-02-21 03:03 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-02-21 03:03 . 2008-02-21 03:03 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-02-21 03:03 . 2008-02-21 03:03 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-02-21 03:03 . 2008-02-21 03:03 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-02-18 18:13 . 2008-02-18 18:19 <DIR> d-------- C:\Documents and Settings\JOhn\Application Data\Uniblue
2008-02-13 18:50 . 2008-02-13 18:50 <DIR> d-------- C:\Program Files\uTorrent
2008-02-13 18:50 . 2008-03-01 00:34 <DIR> d-------- C:\Documents and Settings\JOhn\Application Data\uTorrent
2008-02-11 00:25 . 2008-02-11 00:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2008-02-10 18:29 . 2008-02-10 18:30 <DIR> d-------- C:\Program Files\Last.fm
2008-02-01 00:13 . 2008-02-01 00:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-02-01 00:13 . 2008-02-01 00:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 10:01 --------- d-----w C:\Program Files\DivX
2008-03-29 09:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-03-29 08:59 --------- d-----w C:\Program Files\McAfee
2008-03-13 12:03 --------- d-----w C:\Program Files\Java
2008-02-29 14:03 --------- d-----w C:\Program Files\iTunes
2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-02-21 02:04 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-02-21 02:04 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-02-21 02:04 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-02-21 02:04 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-02-21 02:04 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-02-21 02:04 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-02-21 02:04 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-02-21 02:04 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-02-05 08:31 --------- d-----w C:\Documents and Settings\JOhn\Application Data\Nokia Multimedia Player
2008-01-04 15:18 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-01-04 15:18 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-09 14:12 20,928 ---ha-w C:\Program Files\fury3.GID
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-12-04 18:38 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-12-04 18:38 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
1995-08-23 00:00 645,120 ----a-w C:\Program Files\FURY3.EXE
1995-08-23 00:00 328,810 ----a-w C:\Program Files\FURY3.HLP
1995-08-23 00:00 31,891 ----a-w C:\Program Files\README.TXT
.

((((((((((((((((((((((((((((( snapshot@2008-03-30_18.15.26.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-30 10:07:28 58,800 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-30 17:17:02 58,800 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-30 10:07:28 392,626 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-30 17:17:02 392,626 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 18:35 1294336]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"ABIT uGuruIII"="C:\Program Files\ABIT\uGuru\uGuru.exe" [2006-07-24 14:21 417792]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 11:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-29 08:17 1836544]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 15:21 16384000 C:\WINDOWS\RTHDCPL.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [ ]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 08:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2006-05-16 17:35 147456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 18:35 1294336]

C:\Documents and Settings\JOhn\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-02-10 18:30:00 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Cyberlink\\PowerCinema\\PowerCinema.exe"=
"C:\\Program Files\\Cyberlink\\PowerCinema\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R0 UGURU;UGURU;C:\WINDOWS\system32\drivers\uGuru.sys [2006-05-03 14:46]
S3 Memctl;Memctl;C:\Program Files\ABIT\FlashMenu\Memctl.sys [2001-11-29 20:49]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 19:55:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-02-21 16:28:46 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-02-21 16:28:45 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-03-29 17:13:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-02-18 17:13:18 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 18:48:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
.
**************************************************************************
.
Completion time: 2008-03-30 18:50:00 - machine was rebooted [JOhn]
ComboFix-quarantined-files.txt 2008-03-30 17:49:57
ComboFix2.txt 2008-03-30 17:15:40
Pre-Run: 14,092,513,280 bytes free
Post-Run: 14,077,403,136 bytes free
.
2008-03-12 23:41:48 --- E O F ---





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:51:34, on 30/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\CyberLink\PowerCinema\PCMService.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\ABIT\uGuru\uGuru.exe
C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
C:\Program Files\Last.fm\LastFMHelper.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclMSBTSrv.exe
C:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\CyberLink\PowerCinema\PCMService.exe"
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [Nokia.PCSync] "C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" /NoDialog
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ABIT uGuruIII] C:\Program Files\ABIT\uGuru\uGuru.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Last.fm Helper.lnk = C:\Program Files\Last.fm\LastFMHelper.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart16.exe
O4 - Global Startup: TV Schedule Tray.lnk = C:\Program Files\Club 3D\ZAP-TV1101\yTvTray.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1172059411531
O16 - DPF: {8ACDC08B-DC64-4613-97F2-299B65F66E1D} (DigiMeldOcx Control) - http://www.digimeld.com/download/digimeldOcx.CAB
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - C:\Program Files\CyberLink\PowerCinema\Kernel\TV\CLSched.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\PowerCinema\Kernel\CLML_NTService\CLMLServer.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\Cyberlink\Shared Files\RichVideo.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9597 bytes
John mac is offline  
30-03-2008, 19:58   #8
 
Join Date: Feb 2007
Posts: 1,963
Looking good

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan. Check all the boxes and click Start Scan
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


Also tell me how your PC is running
ActorSeeksJob is offline  
30-03-2008, 20:52   #9
 
Join Date: Jan 2008
Posts: 332
Quote:
Originally Posted by masterwriter

Sorry, I did not realise the above link was to Spyhunter.Avoid. See

http://www.spywarewarrior.com/rogue_...re.htm#sh_note
masterwriter is offline  
30-03-2008, 22:14   #10
John mac
Registered User
Join Date: Aug 2001
Posts: 4,605

Here you go.
PC seems to be running better (BBC pages load a lot quicker).
Only 2nd virus ever. Not bad for 13 years on the net!
Won't try looking for stuff for free any more. All my own fault....
Thanks for the help.



Malwarebytes' Anti-Malware 1.09
Database version: 569

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|K:\|L:\|)
Objects scanned: 214231
Time elapsed: 1 hour(s), 30 minute(s), 36 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Typelib\{50ccd00a-66b6-4d95-aaef-8ee959498f92} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\stfngdvw.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
John mac is offline  
30-03-2008, 22:22   #11
 
Join Date: Feb 2007
Posts: 1,963
Your logs are clean! We need to do a few things.

Now let's uninstall ComboFix:
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK
The above procedure will do the following:
  1. Delete ComboFix and its associated files and folders.
  2. Delete VundoFix backups, if present
  3. Delete the C:\Deckard folder, if present
  4. Delete the C:\_OtMoveIt folder, if present
  5. Reset the clock settings.
  6. Hide file extensions, if required.
  7. Hide System/Hidden files, if required.
  8. Reset System Restore.



Below I have included a number of recommendations for how to protect your computer against malware infections.

* Keep Windows updated by regularly checking their website at :
http://windowsupdate.microsoft.com/
This will ensure your computer always has the latest available security updates installed.

* To reduce re-infection by malware in the future, I strongly recommend installing these free programs:
SpywareBlaster protects against bad ActiveX
IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all
Have a look at this tutorial for IE-Spyad here

* SpywareGuard offers realtime protection from spyware installation attempts.

Make Internet Explorer more secure
  • Click Start > Run
  • Type Inetcpl.cpl & click OK
  • Click on the Security tab
  • Click Reset all zones to default level
  • Make sure the Internet Zone is selected & Click Custom level
  • In the ActiveX section, set the first two options ("Download signed and unsigned ActiveX controls") to "Prompt", and ("Initialize and Script ActiveX controls not marked as safe") to "Disable".
  • Next Click OK, then Apply button and then OK to exit the Internet Properties page.

* MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites and other bad sites. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer, meaning it will be difficult to infect yourself in the future.

* Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in pop up blocker (as an added benefit!) that I have ever seen. If you are interested, Firefox may be downloaded from
Here

* Take a good look at the following suggestions for malware prevention by reading Tony Klein’s article 'How Did I Get Infected In The First Place'
Here

Thank you for your patience, and performing all of the procedures requested.
ActorSeeksJob is offline  
30-03-2008, 23:12   #12
John mac
Registered User
Join Date: Aug 2001
Posts: 4,605
It ran ComboFix again; here is the result.

(I did notice that the volume control that I have in the task bar was missing.)

It's back now though.

PS: I rebooted prior to the last instruction (is me bad?)


I know how I got infected.... trying to get something for free.......


ComboFix 08-03-30.2 - JOhn 2008-03-30 22:58:44.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1391 [GMT 1:00]
Running from: C:\Documents and Settings\JOhn\Desktop\removal of virus\ComboFix.exe
Command switches used :: / u
* Resident AV is active


WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-02-28 to 2008-03-30 )))))))))))))))))))))))))))))))
.

2008-03-30 20:26 . 2008-03-30 20:26 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-30 20:26 . 2008-03-30 20:26 <DIR> d-------- C:\Documents and Settings\JOhn\Application Data\Malwarebytes
2008-03-30 20:26 . 2008-03-30 20:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-30 00:29 . 2008-03-30 18:00 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-30 00:29 . 2008-03-30 18:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-29 19:02 . 2008-03-29 19:02 <DIR> d-------- C:\Deckard
2008-03-29 18:32 . 2008-03-29 18:32 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-29 18:24 . 2008-03-29 18:44 <DIR> d-------- C:\SDFix
2008-03-27 21:47 . 2008-03-27 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2008-03-20 21:46 . 2008-03-29 10:04 <DIR> d-------- C:\Program Files\PopCap Games
2008-03-20 21:46 . 2008-03-21 17:19 20 --a------ C:\WINDOWS\popcinfot.dat
2008-03-20 21:46 . 2008-03-20 21:46 0 --a------ C:\WINDOWS\popcreg.dat
2008-03-05 12:23 . 2008-03-05 12:23 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-02-29 15:03 . 2008-02-29 15:03 <DIR> d-------- C:\Program Files\iPod
2008-02-29 15:03 . 2008-03-30 22:19 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-02-29 15:03 . 2008-02-29 15:03 1,409 --a------ C:\WINDOWS\QTFont.for
2008-02-29 15:01 . 2008-02-29 15:02 <DIR> d-------- C:\Program Files\QuickTime
2008-02-21 03:05 . 2008-02-21 03:05 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-02-21 03:05 . 2008-02-21 03:05 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-02-21 03:05 . 2008-02-21 03:05 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-02-21 03:05 . 2008-02-21 03:05 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-02-21 03:05 . 2008-02-21 03:05 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-02-21 03:03 . 2008-02-21 03:03 630,784 --a------ C:\WINDOWS\system32\divxdec.ax
2008-02-21 03:03 . 2008-02-21 03:03 352,401 --a------ C:\WINDOWS\system32\DivXMedia.ax
2008-02-21 03:03 . 2008-02-21 03:03 156,992 --a------ C:\WINDOWS\system32\DivXCodecVersionChecker.exe
2008-02-21 03:03 . 2008-02-21 03:03 12,288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2008-02-18 18:13 . 2008-02-18 18:19 <DIR> d-------- C:\Documents and Settings\JOhn\Application Data\Uniblue
2008-02-13 18:50 . 2008-02-13 18:50 <DIR> d-------- C:\Program Files\uTorrent
2008-02-13 18:50 . 2008-03-01 00:34 <DIR> d-------- C:\Documents and Settings\JOhn\Application Data\uTorrent
2008-02-11 00:25 . 2008-02-11 00:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Last.fm
2008-02-10 18:29 . 2008-02-10 18:30 <DIR> d-------- C:\Program Files\Last.fm
2008-02-01 00:13 . 2008-02-01 00:13 90,112 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2008-02-01 00:13 . 2008-02-01 00:13 57,344 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-29 10:01 --------- d-----w C:\Program Files\DivX
2008-03-29 09:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-03-29 08:59 --------- d-----w C:\Program Files\McAfee
2008-03-13 12:03 --------- d-----w C:\Program Files\Java
2008-02-29 14:03 --------- d-----w C:\Program Files\iTunes
2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2008-02-21 02:04 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2008-02-21 02:04 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2008-02-21 02:04 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2008-02-21 02:04 682,496 ----a-w C:\WINDOWS\system32\DivX.dll
2008-02-21 02:04 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2008-02-21 02:04 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2008-02-21 02:04 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2008-02-21 02:04 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2008-02-21 02:04 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2008-02-21 02:04 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2008-02-05 08:31 --------- d-----w C:\Documents and Settings\JOhn\Application Data\Nokia Multimedia Player
2008-01-04 15:18 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2008-01-04 15:18 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-12-09 14:12 20,928 ---ha-w C:\Program Files\fury3.GID
2007-12-07 02:21 824,832 ----a-w C:\WINDOWS\system32\wininet.dll
2007-12-04 18:38 550,912 ----a-w C:\WINDOWS\system32\oleaut32.dll
2007-12-04 18:38 129,784 ------w C:\WINDOWS\system32\pxafs.dll
2007-12-04 18:38 120,056 ------w C:\WINDOWS\system32\pxcpyi64.exe
2007-12-04 18:38 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe
1995-08-23 00:00 645,120 ----a-w C:\Program Files\FURY3.EXE
1995-08-23 00:00 328,810 ----a-w C:\Program Files\FURY3.HLP
1995-08-23 00:00 31,891 ----a-w C:\Program Files\README.TXT
.

((((((((((((((((((((((((((((( snapshot@2008-03-30_18.15.26.75 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-30 14:52:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-30 19:13:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-30 14:52:10 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-30 19:13:57 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-30 19:13:57 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-30 10:07:28 58,800 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-30 21:23:48 58,800 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-30 10:07:28 392,626 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-30 21:23:48 392,626 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 18:35 1294336]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:56 15360]
"ABIT uGuruIII"="C:\Program Files\ABIT\uGuru\uGuru.exe" [2006-07-24 14:21 417792]
"PC Suite Tray"="C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 11:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-07-29 08:17 1836544]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 15:21 16384000 C:\WINDOWS\RTHDCPL.exe]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [ ]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 08:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 21:24 32768]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"PCMService"="C:\Program Files\CyberLink\PowerCinema\PCMService.exe" [2006-05-16 17:35 147456]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 08:56 15360]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2007-11-07 18:35 1294336]

C:\Documents and Settings\JOhn\Start Menu\Programs\Startup\
Last.fm Helper.lnk - C:\Program Files\Last.fm\LastFMHelper.exe [2008-02-10 18:30:00 106496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\Cyberlink\\PowerCinema\\PowerCinema.exe"=
"C:\\Program Files\\Cyberlink\\PowerCinema\\PCMService.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=

R0 UGURU;UGURU;C:\WINDOWS\system32\drivers\uGuru.sys [2006-05-03 14:46]
S3 Memctl;Memctl;C:\Program Files\ABIT\FlashMenu\Memctl.sys [2001-11-29 20:49]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-25 19:55:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-02-21 16:28:46 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2007-02-21 16:28:45 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
"2008-03-29 17:13:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-02-18 17:13:18 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-30 23:01:14
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-30 23:01:43
ComboFix-quarantined-files.txt 2008-03-30 22:01:35
ComboFix2.txt 2008-03-30 17:50:01
ComboFix3.txt 2008-03-30 17:15:40
Pre-Run: 14,081,454,080 bytes free
Post-Run: 14,066,540,544 bytes free
.
2008-03-12 23:41:48 --- E O F ---

Last edited by John mac; 30-03-2008 at 23:15. Reason: reason for infection!
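An added example, not code from the thread or from ComboFix: a small Python triage pass over the "Reg Loading Points" section of a ComboFix log like the one John mac posted, the kind of check a helper does by eye. It assumes that an empty stamp `[ ]` after a Run entry means ComboFix found no file to stamp, and flags that, any non-empty AppInit_DLLs value, and Security Center DisableMonitoring overrides (normal when a third-party suite registers itself, but worth confirming); the sample lines are copied from the log above.

```python
import re
from typing import Dict, List

# Constructed sample: lines copied from the 'Reg Loading Points' section of the log above.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [ ]
"RTHDCPL"="RTHDCPL.EXE" [2007-08-10 15:21 16384000 C:\WINDOWS\RTHDCPL.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')
# A Run entry ends with a bracketed stamp; an empty "[ ]" is taken to mean ComboFix
# had no file to stamp (assumption made for this example).
STAMP_RE = re.compile(r'^"?(?P<path>[^"\[]+?)"?\s*\[(?P<stamp>[^\]]*)\]$')


def triage(log_text: str) -> List[Dict[str, str]]:
    """Walk the registry-style sections and return entries worth a second look."""
    findings: List[Dict[str, str]] = []
    key = ""
    for line in log_text.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            key = m.group("key")          # remember which hive/key we are inside
            continue
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        name, data = m.group("name"), m.group("data")
        low_key = key.lower()
        if low_key.endswith(r"currentversion\run"):
            s = STAMP_RE.match(data)
            if s and not s.group("stamp").strip():
                findings.append({"key": key, "name": name,
                                 "reason": "Run entry points at a file ComboFix could not stamp (missing or hidden)"})
        elif name.lower() == "appinit_dlls" and data.strip():
            findings.append({"key": key, "name": name,
                             "reason": f"AppInit_DLLs loads {data.strip()} into every process that loads user32.dll"})
        elif r"security center\monitoring" in low_key and name.lower() == "disablemonitoring" and data.endswith("1"):
            findings.append({"key": key, "name": name,
                             "reason": "Security Center monitoring disabled; confirm it matches the installed AV/firewall"})
    return findings
```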
30-03-2008, 23:27   #13
ActorSeeksJob
Strange, that shouldn't have happened.

Follow the rest of the steps in my previous post and tell me how they go.

Also do this:

Delete ComboFix.exe and the folders C:\qoobox and C:\ComboFix

Now we need to create a new System Restore point.

Click Start Menu > Run > type (or copy and paste)

%SystemRoot%\System32\restore\rstrui.exe

Press OK. Choose Create a Restore Point, then click Next. Name it and click Create; when the confirmation screen shows the restore point has been created, click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created.

To close Disk Cleanup and remove the Temporary Internet Files detected in the initial scan, click OK, then choose Yes on the confirmation window.
31-03-2008, 00:14   #14
John mac
OK, that's done (missis on to me to go to bed!)
Any more?
31-03-2008, 00:32   #15
ActorSeeksJob
Nope, that is it.

Your PC is clean, all remains of the trojan are gone.

Enjoy your sleep, I am off as well.