timeshock!

Storageprotector.com malware help please (resolved)


I posted in the help forum and was advised to put the HijackThis log on here. I followed some previous post advice and edited some processes, deleting CRSS.exe, CBABB.exe and CRSi.EXE (I think). This seems to have solved most of the problems, but the registry is coming up with an error on start-up looking for two entries of CBABB.exe which I cannot locate. Below is my original post followed by the log file.

 

Hi there, hope you can help because I have reached the end.

I got interrupted on Saturday at home and left my computer unattended, connected to the net. When I got back a piece of software had installed itself, bypassing and disabling my anti-virus software AVG, disabling GoBack, and resetting Windows System Restore to after the program got hold of the computer.

 

The software gives information pop-ups informing me of serious errors and also bubble information in the bottom right-hand side of the screen. Two desktop icons have appeared: the official Windows Update icon and the green tick icon for Help and Support. If these are clicked they open Windows Explorer and take me to www.storageprotector .com to buy this bogus software to fix bogus problems. If they are deleted they instantly reappear. I am running Windows XP SP2.

 

I have searched and searched the net; a lot of the same information comes up and is either wrong, unhelpful or, worse, takes you back to the Storage Protector web site.

 

I have run Ad-Aware, Spybot and Trend live scan; they have not identified Storage Protector and have not fixed the machine. This is a nasty piece of work.

 

Some manual fixes on the net identify software to be removed and registry items to be deleted however neither the programs nor entries exist on my machine.

 

 

Grateful for any help

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 21:03:14, on 16/01/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\PC Beginner Windows Tools 2007\FolderProtectService.exe

C:\Program Files\PC Beginner Windows Tools 2007\FolderProtect.exe

C:\Program Files\NETGEAR\Media Server\ImmsService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Wanadoo

F3 - REG:win.ini: load=C:\WINDOWS\system32\cbaab.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Google Module - {28C703D0-B4A9-4b2f-9123-CE8294761861} - halifax1.dll (file missing)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)

O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab

O16 - DPF: {54D53429-945C-4188-B460-C81356541882} (SaveImageFiles Class) - http://eshare.hpphoto.com/Download/HPeServicesLocalPrint.CAB

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124137546222

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.tynebridgewebcam.co.uk/camimage...sCamControl.ocx

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:f...red:/asinst.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326

O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8448B8C7-6D38-4E3B-802A-D3996171F84D}: NameServer = 192.168.2.1

O20 - Winlogon Notify: hzsqmoaa - hzsqmoaa.dll (file missing)

O20 - Winlogon Notify: qomnljg - qomnljg.dll (file missing)

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\PC Beginner Windows Tools 2007\FolderProtectService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Integrated Multimedia Server - Unknown owner - C:\Program Files\NETGEAR\Media Server\ImmsService.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\Win32\RpcDataSrv.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\RpcSandraSrv.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 8685 bytes

 

 

Cheers


You're in luck, I was just passing.

 

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

 

F3 - REG:win.ini: load=C:\WINDOWS\system32\cbaab.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O2 - BHO: Google Module - {28C703D0-B4A9-4b2f-9123-CE8294761861} - halifax1.dll (file missing)

O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - (no file)

O20 - Winlogon Notify: hzsqmoaa - hzsqmoaa.dll (file missing)

O20 - Winlogon Notify: qomnljg - qomnljg.dll (file missing)

 

 

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

 

THEN

 

Please download OTMoveIt2 by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt2.exe to run it.
  • Copy the file path below to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\cbaab.exe

  • Return to OTMoveIt2, right-click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt2.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.

 

FINALLY FOR NOW

 

Download ComboFix from Here or Here to your Desktop.

  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

 

Logs required : Combofix and OTMoveit

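The entries the helper ticks above are the classic HijackThis triage signals: a win.ini `load=` autostart, BHOs and Winlogon Notify registrations whose file is gone, and anything that loads inside winlogon.exe. As an added illustration (not code from the thread, from HijackThis or from the helper), the following Python applies those rules to constructed sample lines written in the same log format; the `WgaLogon` line and the "fix"/"review" severity labels are assumptions of the example, not something the thread states.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 log format. Most lines are modelled on the
# entries quoted in this thread; the WgaLogon line is an invented "clean" O20
# entry (an assumption of this example) so that the review rule has a match.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\cbaab.exe
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Module - {28C703D0-B4A9-4b2f-9123-CE8294761861} - halifax1.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: hzsqmoaa - hzsqmoaa.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
"""

# Every HijackThis entry starts with a section code (R0, F3, O2, O20, ...) and " - ".
HJT_LINE = re.compile(r"^(?P<code>[FNOR]\d{1,2}) - (?P<body>.+)$")
# HijackThis marks a registered component whose file is gone with one of these.
ORPHAN = re.compile(r"\((?:no file|file missing)\)\s*$")


@dataclass
class Finding:
    code: str      # HijackThis section, e.g. "O2"
    severity: str  # "fix" = clear Fix Checked candidate, "review" = look closer
    reason: str
    line: str


def parse_line(line):
    """Return (section_code, body) for a HijackThis entry, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    return m.group("code"), m.group("body")


def triage_line(line):
    """Apply the triage rules to one log line; None means nothing to flag."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    code, body = parsed
    clean = line.strip()
    # win.ini load=/run= is a Windows 3.x-era autostart; legitimate modern
    # software does not use it, so anything here deserves removal.
    if code == "F3" and "win.ini" in body and ("load=" in body or "run=" in body):
        return Finding(code, "fix", "legacy win.ini autostart", clean)
    # The registration survives even though the file was deleted; the stale
    # entry still runs at start-up (or errors, as the poster saw) and is safe to remove.
    if ORPHAN.search(body):
        return Finding(code, "fix", "orphaned entry: registered file no longer exists", clean)
    # Winlogon Notify DLLs load inside winlogon.exe with SYSTEM rights, so even an
    # entry whose file exists should be checked against a known vendor.
    if code == "O20":
        return Finding(code, "review", "Winlogon Notify DLL loads inside winlogon.exe", clean)
    return None


def triage(log_text):
    """Run triage over a whole HijackThis log and return the findings in order."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def summarise(findings):
    """Count findings per severity, e.g. {'fix': 4, 'review': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.severity:6}] {f.code:<4} {f.reason}\n         {f.line}")
    print(summarise(results))
```

On the sample this flags the win.ini entry, the two orphaned BHOs and the missing hzsqmoaa.dll as "fix", and the WgaLogon entry as "review", while leaving the Adobe BHO, the AVG Run entry and the AVG service alone, which is the same split the helper made by hand.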

This is very frustrating. I have completed the first part but the link will not open, and when I try alternative routes through Google I am similarly 'blocked'. I have no software firewall set, but whether it is the infestation doing this I am unsure. Incidentally, when returning to familiar sites my settings and login are not remembered, as if the cookies have been affected. If you can help further that would be good; in the meantime I shall continue to try to download that file from somewhere.

 

Cheers


OK, managed to download the programs.

OTMoveIt2 was unable to find CBAAB.exe, so here are the requested logs.

 

Thanks for looking at it

 

ComboFix 08-01-17.1 - Default 2008-01-16 22:17:44.1 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.481 [GMT 0:00]

Running from: C:\Documents and Settings\Default\Desktop\ComboFix.exe

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\Documents and Settings\Default\Application Data\SpyGuardPro

C:\Documents and Settings\Default\Application Data\SpyGuardPro\Logs\threats.log

C:\Documents and Settings\Default\Application Data\SpyGuardPro\Logs\update.log

C:\Documents and Settings\Default\Application Data\SpyGuardPro\PGE.dat

C:\Program Files\SpyGuardPro

C:\Program Files\SpyGuardPro\al.dat

C:\Program Files\SpyGuardPro\Config\pgs.xml

C:\Program Files\SpyGuardPro\Dat\Activate.dat

C:\Program Files\SpyGuardPro\Dat\BkSites.dat

C:\Program Files\SpyGuardPro\Dat\bnlink.dat

C:\Program Files\SpyGuardPro\Dat\cd.dat

C:\Program Files\SpyGuardPro\Dat\incmp.dat

C:\Program Files\SpyGuardPro\Dat\index.dat

C:\Program Files\SpyGuardPro\Dat\PGUpLst.dat

C:\Program Files\SpyGuardPro\Dat\pv.dat

C:\Program Files\SpyGuardPro\Engines\AWBase\database\enemies.dat

C:\Program Files\SpyGuardPro\Engines\AWBase\vbpv.dat

C:\Program Files\SpyGuardPro\Engines\PGBase\vbpv.dat

C:\Program Files\SpyGuardPro\Engines\plugins\vbpv.dat

C:\Program Files\SpyGuardPro\FWSettings.bin

C:\Program Files\SpyGuardPro\Graphics\cross.gif

C:\Program Files\SpyGuardPro\Graphics\ga6p.gif

C:\Program Files\SpyGuardPro\Graphics\kb.url

C:\Program Files\SpyGuardPro\Graphics\Online.url

C:\Program Files\SpyGuardPro\Graphics\rm.url

C:\Program Files\SpyGuardPro\Graphics\Support.url

C:\Program Files\SpyGuardPro\history.db

C:\Program Files\SpyGuardPro\LA\lapv.dat

C:\Program Files\SpyGuardPro\LA\License.rtf

C:\Program Files\SpyGuardPro\main.log

C:\Program Files\SpyGuardPro\ResErrors.log

C:\Program Files\SpyGuardPro\sr.log

C:\Program Files\SpyGuardPro\unins000.dat

C:\Program Files\SpyGuardPro\Up\ASupdater.dat

C:\Program Files\SpyGuardPro\Up\PGupdater.dat

C:\Program Files\SpyGuardPro\Up\UBupdater.dat

C:\Program Files\SpyGuardPro\Up\up.dat

C:\Program Files\SpyGuardPro\Up\updater.dat

C:\WINDOWS\Downloaded Program Files\UDC6_0001_D22M1709NetInstaller.exe

C:\WINDOWS\Downloaded Program Files\UGA6P_0001_N122M2210NetInstaller.exe

C:\WINDOWS\start.exe

C:\WINDOWS\SYSTEM32\baabc.ini

C:\WINDOWS\SYSTEM32\baabc.ini2

C:\WINDOWS\system32\conf.dat

C:\WINDOWS\system32\hzsqmoaa.dllbox

C:\WINDOWS\system32\mcrh.tmp

C:\WINDOWS\system32\pac.txt

 

.

((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))

.

 

2008-01-16 22:16 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-16 21:02 . 2008-01-16 21:02 <DIR> d-------- C:\Program Files\Trend Micro

2008-01-15 19:42 . 2008-01-15 19:42 <DIR> dr-h----- C:\$VAULT$.AVG

2008-01-15 18:38 . 2008-01-15 18:38 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7

2008-01-15 18:38 . 2008-01-15 18:39 <DIR> d-------- C:\Documents and Settings\Default\Application Data\AVG7

2008-01-15 18:38 . 2008-01-15 18:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2008-01-15 18:31 . 2008-01-15 18:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7

2008-01-15 16:56 . 2008-01-15 17:07 1,326 --a------ C:\WINDOWS\SYSTEM32\tmp.reg

2008-01-13 22:33 . 2008-01-13 22:33 <DIR> d-------- C:\Program Files\CleanMyPC

2008-01-13 22:33 . 2008-01-13 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP

2008-01-13 20:39 . 2008-01-13 20:39 <DIR> d-------- C:\kav

2008-01-13 19:59 . 2008-01-13 19:59 <DIR> d-------- C:\Program Files\XoftSpySE

2008-01-13 15:25 . 2008-01-13 15:25 <DIR> d-------- C:\Documents and Settings\Default\.housecall6.6

2008-01-13 12:02 . 2008-01-13 12:02 <DIR> d--hs---- C:\FOUND.038

2008-01-12 21:15 . 2008-01-12 21:15 1 --a------ C:\WINDOWS\SYSTEM32\rc.dat

2008-01-12 21:15 . 2008-01-12 21:15 1 --a------ C:\WINDOWS\SYSTEM32\ps1.dat

2008-01-12 21:15 . 2008-01-12 21:15 1 --a------ C:\WINDOWS\SYSTEM32\cs.dat

2008-01-12 21:12 . 2008-01-12 21:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\edcA01

2008-01-12 21:12 . 2008-01-12 21:12 <DIR> d-------- C:\temp\Ryuan1

2008-01-12 21:03 . 2008-01-12 21:03 53,248 --a------ C:\WINDOWS\SYSTEM32\halifax1.dll

2007-12-26 23:53 . 2007-12-26 23:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\AIM

2007-12-26 23:53 . 1997-06-23 09:06 330,000 --a------ C:\WINDOWS\SYSTEM32\MSEXCH35.DLL

2007-12-26 23:53 . 1997-06-23 09:06 250,128 --a------ C:\WINDOWS\SYSTEM32\MSPDOX35.DLL

2007-12-26 23:53 . 1997-06-23 09:06 166,160 --a------ C:\WINDOWS\SYSTEM32\MSLTUS35.DLL

2007-12-26 23:30 . 2007-12-26 23:30 <DIR> d-------- C:\Program Files\Maris Technologies

2007-12-26 18:15 . 2007-12-26 18:15 <DIR> d--hs---- C:\FOUND.037

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-24 21:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\MotiveSysIDs

2007-11-24 20:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive

2007-11-24 20:22 --------- d-----w C:\Program Files\Common Files\Motive

2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jscript.dll

2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll

2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\dllcache\lsasrv.dll

2007-10-30 21:52 1,430,048 ----a-w C:\WINDOWS\SYSTEM32\AutoPartNt.exe

2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys

2007-10-30 10:16 3,058,688 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll

2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll

2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll

2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll

2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wmasf.dll

2007-10-26 03:36 8,454,656 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shell32.dll

2007-08-29 11:16 124,184 ----a-w C:\Documents and Settings\Default\Application Data\GDIPFONTCACHEV1.DAT

2007-03-19 22:43 560 ----a-w C:\Documents and Settings\Default\DMOrganizer.dat

2006-12-20 21:33 37,744,640 ----a-w C:\Program Files\ppm8per_recovery_cd_8000061724_en.iso

2001-07-01 20:43 266 --sha-w C:\Program Files\desktop.ini

2001-07-01 20:43 11,079 ---ha-w C:\Program Files\folder.htt

2005-04-04 20:39 61 --sha-w C:\WINDOWS\cnerolf.dat

.

----a-w		   219,136 2008-01-15 17:12:08  C:\Program Files\Grisoft\AVG7\avgw .exe
----a-w		   579,072 2008-01-15 17:10:54  C:\Program Files\Grisoft\AVG7\avgcc .exe

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect0]

@={D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect1]

@={8A814C29-D3CD-4F9E-9770-DF8704503ACA}

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]

@={7D688A77-C613-11D0-999B-00C04FD655E1}

 

[HKEY_CLASSES_ROOT\CLSID\{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}]

2006-12-20 14:23 57344 --a------ C:\Program Files\PC Beginner Windows Tools 2007\FolderProtectShellExtension.dll

 

[HKEY_CLASSES_ROOT\CLSID\{8A814C29-D3CD-4F9E-9770-DF8704503ACA}]

2006-12-20 14:23 57344 --a------ C:\Program Files\PC Beginner Windows Tools 2007\FolderProtectShellExtension.dll

 

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]

2007-10-26 03:36 8454656 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SystemTray"="SysTray.Exe" [2001-08-23 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-16 18:51 579072]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-15 18:38 219136]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^12Ghosts Synchronize.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\12Ghosts Synchronize.lnk

backup=C:\WINDOWS\pss\12Ghosts Synchronize.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin 802.11g Wireless PCI Card Configuration Utility.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin 802.11g Wireless PCI Card Configuration Utility.lnk

backup=C:\WINDOWS\pss\Belkin 802.11g Wireless PCI Card Configuration Utility.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR Media Server.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR Media Server.lnk

backup=C:\WINDOWS\pss\NETGEAR Media Server.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk

backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SecureDoc.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SecureDoc.lnk

backup=C:\WINDOWS\pss\SecureDoc.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]

--a------ 2007-06-14 17:43 149024 C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]

--a------ 2007-06-14 17:52 1945712 C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]

--a------ 2005-11-15 12:12 473928 C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

--a------ 2002-12-10 00:19 188416 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]

--a------ 2001-11-29 01:00 28672 C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

C:\WINDOWS\system32\dumprep 0 -k

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

C:\WINDOWS\system32\cbaab.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxBlastMonitor.exe]

--a------ 2007-06-14 17:39 1169720 C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2004-10-13 16:24 1694208 C:\Program Files\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2006-06-03 21:54 282624 C:\Program Files\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

--a------ 2007-06-17 21:37 214560 C:\Program Files\Real\RealPlayer\RealPlay.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search and Recover Disk Image Service]

C:\Program Files\iolo\Search and Recover 2\DiskImageService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]

--a------ 2004-01-26 11:38 866816 C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2006-10-12 03:10 49263 C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

--a------ 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]

--a------ 2002-07-02 17:56 24576 C:\WINDOWS\SYSTEM32\CTHELPER.EXE

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"msnmsgr"="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

"STManager"="C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b

"Spyware Doctor"="C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE

"EM_EXEC"=C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE

"WinampAgent"="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"

"InCD"=C:\Program Files\Ahead\InCD\InCD.exe

"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE

"Creative Launcher"=C:\Program Files\Creative\Launcher\CTLauncher.exe

"Disc Detector"=C:\Program Files\Creative\ShareDLL\CtNotify.exe

"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

"CloneCDTray"="C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"

"HPDJ Taskbar Utility"=C:\WINDOWS\SYSTEM\hpztsb05.exe

"SideWinderTrayV4"=C:\PROGRA~1\MICROS~4\GAMECO~1\COMMON\SWTRAYV4.EXE

"sp"=regedit -s C:\WINDOWS\sp.reg

"BELT"=C:\WINDOWS\BELT.exe

"CriticalUpdate"=C:\WINDOWS\SYSTEM32\WUCRTUPD.EXE -startup

"Norton CrashGuard Monitor"="C:\PROGRAM FILES\NORTON CRASHGUARD\CGMenu.EXE"

"CSAV_CheckViruses"=C:\PROGRA~1\COMMAN~1\COMMAN~1\VCHK.EXE

"untray"=C:\PROGRA~1\COMMAN~1\COMMAN~1\UNTRAY.EXE

"dvprpt"=C:\PROGRA~1\COMMAN~1\COMMAN~1\DVPRPT.EXE

"avtray"=C:\PROGRA~1\COMMAN~1\COMMAN~1\AVTRAY.EXE

"AVSchedScan"=C:\PROGRA~1\COMMAN~1\COMMAN~1\SCHSC9X.EXE

"NPROTECT"=C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE

"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime

"BTopenworld"="C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial

"LoadQM"=loadqm.exe

"msnappau"="c:\program files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"

"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]

"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

"Ad Rage"=d:\program files\adrage\adrage.exe

"McAfee Guardian"="C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU

"Symantec Core LC"=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

"Advanced Tools Check"=C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE

"Windows ServeAd"=C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVAD.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]

"SchedulingAgent"=mstask.exe

"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

"GoBack Polling Service"=C:\Program Files\Adaptec\GoBack\GBPoll.exe

"PCCIOMON.EXE"="C:\Program Files\Trend PC-cillin 7.5\PCCIOMON.EXE"

"avinit"=C:\PROGRA~1\COMMAN~1\COMMAN~1\AVINIT9X.EXE

"LoadDvpApi9x"=C:\PROGRA~1\COMMON~1\COMMAN~1\DVPAPI9X.EXE

 

R0 hotcore2;hotcore2;C:\WINDOWS\system32\drivers\hotcore2.sys [2006-10-02 10:39]

R2 cbxt3krn;YAMAHA CBX Driver;C:\WINDOWS\system32\drivers\cbxt3krn.sys [1999-09-15 08:05]

R2 FolderProtectService;FolderProtectService;C:\Program Files\PC Beginner Windows Tools 2007\FolderProtectService.exe [2006-12-16 13:18]

R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2004-12-26 23:00]

R3 FolderProtectDriver;FolderProtectDriver;C:\Program Files\PC Beginner Windows Tools 2007\FolderProtectDriver.sys [2006-12-12 15:25]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 12:10]

S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;C:\WINDOWS\system32\DRIVERS\SWUSBFLT.sys [2001-08-17 14:02]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]

RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MmoptPreferredAudioDevices]

rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,@0,SUSB\VID_0546&PID_3155&MI_02\2USB&VID_0546&PID_3155&INST_0

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]

"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]

"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]

rundll32.exeadvpack.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]

"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]

"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]

C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

.

Contents of the 'Scheduled Tasks' folder

"2007-10-21 01:00:04 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"

- C:\WINDOWS\DEFRAG.EXE

"2008-01-01 00:30:02 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"

- C:\WINDOWS\CLEANMGR.EXE

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-17 22:23:05

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-01-17 22:26:26 - machine was rebooted

 

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 22:38:08, on 17/01/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\PC Beginner Windows Tools 2007\FolderProtectService.exe

C:\Program Files\PC Beginner Windows Tools 2007\FolderProtect.exe

C:\Program Files\NETGEAR\Media Server\ImmsService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgw.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab

O16 - DPF: {54D53429-945C-4188-B460-C81356541882} (SaveImageFiles Class) - http://eshare.hpphoto.com/Download/HPeServicesLocalPrint.CAB

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124137546222

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.tynebridgewebcam.co.uk/camimage...sCamControl.ocx

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:filtered:/asinst.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326

O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8448B8C7-6D38-4E3B-802A-D3996171F84D}: NameServer = 192.168.2.1

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\PC Beginner Windows Tools 2007\FolderProtectService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Integrated Multimedia Server - Unknown owner - C:\Program Files\NETGEAR\Media Server\ImmsService.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\Win32\RpcDataSrv.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\RpcSandraSrv.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 8215 bytes

 

 

ComboFix-quarantined-files.txt 2008-01-17 22:26:22

.

2008-01-08 18:58:35 --- E O F ---


Further update: everything seems to be working, the computer boots up with no errors, and the forum and other sites are remembering me, so we will see if you find anything else that needs tweaking.

 

Thanks for your help. This problem must be affecting others; that is why I put the problem in the title, so it may help others in a search. Having helpful, knowledgeable folk like everyone on here is truly excellent.

 

thanks again


Still a bit to go, as AVG is infected. You may need to re-install it if this fix cannot clean it.

 

1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

 

File::

C:\WINDOWS\SYSTEM32\rc.dat

C:\WINDOWS\SYSTEM32\ps1.dat

C:\WINDOWS\SYSTEM32\cs.dat

C:\WINDOWS\SYSTEM32\edcA01

C:\WINDOWS\SYSTEM32\halifax1.dll

 

Folder::

C:\temp\Ryuan1

 

Renv::

<pre>

----a-w 219,136 2008-01-15 17:12:08 C:\Program Files\Grisoft\AVG7\avgw .exe

----a-w 579,072 2008-01-15 17:10:54 C:\Program Files\Grisoft\AVG7\avgcc .exe

</pre>

 

Registry::

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

 

 

3. Save the above as CFScript.txt

 

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

 

Posted Image

 

 

5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.


That seemed to go painlessly; here are the requested logs.

 

Cheers

 

ComboFix 08-01-17.1 - Default 2008-01-18 16:54:23.2 - FAT32x86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.435 [GMT 0:00]

Running from: C:\Documents and Settings\Default\Desktop\ComboFix.exe

Command switches used :: C:\Documents and Settings\Default\Desktop\cfscript.txt

* Created a new restore point

 

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

 

FILE

C:\WINDOWS\SYSTEM32\cs.dat

C:\WINDOWS\SYSTEM32\edcA01

C:\WINDOWS\SYSTEM32\halifax1.dll

C:\WINDOWS\SYSTEM32\ps1.dat

C:\WINDOWS\SYSTEM32\rc.dat

.

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

 

C:\temp\Ryuan1

C:\WINDOWS\SYSTEM32\cs.dat

C:\WINDOWS\SYSTEM32\halifax1.dll

C:\WINDOWS\SYSTEM32\ps1.dat

C:\WINDOWS\SYSTEM32\rc.dat

 

.

((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))

.

 

2008-01-16 22:16 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe

2008-01-16 21:02 . 2008-01-16 21:02 <DIR> d-------- C:\Program Files\Trend Micro

2008-01-15 19:42 . 2008-01-15 19:42 <DIR> dr-h----- C:\$VAULT$.AVG

2008-01-15 18:38 . 2008-01-15 18:38 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7

2008-01-15 18:38 . 2008-01-15 18:39 <DIR> d-------- C:\Documents and Settings\Default\Application Data\AVG7

2008-01-15 18:38 . 2008-01-15 18:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

2008-01-15 18:31 . 2008-01-15 18:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7

2008-01-15 16:56 . 2008-01-15 17:07 1,326 --a------ C:\WINDOWS\SYSTEM32\tmp.reg

2008-01-13 22:33 . 2008-01-13 22:33 <DIR> d-------- C:\Program Files\CleanMyPC

2008-01-13 22:33 . 2008-01-13 22:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP

2008-01-13 20:39 . 2008-01-13 20:39 <DIR> d-------- C:\kav

2008-01-13 19:59 . 2008-01-13 19:59 <DIR> d-------- C:\Program Files\XoftSpySE

2008-01-13 15:25 . 2008-01-13 15:25 <DIR> d-------- C:\Documents and Settings\Default\.housecall6.6

2008-01-13 12:02 . 2008-01-13 12:02 <DIR> d--hs---- C:\FOUND.038

2008-01-12 21:12 . 2008-01-12 21:12 <DIR> d-------- C:\WINDOWS\SYSTEM32\edcA01

2007-12-26 23:53 . 2007-12-26 23:53 <DIR> d-------- C:\WINDOWS\SYSTEM32\AIM

2007-12-26 23:53 . 1997-06-23 09:06 330,000 --a------ C:\WINDOWS\SYSTEM32\MSEXCH35.DLL

2007-12-26 23:53 . 1997-06-23 09:06 250,128 --a------ C:\WINDOWS\SYSTEM32\MSPDOX35.DLL

2007-12-26 23:53 . 1997-06-23 09:06 166,160 --a------ C:\WINDOWS\SYSTEM32\MSLTUS35.DLL

2007-12-26 23:30 . 2007-12-26 23:30 <DIR> d-------- C:\Program Files\Maris Technologies

2007-12-26 18:15 . 2007-12-26 18:15 <DIR> d--hs---- C:\FOUND.037

 

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2007-11-24 21:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\MotiveSysIDs

2007-11-24 20:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive

2007-11-24 20:22 --------- d-----w C:\Program Files\Common Files\Motive

2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\SYSTEM32\dllcache\jscript.dll

2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll

2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\dllcache\lsasrv.dll

2007-10-30 21:52 1,430,048 ----a-w C:\WINDOWS\SYSTEM32\AutoPartNt.exe

2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\SYSTEM32\dllcache\tcpip.sys

2007-10-30 10:16 3,058,688 ----a-w C:\WINDOWS\SYSTEM32\dllcache\mshtml.dll

2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\SYSTEM32\quartz.dll

2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\SYSTEM32\dllcache\quartz.dll

2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\wmasf.dll

2007-10-27 17:40 222,720 ----a-w C:\WINDOWS\SYSTEM32\dllcache\wmasf.dll

2007-10-26 03:36 8,454,656 ----a-w C:\WINDOWS\SYSTEM32\dllcache\shell32.dll

2007-08-29 11:16 124,184 ----a-w C:\Documents and Settings\Default\Application Data\GDIPFONTCACHEV1.DAT

2007-03-19 22:43 560 ----a-w C:\Documents and Settings\Default\DMOrganizer.dat

2006-12-20 21:33 37,744,640 ----a-w C:\Program Files\ppm8per_recovery_cd_8000061724_en.iso

2001-07-01 20:43 266 --sha-w C:\Program Files\desktop.ini

2001-07-01 20:43 11,079 ---ha-w C:\Program Files\folder.htt

2005-04-04 20:39 61 --sha-w C:\WINDOWS\cnerolf.dat

.

 

((((((((((((((((((((((((((((( snapshot@2008-01-17_22.25.28.35 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-01-16 22:17:24 2,072,576 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat

+ 2008-01-18 16:53:56 2,072,576 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\ntuser.dat

- 2008-01-16 22:17:24 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat

+ 2008-01-18 16:53:56 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat

- 2008-01-16 22:17:24 2,072,576 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat

+ 2008-01-18 16:53:56 2,072,576 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\ntuser.dat

- 2008-01-16 22:17:24 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

+ 2008-01-18 16:53:56 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

- 2008-01-16 22:17:24 7,450,624 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat

+ 2008-01-18 16:53:56 7,450,624 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat

- 2008-01-16 22:17:24 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat

+ 2008-01-18 16:53:58 245,760 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect0]

@={D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\FolderProtect1]

@={8A814C29-D3CD-4F9E-9770-DF8704503ACA}

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\SlowFile Icon Overlay]

@={7D688A77-C613-11D0-999B-00C04FD655E1}

 

[HKEY_CLASSES_ROOT\CLSID\{D7BC78F3-3624-455C-8C4B-9C77C3BFEE4E}]

2006-12-20 14:23 57344 --a------ C:\Program Files\PC Beginner Windows Tools 2007\FolderProtectShellExtension.dll

 

[HKEY_CLASSES_ROOT\CLSID\{8A814C29-D3CD-4F9E-9770-DF8704503ACA}]

2006-12-20 14:23 57344 --a------ C:\Program Files\PC Beginner Windows Tools 2007\FolderProtectShellExtension.dll

 

[HKEY_CLASSES_ROOT\CLSID\{7D688A77-C613-11D0-999B-00C04FD655E1}]

2007-10-26 03:36 8454656 --a------ C:\WINDOWS\SYSTEM32\SHELL32.DLL

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"SystemTray"="SysTray.Exe" [2001-08-23 12:00 3072 C:\WINDOWS\SYSTEM32\systray.exe]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-01-15 17:10 579072]

 

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-15 17:12 219136]

 

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

Authentication Packages REG_MULTI_SZ msv1_0 relog_ap

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^12Ghosts Synchronize.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\12Ghosts Synchronize.lnk

backup=C:\WINDOWS\pss\12Ghosts Synchronize.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Belkin 802.11g Wireless PCI Card Configuration Utility.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Belkin 802.11g Wireless PCI Card Configuration Utility.lnk

backup=C:\WINDOWS\pss\Belkin 802.11g Wireless PCI Card Configuration Utility.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk

backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^NETGEAR Media Server.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\NETGEAR Media Server.lnk

backup=C:\WINDOWS\pss\NETGEAR Media Server.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\RAMASST.lnk

backup=C:\WINDOWS\pss\RAMASST.lnkCommon Startup

 

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SecureDoc.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SecureDoc.lnk

backup=C:\WINDOWS\pss\SecureDoc.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acronis Scheduler2 Service]

--a------ 2007-06-14 17:43 149024 C:\Program Files\Common Files\Maxtor\Schedule2\schedhlp.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AcronisTimounterMonitor]

--a------ 2007-06-14 17:52 1945712 C:\Program Files\Maxtor\MaxBlast\TimounterMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]

--a------ 2005-11-15 12:12 473928 C:\Program Files\Microsoft AntiSpyware\gcasServ.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]

--a------ 2002-12-10 00:19 188416 C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

--a------ 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]

--a------ 2001-11-29 01:00 28672 C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

C:\WINDOWS\system32\dumprep 0 -k

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MaxBlastMonitor.exe]

--a------ 2007-06-14 17:39 1169720 C:\Program Files\Maxtor\MaxBlast\MaxBlastMonitor.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]

--a------ 2004-10-13 16:24 1694208 C:\Program Files\Messenger\msmsgs.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2006-06-03 21:54 282624 C:\Program Files\QuickTime\qttask.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]

--a------ 2007-06-17 21:37 214560 C:\Program Files\Real\RealPlayer\RealPlay.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Search and Recover Disk Image Service]

C:\Program Files\iolo\Search and Recover 2\DiskImageService.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpeedTouch USB Diagnostics]

--a------ 2004-01-26 11:38 866816 C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2006-10-12 03:10 49263 C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]

C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]

--a------ 2000-05-11 01:00 90112 C:\WINDOWS\UpdReg.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINDVDPatch]

--a------ 2002-07-02 17:56 24576 C:\WINDOWS\SYSTEM32\CTHELPER.EXE

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"msnmsgr"="C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background

"STManager"="C:\Program Files\SpeedTouch\Dr SpeedTouch\drst.exe" -b

"Spyware Doctor"="C:\PROGRAM FILES\SPYWARE DOCTOR\SWDOCTOR.EXE" /Q

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"StillImageMonitor"=C:\WINDOWS\SYSTEM32\STIMON.EXE

"EM_EXEC"=C:\PROGRA~1\LOGITECH\MOUSEW~1\SYSTEM\EM_EXEC.EXE

"WinampAgent"="C:\PROGRAM FILES\WINAMP\WINAMPa.exe"

"InCD"=C:\Program Files\Ahead\InCD\InCD.exe

"AdaptecDirectCD"="C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"

"AudioHQ"=C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE

"Creative Launcher"=C:\Program Files\Creative\Launcher\CTLauncher.exe

"Disc Detector"=C:\Program Files\Creative\ShareDLL\CtNotify.exe

"RealTray"=C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

"CloneCDTray"="C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"

"HPDJ Taskbar Utility"=C:\WINDOWS\SYSTEM\hpztsb05.exe

"SideWinderTrayV4"=C:\PROGRA~1\MICROS~4\GAMECO~1\COMMON\SWTRAYV4.EXE

"sp"=regedit -s C:\WINDOWS\sp.reg

"BELT"=C:\WINDOWS\BELT.exe

"CriticalUpdate"=C:\WINDOWS\SYSTEM32\WUCRTUPD.EXE -startup

"Norton CrashGuard Monitor"="C:\PROGRAM FILES\NORTON CRASHGUARD\CGMenu.EXE"

"CSAV_CheckViruses"=C:\PROGRA~1\COMMAN~1\COMMAN~1\VCHK.EXE

"untray"=C:\PROGRA~1\COMMAN~1\COMMAN~1\UNTRAY.EXE

"dvprpt"=C:\PROGRA~1\COMMAN~1\COMMAN~1\DVPRPT.EXE

"avtray"=C:\PROGRA~1\COMMAN~1\COMMAN~1\AVTRAY.EXE

"AVSchedScan"=C:\PROGRA~1\COMMAN~1\COMMAN~1\SCHSC9X.EXE

"NPROTECT"=C:\PROGRA~1\NORTON~1\ADVTOOLS\NPROTECT.EXE

"QuickTime Task"="C:\WINDOWS\SYSTEM32\qttask.exe" -atboottime

"BTopenworld"="C:\PROGRAM FILES\BT YAHOO! INTERNET\DialBTYahoo.exe" /ReInstallAutoDial

"LoadQM"=loadqm.exe

"msnappau"="c:\program files\MSN Apps\Updater\01.02.3000.1001\en-gb\msnappau.exe"

"SpeedTouch USB Diagnostics"="C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\setup\disabledrunkeys]

"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

"Ad Rage"=d:\program files\adrage\adrage.exe

"McAfee Guardian"="C:\PROGRAM FILES\MCAFEE\MCAFEE SHARED COMPONENTS\GUARDIAN\CMGRDIAN.EXE" /SU

"Symantec Core LC"=C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe start

"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

"Advanced Tools Check"=C:\PROGRA~1\NORTON~1\ADVTOOLS\ADVCHK.EXE

"Windows ServeAd"=C:\PROGRAM FILES\WINDOWS SERVEAD\WINSERVAD.EXE

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices-]

"SchedulingAgent"=mstask.exe

"LoadPowerProfile"=Rundll32.exe powrprof.dll,LoadCurrentPwrScheme

"GoBack Polling Service"=C:\Program Files\Adaptec\GoBack\GBPoll.exe

"PCCIOMON.EXE"="C:\Program Files\Trend PC-cillin 7.5\PCCIOMON.EXE"

"avinit"=C:\PROGRA~1\COMMAN~1\COMMAN~1\AVINIT9X.EXE

"LoadDvpApi9x"=C:\PROGRA~1\COMMON~1\COMMAN~1\DVPAPI9X.EXE

 

R0 hotcore2;hotcore2;C:\WINDOWS\system32\drivers\hotcore2.sys [2006-10-02 10:39]

R2 cbxt3krn;YAMAHA CBX Driver;C:\WINDOWS\system32\drivers\cbxt3krn.sys [1999-09-15 08:05]

R2 FolderProtectService;FolderProtectService;C:\Program Files\PC Beginner Windows Tools 2007\FolderProtectService.exe [2006-12-16 13:18]

R2 SVKP;SVKP;C:\WINDOWS\system32\SVKP.sys [2004-12-26 23:00]

R3 FolderProtectDriver;FolderProtectDriver;C:\Program Files\PC Beginner Windows Tools 2007\FolderProtectDriver.sys [2006-12-12 15:25]

S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;C:\PROGRA~1\Belkin\BELKIN~1.11G\DNINDIS5.SYS [2003-07-24 12:10]

S3 SWUSBFLT;Microsoft SideWinder VIA Filter Driver;C:\WINDOWS\system32\DRIVERS\SWUSBFLT.sys [2001-08-17 14:02]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>IEPerUser]

RUNDLL32.EXE IEDKCS32.DLL,BrandIE4 SIGNUP

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\MmoptPreferredAudioDevices]

rundll32.exe shell32.dll,Control_RunDLL mmsys.cpl,@0,SUSB\VID_0546&PID_3155&MI_02\2USB&VID_0546&PID_3155&INST_0

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]

"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]

"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:WIN9X /user /install

"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:OE /CALLER:IE50 /user /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{44BBA851-CC51-11CF-AAFA-00AA00B6015C}]

rundll32.exeadvpack.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]

"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{7790769C-0471-11d2-AF11-00C04FA35D02}]

"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:WIN9X /user /install

"C:\PROGRA~1\OUTLOO~1\setup50.exe" /APP:WAB /CALLER:IE50 /user /install

 

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}]

C:\WINDOWS\SYSTEM32\updcrl.exe -e -u C:\WINDOWS\SYSTEM\verisignpub1.crl

.

Contents of the 'Scheduled Tasks' folder

"2007-10-21 01:00:04 C:\WINDOWS\Tasks\Maintenance-Defragment programs.job"

- C:\WINDOWS\DEFRAG.EXE

"2008-01-01 00:30:02 C:\WINDOWS\Tasks\Maintenance-Disk cleanup.job"

- C:\WINDOWS\CLEANMGR.EXE

.

**************************************************************************

 

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-01-18 17:00:01

Windows 5.1.2600 Service Pack 2 FAT NTAPI

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

.

Completion time: 2008-01-18 17:02:12 - machine was rebooted

ComboFix-quarantined-files.txt 2008-01-18 17:02:10

ComboFix2.txt 2008-01-17 22:26:28

.

2008-01-08 18:58:35 --- E O F ---

 

 

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 17:06:09, on 18/01/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\DVDRAMSV.exe

C:\Program Files\PC Beginner Windows Tools 2007\FolderProtectService.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\PC Beginner Windows Tools 2007\FolderProtect.exe

C:\Program Files\NETGEAR\Media Server\ImmsService.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\notepad.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

 

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O3 - Toolbar: Wanadoo - {8B68564D-53FD-4293-B80C-993A9F3988EE} - C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll

O4 - HKLM\..\Run: [systemTray] SysTray.Exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000

O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM

O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM

O8 - Extra context menu item: Search with Wanadoo - res://C:\PROGRA~1\Wanadoo\WSBar\WSBar.dll/VSearch.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\SYSTEM32\SHDOCVW.DLL

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15009/CTSUEng.cab

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab

O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab

O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab

O16 - DPF: {54D53429-945C-4188-B460-C81356541882} (SaveImageFiles Class) - http://eshare.hpphoto.com/Download/HPeServicesLocalPrint.CAB

O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1124137546222

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab

O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.tynebridgewebcam.co.uk/camimage...sCamControl.ocx

O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/:filtered:/asinst.cab

O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab

O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab

O16 - DPF: {EB387D2F-E27B-4D36-979E-847D1036C65D} (QDiagHUpdateObj Class) - http://h30043.www3.hp.com/hpdj/en/check/qdiagh.cab?326

O16 - DPF: {EE8B6D5F-FEF2-11D0-B13F-00A024798EF3} (Microsoft Search Settings Control) - http://lg.home.microsoft.com/search/lobby/searchsettings.cab

O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15009/CTPID.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{8448B8C7-6D38-4E3B-802A-D3996171F84D}: NameServer = 192.168.2.1

O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Maxtor\Schedule2\schedul2.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe

O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\PC Beginner Windows Tools 2007\FolderProtectService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: Integrated Multimedia Server - Unknown owner - C:\Program Files\NETGEAR\Media Server\ImmsService.exe

O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\Win32\RpcDataSrv.exe

O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XII\RpcSandraSrv.exe

O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

 

--

End of file - 8164 bytes


A couple of crashes, but nothing new there. The forums seem to be remembering my details, so I think you may have cracked it.

 

What I don't understand is how it by-passed the anti-virus and so effectively switched off systems. I have looked all over the web and a lot of people are suffering the same, yet the big anti-virus companies are surprisingly quiet about it.

 

Thanks again. I will be studying all the logs to try to help myself next time; I am no dummy when it comes to computers, but this had me.


This latest variant of Vundo is catching out a lot of AV vendors at the moment; most can now detect it, but only after the fact.

 

Now the best part of the day: your log now appears clean.

 

You may now delete all the programmes I had you download.

 

 

Now, to get you off to a good start, we will reset your restore points so that all the bad stuff is gone for good. Then, if you need to restore at some stage, you will be clean. There are several ways to reset your restore points, but this is my method:

 

1. Select Start > All Programs > Accessories > System Tools > System Restore.

2. On the dialogue box that appears, select Create a Restore Point.

3. Click NEXT.

4. Enter a name, e.g. Clean.

5. Click CREATE.

 

You now have a clean restore point. To get rid of the bad ones:

 

1. Select Start > All Programs > Accessories > System Tools > Disk Cleanup.

2. In the drop-down box that appears, select your main drive, e.g. C.

3. Click OK.

4. The system will do some calculation and then display a dialogue box with tabs.

5. Select the More Options tab.

6. At the bottom will be a System Restore box with a CLEANUP button; click this.

7. Accept the warning and select OK again. The program will close and you are done.

 

 

 

Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:

  • SpywareBlaster to help prevent spyware from installing in the first place.
It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

 

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet, read this article by Tony Klein: So how did I get infected in the first place?

 

 

Keep safe.

 

To speed your system up and reduce the frequency of crashes, try this:

 

Prefetch is clickable for more information.

 

Click Start, then Run, type prefetch and press Enter. Click Edit, then Select All (all files will highlight), right-click any file, click Delete and confirm.

 

Click Start, then All Programs > Accessories > System Tools, and run Disk Cleanup.

 

Reboot.

 

Click Start, then All Programs > Accessories > System Tools, and run Disk Defragmenter.

 

Download, install and run the Tune Up 2007 trial.

 

Run Tune Up Disk Cleanup.

 

Run Tune Up Registry Cleanup.

 

Then click Optimize and Improve to run Reg Defrag; the screen will lose colour during the process, which can take a few minutes, and then a reboot is needed.

 

Those will have cleared the drive of obsolete software errors.

 

These are suggestions for making the most of the free trial:

 

Click Optimize and Improve, then System Optimizer, to optimize the computer; select "computer with an internet connection" from the drop-down menu. This also requires a reboot.

 

After the reboot, click Optimize, then System Optimizer, to accelerate downloads; select the speed just above your actual connection speed. This requires a reboot.

 

After the reboot, click Optimize, then System Optimizer, to run System Advisor.

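For anyone who, like the original poster, wants to study these logs themselves: the script below is an added example written for this thread, not HijackThis code and not something either poster supplied. It parses the R/O item lines in the format the log above uses and raises the prompts an analyst reads first: an O4 autorun with no full path (the loader finds the file by PATH search, so the line alone does not say what runs), an O23 service with "Unknown owner" (no publisher version info), an O17 NameServer that is not a LAN address (the DNS-hijack symptom), and an R0/R1 browser page on a host the user did not choose. The "expected_hosts" list is an assumption taken from the log above, the first sample log copies a few lines from this thread, and the hijacked sample is made up for illustration. On the thread's own lines it picks out the bare SysTray.Exe entry and the two PC Beginner/NETGEAR services with no publisher string; those are prompts to look at the files, not verdicts, and the helper evidently judged them benign.

```python
"""Triage helper for Trend Micro HijackThis v2.0.2 log lines.

Added example for this thread; neither HijackThis code nor part of any post
above. Flags are prompts to look closer, not verdicts, and the expected-host
list is an assumption. Sample logs at the bottom are constructed.
"""
import ipaddress
import re
from urllib.parse import urlparse

ITEM_RE = re.compile(r"^(?P<code>[RFON]\d+) - (?P<body>.+)$")
DRIVE_RE = re.compile(r"^[A-Za-z]:\\")

def parse_item(line):
    """Return (code, body) for a HijackThis item line, or None for any other line."""
    m = ITEM_RE.match(line.strip())
    return (m.group("code"), m.group("body")) if m else None

def flag_o4(body):
    """O4 autoruns: no drive letter means the file is found by PATH search."""
    m = re.match(r".*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$", body)
    if not m:
        return None
    cmd = m.group("cmd").strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split()[0]
    if not DRIVE_RE.match(exe) and not exe.startswith("%"):
        return f"O4 [{m.group('name')}] runs {exe!r} without a full path; locate the file and verify it"
    return None

def flag_o23(body):
    """O23 services: 'Unknown owner' means the binary has no company version info."""
    parts = [p.strip() for p in body.split(" - ")]
    if len(parts) < 3 or not parts[0].startswith("Service: "):
        return None
    name, company, path = parts[0][len("Service: "):], parts[-2], parts[-1]
    if company.lower() == "unknown owner":
        return f"O23 service '{name}' has no publisher info: {path}"
    return None

def flag_o17(body):
    """O17 DNS: on a home LAN the NameServer should be the router (private address)."""
    m = re.search(r"NameServer = (?P<servers>[0-9.,\s]+)$", body)
    if not m:
        return None
    suspect = []
    for server in filter(None, re.split(r"[,\s]+", m.group("servers").strip())):
        try:
            if not ipaddress.ip_address(server).is_private:
                suspect.append(server)
        except ValueError:
            suspect.append(server)
    if suspect:
        return f"O17 NameServer is {', '.join(suspect)}, not a LAN address; confirm who set it"
    return None

def flag_r(body, expected_hosts=("www.google.co.uk",)):
    """R0/R1 browser pages: any host the user did not choose is a hijack candidate."""
    m = re.search(r"= (?P<url>\S+)$", body)
    if not m:
        return None
    host = urlparse(m.group("url")).hostname
    if host and host not in expected_hosts:
        return f"R-line sets a browser page to {host}; confirm the user chose it"
    return None

CHECKS = {"O4": flag_o4, "O23": flag_o23, "O17": flag_o17, "R0": flag_r, "R1": flag_r}

def triage(log_text):
    """Return [(code, finding), ...] for every item line that trips a check."""
    findings = []
    for line in log_text.splitlines():
        item = parse_item(line)
        if item and item[0] in CHECKS:
            msg = CHECKS[item[0]](item[1])
            if msg:
                findings.append((item[0], msg))
    return findings

# Constructed sample: a few item lines copied from the log in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O4 - HKLM\..\Run: [systemTray] SysTray.Exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O17 - HKLM\System\CCS\Services\Tcpip\..\{8448B8C7-6D38-4E3B-802A-D3996171F84D}: NameServer = 192.168.2.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: FolderProtectService - Unknown owner - C:\Program Files\PC Beginner Windows Tools 2007\FolderProtectService.exe
O23 - Service: Integrated Multimedia Server - Unknown owner - C:\Program Files\NETGEAR\Media Server\ImmsService.exe
"""

# Constructed hijacked variant (made up, not from the thread): home page sent to
# the rogue site and DNS pointed at an arbitrary public address.
HIJACKED_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.storageprotector.com/
O17 - HKLM\System\CCS\Services\Tcpip\..\{8448B8C7-6D38-4E3B-802A-D3996171F84D}: NameServer = 1.2.3.4
"""

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), *triage(HIJACKED_LOG), sep="\n")
```

Run it against a saved hijackthis.log by passing the file's text to triage(); each finding names the HijackThis section so it can be matched back to the line in the log.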