
virus

Help. I seem to have downloaded a virus from somewhere. For the last two days I have been trying to get rid of it. Thinking on, I don't know if it is a virus or malware. I managed to get on to the net and downloaded Comodo Anti Virus (was using AVG before). I now have some control over my computer but not all. I've run Spybot Search and Destroy and got rid of a few adware and what have you. My problem now is that when I boot up and log on in mine or my wife's name I only have limited access, i.e. press Start and only have a few items in there. Can't access Programs, Control Panel, Search or Run progs. I also have the words "VIRUS ALERT" next to the clock in the right hand corner. When I connect to the web my home page keeps coming up as pc-antispypro.com. I have been on Internet Options and changed it back to Yahoo, but each time I open a window it's back to antispypro. I have started the pooter in Safe Mode, logged on as Administrator, and I can access the Control Panel and everything else. Thought I would remove Administrator from the computer, so made my account an administrator account too, but when I go on User Settings the choice to remove Administrator from the pooter is not there. Does anyone know any other way of doing this? Hope this makes sense to someone. All thoughts gratefully received.

Comments

  • Browntoa
    Browntoa Posts: 49,612 Forumite
    Please download Malwarebytes Anti-Malware and save it to your desktop.
    • Make sure you are connected to the Internet.
    • Double-click on mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply and exit MBAM.
    Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Whether or not you are prompted to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may make changes to your registry as part of its disinfection routine. If you're using other security programs that detect registry changes, they may alert you after scanning with MBAM. Please permit the program to allow the changes.
    Ex forum ambassador

    Long term forum member
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    then after the reboot download this as well

    http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

    and produce a log, post that log and the one from MBAM back in this thread
    Ex forum ambassador

    Long term forum member
  • wayne
    wayne Posts: 317 Forumite
    Hi Browntoa, thanks for the super fast reply. Here is the HijackThis report... MBAM report to follow.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:43:55, on 26/10/2008
    Platform: Windows XP SP3 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\WINDOWS\VM_STI.EXE
    C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Rainlendar2\Rainlendar2.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
    C:\Program Files\Comodo\Comodo AntiVirus\Cavaud.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://uk.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://uk.search.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo! UK & Ireland
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: (no name) - {82C80ED1-BBE3-4A3E-A990-DF3A1784F938} - C:\WINDOWS\system32\awtQgGvU.dll (file missing)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Catcher Class - {ADECBED6-0366-4377-A739-E69DFBA04663} - C:\Program Files\Moyea\FLV Downloader\MoyeaCth.dll
    O2 - BHO: Cooliris Plug-In for Internet Explorer - {EAEE5C74-6D0D-4aca-9232-0DA4A7B866BA} - C:\Program Files\PicLensIE\cooliris.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [LaunchApp] Alaunch
    O4 - HKLM\..\Run: [ntiMUI] C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe
    O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
    O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
    O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
    O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
    O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [eRecoveryService] C:\Acer\Empowering Technology\eRecovery\eRAgent.exe
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Philips SPC 300NC PC Camera
    O4 - HKLM\..\Run: [cnfgCav] "C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [Rainlendar2] C:\Program Files\Rainlendar2\Rainlendar2.exe
    O4 - HKCU\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
    O4 - HKCU\..\Run: [LDM] C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Acer WLAN 11g USB Dongle.lnk = C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
    O4 - Global Startup: TrayMin300.exe.lnk = ?
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
    O9 - Extra button: Launch Cooliris - {3437D640-C91A-458f-89F5-B9095EA4C28B} - C:\Program Files\PicLensIE\cooliris.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - http://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-GB/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
    O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/install/HPProductDetection.cab
    O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
    O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) - http://www.wrexham.gov.uk/webcam/AxisCamControl.bin
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {E62A8B6B-D91C-457C-B1FB-20CC2D96B4EC} (Comodo AV Scanner ActiveX) - http://www.personalfirewall.comodo.com/scan/ComodoAVScanner.cab
    O16 - DPF: {EAC139A9-D22D-4C29-8D1C-252BE63750F9} - http://www.cooliris.com/shared/plinstll.cab
    O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
    O16 - DPF: {F8C5C0F1-D884-43EB-A5A0-9E1C4A102FA8} (GoPetsWeb Control) - https://secure.gopetslive.com/dev/GoPetsWeb.cab
    O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: monln - C:\WINDOWS\SYSTEM32\monln.dll
    O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
    O23 - Service: Comodo Anti-Virus and Anti-Spyware Service - Comodo Inc. - C:\Program Files\Comodo\common\CAVASpy\cavasm.exe
    O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
    O23 - Service: MioNet Service (MioNet) - Unknown owner - C:\Program Files\MioNet\MioNetManager.exe (file missing)
    O23 - Service: Wireless Adapter Configurator - Tech Mahindra- PUNE - C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
    O23 - Service: WUSB54GSv2SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
    --
    End of file - 11455 bytes
  • wayne
    wayne Posts: 317 Forumite
    MBAM as requested, Browntoa...
    Malwarebytes' Anti-Malware 1.30
    Database version: 1321
    Windows 5.1.2600 Service Pack 3
    26/10/2008 12:36:32
    mbam-log-2008-10-26 (12-36-32).txt
    Scan type: Quick Scan
    Objects scanned: 59551
    Time elapsed: 8 minute(s), 55 second(s)
    Memory Processes Infected: 0
    Memory Modules Infected: 2
    Registry Keys Infected: 36
    Registry Values Infected: 2
    Registry Data Items Infected: 15
    Folders Infected: 1
    Files Infected: 22
    Memory Processes Infected:
    (No malicious items detected)
    Memory Modules Infected:
    C:\WINDOWS\qnflkotm.dll (Trojan.Zlob) -> Delete on reboot.
    C:\WINDOWS\vwnskbot.dll (Trojan.Agent) -> Delete on reboot.
    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{224933bf-1890-44f7-96fa-0a41b1f55f76} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\rqriffet (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{224933bf-1890-44f7-96fa-0a41b1f55f76} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{0eb74dd1-c899-4e4a-81a3-b7c32b4c1e16} (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{cf54be1c-9359-4395-8533-1657cf209cfe} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{d518921a-4a03-425e-9873-b9a71756821e} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea9-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{07b18ea1-a523-4961-b6bb-170de4475cca} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{00a6faf1-072e-44cf-8957-5838f569a31d} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1d4db7d2-6ec9-47a3-bd87-1e41684e07bb} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{59c7fc09-1c83-4648-b3e6-003d2bbc7481} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{68af847f-6e91-45dd-9b68-d6a12c30e5d7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{9170b96c-28d4-4626-8358-27e6caeef907} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d1a71fa0-ff48-48dd-9b6d-7a13a3e42127} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{ddb1968e-ead6-40fd-8dae-ff14757f60c7} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{f138d901-86f0-4383-99b6-9cdd406036da} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\total secure 2009 (Rogue.TotalSecure) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\TotalSecure2009 (Rogue.TotalSecure) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{cd17e3af-cb74-4ae0-80c7-3521d9e6f509} (Trojan.Agent) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\RunDll32Policy\f3ScrCtr.dll (Adware.MyWay) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\MediaHoldings (Adware.PlayMP3Z) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\TypeLib\{51f1a3db-d1a8-4c14-8a27-b51ca3e46d9a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{34a9b7e0-e9e9-4828-a8f1-bf301c658fb8} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{82f29c84-3497-458d-bccb-7c6a050b8519} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\CLSID\{85bb6d0c-0a38-436d-88a0-3c411cace93a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{85bb6d0c-0a38-436d-88a0-3c411cace93a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85bb6d0c-0a38-436d-88a0-3c411cace93a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\VSPlugin (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\bkqxdons.bxmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\bkqxdons.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\qnflkotm (Trojan.Zlob) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\vwnskbot (Trojan.Agent) -> Quarantined and deleted successfully.
    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76487-OEM-0011903-00100) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (HH:mm:ss) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowRun (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoStartMenuMorePrograms (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoToolbarCustomize (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetFolders (Hijack.Explorer) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\NoDispCPL (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
    Folders Infected:
    C:\Program Files\TS-2009 (Rogue.TotalSecure) -> Quarantined and deleted successfully.
    Files Infected:
    C:\WINDOWS\system32\rqRiffEt.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
    C:\WINDOWS\qnflkotm.dll (Trojan.Zlob) -> Delete on reboot.
    C:\WINDOWS\system32\rqRJDsTN.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
    C:\Program Files\TS-2009\totalsecure.s2 (Rogue.TotalSecure) -> Quarantined and deleted successfully.
    C:\Program Files\TS-2009\totalsecure.s3 (Rogue.TotalSecure) -> Quarantined and deleted successfully.
    C:\Program Files\TS-2009\totalsecure.s6 (Rogue.TotalSecure) -> Quarantined and deleted successfully.
    C:\Program Files\TS-2009\uninstall.exe (Rogue.TotalSecure) -> Quarantined and deleted successfully.
    C:\WINDOWS\vwnskbot.dll (Trojan.Agent) -> Delete on reboot.
    C:\WINDOWS\woprdagt.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\aetlsrknwvf.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\WINDOWS\k.txt (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Start Menu\Programs\Total Secure 2009.lnk (Rogue.TotalSecure) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Application Data\TmpRecentIcons\Total Secure 2009.lnk (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Desktop\Protect Your Privacy.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Desktop\Malware Defender.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Desktop\System Error Fixer.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Favorites\Malware Defender.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\helen\Favorites\Malware Defender.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Favorites\Protect Your Privacy.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\helen\Favorites\Protect Your Privacy.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\user\Favorites\System Error Fixer.url (Rogue.Link) -> Quarantined and deleted successfully.
    C:\Documents and Settings\helen\Favorites\System Error Fixer.url (Rogue.Link) -> Quarantined and deleted successfully.
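The "Registry Data Items Infected" block of the log above is the part that accounts for the symptoms in the opening post: the Start_Show* values hidden the Start menu entries, DisableTaskMgr blocked Task Manager, sTimeFormat put "VIRUS ALERT!" beside the clock, and Start Page was pointed at a referral site. As an added example, not code from this thread or from Malwarebytes, here is a small Python reader for those lines. The regex follows the "Bad: (...) Good: (...)" layout visible in the log; the VALUE_EFFECTS table and the function names are my own.

```python
r"""Read the "Registry Data Items Infected" section of an MBAM 1.x log.

Added example: not code from this thread, from Malwarebytes, or from any
poster. It parses the
    <key>\<value> (Family) -> Bad: (x) Good: (y) -> <action>
lines MBAM 1.x writes and names the feature each value controls, so the
log can be read as a list of what the rogue did to the machine. The
VALUE_EFFECTS table is my own summary of documented Windows XP behaviour.
"""
import re
from collections import Counter
from typing import Dict, List

DATA_ITEM_RE = re.compile(
    r"^(?P<key>.+?)\\(?P<value>[^\\]+?) \((?P<family>[^()]+)\) -> "
    r"Bad: \((?P<bad>.*?)\) Good: \((?P<good>.*?)\) -> (?P<action>.+)$"
)

# Feature each registry value controls (Start_Show* hide it when 0,
# No*/Disable* policies block it when 1; "Bad" is the value the rogue set).
VALUE_EFFECTS: Dict[str, str] = {
    "Start Page": "Internet Explorer home page",
    "sTimeFormat": "time format of the taskbar clock (extra text appears next to the time)",
    "ProductId": "Windows product ID shown in System Properties",
    "Start_ShowControlPanel": "Control Panel entry on the Start menu",
    "Start_ShowRun": "Run entry on the Start menu",
    "Start_ShowSearch": "Search entry on the Start menu",
    "Start_ShowHelp": "Help and Support entry on the Start menu",
    "Start_ShowMyDocs": "My Documents entry on the Start menu",
    "Start_ShowMyComputer": "My Computer entry on the Start menu",
    "NoStartMenuMorePrograms": "All Programs list on the Start menu",
    "StartMenuLogOff": "Log Off button on the Start menu",
    "NoToolbarCustomize": "toolbar customisation in Internet Explorer",
    "NoSetFolders": "Control Panel and Printers folders on the Start menu",
    "DisableTaskMgr": "Task Manager",
    "NoDispCPL": "Display Properties control panel",
}

# Five lines copied from the MBAM log posted above (the rest parse the same way).
SAMPLE_LOG = r"""
Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2) Good: (http://www.google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId (Trojan.FakeAlert) -> Bad: (VIRUS ALERT!) Good: (76487-OEM-0011903-00100) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Control Panel\International\sTimeFormat (Trojan.FakeAlert) -> Bad: (HH:mm: VIRUS ALERT!) Good: (HH:mm:ss) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowControlPanel (Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
"""


def parse_data_items(log_text: str) -> List[Dict[str, str]]:
    """Return one dict per 'Bad/Good' data-item line; other lines are ignored."""
    items = []
    for line in log_text.splitlines():
        m = DATA_ITEM_RE.match(line.strip())
        if m:
            items.append(m.groupdict())
    return items


def describe(item: Dict[str, str]) -> str:
    """One-line reading of a parsed item: value, what the rogue set, what it affects."""
    effect = VALUE_EFFECTS.get(item["value"], "unrecognised value, review manually")
    return (f"{item['value']}: set to {item['bad']!r}, restored to {item['good']!r} "
            f"- controls {effect} [{item['family']}]")


def count_by_family(items: List[Dict[str, str]]) -> Dict[str, int]:
    """Detection families present, which is how a helper spots e.g. a FakeAlert rogue."""
    return dict(Counter(i["family"] for i in items))


if __name__ == "__main__":
    parsed = parse_data_items(SAMPLE_LOG)
    for entry in parsed:
        print(describe(entry))
    print(count_by_family(parsed))
```

Running it against the full log would give fifteen entries; the point is that every "Bad" value is a user-visible lockdown (hidden menu entries, disabled Task Manager, altered clock format) rather than the file drops that the scanner lists further down, which is why the opening post's symptoms match this section so closely.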
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    fix these in hijackthis

    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

    O2 - BHO: (no name) - {82C80ED1-BBE3-4A3E-A990-DF3A1784F938} - C:\WINDOWS\system32\awtQgGvU.dll (file missing)

    O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - http://activex.camfrogweb.com/advanc...instmodule.exe

    and tick "fix selected"
    Ex forum ambassador

    Long term forum member
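The selection above follows a rule a helper applies by eye: an O2 BHO whose DLL is reported "(file missing)" or "(no file)" is a dead registry hook, and an O16 DPF entry with no registered control name that points at an .exe is worth a second look. As an added example, not code from this thread or from Trend Micro's HijackThis, here is that triage written out in Python. The sample lines are copied from the HijackThis log posted earlier in the thread; the two rules, the Finding type and the function name are my own.

```python
"""Triage a HijackThis log for orphaned or unusual browser hooks.

Added example: not code from this thread or from Trend Micro's HijackThis.
It encodes the check a helper applies when choosing lines to fix:
an O2 BHO whose DLL is reported "(file missing)" or "(no file)" is a dead
registry hook that IE/Explorer will still try to load on every start, and
an O16 DPF (downloaded ActiveX) entry that registers no control name, or
whose payload is an .exe rather than a .cab, is unusual enough to review.
Those two rules and the Finding type are my own.
"""
import re
from typing import List, NamedTuple

O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$"
)
O16_RE = re.compile(
    r"^O16 - DPF: \{(?P<clsid>[0-9A-Fa-f-]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$"
)


class Finding(NamedTuple):
    clsid: str
    line: str
    reason: str


# Six lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {82C80ED1-BBE3-4A3E-A990-DF3A1784F938} - C:\WINDOWS\system32\awtQgGvU.dll (file missing)
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {2357B3CF-7F8D-4451-8D81-FD6097610AEE} - http://activex.camfrogweb.com/advanced/2.0.2.3/cfweb_activex.camfrogweb.com-advanced-2.0.2.3_instmodule.exe
"""


def triage(log_text: str) -> List[Finding]:
    """Return the O2/O16 entries that merit fixing, each with the rule it tripped."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            target = m.group("target")
            # Rule 1: the hook is registered but nothing is on disk to load.
            if target == "(no file)" or target.endswith("(file missing)"):
                findings.append(Finding(m.group("clsid"), line,
                                        "BHO registered but its DLL is absent"))
            continue
        m = O16_RE.match(line)
        if m:
            reasons = []
            # Rule 2a: a downloaded control normally registers a readable name.
            if m.group("name") is None:
                reasons.append("DPF entry registers no control name")
            # Rule 2b: DPF payloads are normally .cab/.ocx packages, not bare .exe files.
            if m.group("url").lower().endswith(".exe"):
                reasons.append("DPF payload is an .exe rather than a .cab")
            if reasons:
                findings.append(Finding(m.group("clsid"), line, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.clsid}: {f.reason}")
```

Note that the rule keys on the file, not on the display name: the Spybot SDHelper BHO in the full log is also "(no name)" but its DLL exists, so it is not flagged, which matches the helper's choice of leaving it alone.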
  • Browntoa
    Browntoa Posts: 49,612 Forumite
    the MBAM log shows signs of a Vundo infection

    to be sure run ComboFix

    http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    and post that log back here
    Ex forum ambassador

    Long term forum member
  • wayne
    wayne Posts: 317 Forumite
    Hi Browntoa. Here's the ComboFix log...
    ComboFix 08-10-25.01 - user 2008-10-26 17:34:51.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.510 [GMT 0:00]
    Running from: C:\Documents and Settings\user\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\user\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    * Created a new restore point
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
    C:\WINDOWS\Downloaded Program Files\setup.inf
    C:\WINDOWS\system32\UvGgQtwa.ini
    C:\WINDOWS\system32\UvGgQtwa.ini2
    BITS: Possible infected sites
    hxxp://megauplinkbindinstaller.com
    .
    ((((((((((((((((((((((((( Files Created from 2008-09-26 to 2008-10-26 )))))))))))))))))))))))))))))))
    .
    2008-10-26 12:43 . 2008-10-26 12:43 <DIR> d-------- C:\Program Files\Trend Micro
    2008-10-26 12:25 . 2008-10-26 12:25 <DIR> d-------- C:\Documents and Settings\user\Application Data\Malwarebytes
    2008-10-26 12:24 . 2008-10-26 12:25 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-10-26 12:24 . 2008-10-26 12:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-10-26 12:24 . 2008-10-22 16:10 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
    2008-10-26 12:24 . 2008-10-22 16:10 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
    2008-10-26 10:53 . 2008-10-26 10:53 <DIR> d-------- C:\Program Files\TeaTimer (Spybot - Search & Destroy)
    2008-10-26 10:53 . 2008-10-26 10:53 <DIR> d-------- C:\Program Files\SDHelper (Spybot - Search & Destroy)
    2008-10-26 10:46 . 2008-10-26 10:46 <DIR> d-------- C:\Documents and Settings\helen\Application Data\TmpRecentIcons
    2008-10-26 10:44 . 2005-11-09 07:23 <DIR> d-------- C:\Documents and Settings\helen\Application Data\Symantec
    2008-10-26 10:44 . 2008-10-26 10:44 <DIR> d-------- C:\Documents and Settings\helen
    2008-10-26 06:07 . 2008-10-26 06:06 102,400 --a------ C:\WINDOWS\system32\drivers\cavasm.sys
    2008-10-26 06:07 . 2008-10-26 06:06 73,728 --a------ C:\WINDOWS\system32\CavEmLSP.dll
    2008-10-26 04:04 . 2008-10-26 04:04 <DIR> d-------- C:\Documents and Settings\user\Application Data\Comodo
    2008-10-26 04:04 . 2008-10-26 04:04 <DIR> d-------- C:\Documents and Settings\All Users\Comodo
    2008-10-25 06:38 . 2008-10-26 04:04 <DIR> d-------- C:\Program Files\Comodo
    2008-10-25 06:38 . 2008-10-25 06:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Comodo
    2008-10-25 06:38 . 2008-10-26 06:06 216,576 --a------ C:\WINDOWS\system32\monln.dll
    2008-10-25 05:22 . 2008-10-25 05:44 1,393 --a------ C:\WINDOWS\imsins.BAK
    2008-10-24 07:14 . 2008-10-24 07:14 <DIR> d-------- C:\Program Files\TVUPlayer
    2008-10-24 07:14 . 2008-10-24 07:14 <DIR> d-------- C:\Documents and Settings\user\LocalLow
    2008-10-24 07:14 . 2008-10-24 07:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TVU Networks
    2008-10-24 05:26 . 2008-10-15 16:34 337,408 --a------ C:\WINDOWS\system32\SET4.tmp
    2008-10-24 05:26 . 2008-10-15 16:34 337,408 --------- C:\WINDOWS\system32\dllcache\netapi32.dll
    2008-10-19 20:29 . 2008-10-19 20:29 <DIR> d-------- C:\Documents and Settings\user\Application Data\ArcSoft
    2008-10-19 20:13 . 2005-05-23 00:34 2,920,448 --------- C:\WINDOWS\UNSIPPS.exe
    2008-10-19 20:13 . 2005-05-30 22:52 59,113 --------- C:\WINDOWS\UNSIPPS.cfg
    2008-10-19 20:12 . 2008-10-19 20:12 <DIR> d-------- C:\Program Files\Common Files\ArcSoft
    2008-10-19 20:11 . 2008-10-19 20:11 <DIR> d-------- C:\WINDOWS\Options
    2008-10-19 20:11 . 2008-10-19 20:11 <DIR> d-------- C:\Program Files\Philips
    2008-10-19 20:11 . 2004-12-18 08:58 245,820 --a------ C:\WINDOWS\system32\VM31bPrp.Ax
    2008-10-19 20:11 . 2002-08-22 15:34 147,456 --a------ C:\WINDOWS\VMCap.exe
    2008-10-19 20:11 . 2005-02-26 15:25 91,527 --a------ C:\WINDOWS\system32\drivers\usbVM31b.sys
    2008-10-19 20:11 . 2003-05-15 16:17 61,440 --a------ C:\WINDOWS\system32\VM31bSTI.dll
    2008-10-19 20:11 . 2004-04-26 14:48 53,248 --a------ C:\WINDOWS\amcap.exe
    2008-10-19 20:11 . 2004-06-09 14:37 40,960 --a------ C:\WINDOWS\VM_STI.EXE
    2008-10-15 18:08 . 2008-10-15 18:08 268 --ah----- C:\sqmdata08.sqm
    2008-10-15 18:08 . 2008-10-15 18:08 244 --ah----- C:\sqmnoopt08.sqm
    2008-10-15 10:35 . 2008-08-14 10:11 2,189,184 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
    2008-10-15 10:35 . 2008-08-14 10:09 2,145,280 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2008-10-15 10:35 . 2008-08-14 09:33 2,066,048 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
    2008-10-15 10:35 . 2008-08-14 09:33 2,023,936 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
    2008-10-15 10:16 . 2008-09-08 10:41 333,824 --------- C:\WINDOWS\system32\dllcache\srv.sys
    2008-10-15 10:15 . 2008-09-15 12:12 1,846,400 --------- C:\WINDOWS\system32\dllcache\win32k.sys
    2008-10-14 18:19 . 2008-10-14 18:19 244 --ah----- C:\sqmnoopt07.sqm
    2008-10-14 18:19 . 2008-10-14 18:19 232 --ah----- C:\sqmdata07.sqm
    2008-10-11 18:53 . 2008-10-11 18:53 <DIR> d-------- C:\Documents and Settings\user\Application Data\Yahoo!
    2008-10-11 18:53 . 2008-10-11 18:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2008-10-11 05:57 . 2008-10-11 05:57 <DIR> d-------- C:\Program Files\PicLensIE
    2008-10-04 09:40 . 2008-10-04 09:40 <DIR> d-------- C:\WINDOWS\system32\en
    2008-10-04 09:40 . 2008-10-04 09:40 <DIR> d-------- C:\WINDOWS\system32\bits
    2008-10-04 09:22 . 2008-10-04 09:22 0 --a----t- C:\WINDOWS\006203_.tmp
    2008-10-03 10:56 . 2008-04-14 00:12 4,274,816 --------- C:\WINDOWS\system32\nv4_disp.dll
    2008-10-03 10:55 . 2004-08-03 21:41 1,041,536 --------- C:\WINDOWS\system32\drivers\hsfdpsp2.sys
    2008-10-03 10:54 . 2008-04-14 00:11 1,888,992 --------- C:\WINDOWS\system32\ati3duag.dll
    2008-10-02 12:36 . 2008-10-25 05:42 <DIR> d-------- C:\Program Files\Common Files\Ahead
    2008-10-02 12:36 . 2008-10-25 05:43 <DIR> d-------- C:\Program Files\Ahead
    2008-10-01 15:15 . 2008-10-01 15:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\NtiDvdCopy
    2008-09-30 17:24 . 2008-09-30 17:24 268 --ah----- C:\sqmdata06.sqm
    2008-09-30 17:24 . 2008-09-30 17:24 244 --ah----- C:\sqmnoopt06.sqm
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-10-26 17:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
    2008-10-26 17:05 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-10-26 04:28 --------- d-----w C:\Program Files\SUPERAntiSpyware
    2008-10-26 03:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg8
    2008-10-25 05:44 --------- d-----w C:\Program Files\Oca History Tool
    2008-10-24 11:13 --------- d-----w C:\Documents and Settings\user\Application Data\uTorrent
    2008-10-19 20:12 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-10-16 06:18 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2008-10-11 18:50 --------- d-----w C:\Program Files\Yahoo!
    2008-10-11 18:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
    2008-10-11 18:39 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
    2008-10-02 12:38 --------- d-----w C:\Program Files\Common Files\Nero
    2008-10-01 13:46 --------- d-----w C:\Program Files\NCH Software
    2008-09-18 13:47 --------- d-----w C:\Program Files\DivX
    2008-09-08 10:41 333,824 ----a-w C:\WINDOWS\system32\drivers\srv.sys
    2008-08-30 09:36 --------- d-----w C:\Program Files\YouTube Downloader
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 15360]
    "Rainlendar2"="C:\Program Files\Rainlendar2\Rainlendar2.exe" [2007-12-30 1365504]
    "kdx"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 1032376]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "LaunchApp"="Alaunch" [X]
    "UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [X]
    "ntiMUI"="C:\Program Files\NewTech Infosystems\NTI CD & DVD-Maker 7\ntiMUI.exe" [2005-05-12 45056]
    "IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
    "MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 59392]
    "PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "eRecoveryService"="C:\Acer\Empowering Technology\eRecovery\eRAgent.exe" [2006-06-01 413696]
    "GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 33648]
    "MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" [2003-08-18 53248]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "BigDogPath"="C:\WINDOWS\VM_STI.EXE" [2004-06-09 40960]
    "cnfgCav"="C:\Program Files\Comodo\Comodo AntiVirus\CMain.exe" [2008-10-26 110592]
    "SiSPower"="SiSPower.dll" [2005-07-13 C:\WINDOWS\system32\SiSPower.dll]
    "SoundMan"="SOUNDMAN.EXE" [2005-08-16 C:\WINDOWS\SOUNDMAN.EXE]
    "BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 C:\WINDOWS\system32\bthprops.cpl]
    "Logitech Utility"="Logi_MwX.Exe" [2003-11-07 C:\WINDOWS\LOGI_MWX.EXE]
    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 15360]
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acer WLAN 11g USB Dongle.lnk - C:\Program Files\Acer WLAN 11g USB Dongle\ZDWlan.exe [2005-11-17 745472]
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2008-03-12 113664]
    Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2000-08-06 69632]
    TrayMin300.exe.lnk - C:\Program Files\Philips\SPC 300NC PC Camera\TrayMin300.exe [2008-10-19 278528]
    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    2007-04-19 21:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\monln]
    2008-10-26 06:06 216576 C:\WINDOWS\system32\monln.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "VIDC.JPEG"= jpegCode.dll
    "VIDC.MJPG"= jpegCode.dll
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Logitech Desktop Messenger.lnk
    backup=C:\WINDOWS\pss\Logitech Desktop Messenger.lnkCommon Startup
    [HKLM\~\startupfolder\C:^Documents and Settings^user^Start Menu^Programs^Startup^Adobe Media Player.lnk]
    path=C:\Documents and Settings\user\Start Menu\Programs\Startup\Adobe Media Player.lnk
    backup=C:\WINDOWS\pss\Adobe Media Player.lnkStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Messenger (Yahoo!)]
    --a------ 2008-09-19 16:34 4347120 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    2008-04-14 00:12 1695232 C:\Program Files\Messenger\msmsgs.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    --a------ 2007-10-18 10:34 5724184 C:\Program Files\Windows Live\Messenger\msnmsgr.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Openwares LiveUpdate]
    --a------ 2003-10-29 17:15 65536 C:\Program Files\LIVEUPDATE\LiveUpdate.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    --a------ 2007-06-21 22:06 1318912 C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\uTorrent\\uTorrent.exe"=
    "C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\GROOVE.EXE"=
    "C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
    "C:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
    "C:\\Program Files\\Ares\\Ares.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
    "C:\\Program Files\\Soulseek\\slsk.exe"=
    "C:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager 1.0\\MediaManager.exe"=
    "C:\\Program Files\\Kontiki\\KService.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
    "1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
    "500:UDP"= 500:UDP:@xpsp2res.dll,-22017
    "1700:TCP"= 1700:TCP:MioNet Remote Drive Access
    "1641:TCP"= 1641:TCP:MioNet Remote Drive Verification
    R2 WUSB54GSv2SVC;WUSB54GSv2SVC;C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe WUSB54GSv2.exe [ ]
    R3 int15.sys;int15.sys;C:\Acer\Empowering Technology\eRecovery\int15.sys [2005-01-13 69632]
    S2 MioNet;MioNet Service;C:\Program Files\MioNet\MioNetManager.exe [ ]
    S3 CoachUsb;Dual Mode Digital Camera on USB;C:\WINDOWS\system32\DRIVERS\CoachUsb.sys [2002-10-08 39744]
    S3 Dual Mode;Dual Mode Video Capture;C:\WINDOWS\system32\DRIVERS\CoachVc.sys [2002-10-09 44928]
    S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys [2005-10-28 402432]
    .
    Contents of the 'Scheduled Tasks' folder
    2008-10-20 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
    .
    - - - - ORPHANS REMOVED - - - -
    HKCU-Run-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    HKCU-Run-AVG7_CC - C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    HKCU-Run-LDM - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BackWeb-8876480.exe
    ShellExecuteHooks-{224933BF-1890-44F7-96FA-0A41B1F55F76} - (no file)
    MSConfigStartUp-NBKeyScan - C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
    MSConfigStartUp-NeroFilterCheck - C:\WINDOWS\system32\NeroCheck.exe

    .
    Supplementary Scan
    .
    FireFox -: Profile - C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\dn2gxfxw.default\
    FireFox -: prefs.js - SEARCH.DEFAULTURL - hxxp://uk.search.yahoo.com/search?ei=UTF-8&fr=ytff-divx&p=
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://uk.yahoo.com/
    FF -: plugin - C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\dn2gxfxw.default\extensions\firefox@tvunetworks.com\plugins\npTVUAx.dll
    FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
    FF -: plugin - C:\Program Files\Yahoo!\Common\npyaxmpb.dll
    FF -: plugin - C:\Program Files\Yahoo!\Shared\npYState.dll
    .
    **************************************************************************
    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-10-26 17:42:15
    Windows 5.1.2600 Service Pack 3 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Other Running Processes
    .
    C:\Program Files\Comodo\Common\CAVASpy\cavasm.exe
    C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
    C:\Program Files\Kontiki\KService.exe
    C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlservr.exe
    C:\Program Files\BT Home Hub\Wireless Configuration\WirelessDaemon.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WLService.exe
    C:\Program Files\Linksys Wireless-G USB Wireless Network Monitor\WUSB54GSv2.exe
    C:\Program Files\Comodo\Comodo AntiVirus\cavse.exe
    C:\Program Files\Comodo\Comodo AntiVirus\cavse.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
    C:\Program Files\Comodo\Comodo AntiVirus\CavAUD.exe
    .
    **************************************************************************
    .
    Completion time: 2008-10-26 17:46:22 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-10-26 17:46:12
    Pre-Run: 2,968,207,360 bytes free
    Post-Run: 2,949,828,608 bytes free
    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
    260 --- E O F --- 2008-10-26 03:42:02
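The part of the ComboFix log above that a responder reads first is the short registry block under "Reg Loading Points": Security Center's `AntiVirusDisableNotify` and `DisableMonitoring` set to 1, `EnableFirewall` set to 0 for the standard profile, a list of non-Windows programs excepted through the firewall, and globally open ports. The script below is an added example for this thread, not ComboFix output and not code from any poster. It parses a constructed excerpt modelled on those lines (`SAMPLE`) and returns the findings a responder would act on; the key names and value renderings it expects are the ones visible in the log.

```python
"""Triage the Security Center and firewall keys in a ComboFix log.

Added example for this thread; not ComboFix output and not from any poster.
It reads the registry fragment ComboFix prints under "Reg Loading Points" and
flags suppressed Security Center alerts, monitoring switched off, the firewall
disabled, non-Windows programs excepted through it, and globally open ports.
"""
import re
from typing import Dict, List

# Constructed sample, modelled on the log posted above (not the full log).
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\uTorrent\\uTorrent.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1700:TCP"= 1700:TCP:MioNet Remote Drive Access
"""

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"\s*=\s*(?P<data>.*)$')


def parse_reg_dump(text: str) -> Dict[str, Dict[str, str]]:
    """Group "name"=data lines under the [key] header they follow."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = m.group("data").strip()
    return keys


def dword(data: str) -> int:
    """Accept both renderings seen in the log: 'dword:00000001' and '0 (0x0)'."""
    if data.lower().startswith("dword:"):
        return int(data[len("dword:"):], 16)
    return int(data.split()[0], 0)


def triage(text: str) -> List[str]:
    """Return the findings a responder would act on, in log order."""
    findings: List[str] = []
    for key, values in parse_reg_dump(text).items():
        k = key.lower()
        if k.endswith("\\security center"):
            for name, data in values.items():
                if name.endswith("DisableNotify") and dword(data) == 1:
                    findings.append(f"Security Center notifications suppressed: {name}")
        elif "\\security center\\monitoring\\" in k:
            if dword(values.get("DisableMonitoring", "dword:0")) == 1:
                product = key.rsplit("\\", 1)[-1]
                findings.append(f"Security Center not monitoring: {product}")
        elif k.endswith("\\firewallpolicy\\standardprofile"):
            if dword(values.get("EnableFirewall", "1")) == 0:
                findings.append("Windows Firewall disabled (EnableFirewall=0)")
        elif k.endswith("\\authorizedapplications\\list"):
            for name in values:
                path = name.replace("\\\\", "\\")  # the log doubles backslashes
                if not path.lower().startswith("%windir%"):
                    findings.append(f"Firewall exception outside %windir%: {path}")
        elif k.endswith("\\globallyopenports\\list"):
            for data in values.values():
                port, proto, desc = data.split(":", 2)
                findings.append(f"Globally open port: {port}/{proto} ({desc})")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Paste the real "Reg Loading Points" block in place of `SAMPLE` to run it over the full log. The two value renderings (`dword:00000001` for values ComboFix reads as DWORDs and `0 (0x0)` for the firewall policy) are both handled, because a parser that only knows one of them silently misses the other.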
  • Browntoa
    Download Pocket Killbox:

    http://www.bleepingcomputer.com/files/killbox.php

    Now run Pocket Killbox:

    Choose Tools -> Delete Temp Files and click Delete Selected Temp Files.
    Then after it deletes the files click the Exit (Save Settings) button.

    Select:
    • Delete on Reboot
    • Then click the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\sqmdata08.sqm
    C:\sqmnoopt08.sqm
    C:\sqmnoopt07.sqm
    C:\sqmdata07.sqm
    C:\WINDOWS\006203_.tmp
    C:\sqmdata06.sqm
    C:\sqmnoopt06.sqm


    Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt.

    If Killbox does not reboot or you get a Pending Operations type error message just reboot your PC yourself.
    Ex forum ambassador

    Long term forum member
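The "Delete on Reboot" step above, and the PendingFileRenameOperations prompt it mentions, rest on a documented Windows mechanism: a deferred delete or rename (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT) is appended to the REG_MULTI_SZ value `PendingFileRenameOperations` under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`, and Session Manager processes the list early in the next boot, before the files can be reopened by whatever was holding them. The value is a flat list of string pairs: the source in NT path form (`\??\C:\...`) followed by the destination, and an empty destination means "delete". The module below is an added example for this thread, not Killbox's code and not from any poster; it builds and decodes that value offline (it never writes to the registry) using the seven paths from the post as its sample, so the test can run on any platform.

```python
r"""How a 'Delete on Reboot' request is recorded by Windows.

Added example for this thread, not Killbox's code and not from any poster.
A deferred delete lands in the REG_MULTI_SZ value PendingFileRenameOperations
under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager as a pair of
strings: the source as an NT path (\??\C:\...) and an empty destination.
This module encodes and decodes that value offline; it does not touch the
registry.
"""
from typing import List, Sequence, Tuple

NT_PREFIX = "\\??\\"

# The file list from the post above.
KILLBOX_FILES = [
    r"C:\sqmdata08.sqm",
    r"C:\sqmnoopt08.sqm",
    r"C:\sqmnoopt07.sqm",
    r"C:\sqmdata07.sqm",
    r"C:\WINDOWS\006203_.tmp",
    r"C:\sqmdata06.sqm",
    r"C:\sqmnoopt06.sqm",
]


def to_nt_path(path: str) -> str:
    """Win32 path -> NT object path, the form Session Manager expects."""
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def from_nt_path(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def build_pending_ops(deletes: Sequence[str],
                      renames: Sequence[Tuple[str, str]] = ()) -> bytes:
    """Encode delete and rename requests as REG_MULTI_SZ bytes.

    REG_MULTI_SZ is UTF-16LE: every string ends in a NUL and the whole list
    ends in one extra NUL. A delete is a pair whose second string is empty.
    """
    entries: List[str] = []
    for path in deletes:
        entries += [to_nt_path(path), ""]
    for src, dst in renames:
        entries += [to_nt_path(src), to_nt_path(dst)]
    if not entries:
        return "\0\0".encode("utf-16-le")
    return ("".join(e + "\0" for e in entries) + "\0").encode("utf-16-le")


def pair_up(entries: Sequence[str]) -> List[Tuple[str, str, str]]:
    """Turn the flat string list into (action, source, destination) tuples."""
    if len(entries) % 2:
        raise ValueError("PendingFileRenameOperations must hold string pairs")
    ops: List[Tuple[str, str, str]] = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        action = "delete" if dst == "" else "rename"
        ops.append((action, from_nt_path(src), from_nt_path(dst)))
    return ops


def parse_pending_ops(blob: bytes) -> List[Tuple[str, str, str]]:
    """Decode REG_MULTI_SZ bytes into the operations they schedule.

    The empty strings are significant (they mark deletes), so the list is
    split on every NUL and paired; only the final double NUL is removed.
    """
    text = blob.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    text = text[:-2]
    if not text:
        return []
    return pair_up(text.split("\0"))


if __name__ == "__main__":
    for op in parse_pending_ops(build_pending_ops(KILLBOX_FILES)):
        print(op)
```

The caveat this encodes is the one worth knowing when you check Killbox's work: a REG_MULTI_SZ reader that stops at the first empty string will show only the first queued path and lose every delete marker after it, so inspect the raw value pairwise. On the machine itself, `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations` shows what is queued before you reboot; the value disappears once Session Manager has processed it.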
  • Browntoa
    Then a new HijackThis log for me.
  • You also appear to have some leftover Symantec entries:

    Run this tool - ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe
This discussion has been closed.