Need Help Urgently Might Have Been Attacked
TICK and FIX these ~
C:\Program Files\0Spam.com Express\Express.exe
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Winamp Toolbar Loader - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - (no file)
O2 - BHO: (no name) - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - (no file)
O3 - Toolbar: (no name) - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - (no file)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O4 - HKLM\..\Run: [0Spam.com Express] C:\Program Files\0Spam.com Express\Express.exe /silent
O4 - HKCU\..\RunOnce: [Shockwave Updater] C:\WINXP\system32\Adobe\Shockwave 11\SwHelper_1150595.exe -Update -1150595 -"Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) ; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)" -"http://www8.agame.com/games/shockwave/d/dance_trends_3d/dance_trends_3d_games_ co_uk.htm"
O8 - Extra context menu item: &Winamp Search - C:\Documents and Settings\All Users.WINXP\Application Data\Winamp Toolbar\ieToolbar\resources\en-US\local\search.html
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
O23 - Service: Retrospect Launcher (RetroLauncher) - Unknown owner - C:\Program Files\Dantz\Retrospect\retrorun.exe (file missing)
run LSP FIX
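As an added example (not code from the thread, the helper, or HijackThis itself), here is a small Python triage pass over lines in the shape of the logs posted in this thread: it flags entries whose target is missing ("(no file)", "(file missing)"), flags the two bundled toolbars the helper marked for removal, and sets aside autoruns that live in user-writable paths for manual review. The sample lines are constructed from entries in this thread; the marker lists and the verdict names are assumptions for illustration.

```python
"""Triage pass over HijackThis-style log lines (added example, not from the thread)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample: six lines in the shape of the HijackThis logs posted in this thread.
SAMPLE_LOG = """\
R3 - URLSearchHook: (no name) - *{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\\Program Files\\AskBarDis\\bar\\bin\\askBar.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O4 - HKCU\\..\\Run: [uTorrent] "C:\\Documents and Settings\\Owner.WINDMILL\\Desktop\\Downloads\\utorrent.exe"
O23 - Service: Retrospect Launcher (RetroLauncher) - Unknown owner - C:\\Program Files\\Dantz\\Retrospect\\retrorun.exe (file missing)
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - (no file)
"""

# Every HijackThis finding starts with a section code (R0-R3, O1-O24) followed by " - ".
HJT_LINE = re.compile(r"^(?P<section>[RO]\d{1,2}) - (?P<body>.+)$")

# Marker lists are assumptions for illustration. The orphan markers are HijackThis's own
# wording; the adware markers are the two bundled toolbars the helper told the poster
# to fix; the path markers pick out autoruns that do not live under Program Files.
ORPHAN_MARKERS = ("(no file)", "(file missing)")
ADWARE_MARKERS = ("askbardis", "winamp toolbar")
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\desktop\\")


@dataclass
class Finding:
    section: str
    verdict: str   # "orphan", "adware", "review" or "ok"
    reason: str
    line: str


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None for header and process-list lines."""
    m = HJT_LINE.match(line.strip())
    if m is None:
        return None
    section, body = m.group("section"), m.group("body")
    low = body.lower()
    if any(mk in low for mk in ORPHAN_MARKERS):
        return Finding(section, "orphan", "entry points at a file that is no longer on disk", line)
    if any(mk in low for mk in ADWARE_MARKERS):
        return Finding(section, "adware", "bundled toolbar marked for removal", line)
    if section == "O4" and any(p in low for p in USER_WRITABLE):
        return Finding(section, "review", "autorun from a user-writable path; confirm the publisher", line)
    return Finding(section, "ok", "", line)


def triage(log: str) -> Dict[str, List[Finding]]:
    """Bucket every recognised line of a log by verdict, preserving log order."""
    buckets: Dict[str, List[Finding]] = {"orphan": [], "adware": [], "review": [], "ok": []}
    for raw in log.splitlines():
        finding = classify(raw)
        if finding is not None:
            buckets[finding.verdict].append(finding)
    return buckets


def fix_list(log: str) -> List[str]:
    """Lines a helper would tell the poster to tick in HijackThis: orphans plus known adware."""
    buckets = triage(log)
    return [f.line for f in buckets["orphan"] + buckets["adware"]]


if __name__ == "__main__":
    for verdict, findings in triage(SAMPLE_LOG).items():
        for f in findings:
            print(f"{verdict:7} {f.section:4} {f.reason}")
```

The script only reads the saved log text and never touches the registry, so it can be run against any log before deciding what to tick.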
And this is the latest log. The computer seems to be running OK now; in fact it is not as sluggish as it was previously, and I've also noted that it is not freezing like it had a habit of doing. But maybe I'm running ahead of myself?
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 00:18:10, on 23/02/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINXP\System32\smss.exe
C:\WINXP\system32\winlogon.exe
C:\WINXP\system32\services.exe
C:\WINXP\system32\lsass.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\svchost.exe
C:\WINXP\Explorer.EXE
C:\WINXP\system32\spoolsv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINXP\System32\svchost.exe
C:\WINXP\System32\wltrysvc.exe
C:\WINXP\System32\bcmwltry.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINXP\system32\ctfmon.exe
C:\WINXP\System32\svchost.exe
C:\WINXP\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINXP\system32\msiexec.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [P3000x_S2P] C:\PROGRAM FILES\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe
O4 - HKLM\..\Run: [SBAMTray] C:\Program Files\Sunbelt Software\VIPRE\SBAMTray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [uTorrent] "C:\Documents and Settings\Owner.WINDMILL\Desktop\Downloads\utorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINXP\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINXP\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINXP\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\WINXP\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\WINXP\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINXP\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {138E6DC9-722B-4F4B-B09D-95D191869696} (Bebo Uploader Control) - http://www.bebo.com/files/BeboUploader.5.8.05.cab
O16 - DPF: {A3256902-51FA-45A0-8A97-FC1143C169D9} (Diagnostics ActiveX WebControl) - http://support.microsoft.com/mats/DiagWebControl.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/Optimize3/pcpitstop2.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINXP\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINXP\System32\browseui.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Retrospect Launcher (RetroLauncher) - Unknown owner - C:\Program Files\Dantz\Retrospect\retrorun.exe (file missing)
O23 - Service: VIPRE Antivirus + Antispyware (SBAMSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\VIPRE\SBAMSvc.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINXP\System32\wltrysvc.exe
--
End of file - 6579 bytes
This must be one of the most helpful forums on the internet.
Kevin
Open Notepad and copy/paste the text in RED below
File::
c:\winxp\options.dat
c:\winxp\system32\sbbd.exe
c:\winxp\system32\ezsidmv.dat
C:\results_p5_4.bin
Save this as "CFScript" (FULL file will be 'CFScript.txt' EXACTLY as shown)
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply
ComboFix should never take more than 30 minutes including the reboot if malware is detected.
If it does, open Task Manager, then the Processes tab (press Ctrl, Alt and Del at the same time), and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
Here's the new log. ComboFix is still advising me that AVG is running, yet I've tried AVG's own uninstaller, removing files/folders manually, can't find it anywhere I look, and from what I've been reading other people seem to have the same trouble.
Anyway here's the log.
ComboFix 10-02-22.07 - Owner 23/02/2010 12:50:25.2.1 - x86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.510.278 [GMT 0:00]
Running from: c:\documents and settings\Owner.WINDMILL\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Owner.WINDMILL\Desktop\Anne's Tax\CFScript.txt
AV: AVG Anti-Virus Free *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
AV: Sunbelt VIPRE *On-access scanning disabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
FILE ::
"C:\results_p5_4.bin"
"c:\winxp\options.dat"
"c:\winxp\system32\ezsidmv.dat"
"c:\winxp\system32\sbbd.exe"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\results_p5_4.bin
c:\winxp\options.dat
c:\winxp\system32\ezsidmv.dat
c:\winxp\system32\sbbd.exe
.
((((((((((((((((((((((((( Files Created from 2010-01-23 to 2010-02-23 )))))))))))))))))))))))))))))))
.
2010-02-22 16:39 . 2010-02-22 16:39 388096 ----a-r- c:\documents and settings\Owner.WINDMILL\Application Data\Microsoft\Installer\{0761C9A8-8F3A-4216-B4A7-B7AFBF24A24A}\HiJackThis.exe
2010-02-22 16:39 . 2010-02-22 16:39 d-----w- c:\program files\TrendMicro
2010-02-22 11:58 . 2010-02-22 11:58 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\Malwarebytes
2010-02-22 11:58 . 2010-01-07 16:07 38224 ----a-w- c:\winxp\system32\drivers\mbamswissarmy.sys
2010-02-22 11:58 . 2010-02-22 11:58 d-----w- c:\documents and settings\All Users.WINXP\Application Data\Malwarebytes
2010-02-22 11:58 . 2010-01-07 16:07 19160 ----a-w- c:\winxp\system32\drivers\mbam.sys
2010-02-22 11:58 . 2010-02-22 12:00 d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-02-22 07:31 . 2010-02-22 07:31
d-sh--w- c:\documents and settings\Administrator.LAPTOP_1.0000\IETldCache
2010-02-21 20:50 . 2010-02-21 20:50 d-----w- c:\winxp\system32\wbem\Repository
2010-02-21 20:47 . 2010-02-21 20:47 d-----w- c:\program files\Microsoft ATS
2010-02-19 16:16 . 2010-02-19 16:16 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\ElevatedDiagnostics
2010-02-15 01:02 . 2010-02-15 01:38 d-----w- c:\program files\Evisoft
2010-02-13 22:13 . 2010-02-23 00:34 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\dvdcss
2010-02-10 18:23 . 2010-02-10 18:23 d-----w- C:\temp
2010-02-10 18:23 . 2009-05-28 16:52 425984 ----a-w- c:\temp\ZbotUtility.exe
2010-02-09 22:12 . 2010-02-09 22:12 d-----w- c:\documents and settings\Administrator.LAPTOP_1\Application Data\Sunbelt
2010-02-09 22:12 . 2010-02-09 22:12 d-----w- c:\documents and settings\Administrator.LAPTOP_1\IETldCache
2010-02-09 22:12 . 2010-02-11 22:08 d-----w- c:\documents and settings\Administrator.LAPTOP_1\Local Settings\Application Data\Microsoft
2010-02-09 22:12 . 2010-02-11 22:08
d-s---w- c:\documents and settings\Administrator.LAPTOP_1
2010-02-07 22:18 . 2010-02-07 22:18 d-----w- c:\documents and settings\Owner.WINDMILL\Local Settings\Application Data\MicroVision Applications
2010-02-07 13:08 . 2010-02-07 22:58 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\Vso
2010-02-07 13:08 . 2010-02-07 22:58 47360 ----a-w- c:\documents and settings\Owner.WINDMILL\Application Data\pcouffin.sys
2010-02-07 13:08 . 2010-02-07 13:08 47360 ----a-w- c:\winxp\system32\drivers\pcouffin.sys
2010-02-06 15:50 . 2010-02-07 23:21 d-----w- c:\program files\Common Files\Nero
2010-02-03 12:07 . 2010-02-03 12:12 d-----w- c:\program files\Port Forwarding Wizard
2010-02-02 22:50 . 2010-02-23 00:35 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\vlc
2010-02-02 20:15 . 2010-02-02 20:15 d-----w- c:\program files\VideoLAN
2010-02-02 09:07 . 2010-02-02 09:07 d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Talkback
2010-02-02 09:06 . 2010-02-02 09:07 d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Thunderbird
2010-02-02 09:06 . 2010-02-02 09:07 d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Application Data\Thunderbird
2010-01-31 00:07 . 2010-01-31 00:07 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\DivX
2010-01-30 23:44 . 2010-02-06 13:25 d-----w- c:\program files\DivX
2010-01-28 17:19 . 2010-02-23 12:46 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\uTorrent
2010-01-28 10:46 . 2010-01-28 10:46 d-----w- c:\documents and settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Mozilla
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-02-23 00:01 . 2009-02-21 23:42 d-----w- c:\program files\Winamp Toolbar
2010-02-22 22:18 . 2004-12-22 21:17 d-----w- c:\program files\Mozilla Thunderbird
2010-02-22 21:53 . 2009-04-30 14:55 d-----w- c:\documents and settings\All Users.WINXP\Application Data\Google Updater
2010-02-11 22:14 . 2008-12-31 12:47 d-----w- c:\program files\RadarSync
2010-02-11 22:14 . 2007-10-22 21:37 d-----w- c:\program files\Keyword Elite
2010-02-09 22:04 . 2009-11-14 12:24 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\Skype
2010-02-09 21:38 . 2009-11-14 16:07 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\skypePM
2010-02-06 20:44 . 2005-11-20 17:45 d-----w- c:\program files\Ahead
2010-01-30 22:52 . 2004-03-09 00:26 d-----w- c:\program files\Common Files\Adobe
2010-01-27 15:47 . 2009-11-01 13:00 d-----w- c:\program files\Common Files\Adobe AIR
2010-01-27 15:47 . 2009-11-01 13:00 38784 ----a-w- c:\documents and settings\Default User.WINXP\Application Data\Macromedia\Flash Player\https://www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-27 15:47 . 2008-10-01 10:19 38784 ----a-w- c:\documents and settings\Owner.WINDMILL\Application Data\Macromedia\Flash Player\https://www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2010-01-23 10:03 . 2008-10-24 19:12 d-----w- c:\program files\0Spam.com Express
2010-01-22 22:41 . 2010-01-22 22:41 d-----w- c:\documents and settings\Owner.WINDMILL\Application Data\Sunbelt
2010-01-22 22:40 . 2010-01-22 22:40 d-----w- c:\documents and settings\All Users.WINXP\Application Data\Sunbelt
2010-01-22 22:34 . 2010-01-22 22:34 d-----w- c:\program files\Sunbelt Software
2009-12-31 16:50 . 2003-07-16 20:46 353792 ----a-w- c:\winxp\system32\drivers\srv.sys
2009-12-23 20:49 . 2009-12-23 20:49 3584 ----a-r- c:\documents and settings\Owner.WINDMILL\Application Data\Microsoft\Installer\{121634B0-2F4B-11D3-ADA3-00C04F52DD52}\Icon386ED4E3.exe
2009-12-21 19:14 . 2005-06-17 23:49 916480 ------w- c:\winxp\system32\wininet.dll
2009-12-19 00:07 . 2009-07-28 14:06 1 ----a-w- c:\documents and settings\Owner.WINDMILL\Application Data\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2009-12-16 18:43 . 2005-11-19 17:51 343040 ----a-w- c:\winxp\system32\mspaint.exe
2009-12-14 07:08 . 2003-07-16 20:26 33280 ----a-w- c:\winxp\system32\csrsrv.dll
2009-12-08 19:27 . 2003-07-16 20:39 2189184 ------w- c:\winxp\system32\ntoskrnl.exe
2009-12-08 18:43 . 2002-08-29 01:04 2066048 ------w- c:\winxp\system32\ntkrnlpa.exe
2009-12-04 18:22 . 2003-07-16 20:34 455424 ----a-w- c:\winxp\system32\drivers\mrxsmb.sys
2009-11-29 18:47 . 2003-02-21 04:42 348160 ----a-w- c:\winxp\system32\msvcr71.dll
2009-11-29 18:47 . 2003-03-18 22:14 499712 ----a-w- c:\winxp\system32\msvcp71.dll
2009-11-27 17:11 . 2003-07-16 20:42 1291776 ----a-w- c:\winxp\system32\quartz.dll
2009-11-27 17:11 . 2001-08-17 22:36 17920 ----a-w- c:\winxp\system32\msyuv.dll
2009-11-27 16:07 . 2003-07-16 20:36 28672 ----a-w- c:\winxp\system32\msvidc32.dll
2009-11-27 16:07 . 2001-08-17 22:36 8704 ----a-w- c:\winxp\system32\tsbyuv.dll
2009-11-27 16:07 . 2003-07-16 20:36 11264 ----a-w- c:\winxp\system32\msrle32.dll
2009-11-27 16:07 . 2003-07-16 20:24 84992 ----a-w- c:\winxp\system32\avifil32.dll
2009-11-27 16:07 . 2001-08-17 22:36 48128 ----a-w- c:\winxp\system32\iyuv_32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"uTorrent"="c:\documents and settings\Owner.WINDMILL\Desktop\Downloads\utorrent(2).exe" [2010-02-11 319280]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-25 149280]
"P3000x_S2P"="c:\program files\DELL\DELL LASER MFP 1600N\PSU\ScanToPc.exe" [2004-10-27 57344]
"SBAMTray"="c:\program files\Sunbelt Software\VIPRE\SBAMTray.exe" [2010-01-04 959824]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-12-22 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2009-12-11 948672]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2010-02-03 198160]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\winxp\System32\CTFMON.EXE" [2008-04-14 15360]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2008-04-14 53760]
c:\documents and settings\Kevin\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2005-10-11 225280]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= "c:\program files\DVDIdle Pro\DVDShell.dll" [2004-10-09 49152]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SBAMSvc]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2009-12-22 01:57 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2009-10-09 13:11 25623336 ----a-r- c:\program files\Skype\Phone\Skype.exe
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver MX\\Dreamweaver.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"c:\\Program Files\\Ipswitch\\WS_FTP Professional\\wsftpgui.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"c:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"c:\\Program Files\\old-SmartFTP Client\\SmartFTP.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Documents and Settings\\Owner.WINDMILL\\Desktop\\Downloads\\utorrent.exe"=
"c:\\Documents and Settings\\Owner.WINDMILL\\Desktop\\Downloads\\utorrent(2).exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"45682:TCP"= 45682:TCP:torrent
R1 sbaphd;sbaphd;c:\winxp\system32\drivers\sbaphd.sys [23/01/2010 11:36 13360]
R1 SBRE;SBRE;c:\winxp\system32\drivers\SBREDrv.sys [13/10/2009 08:22 95024]
R1 sbtis;sbtis;c:\winxp\system32\drivers\sbtis.sys [23/01/2010 11:31 203056]
R2 sbapifs;sbapifs;c:\winxp\system32\drivers\sbapifs.sys [23/01/2010 11:36 69936]
S1 SASKUTIL;SASKUTIL;\??\c:\program files\SUPERAntiSpyware\SASKUTIL.sys --> c:\program files\SUPERAntiSpyware\SASKUTIL.sys [?]
S2 SBAMSvc;VIPRE Antivirus + Antispyware;c:\program files\Sunbelt Software\VIPRE\SBAMSvc.exe [04/01/2010 17:02 1012080]
S3 NaiAvFilter101;NAI Anti Virus;\Device\NaiAvFilter101.sys --> \Device\NaiAvFilter101.sys [?]
S3 NaiAvFilter102;NAI Anti Virus;\Device\NaiAvFilter102.sys --> \Device\NaiAvFilter102.sys [?]
S3 NaiAvFilter103;NAI Anti Virus;\Device\NaiAvFilter103.sys --> \Device\NaiAvFilter103.sys [?]
S4 Mrapncktnde;Mrapncktnde; [x]
.
Contents of the 'Scheduled Tasks' folder
2010-02-18 c:\winxp\Tasks\Disk Cleanup.job
- c:\winxp\system32\cleanmgr.exe [2003-07-16 00:12]
2010-02-23 c:\winxp\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2009-04-30 14:55]
.
.
Supplementary Scan
.
uStart Page = hxxp://www.msn.com
uSearchMigratedDefaultURL = hxxp://search.msn.co.uk/previewx.aspx?q={searchTerms}&FORM=CBPW&first=1&noredir=1
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Owner.WINDMILL\Application Data\Mozilla\Firefox\Profiles\zf5wex5l.default\
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.co.uk/
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/search?fr=yhs-avgb&type=yahoo_avg_hs2-tb-web_uk&p=
FF - component: c:\program files\Real\RealPlayer\browserrecord\firefox\ext\components\nprpffbrowserrecordext.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\winxp\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
---- FIREFOX POLICIES ----
FF - user.js: yahoo.homepage.dontask - true.
- - - - ORPHANS REMOVED - - - -
WebBrowser-{3041D03E-FD4B-44E0-B742-2D9B88305F98} - c:\program files\AskBarDis\bar\bin\askBar.dll
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-02-23 12:59
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
LOCKED REGISTRY KEYS
[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{F71B406A-64B6-7890-A4E79C228CB5B5C7}\{B2D97AB2-1AAA-0E19-47D2DF75F80031A6}\{B1F98325-4C85-36BE-448BCE0A416EDA34}*]
"1D1OWFM6WKF6TLM3S2BGKKUUDG1"=hex:01,00,01,00,00,00,00,00,71,4a,e0,45,b7,4f,44,
fb,35,81,92,71,e8,29,5a,84,14,35,16,70,d8,6e,ff,61
.
DLLs Loaded Under Running Processes
- - - - - - - > 'winlogon.exe'(820)
c:\winxp\System32\BCMLogon.dll
- - - - - - - > 'lsass.exe'(876)
c:\winxp\system32\POP3Intercept_lsp.dll
.
Completion time: 2010-02-23 13:04:29
ComboFix-quarantined-files.txt 2010-02-23 13:04
ComboFix2.txt 2010-02-22 18:28
Pre-Run: 7,339,970,560 bytes free
Post-Run: 7,316,393,984 bytes free
- - End Of File - - CCE1F48A5EFD5D9E6681E0E1EE52260C
Try cleaning up the system ~
Download CCLEANER
http://www.ccleaner.com/download/builds/downloading-slim
Run the CLEANER scan (UNTICK 'cookies')
Then run the REGISTRY scan (Backup the registry when it asks)
reboot
Download GLARY UTILITIES
http://www.glaryutilities.com/download/gusetup_slim.exe
Run the ONE CLICK scan
Go to MODULES / SYSTEM TOOLS / WINDOWS STANDARD TOOLS / then run SYSTEM FILE CHECKER
I'd say you're good to go.
I'm not too hot with PCs, but can anyone help?
danceoftheshamen
Best thing to do first is start a new thread with your problem.
Removal instructions here:
http://forums.malwarebytes.org/index.php?showtopic=38629
If you get stuck or are not sure about anything, just ask.