tim.halls Posted April 16, 2008

Hi,

I have spent days attempting to identify the source of an infection. It appears to be somehow embedded in the file: C:\WINNT\System 32\Services.exe

I am now running the antivirus and spyware application "The Shield Deluxe" after being dissatisfied with Norton's Antivirus Corporate Edition. I was also running PCTools spyware previously at the time of infection. The Shield Deluxe informs that a "modification of riskware, i.e. 'Mass-mailer software'" has been detected with the above file system process "Services.exe".

I attach below my log from "Hijack This" in the hope you can pick any infiltration/issue:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:57:23 PM, on 16/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\LEXPPS.EXE
F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\Explorer.EXE
F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
F:\Program Files\Lexmark X74-X75\lxbbbmon.exe
F:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
F:\WINNT\system32\ctfmon.exe
F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
F:\Program Files\Google\Google Updater\GoogleUpdater.exe
F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
F:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
F:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adam.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=F:\WINNT\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)
O2 - BHO: Min stor proj. - {FFFFFFFF-D71D-41e4-A699-F506DBD097F0} - msindc.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [Lexmark X74-X75] "F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AudioDeck] F:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [AVP] "F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [PC Suite Tray] "F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Google Updater.lnk = F:\Program Files\Google\Google Updater\GoogleUpdater.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\WINNT\system32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: f:\winnt\system32\nwprovau.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {3C200107-2959-4C6E-91B8-F6D911B398A8} (Driver_Detective_v43_Members.DD_v43) - http://www.drivershq.com/cab/prod/Driver_D...v43_Members.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150564729610
O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photos.extrafilm.com.au/en/Photo/XUpload.ocx
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{83D3E1CC-BCBE-49FF-A428-AE9A0F579EE4}: NameServer = 203.2.124.164,203.2.124.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF82F7C1-7924-443F-BA96-A441ADAC80F0}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: mgsmpvgk - mgsmpvgk.dll (file missing)
O20 - Winlogon Notify: __c0063FF1 - __c0063FF1.dat (file missing)
O20 - Winlogon Notify: __c00AFDDB - __c00AFDDB.dat (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINNT\system32\LEXBCES.EXE
O23 - Service: ptssvc - KODAK - F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: ScsiAccess - Unknown owner - F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - file:///E:/Kathy's%20Japan%20Trip_2003/Family_2003/Wilmington/55229775_lrg.jpg

--
End of file - 9069 bytes

I trust this helps define my issue for looking.

With thanks, Tim
rmurphy Posted April 16, 2008

Welcome to BestTechie! I'm Ryan, and I'll be helping you clean your computer.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.

Close any open browsers.

Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".

Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

Close any open browsers.

WARNING: Combofix will disconnect your machine from the Internet as soon as it starts. Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.

If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

- Double click on combofix.exe & follow the prompts.
- When finished, it will produce a report for you.
- Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

-Ryan
tim.halls (Author) Posted April 16, 2008 (edited)

Hi Ryan

Good (a relief) to hear from you. I am about to follow your below routine to the letter. I'll post again as soon as I have the information you have requested.

Tim

Edited April 17, 2008 by timh
tim.halls (Author) Posted April 17, 2008

Hi Ryan

Please find enclosed logs from HijackThis and ComboFix. ComboFix appears to have removed my mass mail spammer (with many thanks). My virus and spyware application The Shield Deluxe 2008 (read: Kaspersky & spyware) no longer raises the alert of blocking a mass mailer and the email blocker application shows no emails are being generated. This is a great relief. (The email blocker demonstrated that over 1,000 emails were being generated in a period of 20-30 minutes.)

This leaves the following as questions remaining:

1. ComboFix placed the "qoobox" directory under "Program Files".
- Do I need to hang on to this or can it be deleted? What purpose does it serve?

2. HijackThis references the following:
O20 - Winlogon Notify: mgsmpvgk - mgsmpvgk.dll (file missing)
O20 - Winlogon Notify: __c0063FF1 - __c0063FF1.dat (file missing)
O20 - Winlogon Notify: __c00AFDDB - __c00AFDDB.dat (file missing)
- Do I need to replace these files? Are they significant in the running of the PC?
O10 - Unknown file in Winsock LSP: f:\winnt\system32\nwprovau.dll
- I am concerned about this. I understand that viruses can "hook" via this protocol (service) to your email and internet activity. Is this anything to worry about?

3. The ComboFix log establishes that I do not have Console Recovery in my startup routine (XP, SP2) to access?
- Do I add this? What are the merits of having it?

4. There may be other matters I should turn my attention to which you pick up as a concern.
- Please advise if this is the case - I will be directed by you.

5. This is my second post as I accidentally hit the escape key just prior to posting my reply (annoying).
- Is there any way of restoring the previous text where this happens?

Please find the two logs enclosed below as files.

Cheers, Tim

Attachments:
ComboFix.txt
hijackthis.txt
rmurphy Posted April 17, 2008

There's still some work to be done.

== Install Recovery Console ==

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System. Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

When complete, a log named CF_RC.txt will open. Please post the contents of that log.

== Fix HJT Entries ==

You will want to print out a copy of these instructions to follow while you complete this procedure, as you will not be able to access the internet later in the fix.

Open HiJack This and scan. When it finishes, put an X in the box next to these following item(s):

O20 - Winlogon Notify: mgsmpvgk - mgsmpvgk.dll (file missing)
O20 - Winlogon Notify: __c0063FF1 - __c0063FF1.dat (file missing)
O20 - Winlogon Notify: __c00AFDDB - __c00AFDDB.dat (file missing)

Close all open windows except for HiJack This and click fix checked.

Reboot your computer.

== CFScript ==

1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
F:\WINNT\system32\csuwwinu.ini
F:\WINNT\system32\lnjvmcmp.ini
F:\WINNT\system32\mgsmpvgk.dll
F:\WINNT\system32\__c0063FF1.dat
F:\WINNT\system32\__c00AFDDB.dat

RenV::
----a-w 50,795,746 2003-11-13 21:53:42 F:\Documents and Settings\Tim Halls\My Documents\Shared Files\Applications\Partition Magic\Partition Magic 8 Pro FULL BY PILPELON .exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

5. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

Please post these directly as a reply (do not attach them), as it makes it easier for me to read them when they are on the forum.

-Ryan
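The triage the helper does by eye above (orphaned O20 Winlogon Notify entries, an O18 filter hijack, an O10 LSP that HijackThis cannot identify, and any entry whose file is already gone) can be expressed as a small parser over the log format. The script below is an added example written for this page; it is not Ryan's tool, not part of HijackThis or ComboFix, and the severity labels are this example's own heuristics. The sample lines are copied from the log posted earlier in the thread so the output can be compared with what was actually flagged.

```python
"""Triage a HijackThis (HJT) log for orphaned and high-risk autostart entries.

Added example, not from the thread or from HijackThis. It parses the
"Oxx - ..." line format and ranks entries roughly the way a malware-removal
helper reads them: Winlogon Notify packages and MIME filter hijacks first,
unknown Winsock LSPs next, then entries whose file no longer exists.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: Min stor proj. - {FFFFFFFF-D71D-41e4-A699-F506DBD097F0} - msindc.dll (file missing)
O4 - HKLM\..\Run: [AVP] "F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O10 - Unknown file in Winsock LSP: f:\winnt\system32\nwprovau.dll
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: mgsmpvgk - mgsmpvgk.dll (file missing)
O20 - Winlogon Notify: __c0063FF1 - __c0063FF1.dat (file missing)
O23 - Service: ServiceLayer - Nokia. - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
"""

# HJT entry lines look like "O20 - Winlogon Notify: ..." or "R1 - HKCU\...".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# HJT prints one of these when the file an entry points at is absent.
ORPHAN_MARKERS = ("(file missing)", "(no file)")
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass
class Finding:
    severity: str   # "high", "medium" or "low" (this example's own scale)
    section: str    # HJT section code, e.g. "O20"
    reason: str
    line: str       # the original log line, for the reader to act on


def parse_hjt(text):
    """Return (section, body, line) for every HJT entry line; other lines
    (the header, the 'Running processes' list) are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("section"), m.group("body"), line))
    return entries


def triage(text):
    """Classify the entries of an HJT log and return findings, highest severity first."""
    findings = []
    for section, body, line in parse_hjt(text):
        orphan = any(mark in body for mark in ORPHAN_MARKERS)
        if section == "O20" and body.startswith("Winlogon Notify:"):
            # Notify packages are DLLs loaded into winlogon.exe at logon. One whose
            # file is already gone is a dead persistence entry; one whose file is
            # present needs its publisher verified before anything is done.
            reason = ("Winlogon Notify package, file missing: dead entry left by removed malware"
                      if orphan else "Winlogon Notify package: verify the DLL's publisher")
            findings.append(Finding("high", section, reason, line))
        elif section == "O18" and body.startswith("Filter hijack:"):
            findings.append(Finding("high", section, "MIME filter hijack", line))
        elif section == "O10":
            # HJT cannot identify this LSP. Identify the DLL first; removing an LSP
            # file by hand breaks the Winsock chain and with it all networking.
            findings.append(Finding("medium", section,
                                    "Winsock LSP unknown to HJT: identify the DLL, do not delete it by hand", line))
        elif orphan:
            findings.append(Finding("low", section, "references a file that no longer exists", line))
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])   # stable: log order kept within a level
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section:4} {f.reason}\n         {f.line}")
```

Run against the sample, the three Winlogon/filter entries come out first, the LSP line next, and the two orphaned BHOs last; the Adobe BHO, the AVP Run key and the Nokia service are not reported because nothing in the line itself is abnormal. Anything this script does not flag still deserves a look: it only reads what HJT wrote, it does not check the files on disk.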
tim.halls (Author) Posted April 17, 2008

Hi Ryan

I have incorporated your below instructions/guidance. All went well. I provide the log files you requested below with some screenshots of the PC's Event Viewer for (i) System and (ii) Application.

When running application "RegCure" I have been getting the blue screen of death. This application is a sophisticated registry cleaner. This occurs when scanning the PC some way in. STOP code is STOP: 0x00000050, 0x00000000, 0x8054AA32, 0x00000000 - PAGE_FAULT_IN_NONPAGED_AREA. I have read the Microsoft Knowledge Base (for what it's worth) and have eliminated poor SDRAM as the issue after running MEMtest. I believe it may be related to service install issues (which is why I included the screenshots of Event Viewer).

Overnight, I have also increased the size of the boot partition since I note it only had 53.4 MB spare on a partition of 4.2 GB. I have increased this partition to 10 GB approx. From memory the pagefile is directed to the larger second partition on this primary drive. I haven't altered this as yet. Can you advise whether there is a clear preference for the pagefile to be located on the boot partition or not? Also whether directing it to a second partition on the primary drive is known to cause issues?

I thank you for your assistance thus far in bringing this PC back to life.
Here are the logs and screenshots:

Installation of Recovery Console
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Latest ComboFix
ComboFix 08-04-16.5 - Tim Halls 2008-04-17 16:28:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.501 [GMT 9.5:30]
Running from: F:\Documents and Settings\Tim Halls\Desktop\ComboFix.exe
Command switches used :: F:\Documents and Settings\Tim Halls\Desktop\CFScript.txt
 * Created a new restore point.

((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))
.
2008-04-17 16:15 . 2008-04-17 16:15 <DIR> d-------- F:\Program Files\Trend Micro
2008-04-17 12:21 . 2008-04-17 12:21 0 --ah----- F:\WINNT\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf
2008-04-17 10:59 . 2008-04-17 10:59 <DIR> d-------- F:\CRAP
2008-04-16 14:42 . 2008-04-16 15:12 91,700 --a------ F:\WINNT\system32\drivers\klin.dat
2008-04-16 14:42 . 2008-04-16 15:12 85,860 --a------ F:\WINNT\system32\drivers\klick.dat
2008-04-16 14:41 . 2008-04-16 14:41 <DIR> d-------- F:\Program Files\PCSecurityShield
2008-04-16 14:41 . 2008-04-17 16:21 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\PCSecurityShield
2008-04-16 14:41 . 2008-04-17 16:32 4,671,776 --ahs---- F:\WINNT\system32\drivers\fidbox.dat
2008-04-16 14:41 . 2008-04-17 16:17 66,440 --ahs---- F:\WINNT\system32\drivers\fidbox.idx
2008-04-16 14:41 . 2008-04-17 16:32 19,744 --ahs---- F:\WINNT\system32\drivers\fidbox2.dat
2008-04-16 14:41 . 2008-04-17 16:17 2,732 --ahs---- F:\WINNT\system32\drivers\fidbox2.idx
2008-04-16 01:18 . 2008-04-16 01:18 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-16 01:12 . 2008-04-16 01:12 <DIR> d-------- F:\Program Files\CCleaner
2008-04-14 23:59 . 2005-06-14 19:35 104,576 -ra------ F:\WINNT\system32\drivers\WCEUSBSH.SYS
2008-04-14 23:59 . 2005-06-14 19:35 104,576 --a--c--- F:\WINNT\system32\dllcache\wceusbsh.sys
2008-04-14 23:59 . 2005-06-14 19:35 63,596 -ra------ F:\WINNT\system32\drivers\WCEUSBSH.INF
2008-04-10 02:30 . 2008-04-10 02:30 <DIR> d-------- F:\Program Files\Windows Media Connect 2
2008-04-09 23:38 . 2008-04-09 23:38 127 --a------ F:\WINNT\system32\MRT.INI
2008-04-09 22:38 . 2004-08-03 23:08 25,600 --a------ F:\WINNT\system32\drivers\usbser.sys
2008-04-09 22:38 . 2004-08-03 23:08 25,600 --a--c--- F:\WINNT\system32\dllcache\usbser.sys
2008-04-09 22:31 . 2008-04-09 22:31 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Nokia
2008-04-09 22:31 . 2008-02-01 15:17 138,112 --a------ F:\WINNT\system32\drivers\nmwcdnsu.sys
2008-04-09 22:31 . 2008-02-01 15:17 8,320 --a------ F:\WINNT\system32\drivers\nmwcdnsuc.sys
2008-04-09 22:30 . 2007-11-29 10:33 1,419,232 --a------ F:\WINNT\system32\wdfcoinstaller01005.dll
2008-04-09 22:30 . 2007-11-29 10:39 95,744 --a------ F:\WINNT\system32\nmwcdcocls.dll
2008-04-09 22:30 . 2007-11-29 10:39 19,328 --a------ F:\WINNT\system32\drivers\ccdcmbo.sys
2008-04-09 22:30 . 2007-11-29 10:39 16,896 --a------ F:\WINNT\system32\drivers\ccdcmb.sys
2008-04-09 22:30 . 2007-11-29 10:39 8,064 --a------ F:\WINNT\system32\drivers\usbser_lowerfltj.sys
2008-04-09 22:30 . 2007-11-29 10:39 8,064 --a------ F:\WINNT\system32\drivers\usbser_lowerflt.sys
2008-04-03 20:06 . 2005-10-21 11:17 30,592 --------- F:\WINNT\system32\drivers\rndismpx.sys
2008-04-03 20:06 . 2005-10-21 11:17 12,800 --------- F:\WINNT\system32\drivers\usb8023x.sys
2008-04-03 19:59 . 2008-04-03 20:00 1,653,718 ---hs---- F:\WINNT\system32\csuwwinu.ini
2008-04-02 17:20 . 2008-04-03 20:00 1,598,361 ---hs---- F:\WINNT\system32\lnjvmcmp.ini
2008-03-31 22:52 . 2008-03-31 22:52 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\SolidDocuments
2008-03-31 20:06 . 2008-03-31 20:06 <DIR> d-------- F:\WINNT\PTSD Checklist Scoring and Interpretation Generator
2008-03-31 17:56 . 2008-03-31 17:56 <DIR> d-------- F:\WINNT\DASS 21 Scoring and Interpretation Generator
2008-03-31 17:56 . 2008-03-31 20:06 <DIR> d-------- F:\Program Files\Clintools
2008-03-28 17:24 . 2008-03-28 17:24 <DIR> d-------- F:\Documents and Settings\Tim Halls\Application Data\Adlib Software
2008-03-28 17:24 . 2008-03-28 17:24 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Adlib Software
2008-03-28 17:18 . 1997-04-14 08:16 124,416 --a------ F:\WINNT\system32\dzip32.dll
2008-03-28 17:18 . 1998-03-05 22:00 78,096 --a------ F:\WINNT\system32\Gapi32.dll
2008-03-28 17:11 . 2008-03-28 17:12 <DIR> d-------- F:\Program Files\Easy Macro Recorder
2008-03-28 17:11 . 2008-03-28 17:12 <DIR> d-------- F:\Documents and Settings\Tim Halls\Application Data\Easy Macro Recorder
2008-03-28 17:11 . 1998-06-23 23:00 67,376 --a------ F:\WINNT\system32\SYSINFO.OCX

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-16 06:16 --------- d-----w F:\Documents and Settings\Tim Halls\Application Data\SolidDocuments
2008-04-16 04:59 --------- d-----w F:\Program Files\Symantec
2008-04-16 04:59 --------- d-----w F:\Program Files\Common Files\Symantec Shared
2008-04-15 23:40 --------- d---a-w F:\Documents and Settings\All Users\Application Data\TEMP
2008-04-15 17:05 --------- d-----w F:\Documents and Settings\All Users\Application Data\Google Updater
2008-04-14 17:36 --------- d-----w F:\Program Files\Lexmark X74-X75
2008-04-14 10:43 --------- d-----w F:\Documents and Settings\All Users\Application Data\Installations
2008-04-11 13:30 --------- d-----w F:\Documents and Settings\All Users\Application Data\PC Suite
2008-04-09 13:01 --------- d-----w F:\Program Files\Nokia
2008-04-09 12:41 --------- d-----w F:\Program Files\Common Files\Nokia
2008-03-28 08:08 --------- d-----w F:\Program Files\Common Files\InstallShield
2008-03-28 07:48 --------- d--h--w F:\Program Files\InstallShield Installation Information
2008-03-19 09:47 1,845,248 ----a-w F:\WINNT\system32\win32k.sys
2008-03-15 00:04 --------- d-----w F:\Documents and Settings\All Users\Application Data\Symantec
2008-03-14 07:53 --------- d-----w F:\Program Files\VIA
2008-03-13 12:53 --------- d-----w F:\Documents and Settings\All Users\Application Data\PC Drivers Headquarters
2008-03-13 12:51 --------- d-----w F:\Program Files\PC Drivers HeadQuarters
2008-03-10 14:03 --------- d-----w F:\Program Files\MSXML 6.0
2008-03-01 13:06 826,368 ----a-w F:\WINNT\system32\wininet.dll
2008-02-25 10:24 105,088 ----a-w F:\WINNT\system32\drivers\Rtnicxp.sys
2008-02-20 06:51 282,624 ----a-w F:\WINNT\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w F:\WINNT\system32\dnsrslvr.dll
2008-02-01 05:47 90,624 ----a-w F:\WINNT\system32\nmwcdcls.dll
2003-08-23 10:18 271 --sh--w F:\Program Files\desktop.ini
2003-08-23 10:18 21,952 ---ha-w F:\Program Files\folder.htt
.
----a-w 50,795,746 2003-11-13 21:53:42 F:\Documents and Settings\Tim Halls\My Documents\Shared Files\Applications\Partition Magic\Partition Magic 8 Pro FULL BY PILPELON .exe

((((((((((((((((((((((((((((( snapshot@2008-04-17_10.04.15.91 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-17 00:24:44 2,048 --s-a-w F:\WINNT\bootstat.dat
+ 2008-04-17 06:49:12 2,048 --s-a-w F:\WINNT\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="F:\WINNT\system32\ctfmon.exe" [2004-08-04 21:30 15360]
"PC Suite Tray"="F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 09:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"1A:Stardock TrayMonitor"="" []
"Lexmark X74-X75"="F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 14:09 57344]
"AVP"="F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe" [2007-08-23 14:16 200768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"1A:Stardock TrayMonitor"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 21:30 214528]
"tscuninstall"="F:\WINNT\system32\tscupgrd.exe" [2004-08-04 21:30 44544]

F:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Greetings Workshop Reminders.lnk - F:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04 50688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"= F:\PROGRA~1\DVDREG~1\DVDShell.dll [2003-08-26 09:58 49152]
"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= F:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2001-04-12 17:05 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=F:\WINNT\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=F:\WINNT\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 20:52 483328 F:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
-ra------ 2007-08-09 14:48 528384 F:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
--a------ 2002-11-02 16:03 45056 F:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-04 21:30 208952 F:\WINNT\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]
--a------ 2005-12-04 16:39 461584 F:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
F:\WINNT\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]
--a------ 2006-12-05 21:55 54832 F:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]
--------- 2002-10-14 14:09 57344 F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-04 21:30 59392 F:\WINNT\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 10:50 155648 F:\WINNT\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware12]
--a------ 2002-08-01 03:49 49152 F:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
--a------ 2007-12-10 09:12 695808 F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
--a------ 2007-11-07 16:35 1294336 F:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-04 21:30 455168 F:\WINNT\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-04 21:30 455168 F:\WINNT\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--------- 2006-11-23 14:10 56928 F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Say the Time]
--a------ 2006-01-28 00:00 1253376 F:\Program Files\Say the Time\SayTime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]
F:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
-ra------ 2007-08-17 03:45 23120680 F:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
-ra------ 2001-08-02 13:48 124416 F:\WINNT\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-10-12 02:10 49263 F:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
--a------ 2004-08-04 21:30 143360 F:\WINNT\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]
F:\Program Files\NavNT\vptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TlntSvr"=3 (0x3)
"TermService"=3 (0x3)
"TapiSrv"=3 (0x3)
"SCardSvr"=3 (0x3)
"SCardDrv"=3 (0x3)
"RDSessMgr"=3 (0x3)
"RasMan"=3 (0x3)
"RasAuto"=3 (0x3)
"mnmsrvc"=3 (0x3)
"ERSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"F:\\Program Files\\Caplio Software\\RGateL.exe"=
"F:\\WINNT\\system32\\LEXPPS.EXE"=
"F:\\WINNT\\system32\\rundll32.exe"=
"F:\\WINNT\\system32\\dpvsetup.exe"=
"F:\\Program Files\\Caplio Software\\RGateLXP.exe"=
"F:\\Program Files\\CuteFTP\\CUTFTP32.EXE"=
"F:\\StubInstaller.exe"=
"F:\\Program Files\\LimeWire\\LimeWire.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"F:\\Program Files\\Skype\\Phone\\Skype.exe"=
"F:\\Program Files\\CounterPath\\X-Lite\\x-lite.exe"=
"F:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=
"F:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping
"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 videX32;videX32;F:\WINNT\system32\DRIVERS\videX32.sys [2007-09-21 16:49]
R1 VIAPFD;VIAPFD;F:\WINNT\system32\Drivers\VIAPFD.SYS [2001-05-04 16:54]
R2 ptssvc;ptssvc;F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe [2003-08-25 15:25]
S2 BT848;AVerMedia, AVerTV WDM Video Capture;F:\WINNT\system32\drivers\BT848.sys [2001-08-10 10:08]
S2 BTTUNER;AVerMedia, AVerTV WDM TvTuner;F:\WINNT\system32\drivers\BTTUNER.sys [2001-07-12 20:20]
S2 BTXBAR;AVerMedia, AVerTV WDM Crossbar;F:\WINNT\system32\drivers\BTXBAR.sys [1999-07-22 08:28]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;F:\WINNT\system32\Drivers\ousbehci.sys [2004-11-15 08:18]
S3 Eplpdx01;Eplpdx01;F:\WINNT\system32\Drivers\EPLPDX01.SYS [1998-05-25 19:30]
S3 FNC107;LevelOne 10/100Mbps Fast Ethernet Adapter NT Driver;F:\WINNT\system32\DRIVERS\FNC107.sys [2002-01-17 22:36]
S3 nmwcdnsu;Nokia USB Flashing Phone Parent;F:\WINNT\system32\drivers\nmwcdnsu.sys [2008-02-01 15:17]
S3 nmwcdnsuc;Nokia USB Flashing Generic;F:\WINNT\system32\drivers\nmwcdnsuc.sys [2008-02-01 15:17]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;F:\WINNT\system32\DRIVERS\ousb2hub.sys [2004-11-15 08:18]
S3 p2pgasvc;Peer Networking Group Authentication;F:\WINNT\system32\svchost.exe [2004-08-04 21:30]
S3 p2pimsvc;Peer Networking Identity Manager;F:\WINNT\system32\svchost.exe [2004-08-04 21:30]
S3 p2psvc;Peer Networking;F:\WINNT\system32\svchost.exe [2004-08-04 21:30]
S3 PNRPSvc;Peer Name Resolution Protocol;F:\WINNT\system32\svchost.exe [2004-08-04 
21:30]S3 upperdev;upperdev;F:\WINNT\system32\DRIVERS\usbser_lowerflt.sys [2007-11-29 10:39]S3 UsbserFilt;UsbserFilt;F:\WINNT\system32\DRIVERS\usbser_lowerfltj.sys [2007-11-29 10:39]S3 VcomPort1;%VcomPort1.SVCDESC%;F:\WINNT\system32\DRIVERS\vcomric1.sys [2002-05-10 01:04]S3 Winacpci;Winacpci;F:\WINNT\system32\DRIVERS\winacpci.sys [1999-09-24 23:55][HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc*Newly Created Service* - CATCHME.Contents of the 'Scheduled Tasks' folder"2007-09-05 11:11:25 F:\WINNT\Tasks\RegCure Program Check.job"- F:\Program Files\RegCure\RegCure.exe"2006-11-03 11:18:31 F:\WINNT\Tasks\RegCure.job"- F:\Program Files\RegCure\RegCure.exe.**************************************************************************catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.netRootkit scan 2008-04-17 16:32:35Windows 5.1.2600 Service Pack 2 NTFSscanning hidden processes ... scanning hidden autostart entries ...scanning hidden files ... 
scan completed successfullyhidden files: 0**************************************************************************.Completion time: 2008-04-17 16:34:32ComboFix-quarantined-files.txt 2008-04-17 07:04:22Pre-Run: 44,262,158,336 bytes freePost-Run: 44,255,780,864 bytes free.2008-04-13 15:00:22 --- E O F --- Latest HijackThisLogfile of Trend Micro HijackThis v2.0.2Scan saved at 7:54:26 AM, on 18/04/2008Platform: Windows XP SP2 (WinNT 5.01.2600)MSIE: Internet Explorer v7.00 (7.00.6000.16640)Boot mode: NormalRunning processes:F:\WINNT\System32\smss.exeF:\WINNT\system32\winlogon.exeF:\WINNT\system32\services.exeF:\WINNT\system32\lsass.exeF:\WINNT\system32\svchost.exeF:\WINNT\System32\svchost.exeF:\WINNT\system32\svchost.exeF:\WINNT\system32\LEXBCES.EXEF:\WINNT\system32\spoolsv.exeF:\WINNT\system32\LEXPPS.EXEF:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exeF:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeF:\Program Files\Kodak EasyShare software\bin\ptssvc.exeF:\Program Files\CyberLink\Shared Files\RichVideo.exeF:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exeF:\Program Files\Photodex\ProShowGold\ScsiAccess.exeF:\WINNT\system32\svchost.exeF:\WINNT\Explorer.EXEF:\Program Files\Lexmark X74-X75\lxbbbmgr.exeF:\Program Files\Lexmark X74-X75\lxbbbmon.exeF:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exeF:\WINNT\system32\ctfmon.exeF:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exeF:\Program Files\PC Connectivity Solution\ServiceLayer.exeF:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exeF:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exeF:\Program Files\Internet Explorer\iexplore.exeF:\Program Files\Trend Micro\HijackThis\HijackThis.exeR0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adam.com.au/R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKLM\Software\Microsoft\Internet 
Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhostO2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dllO2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dllO2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dllO2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dllO2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dllO2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dllO3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dllO3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dllO3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dllO4 - HKLM\..\Run: [Lexmark X74-X75] "F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"O4 - HKLM\..\Run: [AVP] "F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"O4 - HKCU\..\Run: [ctfmon.exe] F:\WINNT\system32\ctfmon.exeO4 - HKCU\..\Run: [PC Suite Tray] "F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytrayO4 - HKUS\S-1-5-19\..\Run: [spyware Doctor] "F:\Program Files\Spyware 
Doctor\swdoctor.exe" /Q (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')O4 - HKUS\S-1-5-20\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')O9 - Extra button: (no name) - SolidConverterPDF - (no file)O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dllO9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dllO9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dllO9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\WINNT\system32\shdocvw.dllO9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLLO9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exeO9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exeO9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exeO9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exeO9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)O10 - Unknown 
file in Winsock LSP: f:\winnt\system32\nwprovau.dllO16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CABO16 - DPF: {3C200107-2959-4C6E-91B8-F6D911B398A8} (Driver_Detective_v43_Members.DD_v43) - http://www.drivershq.com/cab/prod/Driver_D...v43_Members.CABO16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150564729610O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cabO16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photos.extrafilm.com.au/en/Photo/XUpload.ocxO16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CABO17 - HKLM\System\CCS\Services\Tcpip\..\{83D3E1CC-BCBE-49FF-A428-AE9A0F579EE4}: NameServer = 203.2.124.164,203.2.124.165O17 - HKLM\System\CCS\Services\Tcpip\..\{FF82F7C1-7924-443F-BA96-A441ADAC80F0}: NameServer = 192.168.1.1O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLLO23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exeO23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exeO23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exeO23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. 
- F:\WINNT\system32\LEXBCES.EXE
O23 - Service: ptssvc - KODAK - F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: ScsiAccess - Unknown owner - F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O24 - Desktop Component 0: (no name) - file:///E:/Kathy's%20Japan%20Trip_2003/Family_2003/Wilmington/55229775_lrg.jpg

--
End of file - 8218 bytes

Event Viewer Screenshots - System - Sorry Ryan, I will forward these later as I have encountered a problem.

Cheers and thanks for now, Tim

Quote from rmurphy:
There's still some work to be done.

== Install Recovery Console ==
Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System. Download the file & save it as it's originally named, next to ComboFix.exe. Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and, when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

== Fix HJT Entries ==
You will want to print out a copy of these instructions to follow while you complete this procedure, as you will not be able to access the internet later in the fix.
Open HiJack This and scan. When it finishes, put an X in the box next to the following item(s):

O20 - Winlogon Notify: mgsmpvgk - mgsmpvgk.dll (file missing)
O20 - Winlogon Notify: __c0063FF1 - __c0063FF1.dat (file missing)
O20 - Winlogon Notify: __c00AFDDB - __c00AFDDB.dat (file missing)

Close all open windows except for HiJack This and click Fix checked.
Reboot your computer.

== CFScript ==
1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
F:\WINNT\system32\csuwwinu.ini
F:\WINNT\system32\lnjvmcmp.ini
F:\WINNT\system32\mgsmpvgk.dll
F:\WINNT\system32\__c0063FF1.dat
F:\WINNT\system32\__c00AFDDB.dat

RenV::
----a-w 50,795,746 2003-11-13 21:53:42 F:\Documents and Settings\Tim Halls\My Documents\Shared Files\Applications\Partition Magic\Partition Magic 8 Pro FULL BY PILPELON .exe

3. Save the above as CFScript.txt.
4. Then drag the CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.
5. After reboot (in case it asks to reboot), please post the following reports/logs in your next reply:
   Combofix.txt
   A new HijackThis log.

Please post these directly as a reply (do not attach them), as it makes it easier for me to read them when they are on the forum.

-Ryan
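The triage Ryan did by eye over the HijackThis log above (orphaned O20 Winlogon Notify packages, Run entries under service accounts, an unrecognised Winsock LSP, services with no publisher) can be written down, along with the drafting of the File:: section of the CFScript from the flagged O20 DLLs. The following is an added example in Python, not code from this thread, from HijackThis or from ComboFix. Its sample log lines are constructed from entries that appear in the thread; which sections it flags, the random-name test, and the F:\WINNT\system32 prefix it uses for the script are the example's own assumptions, and any path it emits has to be checked against the real log before it goes into a CFScript.

```python
"""Triage a HijackThis v2 log and draft the ComboFix File:: block for it.

Added example for this thread, not code from HijackThis, ComboFix or the
forum. The sample lines are constructed from entries that appear in the
thread; the heuristics (which sections to flag, the random-name test and
the system32 path used for the CFScript) are the example's own assumptions.
"""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section text")

# Constructed sample in HijackThis v2 format (one entry per line).
SAMPLE_LOG = r"""O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [AVP] "F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKUS\S-1-5-19\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'LOCAL SERVICE')
O10 - Unknown file in Winsock LSP: f:\winnt\system32\nwprovau.dll
O20 - Winlogon Notify: mgsmpvgk - mgsmpvgk.dll (file missing)
O20 - Winlogon Notify: __c0063FF1 - __c0063FF1.dat (file missing)
O23 - Service: ScsiAccess - Unknown owner - F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
"""

# HJT entries look like "O20 - <text>", "R1 - <text>" or "F2 - <text>".
LINE_RE = re.compile(r"^(O\d+|R[0-3]|F[0-3])\s+-\s+(.*)$")
NOTIFY_RE = re.compile(r"Winlogon Notify: (\S+) - (\S+)( \(file missing\))?")
SERVICE_ACCOUNT_RE = re.compile(r"\(User '(LOCAL SERVICE|NETWORK SERVICE|SYSTEM)'\)")


def parse_hjt(log_text):
    """Split an HJT log into (section, text) entries; header and process lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def looks_random(name):
    """Heuristic (assumption): 8+ letters with almost no vowels, like 'mgsmpvgk'."""
    s = name.lower()
    if not s.isalpha() or len(s) < 8:
        return False
    return sum(c in "aeiou" for c in s) / len(s) < 0.2


def triage(entries):
    """Return (entry, reason) pairs for the entries a helper would look at first."""
    findings = []
    for e in entries:
        if e.section == "O20":
            # Winlogon Notify packages are DLLs winlogon.exe loads at logon;
            # a missing or random-looking one is a classic malware leftover.
            m = NOTIFY_RE.search(e.text)
            if m and (m.group(3) or looks_random(m.group(1))):
                findings.append((e, "Winlogon Notify package with a missing or random-looking DLL"))
        elif e.section == "O4" and SERVICE_ACCOUNT_RE.search(e.text):
            findings.append((e, "Run entry under a service account; check the program is still installed"))
        elif e.section == "O10":
            findings.append((e, "Winsock LSP HJT does not recognise; identify the vendor before touching it"))
        elif e.section == "O23" and "Unknown owner" in e.text:
            findings.append((e, "service with no publisher string; verify the binary's path and signature"))
    return findings


def cfscript_files(findings, system32=r"F:\WINNT\system32"):
    """Draft a ComboFix File:: block from the flagged O20 DLLs (the prefix is an assumption)."""
    files = []
    for e, _ in findings:
        m = NOTIFY_RE.search(e.text) if e.section == "O20" else None
        if m:
            files.append(system32 + "\\" + m.group(2))
    return "File::\n" + "\n".join(files) + "\n" if files else ""


if __name__ == "__main__":
    found = triage(parse_hjt(SAMPLE_LOG))
    for entry, reason in found:
        print(f"{entry.section}: {reason}\n    {entry.text}")
    print(cfscript_files(found))
```

Run as a script it prints the five flagged entries from the constructed sample and a File:: block listing mgsmpvgk.dll and __c0063FF1.dat under the assumed system32 path; "(file missing)" in HJT only means HijackThis could not see the file, which is why a File:: entry is still worth issuing, as the thread's own CFScript does.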
rmurphy Posted April 17, 2008

Please download Malwarebytes' Anti-Malware from Here or Here.
Double-click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Full Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

-Ryan
tim.halls Posted April 19, 2008 (Author)

Hi Ryan

Have run Anti-Malware with update, as specified. It found one registry key infection. The log is below.

Malwarebytes' Anti-Malware 1.11
Database version: 652

Scan type: Full Scan (C:\|F:\|G:\|H:\|)
Objects scanned: 160406
Time elapsed: 2 hour(s), 55 minute(s), 56 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Can you tell me what the effect of the infected key would have been? Would it have contributed to STOP errors?

Other Matters

Ryan, on re-booting yesterday after running ComboFix the PC stated my User Profile was damaged. Overnight I raised a new profile and noted how much quicker the PC was running. I made the decision to migrate my User settings across to the new profile (which had Administrator rights like my original) but then found Office 2003 products were slow to load, with the Windows MSI installer constantly providing an impasse. Moreover, Outlook would not load at all. I made the decision to uninstall and re-load all Office 2003 products. This resolved the problem.

I have not had the blue screen of death since raising the new profile and running Anti-Malware. However I have not run RegCure as yet either. I will do this shortly and see what the result is.

I note looking at the Event Viewer that all applications appear to be loading A-OK now and the only system errors noted are those from last night when the issues with MS-Office were experienced.

Any further suggestions? I believe increasing the size of the boot partition on the primary drive and placing the pagefile there has contributed to the increased performance I have presently as well.

Cheers, Tim
rmurphy Posted April 19, 2008

Please post a new HiJack This log.

-Ryan
tim.halls Posted April 20, 2008 (Author)

Hi Ryan

Please find below my latest HijackThis log, as requested.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:46 PM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\LEXBCES.EXE
F:\WINNT\system32\spoolsv.exe
F:\WINNT\system32\LEXPPS.EXE
F:\WINNT\Explorer.EXE
F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
F:\WINNT\system32\ctfmon.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
F:\Program Files\Lexmark X74-X75\lxbbbmon.exe
F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe
F:\PROGRA~1\MICROS~4\rapimgr.exe
F:\Program Files\CyberLink\Shared Files\RichVideo.exe
F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
F:\WINNT\system32\svchost.exe
F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
F:\WINNT\system32\wuauclt.exe
F:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
F:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--
End of file - 1651 bytes

Thanks for all of your support.
Tim
tim.halls Posted April 20, 2008 (Author)

Hi Ryan

Please ignore the previous post of the HiJack This log. For some reason the Notepad log failed to report the classes of the processes running beneath the file location information. The full log is enclosed below. I note the following entries in the log which refer to Spyware Doctor:

O4 - HKUS\S-1-5-19\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'NETWORK SERVICE')
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\WINNT\system32\shdocvw.dll

Spyware Doctor has been removed and replaced with The Shield Deluxe 2008 software. It seems this is an artefact sitting in my registry. I confirm the program was removed from the Add/Remove Programs interface. Is there a means of removing this without causing disruption to the PC's directory?

The HiJack This log in full for your inspection follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:15:51 PM, on 4/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\LEXBCES.EXE
F:\WINNT\system32\spoolsv.exe
F:\WINNT\system32\LEXPPS.EXE
F:\WINNT\Explorer.EXE
F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
F:\WINNT\system32\ctfmon.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
F:\Program Files\Lexmark X74-X75\lxbbbmon.exe
F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe
F:\PROGRA~1\MICROS~4\rapimgr.exe
F:\Program Files\CyberLink\Shared Files\RichVideo.exe
F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
F:\WINNT\system32\svchost.exe
F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
F:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
F:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adam.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wikisend.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [Lexmark X74-X75] "F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AVP] "F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "F:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - SolidConverterPDF - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\WINNT\system32\shdocvw.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: f:\winnt\system32\nwprovau.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {3C200107-2959-4C6E-91B8-F6D911B398A8} (Driver_Detective_v43_Members.DD_v43) - http://www.drivershq.com/cab/prod/Driver_D...v43_Members.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150564729610
O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photos.extrafilm.com.au/en/Photo/XUpload.ocx
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{83D3E1CC-BCBE-49FF-A428-AE9A0F579EE4}: NameServer = 203.2.124.164,203.2.124.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF82F7C1-7924-443F-BA96-A441ADAC80F0}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINNT\system32\LEXBCES.EXE
O23 - Service: ptssvc - KODAK - F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: ScsiAccess - Unknown owner - F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10167 bytes

Thanks
Tim
rmurphy Posted April 20, 2008

Open HiJack This and scan. When it finishes, put an X in the box next to these following item(s):

O4 - HKUS\S-1-5-19\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - SolidConverterPDF - (no file)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\WINNT\system32\shdocvw.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

Close all open windows except for HiJack This and click fix checked.
Reboot your computer.

Please post an Uninstall List.

To obtain an Uninstall list:
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)

-Ryan
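As an added example (not code from this thread or from HijackThis itself), a small Python triage script that splits a HijackThis log into its entries and flags the classes a helper picks out first, as in the list above: targets that read "(no file)", Run entries whose executable is gone, unknown Winsock LSP modules (O10), downloaded ActiveX controls (O16) from hosts outside an allow-list, and DNS servers (O17) outside an allow-list. The sample lines are copied from the logs in this thread; the allow-lists and the `file_exists` hook are assumptions, not part of the tool.

```python
"""Triage helper for HijackThis-style logs (added example, not the thread's
or HijackThis's own code).

Splits a log into its entries, tags each with the HijackThis section code
(R0, O2, O4, O9, O10, O16, O17, O23 ...) and flags the entry classes a
helper checks first: targets that read "(no file)", Run entries whose
executable is gone, unknown Winsock LSP modules, downloaded ActiveX
controls (DPF) from hosts outside an allow-list and DNS servers outside
an allow-list. The allow-lists and the file_exists hook are assumptions.
"""
from __future__ import annotations

import os
import re
from dataclasses import dataclass
from typing import Callable, Iterable

# Sample lines copied from the logs in this thread (constructed sample input).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKUS\S-1-5-19\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'LOCAL SERVICE')
O9 - Extra button: (no name) - SolidConverterPDF - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: f:\winnt\system32\nwprovau.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150564729610
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF82F7C1-7924-443F-BA96-A441ADAC80F0}: NameServer = 192.168.1.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{83D3E1CC-BCBE-49FF-A428-AE9A0F579EE4}: NameServer = 203.2.124.164,203.2.124.165
"""

# "O9 - Extra button: ..." -> code "O9", body "Extra button: ..."
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
# Executable referenced by an O4 Run/RunOnce entry, quoted or bare.
EXE_RE = re.compile(r'"([^"]+?\.exe)"|([a-z]:\\[^\s"]+?\.exe)', re.IGNORECASE)


@dataclass
class Finding:
    code: str      # HijackThis section code, e.g. "O9"
    reason: str    # why the entry was flagged
    entry: str     # the full log line


def parse_entries(log_text: str) -> list[tuple[str, str]]:
    """Return (code, body) for every 'Xn - ...' line; other lines are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def host_of(url: str) -> str:
    """Lower-cased host part of an http(s) URL, e.g. 'www.drivershq.com'."""
    return re.sub(r"^https?://", "", url, flags=re.IGNORECASE).split("/", 1)[0].lower()


def triage(log_text: str,
           trusted_dns: Iterable[str] = (),
           trusted_dpf_hosts: Iterable[str] = (),
           file_exists: Callable[[str], bool] = os.path.exists) -> list[Finding]:
    """Flag the entries a log reviewer would look at first."""
    trusted_dns = set(trusted_dns)
    trusted_dpf_hosts = {h.lower() for h in trusted_dpf_hosts}
    findings: list[Finding] = []
    for code, body in parse_entries(log_text):
        entry = f"{code} - {body}"
        if "(no file)" in body:
            # Leftover of an uninstalled product: the registry entry outlived its DLL/EXE.
            findings.append(Finding(code, "target file missing (orphaned entry)", entry))
        elif code == "O4":
            m = EXE_RE.search(body)
            exe = (m.group(1) or m.group(2)) if m else None
            if exe and not file_exists(exe):
                findings.append(Finding(code, f"Run entry points at a missing executable: {exe}", entry))
        elif code == "O10":
            # An LSP sits in the Winsock chain and sees all socket traffic; unknown ones need identifying.
            findings.append(Finding(code, "Winsock LSP module not recognised by the tool", entry))
        elif code == "O16":
            host = host_of(body.rsplit(" - ", 1)[-1])
            if host not in trusted_dpf_hosts:
                findings.append(Finding(code, f"downloaded ActiveX control from {host}", entry))
        elif code == "O17":
            servers = [s.strip() for s in body.split("NameServer = ", 1)[-1].split(",")]
            rogue = [s for s in servers if s not in trusted_dns]
            if rogue:
                # DNS changers plant their own resolvers here to redirect browsing.
                findings.append(Finding(code, "DNS server(s) not on allow-list: " + ", ".join(rogue), entry))
    return findings


if __name__ == "__main__":
    # Assumed allow-lists: the ISP resolvers and router seen in the thread, and Windows Update.
    for f in triage(SAMPLE_LOG,
                    trusted_dns={"192.168.1.1", "203.2.124.164", "203.2.124.165"},
                    trusted_dpf_hosts={"update.microsoft.com"},
                    file_exists=lambda p: False):   # swdoctor.exe was uninstalled in the thread
        print(f"{f.code:4} {f.reason}\n     {f.entry}")
```

Entries the script does not flag still need a reviewer's eye; it only narrows the log to the classes of line that are usually worth checking first.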
tim.halls (Author) Posted April 21, 2008

Hi Ryan

Thanks for all the help thus far. It is taking time, however the PC is gradually coming good. Before posting the HijackThis Uninstall log you requested, I advise I ran Dr CureIt overnight in full scan mode. It was a long scan but I suspected there was something still afoot with viruses in the PC. Whilst I do not get the STOP: 0x00000050 error anymore when running registry cleaner scans, both Registry Cleaner (RegClean) and Registry First Aid cause the PC to reboot of its own accord when run. I have not had this issue previously. I ran Dr CureIt with the aim of determining whether Trojan.Win32.Agent.aw (Trojan.Medude) was present. As you may be aware, this virus is known for this particular STOP/reboot error.

The outcome of this extensive scan was it found 3-4 of the same virus in files, however 8-9 in sections of my XP restore directory. I had the program either cure/delete all of the files involved. Following this, I also uninstalled the restore function with removal of all restore points and rebooted the PC (wasn't taking any chances). On startup and re-entering Windows I established a new restore point just in case the system went down.

Any case, the Uninstall log from HijackThis you requested follows beneath.
With thanks, Tim
rmurphy Posted April 21, 2008

== Remove Programs ==

Please go to Add/Remove Programs in the Control Panel, and remove the following programs:

J2SE Runtime Environment 5.0 Update 7
J2SE Runtime Environment 5.0 Update 9

Reboot your computer.

== Install Latest Java ==

Please go to THIS page, and click on the Download link that is in the Java Runtime Environment (JRE) 6 section.
Click the radio button next to Accept License Agreement after reviewing it. The page will refresh - this is normal.
Download the Windows Offline Installation, Multi-language. You will want to save this to a location you will remember.
Once it has finished downloading, double click it, and follow the prompts to install.
If it asks to reboot, select No.

== Clear Temporary Files ==

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Close all Internet Explorer, Firefox, and Opera windows before continuing.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please reboot your computer before continuing.

== Kaspersky Web Scanner ==

Please do an online scan with Kaspersky WebScanner.
You will need to use Internet Explorer to do this.
Click on Accept.
You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT.
Now click on Scan Settings.
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database: Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK.
Now under select a target to scan: Select My Computer.
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information in your next post.

== Request Logs ==

Please post the log from the Kaspersky scan, along with a new HiJack This log, and let me know how the computer is running.

-Ryan
tim.halls (Author) Posted April 22, 2008

Hi Ryan

All is not well with the PC! Followed your below instructions but the PC self-booted when one third of the way into Kaspersky Online Scan. As mentioned previously, it displays the same intolerance when I run the registry checkers RegCure or Registry First Aid. Before this virus attack it never used to do this. I know this for a fact since I would run RegCure on a monthly basis to maintain a 'clean' registry.

There are a few potential clues I have alluded to in examining the PC more closely. It is running effortlessly and with efficiency I would say in loading and unloading memory - certainly the best it has been in a long while.

When uninstalling old programs on the primary drive using the "Add/Remove Programs" tool, I came across a directory which I cannot delete. The error message pops up when I attempt to, stating: "Cannot delete Charity_Counselling (UK): Cannot find the specified file." I am wondering whether this file anomaly is responsible for the viral scanner baulking and re-starting Windows. In RegCure the PC re-boots when engaging the file scanner and not the foregoing registry or file pathname errors. The other matter raising my suspicion is that DrCureIt found what it considered "Possibly a Backdoor Trojan" in relation to the wider application associated with this file. The application was known as "WebPosition" - a search engine used to rank where your website sits with others in relation to specific subject content. "Counselling" was one of the topics for which a website ranking was sought.

Question: Is there a tool that can be specifically directed at suspicious files / directories with enough sophistication to remove them if somehow the inability to delete is related to hard disc addressing?

Alternatively, is there a viral tool that targets the eradication of STOP errors resulting from virus attack? I frankly do not know whether the above directory is virus laden (although with hidden files view 'on' nothing appears in the directory) or whether the inability to delete the directory is an addressing issue. Do you have any suggestions regarding this matter of the PC self-booting when the scanning applications are run? I have checked the RAM memory with Memtest. All was OK.

Over to you, with thanks
Tim
tim.halls (Author) Posted April 22, 2008

Hi Ryan

Please find below the fresh HijackThis log you requested following the PC re-booting itself when running the extended Kaspersky Online Scanner.

I bring to your attention also that the Malwarebytes scanner run the other evening also quarantined then deleted the following file from a registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:26:21 PM, on 4/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\LEXBCES.EXE
F:\WINNT\system32\spoolsv.exe
F:\WINNT\system32\LEXPPS.EXE
F:\WINNT\Explorer.EXE
F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
F:\WINNT\system32\ctfmon.exe
F:\Program Files\Lexmark X74-X75\lxbbbmon.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
F:\PROGRA~1\MICROS~4\rapimgr.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe
F:\Program Files\CyberLink\Shared Files\RichVideo.exe
F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
F:\WINNT\system32\svchost.exe
F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
F:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
F:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adam.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wikisend.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll
O4 - HKLM\..\Run: [Lexmark X74-X75] "F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AVP] "F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "F:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINNT\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: f:\winnt\system32\nwprovau.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {3C200107-2959-4C6E-91B8-F6D911B398A8} (Driver_Detective_v43_Members.DD_v43) - http://www.drivershq.com/cab/prod/Driver_D...v43_Members.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150564729610
O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photos.extrafilm.com.au/en/Photo/XUpload.ocx
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{83D3E1CC-BCBE-49FF-A428-AE9A0F579EE4}: NameServer = 203.2.124.164,203.2.124.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF82F7C1-7924-443F-BA96-A441ADAC80F0}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINNT\system32\LEXBCES.EXE
O23 - Service: ptssvc - KODAK - F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe
O23 - Service: ScsiAccess - Unknown owner - F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10411 bytes

Hope this post provides further clues as to the PC's behaviour of self-booting.

Cheers, Tim
are selected:Scan using the following Anti-Virus database:Extended (if available otherwise Standard)Scan Options:Scan ArchivesScan Mail Bases[*]Click OK[*]Now under select a target to scan:Select My Computer[*]This will program will start and scan your system.[*]The scan will take a while so be patient and let it run.[*]Once the scan is complete it will display if your system has been infected.Now click on the Save as Text button:[*]Save the file to your desktop.[*]Copy and paste that information in your next post.== Request Logs ==Please post the log from the Kaspersky scan, along with a new HiJack This log, and let me know how the computer is running.-Ryan Link to post Share on other sites
rmurphy Posted April 22, 2008

Let's see if a boot time scan reveals anything.

== Install avast! 4 Home ==

Download Avast! 4 Home and get your free Registration Key.
Install avast!, and restart your computer if needed.

== Update avast! ==

Right click on the a in the taskbar and select Updating, then select Program.
Avast! will tell you when it has completed the update. If core files were updated, you may get a message asking you to restart. Please allow the computer to restart if prompted.

== Schedule a Boot-Time Scan ==

After you have updated avast! right click the a icon in the taskbar and click Start Avast! AntiVirus.
After this, you will need to Schedule Boot-Time Scan with avast! While all the steps needed to perform this are listed below, you may find a visual tutorial helpful as well.
Click on the up arrow icon in the left corner, and select Schedule Boot-Time Scan.
Next, choose:
Scan all local disks
scan archive files
Click on Schedule. Avast! will notify you that a system restart is needed. Please select Yes.
Your computer will then restart, and avast! will perform the scan prior to Windows loading.

IMPORTANT NOTE: When avast! finds an infected item, it may give you a dialog box with recommended actions. If this happens, please select Move to Chest.

== Request logs ==

Please post the log of the avast scan. It can be found at C:\Program Files\Alwil Software\Avast4\DATA\report\AswBoot.txt
I would also like to see an Uninstall list. To obtain an uninstall list, please do the following:
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)

-Ryan
tim.halls (Author) Posted April 23, 2008

Ryan, further to my last post, wherein I completed all of your instructions below; however, the Kaspersky extended scan caused the PC to re-boot. I now enclose below my latest HijackThis log for your inspection.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:51:11 PM, on 4/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
F:\WINNT\System32\smss.exe
F:\WINNT\system32\winlogon.exe
F:\WINNT\system32\services.exe
F:\WINNT\system32\lsass.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\System32\svchost.exe
F:\WINNT\system32\svchost.exe
F:\WINNT\system32\LEXBCES.EXE
F:\WINNT\system32\spoolsv.exe
F:\WINNT\system32\LEXPPS.EXE
F:\WINNT\Explorer.EXE
F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
F:\WINNT\system32\ctfmon.exe
F:\Program Files\Microsoft ActiveSync\wcescomm.exe
F:\Program Files\Lexmark X74-X75\lxbbbmon.exe
F:\PROGRA~1\MICROS~4\rapimgr.exe
F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe
F:\Program Files\CyberLink\Shared Files\RichVideo.exe
F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
F:\WINNT\system32\svchost.exe
F:\Program Files\PC Connectivity Solution\ServiceLayer.exe
F:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
F:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
F:\Program Files\Internet Explorer\iexplore.exe
F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe
F:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adam.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wikisend.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Lexmark X74-X75] "F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [AVP] "F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKLM\..\Run: [sunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "F:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [PC Suite Tray] "F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINNT\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINNT\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: f:\winnt\system32\nwprovau.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {3C200107-2959-4C6E-91B8-F6D911B398A8} (Driver_Detective_v43_Members.DD_v43) - http://www.drivershq.com/cab/prod/Driver_D...v43_Members.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/.../client/wuweb_site.cab?1150564729610
O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photos.extrafilm.com.au/en/Photo/XUpload.ocx
O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{83D3E1CC-BCBE-49FF-A428-AE9A0F579EE4}: NameServer = 203.2.124.164,203.2.124.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF82F7C1-7924-443F-BA96-A441ADAC80F0}: NameServer = 192.168.1.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINNT\system32\LEXBCES.EXE
O23 - Service: ptssvc - KODAK - F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ScsiAccess - Unknown owner - F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: ServiceLayer - Nokia. - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 10009 bytes

Any suggestions regarding PC self-booting on file scan?

Cheers, Tim
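The logs in this thread are in the one-entry-per-line HijackThis v2 format. The helper below is an added example written for this page; it is not part of the thread, of HijackThis, or of any tool the helpers mention. It parses that format and pulls out what a helper reads first in a log like Tim's: O2/O3/O9 hooks whose DLL no longer exists ("(no file)" orphans), O23 services with no vendor string ("Unknown owner"), the DNS servers in the O17 entries, and O4 autoruns whose binary lives outside the directories one expects on this machine. The sample log is a constructed subset of the lines posted above plus one made-up O4 line (the Temp\updater.exe entry) so the autorun rule has something to flag; the trusted-root list (Windows on F:, as in the posted logs) is an assumption.

```python
"""Triage helper for HijackThis v2 logs (added example, not HijackThis code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the log posted in this thread plus one
# made-up O4 entry (Temp\updater.exe) so the autorun rule has a hit.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
F:\WINNT\System32\smss.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O4 - HKLM\..\Run: [AVP] "F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] F:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [ccleaner] "F:\Program Files\CCleaner\CCleaner.exe" /AUTO
O4 - HKCU\..\Run: [updater] "F:\Documents and Settings\user\Local Settings\Temp\updater.exe"
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: f:\winnt\system32\nwprovau.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{83D3E1CC-BCBE-49FF-A428-AE9A0F579EE4}: NameServer = 203.2.124.164,203.2.124.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF82F7C1-7924-443F-BA96-A441ADAC80F0}: NameServer = 192.168.1.1
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: ScsiAccess - Unknown owner - F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

--
End of file - 10009 bytes
"""

# Assumption: Windows lives on F: on this machine (as in the posted logs).
TRUSTED_ROOTS = (r"F:\WINNT", r"F:\Program Files", r"F:\PROGRA~1", "%systemroot%")

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
# "[name]" followed by an optionally quoted path that starts with a drive
# letter or an environment variable and ends at the first ".exe".
O4_RE = re.compile(
    r'\[(?P<name>[^\]]*)\]\s+"?(?P<path>(?:[A-Za-z]:|%[^%]+%)\\[^"]*?\.exe)"?',
    re.IGNORECASE,
)
O17_RE = re.compile(r"(?P<guid>\{[0-9A-Fa-f-]+\}): NameServer = (?P<servers>[\d.,]+)")


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O4", "O23"
    body: str     # everything after "O4 - "


def parse_log(text: str) -> list[Entry]:
    """Keep only the 'Xn - ...' entries; header, process list and footer are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["section"], m["body"]))
    return entries


def orphaned_hooks(entries: list[Entry]) -> list[Entry]:
    """O2/O3/O9 items whose file is gone: inert, but noise that can hide a live entry."""
    return [e for e in entries if e.section in {"O2", "O3", "O9"} and "(no file)" in e.body]


def unknown_owner_services(entries: list[Entry]) -> list[str]:
    """Display names of O23 services that carry no vendor string."""
    names = []
    for e in entries:
        if e.section == "O23" and " - Unknown owner - " in e.body:
            names.append(e.body.removeprefix("Service: ").split(" - ")[0])
    return names


def nameservers(entries: list[Entry]) -> dict[str, list[str]]:
    """Per-adapter DNS servers from O17, to compare with what ISP and router should hand out."""
    out: dict[str, list[str]] = {}
    for e in entries:
        if e.section == "O17":
            m = O17_RE.search(e.body)
            if m:
                out[m["guid"]] = m["servers"].split(",")
    return out


def autoruns_outside(entries: list[Entry], trusted_roots=TRUSTED_ROOTS) -> list[tuple[str, str]]:
    """O4 autoruns whose binary is not under a trusted root (case-insensitive prefix match)."""
    roots = tuple(r.lower() for r in trusted_roots)
    flagged = []
    for e in entries:
        if e.section != "O4":
            continue
        m = O4_RE.search(e.body)
        if m and not m["path"].lower().startswith(roots):
            flagged.append((m["name"], m["path"]))
    return flagged


def triage(text: str) -> dict:
    """One-shot summary of the findings a helper would look at first."""
    entries = parse_log(text)
    return {
        "entries": len(entries),
        "orphaned_hooks": [f"{e.section} - {e.body}" for e in orphaned_hooks(entries)],
        "unknown_owner_services": unknown_owner_services(entries),
        "nameservers": nameservers(entries),
        "autoruns_outside_trusted_roots": autoruns_outside(entries),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the sample this flags the two "(no file)" hooks, the RichVideo and ScsiAccess services (both present in the posted log with "Unknown owner", which in HijackThis means only that no vendor string was found, not that the service is malicious), the two O17 DNS server sets, and the constructed Temp\updater.exe autorun. The O4 path rule is deliberately a prefix check against a short allow-list: on a real log, entries that fall outside it are the ones worth looking up, not automatically the ones to remove.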
rmurphy Posted April 23, 2008

Please redo the instructions at http://www.besttechie.net/forums/index.php...st&p=113160 (including downloading Combofix) and post the latest ComboFix report.

-Ryan