Assistance Please With Mass Mailer & Ie File Generator[INACTIVE]



Hi, I have spent days attempting to identify the source of an infection. It appears to be somehow embedded in the file: C:\WINNT\System 32\Services.exe

I am now running the antivirus and spyware application "The Shield Deluxe" after being dissatisfied with Norton's Antivirus Corporate Edition. I was also running PCTools spyware previously at the time of infection. The Shield Deluxe informs that a "modification of riskware, i.e. 'Mass-mailer software'" has been detected with the above file system process "Services.exe".

I attach below my log from "Hijack This" in the hope you can pick any infiltration/issue:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:57:23 PM, on 16/04/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

F:\WINNT\System32\smss.exe

F:\WINNT\system32\winlogon.exe

F:\WINNT\system32\services.exe

F:\WINNT\system32\lsass.exe

F:\WINNT\system32\svchost.exe

F:\WINNT\System32\svchost.exe

F:\WINNT\system32\svchost.exe

F:\WINNT\system32\LEXPPS.EXE

F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe

F:\WINNT\system32\svchost.exe

F:\WINNT\Explorer.EXE

F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

F:\Program Files\Lexmark X74-X75\lxbbbmon.exe

F:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe

F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe

F:\WINNT\system32\ctfmon.exe

F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

F:\Program Files\Google\Google Updater\GoogleUpdater.exe

F:\Program Files\PC Connectivity Solution\ServiceLayer.exe

F:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

F:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adam.com.au/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

F2 - REG:system.ini: UserInit=F:\WINNT\system32\Userinit.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)

O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll

O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - (no file)

O2 - BHO: Min stor proj. - {FFFFFFFF-D71D-41e4-A699-F506DBD097F0} - msindc.dll (file missing)

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll

O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll

O4 - HKLM\..\Run: [Lexmark X74-X75] "F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKLM\..\Run: [AudioDeck] F:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1

O4 - HKLM\..\Run: [AVP] "F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"

O4 - HKCU\..\Run: [ctfmon.exe] F:\WINNT\system32\ctfmon.exe

O4 - HKCU\..\Run: [PC Suite Tray] "F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray

O4 - HKUS\S-1-5-19\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O4 - Global Startup: Google Updater.lnk = F:\Program Files\Google\Google Updater\GoogleUpdater.exe

O9 - Extra button: (no name) - SolidConverterPDF - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\WINNT\system32\shdocvw.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

O10 - Unknown file in Winsock LSP: f:\winnt\system32\nwprovau.dll

O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB

O16 - DPF: {3C200107-2959-4C6E-91B8-F6D911B398A8} (Driver_Detective_v43_Members.DD_v43) - http://www.drivershq.com/cab/prod/Driver_D...v43_Members.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150564729610

O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photos.extrafilm.com.au/en/Photo/XUpload.ocx

O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{83D3E1CC-BCBE-49FF-A428-AE9A0F579EE4}: NameServer = 203.2.124.164,203.2.124.165

O17 - HKLM\System\CCS\Services\Tcpip\..\{FF82F7C1-7924-443F-BA96-A441ADAC80F0}: NameServer = 192.168.1.1

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O18 - Filter hijack: text/html - (no CLSID) - (no file)

O20 - Winlogon Notify: mgsmpvgk - mgsmpvgk.dll (file missing)

O20 - Winlogon Notify: __c0063FF1 - __c0063FF1.dat (file missing)

O20 - Winlogon Notify: __c00AFDDB - __c00AFDDB.dat (file missing)

O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe

O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINNT\system32\LEXBCES.EXE

O23 - Service: ptssvc - KODAK - F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

O23 - Service: ScsiAccess - Unknown owner - F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

O23 - Service: ServiceLayer - Nokia. - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O24 - Desktop Component 0: (no name) - file:///E:/Kathy's%20Japan%20Trip_2003/Family_2003/Wilmington/55229775_lrg.jpg

--

End of file - 9069 bytes

I trust this helps define my issue for looking.

With thanks, Tim

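Tim's HijackThis log above is the sort of thing a responder scans by eye for load points whose target file is gone, for Winlogon Notify DLLs with machine-generated names, and for entries HijackThis does not recognise. As an added example (my own code, not HijackThis's and not anything posted in this thread), the Python below parses lines in the HijackThis format and attaches a reason to each flagged entry. The sample lines are copied from the log above; the flagging rules and the name-randomness heuristic are my assumptions and produce a triage list, not a verdict on any entry.

```python
import re

# Constructed sample: lines in HijackThis's log format, copied from the kinds of
# entries in the log above (added example, not code or output from the thread).
SAMPLE_HJT_LINES = [
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)",
    r"O2 - BHO: Min stor proj. - {FFFFFFFF-D71D-41e4-A699-F506DBD097F0} - msindc.dll (file missing)",
    r'O4 - HKLM\..\Run: [AVP] "F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"',
    r"O10 - Unknown file in Winsock LSP: f:\winnt\system32\nwprovau.dll",
    r"O18 - Filter hijack: text/html - (no CLSID) - (no file)",
    r"O20 - Winlogon Notify: mgsmpvgk - mgsmpvgk.dll (file missing)",
    r"O20 - Winlogon Notify: __c0063FF1 - __c0063FF1.dat (file missing)",
    r"O23 - Service: ServiceLayer - Nokia. - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe",
]

# Every HijackThis entry starts with a section code (R0, F2, O2, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")


def parse_entry(line):
    """Split one log line into section code and body; None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    return {"kind": m.group("kind"), "body": m.group("body"), "raw": line.strip()}


def looks_random(name):
    """Cheap heuristic (my assumption) for machine-generated names: the __c<hex>
    pattern seen in this thread, or six or more letters without a single vowel."""
    if re.fullmatch(r"__c[0-9A-Fa-f]{6,}", name):
        return True
    letters = [c for c in name.lower() if c.isalpha()]
    return len(letters) >= 6 and not any(c in "aeiouy" for c in letters)


def flag_entry(entry):
    """Return the reasons an entry deserves a responder's attention (empty = clean)."""
    kind, body = entry["kind"], entry["body"]
    lower = body.lower()
    reasons = []
    # A load point whose target is gone: leftover from an uninstall, or the
    # registry residue of malware whose file was already removed.
    if "(file missing)" in lower or "(no file)" in lower:
        reasons.append("target file missing")
    if kind == "O20":
        reasons.append("Winlogon Notify DLL (loaded at every logon)")
        name = body.split(":", 1)[1].split(" - ")[0].strip()
        if looks_random(name):
            reasons.append("random-looking name")
    if kind == "O10":
        reasons.append("Winsock LSP not in HijackThis's known list; verify the DLL's publisher")
    if kind == "O18" and "hijack" in lower:
        reasons.append("protocol/filter hijack")
    return reasons


def triage(lines):
    """Map each flagged log line to its reasons, in log order."""
    report = {}
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = flag_entry(entry)
        if reasons:
            report[entry["raw"]] = reasons
    return report


def fix_candidates(lines):
    """Entries a responder would typically tick for HijackThis's 'fix checked':
    BHO or Winlogon Notify load points whose target file no longer exists."""
    return [raw for raw, reasons in triage(lines).items()
            if raw.startswith(("O20", "O2 ")) and "target file missing" in reasons]


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_HJT_LINES).items():
        print(raw)
        for reason in reasons:
            print("    -", reason)
```

Run stand-alone it prints the six flagged sample entries with their reasons. The O10 line comes out as "verify", not "fix", which matches how the thread goes: Ryan's fix list later contains the three O20 entries and leaves the Winsock LSP entry alone.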

Welcome to BestTechie! I'm Ryan, and I'll be helping you clean your computer.

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

  1. Please, never rename Combofix unless instructed.
  2. Close any open browsers.
  3. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      -----------------------------------------------------------


  • Close any open browsers.
  • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
  • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
  • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

-Ryan


Hi Ryan

Good (a relief) to hear from you. I am about to follow your below routine to the letter. I'll post again as soon as I have the information you have requested.

Tim


Hi Ryan

Please find enclosed logs from HijackThis and ComboFix. ComboFix appears to have removed my mass mail spammer (with many thanks). My virus and spyware application The Shield Deluxe 2008 (read: Kaspersky & spyware) no longer raises the alert of blocking a mass mailer and the email blocker application shows no emails are being generated. This is a great relief. (The email blocker demonstrated that over 1,000 emails were being generated in a period of 20-30 minutes.)

This leaves the following as questions remaining:

1. ComboFix placed the "qoobox" directory under "Program Files".

- Do I need to hang on to this or can it be deleted? What purpose does it serve?

2. HijackThis references the following:

O20 - Winlogon Notify: mgsmpvgk - mgsmpvgk.dll (file missing)

O20 - Winlogon Notify: __c0063FF1 - __c0063FF1.dat (file missing)

O20 - Winlogon Notify: __c00AFDDB - __c00AFDDB.dat (file missing)

- Do I need to replace these files? Are they significant in the running of the PC?

O10 - Unknown file in Winsock LSP: f:\winnt\system32\nwprovau.dll

- I am concerned about this. I understand that viruses can "hook" via this protocol (service) to your email and internet activity. Is this anything to worry about?

3. The ComboFix log establishes that I do not have the Recovery Console in my startup routine (XP, SP2) to access?

- Do I add this? What are the merits of having it?

4. There may be other matters I should turn my attention to which you pick-up as a concern.

- Please advise if this is the case - I will be directed by you.

5. This is my second post as I accidentally hit the escape key just prior to posting my reply (annoying).

- Is there any way of restoring the previous text where this happens?

Please find the two logs enclosed below as files.

Cheers, Tim

ComboFix.txt

hijackthis.txt


There's still some work to be done.

== Install Recovery Console ==

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

== Fix HJT Entries ==

You will want to print out a copy of these instructions to follow while you complete this procedure, as you will not be able to access the internet later in the fix.

Open HijackThis and scan. When it finishes, put an X in the box next to the following item(s):

O20 - Winlogon Notify: mgsmpvgk - mgsmpvgk.dll (file missing)

O20 - Winlogon Notify: __c0063FF1 - __c0063FF1.dat (file missing)

O20 - Winlogon Notify: __c00AFDDB - __c00AFDDB.dat (file missing)

Close all open windows except for HijackThis and click fix checked.

Reboot your computer.

== CFScript ==

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

F:\WINNT\system32\csuwwinu.ini

F:\WINNT\system32\lnjvmcmp.ini

F:\WINNT\system32\mgsmpvgk.dll

F:\WINNT\system32\__c0063FF1.dat

F:\WINNT\system32\__c00AFDDB.dat

RenV::

----a-w 50,795,746 2003-11-13 21:53:42 F:\Documents and Settings\Tim Halls\My Documents\Shared Files\Applications\Partition Magic\Partition Magic 8 Pro FULL BY PILPELON .exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

Please post these directly as a reply (do not attach them), as it makes it easier for me to read them when they are on the forum.

-Ryan

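Ryan's CFScript above combines two hidden .ini files from system32 with the Winlogon Notify files named in the HijackThis log. The .ini candidates come from the "Files Created" section of the ComboFix log that Tim posts later in the thread. The following is an added example (my own code, not ComboFix's and not anything posted in this thread) that parses lines in that listing's format and flags system32 files carrying hidden+system attributes or an .ini over 64 KB, then checks whether a Program Files directory was created in the same minute, so that a product's own hidden data files can be told apart from unattributed ones. The sample lines are copied from the log; the 64 KB threshold and the same-minute attribution rule are my assumptions.

```python
import re
from datetime import datetime

# Constructed sample: lines in the format of ComboFix's "Files Created" listing,
# copied from the log posted in this thread (added example, not ComboFix output).
SAMPLE_COMBOFIX_LINES = [
    r"2008-04-16 14:41 . 2008-04-16 14:41 <DIR> d-------- F:\Program Files\PCSecurityShield",
    r"2008-04-16 14:41 . 2008-04-17 16:32 4,671,776 --ahs---- F:\WINNT\system32\drivers\fidbox.dat",
    r"2008-04-16 14:42 . 2008-04-16 15:12 91,700 --a------ F:\WINNT\system32\drivers\klin.dat",
    r"2008-04-09 23:38 . 2008-04-09 23:38 127 --a------ F:\WINNT\system32\MRT.INI",
    r"2008-04-03 19:59 . 2008-04-03 20:00 1,653,718 ---hs---- F:\WINNT\system32\csuwwinu.ini",
    r"2008-04-02 17:20 . 2008-04-03 20:00 1,598,361 ---hs---- F:\WINNT\system32\lnjvmcmp.ini",
    r"2008-03-28 17:18 . 1997-04-14 08:16 124,416 --a------ F:\WINNT\system32\dzip32.dll",
]

# created . modified size-or-<DIR> attribute-string path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)

INI_SIZE_LIMIT = 64 * 1024  # assumption: a real .ini is tiny; 1.6 MB is not configuration


def parse_line(line):
    """Turn one listing line into a dict; None if the line is not a file entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    attrs = m.group("attrs")  # letters d/r/a/h/s/c mark directory/readonly/archive/hidden/system/compressed
    size = None if m.group("size") == "<DIR>" else int(m.group("size").replace(",", ""))
    return {
        "created": datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M"),
        "size": size,
        "is_dir": "d" in attrs,
        "hidden": "h" in attrs,
        "system": "s" in attrs,
        "path": m.group("path"),
    }


def install_dirs_by_minute(entries):
    """Creation minute -> Program Files directories created in that minute."""
    out = {}
    for e in entries:
        if e["is_dir"] and "\\program files\\" in e["path"].lower():
            out.setdefault(e["created"], []).append(e["path"])
    return out


def suspicious_system32_files(entries):
    """Flag system32 files by attribute/size, and attribute each to an install
    whose Program Files directory appeared in the same minute (if any)."""
    installs = install_dirs_by_minute(entries)
    findings = []
    for e in entries:
        if e["is_dir"] or "\\system32\\" not in e["path"].lower():
            continue
        reasons = []
        if e["hidden"] and e["system"]:
            reasons.append("hidden+system attributes")
        ext = e["path"].rsplit(".", 1)[-1].lower()
        if ext == "ini" and e["size"] > INI_SIZE_LIMIT:
            reasons.append("oversized .ini (%d bytes)" % e["size"])
        if reasons:
            findings.append({"path": e["path"], "reasons": reasons,
                             "attributed_to": installs.get(e["created"], [])})
    return findings


def unattributed_findings(entries):
    """Flagged files that no same-minute product install accounts for."""
    return [f for f in suspicious_system32_files(entries) if not f["attributed_to"]]


def cfscript_file_block(findings):
    """Render the findings as the File:: section of a CFScript, as in the thread."""
    return "File::\n" + "\n".join(f["path"] for f in findings)


if __name__ == "__main__":
    parsed = [parse_line(l) for l in SAMPLE_COMBOFIX_LINES]
    for f in suspicious_system32_files(parsed):
        print(f["path"], f["reasons"], "attributed to:", f["attributed_to"] or "nothing")
    print(cfscript_file_block(unattributed_findings(parsed)))
```

Attributes alone are not a verdict: fidbox.dat comes out flagged for hidden+system but attributed to the PCSecurityShield directory created in the same minute, while the two oversized .ini files match nothing. That split is consistent with the thread, where only those two .ini files went into Ryan's File:: block.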

Hi Ryan

I have incorporated your instructions/guidance below. All went well. I provide the log files you requested below with some screenshots of the PC's Event Viewer for (i) System and (ii) Application.

When running the application "RegCure" I have been getting the blue screen of death. This application is a sophisticated registry cleaner. This occurs when scanning the PC some way in. STOP code is STOP: (0x00000050, 0x00000000, 0x8054AA32, 0x00000000) - PAGE_FAULT_IN_NONPAGED_AREA. I have read the Microsoft Knowledge Base (for what it's worth) and have eliminated poor SDRAM as the issue after running MEMtest. I believe it may be related to service install issues (which is why I included the screenshots of Event Viewer).

Overnight, I have also increased the size of the boot partition since I note it only had 53.4 Mb spare on a partition of 4.2 Gb. I have increased this partition to 10Gb approx. From memory the pagefile is directed to the larger second partition on this primary drive. I haven't altered this as yet. Can you advise whether there is a clear preference for the pagefile to be located on the boot partition or not? Also whether directing it to a second partition on the primary drive is known to cause issues?

I thank you for your assistance thus far in bringing this PC back to life. Here are the logs and screenshots:

Installation of Recovery Console

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(2)\WINNT

[operating systems]

multi(0)disk(0)rdisk(0)partition(2)\WINNT="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Latest ComboFix

ComboFix 08-04-16.5 - Tim Halls 2008-04-17 16:28:35.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.501 [GMT 9.5:30]

Running from: F:\Documents and Settings\Tim Halls\Desktop\ComboFix.exe

Command switches used :: F:\Documents and Settings\Tim Halls\Desktop\CFScript.txt

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2008-03-17 to 2008-04-17 )))))))))))))))))))))))))))))))

.

2008-04-17 16:15 . 2008-04-17 16:15 <DIR> d-------- F:\Program Files\Trend Micro

2008-04-17 12:21 . 2008-04-17 12:21 0 --ah----- F:\WINNT\system32\drivers\Msft_Kernel_ccdcmb_01005.Wdf

2008-04-17 10:59 . 2008-04-17 10:59 <DIR> d-------- F:\CRAP

2008-04-16 14:42 . 2008-04-16 15:12 91,700 --a------ F:\WINNT\system32\drivers\klin.dat

2008-04-16 14:42 . 2008-04-16 15:12 85,860 --a------ F:\WINNT\system32\drivers\klick.dat

2008-04-16 14:41 . 2008-04-16 14:41 <DIR> d-------- F:\Program Files\PCSecurityShield

2008-04-16 14:41 . 2008-04-17 16:21 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\PCSecurityShield

2008-04-16 14:41 . 2008-04-17 16:32 4,671,776 --ahs---- F:\WINNT\system32\drivers\fidbox.dat

2008-04-16 14:41 . 2008-04-17 16:17 66,440 --ahs---- F:\WINNT\system32\drivers\fidbox.idx

2008-04-16 14:41 . 2008-04-17 16:32 19,744 --ahs---- F:\WINNT\system32\drivers\fidbox2.dat

2008-04-16 14:41 . 2008-04-17 16:17 2,732 --ahs---- F:\WINNT\system32\drivers\fidbox2.idx

2008-04-16 01:18 . 2008-04-16 01:18 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Grisoft

2008-04-16 01:12 . 2008-04-16 01:12 <DIR> d-------- F:\Program Files\CCleaner

2008-04-14 23:59 . 2005-06-14 19:35 104,576 -ra------ F:\WINNT\system32\drivers\WCEUSBSH.SYS

2008-04-14 23:59 . 2005-06-14 19:35 104,576 --a--c--- F:\WINNT\system32\dllcache\wceusbsh.sys

2008-04-14 23:59 . 2005-06-14 19:35 63,596 -ra------ F:\WINNT\system32\drivers\WCEUSBSH.INF

2008-04-10 02:30 . 2008-04-10 02:30 <DIR> d-------- F:\Program Files\Windows Media Connect 2

2008-04-09 23:38 . 2008-04-09 23:38 127 --a------ F:\WINNT\system32\MRT.INI

2008-04-09 22:38 . 2004-08-03 23:08 25,600 --a------ F:\WINNT\system32\drivers\usbser.sys

2008-04-09 22:38 . 2004-08-03 23:08 25,600 --a--c--- F:\WINNT\system32\dllcache\usbser.sys

2008-04-09 22:31 . 2008-04-09 22:31 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Nokia

2008-04-09 22:31 . 2008-02-01 15:17 138,112 --a------ F:\WINNT\system32\drivers\nmwcdnsu.sys

2008-04-09 22:31 . 2008-02-01 15:17 8,320 --a------ F:\WINNT\system32\drivers\nmwcdnsuc.sys

2008-04-09 22:30 . 2007-11-29 10:33 1,419,232 --a------ F:\WINNT\system32\wdfcoinstaller01005.dll

2008-04-09 22:30 . 2007-11-29 10:39 95,744 --a------ F:\WINNT\system32\nmwcdcocls.dll

2008-04-09 22:30 . 2007-11-29 10:39 19,328 --a------ F:\WINNT\system32\drivers\ccdcmbo.sys

2008-04-09 22:30 . 2007-11-29 10:39 16,896 --a------ F:\WINNT\system32\drivers\ccdcmb.sys

2008-04-09 22:30 . 2007-11-29 10:39 8,064 --a------ F:\WINNT\system32\drivers\usbser_lowerfltj.sys

2008-04-09 22:30 . 2007-11-29 10:39 8,064 --a------ F:\WINNT\system32\drivers\usbser_lowerflt.sys

2008-04-03 20:06 . 2005-10-21 11:17 30,592 --------- F:\WINNT\system32\drivers\rndismpx.sys

2008-04-03 20:06 . 2005-10-21 11:17 12,800 --------- F:\WINNT\system32\drivers\usb8023x.sys

2008-04-03 19:59 . 2008-04-03 20:00 1,653,718 ---hs---- F:\WINNT\system32\csuwwinu.ini

2008-04-02 17:20 . 2008-04-03 20:00 1,598,361 ---hs---- F:\WINNT\system32\lnjvmcmp.ini

2008-03-31 22:52 . 2008-03-31 22:52 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\SolidDocuments

2008-03-31 20:06 . 2008-03-31 20:06 <DIR> d-------- F:\WINNT\PTSD Checklist Scoring and Interpretation Generator

2008-03-31 17:56 . 2008-03-31 17:56 <DIR> d-------- F:\WINNT\DASS 21 Scoring and Interpretation Generator

2008-03-31 17:56 . 2008-03-31 20:06 <DIR> d-------- F:\Program Files\Clintools

2008-03-28 17:24 . 2008-03-28 17:24 <DIR> d-------- F:\Documents and Settings\Tim Halls\Application Data\Adlib Software

2008-03-28 17:24 . 2008-03-28 17:24 <DIR> d-------- F:\Documents and Settings\All Users\Application Data\Adlib Software

2008-03-28 17:18 . 1997-04-14 08:16 124,416 --a------ F:\WINNT\system32\dzip32.dll

2008-03-28 17:18 . 1998-03-05 22:00 78,096 --a------ F:\WINNT\system32\Gapi32.dll

2008-03-28 17:11 . 2008-03-28 17:12 <DIR> d-------- F:\Program Files\Easy Macro Recorder

2008-03-28 17:11 . 2008-03-28 17:12 <DIR> d-------- F:\Documents and Settings\Tim Halls\Application Data\Easy Macro Recorder

2008-03-28 17:11 . 1998-06-23 23:00 67,376 --a------ F:\WINNT\system32\SYSINFO.OCX

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-04-16 06:16 --------- d-----w F:\Documents and Settings\Tim Halls\Application Data\SolidDocuments

2008-04-16 04:59 --------- d-----w F:\Program Files\Symantec

2008-04-16 04:59 --------- d-----w F:\Program Files\Common Files\Symantec Shared

2008-04-15 23:40 --------- d---a-w F:\Documents and Settings\All Users\Application Data\TEMP

2008-04-15 17:05 --------- d-----w F:\Documents and Settings\All Users\Application Data\Google Updater

2008-04-14 17:36 --------- d-----w F:\Program Files\Lexmark X74-X75

2008-04-14 10:43 --------- d-----w F:\Documents and Settings\All Users\Application Data\Installations

2008-04-11 13:30 --------- d-----w F:\Documents and Settings\All Users\Application Data\PC Suite

2008-04-09 13:01 --------- d-----w F:\Program Files\Nokia

2008-04-09 12:41 --------- d-----w F:\Program Files\Common Files\Nokia

2008-03-28 08:08 --------- d-----w F:\Program Files\Common Files\InstallShield

2008-03-28 07:48 --------- d--h--w F:\Program Files\InstallShield Installation Information

2008-03-19 09:47 1,845,248 ----a-w F:\WINNT\system32\win32k.sys

2008-03-15 00:04 --------- d-----w F:\Documents and Settings\All Users\Application Data\Symantec

2008-03-14 07:53 --------- d-----w F:\Program Files\VIA

2008-03-13 12:53 --------- d-----w F:\Documents and Settings\All Users\Application Data\PC Drivers Headquarters

2008-03-13 12:51 --------- d-----w F:\Program Files\PC Drivers HeadQuarters

2008-03-10 14:03 --------- d-----w F:\Program Files\MSXML 6.0

2008-03-01 13:06 826,368 ----a-w F:\WINNT\system32\wininet.dll

2008-02-25 10:24 105,088 ----a-w F:\WINNT\system32\drivers\Rtnicxp.sys

2008-02-20 06:51 282,624 ----a-w F:\WINNT\system32\gdi32.dll

2008-02-20 05:32 45,568 ----a-w F:\WINNT\system32\dnsrslvr.dll

2008-02-01 05:47 90,624 ----a-w F:\WINNT\system32\nmwcdcls.dll

2003-08-23 10:18 271 --sh--w F:\Program Files\desktop.ini

2003-08-23 10:18 21,952 ---ha-w F:\Program Files\folder.htt

.

----a-w 50,795,746 2003-11-13 21:53:42 F:\Documents and Settings\Tim Halls\My Documents\Shared Files\Applications\Partition Magic\Partition Magic 8 Pro FULL BY PILPELON .exe

((((((((((((((((((((((((((((( snapshot@2008-04-17_10.04.15.91 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-04-17 00:24:44 2,048 --s-a-w F:\WINNT\bootstat.dat

+ 2008-04-17 06:49:12 2,048 --s-a-w F:\WINNT\bootstat.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"ctfmon.exe"="F:\WINNT\system32\ctfmon.exe" [2004-08-04 21:30 15360]

"PC Suite Tray"="F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" [2007-12-10 09:12 695808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"1A:Stardock TrayMonitor"="" []

"Lexmark X74-X75"="F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 14:09 57344]

"AVP"="F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe" [2007-08-23 14:16 200768]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

"1A:Stardock TrayMonitor"="" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]

"^SetupICWDesktop"="F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [2004-08-04 21:30 214528]

"tscuninstall"="F:\WINNT\system32\tscupgrd.exe" [2004-08-04 21:30 44544]

F:\Documents and Settings\Administrator\Start Menu\Programs\Startup\

Greetings Workshop Reminders.lnk - F:\Program Files\Greetings Workshop\GWREMIND.EXE [1997-09-04 50688]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]

"{93994DE8-8239-4655-B1D1-5F4E91300429}"= F:\PROGRA~1\DVDREG~1\DVDShell.dll [2003-08-26 09:58 49152]

"{EDB0E980-90BD-11D4-8599-0008C7D3B6F8}"= F:\Program Files\Qualcomm\Eudora\EuShlExt.dll [2001-04-12 17:05 77824]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]

@="Driver"

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]

path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk

backup=F:\WINNT\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKLM\~\startupfolder\F:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]

path=F:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk

backup=F:\WINNT\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]

--a------ 2006-01-12 20:52 483328 F:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]

-ra------ 2007-08-09 14:48 528384 F:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]

--a------ 2002-11-02 16:03 45056 F:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]

--a------ 2004-08-04 21:30 208952 F:\WINNT\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IntelliPoint]

--a------ 2005-12-04 16:39 461584 F:\Program Files\Microsoft IntelliPoint\ipoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]

F:\WINNT\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LanguageShortcut]

--a------ 2006-12-05 21:55 54832 F:\Program Files\CyberLink\PowerDVD\Language\Language.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X74-X75]

--------- 2002-10-14 14:09 57344 F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]

--a------ 2004-08-04 21:30 59392 F:\WINNT\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2001-07-09 10:50 155648 F:\WINNT\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Opware12]

--a------ 2002-08-01 03:49 49152 F:\Program Files\ScanSoft\OmniPagePro12.0\Opware12.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]

--a------ 2007-12-10 09:12 695808 F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]

--a------ 2007-11-07 16:35 1294336 F:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]

--a------ 2004-08-04 21:30 455168 F:\WINNT\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]

--a------ 2004-08-04 21:30 455168 F:\WINNT\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--------- 2006-11-23 14:10 56928 F:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Say the Time]

--a------ 2006-01-28 00:00 1253376 F:\Program Files\Say the Time\SayTime.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SDTray]

F:\Program Files\Spyware Doctor\SDTrayApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]

-ra------ 2007-08-17 03:45 23120680 F:\Program Files\Skype\Phone\Skype.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

-ra------ 2001-08-02 13:48 124416 F:\WINNT\SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2006-10-12 02:10 49263 F:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]

--a------ 2004-08-04 21:30 143360 F:\WINNT\system32\mobsync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\vptray]

F:\Program Files\NavNT\vptray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

"TlntSvr"=3 (0x3)

"TermService"=3 (0x3)

"TapiSrv"=3 (0x3)

"SCardSvr"=3 (0x3)

"SCardDrv"=3 (0x3)

"RDSessMgr"=3 (0x3)

"RasMan"=3 (0x3)

"RasAuto"=3 (0x3)

"mnmsrvc"=3 (0x3)

"ERSvc"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"F:\\Program Files\\Caplio Software\\RGateL.exe"=

"F:\\WINNT\\system32\\LEXPPS.EXE"=

"F:\\WINNT\\system32\\rundll32.exe"=

"F:\\WINNT\\system32\\dpvsetup.exe"=

"F:\\Program Files\\Caplio Software\\RGateLXP.exe"=

"F:\\Program Files\\CuteFTP\\CUTFTP32.EXE"=

"F:\\StubInstaller.exe"=

"F:\\Program Files\\LimeWire\\LimeWire.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"F:\\Program Files\\Skype\\Phone\\Skype.exe"=

"F:\\Program Files\\CounterPath\\X-Lite\\x-lite.exe"=

"F:\\Program Files\\Common Files\\Nokia\\Service Layer\\A\\nsl_host_process.exe"=

"F:\\Program Files\\Nokia\\Nokia Software Updater\\nsu_ui_client.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"3587:TCP"= 3587:TCP:Windows Peer-to-Peer Grouping

"3540:UDP"= 3540:UDP:Peer Name Resolution Protocol (PNRP)

"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015

"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016

"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]

"AllowInboundEchoRequest"= 1 (0x1)

R0 videX32;videX32;F:\WINNT\system32\DRIVERS\videX32.sys [2007-09-21 16:49]

R1 VIAPFD;VIAPFD;F:\WINNT\system32\Drivers\VIAPFD.SYS [2001-05-04 16:54]

R2 ptssvc;ptssvc;F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe [2003-08-25 15:25]

S2 BT848;AVerMedia, AVerTV WDM Video Capture;F:\WINNT\system32\drivers\BT848.sys [2001-08-10 10:08]

S2 BTTUNER;AVerMedia, AVerTV WDM TvTuner;F:\WINNT\system32\drivers\BTTUNER.sys [2001-07-12 20:20]

S2 BTXBAR;AVerMedia, AVerTV WDM Crossbar;F:\WINNT\system32\drivers\BTXBAR.sys [1999-07-22 08:28]

S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;F:\WINNT\system32\Drivers\ousbehci.sys [2004-11-15 08:18]

S3 Eplpdx01;Eplpdx01;F:\WINNT\system32\Drivers\EPLPDX01.SYS [1998-05-25 19:30]

S3 FNC107;LevelOne 10/100Mbps Fast Ethernet Adapter NT Driver;F:\WINNT\system32\DRIVERS\FNC107.sys [2002-01-17 22:36]

S3 nmwcdnsu;Nokia USB Flashing Phone Parent;F:\WINNT\system32\drivers\nmwcdnsu.sys [2008-02-01 15:17]

S3 nmwcdnsuc;Nokia USB Flashing Generic;F:\WINNT\system32\drivers\nmwcdnsuc.sys [2008-02-01 15:17]

S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;F:\WINNT\system32\DRIVERS\ousb2hub.sys [2004-11-15 08:18]

S3 p2pgasvc;Peer Networking Group Authentication;F:\WINNT\system32\svchost.exe [2004-08-04 21:30]

S3 p2pimsvc;Peer Networking Identity Manager;F:\WINNT\system32\svchost.exe [2004-08-04 21:30]

S3 p2psvc;Peer Networking;F:\WINNT\system32\svchost.exe [2004-08-04 21:30]

S3 PNRPSvc;Peer Name Resolution Protocol;F:\WINNT\system32\svchost.exe [2004-08-04 21:30]

S3 upperdev;upperdev;F:\WINNT\system32\DRIVERS\usbser_lowerflt.sys [2007-11-29 10:39]

S3 UsbserFilt;UsbserFilt;F:\WINNT\system32\DRIVERS\usbser_lowerfltj.sys [2007-11-29 10:39]

S3 VcomPort1;%VcomPort1.SVCDESC%;F:\WINNT\system32\DRIVERS\vcomric1.sys [2002-05-10 01:04]

S3 Winacpci;Winacpci;F:\WINNT\system32\DRIVERS\winacpci.sys [1999-09-24 23:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

*Newly Created Service* - CATCHME

.

Contents of the 'Scheduled Tasks' folder

"2007-09-05 11:11:25 F:\WINNT\Tasks\RegCure Program Check.job"

- F:\Program Files\RegCure\RegCure.exe

"2006-11-03 11:18:31 F:\WINNT\Tasks\RegCure.job"

- F:\Program Files\RegCure\RegCure.exe

.

**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-04-17 16:32:35

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-04-17 16:34:32

ComboFix-quarantined-files.txt 2008-04-17 07:04:22

Pre-Run: 44,262,158,336 bytes free

Post-Run: 44,255,780,864 bytes free

.

2008-04-13 15:00:22 --- E O F ---

Latest HijackThis

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:54:26 AM, on 18/04/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

F:\WINNT\System32\smss.exe

F:\WINNT\system32\winlogon.exe

F:\WINNT\system32\services.exe

F:\WINNT\system32\lsass.exe

F:\WINNT\system32\svchost.exe

F:\WINNT\System32\svchost.exe

F:\WINNT\system32\svchost.exe

F:\WINNT\system32\LEXBCES.EXE

F:\WINNT\system32\spoolsv.exe

F:\WINNT\system32\LEXPPS.EXE

F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe

F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe

F:\Program Files\CyberLink\Shared Files\RichVideo.exe

F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

F:\WINNT\system32\svchost.exe

F:\WINNT\Explorer.EXE

F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

F:\Program Files\Lexmark X74-X75\lxbbbmon.exe

F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe

F:\WINNT\system32\ctfmon.exe

F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

F:\Program Files\PC Connectivity Solution\ServiceLayer.exe

F:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

F:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

F:\Program Files\Internet Explorer\iexplore.exe

F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adam.com.au/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll

O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll

O4 - HKLM\..\Run: [Lexmark X74-X75] "F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

O4 - HKLM\..\Run: [AVP] "F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"

O4 - HKCU\..\Run: [ctfmon.exe] F:\WINNT\system32\ctfmon.exe

O4 - HKCU\..\Run: [PC Suite Tray] "F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray

O4 - HKUS\S-1-5-19\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O9 - Extra button: (no name) - SolidConverterPDF - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\WINNT\system32\shdocvw.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

O10 - Unknown file in Winsock LSP: f:\winnt\system32\nwprovau.dll

O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB

O16 - DPF: {3C200107-2959-4C6E-91B8-F6D911B398A8} (Driver_Detective_v43_Members.DD_v43) - http://www.drivershq.com/cab/prod/Driver_D...v43_Members.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150564729610

O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photos.extrafilm.com.au/en/Photo/XUpload.ocx

O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{83D3E1CC-BCBE-49FF-A428-AE9A0F579EE4}: NameServer = 203.2.124.164,203.2.124.165

O17 - HKLM\System\CCS\Services\Tcpip\..\{FF82F7C1-7924-443F-BA96-A441ADAC80F0}: NameServer = 192.168.1.1

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe

O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINNT\system32\LEXBCES.EXE

O23 - Service: ptssvc - KODAK - F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

O23 - Service: ScsiAccess - Unknown owner - F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

O23 - Service: ServiceLayer - Nokia. - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe

O24 - Desktop Component 0: (no name) - file:///E:/Kathy's%20Japan%20Trip_2003/Family_2003/Wilmington/55229775_lrg.jpg

--

End of file - 8218 bytes

Event Viewer Screenshots

- System -

Sorry Ryan - I will forward these later as I have encountered a problem.

Cheers and thanks for now, Tim

There's still some work to be done.

== Install Recovery Console ==

Go to Microsoft's website => http://support.microsoft.com/kb/310994

Select the download that's appropriate for your Operating System.

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

== Fix HJT Entries ==

You will want to print out a copy of these instructions to follow while you complete this procedure, as you will not be able to access the internet later in the fix.

Open HiJack This and scan. When it finishes, put an X in the box next to the following item(s):

O20 - Winlogon Notify: mgsmpvgk - mgsmpvgk.dll (file missing)

O20 - Winlogon Notify: __c0063FF1 - __c0063FF1.dat (file missing)

O20 - Winlogon Notify: __c00AFDDB - __c00AFDDB.dat (file missing)

Close all open windows except for HiJack This and click fix checked.

Reboot your computer.

== CFScript ==

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::

F:\WINNT\system32\csuwwinu.ini

F:\WINNT\system32\lnjvmcmp.ini

F:\WINNT\system32\mgsmpvgk.dll

F:\WINNT\system32\__c0063FF1.dat

F:\WINNT\system32\__c00AFDDB.dat

RenV::

----a-w 50,795,746 2003-11-13 21:53:42 F:\Documents and Settings\Tim Halls\My Documents\Shared Files\Applications\Partition Magic\Partition Magic 8 Pro FULL BY PILPELON .exe

3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

  • Combofix.txt
  • A new HijackThis log.

Please post these directly as a reply (do not attach them), as it makes it easier for me to read them when they are on the forum.

-Ryan

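The fix above boils down to two checks a helper repeats on every HijackThis log: O20 Winlogon Notify entries whose DLL is missing (or oddly named), and O4 Run/RunOnce entries that point at software already uninstalled, such as the Spyware Doctor entries visible in the logs above. The Python below is an added example, not code from this thread, from HijackThis or from ComboFix. It parses those two line types, flags them, and emits the matching `File::` section of a CFScript. Two things are assumptions of mine: that a Winlogon Notify package named `__c<hex digits>.dat` is suspect even when the file is present, and that Winlogon Notify DLLs without a path live in the system32 directory passed in. The sample lines are constructed from entries quoted in this thread plus one made-up benign entry for contrast.

```python
"""Triage HijackThis log lines for the fix described above: Winlogon Notify
(O20) entries whose DLL is missing or oddly named, and Run/RunOnce (O4)
entries left behind by software that has since been uninstalled."""
import re
from typing import Dict, Iterable, List

# "O20 - Winlogon Notify: <name> - <file>[ (file missing)]"
O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<file>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
# "O4 - <hive>\..\Run: [<label>] <command>"  (RunOnce as well)
O4_RE = re.compile(
    r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run(?:Once)?): "
    r"\[(?P<label>[^\]]+)\] (?P<cmd>.+)$"
)
# First token of the command line: a quoted path or a bare one.
EXE_RE = re.compile(r'^"(?P<quoted>[^"]+)"|^(?P<bare>\S+)')
# Assumption, not a rule from the thread: a Winlogon Notify package named
# "__c" + hex digits + ".dat" is reported even if the file is present.
SUSPECT_FILE_RE = re.compile(r"^__c[0-9a-f]+\.dat$", re.IGNORECASE)


def triage(lines: Iterable[str], removed_programs: Iterable[str]) -> List[Dict[str, str]]:
    """Return one finding per suspicious line: the line itself, the file it
    names and the reason it was flagged."""
    removed = [p.lower() for p in removed_programs]
    findings: List[Dict[str, str]] = []
    for raw in lines:
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            if m.group("missing"):
                reason = "Winlogon Notify DLL is missing"
            elif SUSPECT_FILE_RE.match(m.group("file")):
                reason = "Winlogon Notify DLL has a suspect name"
            else:
                continue
            findings.append({"line": line, "file": m.group("file"), "reason": reason})
            continue
        m = O4_RE.match(line)
        if m:
            cmd = m.group("cmd")
            hit = next((p for p in removed if p in cmd.lower()), None)
            if hit is None:
                continue
            e = EXE_RE.match(cmd)
            exe = e.group("quoted") or e.group("bare")
            findings.append({"line": line, "file": exe,
                             "reason": f"autostart left behind by uninstalled '{hit}'"})
    return findings


def build_cfscript(findings: List[Dict[str, str]], system32: str) -> str:
    """Turn the Winlogon Notify findings into a ComboFix 'File::' section.
    Assumes, as the fix above does, that the DLLs live in system32."""
    paths = [system32.rstrip("\\") + "\\" + f["file"]
             for f in findings if f["reason"].startswith("Winlogon Notify")]
    if not paths:
        return ""
    return "File::\n" + "\n".join(paths) + "\n"


# Constructed sample: the three O20 lines quoted in the post above (one with
# the "(file missing)" tag dropped), two O4 lines of the kind seen in the
# logs, and one benign O20 entry (igfxcui) that must not be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVP] "F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKUS\S-1-5-19\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'LOCAL SERVICE')
O20 - Winlogon Notify: igfxcui - igfxdev.dll
O20 - Winlogon Notify: mgsmpvgk - mgsmpvgk.dll (file missing)
O20 - Winlogon Notify: __c0063FF1 - __c0063FF1.dat (file missing)
O20 - Winlogon Notify: __c00AFDDB - __c00AFDDB.dat
""".strip().splitlines()

if __name__ == "__main__":
    found = triage(SAMPLE_LOG, ["Spyware Doctor"])
    for f in found:
        print(f"{f['reason']}: {f['file']}")
    print(build_cfscript(found, r"F:\WINNT\system32"))
```

Run against a full log, the orphaned O4 entries are the ones to tick in HijackThis, while the `File::` output is pasted into CFScript.txt as in step 2 above.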

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to restart. (See Extra Note.)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

-Ryan


Hi Ryan

Have run Anti-Malware with update - as specified. It found one registry key infection. The log is below.

Malwarebytes' Anti-Malware 1.11

Database version: 652

Scan type: Full Scan (C:\|F:\|G:\|H:\|)

Objects scanned: 160406

Time elapsed: 2 hour(s), 55 minute(s), 56 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Can you tell me what the effect of the infected key would have been? Would it have contributed to STOP errors?

Other Matters

Ryan, on re-booting yesterday after running ComboFix the PC stated my User Profile was damaged. Overnight I raised a new profile and noted how much quicker the PC was running. I made the decision to migrate my User settings across to the new profile (which had Administrator rights like my original) but then found Office 2003 products were slow to load with the Windows MSI installer constantly providing an impasse. Moreover, Outlook would not load at all. I made the decision to uninstall and re-load all Office 2003 products. This resolved the problem.

I have not had the blue screen of death since raising the new profile and running Anti-Malware. However I have not run RegCure as yet either. I will do this shortly and see what the result is. I note looking at the Event Viewer that all applications appear to be loading A-OK now and the only system errors noted are those from last night when the issues with MS-Office were experienced.

Any further suggestions? I believe increasing the size of the boot partition on the primary drive and placing the pagefile there has contributed to the increased performance I have presently as well.

Cheers, Tim


Hi Ryan

Please find below my latest HijackTHis log, as requested.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:09:46 PM, on 4/20/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

F:\WINNT\System32\smss.exe

F:\WINNT\system32\winlogon.exe

F:\WINNT\system32\services.exe

F:\WINNT\system32\lsass.exe

F:\WINNT\system32\svchost.exe

F:\WINNT\System32\svchost.exe

F:\WINNT\system32\svchost.exe

F:\WINNT\system32\LEXBCES.EXE

F:\WINNT\system32\spoolsv.exe

F:\WINNT\system32\LEXPPS.EXE

F:\WINNT\Explorer.EXE

F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe

F:\WINNT\system32\ctfmon.exe

F:\Program Files\Microsoft ActiveSync\wcescomm.exe

F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

F:\Program Files\Lexmark X74-X75\lxbbbmon.exe

F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe

F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe

F:\PROGRA~1\MICROS~4\rapimgr.exe

F:\Program Files\CyberLink\Shared Files\RichVideo.exe

F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

F:\WINNT\system32\svchost.exe

F:\Program Files\PC Connectivity Solution\ServiceLayer.exe

F:\WINNT\system32\wuauclt.exe

F:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

F:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

F:\Program Files\Internet Explorer\iexplore.exe

F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

--

End of file - 1651 bytes

Thanks for all of your support.

Tim

Please post a new HiJack This log.

-Ryan


Hi Ryan

Please ignore the previous post of HiJack This log. For some reason the notepad log failed to report the classes of the processes running beneath the file location information. The full log is enclosed below. I note the following entries in the log which refer to Spyware Doctor:

O4 - HKUS\S-1-5-19\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'NETWORK SERVICE')

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\WINNT\system32\shdocvw.dll

Spyware Doctor has been removed and replaced with The Shield Deluxe 2008 software. It seems this is an artefact sitting in my registry. I confirm the program was removed from the Add/Remove Programs interface. Is there a means of removing this without causing disruption to the PC's directory?

The HiJack This log in full for your inspection follows:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:15:51 PM, on 4/20/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

F:\WINNT\System32\smss.exe

F:\WINNT\system32\winlogon.exe

F:\WINNT\system32\services.exe

F:\WINNT\system32\lsass.exe

F:\WINNT\system32\svchost.exe

F:\WINNT\System32\svchost.exe

F:\WINNT\system32\svchost.exe

F:\WINNT\system32\LEXBCES.EXE

F:\WINNT\system32\spoolsv.exe

F:\WINNT\system32\LEXPPS.EXE

F:\WINNT\Explorer.EXE

F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe

F:\WINNT\system32\ctfmon.exe

F:\Program Files\Microsoft ActiveSync\wcescomm.exe

F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

F:\Program Files\Lexmark X74-X75\lxbbbmon.exe

F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe

F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe

F:\PROGRA~1\MICROS~4\rapimgr.exe

F:\Program Files\CyberLink\Shared Files\RichVideo.exe

F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

F:\WINNT\system32\svchost.exe

F:\Program Files\PC Connectivity Solution\ServiceLayer.exe

F:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

F:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

F:\Program Files\Internet Explorer\iexplore.exe

F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adam.com.au/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wikisend.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll

O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll

O4 - HKLM\..\Run: [Lexmark X74-X75] "F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

O4 - HKLM\..\Run: [AVP] "F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"

O4 - HKCU\..\Run: [ctfmon.exe] F:\WINNT\system32\ctfmon.exe

O4 - HKCU\..\Run: [ccleaner] "F:\Program Files\CCleaner\CCleaner.exe" /AUTO

O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [PC Suite Tray] "F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray

O4 - HKUS\S-1-5-19\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - SolidConverterPDF - (no file)

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\WINNT\system32\shdocvw.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

O10 - Unknown file in Winsock LSP: f:\winnt\system32\nwprovau.dll

O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB

O16 - DPF: {3C200107-2959-4C6E-91B8-F6D911B398A8} (Driver_Detective_v43_Members.DD_v43) - http://www.drivershq.com/cab/prod/Driver_D...v43_Members.CAB

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150564729610

O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photos.extrafilm.com.au/en/Photo/XUpload.ocx

O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{83D3E1CC-BCBE-49FF-A428-AE9A0F579EE4}: NameServer = 203.2.124.164,203.2.124.165

O17 - HKLM\System\CCS\Services\Tcpip\..\{FF82F7C1-7924-443F-BA96-A441ADAC80F0}: NameServer = 192.168.1.1

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe

O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINNT\system32\LEXBCES.EXE

O23 - Service: ptssvc - KODAK - F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

O23 - Service: ScsiAccess - Unknown owner - F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

O23 - Service: ServiceLayer - Nokia. - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 10167 bytes

Thanks Tim

Please post a new HiJack This log.

-Ryan


Open HiJack This and scan. When it finishes, put an X in the box next to these following item(s)

O4 - HKUS\S-1-5-19\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'NETWORK SERVICE')

O9 - Extra button: (no name) - SolidConverterPDF - (no file)

O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\WINNT\system32\shdocvw.dll

O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

Close all open windows except for HiJack This and click fix checked.

Reboot your computer.

Please post an Uninstall List.

To obtain an Uninstall list.

  • Open HijackThis, click Config, click Misc Tools
    Click "Open Uninstall Manager"
    Click "Save List" (generates uninstall_list.txt)

-Ryan

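The entries ticked above share two traits: the button is registered against "(no file)", or the product it belongs to (Spyware Doctor) is no longer on the machine while its autostart or IE button lingers. As an added example, not part of this thread and not HijackThis code, here is a small Python triage script that parses O4/O9 log lines and flags exactly those cases. The sample lines are copied from the log above; the sets standing in for a directory listing and the Add/Remove Programs list are constructed for the example.

```python
"""Triage helper for HijackThis O4/O9 lines (added example; not HijackThis or forum code).

Flags three stale patterns: an O9 button registered with "(no file)", an O4 autostart
whose target executable is gone, and an O9 button for a product that is no longer in
Add/Remove Programs but is hosted by a Windows system DLL.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# A drive-letter path that ends in an executable or DLL name.
PATH_RE = r'([A-Za-z]:\\[^"]+?\.(?:exe|dll))'
O4_RE = re.compile(r'\[(?P<name>[^\]]+)\]\s*"?' + PATH_RE, re.IGNORECASE)
O9_NAME_RE = re.compile(r"^Extra (?:button|'Tools' menuitem): (?P<name>.+?) - ")
O9_PATH_RE = re.compile(r" - " + PATH_RE + r"\s*(?:\(HKCU\))?\s*$", re.IGNORECASE)
SYSTEM_DIRS = ("\\winnt\\system32\\", "\\windows\\system32\\")


@dataclass
class Entry:
    line: str
    section: str
    name: Optional[str]   # O4 value name or O9 button caption; None for "(no name)"
    path: Optional[str]   # referenced file; None when the entry carries no drive path
    no_file: bool         # HijackThis printed "(no file)" for this entry


def parse_hjt(text: str) -> List[Entry]:
    """Parse a HijackThis log; O4/O9 lines are decoded, other sections kept as-is."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        name = path = None
        if section == "O4":
            hit = O4_RE.search(body)
            if hit:
                name, path = hit.group("name"), hit.group(2)
        elif section == "O9":
            hit = O9_NAME_RE.match(body)
            if hit and hit.group("name") != "(no name)":
                name = hit.group("name")
            hit = O9_PATH_RE.search(body)
            if hit:
                path = hit.group(1)
        entries.append(Entry(raw, section, name, path, "(no file)" in body))
    return entries


def flag_stale(entries: List[Entry], present_files: Set[str],
               installed_programs: Set[str]) -> List[Tuple[Entry, str]]:
    """Return (entry, reason) pairs that are candidates for 'Fix checked'."""
    present = {p.lower() for p in present_files}
    installed = {p.lower() for p in installed_programs}
    findings: List[Tuple[Entry, str]] = []
    for e in entries:
        if e.section == "O9" and e.no_file:
            findings.append((e, "IE button registered against a file that no longer exists"))
        elif e.section == "O4" and e.path and e.path.lower() not in present:
            findings.append((e, "autostart target missing on disk"))
        elif (e.section == "O9" and e.name and e.path
              and any(d in e.path.lower() for d in SYSTEM_DIRS)
              and not any(e.name.lower() in p for p in installed)):
            findings.append((e, "button for an uninstalled product, hosted by a Windows DLL"))
    return findings


# Constructed sample: log lines from the thread, plus stand-ins for a directory listing
# and the Add/Remove Programs list (Spyware Doctor is absent from both).
SAMPLE_LOG = r"""O4 - HKLM\..\Run: [AVP] "F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKUS\S-1-5-19\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [spyware Doctor] "F:\Program Files\Spyware Doctor\swdoctor.exe" /Q (User 'NETWORK SERVICE')
O9 - Extra button: (no name) - SolidConverterPDF - (no file)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - F:\WINNT\system32\shdocvw.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
"""
PRESENT_FILES = {
    r"F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe",
    r"F:\Program Files\Java\jre1.5.0_09\bin\ssv.dll",
    r"F:\WINNT\system32\shdocvw.dll",
}
INSTALLED_PROGRAMS = {"The Shield Deluxe 2008", "SolidConverterPDF",
                      "J2SE Runtime Environment 5.0 Update 9"}

if __name__ == "__main__":
    for entry, reason in flag_stale(parse_hjt(SAMPLE_LOG), PRESENT_FILES, INSTALLED_PROGRAMS):
        print(f"[x] {entry.line}\n    -> {reason}")
```

Running it prints the same five lines Ryan ticked; the Java console entry, whose DLL lives under its own product directory, is left alone.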

Hi Ryan

Thanks for all the help thus far. It is taking time, however the PC is gradually coming good. Before posting the HijackThis Uninstall log you requested, I advise I ran Dr CureIt overnight in full scan mode. It was a long scan but I suspected there was something still afoot with viruses in the PC. Whilst I do not get the STOP: 0x00000050 error anymore when running registry cleaner scans, both Registry Cleaner (RegClean) and Registry First Aid cause the PC to reboot of its own accord when run. I have not had this issue previously. I ran Dr CureIt with the aim of determining whether Trojan.Win32.Agent.aw (Trojan.Medude) was present. As you may be aware, this virus is known for this particular STOP/reboot error.

The outcome of this extensive scan was that it found 3-4 of the same virus in files, however 8-9 in sections of my XP restore directory. I had the program either cure/delete all of the files involved. Following this, I also uninstalled the restore function with removal of all restore points and rebooted the PC (wasn't taking any chances). On startup and re-entering Windows I established a new restore point just in case the system went down.

Any case, the Uninstall log from HijackThis you requested follows beneath.

25 Nature scenes 1.0. Screen Saver

Able2Extract v2.20

Adobe Acrobat 7.0.9 Professional

Adobe Flash Player ActiveX

Adobe Illustrator 10

Adobe PageMaker 7.0

Adobe Photoshop 7.0

Adobe SVG Viewer 3.0

ArcSoft PhotoImpression

aspi

Caplio Software

CCHelp

CCleaner (remove only)

CCScore

Cheetah DVD Burner

CuteFTP

DASS 21 Scoring and Interpretation Generator

DIY DataRecovery DiskPatch 2.1

Driver Detective

Driver Detective

DVD Decrypter (Remove Only)

DVD Region-Free 3.10

DVD Shrink 3.2

DVD Suite

Easy Macro Recorder 3.68

ESSAdpt

ESSANUP

ESSBrwr

ESSCAM

ESSCDBK

ESScore

ESSgui

ESShelp

ESSini

ESSPCD

ESSstore

ESSTUTOR

ESSvpaht

ESSvpot

Eudora

Google Toolbar for Internet Explorer

Google Toolbar for Internet Explorer

Google Updater

Greetings Workshop Deluxe

Harrison InnerView Australian Uninstall

HijackThis 2.0.2

Hotfix for Windows Internet Explorer 7 (KB947864)

Hotfix for Windows Media Format 11 SDK (KB929399)

Hotfix for Windows Media Player 11 (KB939683)

Hotfix for Windows XP (KB909394)

Hotfix for Windows XP (KB914440)

Hotfix for Windows XP (KB915865)

Hotfix for Windows XP (KB926239)

Hotfix for Windows XP (KB929120)

ImageToAVI 1.0.0.2

InterVideo WinDVD 5

iriver plus 2 (remove only)

J2SE Runtime Environment 5.0 Update 7

J2SE Runtime Environment 5.0 Update 9

Jasc Paint Shop Pro 9

Jasc Paint Shop Pro 9 GDI+ Patch

Jasc Paint Shop Pro 9.01 - (9.0.1.1)

Jasc Paint Shop Pro 9.01 Patch

Kodak EasyShare software

KPrint

KSU

Legal Billing v6

Lexmark X74-X75

LimeWire 4.12.6

LiveReg (Symantec Corporation)

Macromedia Dreamweaver 4

Macromedia Extension Manager

Macromedia Fireworks 4

Malwarebytes' Anti-Malware

Marketing Plan Pro 6.0

Meta Tag Builder

Microsoft .NET Framework 2.0 Service Pack 1

Microsoft ActiveSync 4.0

Microsoft Compression Client Pack 1.0 for Windows XP

Microsoft Data Access Components KB870669

Microsoft Internationalized Domain Names Mitigation APIs

Microsoft Kernel-Mode Driver Framework Feature Pack 1.5

Microsoft National Language Support Downlevel APIs

Microsoft Office FrontPage 2003

Microsoft Office Professional Edition 2003

Microsoft Office Visio Professional 2003

Microsoft User-Mode Driver Framework Feature Pack 1.5

Microsoft Visual C++ 2005 Redistributable

Microsoft Windows Journal Viewer

Microsoft XML Parser and SDK

MSVC80_x86

MSXML 4.0 SP2 (KB927978)

MSXML 4.0 SP2 (KB936181)

MSXML 6.0 Parser (KB933579)

MYOB Premier v5.0.2

Nero OEM

Nero Suite

Nokia Connectivity Cable Driver

Nokia Flashing Cable Driver

Nokia Multimedia Factory

Nokia Multimedia Factory

Nokia PC Suite

Nokia PC Suite

Nokia Software Updater

Nokia Video Manager

Nokia Video Manager

Norton Ghost

Notifier

NVIDIA Display Driver

OmniPage Pro 12.0

OTtBP

PC Connectivity Solution

PCDLNCH

Photodex Presenter

PowerDVD

PowerProducer

PowerQuest PartitionMagic 8.0

ProShow Gold

PTSD Checklist Scoring and Interpretation Generator

QuickTime

Registry First Aid

ScanSoft RealSpeak

Security Update for Windows Internet Explorer 7 (KB933566)

Security Update for Windows Internet Explorer 7 (KB937143)

Security Update for Windows Internet Explorer 7 (KB938127)

Security Update for Windows Internet Explorer 7 (KB939653)

Security Update for Windows Internet Explorer 7 (KB942615)

Security Update for Windows Internet Explorer 7 (KB944533)

Security Update for Windows Media Player (KB911564)

Security Update for Windows Media Player 11 (KB936782)

Security Update for Windows Media Player 6.4 (KB925398)

Security Update for Windows Media Player 9 (KB917734)

Security Update for Windows Media Player 9 (KB936782)

Security Update for Windows XP (KB890046)

Security Update for Windows XP (KB893756)

Security Update for Windows XP (KB896358)

Security Update for Windows XP (KB896422)

Security Update for Windows XP (KB896423)

Security Update for Windows XP (KB896424)

Security Update for Windows XP (KB896428)

Security Update for Windows XP (KB899587)

Security Update for Windows XP (KB899589)

Security Update for Windows XP (KB899591)

Security Update for Windows XP (KB900725)

Security Update for Windows XP (KB901017)

Security Update for Windows XP (KB901190)

Security Update for Windows XP (KB901214)

Security Update for Windows XP (KB902400)

Security Update for Windows XP (KB904706)

Security Update for Windows XP (KB905414)

Security Update for Windows XP (KB905749)

Security Update for Windows XP (KB908519)

Security Update for Windows XP (KB911562)

Security Update for Windows XP (KB911567)

Security Update for Windows XP (KB911927)

Security Update for Windows XP (KB912919)

Security Update for Windows XP (KB913580)

Security Update for Windows XP (KB914388)

Security Update for Windows XP (KB914389)

Security Update for Windows XP (KB916281)

Security Update for Windows XP (KB917159)

Security Update for Windows XP (KB917344)

Security Update for Windows XP (KB917422)

Security Update for Windows XP (KB917953)

Security Update for Windows XP (KB918118)

Security Update for Windows XP (KB918439)

Security Update for Windows XP (KB918899)

Security Update for Windows XP (KB919007)

Security Update for Windows XP (KB920213)

Security Update for Windows XP (KB920214)

Security Update for Windows XP (KB920670)

Security Update for Windows XP (KB920683)

Security Update for Windows XP (KB920685)

Security Update for Windows XP (KB921398)

Security Update for Windows XP (KB921503)

Security Update for Windows XP (KB921883)

Security Update for Windows XP (KB922616)

Security Update for Windows XP (KB922760)

Security Update for Windows XP (KB922819)

Security Update for Windows XP (KB923191)

Security Update for Windows XP (KB923414)

Security Update for Windows XP (KB923689)

Security Update for Windows XP (KB923694)

Security Update for Windows XP (KB923810)

Security Update for Windows XP (KB923980)

Security Update for Windows XP (KB924191)

Security Update for Windows XP (KB924270)

Security Update for Windows XP (KB924496)

Security Update for Windows XP (KB924667)

Security Update for Windows XP (KB925454)

Security Update for Windows XP (KB925486)

Security Update for Windows XP (KB925902)

Security Update for Windows XP (KB926255)

Security Update for Windows XP (KB926436)

Security Update for Windows XP (KB927779)

Security Update for Windows XP (KB927802)

Security Update for Windows XP (KB928090)

Security Update for Windows XP (KB928255)

Security Update for Windows XP (KB928843)

Security Update for Windows XP (KB929123)

Security Update for Windows XP (KB930178)

Security Update for Windows XP (KB931261)

Security Update for Windows XP (KB931768)

Security Update for Windows XP (KB931784)

Security Update for Windows XP (KB932168)

Security Update for Windows XP (KB933566)

Security Update for Windows XP (KB933729)

Security Update for Windows XP (KB935839)

Security Update for Windows XP (KB935840)

Security Update for Windows XP (KB936021)

Security Update for Windows XP (KB937894)

Security Update for Windows XP (KB938829)

Security Update for Windows XP (KB941202)

Security Update for Windows XP (KB941568)

Security Update for Windows XP (KB941569)

Security Update for Windows XP (KB941644)

Security Update for Windows XP (KB941693)

Security Update for Windows XP (KB943055)

Security Update for Windows XP (KB943460)

Security Update for Windows XP (KB943485)

Security Update for Windows XP (KB944653)

Security Update for Windows XP (KB945553)

Security Update for Windows XP (KB946026)

Security Update for Windows XP (KB948590)

Security Update for Windows XP (KB948881)

Serials 2000

SFR

SFR2

Skype™ 3.5

SnagIt 5

SolidConverterPDF

Splats html

The Shield Deluxe 2008

The Shield Deluxe 2008

Time and Chaos

Time and Chaos 6

TimeZone Map

Ulead PhotoImpact XL ESD

Update for Windows XP (KB894391)

Update for Windows XP (KB898461)

Update for Windows XP (KB900485)

Update for Windows XP (KB904942)

Update for Windows XP (KB908531)

Update for Windows XP (KB910437)

Update for Windows XP (KB911280)

Update for Windows XP (KB916595)

Update for Windows XP (KB920872)

Update for Windows XP (KB922582)

Update for Windows XP (KB927891)

Update for Windows XP (KB929338)

Update for Windows XP (KB930916)

Update for Windows XP (KB931836)

Update for Windows XP (KB933360)

Update for Windows XP (KB938828)

Update for Windows XP (KB942763)

VIA Platform Device Manager

Windows Imaging Component

Windows Installer 3.1 (KB893803)

Windows Internet Explorer 7

Windows Media Encoder 9 Series

Windows Media Encoder 9 Series

Windows Media Format 11 runtime

Windows Media Format 11 runtime

Windows Media Player 11

Windows Media Player 11

Windows Media Player 9 Hotfix [see KB885492 for more information]

Windows XP Hotfix - KB885835

Windows XP Hotfix - KB885836

Windows XP Hotfix - KB886185

Windows XP Hotfix - KB887472

Windows XP Hotfix - KB887742

Windows XP Hotfix - KB888113

Windows XP Hotfix - KB888302

Windows XP Hotfix - KB890859

Windows XP Hotfix - KB891781

WinHTTrack Website Copier 3.23

WinMX

WinRAR archiver

WinZip

X-Lite 3.0

X-Seven XS-700 Player

With thanks, Tim


== Remove Programs ==

Please go to Add/Remove Programs in the Control Panel, and remove the following programs

  • J2SE Runtime Environment 5.0 Update 7
    J2SE Runtime Environment 5.0 Update 9

Reboot your computer.

== Install Latest Java ==

Please go to THIS page, and click on the Download link that is in the Java Runtime Environment (JRE) 6 section.

Click the radio button next to Accept License Agreement after reviewing it. The page will refresh - this is normal.

Download the Windows Offline Installation, Multi-language. You will want to save this to a location you will remember.

Once it has finished downloading, double click it, and follow the prompts to install.

If it asks to reboot, select No.

== Clear Temporary Files ==

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

  • Close all Internet Explorer, Firefox, and Opera windows before continuing.
    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please reboot your computer before continuing.

== Kaspersky Web Scanner ==

Please do an online scan with Kaspersky WebScanner

You will need to use Internet Explorer to do this

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under select a target to scan, select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

== Request Logs ==

Please post the log from the Kaspersky scan, along with a new HiJack This log, and let me know how the computer is running.

-Ryan


Hi Ryan

All is not well with the PC! Followed your below instructions but the PC self-booted when one third of the way into Kaspersky Online Scan. As mentioned previously, it displays the same intolerance when I run the registry checkers RegCure or Registry First Aid. Before this virus attack it never used to do this. I know this for a fact since I would run RegCure on a monthly basis to maintain a 'clean' registry.

There are a few potential clues I have alluded to in examining the PC more closely. It is running effortlessly and with efficiency I would say in loading and unloading memory - certainly the best it has been in a long while.

When uninstalling old programs on the primary drive using the "Add/Remove Programs" tool, I came across a directory which I cannot delete. The error message pops up when I attempt to stating: "Cannot delete Charity_Counselling (UK): Cannot find the specified file." I am wondering whether this file anomaly is responsible for the viral scanner baulking and re-starting Windows. In RegCure the PC re-boots when engaging the file scanner and not the foregoing registry or file pathname errors. The other matter raising my suspicion is that DrCureIt found what it considered "Possibly a Backdoor Trojan" in relation to the wider application associated with this file. The application was known as "WebPosition" - a search engine used to rank where your website sits with others in relation to specific subject content. "Counselling" was one of the topics for which a website ranking was sought.

Question: Is there a tool that can be specifically directed at suspicious files / directories with enough sophistication to remove them if somehow the inability to delete is related to hard disc addressing?

Alternatively, is there a viral tool that targets the eradication of STOP errors resulting from virus attack? I frankly do not know whether the above directory is virus laden (although with hidden files view 'on' nothing appears in the directory) or whether the inability to delete the directory is an addressing issue.

Do you have any suggestions regarding this matter of the PC self-booting when the scanning applications are run? I have checked the RAM memory with Memtest. All was OK.

Over to you, with thanks

Tim


Hi Ryan

Please find below the fresh HijackThis log you requested following the PC re-booting itself when running the extended Kaspersky Online Scanner.

I bring to your attention also that the Malwarebytes scanner run the other evening also quarantined then deleted the following file from a registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 11:26:21 PM, on 4/22/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

F:\WINNT\System32\smss.exe

F:\WINNT\system32\winlogon.exe

F:\WINNT\system32\services.exe

F:\WINNT\system32\lsass.exe

F:\WINNT\system32\svchost.exe

F:\WINNT\System32\svchost.exe

F:\WINNT\system32\svchost.exe

F:\WINNT\system32\LEXBCES.EXE

F:\WINNT\system32\spoolsv.exe

F:\WINNT\system32\LEXPPS.EXE

F:\WINNT\Explorer.EXE

F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe

F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

F:\WINNT\system32\ctfmon.exe

F:\Program Files\Lexmark X74-X75\lxbbbmon.exe

F:\Program Files\Microsoft ActiveSync\wcescomm.exe

F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe

F:\PROGRA~1\MICROS~4\rapimgr.exe

F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe

F:\Program Files\CyberLink\Shared Files\RichVideo.exe

F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

F:\WINNT\system32\svchost.exe

F:\Program Files\PC Connectivity Solution\ServiceLayer.exe

F:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

F:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

F:\Program Files\Internet Explorer\iexplore.exe

F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adam.com.au/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wikisend.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll

O3 - Toolbar: Solid Converter PDF - {259F616C-A300-44F5-B04A-ED001A26C85C} - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\ExploreExtPDF.dll

O4 - HKLM\..\Run: [Lexmark X74-X75] "F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

O4 - HKLM\..\Run: [AVP] "F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] F:\WINNT\system32\ctfmon.exe

O4 - HKCU\..\Run: [ccleaner] "F:\Program Files\CCleaner\CCleaner.exe" /AUTO

O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [PC Suite Tray] "F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray

O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINNT\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINNT\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

O10 - Unknown file in Winsock LSP: f:\winnt\system32\nwprovau.dll

O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {3C200107-2959-4C6E-91B8-F6D911B398A8} (Driver_Detective_v43_Members.DD_v43) - http://www.drivershq.com/cab/prod/Driver_D...v43_Members.CAB

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1150564729610

O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photos.extrafilm.com.au/en/Photo/XUpload.ocx

O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{83D3E1CC-BCBE-49FF-A428-AE9A0F579EE4}: NameServer = 203.2.124.164,203.2.124.165

O17 - HKLM\System\CCS\Services\Tcpip\..\{FF82F7C1-7924-443F-BA96-A441ADAC80F0}: NameServer = 192.168.1.1

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe

O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINNT\system32\LEXBCES.EXE

O23 - Service: ptssvc - KODAK - F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: SolidPDFConverterReadSpool (ScReadSpool) - VoyagerSoft, LLC - F:\Program Files\SolidDocuments\SolidConverterPDF\SCPDF\SolidPdfService.exe

O23 - Service: ScsiAccess - Unknown owner - F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

O23 - Service: ServiceLayer - Nokia. - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 10411 bytes

Hope this post provides further clues as to the PC's behaviour of self-booting.

Cheers, Tim
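As an added illustration (not code from this thread or from HijackThis itself), here is a small Python triage script for the log format posted above: it parses the O-numbered entries and flags the ones a log reviewer looks at first, such as entries that point at a missing file, the O10 Winsock LSP line, O16 ActiveX downloads from hosts outside an allow-list, public DNS servers in O17, and O23 services with no publisher name. The sample entries are copied from this thread's log; the trusted-host list is a constructed assumption.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample: a handful of entries taken from the HijackThis log posted
# in this thread, in the one-entry-per-line form HijackThis writes them.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: f:\winnt\system32\nwprovau.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{83D3E1CC-BCBE-49FF-A428-AE9A0F579EE4}: NameServer = 203.2.124.164,203.2.124.165
O17 - HKLM\System\CCS\Services\Tcpip\..\{FF82F7C1-7924-443F-BA96-A441ADAC80F0}: NameServer = 192.168.1.1
O23 - Service: ScsiAccess - Unknown owner - F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe
O23 - Service: ptssvc - KODAK - F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe
"""

# Assumption (constructed allow-list, not part of HijackThis): hosts from which
# an O16 ActiveX download is expected on this machine and need not be queried.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "www.kaspersky.com",
                     "download.bitdefender.com"}

# "O2 - body" / "R1 - body" / "F2 - body": section tag, dash, entry body.
ENTRY_RE = re.compile(r"^([ORF]\d+)\s+-\s+(.*)$")


def parse_entries(text):
    """Return (section, body) pairs for every HijackThis entry line in text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def _is_public(addr):
    """True for a routable address (or anything that is not an IP literal)."""
    try:
        return not ip_address(addr.strip()).is_private
    except ValueError:
        return True


def triage(text, trusted_hosts=TRUSTED_DPF_HOSTS):
    """Apply the checks a reviewer makes first; returns (section, reason, entry)."""
    findings = []
    for section, body in parse_entries(text):
        if section in ("O2", "O3", "O9") and "(no file)" in body:
            findings.append((section, "registry entry points at a missing file", body))
        elif section == "O10":
            # Winsock LSP DLLs sit inside the network stack: verify the file
            # first, because deleting the entry blindly breaks networking.
            findings.append((section, "Winsock LSP DLL not recognised by HijackThis", body))
        elif section == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname or ""
            if host not in trusted_hosts:
                findings.append((section, f"ActiveX control fetched from {host}", body))
        elif section == "O17":
            servers = body.split("NameServer = ", 1)[-1].split(",")
            if any(_is_public(s) for s in servers):
                findings.append((section, "public DNS servers set: confirm they are the ISP's", body))
        elif section == "O23" and "Unknown owner" in body:
            findings.append((section, "service binary carries no publisher name", body))
    return findings


if __name__ == "__main__":
    for section, reason, entry in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {entry}")
```

On the sample above it flags six entries and leaves the Java BHO, the BitDefender control, the private 192.168.1.1 resolver and the Kodak service alone.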

Hi Ryan

All is not well with the PC! I followed your instructions below, but the PC self-booted when one third of the way into the Kaspersky Online Scan. As mentioned previously, it displays the same intolerance when I run the registry checkers RegCure or Registry First Aid. Before this virus attack it never used to do this. I know this for a fact since I would run RegCure on a monthly basis to maintain a 'clean' registry.

There are a few potential clues I have alluded to in examining the PC more closely. It is running effortlessly and with efficiency I would say in loading and unloading memory - certainly the best it has been in a long while.

When uninstalling old programs on the primary drive using the "Add/Remove Programs" tool, I came across a directory which I cannot delete. The error message that pops up when I attempt to states: "Cannot delete Charity_Counselling (UK): Cannot find the specified file." I am wondering whether this file anomaly is responsible for the viral scanner baulking and re-starting Windows. In RegCure the PC re-boots when engaging the file scanner and not the foregoing registry or file pathname errors. The other matter raising my suspicion is that DrCureIt found what it considered "Possibly a Backdoor Trojan" in relation to the wider application associated with this file. The application was known as "WebPosition" - a search engine used to rank where your website sits with others in relation to specific subject content. "Counselling" was one of the topics for which a website ranking was sought.

Question: Is there a tool that can be specifically directed at suspicious files / directories with enough sophistication to remove them if somehow the inability to delete is related to hard disc addressing?

Alternatively, is there a viral tool that targets the eradication of STOP errors resulting from virus attack? I frankly do not know whether the above directory is virus laden (although with hidden files view 'on' nothing appears in the directory) or whether the inability to delete the directory is an addressing issue.

Do you have any suggestions regarding this matter of the PC self-booting when the scanning applications are run? I have checked the RAM memory with Memtest. All was OK.

Over to you, with thanks

Tim

== Remove Programs ==

Please go to Add/Remove Programs in the Control Panel, and remove the following programs

  • J2SE Runtime Environment 5.0 Update 7
  • J2SE Runtime Environment 5.0 Update 9

Reboot your computer.

== Install Latest Java ==

Please go to THIS page, and click on the Download link that is in the Java Runtime Environment (JRE) 6 section.

Click the radio button next to Accept License Agreement after reviewing it. The page will refresh - this is normal.

Download the Windows Offline Installation, Multi-language. You will want to save this to a location you will remember.

Once it has finished downloading, double click it, and follow the prompts to install.

If it asks to reboot, select No.

== Clear Temporary Files ==

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

  • Close all Internet Explorer, Firefox, and Opera windows before continuing.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please reboot your computer before continuing.

== Kaspersky Web Scanner ==

Please do an online scan with Kaspersky WebScanner

You will need to use Internet Explorer to do this

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under select a target to scan, select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.
  • Copy and paste that information in your next post.

== Request Logs ==

Please post the log from the Kaspersky scan, along with a new HiJack This log, and let me know how the computer is running.

-Ryan


Let's see if a boot time scan reveals anything.

== Install avast! 4 Home ==

Download Avast! 4 Home and get your free Registration Key.

Install avast!, and restart your computer if needed.

== Update avast! ==

Right click on the a in the taskbar and select Updating, then select Program.

Avast! will tell you when it has completed the update. If core files were updated, you may get a message asking you to restart. Please allow the computer to restart if prompted.

== Schedule a Boot-Time Scan ==

After you have updated avast! right click the a icon in the taskbar and click Start Avast! AntiVirus.

After this, you will need to Schedule Boot-Time Scan with avast! While all the steps needed to perform this are listed below, you may find a visual tutorial helpful as well.

  • Click on the up arrow icon in the left corner, and select Schedule Boot-Time Scan.
  • Next, choose:
    • Scan all local disks
    • Scan archive files

Click on Schedule. Avast! will notify you that a system restart is needed. Please select Yes.

Your computer will then restart, and avast! will perform the scan prior to Windows loading.

IMPORTANT NOTE: When avast! finds an infected item, it may give you a dialog box with recommended actions. If this happens, please select Move to Chest.

== Request logs ==

Please post the log of the avast scan. It can be found at C:\Program Files\Alwil Software\Avast4\DATA\report\AswBoot.txt

I would also like to see an Uninstall list. To obtain an uninstall list, please do the following:

  • Open HijackThis, click Config, click Misc Tools
  • Click "Open Uninstall Manager"
  • Click "Save List" (generates uninstall_list.txt)

-Ryan


Ryan, further to my last post, wherein I completed all of your instructions below (however the Kaspersky extended scan caused the PC to re-boot), I now enclose below my latest HijackThis log for your inspection.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:51:11 PM, on 4/23/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

F:\WINNT\System32\smss.exe

F:\WINNT\system32\winlogon.exe

F:\WINNT\system32\services.exe

F:\WINNT\system32\lsass.exe

F:\WINNT\system32\svchost.exe

F:\WINNT\System32\svchost.exe

F:\WINNT\system32\svchost.exe

F:\WINNT\system32\LEXBCES.EXE

F:\WINNT\system32\spoolsv.exe

F:\WINNT\system32\LEXPPS.EXE

F:\WINNT\Explorer.EXE

F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe

F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe

F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe

F:\WINNT\system32\ctfmon.exe

F:\Program Files\Microsoft ActiveSync\wcescomm.exe

F:\Program Files\Lexmark X74-X75\lxbbbmon.exe

F:\PROGRA~1\MICROS~4\rapimgr.exe

F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe

F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe

F:\Program Files\CyberLink\Shared Files\RichVideo.exe

F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

F:\WINNT\system32\svchost.exe

F:\Program Files\PC Connectivity Solution\ServiceLayer.exe

F:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe

F:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe

F:\Program Files\Internet Explorer\iexplore.exe

F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe

F:\Program Files\Common Files\Nokia\MPAPI\MPAPI3s.exe

F:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.adam.com.au/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://wikisend.com/

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - F:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {259F616C-A300-44F5-B04A-ED001A26C85C} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - f:\program files\google\googletoolbar1.dll

O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - F:\Program Files\Google\GoogleToolbarNotifier\2.1.1119.1736\swg.dll

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - f:\program files\google\googletoolbar1.dll

O4 - HKLM\..\Run: [Lexmark X74-X75] "F:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"

O4 - HKLM\..\Run: [AVP] "F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "F:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"

O4 - HKCU\..\Run: [ctfmon.exe] F:\WINNT\system32\ctfmon.exe

O4 - HKCU\..\Run: [ccleaner] "F:\Program Files\CCleaner\CCleaner.exe" /AUTO

O4 - HKCU\..\Run: [H/PC Connection Agent] "F:\Program Files\Microsoft ActiveSync\wcescomm.exe"

O4 - HKCU\..\Run: [PC Suite Tray] "F:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray

O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] F:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')

O8 - Extra context menu item: Convert link target to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert link target to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert selected links to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html

O8 - Extra context menu item: Convert selected links to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html

O8 - Extra context menu item: Convert selection to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert selection to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: Convert to Adobe PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html

O8 - Extra context menu item: Convert to existing PDF - res://F:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html

O8 - Extra context menu item: E&xport to Microsoft Excel - res://F:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - F:\Program Files\Java\jre1.6.0_06\bin\ssv.dll

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll

O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - F:\PROGRA~1\MICROS~4\INetRepl.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINNT\bdoscandel.exe

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - F:\WINNT\bdoscandel.exe

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - F:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - F:\WINNT\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - F:\Program Files\Messenger\msmsgs.exe

O9 - Extra button: (no name) - SolidConverterPDF - (no file) (HKCU)

O10 - Unknown file in Winsock LSP: f:\winnt\system32\nwprovau.dll

O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {3C200107-2959-4C6E-91B8-F6D911B398A8} (Driver_Detective_v43_Members.DD_v43) - http://www.drivershq.com/cab/prod/Driver_D...v43_Members.CAB

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/.../client/wuweb_site.cab?1150564729610

O16 - DPF: {CDCC6BE5-720B-488D-A953-047E0598D996} (UpMan Class) - https://www.plaxo.com/activex/plx_upldr-2k-xp.cab

O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://photos.extrafilm.com.au/en/Photo/XUpload.ocx

O16 - DPF: {ED6D016A-12F8-4871-BEDC-CE13AAAB4F0B} (DD_v4_Member.DDv4) - http://www.drivershq.com/members/DD_v4_Member.CAB

O17 - HKLM\System\CCS\Services\Tcpip\..\{83D3E1CC-BCBE-49FF-A428-AE9A0F579EE4}: NameServer = 203.2.124.164,203.2.124.165

O17 - HKLM\System\CCS\Services\Tcpip\..\{FF82F7C1-7924-443F-BA96-A441ADAC80F0}: NameServer = 192.168.1.1

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - F:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - F:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - F:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe

O23 - Service: Google Updater Service (gusvc) - Google - F:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - F:\WINNT\system32\LEXBCES.EXE

O23 - Service: ptssvc - KODAK - F:\Program Files\Kodak EasyShare software\bin\ptssvc.exe

O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - F:\Program Files\CyberLink\Shared Files\RichVideo.exe

O23 - Service: ScsiAccess - Unknown owner - F:\Program Files\Photodex\ProShowGold\ScsiAccess.exe

O23 - Service: ServiceLayer - Nokia. - F:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--

End of file - 10009 bytes

Any suggestions regarding PC self-booting on file scan?

Cheers, Tim

== Remove Programs ==

Please go to Add/Remove Programs in the Control Panel, and remove the following programs

  • J2SE Runtime Environment 5.0 Update 7
  • J2SE Runtime Environment 5.0 Update 9

Reboot your computer.

== Install Latest Java ==

Please go to THIS page, and click on the Download link that is in the Java Runtime Environment (JRE) 6 section.

Click the radio button next to Accept License Agreement after reviewing it. The page will refresh - this is normal.

Download the Windows Offline Installation, Multi-language. You will want to save this to a location you will remember.

Once it has finished downloading, double click it, and follow the prompts to install.

If it asks to reboot, select No.

== Clear Temporary Files ==

Please download ATF Cleaner by Atribune.

This program is for XP and Windows 2000 only

  • Close all Internet Explorer, Firefox, and Opera windows before continuing.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.

For Technical Support, double-click the e-mail address located at the bottom of each menu.

Please reboot your computer before continuing.

== Kaspersky Web Scanner ==

Please do an online scan with Kaspersky WebScanner

You will need to use Internet Explorer to do this

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under select a target to scan, select My Computer.
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button and save the file to your desktop.
  • Copy and paste that information in your next post.

== Request Logs ==

Please post the log from the Kaspersky scan, along with a new HiJack This log, and let me know how the computer is running.

-Ryan

This topic is now closed to further replies.