Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Reload this Page Jump Virus - Help Need
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


Resolved HJT Threads Resolved spyware and popup issues.

 
 
LinkBack Thread Tools
Old 07-04-2008, 05:33 PM   #1 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 10
OS: Win XP MCE


Jump Virus - Help Need
Hi, I appear to have a jump virus which is redirecting me after Google searches. Below is the output log from HJT. Can anyone lend a hand and have a look for me? I am assuming its the O2 entries?

TIA

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:25:26, on 05/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: (no name) - {733405B2-0F42-428D-859B-24DB634EE0BB} - C:\WINDOWS\system32\fccaWPfE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {95263BDC-6D58-4769-9A03-9D764A59745F} - C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\1ABEE1E9\3077ahntdksr[1].dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\vtUnmLBr.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [50d3fa7e] rundll32.exe "C:\WINDOWS\system32\epbfyvbv.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000000-A6C3-4023-AE3A-22F2983D851D} - https://authenticate.gateway.gov.uk/...lInstaller.CAB
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tech...bs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1169858129312
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://secure.tesl.com/NELX.cab
O16 - DPF: {D6E0B119-DCF2-4CD6-8DFB-7CFF1B70F7FF} (TeamOn Import Object) - https://bis.eu.blackberry.com/html/w...s/TOImport.cab
O20 - Winlogon Notify: vtUnmLBr - C:\WINDOWS\SYSTEM32\vtUnmLBr.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonicWALL NetExtender Service (SONICWALL_NetExtender) - SonicWALL Inc. - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 12629 bytes
PSC3377 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 07-09-2008, 06:42 AM   #2 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,479
OS: XP SP3


Re: Jump Virus - Help Need
Hello and welcome to TSF.

Sorry for the delayed response. If you have not received help elsewhere and still need help please follow the instructions in IMPORTANT - Read This Before Posting A Log and post the two text files, main.txt and extra.txt produced by the Deckard's System Scanner.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-23-2008, 01:45 AM   #3 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 10
OS: Win XP MCE


Re: Jump Virus - Help Need
BUMP, please.

Hi, s requested, please find below the contents of the MAIN.TXT file produced by dss. The util did not outpu an EXTRA.TXT file.

Many thaks fo you helwith this....



Deckard's System Scanner v20071014.68
Run by cravenp on 2008-07-23 08:36:02
Computer is in Normal Mode.
--------------------------------------------------------------------------------

System Drive C: has 18.14 GiB (less than 15%) free.


-- HijackThis (run as cravenp.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:36:10, on 23/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\ehome\McrdSvc.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\USS\USS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\BitComet\BitComet.exe
C:\Downloads\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\cravenp.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O2 - BHO: (no name) - {45AC119E-07F1-4E83-A9A6-7C9711D3AE17} - C:\WINDOWS\system32\fccaWPfE.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\vtUnmLBr.dll
O2 - BHO: {b2705147-3a1d-ed28-1f04-ab6e29a36bcc} - {ccb63a92-e6ba-40f1-82de-d1a37415072b} - C:\WINDOWS\system32\izxgnl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [50d3fa7e] rundll32.exe "C:\WINDOWS\system32\ynnutjtk.dll",b
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000000-A6C3-4023-AE3A-22F2983D851D} - https://authenticate.gateway.gov.uk/...lInstaller.CAB
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/actives.../as2stubie.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tech...bs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1169858129312
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://secure.tesl.com/NELX.cab
O16 - DPF: {D6E0B119-DCF2-4CD6-8DFB-7CFF1B70F7FF} (TeamOn Import Object) - https://bis.eu.blackberry.com/html/w...s/TOImport.cab
O20 - Winlogon Notify: vtUnmLBr - C:\WINDOWS\SYSTEM32\vtUnmLBr.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonicWALL NetExtender Service (SONICWALL_NetExtender) - SonicWALL Inc. - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 12570 bytes

-- Files created between 2008-06-23 and 2008-07-23 -----------------------------

2008-07-23 08:30:02 0 d-------- C:\Program Files\Panda Security
2008-07-23 08:30:01 0 d-------- C:\WINDOWS\LastGood
2008-07-05 15:53:09 0 d-------- C:\Program Files\Lavasoft
2008-07-05 15:53:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-05 15:52:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-07-05 12:15:19 103424 --a------ C:\WINDOWS\system32\izxgnl.dll
2008-07-05 12:15:18 103424 --a------ C:\WINDOWS\system32\jvrsxnju.dll
2008-07-05 12:12:57 11776 --a------ C:\WINDOWS\system32\drivers\wasfsd.sys <Not Verified; AdwareProtector, Inc.; >
2008-07-05 12:12:55 0 d-------- C:\Program Files\USS
2008-07-05 12:12:18 4096 --a------ C:\WINDOWS\system32\prcjyvtd.exe
2008-07-05 12:12:18 2151081 --a------ C:\WINDOWS\system32\19.exe <Not Verified; ; USSMain_Setup>
2008-07-05 12:09:58 78336 --a------ C:\WINDOWS\system32\ynnutjtk.dll
2008-07-05 00:15:30 0 d-------- C:\Program Files\Trend Micro
2008-07-05 00:03:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-07-05 00:01:26 0 d-------- C:\Program Files\VideoLAN
2008-07-04 23:09:35 78848 --a------ C:\WINDOWS\system32\epbfyvbv.dll
2008-07-04 23:08:51 562141 --ahs---- C:\WINDOWS\system32\EfPWaccf.ini2
2008-07-04 23:08:43 322048 --a------ C:\WINDOWS\system32\fccaWPfE.dll
2008-07-04 23:03:49 0 d-------- C:\Program Files\Xilisoft
2008-07-04 23:03:41 25600 --a------ C:\WINDOWS\system32\vtUnmLBr.dll
2008-07-04 22:40:43 0 d-------- C:\Temp
2008-07-04 22:39:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-07-04 22:38:48 45056 --a------ C:\WINDOWS\system32\WNASPI32.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-07-04 22:38:48 16512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-06-27 20:52:00 0 d-------- C:\Program Files\AMF Software
2008-06-27 15:26:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\CD-LabelPrint
2008-06-27 15:25:58 0 d-------- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-06-27 14:58:18 0 d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-06-27 14:57:59 0 d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-06-27 14:57:39 0 d--h----- C:\Program Files\CanonBJ
2008-06-26 22:21:10 0 d-------- C:\Program Files\Microsoft Small Business
2008-06-26 22:17:04 0 d-------- C:\Program Files\Microsoft SQL Server
2008-06-23 14:48:41 0 d--hs---- C:\WINDOWS\CSC


-- Find3M Report ---------------------------------------------------------------

2008-07-06 08:33:04 0 d-------- C:\Program Files\Symantec AntiVirus
2008-07-05 15:52:44 0 d-------- C:\Program Files\Common Files
2008-07-05 10:00:19 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-04 23:25:01 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-27 15:25:56 0 d-------- C:\Program Files\Canon
2008-06-27 15:03:42 0 d-------- C:\Program Files\Common Files\Canon
2008-06-26 22:18:25 0 d-------- C:\Program Files\Microsoft.NET
2008-06-21 20:23:24 0 d-------- C:\Program Files\Common Files\SWF Studio
2008-06-21 20:14:25 0 d-------- C:\Program Files\Common Files\supportsoft
2008-06-21 20:11:44 0 d-------- C:\Program Files\Common Files\Intuit
2008-06-21 20:10:47 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-06-21 20:10:07 0 d-------- C:\Program Files\Intuit
2008-06-21 15:46:14 0 d-------- C:\Program Files\Microsoft Silverlight


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{45AC119E-07F1-4E83-A9A6-7C9711D3AE17}]
04/07/2008 23:08 322048 --a------ C:\WINDOWS\system32\fccaWPfE.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE7E4CE1-8CBA-44A6-956F-462A667D3286}]
04/07/2008 23:03 25600 --a------ C:\WINDOWS\system32\vtUnmLBr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ccb63a92-e6ba-40f1-82de-d1a37415072b}]
05/07/2008 12:15 103424 --a------ C:\WINDOWS\system32\izxgnl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [05/08/2005 14:56]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [25/09/2006 10:12]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [10/12/2004 19:02]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [30/12/2004 15:19]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 12:50]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [19/07/2005 18:32]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [16/09/2007 17:09]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/01/2008 16:27]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [15/01/2008 04:22]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 23:16]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [22/02/2008 05:25]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [15/05/2007 02:01]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [04/04/2007 02:50]
"50d3fa7e"="C:\WINDOWS\system32\ynnutjtk.dll" [05/07/2008 12:10]
"USS"="C:\Program Files\USS\USS.exe" [19/06/2008 15:33]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [15/03/2006 13:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [20/02/2008 23:59]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [18/10/2007 12:34]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [18/10/2006 21:05]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FlashPlayerUpdate"=C:\WINDOWS\system32\Macromed\Flash\FlashUtil9e.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [20/10/2005 20:55:40]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [21/05/2008 05:44:48]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [19/10/2006 15:55:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [19/10/2006 15:53 293888]
"{BE7E4CE1-8CBA-44A6-956F-462A667D3286}"= C:\WINDOWS\system32\vtUnmLBr.dll [04/07/2008 23:03 25600]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtUnmLBr]
vtUnmLBr.dll 04/07/2008 23:03 25600 C:\WINDOWS\system32\vtUnmLBr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\fccaWPfE

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE QWAVE




-- End of Deckard's System Scanner: finished at 2008-07-23 08:36:30 ------------
Attached Files
File Type: txt main.txt (20.3 KB, 1 views)
PSC3377 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-23-2008, 02:01 AM   #4 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,479
OS: XP SP3


Re: Jump Virus - Help Need
Hi,

Quote:
System Drive C: has 18.14 GiB (less than 15%) free.
Many of the tools used need more disk space to run. You might like to transfer some of the documents, pictures and music files to an external storage device to gain some space. Uninstalling the old programs that you no longer use may also help.

================================

We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/comb...o-use-combofix


Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  1. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
  2. Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Please include the following reports for further review, and so we may continue cleansing the system:

C:\ComboFix.txt
New HijackThis log.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Last edited by amateur; 07-23-2008 at 02:03 AM.
amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-23-2008, 04:19 PM   #5 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 10
OS: Win XP MCE


Re: Jump Virus - Help Need
Hi there,

As requested, plese find attached the ComboFix log (log.txt). Also, I have attempted to upload the new hijackthis log file (hijackthis.log), but I am told the file is invalid? As such I have C+P the contents below.

Many thanks for your continued help!

P

-----------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:13:10, on 23/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\USS\USS.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [USS] "C:\Program Files\USS\USS.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: BitComet Search - {461CC20B-FB6E-4f16-8FE8-C29359DB100E} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.8.30.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000000-A6C3-4023-AE3A-22F2983D851D} - https://authenticate.gateway.gov.uk/...lInstaller.CAB
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tech...bs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1169858129312
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://secure.tesl.com/NELX.cab
O16 - DPF: {D6E0B119-DCF2-4CD6-8DFB-7CFF1B70F7FF} (TeamOn Import Object) - https://bis.eu.blackberry.com/html/w...s/TOImport.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonicWALL NetExtender Service (SONICWALL_NetExtender) - SonicWALL Inc. - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10709 bytes
Attached Files
File Type: txt log.txt (13.2 KB, 2 views)
PSC3377 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-24-2008, 01:49 AM   #6 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,479
OS: XP SP3


Re: Jump Virus - Help Need
Hi,

Thank you for the logs. Please read the following instructions carefully and follow them in the order they are presented without missing any step, especially the submitting of the zipped file created by Combofix.

I see that you are using BitComet, which is a p2p file sharing program. I would like to warn you that the nature of P2P filesharing is so that even if one is using a "clean" program, many of the files downloaded from non-documented sources have the potential of being infected. So, regardless of whether one is using a "clean" program, one may still be prone to infection by malware because more than half of all files available for download from peer-to-peer networks have been deliberately infected with some form of malware. Also by default, most P2P file sharing programs are configured to automatically launch at startup. They are also configured to allow other P2P users on the same network open access to a shared directory on your computer. The reason for this is simple, file sharing relies on its members giving and gaining unfettered access to computers across the P2P network. However, this practice can make you vulnerable to data and identity theft.
I recommend very strongly that you remove it from your system via Add/Remove Programs in Control Panel.

=====================================
  • Open notepad (Start>All programs>accessories>notepad )
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
(It must be notepad, not wordpad, or it won't work):

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/266050-jump-virus-help-need.html

KILLALL::

Collect::
C:\WINDOWS\system32\drivers\wasfsd.sys
C:\WINDOWS\system32\prcjyvtd.exe

File::
C:\WINDOWS\BM53e0c9e2.xml
C:\WINDOWS\system32\19.exe
C:\WINDOWS\system32\19.tmp

Suspect::
C:\Program Files\USS\USS.exe

DirLook::
C:\Program Files\USS

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"=-
"USS"=-
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\BitComet\\BitComet.exe"=-
Save this as CFScript.txt



Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK on the message box. A browser will open. Simply follow the instructions to copy/paste/send the requested file.

==========================================

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 7 and save it to your desktop.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue.The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
        Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

==========================================

Using Internet Explorer, visit http://www.kaspersky.nl/scanforvirus-en/kavwebscan.html

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.


  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply

**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs
  • Turn off the real time scanner of any existing antivirus program while performing the online scan

========================================

Make sure DSS.exe is on your Desktop
Press the Start->Run, copy/paste the following command into the box and press OK:
Quote:
"%userprofile%\desktop\dss.exe" /config
A configuration box will appear, click the Check All button, then un-check Extra Log and press Scan!

When finished, it shall produce the main.txt for you. Please post the main.txt along with the Combofix.txt and the Kaspersky scan results.

Also, please let me know how the system is running now.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-26-2008, 03:29 AM   #7 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 10
OS: Win XP MCE


Re: Jump Virus - Help Need
Hi there!

Okay, that lot took quite some time, so apologies for the delay in getting back to you. I have removed BitComet as you suggested. TBH I only ever really used it for download mgmt and resume start rather than file share. Either way, it has now gone. I then ran ComboFix against the script as published. ComboFix ran for a while, and then hung at stage 48. I left it for several hours, but alas had to reboot. The attached is the output in a zip. Also attached is the Kaspersky report and DSS report. I think thats everything?

Oh, and I also updated the Java... :)

In general, the system now seems quicker and I have not had any hijacks/jump in the past few hours, but I havent really used the PC in anger as the scanning has been running. I will keep an eye on it. Many thanks for you continued help!
Attached Files
File Type: zip [4]-Submit_2008-07-26@2.23.zip (68.5 KB, 3 views)
File Type: txt Kaspersky Report.txt (38.1 KB, 2 views)
File Type: txt main.txt (21.9 KB, 2 views)
PSC3377 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-26-2008, 04:31 AM   #8 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,479
OS: XP SP3


Re: Jump Virus - Help Need
Hi,

No problem about the delay in getting back. Glad to hear that you removed Bit Comet.

What you attached as the output of Combofix is the file you were supposed to submit to Channel 4 at BC.

Please go to the link below and submit the [4]-submit-2008-7-26@2.23.zip file for inspection.

http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know when you successfully submit it.

====================================

Combofix should have produced a log at C:\Combofix.txt. Please copy/paste the contents of it in your next reply.

===================================

While you're doing that, I'll paste the other logs here for easier review. Please do not attach them next time unless specifically asked to do so. I will wait until I see the combofix.txt for the next set of instructions.



Deckard's System Scanner v20071014.68
Run by cravenp on 2008-07-26 10:23:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
19: 2008-07-26 09:23:32 UTC - RP19 - Deckard's System Scanner Restore Point
18: 2008-07-26 07:34:57 UTC - RP18 - Software Distribution Service 3.0
17: 2008-07-26 01:23:30 UTC - RP17 - ComboFix created restore point
16: 2008-07-26 01:19:16 UTC - RP16 - Installed Java(TM) 6 Update 7
15: 2008-07-25 17:49:08 UTC - RP15 - Software Distribution Service 3.0

-- First Restore Point --
1: 2008-07-05 08:22:12 UTC - RP1 - System Checkpoint

Performed disk cleanup.

System Drive C: has 18.54 GiB (less than 15%) free.

-- HijackThis (run as cravenp.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:23, on 2008-07-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\ehome\RMSysTry.exe
C:\WINDOWS\ehome\RMSvc.exe
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\cravenp.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Extender Resource Monitor.lnk = C:\WINDOWS\ehome\RMSysTry.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00000000-A6C3-4023-AE3A-22F2983D851D} - https://authenticate.gateway.gov.uk/...lInstaller.CAB
O16 - DPF: {0D6709DD-4ED8-40CA-B459-2757AEEF7BEE} (Dldrv2 Control) - http://download.gigabyte.com.tw/object/Dldrv.ocx
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.nl/scanforvirus...an_unicode.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/tech...bs/tgctlsr.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.mail.live.com/mail/w1/re...s/MSNPUpld.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1169858129312
O16 - DPF: {6EEFD7B1-B26C-440D-B55A-1EC677189F30} (NELaunchCtrl Class) - https://secure.tesl.com/NELX.cab
O16 - DPF: {D6E0B119-DCF2-4CD6-8DFB-7CFF1B70F7FF} (TeamOn Import Object) - https://bis.eu.blackberry.com/html/w...s/TOImport.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: PIXMA Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SonicWALL NetExtender Service (SONICWALL_NetExtender) - SonicWALL Inc. - C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NEService.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10014 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080705-002128-285 O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20080705-002128-460 O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\vtUnmLBr.dll
backup-20080705-002128-538 O2 - BHO: (no name) - {F8270CB5-165C-4607-B3C3-82CF4838C399} - C:\WINDOWS\system32\wxsimsvh.dll (file missing)
backup-20080705-002128-902 O2 - BHO: (no name) - {733405B2-0F42-428D-859B-24DB634EE0BB} - C:\WINDOWS\system32\fccaWPfE.dll
backup-20080705-100605-303 O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\vtUnmLBr.dll
backup-20080705-100605-550 O2 - BHO: (no name) - {1E4A60AD-60F6-47CB-A101-ECE716A74F26} - C:\WINDOWS\system32\fccaWPfE.dll
backup-20080705-100605-574 O20 - Winlogon Notify: vtUnmLBr - C:\WINDOWS\SYSTEM32\vtUnmLBr.dll
backup-20080705-100605-654 O2 - BHO: (no name) - {95263BDC-6D58-4769-9A03-9D764A59745F} - C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\1ABEE1E9\3077ahntdksr[1].dll
backup-20080705-100606-409 O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
backup-20080705-100700-669 O2 - BHO: (no name) - {1E4A60AD-60F6-47CB-A101-ECE716A74F26} - C:\WINDOWS\system32\fccaWPfE.dll
backup-20080705-100700-811 O2 - BHO: (no name) - {BE7E4CE1-8CBA-44A6-956F-462A667D3286} - C:\WINDOWS\system32\vtUnmLBr.dll
backup-20080705-100700-948 O4 - HKLM\..\Run: [50d3fa7e] rundll32.exe "C:\WINDOWS\system32\epbfyvbv.dll",b
backup-20080705-100728-696 O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S3 catchme - c:\combofix\catchme.sys (file missing)
S3 RimUsb (BlackBerry Smartphone) - c:\windows\system32\drivers\rimusb.sys (file missing)

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 CCALib8 (Canon Camera Access Library 8) - c:\program files\canon\cal\calmain.exe <Not Verified; Canon Inc.; >
R2 IJPLMSVC (PIXMA Extended Survey Program) - c:\program files\canon\ijplm\ijplmsvc.exe <Not Verified; ; IJPLMSVC>
R2 RMSvc (Media Center Extender Resource Monitor) - c:\windows\ehome\rmsvc.exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

S4 QBCFMonitorService - "c:\program files\common files\intuit\quickbooks\qbcfmonitorservice.exe" <Not Verified; Intuit; QuickBooks for Windows>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: NVIDIA nForce Networking Controller
Device ID: PCI\VEN_10DE&DEV_00D6&SUBSYS_E0001458&REV_A5\3&13C0B0C5&0&28
Manufacturer: Nvidia
Name: NVIDIA nForce Networking Controller
PNP Device ID: PCI\VEN_10DE&DEV_00D6&SUBSYS_E0001458&REV_A5\3&13C0B0C5&0&28
Service: NVENET

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: D-Link AirPlus DWL-G520 Wireless PCI Adapter(rev.B)
Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_3A131186&REV_01\4&2FF3801D&0&4050
Manufacturer: D-Link
Name: D-Link AirPlus DWL-G520 Wireless PCI Adapter(rev.B)
PNP Device ID: PCI\VEN_168C&DEV_0013&SUBSYS_3A131186&REV_01\4&2FF3801D&0&4050
Service: A3AB

-- Process Modules -------------------------------------------------------------

C:\WINDOWS\explorer.exe (pid 712)
2007-05-22 10:59:22 128512 --a------ C:\Program Files\WinRAR\RarExt.dll
2006-09-25 10:13:12 73728 --a------ C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll <Not Verified; ; ACE Context Menu>

-- Scheduled Tasks -------------------------------------------------------------

2008-07-26 02:15:29 426 --ah----- C:\WINDOWS\Tasks\User_Feed_Synchronization-{152CCF79-8C1E-417D-91CE-B9BC1C6ED428}.job
2008-07-02 23:38:01 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job

-- Files created between 2008-06-26 and 2008-07-26 -----------------------------

2008-07-26 08:37:01 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-26 08:37:00 0 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-26 08:36:59 0 d-------- C:\WINDOWS\LastGood
2008-07-23 23:25:15 0 d-------- C:\WINDOWS\SQLTools9_KB948109_ENU
2008-07-23 23:23:04 0 d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-07-23 22:58:00 0 d-------- C:\cmdcons
2008-07-23 21:08:10 68096 --a------ C:\WINDOWS\zip.exe
2008-07-23 21:08:10 49152 --a------ C:\WINDOWS\VFind.exe
2008-07-23 21:08:10 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-07-23 21:08:10 98816 --a------ C:\WINDOWS\sed.exe
2008-07-23 21:08:10 80412 --a------ C:\WINDOWS\grep.exe
2008-07-23 21:08:10 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-07-23 21:08:09 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-07-23 21:08:09 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-07-23 08:30:02 0 d-------- C:\Program Files\Panda Security
2008-07-05 15:53:09 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-05 12:12:55 0 d-------- C:\Program Files\USS
2008-07-05 00:15:30 0 d-------- C:\Program Files\Trend Micro
2008-07-05 00:03:22 0 d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-07-05 00:01:26 0 d-------- C:\Program Files\VideoLAN
2008-07-04 22:40:43 0 d-------- C:\Temp
2008-07-04 22:39:21 0 d-------- C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-07-04 22:38:48 45056 --a------ C:\WINDOWS\system32\WNASPI32.DLL <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-07-04 22:38:48 16512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS <Not Verified; Adaptec; Adaptec's ASPI Layer>
2008-06-27 20:52:00 0 d-------- C:\Program Files\AMF Software
2008-06-27 15:26:15 0 d-------- C:\Documents and Settings\Administrator\Application Data\CD-LabelPrint
2008-06-27 15:25:58 0 d-------- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-06-27 14:58:18 0 d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-06-27 14:57:59 0 d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-06-27 14:57:39 0 d--h----- C:\Program Files\CanonBJ
2008-06-26 22:21:10 0 d-------- C:\Program Files\Microsoft Small Business
2008-06-26 22:17:04 0 d-------- C:\Program Files\Microsoft SQL Server

-- Find3M Report ---------------------------------------------------------------

2008-07-26 02:25:47 0 d-------- C:\Program Files\Common Files
2008-07-26 02:21:12 0 d-------- C:\Program Files\BitComet
2008-07-26 02:20:11 0 d-------- C:\Program Files\Java
2008-07-23 20:53:43 0 d-------- C:\Program Files\Symantec AntiVirus
2008-07-23 20:29:49 0 d-------- C:\Program Files\BradstoneDPD
2008-07-05 10:00:19 0 d-------- C:\Program Files\Common Files\Roxio Shared
2008-07-04 23:25:01 0 d-------- C:\Program Files\Common Files\Symantec Shared
2008-06-27 15:25:56 0 d-------- C:\Program Files\Canon
2008-06-27 15:03:42 0 d-------- C:\Program Files\Common Files\Canon
2008-06-26 22:18:25 0 d-------- C:\Program Files\Microsoft.NET
2008-06-21 20:23:24 0 d-------- C:\Program Files\Common Files\SWF Studio
2008-06-21 20:11:44 0 d-------- C:\Program Files\Common Files\Intuit
2008-06-21 20:10:47 0 d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-06-21 20:10:07 0 d-------- C:\Program Files\Intuit
2008-06-21 15:46:14 0 d-------- C:\Program Files\Microsoft Silverlight

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 10:12]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 19:02]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-16 17:09]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 02:01]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 02:50]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 13:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-20 23:59]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 12:34]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 20:55:40]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-10-19 15:55:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-10-19 15:53 293888]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE QWAVE

-- End of Deckard's System Scanner: finished at 2008-07-26 10:24:20 ------------

-------------------------------------------------------------------------------
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 26, 2008 10:21:13 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/07/2008
Kaspersky Anti-Virus database records: 1010258
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
X:\
Y:\
Z:\

Scan Statistics:
Total number of scanned objects: 71916
Number of viruses found: 7
Number of infected objects: 33
Number of suspicious objects: 0
Duration of the scan process: 01:29:43

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\ApplicationHistory\CLI.EXE.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\temp\Perflib_Perfdata_4b4.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\temp\Perflib_Perfdata_9c4.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\temp\~DF9684.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\temp\~DF96DB.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\My Documents\My Downloads\Jelly Bean Key Finder\kf141.zip/keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Administrator\My Documents\My Downloads\Jelly Bean Key Finder\kf141.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Administrator\My Documents\My Downloads\Jelly Bean Key Finder\kf141.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Administrator\My Documents\My Downloads\Jelly Bean Key Finder\kf141.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\Administrator\My Documents\My Downloads\Jelly Bean Key Finder\kf141.zip ZIP: infected - 4 skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.475.Crwl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.475.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000E.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000F.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010010.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010012.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010013.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010014.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010015.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010025.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010025.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010025.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy328.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf4.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_a24.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00D80000.VBN Infected: Trojan.Win32.Obfuscated.auw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\068C0000.VBN Infected: Trojan.Win32.Obfuscated.auw skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07740000.VBN Infected: Trojan.Win32.Monderc.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C300000.VBN Infected: Trojan-Downloader.Win32.Delf.kkn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C300001.VBN Infected: Trojan-Downloader.Win32.Zlob.jbe skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F380000.VBN Infected: Trojan-Downloader.Win32.Delf.kkn skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\temp\Perflib_Perfdata_1d0.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Downloads\Xilisoft DVD Ripper Platinum v5.0.35.0512 (SERIAL KEY INCLUDED)\x-dvd-ripper-platinum5.exe/data0000.cab/setup2.exe Infected: Trojan.Win32.Monderc.gen skipped
C:\Downloads\Xilisoft DVD Ripper Platinum v5.0.35.0512 (SERIAL KEY INCLUDED)\x-dvd-ripper-platinum5.exe/data0000.cab Infected: Trojan.Win32.Monderc.gen skipped
C:\Downloads\Xilisoft DVD Ripper Platinum v5.0.35.0512 (SERIAL KEY INCLUDED)\x-dvd-ripper-platinum5.exe Rsrc-Package: infected - 2 skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_36.trc Object is locked skipped
C:\Program Files\SonicWALL\SSL-VPN\NetExtender\NetExtender.dbg Object is locked skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080705-002128-460.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080705-002128-902.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080705-100605-303.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080705-100605-550.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080705-100605-654.dll Infected: Rootkit.Win32.Podnuha.tg skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080705-100700-669.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080705-100700-811.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\19.exe.vir/file4/file3 Infected: not-a-virus:FraudTool.Win32.ErrClean.a skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\19.exe.vir/file4 Infected: not-a-virus:FraudTool.Win32.ErrClean.a skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\19.exe.vir Inno: infected - 2 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\epbfyvbv.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fccaWPfE.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vtUnmLBr.dll.vir Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{100CD21A-250F-49C7-A75B-E42EF14487BA}\RP12\A0005355.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{100CD21A-250F-49C7-A75B-E42EF14487BA}\RP12\A0005356.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{100CD21A-250F-49C7-A75B-E42EF14487BA}\RP12\A0005360.dll Infected: Trojan.Win32.Monderc.gen skipped
C:\System Volume Information\_restore{100CD21A-250F-49C7-A75B-E42EF14487BA}\RP17\A0005632.exe/file4/file3 Infected: not-a-virus:FraudTool.Win32.ErrClean.a skipped
C:\System Volume Information\_restore{100CD21A-250F-49C7-A75B-E42EF14487BA}\RP17\A0005632.exe/file4 Infected: not-a-virus:FraudTool.Win32.ErrClean.a skipped
C:\System Volume Information\_restore{100CD21A-250F-49C7-A75B-E42EF14487BA}\RP17\A0005632.exe Inno: infected - 2 skipped
C:\System Volume Information\_restore{100CD21A-250F-49C7-A75B-E42EF14487BA}\RP18\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{49793FC6-5436-4CEB-9F82-C0630EAE176D}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\Transcod.evt Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_8d8.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Last edited by amateur; 07-26-2008 at 04:38 AM.
amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-26-2008, 09:28 AM   #9 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 10
OS: Win XP MCE


Re: Jump Virus - Help Need
Hi, sorry for the confusion. I have submitted the file to BC as requested. Please find below the ComboFix output file. I re-ran ConmboFix against the CFScript.txt as before. This time it completed successfully.... :)



ComboFix 08-07-22.4 - cravenp 2008-07-26 16:14:24.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.501 [GMT 1:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\WINDOWS\BM53e0c9e2.xml
C:\WINDOWS\system32\19.exe
C:\WINDOWS\system32\19.tmp
C:\WINDOWS\system32\drivers\wasfsd.sys
C:\WINDOWS\system32\prcjyvtd.exe

.
((((((((((((((((((((((((( Files Created from 2008-06-26 to 2008-07-26 )))))))))))))))))))))))))))))))
.

2008-07-26 11:07 . 2008-07-26 11:07 593 --a------ C:\WINDOWS\system32\runkgb.lnk
2008-07-26 11:03 . 2008-07-26 11:03 <DIR> d-------- C:\Program Files\eMusic Download Manager
2008-07-26 11:03 . 2008-07-26 11:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\InstallShield
2008-07-26 10:33 . 2008-07-26 11:15 <DIR> d--hs---- C:\WINDOWS\system32\MPK
2008-07-26 10:33 . 2008-07-26 15:58 <DIR> d--hs---- C:\Documents and Settings\All Users\Application Data\MPK
2008-07-26 10:33 . 2008-07-26 11:07 593 --a------ C:\WINDOWS\system32\runrefog.lnk
2008-07-26 08:37 . 2008-07-26 08:37 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-07-26 08:37 . 2008-07-26 08:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-07-23 23:25 . 2008-07-23 23:25 <DIR> d-------- C:\WINDOWS\SQLTools9_KB948109_ENU
2008-07-23 23:23 . 2008-07-23 23:23 <DIR> d-------- C:\WINDOWS\SQL9_KB948109_ENU
2008-07-23 08:36 . 2008-07-23 08:36 <DIR> d-------- C:\Deckard
2008-07-23 08:30 . 2008-07-23 20:29 <DIR> d-------- C:\Program Files\Panda Security
2008-07-05 15:53 . 2008-07-05 15:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-07-05 12:12 . 2008-07-26 02:23 <DIR> d-------- C:\Program Files\USS
2008-07-05 00:15 . 2008-07-05 00:15 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-05 00:03 . 2008-07-05 00:03 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\vlc
2008-07-05 00:01 . 2008-07-05 00:01 <DIR> d-------- C:\Program Files\VideoLAN
2008-07-04 22:40 . 2008-07-04 23:06 <DIR> d-------- C:\Temp
2008-07-04 22:39 . 2008-07-04 22:39 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\dvdcss
2008-07-04 22:38 . 2008-05-06 07:01 45,056 --a------ C:\WINDOWS\system32\WNASPI32.DLL
2008-07-04 22:38 . 2008-05-06 07:01 16,512 --a------ C:\WINDOWS\system32\drivers\ASPI32.SYS
2008-06-27 20:52 . 2008-06-27 20:52 <DIR> d-------- C:\Program Files\AMF Software
2008-06-27 15:26 . 2008-06-27 15:26 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\CD-LabelPrint
2008-06-27 15:25 . 2008-06-27 15:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\CanonIJPLM
2008-06-27 14:58 . 2008-06-27 14:58 <DIR> d--h----- C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-06-27 14:58 . 2007-05-01 06:00 215,040 --a------ C:\WINDOWS\system32\CNMLM92.DLL
2008-06-27 14:57 . 2008-06-27 14:57 <DIR> d--h----- C:\WINDOWS\system32\CanonIJ Uninstaller Information
2008-06-27 14:57 . 2008-06-27 14:57 <DIR> d--h----- C:\Program Files\CanonBJ
2008-06-26 22:21 . 2008-06-26 22:25 <DIR> d-------- C:\Program Files\Microsoft Small Business
2008-06-26 22:17 . 2008-07-23 23:25 <DIR> d-------- C:\Program Files\Microsoft SQL Server

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-07-26 15:13 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-26 10:03 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-26 01:21 --------- d-----w C:\Program Files\BitComet
2008-07-26 01:20 --------- d-----w C:\Program Files\Java
2008-07-23 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-07-23 19:29 --------- d-----w C:\Program Files\BradstoneDPD
2008-07-05 09:00 --------- d-----w C:\Program Files\Common Files\Roxio Shared
2008-07-05 09:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio
2008-07-04 22:25 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-06-27 14:25 --------- d-----w C:\Program Files\Canon
2008-06-27 14:03 --------- d-----w C:\Program Files\Common Files\Canon
2008-06-26 21:18 --------- d-----w C:\Program Files\Microsoft.NET
2008-06-22 08:21 --------- d-----w C:\Documents and Settings\cravenc\Application Data\Roxio
2008-06-21 19:23 --------- d-----w C:\Program Files\Common Files\SWF Studio
2008-06-21 19:11 --------- d-----w C:\Program Files\Common Files\Intuit
2008-06-21 19:10 --------- d-----w C:\Program Files\Intuit
2008-06-21 19:10 --------- d-----w C:\Program Files\Common Files\AnswerWorks 4.0
2008-06-21 19:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-06-21 19:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\COMMON FILES
2008-06-21 14:46 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-05-07 04:55 1,288,192 ----a-w C:\WINDOWS\system32\quartz.dll
.

((((((((((((((((((((((((((((( snapshot@2008-07-23_23.09.49.18 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-08-03 21:14:31 461,416 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Owc11\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Owc11.dll
+ 2008-07-23 22:26:36 464,272 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Office.Interop.Owc11\11.0.0.0__71e9bce111e9429c\Microsoft.Office.Interop.Owc11.dll
- 2007-08-03 21:14:32 64,088 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
+ 2008-07-23 22:26:38 66,936 ----a-w C:\WINDOWS\assembly\GAC\Microsoft.Vbe.Interop\11.0.0.0__71e9bce111e9429c\Microsoft.Vbe.Interop.dll
- 2007-08-03 21:14:31 223,800 ----a-w C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
+ 2008-07-23 22:26:35 226,656 ----a-w C:\WINDOWS\assembly\GAC\office\11.0.0.0__71e9bce111e9429c\OFFICE.DLL
+ 2006-10-26 20:55:38 138,024 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119410000000000000000F01FEC\12.0.4518\IMPMAIL.DLL
+ 2006-10-27 15:16:36 46,864 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\00002119410000000000000000F01FEC\12.0.4518\OUTLRPC.DLL
+ 2003-07-14 21:57:34 38,968 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\AUTHZAX.DLL
+ 2003-07-14 21:53:06 94,768 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\AW.DLL
+ 2003-07-14 21:53:22 46,144 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\BLNMGRPS.DLL
+ 2003-07-14 21:51:44 87,104 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\MSENCODE.DLL
+ 2003-07-14 21:52:52 17,464 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\MSMH.DLL
+ 2003-07-14 21:57:16 120,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\MSOAUTH.DLL
+ 2003-07-14 21:52:52 27,704 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\MSODCW.DLL
+ 2003-07-14 21:52:56 55,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\MSOHTMED.EXE
+ 2003-07-14 21:52:54 28,224 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\MSOSTYLE.DLL
+ 2003-07-14 21:46:16 42,040 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\MSOXEV.DLL
+ 2003-07-14 21:45:12 55,360 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\MSOXMLED.EXE
+ 2003-07-14 21:45:12 39,488 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\MSOXMLMF.DLL
+ 2003-07-14 21:52:58 41,528 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\MSSH.DLL
+ 2003-07-14 22:00:54 145,984 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\MSWEBCAP.DLL
+ 2003-07-14 21:57:10 56,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\NAME.DLL
+ 2003-07-14 21:56:52 13,888 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\NPOFFICE.DLL
+ 2007-08-03 21:14:31 223,800 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\OFFICE.DLL
+ 2007-08-03 21:14:31 461,416 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\OWC11PIA.DLL
+ 2003-08-16 00:03:04 174,696 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\PJCALEND.DLL
+ 2003-05-08 20:54:00 77,824 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\REFEDIT.DLL
+ 2003-07-14 21:57:18 349,248 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\SELFCERT.EXE
+ 2003-07-14 21:57:08 58,944 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\SEQCHK10.DLL
+ 2007-08-03 21:14:32 64,088 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.5614\VBIDEPIA.DLL
+ 2004-03-09 10:00:06 416,584 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\COMPPRJ.DLL
+ 2004-03-10 23:41:32 908,200 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\CPICOFF.DLL
+ 2005-05-04 0028 465,640 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\MSDMENG.DLL
+ 2005-05-04 0030 1,411,816 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\MSDMINE.DLL
+ 2005-05-04 0024 199,408 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\MSMDUN80.DLL
+ 2006-09-26 21:01:30 2,113,536 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\MSOLAP80.DLL
+ 2005-02-23 17:22:36 347,040 ----a-r C:\WINDOWS\Installer\$PatchCache$\Managed\9040B30900063D11C8EF10054038389C\11.0.8173\VISPRJ.DLL
- 2008-04-08 21:05:44 135,168 ----a-r C:\WINDOWS\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2008-07-23 22:26:41 135,168 ----a-r C:\WINDOWS\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2008-04-08 21:05:44 4,096 ----a-r C:\WINDOWS\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2008-07-23 22:26:41 4,096 ----a-r C:\WINDOWS\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
- 2008-04-08 21:05:43 147,456 ----a-r C:\WINDOWS\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\pj11icon.exe
+ 2008-07-23 22:26:41 147,456 ----a-r C:\WINDOWS\Installer\{903B0409-6000-11D3-8CFE-0150048383C9}\pj11icon.exe
- 2008-05-13 23:37:11 1,165,584 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
+ 2008-07-23 22:25:45 1,165,584 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\accicons.exe
- 2008-05-13 23:37:11 20,240 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
+ 2008-07-23 22:25:45 20,240 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\cagicon.exe
- 2008-05-13 23:37:11 217,864 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
+ 2008-07-23 22:25:45 217,864 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\misc.exe
- 2008-05-13 23:37:11 18,704 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
+ 2008-07-23 22:25:45 18,704 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\mspicons.exe
- 2008-05-13 23:37:11 35,088 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
+ 2008-07-23 22:25:46 35,088 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\oisicon.exe
- 2008-05-13 23:37:11 845,584 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
+ 2008-07-23 22:25:45 845,584 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\outicon.exe
- 2008-05-13 23:37:11 922,384 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
+ 2008-07-23 22:25:45 922,384 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pptico.exe
- 2008-05-13 23:37:11 272,648 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
+ 2008-07-23 22:25:45 272,648 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\pubs.exe
- 2008-05-13 23:37:11 888,080 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
+ 2008-07-23 22:25:45 888,080 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\wordicon.exe
- 2008-05-13 23:37:11 1,172,240 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
+ 2008-07-23 22:25:45 1,172,240 ----a-r C:\WINDOWS\Installer\{91120000-0014-0000-0000-0000000FF1CE}\xlicons.exe
+ 2007-02-10 04:09:12 127,856 ----a-w C:\WINDOWS\SQL9_KB948109_ENU\batchparser90.dll
+ 2007-02-10 04:09:20 1,039,728 ----a-w C:\WINDOWS\SQL9_KB948109_ENU\dbghelp.dll
+ 2007-02-10 04:15:30 1,160,560 ----a-w C:\WINDOWS\SQL9_KB948109_ENU\dumpdatastore.dll
+ 2008-02-26 21:08:46 2,501,648 ----a-w C:\WINDOWS\SQL9_KB948109_ENU\hotfix.exe
+ 2005-10-13 22:26:42 548,864 ----a-w C:\WINDOWS\SQL9_KB948109_ENU\msvcp80.dll
+ 2005-10-13 22:26:42 626,688 ----a-w C:\WINDOWS\SQL9_KB948109_ENU\msvcr80.dll
+ 2007-02-10 04:29:52 143,728 ----a-w C:\WINDOWS\SQL9_KB948109_ENU\sqlcmd.exe
+ 2007-02-10 04:29:52 533,872 ----a-w C:\WINDOWS\SQL9_KB948109_ENU\sqldiscoveryapi.dll
+ 2007-02-10 04:29:54 230,256 ----a-w C:\WINDOWS\SQL9_KB948109_ENU\sqlsetupvista.dll
+ 2007-02-10 04:09:12 127,856 ----a-w C:\WINDOWS\SQLTools9_KB948109_ENU\batchparser90.dll
+ 2007-02-10 04:09:20 1,039,728 ----a-w C:\WINDOWS\SQLTools9_KB948109_ENU\dbghelp.dll
+ 2007-02-10 04:15:30 1,160,560 ----a-w C:\WINDOWS\SQLTools9_KB948109_ENU\dumpdatastore.dll
+ 2008-02-26 21:08:46 2,501,648 ----a-w C:\WINDOWS\SQLTools9_KB948109_ENU\hotfix.exe
+ 2005-10-13 22:26:42 548,864 ----a-w C:\WINDOWS\SQLTools9_KB948109_ENU\msvcp80.dll
+ 2005-10-13 22:26:42 626,688 ----a-w C:\WINDOWS\SQLTools9_KB948109_ENU\msvcr80.dll
+ 2007-02-10 04:29:52 143,728 ----a-w C:\WINDOWS\SQLTools9_KB948109_ENU\sqlcmd.exe
+ 2007-02-10 04:29:52 533,872 ----a-w C:\WINDOWS\SQLTools9_KB948109_ENU\sqldiscoveryapi.dll
+ 2007-02-10 04:29:54 230,256 ----a-w C:\WINDOWS\SQLTools9_KB948109_ENU\sqlsetupvista.dll
- 2006-03-15 12:00:00 138,496 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
+ 2008-06-20 10:44:38 138,368 -c--a-w C:\WINDOWS\system32\dllcache\afd.sys
- 2008-02-20 05:32:43 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 -c--a-w C:\WINDOWS\system32\dllcache\dnsapi.dll
- 2006-03-15 12:00:00 245,248 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll
+ 2008-06-20 17:41:10 245,248 -c--a-w C:\WINDOWS\system32\dllcache\mswsock.dll
- 2007-10-30 17:20:55 360,064 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
+ 2008-06-20 10:45:13 360,320 -c--a-w C:\WINDOWS\system32\dllcache\tcpip.sys
- 2006-08-16 09:37:30 225,664 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
+ 2008-06-20 09:52:06 225,920 -c--a-w C:\WINDOWS\system32\dllcache\tcpip6.sys
- 2008-02-20 05:32:43 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
+ 2008-06-20 17:41:10 148,992 ----a-w C:\WINDOWS\system32\dnsapi.dll
- 2006-10-26 14:10:08 1,190,688 ----a-w C:\WINDOWS\system32\FM20.DLL
+ 2007-06-06 09:53:34 1,195,888 ----a-w C:\WINDOWS\system32\FM20.DLL
- 2008-02-22 01:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-06-10 00:21:01 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2008-02-22 01:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-06-10 00:21:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2008-02-22 02:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-06-10 01:32:34 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 11:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 14:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 14:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2002-08-13 05:09:50 684,032 ----a-w C:\WINDOWS\system32\MPK\libeay32.dll
+ 2008-07-14 12:30:56 327,680 ----a-w C:\WINDOWS\system32\MPK\Mpk.dll
+ 2008-07-14 14:33:24 1,467,392 ----a-w C:\WINDOWS\system32\MPK\MPK.exe
+ 2008-07-14 12:32:08 397,312 ----a-w C:\WINDOWS\system32\MPK\Mpk64.dll
+ 2008-07-09 10:54:16 59,392 ----a-w C:\WINDOWS\system32\MPK\MPK64.exe
+ 2008-07-26 1036 5,331,222 ----a-w C:\WINDOWS\system32\MPK\MpkNetInstall.exe
+ 2008-07-14 14:33:06 2,927,616 ----a-w C:\WINDOWS\system32\MPK\MPKView.exe
+ 2007-06-18 12:45:16 362,029 ----a-w C:\WINDOWS\system32\MPK\sqlite3.dll
+ 2002-08-13 05:10:10 155,648 ----a-w C:\WINDOWS\system32\MPK\ssleay32.dll
+ 2008-07-26 10:07:11 58,837 ----a-w C:\WINDOWS\system32\MPK\unins000.dat
+ 2008-07-26 1036 685,849 ----a-w C:\WINDOWS\system32\MPK\unins000.exe
- 2008-05-29 23:35:11 17,486,968 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-06-25 16:15:46 17,972,344 ----a-w C:\WINDOWS\system32\MRT.exe
- 2008-06-26 21:20:18 89,064 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-07-23 22:24:21 88,948 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-06-26 21:20:18 477,292 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-07-23 22:24:21 476,984 ----a-w C:\WINDOWS\system32\perfh009.dat
- 2007-11-30 11:18:51 17,272 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w C:\WINDOWS\system32\spmsg.dll
+ 2008-07-26 14:58:26 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7ac.dat
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-03-15 13:00 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-02-20 23:59 68856]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 12:34 5724184]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 14:56 64512]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-09-25 10:12 90112]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-10 19:02 67184]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2005-07-19 18:32 221184]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-16 17:09 185632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]
"CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-15 02:01 644696]
"CanonMyPrinter"="C:\Program Files\Canon\MyPrinter\BJMyPrt.exe" [2007-04-04 02:50 1603152]
"vptray"="C:\PROGRA~1\SYMANT~1\\vptray.exe" [2004-12-30 15:19 120640]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-03-15 13:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Extender Resource Monitor.lnk - C:\WINDOWS\ehome\RMSysTry.exe [2005-10-20 20:55:40 18432]
Windows Desktop Search.lnk - C:\Program Files\Windows Desktop Search\WindowsSearch.exe [2006-10-19 15:55:04 110080]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= "C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll" [2006-10-19 15:53 293888]

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Intuit\\QuickBooks 2008\\QBDBMgrN.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\pchealth\\helpctr\\binaries\\HelpCtr.exe"=
"C:\\WINDOWS\\system32\\MPK\\Mpk.exe"=
"C:\\WINDOWS\\system32\\MPK\\MpkView.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"3776:UDP"= 3776:UDP:Media Center Extender Service
"3390:TCP"= 3390:TCP:Remote Media Center Experience
"27427:TCP"= 27427:TCP:BitComet 27427 TCP
"27427:UDP"= 27427:UDP:BitComet 27427 UDP

R0 SiWinAcc;SiWinAcc;C:\WINDOWS\system32\drivers\SiWinAcc.sys [2004-11-01 21:21]
R2 IJPLMSVC;PIXMA Extended Survey Program;C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE [2007-04-13 17:20]
R2 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [2008-02-26 22:08]
R2 RMSvc;Media Center Extender Resource Monitor;C:\WINDOWS\ehome\RMSvc.exe [2005-10-20 20:55]
R3 SSLDrv;SSL-VPN NetExtender Adapter;C:\WINDOWS\system32\DRIVERS\SSLDrv.sys [2007-03-20 23:49]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINDOWS\system32\DRIVERS\A3AB.sys [2004-03-12 21:38]
S3 QWAVE;QWAVE service;C:\WINDOWS\system32\svchost.exe [2006-03-15 13:00]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
QWAVE REG_MULTI_SZ QWAVE
.
Contents of the 'Scheduled Tasks' folder
"2008-07-02 22:38:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-07-26 01:15:29 C:\WINDOWS\Tasks\User_Feed_Synchronization-{152CCF79-8C1E-417D-91CE-B9BC1C6ED428}.job"
- C:\WINDOWS\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-07-26 16:16:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-07-26 16:17:22
ComboFix-quarantined-files.txt 2008-07-26 15:17:19
ComboFix2.txt 2008-07-23 22:10:15

Pre-Run: 20,905,734,144 bytes free
Post-Run: 20,913,704,960 bytes free

297 --- E O F --- 2008-07-26 07:36:33
PSC3377 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-27-2008, 01:43 AM   #10 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,479
OS: XP SP3


Re: Jump Virus - Help Need
Hi,

Before we continue, it appears that you've recently installed a new program, KGB - Refog Keylogger. Did you knowingly install it yourself? I would have appreciated if you did not install any new applications other than the ones we are using for the cleaning process until we are done.

========================================

The following are reported by Kaspersky as infected, please delete them.

C:\Documents and Settings\Administrator\My Documents\My Downloads\Jelly Bean Key Finder\kf141.zip
C:\Downloads\Xilisoft DVD Ripper Platinum v5.0.35.0512 (SERIAL KEY INCLUDED)\x-dvd-ripper-platinum5.exe

C:\Program Files\Trend Micro\HijackThis\backups<======= delete the contents of this folder

=======================================

Quote:
I have removed BitComet as you suggested.
You can delete its associated folder as well.

C:\Program Files\BitComet

=======================================

How is the computer running now?
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-27-2008, 03:35 AM   #11 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 10
OS: Win XP MCE


Re: Jump Virus - Help Need
Hi, I have now removed all of the files and folders as you have suggested. I believe this problem has occured as a result of my son downloading and installing software and files etc. I installed REFOG in order to keep an eye on what he is doing. Appologies for installing it in the middle of this process, I should have informed you.

As for the PC, it now seems fine, I have not had any hijacks in the past couple of days.

As such, I think the problem is now solved.

I would just like to add that I really appreciate all of your support as I know this service is run by volunteers, and you have devoted a large amount of your time in assisting me.

Once again, many many thanks!
PSC3377 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-27-2008, 07:38 AM   #12 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,479
OS: XP SP3


Re: Jump Virus - Help Need
Hi,

Quote:
I installed REFOG in order to keep an eye on what he is doing. Apologies for installing it in the middle of this process, I should have informed you.
No problem.
Quote:
As for the PC, it now seems fine, I have not had any hijacks in the past couple of days. As such, I think the problem is now solved.

I would just like to add that I really appreciate all of your support as I know this service is run by volunteers, and you have devoted a large amount of your time in assisting me.

Once again, many many thanks!
You're welcome. We have a little more tidying up to do.

Using Windows Explorer (right click on Start, click on Explore) please locate and delete this folder:

C:\Program Files\USS

===================================

Go to Start > Run. Copy/Paste or type:

sc delete wasfsd and then click OK

===================================
  • Open notepad (Start>All programs>accessories>notepad )
  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • and Save it on the desktop
(It must be notepad, not wordpad, or it won't work):

Code:
Registry::
[-HKEY_CURRENT_USER\Software\DCScannerPlugin]
[-HKEY_CURRENT_USER\Software\USLst]
[-HKEY_CURRENT_USER\Software\USS]
[-HKEY_CLASSES_ROOT\CLSID\{_CLSID_WAShellExecuteCheck}]
[-HKEY_CLASSES_ROOT\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B22}]
[-HKEY_CLASSES_ROOT\Interface\{4567AB12-A884-4CA6-B739-CEDB12FEF096}]
[-HKEY_CLASSES_ROOT\Interface\{ABCD4567-4D73-43E9-85E5-53A2DBD95422}]
[-HKEY_CLASSES_ROOT\Interface\{ABCD4567-D8E8-4DF1-A3EA-D0AA72F42622}]
[-HKEY_CLASSES_ROOT\TypeLib\{4567AB12-AE24-4FD6-B479-E2B464F32DA6}]	
[-HKEY_CLASSES_ROOT\TypeLib\{ABCD4567-7437-43EF-AB74-4AB1D3A37422}]
[-HKEY_CLASSES_ROOT\wasfsd.CreationNotifier]
[-HKEY_CLASSES_ROOT\wasfsd.CreationNotifier.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USS_{D1957FF4-EA22-4b4a-81A1-C62068479DED}_is1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USS_is1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\PCPrivacyTool Plugin]
[-HKEY_LOCAL_MACHINE\SOFTWARE\USS]
Save this as CFScript.txt



Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
Last edited by amateur; 07-27-2008 at 09:09 AM.
amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-27-2008, 12:39 PM   #13 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 10
OS: Win XP MCE


Re: Jump Virus - Help Need
Hi. As instructed, I have removed C:\Program Files\USS, and deleted the wasfsd sevrice. However, I have tried to run ComboFix against the new CFScript.txt several times to no avail? Each time, ComboFix hangs in a different place? I'm not sure of the ComboFix syntax, but I assume the aim is to remove the registry entries in the CFScript.txt file? I can do that manually if you wish?

P.s. I have been sure not to mouse click the ComboFix window when the app is running. In fact, I have started CF against the script, and left the PC alone to run.... :(

TIA.
Last edited by PSC3377; 07-27-2008 at 12:40 PM.
PSC3377 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-27-2008, 01:52 PM   #14 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,479
OS: XP SP3


Re: Jump Virus - Help Need
Hi,

We'll try to remove them with a batch file.

Open notepad. It must be notepad, not wordpad.
Copy and paste the text inside the code box below into notepad, including the blank line at the end. Make sure that wordwrap is turned off in notepad - click the format menu and uncheck wordwrap.
Choose file save as and set file type to all files.
Type fixreg.reg in the file name and save it to your desktop. It should look like this:

Quote:
REGEDIT4

[-HKEY_CURRENT_USER\Software\DCScannerPlugin]
[-HKEY_CURRENT_USER\Software\USLst]
[-HKEY_CURRENT_USER\Software\USS]
[-HKEY_CLASSES_ROOT\CLSID\{_CLSID_WAShellExecuteCheck}]
[-HKEY_CLASSES_ROOT\CLSID\{ABCD4567-76B5-4bc7-AAC5-396D70925B22}]
[-HKEY_CLASSES_ROOT\Interface\{4567AB12-A884-4CA6-B739-CEDB12FEF096}]
[-HKEY_CLASSES_ROOT\Interface\{ABCD4567-4D73-43E9-85E5-53A2DBD95422}]
[-HKEY_CLASSES_ROOT\Interface\{ABCD4567-D8E8-4DF1-A3EA-D0AA72F42622}]
[-HKEY_CLASSES_ROOT\TypeLib\{4567AB12-AE24-4FD6-B479-E2B464F32DA6}]
[-HKEY_CLASSES_ROOT\TypeLib\{ABCD4567-7437-43EF-AB74-4AB1D3A37422}]
[-HKEY_CLASSES_ROOT\wasfsd.CreationNotifier]
[-HKEY_CLASSES_ROOT\wasfsd.CreationNotifier.1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USS_{D1957FF4-EA22-4b4a-81A1-C62068479DED}_is1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\USS_is1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\PCPrivacyTool Plugin]
[-HKEY_LOCAL_MACHINE\SOFTWARE\USS]
Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Close notepad. Make sure that all windows are closed.

Find the fixreg.reg file on your desktop.
Double click it.
It will then ask if you want the file merged to your registry.
Answer yes.

Reboot your computer.

Please let me know how that went.
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-27-2008, 02:02 PM   #15 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 10
OS: Win XP MCE


Re: Jump Virus - Help Need
Hi, thanks for the speedy response. That all seemed to go ok. Would you like me to rerun ComboFix and provide the output log file?
PSC3377 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-27-2008, 02:04 PM   #16 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,479
OS: XP SP3


Re: Jump Virus - Help Need
No, that won't be necessary. How is the computer running?
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-27-2008, 02:08 PM   #17 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 10
OS: Win XP MCE


Re: Jump Virus - Help Need
All seems perfect thanks.
PSC3377 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-27-2008, 02:11 PM   #18 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,479
OS: XP SP3


Re: Jump Virus - Help Need
You're all set to go now.
  • Click Start then Run
  • Now type Combofix /u in the runbox and click OK. Notice the space between the Combofix and the /



    This will uninstall ComboFix. It will also implement some cleanup procedures and reset System Restore to prevent reinfection from old restore points.
A colleague of ours has excellent information and tips on the prevention of malware here
to keep your system safe and secure in future.

Happy surfing!
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-27-2008, 02:15 PM   #19 (permalink)
Registered User
 
Join Date: Jul 2008
Posts: 10
OS: Win XP MCE


Re: Jump Virus - Help Need
Thank you very much for all of your help, I really do appreciate it!
PSC3377 is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 07-27-2008, 02:17 PM   #20 (permalink)
Moderator, Analyst, Security Team ; Rangemaster, TSF Academy
 
amateur's Avatar
 
Join Date: Jun 2006
Location: USA
Posts: 7,479
OS: XP SP3


Re: Jump Virus - Help Need
You're welcome. Glad we could help. Stay safe!
__________________
My services are free. However, you can donate to TSF to help keep it running.




Member of ASAP since 2005
Member of UNITE since 2006
amateur is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 11:11 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85