#1
Registered User
Join Date: Feb 2008
Posts: 22
OS: XP
windows xp 2008 virus scan
I keep getting a blue screen on my desktop with this message and my pc keeps asking to be shutdown before there is " damage to my system". Can anyone help?
Many thanks!

Hijack this log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:13:34, on 10/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Documents and Settings\Andrew\Desktop\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\zHotkey.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\lphct2qj0eldp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\pphct2qj0eldp.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.6.0_04\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.h...ys=DTP&M=E4040
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [lphct2qj0eldp] C:\WINDOWS\system32\lphct2qj0eldp.exe
O4 - HKLM\..\Run: [SMrhcp2qj0eldp] C:\Program Files\rhcp2qj0eldp\rhcp2qj0eldp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f006.mail.lycos.co.uk/app/upl...leUploader.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Andrew\Desktop\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe

--
End of file - 8358 bytes
#2
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: windows xp 2008 virus scan
Hello and welcome to TSF
Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
=======

Logs Required
C:\Deckard\System Scanner\main.txt
C:\Deckard\System Scanner\extra.txt <---- Attached
#3
Registered User
Join Date: Feb 2008
Posts: 22
OS: XP
Re: windows xp 2008 virus scan
Hi
I never got the extra.txt when I ran DSS? Cheers!

Deckard's System Scanner v20071014.68
Run by Andrew on 2008-08-14 12:55:14
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 383 MiB (512 MiB recommended).

-- HijackThis (run as Andrew.exe) ----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:15, on 14/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Virgin Broadband\PCguard\Fws.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Documents and Settings\Andrew\Desktop\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\zHotkey.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\taskswitch.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ntl\broadband medic\bin\mpbtn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Andrew\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Andrew.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.h...ys=DTP&M=E4040
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CHotkey] zHotkey.exe
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f006.mail.lycos.co.uk/app/upl...leUploader.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Andrew\Desktop\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe
O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe

--
End of file - 8056 bytes

-- Files created between 2008-07-14 and 2008-08-14 -----------------------------

2008-08-14 08:34:11 0 d-------- C:\WINDOWS\LastGood
2008-08-13 17:17:06 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-13 17:02:41 0 d-------- C:\WINDOWS\pss
2008-08-13 12:07:48 0 d-------- C:\Documents and Settings\Andrew\Application Data\MalwareRemovalBot
2008-08-13 11:47:01 0 d-------- C:\Documents and Settings\Andrew\Application Data\Malwarebytes
2008-08-13 11:46:53 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-13 11 49 94208 -----n--- C:\WINDOWS\system32\pphct2qj0eldp.exe
2008-08-12 08:15:05 0 d-------- C:\Program Files\Enigma Software Group
2008-08-12 07:37:26 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-12 07:37:11 0 d-------- C:\Program Files\SUPERAntiSpyware
2008-08-12 07:37:11 0 d-------- C:\Documents and Settings\Andrew\Application Data\SUPERAntiSpyware.com
2008-08-10 02:04:47 0 d-------- C:\Documents and Settings\Andrew\Application Data\rhcp2qj0eldp
2008-08-10 00:01:32 0 d-------- C:\Program Files\rhcp2qj0eldp
2008-08-09 23:28:34 60928 --a------ C:\WINDOWS\system32\blphct2qj0eldp.scr <Not Verified; Sysinternals; Sysinternals Blue Screen>
2008-08-09 21:42:45 0 d-------- C:\Program Files\Microsoft Common
2008-08-04 23:00:47 0 d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-16 21:11:06 0 d-------- C:\Program Files\iPod
2008-07-16 21:10:51 0 d-------- C:\Program Files\iTunes
2008-07-16 21:09:39 0 d-------- C:\Program Files\Bonjour
2008-07-16 20:59:50 0 d-------- C:\Program Files\Safari

-- Find3M Report ---------------------------------------------------------------

2008-08-14 01:20:38 0 d-------- C:\Program Files\Soulseek
2008-08-13 12:29:53 0 d-------- C:\Program Files\Common Files
2008-08-10 14:08:34 0 d-------- C:\Program Files\Java
2008-08-02 14:29:49 0 d-------- C:\Documents and Settings\Andrew\Application Data\Apple Computer
2008-07-29 23:37:53 1324 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-07-16 21:09:06 0 d-------- C:\Program Files\QuickTime
2008-07-01 23:53:21 0 d-------- C:\Program Files\Audacity

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [06/08/2005 05:56]
"SoundMan"="SOUNDMAN.EXE" [26/09/2005 15:07 C:\WINDOWS\soundman.exe]
"CHotkey"="zHotkey.exe" [08/12/2004 17:57 C:\WINDOWS\zHotkey.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [27/01/2003 18:16]
"Motive SmartBridge"="C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [21/04/2006 16:41]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [30/03/2007 17:40]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [06/06/2005 23:46]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [19/03/2002 18:30]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [07/08/2007 19:49]
"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [05/09/2007 15:10]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11/01/2008 22:16]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [10/07/2008 09:47]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [27/05/2008 10:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [10/07/2008 10:51]
"sysrest32.exe"="C:\WINDOWS\system32\sysrest32.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [10/08/2004 20:00]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [14/10/2004 00:24]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]
Debugger=C:\Program Files\Microsoft Common\wuauclt.exe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Mey64.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MalwareRemovalBot]
C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SMrhcp2qj0eldp]
C:\Program Files\rhcp2qj0eldp\rhcp2qj0eldp.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{221a7163-c63e-11da-8201-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

-- End of Deckard's System Scanner: finished at 2008-08-14 12:55:35 ------------
#4
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: windows xp 2008 virus scan
Hello again
Your logs suggest the possibility that your computer was attacked by a backdoor trojan. This type of infection allows hackers to remotely control your computer, steal critical system information and download and execute files without your knowledge. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation. Please read this: How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

===========

Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.

========

Please follow all instructions in the order they come; if you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear; a lack of symptoms does not mean that it is no longer present. Please DO NOT attach logs to your posts unless you are advised to do so.

========

Click Start > Run > type (or copy/paste): C:\Deckard\System Scanner

The extra.txt should be inside one of the folders, next to the main.txt. If you are still unable to locate the extra.txt, please do this instead.

HijackThis Uninstall List
* Start HijackThis
* Click on the Config button
* Click on the Misc Tools button
* Click on the Open Uninstall Manager button.
* You can click on the Save list... button and specify where you would like to save this file. When you press the Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad into your next reply.

=========

Please visit this webpage for instructions for downloading and running ComboFix: http://www.bleepingcomputer.com/comb...o-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first. The Windows Recovery Console will allow you to boot up into a special recovery mode. This allows us to help you in the case that your computer has a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once the Recovery Console is installed using ComboFix, you should see a message that says: The Recovery Console was successfully installed.

Please continue as follows:
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you.

Note: If you already have the recovery console installed, do not proceed with installation of the recovery console.

=========

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

=========

Logs Required
C:\Combofix.txt
HijackThis Log
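The triage the helper does by eye, reading the logs posted in this thread for autostart entries with machine-generated names (lphct2qj0eldp, rhcp2qj0eldp), an Image File Execution Options debugger set on explorer.exe in the DSS registry dump, and the AntiVirusDisableNotify flag in the ComboFix output, can be scripted. The Python below is an added example and is not code from this thread or from HijackThis, DSS or ComboFix; it parses lines in those log formats and reports the three indicator types. The sample lines are copied from the logs in this thread, and the thresholds inside looks_random are assumptions chosen for the example, not a published rule.

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis and
# Deckard's System Scanner logs posted earlier in this thread.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe",
    r'O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"',
    r'O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot',
    r"O4 - HKLM\..\Run: [lphct2qj0eldp] C:\WINDOWS\system32\lphct2qj0eldp.exe",
    r"O4 - HKLM\..\Run: [SMrhcp2qj0eldp] C:\Program Files\rhcp2qj0eldp\rhcp2qj0eldp.exe",
    r"O4 - HKLM\..\Run: [sysrest32.exe] C:\WINDOWS\system32\sysrest32.exe",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\image file execution options\explorer.exe]",
    r"Debugger=C:\Program Files\Microsoft Common\wuauclt.exe",
    r"[HKEY_LOCAL_MACHINE\software\microsoft\security center]",
    r'"AntiVirusDisableNotify"=dword:00000001',
]

# HijackThis O4 line: "O4 - <hive>\..\Run: [<value name>] <command>"
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Unquoted command: keep everything up to the first executable-looking extension.
EXT_RE = re.compile(r"^(?P<path>.*?\.(?:exe|scr|dll|sys|com|bat|cmd|pif))(?:\s|$)", re.IGNORECASE)


def command_path(cmd):
    """Return the executable path from a Run value, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXT_RE.match(cmd)
    return m.group("path") if m else cmd.split(" ", 1)[0]


def looks_random(name):
    """Heuristic for machine-generated names such as lphct2qj0eldp: eight or
    more characters, digits wedged between letters, and almost no vowels.
    The thresholds are assumptions chosen for this example."""
    if len(name) < 8:
        return False
    letters = [c for c in name if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c.lower() in "aeiou" for c in letters) / len(letters)
    embedded_digit = re.search(r"[A-Za-z]\d+[A-Za-z]", name) is not None
    return embedded_digit and vowel_ratio <= 0.2


def triage(lines):
    """Scan HijackThis / DSS / ComboFix log lines; return (rule, detail) findings."""
    findings = []
    ifeo_target = None  # set while inside an Image File Execution Options key
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            path = command_path(m.group("cmd"))
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if looks_random(m.group("name")) or looks_random(stem):
                findings.append(("random-name-autostart", path))
            continue
        low = line.lower()
        if low.startswith("["):
            # A new registry key; remember it only if it is an IFEO subkey.
            ifeo_target = None
            if "\\image file execution options\\" in low:
                ifeo_target = line.rstrip("]").rsplit("\\", 1)[-1]
            continue
        if ifeo_target and low.startswith("debugger="):
            # A Debugger value under IFEO is launched in place of the named program.
            findings.append(("ifeo-debugger", ifeo_target + " -> " + line.split("=", 1)[1]))
            continue
        if '"antivirusdisablenotify"=dword:00000001' in low:
            # Security Center has been told not to warn about missing antivirus.
            findings.append(("security-center-notify-disabled", line))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(SAMPLE_LINES):
        print(f"{rule:32} {detail}")
```

Run as a script it prints the findings for the embedded sample; to use it on a real log, pass the lines of a saved main.txt or ComboFix.txt to triage(). The name heuristic deliberately does not flag plausibly named files such as sysrest32.exe, which ComboFix later in the thread lists as an orphaned Run entry; that gap is why the helper asks for complete logs rather than relying on any single rule.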
#5
Registered User
Join Date: Feb 2008
Posts: 22
OS: XP
Re: windows xp 2008 virus scan
ComboFix 08-08-13.05 - Andrew 2008-08-14 17:38:38.6 - NTFSx86
Running from: C:\Documents and Settings\Andrew\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Andrew\Application Data\macromedia\Flash Player\#SharedObjects\99MMLU5S\interclick.com
C:\Documents and Settings\Andrew\Application Data\macromedia\Flash Player\#SharedObjects\99MMLU5S\interclick.com\ud.sol
C:\Documents and Settings\Andrew\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\Andrew\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\Andrew\Application Data\rhcp2qj0eldp
C:\Documents and Settings\Andrew\Cookies.\andrew@ebay.co[1].txt
C:\kmd.exe
C:\Program Files\rhcp2qj0eldp
C:\WINDOWS\system32\blphct2qj0eldp.scr
C:\WINDOWS\system32\config\systemprofile\Application Data\rhcp2qj0eldp
C:\WINDOWS\system32\pphct2qj0eldp.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TCPSR


((((((((((((((((((((((((( Files Created from 2008-07-14 to 2008-08-14 )))))))))))))))))))))))))))))))
.

2008-08-14 12:53 . 2008-08-14 12:53 <DIR> d-------- C:\Deckard
2008-08-13 17:17 . 2008-08-13 17:17 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2008-08-13 12:07 . 2008-08-13 12:09 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\MalwareRemovalBot
2008-08-13 11:47 . 2008-08-13 11:47 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Malwarebytes
2008-08-13 11:46 . 2008-08-13 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-12 08:15 . 2008-08-12 08:15 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-08-12 07:37 . 2008-08-13 11:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-08-12 07:37 . 2008-08-13 11:57 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\SUPERAntiSpyware.com
2008-08-12 07:37 . 2008-08-12 07:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-08-09 21:42 . 2008-08-09 21:42 <DIR> d-------- C:\Program Files\Microsoft Common
2008-08-04 23:00 . 2008-08-04 23:33 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak
2008-07-16 21:11 . 2008-07-16 21:11 <DIR> d-------- C:\Program Files\iPod
2008-07-16 21:10 . 2008-07-16 21:11 <DIR> d-------- C:\Program Files\iTunes
2008-07-16 21:09 . 2008-07-16 21:09 <DIR> d-------- C:\Program Files\Bonjour
2008-07-16 20:59 . 2008-07-16 21:00 <DIR> d-------- C:\Program Files\Safari

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-14 16:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-08-14 15:10 --------- d-----w C:\Program Files\Soulseek
2008-08-10 13:08 --------- d-----w C:\Program Files\Java
2008-08-02 13:29 --------- d-----w C:\Documents and Settings\Andrew\Application Data\Apple Computer
2008-07-16 20:09 --------- d-----w C:\Program Files\QuickTime
2008-07-01 22:53 --------- d-----w C:\Program Files\Audacity
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-14 00:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 05:56 64512]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2003-01-27 18:16 376912]
"Motive SmartBridge"="C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe" [2006-04-21 16:41 438359]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-03-30 17:40 185784]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"CoolSwitch"="C:\WINDOWS\system32\taskswitch.exe" [2002-03-19 18:30 45632]
"Broadbandadvisor.exe"="C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2007-08-07 19:49 2061552]
"-FreedomNeedsReboot"="C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" [2007-09-05 15:10 13552]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-10 09:47 116040]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 10:50 413696]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-10 10:51 289064]
"SoundMan"="SOUNDMAN.EXE" [2005-09-26 15:07 90112 C:\WINDOWS\soundman.exe]
"CHotkey"="zHotkey.exe" [2004-12-08 17:57 550912 C:\WINDOWS\zHotkey.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" [X]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 20:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Mey64.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Soulseek\\slsk.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Real\\RealPlayer\\realplay.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

R3 MBAMSwissArmy;MBAMSwissArmy;C:\WINDOWS\system32\drivers\mbamswissarmy.sys []
R3 PhSerUsb;PHILOG USB Serial Driver;C:\WINDOWS\system32\DRIVERS\PhSerUsb.sys [2005-11-04 05:19]
R3 Radialpoint Security Services;Virgin Broadband PCguard;C:\WINDOWS\system32\dllhost.exe [2004-08-10 20:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{221a7163-c63e-11da-8201-806d6172696f}]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

.
Contents of the 'Scheduled Tasks' folder
2008-08-13 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]
2008-08-13 C:\WINDOWS\Tasks\MalwareRemovalBot Scheduled Scan.job
- C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe []
2008-08-13 C:\WINDOWS\Tasks\MalwareRemovalBot Scheduled Scan.job
- C:\Program Files\MalwareRemovalBot []
2008-08-14 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2007-03-09 22:15]
2008-07-31 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2007-03-09 22:15]
2008-08-14 C:\WINDOWS\Tasks\XoftSpySE 2.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2007-03-08 00:58]
2008-07-29 C:\WINDOWS\Tasks\XoftSpySE.job
- C:\Program Files\XoftSpySE\XoftSpy.exe [2007-03-08 00:58]
.
- - - - ORPHANS REMOVED - - - -

HKCU-Run-updateMgr - C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
HKLM-Run-sysrest32.exe - C:\WINDOWS\system32\sysrest32.exe
MSConfigStartUp-MalwareRemovalBot - C:\Program Files\MalwareRemovalBot\MalwareRemovalBot.exe
MSConfigStartUp-SMrhcp2qj0eldp - C:\Program Files\rhcp2qj0eldp\rhcp2qj0eldp.exe


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Andrew\Application Data\Mozilla\Firefox\Profiles\mef807e6.default\

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-14 17:40:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2008-08-14 17:44:08 ComboFix-quarantined-files.txt 2008-08-14 16:43:05 ComboFix2.txt 2008-02-24 15:56:22 Pre-Run: 54,604,861,440 bytes free Post-Run: 54,589,317,120 bytes free 146 --- E O F --- 2008-07-15 17:18:32 Hijack this log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 17:54:39, on 14/08/2008 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v7.00 (7.00.6000.16674) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Virgin Broadband\PCguard\Fws.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Documents and Settings\Andrew\Desktop\AVG Anti-Spyware 7.5\guard.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe C:\WINDOWS\eHome\ehRecvr.exe C:\WINDOWS\eHome\ehSched.exe C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe C:\Program Files\Kontiki\KService.exe C:\Program Files\Raxco\PerfectDisk\PDAgent.exe C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS C:\WINDOWS\system32\dllhost.exe C:\WINDOWS\system32\Ati2evxx.exe C:\WINDOWS\ehome\ehtray.exe C:\WINDOWS\SOUNDMAN.EXE C:\WINDOWS\zHotkey.exe C:\Program Files\BroadJump\Client Foundation\CFD.exe C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\WINDOWS\system32\taskswitch.exe C:\WINDOWS\eHome\ehmsas.exe C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe C:\Program Files\QuickTime\QTTask.exe C:\Program Files\iTunes\iTunesHelper.exe C:\WINDOWS\system32\ctfmon.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\ntl\broadband medic\bin\mpbtn.exe C:\Program Files\iPod\bin\iPodService.exe 
C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\notepad.exe C:\WINDOWS\explorer.exe C:\Program Files\Opera\Opera.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = google.co.uk/ R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157 R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.h...ys=DTP&M=E4040 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;*.local O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Virgin Broadband\PCguard\pkR.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE O4 - HKLM\..\Run: [CHotkey] zHotkey.exe O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ntl\BROADB~1\SMARTB~1\MotiveSB.exe O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common 
Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN O4 - HKLM\..\Run: [-FreedomNeedsReboot] "C:\Program Files\Virgin Broadband\PCguard\ZkRunOnceR.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O4 - Global Startup: broadband medic.lnk = C:\Program Files\ntl\broadband medic\bin\matcli.exe O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab 
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab O16 - DPF: {C36112BF-2FA3-4694-8603-3B510EA3B465} (Lycos File Upload Component) - http://f006.mail.lycos.co.uk/app/upl...leUploader.cab O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Documents and Settings\Andrew\Desktop\AVG Anti-Spyware 7.5\guard.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: CA Pest Patrol Realtime Protection Service (ITMRTSVC) - CA, Inc. - C:\Program Files\CA\PPRT\bin\ITMRTSVC.exe O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS O23 - Service: Virgin Broadband PCguard Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Virgin Broadband\PCguard\rpsupdaterR.exe O23 - Service: PCguard Firewall (RP_FWS) - Virgin Media - C:\Program Files\Virgin Broadband\PCguard\Fws.exe -- End of file - 7750 bytes |
#8
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Důn Čideann, Scotland.
Posts: 5,093
OS: XP
Re: windows xp 2008 virus scan
Hello again,
Please go to your Add/Remove list and remove these programs if present.

SpyHunter <--- SpyHunter was once on the rogue antispyware list; we would not recommend that programme.
MalwareRemovalBot <--- MalwareRemovalBot is a rogue programme.

Even if those programs are not listed in Add/Remove, carry on with the following instructions. Remove any other programs that you do not recognise. Also, if you have any older versions of Java installed, please remove them; leave yourself with only Java 1.6.07 installed.

==========

Download ATF-Cleaner by Atribune to your desktop. Do not run it just yet; we will shortly.

==========

Open Notepad and copy/paste the text in the quotebox below into it:

Quote:
Referring to the picture above, drag CFscript into ComboFix.exe. Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions, as they could damage the workings of your system.

Warning: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.

==========

Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you have Firefox installed:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you have Opera installed:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

==========

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner. Click Accept when prompted to download and install the program files and database of malware definitions.
This animation will guide you through the process:

To optimize scanning time and produce a more sensible report for review:
===========

Open HijackThis and click on 'Do a System Scan and save a Logfile'. Save the log file and post it here.

===========

Logs Required
C:\Combofix.txt
Kaspersky Scan Report
HijackThis Log
An update on how your system is performing.
#9
Registered User
Join Date: Feb 2008
Posts: 22
OS: XP
Re: windows xp 2008 virus scan
ComboFix 08-08-28.03 - Andrew 2008-08-28 20:43:13.7 - NTFSx86
Running from: C:\Documents and Settings\Andrew\Desktop\ComboFix.exe Command switches used :: C:\Documents and Settings\Andrew\Desktop\CFscript.txt * Created a new restore point FILE :: C:\WINDOWS\Tasks\MalwareRemovalBot Scheduled Scan.job . ((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))) . C:\Documents and Settings\Andrew\Application Data\macromedia\Flash Player\#SharedObjects\99MMLU5S\bin.clearspring.com C:\Documents and Settings\Andrew\Application Data\macromedia\Flash Player\#SharedObjects\99MMLU5S\bin.clearspring.com\clearspring.sol C:\Documents and Settings\Andrew\Application Data\macromedia\Flash Player\#SharedObjects\99MMLU5S\static.youku.com C:\Documents and Settings\Andrew\Application Data\macromedia\Flash Player\#SharedObjects\99MMLU5S\static.youku.com\v1.0.0235\v\swf\qplayer.swf\youku.sol C:\Documents and Settings\Andrew\Application Data\macromedia\Flash Player\#SharedObjects\99MMLU5S\static.youku.com\v1.0.0236\v\swf\qplayer.swf\youku.sol C:\Documents and Settings\Andrew\Application Data\macromedia\Flash Player\#SharedObjects\99MMLU5S\static.youku.com\v1.0.0291\v\swf\qplayer.swf\qplayer.sol C:\Documents and Settings\Andrew\Application Data\macromedia\Flash Player\#SharedObjects\99MMLU5S\www.youku.com C:\Documents and Settings\Andrew\Application Data\macromedia\Flash Player\#SharedObjects\99MMLU5S\www.youku.com\v\swf\qplayer.swf\youku.sol C:\Documents and Settings\Andrew\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com C:\Documents and Settings\Andrew\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol C:\Documents and Settings\Andrew\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com C:\Documents and Settings\Andrew\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#static.youku.com\settings.sol C:\Documents 
and Settings\Andrew\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.youku.com C:\Documents and Settings\Andrew\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.youku.com\settings.sol C:\Documents and Settings\Andrew\Application Data\MalwareRemovalBot C:\Documents and Settings\Andrew\Application Data\MalwareRemovalBot\Log\2008 Aug 13 - 12_07_48 PM_083.log C:\Documents and Settings\Andrew\Application Data\MalwareRemovalBot\Log\2008 Aug 13 - 12_07_53 PM_286.log C:\Documents and Settings\Andrew\Application Data\MalwareRemovalBot\Log\2008 Aug 13 - 12_30_53 PM_083.log C:\Documents and Settings\Andrew\Application Data\MalwareRemovalBot\rs.dat C:\Documents and Settings\Andrew\Application Data\MalwareRemovalBot\Settings\ScanResults.pie C:\Program Files\Enigma Software Group C:\Program Files\Enigma Software Group\SpyHunter\scan.log C:\Program Files\Enigma Software Group\SpyHunter\spyhunter.log C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterInstance.lock C:\Program Files\Enigma Software Group\SpyHunter\support.log C:\Program Files\Microsoft Common C:\Program Files\Microsoft Common\wuauclt.exe C:\WINDOWS\Tasks\MalwareRemovalBot Scheduled Scan.job . ((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-28 ))))))))))))))))))))))))))))))) . 2008-08-19 08:28 . 2008-08-19 08:29 <DIR> d-------- C:\WINDOWS\ERUNT 2008-08-19 08:17 . 2008-08-19 08:48 <DIR> d-------- C:\SDFix 2008-08-14 12:53 . 2008-08-14 12:53 <DIR> d-------- C:\Deckard 2008-08-14 08:34 . 2008-05-01 15:30 331,776 -----c--- C:\WINDOWS\system32\dllcache\msadce.dll 2008-08-13 17:17 . 2008-08-13 17:17 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy 2008-08-13 11:47 . 2008-08-13 11:47 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\Malwarebytes 2008-08-13 11:46 . 2008-08-13 11:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes 2008-08-12 07:37 . 
2008-08-13 11:55 <DIR> d-------- C:\Program Files\SUPERAntiSpyware 2008-08-12 07:37 . 2008-08-13 11:57 <DIR> d-------- C:\Documents and Settings\Andrew\Application Data\SUPERAntiSpyware.com 2008-08-12 07:37 . 2008-08-12 07:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com 2008-08-04 23:00 . 2008-08-04 23:33 <DIR> d-------- C:\WINDOWS\system32\CatRoot_bak . (((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))) . 2008-08-28 19:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki 2008-08-28 19:32 --------- d-----w C:\Program Files\Soulseek 2008-08-19 21:51 --------- d-----w C:\Program Files\Microsoft Silverlight 2008-08-10 13:08 --------- d-----w C:\Program Files\Java 2008-08-02 13:29 --------- d-----w C:\Documents and Settings\Andrew\Application Data\Apple Computer 2008-07-16 20:11 --------- d-----w C:\Program Files\iTunes 2008-07-16 20:11 --------- d-----w C:\Program Files\iPod 2008-07-16 20:09 --------- d-----w C:\Program Files\QuickTime 2008-07-16 20:09 --------- d-----w C:\Program Files\Bonjour 2008-07-16 20:00 --------- d-----w C:\Program Files\Safari 2008-07-07 20:32 253,952 ----a-w C:\WINDOWS\system32\es.dll 2008-07-01 22:53 --------- d-----w C:\Program Files\Audacity 2008-06-24 16:23 74,240 ----a-w C:\WINDOWS\system32\mscms.dll 2008-06-23 16:57 826,368 ----a-w C:\WINDOWS\system32\wininet.dll 2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll . ((((((((((((((((((((((((((((( snapshot@2008-08-14_17.42.42.93 ))))))))))))))))))))))))))))))))))))))))) . 
+ 2008-08-07 15:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE + 2008-08-19 07:29:48 3,493,888 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat + 2008-08-19 07:29:49 155,648 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat + 2008-08-07 15:27:04 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE + 2008-08-19 07:29:17 3,493,888 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\ntuser.dat + 2008-08-19 07:29:18 155,648 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat + 2008-04-23 04:16:28 124,928 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\advpack.dll + 2008-04-23 04:16:28 347,136 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\dxtmsft.dll + 2008-04-23 04:16:28 214,528 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\dxtrans.dll + 2008-04-23 04:16:28 133,120 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\extmgr.dll + 2008-04-23 04:16:28 63,488 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\icardie.dll + 2008-04-22 07:39:58 70,656 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ie4uinit.exe + 2008-04-23 04:16:28 153,088 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieakeng.dll + 2008-04-23 04:16:28 230,400 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieaksie.dll + 2008-04-20 05:07:51 161,792 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieakui.dll + 2008-04-23 04:16:28 383,488 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieapfltr.dll + 2008-04-23 04:16:28 384,512 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iedkcs32.dll + 2008-04-23 04:16:28 6,066,176 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieframe.dll + 2008-04-23 04:16:28 44,544 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iernonce.dll + 2008-04-23 04:16:28 267,776 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iertutil.dll + 2008-04-22 07:39:58 13,824 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\ieudinit.exe + 2008-04-22 07:40:18 625,664 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\iexplore.exe + 2008-04-23 04:16:28 27,648 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\jsproxy.dll + 2008-04-23 04:16:28 
459,264 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\msfeeds.dll + 2008-04-23 04:16:28 52,224 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\msfeedsbs.dll + 2008-04-23 21:16:30 3,591,680 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\mshtml.dll + 2008-04-23 04:16:28 478,208 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\mshtmled.dll + 2008-04-23 04:16:28 193,024 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\msrating.dll + 2008-04-23 04:16:28 671,232 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\mstime.dll + 2008-04-23 04:16:28 102,912 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\occache.dll + 2008-04-23 04:16:28 44,544 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\pngfilt.dll + 2007-03-06 01:22:39 213,216 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\spuninst.exe + 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\spuninst\updspapi.dll + 2008-04-23 04:16:28 105,984 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\url.dll + 2008-04-23 04:16:29 1,159,680 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\urlmon.dll + 2008-04-23 04:16:29 233,472 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\webcheck.dll + 2008-04-23 04:16:29 826,368 -c----w C:\WINDOWS\ie7updates\KB953838-IE7\wininet.dll - 2008-04-23 04:16:28 124,928 ----a-w C:\WINDOWS\system32\advpack.dll + 2008-06-23 16:57:27 124,928 ----a-w C:\WINDOWS\system32\advpack.dll - 2008-04-23 04:16:28 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll + 2008-06-23 16:57:27 124,928 -c----w C:\WINDOWS\system32\dllcache\advpack.dll - 2008-04-23 04:16:28 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll + 2008-06-23 16:57:27 347,136 -c--a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll - 2008-04-23 04:16:28 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll + 2008-06-23 16:57:27 214,528 -c--a-w C:\WINDOWS\system32\dllcache\dxtrans.dll + 2008-07-07 20:32:22 253,952 -c----w C:\WINDOWS\system32\dllcache\es.dll - 2008-04-23 04:16:28 133,120 -c--a-w C:\WINDOWS\system32\dllcache\extmgr.dll + 2008-06-23 16:57:27 133,120 -c--a-w 
C:\WINDOWS\system32\dllcache\extmgr.dll - 2008-04-23 04:16:28 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll + 2008-06-23 16:57:28 63,488 -c----w C:\WINDOWS\system32\dllcache\icardie.dll - 2008-04-22 07:39:58 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe + 2008-06-23 09:20:25 70,656 -c----w C:\WINDOWS\system32\dllcache\ie4uinit.exe - 2008-04-23 04:16:28 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll + 2008-06-23 16:57:29 153,088 -c----w C:\WINDOWS\system32\dllcache\ieakeng.dll - 2008-04-23 04:16:28 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll + 2008-06-23 16:57:29 230,400 -c----w C:\WINDOWS\system32\dllcache\ieaksie.dll - 2008-04-20 05:07:51 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll + 2008-06-21 05:23:54 161,792 -c----w C:\WINDOWS\system32\dllcache\ieakui.dll - 2008-04-23 04:16:28 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll + 2008-06-23 16:57:29 383,488 -c----w C:\WINDOWS\system32\dllcache\ieapfltr.dll - 2008-04-23 04:16:28 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll + 2008-06-23 16:57:29 384,512 -c----w C:\WINDOWS\system32\dllcache\iedkcs32.dll - 2008-04-23 04:16:28 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll + 2008-06-23 16:57:33 6,066,176 -c----w C:\WINDOWS\system32\dllcache\ieframe.dll - 2008-04-23 04:16:28 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll + 2008-06-23 16:57:33 44,544 -c----w C:\WINDOWS\system32\dllcache\iernonce.dll - 2008-04-23 04:16:28 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll + 2008-06-23 16:57:34 267,776 -c----w C:\WINDOWS\system32\dllcache\iertutil.dll - 2008-04-22 07:39:58 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe + 2008-06-23 09:20:26 13,824 -c----w C:\WINDOWS\system32\dllcache\ieudinit.exe - 2008-04-22 07:40:18 625,664 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe + 2008-06-23 09:20:52 625,664 -c----w C:\WINDOWS\system32\dllcache\iexplore.exe - 2007-08-21 06:15:44 683,520 -c----w 
C:\WINDOWS\system32\dllcache\inetcomm.dll + 2008-04-11 18:50:43 683,520 -c----w C:\WINDOWS\system32\dllcache\inetcomm.dll - 2008-04-23 04:16:28 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll + 2008-06-23 16:57:35 27,648 -c--a-w C:\WINDOWS\system32\dllcache\jsproxy.dll + 2008-06-24 16:23:05 74,240 -c----w C:\WINDOWS\system32\dllcache\mscms.dll - 2008-04-23 04:16:28 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll + 2008-06-23 16:57:36 459,264 -c----w C:\WINDOWS\system32\dllcache\msfeeds.dll - 2008-04-23 04:16:28 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll + 2008-06-23 16:57:36 52,224 -c----w C:\WINDOWS\system32\dllcache\msfeedsbs.dll - 2008-04-23 21:16:30 3,591,680 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll + 2008-06-24 09:57:40 3,592,192 -c--a-w C:\WINDOWS\system32\dllcache\mshtml.dll - 2008-04-23 04:16:28 478,208 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll + 2008-06-23 16:57:39 477,696 -c--a-w C:\WINDOWS\system32\dllcache\mshtmled.dll - 2008-04-23 04:16:28 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll + 2008-06-23 16:57:39 193,024 -c--a-w C:\WINDOWS\system32\dllcache\msrating.dll - 2008-04-23 04:16:28 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll + 2008-06-23 16:57:40 671,232 -c--a-w C:\WINDOWS\system32\dllcache\mstime.dll - 2008-04-23 04:16:28 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll + 2008-06-23 16:57:40 102,912 -c----w C:\WINDOWS\system32\dllcache\occache.dll - 2008-04-23 04:16:28 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll + 2008-06-23 16:57:40 44,544 -c--a-w C:\WINDOWS\system32\dllcache\pngfilt.dll - 2008-04-23 04:16:28 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll + 2008-06-23 16:57:40 105,984 -c----w C:\WINDOWS\system32\dllcache\url.dll - 2008-04-23 04:16:29 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll + 2008-06-23 16:57:40 1,159,680 -c--a-w C:\WINDOWS\system32\dllcache\urlmon.dll - 2008-04-23 04:16:29 233,472 -c----w 
C:\WINDOWS\system32\dllcache\webcheck.dll + 2008-06-23 16:57:41 233,472 -c----w C:\WINDOWS\system32\dllcache\webcheck.dll - 2008-04-23 04:16:29 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll + 2008-06-23 16:57:41 826,368 -c--a-w C:\WINDOWS\system32\dllcache\wininet.dll - 2008-04-23 04:16:28 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll + 2008-06-23 16:57:27 347,136 ----a-w C:\WINDOWS\system32\dxtmsft.dll - 2008-04-23 04:16:28 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll + 2008-06-23 16:57:27 214,528 ----a-w C:\WINDOWS\system32\dxtrans.dll - 2008-04-23 04:16:28 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll + 2008-06-23 16:57:27 133,120 ----a-w C:\WINDOWS\system32\extmgr.dll - 2008-04-23 04:16:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll + 2008-06-23 16:57:28 63,488 ----a-w C:\WINDOWS\system32\icardie.dll - 2008-04-22 07:39:58 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe + 2008-06-23 09:20:25 70,656 ----a-w C:\WINDOWS\system32\ie4uinit.exe - 2008-04-23 04:16:28 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll + 2008-06-23 16:57:29 153,088 ----a-w C:\WINDOWS\system32\ieakeng.dll - 2008-04-23 04:16:28 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll + 2008-06-23 16:57:29 230,400 ----a-w C:\WINDOWS\system32\ieaksie.dll - 2008-04-20 05:07:51 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll + 2008-06-21 05:23:54 161,792 ----a-w C:\WINDOWS\system32\ieakui.dll - 2008-04-23 04:16:28 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll + 2008-06-23 16:57:29 383,488 ----a-w C:\WINDOWS\system32\ieapfltr.dll - 2008-04-23 04:16:28 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll + 2008-06-23 16:57:29 384,512 ----a-w C:\WINDOWS\system32\iedkcs32.dll - 2008-04-23 04:16:28 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll + 2008-06-23 16:57:33 6,066,176 ----a-w C:\WINDOWS\system32\ieframe.dll - 2008-04-23 04:16:28 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll + 2008-06-23 16:57:33 44,544 ----a-w C:\WINDOWS\system32\iernonce.dll - 2008-04-23 04:16:28 267,776 ----a-w 
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 28, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 28, 2008 19:13:15
Records in database: 1157785
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
E:\

Scan statistics:
Files scanned: 52412
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 01:46:10

File name / Threat name / Threats count
C:\Documents and Settings\Andrew\Shared\running wild roxy music.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\QooBox\Quarantine\C\Program Files\Microsoft Common\wuauclt.exe.vir Infected: Trojan-Downloader.Win32.Agent.zxt 1
C:\QooBox\Quarantine\C\WINDOWS\system32\pphct2qj0eldp.exe.vir Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1

The selected area was scanned.
#10
Moderator, Analyst, Security Team
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP
Re: windows xp 2008 virus scan
Hello again
The reason for the late reply is due to the fact that I had already unsubscribed from this thread; I only have a certain amount of time and therefore can only have a certain number of active logs on the go at any one time.

Delete this file in red.

C:\Documents and Settings\Andrew\Shared\running wild roxy music.mp3

=========

I see you are running a registry cleaner. These programs can do more harm than good; see this blog by one of my colleagues.

http://miekiemoes.blogspot.com/2008/...eaking_13.html

Also, AVG Anti-Spyware will no longer be available from the end of this year, at least according to the current information: AVG Anti-Spyware is now incorporated into AVG8 and will no longer be offered as a stand-alone product.

=========

Well done, your logs are clean.

Click Start > Run > type (or copy/paste the command into the Run box):

ComboFix /u

Click OK.

==========

Clear IE7 cookies

* On the Internet Explorer 7 Tools menu, click Internet Options. The Internet Options box should open to the General tab.
* On the General tab, under Browsing History, click the Delete button. This will delete all the files that are currently stored in your cache (that includes cookies too).
* Click OK, and then click OK again.

Clear Firefox cookies/cache

• Select "Tools".
• Select "Options".
• Select "Privacy".
• In the "Settings" window put a check mark against Cookies, Cache, Browsing history and any others you want.
• Click OK.
• In the Private area click "Clear Now".

-------------------------------------------------------------------------------------------

MICROSOFT UPDATES

1. Click Start, Run, type sysdm.cpl, and then press OK.
2. Click the Automatic Updates tab, and then click to select one of the following options. We recommend that you select Automatic (recommended).

Microsoft updates are released every second Tuesday of each month, which is called "Patch Tuesday".

------------------------------------------------------------------------------------------

Useful Information and Programs to keep you safe.

TrendProtect is a FREE browser plug-in that helps you avoid Web pages with unwanted content and hidden threats. TrendProtect rates the current page and pages listed in Google, MSN, and Yahoo search results. You can use the rating to decide if you want to visit or avoid a given Web page. To rate Web pages, TrendProtect refers to an extensive database that covers the following information for billions of Web pages:

* Content category
* Phishing scam detection
* Site reputation
* Page reputation

WOT Free helps you avoid disingenuous Internet content by allowing you to learn from others' experiences. WOT shows you website reputations on your browser, telling you how much other users trust a website. This helps you make better decisions while browsing and avoid phishing, malware, and other types of fraud. Reputations can also be added to web search results, Gmail, Wikipedia, and other selected sites. WOT reputations are computed mainly from user testimonies. Sharing your knowledge with others is just a click away, without ever having to leave the site. We also collect data from hundreds of other sources (including PhishTank) to quickly warn you of emerging threats. Currently, WOT knows over 12 million websites.

Note: Only compatible with Firefox 1.5 and higher.

--------------------------------------------------------------------------------------

Alternate Browsers

Try the following free alternate browsers rather than Internet Explorer:

Avant
Firefox
Opera
K-Meleon

------------------------------------------------------------------------------------------

Free Antispyware Products

SuperAntiSpyware
Malwarebytes' Anti-Malware

------------------------------------------------------------------

IE-Spyad™ is a freeware utility that places more than 4000 dubious websites and domains in the Internet Explorer Restricted List.

Download and installation instructions for IE-Spyad™ Here

-----------------------------------------

The MVPS Hosts file replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is the IP of your local computer. Note that if you use a company-provided HOSTS file you should not use the MVPS HOSTS file.

If you're having trouble downloading & extracting, see the link below for guidance:
http://www.mvps.org/winhelp2002/hosts2.htm

Once you have extracted the hosts file, double-click on it and a new window will open. Double-click on mvps.bat and follow the prompts.

---------------------------------------------------------------

Winpatrol - Download and install the free version of Winpatrol. A tutorial for this product is located here: Using Winpatrol to protect your computer.

----------------------------------------

SnoopFree is a programme that informs you when another programme wants to log your keystrokes or read your screen. Only for XP users.

Update all these programs regularly. Without regular updates you will not be protected when new malicious programs are released.

==============================================

Also, please take a look at these well written articles:

PC Safety and Security--What Do I Need?
HOW DID I GET INFECTED IN THE FIRST PLACE? by Tony Klein
THE ANTI-SPYWARE TUTORIAL
MAKING INTERNET EXPLORER SAFER
Understanding and Using Firewalls

**Be very wary of any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

Please reply to this thread once more, so that we may mark this as resolved, thanks.
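How a log helper reads that Kaspersky table the way the moderator did, as an added example that is not code from the forum post, Kaspersky or ComboFix: it parses the detection rows and separates hits still live on disk (the .mp3 the reply says to delete) from copies ComboFix has already moved into C:\QooBox\Quarantine, which "ComboFix /u" discards. The quarantine layout (drive letter folder plus a ".vir" suffix) and the row pattern are assumptions taken from the paths visible in the report.

```python
import re
from dataclasses import dataclass

# One row of the report's "File name / Threat name / Threats count" table.
DETECTION_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<threat>\S+)\s+(?P<count>\d+)\s*$")

# ComboFix moves what it removes under this folder and appends ".vir" (layout as
# seen in the report above; assumed to hold for every quarantined entry).
QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"


@dataclass
class Detection:
    path: str
    threat: str
    count: int

    @property
    def quarantined(self) -> bool:
        """True when the hit is a neutralised copy inside ComboFix's quarantine."""
        low = self.path.lower()
        return low.startswith(QUARANTINE_PREFIX) and low.endswith(".vir")

    @property
    def original_path(self) -> str:
        """Where the file lived before ComboFix moved it (drive letter restored)."""
        if not self.quarantined:
            return self.path
        rest = self.path[len(QUARANTINE_PREFIX):]   # e.g. "C\\WINDOWS\\x.exe.vir"
        drive, _, tail = rest.partition("\\")
        return f"{drive}:\\{tail[:-len('.vir')]}"


def parse_report(text: str) -> list[Detection]:
    """Return every detection row in the report; headers and footers are skipped."""
    rows = []
    for line in text.splitlines():
        m = DETECTION_RE.match(line.strip())
        if m:
            rows.append(Detection(m["path"], m["threat"], int(m["count"])))
    return rows


def triage(detections: list[Detection]) -> dict[str, list[Detection]]:
    """Split hits into files still live on disk and files already quarantined."""
    return {
        "act_on": [d for d in detections if not d.quarantined],
        "already_quarantined": [d for d in detections if d.quarantined],
    }


# Sample input constructed from the three detection rows in the report above.
SAMPLE_REPORT = """\
File name / Threat name / Threats count
C:\\Documents and Settings\\Andrew\\Shared\\running wild roxy music.mp3 Infected: Trojan-Downloader.WMA.Wimad.n 1
C:\\QooBox\\Quarantine\\C\\Program Files\\Microsoft Common\\wuauclt.exe.vir Infected: Trojan-Downloader.Win32.Agent.zxt 1
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\pphct2qj0eldp.exe.vir Infected: not-a-virus:FraudTool.Win32.MalwareProtector.d 1
The selected area was scanned.
"""

if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    for d in result["act_on"]:
        print(f"DELETE      {d.path}  [{d.threat}]")
    for d in result["already_quarantined"]:
        print(f"QUARANTINED {d.original_path}  [{d.threat}]  (gone once ComboFix /u runs)")
```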