08-10-2008, 11:08 PM   #1
Registered User
Join Date: Aug 2008
Posts: 6
OS: Win XP

Blue Desktop with spyware detected - appears to be Smitfraud?

Hi,

I turned on my computer on Friday having left it so my housemates could use it (mistake...) and the desktop has changed to a blue background with yellow text that reads "Warning, Spyware detected on your computer, install an antivirus or spyware remover to clean your computer" and a bunch of icons had appeared.

I left them well alone, and ran a selection of antivirus packages - Spybot Search and Destroy, Lavasoft Ad-Aware, and McAfee Virusscan. That picked up a fistful of things, which I deleted/cleaned etc. Mostly they were just suspicious cookies, but there was one at the bottom called Zlob?

Anyway, if I right-click the desktop and select properties, I am still missing the tab to change the desktop background and possibly a few others - this implies to me I still have a problem.

Any help would be much appreciated, I have run Deckard's and the main.txt is below, the extra.txt is attached. I have also run Pandascan and can attach the output from that if it would help?

Many thanks

-Shirt



Deckard's System Scanner v20071014.68
Run by Tom on 2008-08-10 21:19:51
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 3 Restore Point(s) --
3: 2008-08-10 20:20:04 UTC - RP1369 - Deckard's System Scanner Restore Point
2: 2008-08-08 16:26:22 UTC - RP1368 - Installed Ad-Aware
1: 2008-08-07 19:35:58 UTC - RP1367 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

System Drive H: has 3.35 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-08-10 21:22:08
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (7.00.5730.11)
Boot mode: Normal

Running processes:
H:\WINDOWS\system32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
H:\WINDOWS\system32\spoolsv.exe
H:\WINDOWS\explorer.exe
H:\Program Files\MSI\Live Update 3\LMonitor.exe
H:\Program Files\D-Tools\daemon.exe
H:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
H:\Program Files\Network Associates\VirusScan\shstat.exe
H:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\system32\rundll32.exe
H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
H:\Program Files\QuickTime\qttask.exe
H:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe
H:\WINDOWS\system32\rundll32.exe
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
H:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe
H:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
H:\Program Files\Common Files\Teleca Shared\Generic.exe
H:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe
H:\Program Files\Network Associates\Common Framework\FrameworkService.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\Network Associates\VirusScan\Mcshield.exe
H:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
H:\WINDOWS\system32\nvsvc32.exe
H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
H:\WINDOWS\system32\svchost.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Documents and Settings\Tom\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vqtujiodkrrcwb.net/TfLrbs...g8k_ckKi8.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7DECFBB5-90B2-41AB-9955-6B773FC06C49} - H:\WINDOWS\system32\odbccp42.dll
O2 - BHO: (no name) - {C5FA80B2-6916-C4C1-1F63-760991C73CA3} - H:\DOCUME~1\Tom\APPLIC~1\FASTSE~1\First Htm.exe (file missing)
O4 - HKLM\..\Run: [NVCLOCK] Rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [LiveMonitor] H:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Each Less Mode Mp3] H:\Documents and Settings\All Users\Application Data\CashAtomEachLess\Jugstwo.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "H:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "H:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Bonemetaviewplan] H:\Documents and Settings\All Users\Application Data\GridPartBoneMeta\ForkWarn.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "H:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "H:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [EPSON Stylus D78 Series] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "H:\WINDOWS\TEMP\E_S8B.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [lphc9mpj0ej4a] H:\WINDOWS\system32\lphc9mpj0ej4a.exe
O4 - HKLM\..\Run: [H:\WINDOWS\system32\kdxsm.exe] H:\WINDOWS\system32\kdxsm.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mags up] H:\DOCUME~1\Tom\APPLIC~1\BINPUR~1\plan cool.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: 3D!Turbo Experience.lnk = H:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Copy to Semagic - H:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - H:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: H:\WINDOWS\system32\nwprovau.dll
O16 - DPF: {00000045-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/sg726acm.cab
O16 - DPF: {00000055-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/fhg.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get.../ultrashim.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.co...194.2193402778
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - H:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - H:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
O18 - Protocol: mso-offdap - {3D9F03FA-7A94-11D3-BE81-0050048385D1} - H:\Program Files\Common Files\Microsoft Shared\Web Components\10\OWC10.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - H:\Program Files\Common Files\Skype\Skype4COM.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - H:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - H:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - H:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - H:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe


--
End of file - 9617 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - H:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "H:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 d346bus - h:\windows\system32\drivers\d346bus.sys
R0 d346prt - h:\windows\system32\drivers\d346prt.sys
R0 Lor02 - h:\windows\system32\drivers\lor02.sys
R1 NaiAvTdi1 - h:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>
R3 EntDrv51 - h:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
R3 NaiAvFilter1 - h:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>
R3 tcpsr - h:\windows\system32\drivers\tcpsr.sys (file missing)

S1 InCDPass - h:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - h:\windows\system32\drivers\incdrm.sys (file missing)
S3 CoachUsb (Dual Mode Digital Camera on USB) - h:\windows\system32\drivers\coachusb.sys <Not Verified; Accapella Ltd.; USB Driver for Digital Camera>
S3 Dual Mode (Dual Mode Video Capture) - h:\windows\system32\drivers\coachvc.sys <Not Verified; Accapella Ltd.; Video Capture Minidriver for Digital Camera>
S3 ENTECH - h:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 GMSIPCI - g:\install\gmsipci.sys (file missing)
S3 w800mdfl (Sony Ericsson W800 USB WMC Modem Filter) - h:\windows\system32\drivers\w800mdfl.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC Modem Filter Driver>
S3 w800mdm (Sony Ericsson W800 USB WMC Modem Drivers) - h:\windows\system32\drivers\w800mdm.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC Modem>
S3 w800mgmt (Sony Ericsson W800 USB WMC Device Management Drivers) - h:\windows\system32\drivers\w800mgmt.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC Device Management>
S3 w800obex (Sony Ericsson W800 USB WMC OBEX Interface Drivers) - h:\windows\system32\drivers\w800obex.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC OBEX Interface>
S4 InCDFs (InCD File System) - h:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 McAfeeFramework (McAfee Framework Service) - h:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "h:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {71A27CDD-812A-11D0-BEC7-08002BE2092F}
Description: Generic volume
Device ID: STORAGE\REMOVABLEMEDIA\7&23533C57&0&RM
Manufacturer: Microsoft
Name: Generic volume
PNP Device ID: STORAGE\REMOVABLEMEDIA\7&23533C57&0&RM
Service:

Class GUID: {71A27CDD-812A-11D0-BEC7-08002BE2092F}
Description: Generic volume
Device ID: STORAGE\REMOVABLEMEDIA\7&4628B9&0&RM
Manufacturer: Microsoft
Name: Generic volume
PNP Device ID: STORAGE\REMOVABLEMEDIA\7&4628B9&0&RM
Service:

Class GUID: {71A27CDD-812A-11D0-BEC7-08002BE2092F}
Description: Generic volume
Device ID: STORAGE\REMOVABLEMEDIA\7&22C50E9A&0&RM
Manufacturer: Microsoft
Name: Generic volume
PNP Device ID: STORAGE\REMOVABLEMEDIA\7&22C50E9A&0&RM
Service:

Class GUID: {71A27CDD-812A-11D0-BEC7-08002BE2092F}
Description: Generic volume
Device ID: STORAGE\REMOVABLEMEDIA\7&E1800B&0&RM
Manufacturer: Microsoft
Name: Generic volume
PNP Device ID: STORAGE\REMOVABLEMEDIA\7&E1800B&0&RM
Service:


-- Scheduled Tasks -------------------------------------------------------------

2008-08-08 18:00:00 226 --ah----- H:\WINDOWS\Tasks\972366CBA28CE567.job
2008-08-08 18:00:00 252 --ah----- H:\WINDOWS\Tasks\889BB40D85202CE1.job


-- Files created between 2008-07-10 and 2008-08-10 -----------------------------

2008-08-08 17:28:02 0 d-------- H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-08 17:26:24 0 d-------- H:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-08 17:25:41 0 d-------- H:\Program Files\Common Files\Wise Installation Wizard
2008-08-08 1729 150 --a------ H:\WINDOWS\iexplorer.exe
2008-08-08 1724 173056 --a------ H:\WINDOWS\msauc.exe
2008-08-08 1720 30848 --a------ H:\WINDOWS\system32\drivers\Lor02.sys


-- Find3M Report ---------------------------------------------------------------

2008-08-08 17:26:26 0 d-------- H:\Program Files\Lavasoft
2008-08-08 17:25:41 0 d-------- H:\Program Files\Common Files
2008-07-11 20:13:16 0 d-------- H:\Program Files\Java
2008-07-05 00:01:22 0 d-------- H:\Documents and Settings\Tom\Application Data\Skype
2008-06-25 20:55:50 0 d-------- H:\Program Files\eMule
2008-05-17 15:21:40 133120 --a------ H:\WINDOWS\system32\zip32.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DECFBB5-90B2-41AB-9955-6B773FC06C49}]
20/01/2006 23:09 23833 --a------ H:\WINDOWS\system32\odbccp42.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5FA80B2-6916-C4C1-1F63-760991C73CA3}]
H:\DOCUME~1\Tom\APPLIC~1\FASTSE~1\First Htm.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVCLOCK"="nvclock.dll" [14/04/2003 02:59 H:\WINDOWS\system32\nvclock.dll]
"LiveMonitor"="H:\Program Files\MSI\Live Update 3\LMonitor.exe" [27/10/2003 15:16]
"DAEMON Tools-1033"="H:\Program Files\D-Tools\daemon.exe" [12/03/2004 22:43]
"Each Less Mode Mp3"="H:\Documents and Settings\All Users\Application Data\CashAtomEachLess\Jugstwo.exe" []
"McAfeeUpdaterUI"="H:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [18/09/2003 02:01]
"ShStatEXE"="H:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [18/08/2004 08:00]
"NvCplDaemon"="H:\WINDOWS\System32\NvCpl.dll" [24/09/2003 12:32]
"nwiz"="nwiz.exe" [24/09/2003 12:32 H:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"Bonemetaviewplan"="H:\Documents and Settings\All Users\Application Data\GridPartBoneMeta\ForkWarn.exe" []
"iTunesHelper"="H:\Program Files\iTunes\iTunesHelper.exe" [23/02/2006 16:45]
"P17Helper"="P17.dll" [03/05/2005 20:38 H:\WINDOWS\system32\P17.dll]
"WMC_AutoUpdate"="" []
"NeroFilterCheck"="H:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50]
"Adobe Photo Downloader"="H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [07/06/2005 00:46]
"QuickTime Task"="H:\Program Files\QuickTime\qttask.exe" [01/09/2006 15:57]
"Sony Ericsson PC Suite"="H:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [13/06/2007 09:16]
"EPSON Stylus D78 Series"="H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.exe" [23/02/2006 05:00]
"lphc9mpj0ej4a"="H:\WINDOWS\system32\lphc9mpj0ej4a.exe" []
"H:\WINDOWS\system32\kdxsm.exe"="H:\WINDOWS\system32\kdxsm.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="H:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [04/08/2004 01:56]
"mags up"="H:\DOCUME~1\Tom\APPLIC~1\BINPUR~1\plan cool.exe" []
"SpybotSD TeaTimer"="H:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [07/07/2008 09:42]

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\
3D!Turbo Experience.lnk - H:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe [26/07/2004 13:07:35]
Adobe Gamma Loader.lnk - H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [03/08/2004 17:45:56]
Adobe Reader Speed Launch.lnk - H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
InterVideo WinCinema Manager.lnk - H:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [27/07/2004 13:33:35]
Microsoft Office.lnk - H:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 01:01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"="kdxsm.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lor02.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - ENTDRV51
*Newly Created Service* - VGAUTI



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8972 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-10 21:25:14 ------------
Attached: extra.txt (22.0 KB)
Posted by -Shirt
08-12-2008, 03:13 PM   #2
Registered User
Join Date: Aug 2008
Posts: 6
OS: Win XP

Re: Blue Desktop with "spyware detected" - appears to be Smitfraud?

OK, don't worry about it.

Did a system restore, then ran MalwareBytes Anti-Malware, followed by a Panda scan and then Spybot Search and Destroy.

Those no longer show anything as a threat, I'm going to run another online scan (Kaspersky or similar) overnight.

Got the pointers from other threads, so please keep posting because this forum is a hell of a lot of help! :)
Posted by -Shirt
08-13-2008, 07:52 AM   #3
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,555
OS: WinXP and Vista

Re: Blue Desktop with "spyware detected" - appears to be Smitfraud?

Hello -Shirt.

I see some infections on there that I'm not sure any of the tools you ran would have taken care of.

Download fl.zip
  • Extract the contents of the fl.zip to a new folder on Desktop.
  • Within the folder, locate & double-click fl.bat.
  • It should produce a report at c:\findlop.txt. Post the contents of the report in your next reply.
----------------------------------------------------------------------

I'd also like to see a fresh main.txt and the results of your Panda scan.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Posted by Ried
08-14-2008, 02:21 PM   #4
Registered User
Join Date: Aug 2008
Posts: 6
OS: Win XP

Re: [SOLVED] Blue Desktop with "spyware detected" - appears to be Smitfraud

Hi Ried,

sorry for the delay, I've been away from my computer.

Findlop.txt below, Panda scan is attached. On the basis of this stickied thread I haven't run Deckard's.

Thanks

-Shirt



Volume in drive H is Bruce
Volume Serial Number is 9439-7155

Directory of H:\Documents and Settings\All Users\Application Data

09/12/2007 10:17 <DIR> Adobe
23/08/2006 18:00 <DIR> Ahead
10/06/2007 08:52 <DIR> Apple Computer
17/10/2005 23:34 <DIR> CashAtomEachLess
19/10/2005 17:46 <DIR> GridPartBoneMeta
12/08/2008 07:12 <DIR> Lavasoft
03/08/2004 17:46 <DIR> Macrovision
12/08/2008 17:09 <DIR> Malwarebytes
16/12/2004 18:45 <DIR> MSN6
07/05/2007 22:07 <DIR> MumboJumbo
10/10/2004 16:30 <DIR> Network Associates
19/10/2005 17:37 <DIR> New Folder
30/07/2004 15:02 <DIR> nView_Profiles
11/01/2006 20:17 <DIR> Pinnacle
07/12/2006 22:50 2,925 QTSBandwidthCache
27/07/2004 19:26 <DIR> QuickTime
04/01/2007 18:36 <DIR> shockwave.com
28/03/2007 21:08 <DIR> Skype
09/11/2007 11:24 <DIR> Sony Ericsson
12/08/2008 20:51 <DIR> Spybot - Search & Destroy
10/10/2004 16:29 <DIR> Symantec
09/11/2007 11:24 <DIR> Teleca
07/05/2007 22:07 <DIR> Trymedia
18/08/2005 23:46 <DIR> Windows Genuine Advantage
1 File(s) 2,925 bytes
23 Dir(s) 3,900,993,536 bytes free
Volume in drive H is Bruce
Volume Serial Number is 9439-7155

Directory of H:\Documents and Settings\Tom\Application Data

17/02/2008 20:35 <DIR> Adobe
15/03/2007 20:42 <DIR> AdobeAUM
20/05/2007 19:27 <DIR> AdobeUM
29/10/2006 08:41 <DIR> Ahead
16/03/2006 08:48 <DIR> Apple Computer
30/11/2006 21:37 <DIR> Arcsoft
19/10/2005 17:45 <DIR> BinPureName
28/07/2004 22:23 <DIR> CoffeeCup Software
13/02/2005 19:35 <DIR> DVD Shrink
11/06/2005 10:33 39 EV Nova License.lcs
01/06/2006 20:59 140 EV Nova Prefs.prf
30/09/2007 22:25 <DIR> Gamelab
02/01/2007 20:21 66,680 GDIPFONTCACHEV1.DAT
23/08/2004 15:28 <DIR> GetBot
30/07/2004 03:37 <DIR> Help
26/07/2004 12:41 <DIR> Identities
26/07/2004 13:06 <DIR> InterTrust
27/07/2004 13:34 <DIR> InterVideo
09/10/2006 20:25 <DIR> Lavasoft
24/03/2007 23:06 <DIR> Leadertech
27/06/2005 15:57 <DIR> Macromedia
12/08/2008 17:09 <DIR> Malwarebytes
07/05/2006 20:25 <DIR> Media Player Classic
28/07/2004 22:12 <DIR> Mozilla
16/12/2004 18:46 <DIR> MSN6
19/11/2004 03:06 <DIR> Real
04/01/2007 18:36 <DIR> shockwave.com
05/07/2008 00:01 <DIR> Skype
23/06/2006 17:04 <DIR> SmartFTP
09/11/2007 11:24 <DIR> Sony Ericsson
09/11/2007 10:57 <DIR> Sony Setup
07/01/2005 17:54 <DIR> Sun
28/07/2004 22:12 <DIR> Talkback
10/11/2007 08:55 <DIR> Teleca
29/07/2004 10:00 <DIR> Thunderbird
3 File(s) 66,859 bytes
32 Dir(s) 3,900,993,536 bytes free
Volume in drive H is Bruce
Volume Serial Number is 9439-7155

Directory of H:\Documents and Settings\Default User\Application Data

26/07/2004 20:22 <DIR> .
26/07/2004 20:22 <DIR> ..
26/07/2004 20:22 62 desktop.ini
1 File(s) 62 bytes
2 Dir(s) 3,900,993,536 bytes free
Volume in drive H is Bruce
Volume Serial Number is 9439-7155

Directory of H:\Documents and Settings\LocalService\Application Data

Volume in drive H is Bruce
Volume Serial Number is 9439-7155

Directory of H:\Documents and Settings\NetworkService\Application Data

[TRACE] Enumerating jobs and queues
[TRACE] Activating job '889BB40D85202CE1.job'
[TRACE] Printing all job properties

ApplicationName: 'h:\docume~1\tom\applic~1\binpur~1\FlawFunkDeaf.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Tom'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 10/17/2005 23:00:00
NextRun: 08/14/2008 18:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/25/2000
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job '972366CBA28CE567.job'
[TRACE] Printing all job properties

ApplicationName: 'h:\progra~1\binpur~1\FlawFunkDeaf.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'Tom'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 12/16/2004 17:00:00
NextRun: 08/14/2008 18:00:00
StartError: 0x80070002
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 06/04/1998
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0
Attached: PandaScan4.txt (38.2 KB)
Posted by -Shirt
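The fl.bat listing above shows why tasks like these survive several antivirus passes: both .job files are flagged Hidden (so they do not appear in the Scheduled Tasks folder by default), are named with 16 hex digits instead of a description, point into the BinPureName folder, and report StartError 0x80070002 (the target executable is already gone, but the task stays and is rescheduled every day). As an added example (not part of the original post, and not code from the fl.zip tool), here is a Python parser for that job-dump format that flags tasks with those properties. The sample input is the two records above trimmed to the fields the parser reads, plus one made-up benign job ("Nightly Backup.job", hypothetical) for contrast; the signal rules are the editor's own.

```python
import re

# Constructed sample: the two hidden jobs from the fl.bat output posted above,
# trimmed to the fields this triage reads, plus one made-up benign job
# ("Nightly Backup.job", hypothetical) for contrast.
SAMPLE_JOBS = r"""
[TRACE] Enumerating jobs and queues
[TRACE] Activating job '889BB40D85202CE1.job'
[TRACE] Printing all job properties

ApplicationName: 'h:\docume~1\tom\applic~1\binpur~1\FlawFunkDeaf.exe'
Parameters: ''
Creator: 'Tom'
MostRecentRun: 10/17/2005 23:00:00
NextRun: 08/14/2008 18:00:00
StartError: 0x80070002
Status: SCHED_S_TASK_READY
RunOnlyIfLoggedOn = 1
Hidden = 1

1 Trigger

Trigger 0:
Type: Daily

[TRACE] Activating job '972366CBA28CE567.job'
[TRACE] Printing all job properties

ApplicationName: 'h:\progra~1\binpur~1\FlawFunkDeaf.exe'
Parameters: ''
Creator: 'Tom'
MostRecentRun: 12/16/2004 17:00:00
NextRun: 08/14/2008 18:00:00
StartError: 0x80070002
Status: SCHED_S_TASK_READY
RunOnlyIfLoggedOn = 1
Hidden = 1

[TRACE] Activating job 'Nightly Backup.job'
[TRACE] Printing all job properties

ApplicationName: 'h:\program files\acme backup\backup.exe'
Parameters: '/quiet'
Creator: 'Tom'
StartError: 0x00000000
Status: SCHED_S_TASK_READY
Hidden = 0
"""

JOB_RE = re.compile(r"^\[TRACE\] Activating job '(?P<job>[^']+)'")
FIELD_RE = re.compile(r"^(?P<key>\w+)(?:: | = )(?P<val>.*)$")   # "Key: value" or "Flag = n"
APPDATA_RE = re.compile(r'\\(application data|applic~1)\\', re.I)
HEX_NAME_RE = re.compile(r'^[0-9A-Fa-f]{16}$')
ERROR_FILE_NOT_FOUND = 0x80070002      # HRESULT form of Win32 ERROR_FILE_NOT_FOUND


def parse_jobs(text):
    """Turn the [TRACE] job listing into one dict per .job (first value of each field wins)."""
    jobs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = JOB_RE.match(line)
        if m:
            cur = {'job': m.group('job')}
            jobs.append(cur)
            continue
        if cur is None or not line or line.startswith('[TRACE]'):
            continue
        m = FIELD_RE.match(line)
        if m and m.group('key') not in cur:
            cur[m.group('key')] = m.group('val').strip("'")
    return jobs


def job_signals(job):
    """Reasons a task looks like adware persistence rather than an installed product's task."""
    signals = []
    app = job.get('ApplicationName', '')
    if job.get('Hidden') == '1':
        signals.append('Hidden flag set: not shown in the Scheduled Tasks folder by default')
    if APPDATA_RE.search(app):
        signals.append('target lives under a per-user Application Data folder')
    if HEX_NAME_RE.match(job['job'].rsplit('.', 1)[0]):
        signals.append('job name is a bare 16-hex-digit string, not a task description')
    if int(job.get('StartError', '0'), 16) == ERROR_FILE_NOT_FOUND:
        signals.append('last start failed with ERROR_FILE_NOT_FOUND: target is gone but the task persists')
    return signals


def triage_jobs(text):
    """Map each suspicious .job name to its list of signals."""
    findings = {}
    for job in parse_jobs(text):
        signals = job_signals(job)
        if signals:
            findings[job['job']] = signals
    return findings


if __name__ == '__main__':
    for name, why in triage_jobs(SAMPLE_JOBS).items():
        print(name)
        for reason in why:
            print('  -', reason)
```

A task whose target no longer exists is harmless today but is a loose end: if a future reinfection drops a file at the same path, the existing hidden job will launch it on schedule. That is why a cleanup removes the .job files as well as the folders they pointed at.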
08-14-2008, 08:03 PM   #5
Ried, Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,555
OS: WinXP and Vista

Re: Blue Desktop with spyware detected - appears to be Smitfraud?

Hello -Shirt,

I'm glad to see you reading.

It's ok for you to run dss.exe again as you do not have the particular rootkit that is causing issues.

To save some time, let's take care of the remaining LOP infection first, then I'll need a new main.txt to ensure the rest of the infections I saw are indeed neutralized.

Using 'My Computer', navigate to and delete the following Files and Folders (Right click and select 'Delete'):

H:\Documents and Settings\All Users\Application Data\CashAtomEachLess
H:\Documents and Settings\All Users\Application Data\GridPartBoneMeta
H:\Documents and Settings\Tom\Application Data\BinPureName
H:\Program Files\BinPureName
H:\Program Files\Rippackv3\Logiciels\codec\DivX5.02\DivXPro502GAINBundle.exe
I:\DVD Ripping\Rippackv3beta161.exe

--------------------------------------------------------------------

Click on the Start>Run

Type in tasks & click Ok

In the ensuing window, click on the 'Advanced' menu (located above) & select 'View Hidden Tasks'

Delete these hidden jobs:

889BB40D85202CE1.job
972366CBA28CE567.job


--------------------------------------------------

Please run a new scan with dss.exe and post a fresh main.txt.
Posted by Ried
08-14-2008, 11:54 PM   #6
Registered User
Join Date: Aug 2008
Posts: 6
OS: Win XP

Re: Blue Desktop with spyware detected - appears to be Smitfraud?

Hi Ried,

Zapped the relevant folders; main.txt is below and extra.txt is attached (in case it's useful).

Thanks



Deckard's System Scanner v20071014.68
Run by Tom on 2008-08-15 06:48:16
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
9: 2008-08-15 05:48:22 UTC - RP1375 - Deckard's System Scanner Restore Point
8: 2008-08-14 05:33:23 UTC - RP1374 - System Checkpoint
7: 2008-08-12 22:10:29 UTC - RP1373 - Restore Operation
6: 2008-08-12 22:04:58 UTC - RP1372 - Restore Operation
5: 2008-08-12 21:05:17 UTC - RP1371 - After removal of worm/smitfraud/XPantivirus08/etc!


-- First Restore Point --
1: 2008-08-07 19:35:58 UTC - RP1367 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Percentage of Memory in Use: 86% (more than 75%).
System Drive H: has 3.6 GiB (less than 15%) free.


-- HijackThis (run as Tom.exe) -------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:50:28, on 15/08/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
H:\WINDOWS\System32\smss.exe
H:\WINDOWS\system32\winlogon.exe
H:\WINDOWS\system32\services.exe
H:\WINDOWS\system32\lsass.exe
H:\WINDOWS\system32\svchost.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\system32\spoolsv.exe
H:\Program Files\Network Associates\Common Framework\FrameworkService.exe
H:\Program Files\Network Associates\VirusScan\Mcshield.exe
H:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
H:\WINDOWS\System32\nvsvc32.exe
H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
H:\WINDOWS\System32\svchost.exe
H:\WINDOWS\Explorer.EXE
H:\Program Files\MSI\Live Update 3\LMonitor.exe
H:\Program Files\D-Tools\daemon.exe
H:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
H:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
H:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
H:\Program Files\iTunes\iTunesHelper.exe
H:\WINDOWS\system32\Rundll32.exe
H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
H:\WINDOWS\system32\RUNDLL32.EXE
H:\WINDOWS\system32\ctfmon.exe
H:\Program Files\iPod\bin\iPodService.exe
H:\Program Files\Mozilla Firefox\firefox.exe
H:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe
H:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
H:\Documents and Settings\Tom\Desktop\dss.exe
H:\PROGRA~1\TRENDM~1\HIJACK~1\Tom.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.vqtujiodkrrcwb.net/TfLrbs...g8k_ckKi8.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {C5FA80B2-6916-C4C1-1F63-760991C73CA3} - H:\DOCUME~1\Tom\APPLIC~1\FASTSE~1\First Htm.exe (file missing)
O4 - HKLM\..\Run: [NVCLOCK] Rundll32 nvclock.dll,fnNvclock
O4 - HKLM\..\Run: [LiveMonitor] H:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Each Less Mode Mp3] H:\Documents and Settings\All Users\Application Data\CashAtomEachLess\Jugstwo.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "H:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [ShStatEXE] "H:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE H:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] "H:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [Bonemetaviewplan] H:\Documents and Settings\All Users\Application Data\GridPartBoneMeta\ForkWarn.exe
O4 - HKLM\..\Run: [iTunesHelper] "H:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [NeroFilterCheck] H:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [EPSON Stylus D78 Series] H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.EXE /FU "H:\WINDOWS\TEMP\E_S8B.tmp" /EF "HKLM"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE H:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [mags up] H:\DOCUME~1\Tom\APPLIC~1\BINPUR~1\plan cool.exe
O4 - Global Startup: 3D!Turbo Experience.lnk = H:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = H:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Microsoft Office.lnk = H:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Copy to Semagic - H:\Program Files\Semagic\copy.htm
O8 - Extra context menu item: Semagic - H:\Program Files\Semagic\link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - H:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - H:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - H:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: h:\windows\system32\nwprovau.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - H:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - H:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - H:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - H:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - H:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - H:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - H:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - H:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - H:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7512 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - H:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "H:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"
.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 d346bus - h:\windows\system32\drivers\d346bus.sys
R0 d346prt - h:\windows\system32\drivers\d346prt.sys
R1 NaiAvTdi1 - h:\windows\system32\drivers\mvstdi5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>
R3 EntDrv51 - h:\windows\system32\drivers\entdrv51.sys <Not Verified; Network Associates, Inc; Virus Scan Enterprise, Entercept>
R3 NaiAvFilter1 - h:\windows\system32\drivers\naiavf5x.sys <Not Verified; Network Associates, Inc.; VirusScan (Enterprise, ASaP & Retail.)>

S1 InCDPass - h:\windows\system32\drivers\incdpass.sys (file missing)
S1 InCDRm (InCD Reader) - h:\windows\system32\drivers\incdrm.sys (file missing)
S3 CoachUsb (Dual Mode Digital Camera on USB) - h:\windows\system32\drivers\coachusb.sys <Not Verified; Accapella Ltd.; USB Driver for Digital Camera>
S3 Dual Mode (Dual Mode Video Capture) - h:\windows\system32\drivers\coachvc.sys <Not Verified; Accapella Ltd.; Video Capture Minidriver for Digital Camera>
S3 ENTECH - h:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 GMSIPCI - g:\install\gmsipci.sys (file missing)
S3 w800mdfl (Sony Ericsson W800 USB WMC Modem Filter) - h:\windows\system32\drivers\w800mdfl.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC Modem Filter Driver>
S3 w800mdm (Sony Ericsson W800 USB WMC Modem Drivers) - h:\windows\system32\drivers\w800mdm.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC Modem>
S3 w800mgmt (Sony Ericsson W800 USB WMC Device Management Drivers) - h:\windows\system32\drivers\w800mgmt.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC Device Management>
S3 w800obex (Sony Ericsson W800 USB WMC OBEX Interface Drivers) - h:\windows\system32\drivers\w800obex.sys <Not Verified; MCCI; Sony Ericsson W800 USB WMC OBEX Interface>
S4 InCDFs (InCD File System) - h:\windows\system32\drivers\incdfs.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 McAfeeFramework (McAfee Framework Service) - h:\program files\network associates\common framework\frameworkservice.exe /servicestart <Not Verified; Network Associates, Inc.; McAfee Common Framework>
R2 McTaskManager (Network Associates Task Manager) - "h:\program files\network associates\virusscan\vstskmgr.exe" <Not Verified; Network Associates, Inc.; VirusScan Enterprise>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {71A27CDD-812A-11D0-BEC7-08002BE2092F}
Description: Generic volume
Device ID: STORAGE\REMOVABLEMEDIA\7&23533C57&0&RM
Manufacturer: Microsoft
Name: Generic volume
PNP Device ID: STORAGE\REMOVABLEMEDIA\7&23533C57&0&RM
Service:

Class GUID: {71A27CDD-812A-11D0-BEC7-08002BE2092F}
Description: Generic volume
Device ID: STORAGE\REMOVABLEMEDIA\7&4628B9&0&RM
Manufacturer: Microsoft
Name: Generic volume
PNP Device ID: STORAGE\REMOVABLEMEDIA\7&4628B9&0&RM
Service:

Class GUID: {71A27CDD-812A-11D0-BEC7-08002BE2092F}
Description: Generic volume
Device ID: STORAGE\REMOVABLEMEDIA\7&22C50E9A&0&RM
Manufacturer: Microsoft
Name: Generic volume
PNP Device ID: STORAGE\REMOVABLEMEDIA\7&22C50E9A&0&RM
Service:

Class GUID: {71A27CDD-812A-11D0-BEC7-08002BE2092F}
Description: Generic volume
Device ID: STORAGE\REMOVABLEMEDIA\7&E1800B&0&RM
Manufacturer: Microsoft
Name: Generic volume
PNP Device ID: STORAGE\REMOVABLEMEDIA\7&E1800B&0&RM
Service:


-- Files created between 2008-07-15 and 2008-08-15 -----------------------------

2008-08-13 18:54:34 0 d-------- H:\Documents and Settings\Tom\.housecall6.6
2008-08-12 22:05:12 11534336 --a------ H:\Documents and Settings\Tom\ntuser.dat
2008-08-12 22:05:11 233472 --a------ H:\Documents and Settings\LocalService\ntuser.dat
2008-08-12 22:01:08 0 d-------- H:\Incoming
2008-08-12 17:09:29 0 d-------- H:\Documents and Settings\Tom\Application Data\Malwarebytes
2008-08-12 17:09:22 0 d-------- H:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-12 17:09:21 0 d-------- H:\Program Files\Malwarebytes' Anti-Malware
2008-08-11 06:28:35 0 d-------- H:\Program Files\Trend Micro
2008-08-10 21:39:07 0 d-------- H:\Program Files\Panda Security
2008-08-08 17:28:02 0 d-------- H:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-08 17:26:24 0 d-------- H:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-08 1720 0 --a------ H:\WINDOWS\system32\drivers\Lor02.sys


-- Find3M Report ---------------------------------------------------------------

2008-08-08 17:26:26 0 d-------- H:\Program Files\Lavasoft
2008-08-08 17:25:41 0 d-------- H:\Program Files\Common Files
2008-07-11 20:13:16 0 d-------- H:\Program Files\Java
2008-07-05 00:01:22 0 d-------- H:\Documents and Settings\Tom\Application Data\Skype
2008-05-17 15:21:40 133120 --a------ H:\WINDOWS\system32\zip32.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C5FA80B2-6916-C4C1-1F63-760991C73CA3}]
H:\DOCUME~1\Tom\APPLIC~1\FASTSE~1\First Htm.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVCLOCK"="nvclock.dll" [14/04/2003 02:59 H:\WINDOWS\system32\nvclock.dll]
"LiveMonitor"="H:\Program Files\MSI\Live Update 3\LMonitor.exe" [27/10/2003 15:16]
"DAEMON Tools-1033"="H:\Program Files\D-Tools\daemon.exe" [12/03/2004 22:43]
"Each Less Mode Mp3"="H:\Documents and Settings\All Users\Application Data\CashAtomEachLess\Jugstwo.exe" []
"McAfeeUpdaterUI"="H:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [18/09/2003 02:01]
"ShStatEXE"="H:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [18/08/2004 08:00]
"NvCplDaemon"="H:\WINDOWS\System32\NvCpl.dll" [24/09/2003 12:32]
"nwiz"="nwiz.exe" [24/09/2003 12:32 H:\WINDOWS\system32\nwiz.exe]
"SunJavaUpdateSched"="H:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [10/06/2008 04:27]
"Bonemetaviewplan"="H:\Documents and Settings\All Users\Application Data\GridPartBoneMeta\ForkWarn.exe" []
"iTunesHelper"="H:\Program Files\iTunes\iTunesHelper.exe" [23/02/2006 16:45]
"P17Helper"="P17.dll" [03/05/2005 20:38 H:\WINDOWS\system32\P17.dll]
"WMC_AutoUpdate"="" []
"NeroFilterCheck"="H:\WINDOWS\system32\NeroCheck.exe" [09/07/2001 10:50]
"Adobe Photo Downloader"="H:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [07/06/2005 00:46]
"EPSON Stylus D78 Series"="H:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBGE.exe" [23/02/2006 05:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="H:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit" []
"ctfmon.exe"="H:\WINDOWS\system32\ctfmon.exe" [04/08/2004 01:56]
"mags up"="H:\DOCUME~1\Tom\APPLIC~1\BINPUR~1\plan cool.exe" []

H:\Documents and Settings\All Users\Start Menu\Programs\Startup\
3D!Turbo Experience.lnk - H:\Program Files\MSI\3D!Turbo Experience\3D!Turbo.exe [26/07/2004 13:07:35]
Adobe Gamma Loader.lnk - H:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [03/08/2004 17:45:56]
Adobe Reader Speed Launch.lnk - H:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [23/09/2005 22:05:26]
InterVideo WinCinema Manager.lnk - H:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe [27/07/2004 13:33:35]
Microsoft Office.lnk - H:\Program Files\Microsoft Office\Office10\OSA.EXE [13/02/2001 01:01:04]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 nwprovau

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

*Newly Created Service* - VGAUTI



-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8972 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-08-15 06:52:56 ------------
Attached Files: extra.txt (22.2 KB)
Old 08-15-2008, 12:18 AM   #7 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,555
OS: WinXP and Vista


Re: Blue Desktop with spyware detected - appears to be Smitfraud?

Thank you, -Shirt.

You may want to copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

***************************************************

Close any open browsers.

--------------------------------------------------------------------

We just have the orphaned registry entries remaining. Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries:

O2 - BHO: (no name) - {C5FA80B2-6916-C4C1-1F63-760991C73CA3} - H:\DOCUME~1\Tom\APPLIC~1\FASTSE~1\First Htm.exe (file missing)
O4 - HKLM\..\Run: [Each Less Mode Mp3] H:\Documents and Settings\All Users\Application Data\CashAtomEachLess\Jugstwo.exe
O4 - HKLM\..\Run: [Bonemetaviewplan] H:\Documents and Settings\All Users\Application Data\GridPartBoneMeta\ForkWarn.exe
O4 - HKCU\..\Run: [mags up] H:\DOCUME~1\Tom\APPLIC~1\BINPUR~1\plan cool.exe


Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Sun Java leaves behind its old versions when you update it. There is no need to keep these on the system, and it would free up some precious hard drive space for you.

Uninstall the following via the Add/Remove Panel (Start->Control Panel->Add/Remove Programs)

J2SE Runtime Environment 5.0
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 4
J2SE Runtime Environment 5.0 Update 6
Java(TM) 6 Update 3
Java(TM) 6 Update 5



**Leave this version intact - Java(TM) 6 Update 7


--------------------------------------------------------------------

Online scans are time consuming, but important to run to search for remnants that may still be lurking. Please perform an online scan at Panda ActiveScan
  • Click on Scan Your PC Now
  • A "pop up" window will appear, or a new tab will open.
  • Click on Register
  • Choose the option you like most, but we recommend the Free Registration.
  • Click on Register
  • Enter your e-mail address, and create a password.
  • Select "I do not want to receive any type of information". (unless you want to receive such information)
  • Click on Send
  • Confirm registration, and continue by entering your user name and password, then click on Enter
  • Select Full Scan, then Click on Scan Now
  • Wait for the components to be loaded and installed. Don't close this window or go to another page while it is downloading. You can continue using the Internet by opening another window in your browser.
  • If it finds any malware it can disinfect, the Disinfect button will be enabled. Click on Disinfect
  • Please ignore the offer to buy the program. Click on Export To
  • Export the log and save it to your desktop.
  • Please attach the contents of that log in your next reply.

* Turn off the real time scanner of any existing antivirus program while performing the online scan


How is the system behaving?
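The two signals Ried acted on above (an O2 entry whose file is missing, and O4 Run-key entries that launch from a user profile directory rather than Program Files) can be checked mechanically. The following is an added example written for this thread, not part of the original posts or of HijackThis itself; the sample lines are copied from the log posted above, and the profile-directory markers are my own assumption about where vendor software does not normally live.

```python
"""
Triage of HijackThis O2 (BHO) and O4 (Run-key) lines for the two signals the
helper acted on in this thread: an entry whose target file is missing (an
orphaned registry value) and an entry that launches from a user profile
directory such as Application Data, where legitimate vendor software rarely lives.

Added example, not part of the forum thread or of HijackThis. The sample
lines are copied from the log posted above; the path heuristics are the
editor's own assumptions, not a HijackThis feature.
"""
import re

# Constructed sample: malicious and benign entries taken from the posted log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - H:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {C5FA80B2-6916-C4C1-1F63-760991C73CA3} - H:\DOCUME~1\Tom\APPLIC~1\FASTSE~1\First Htm.exe (file missing)
O4 - HKLM\..\Run: [LiveMonitor] H:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "H:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [Each Less Mode Mp3] H:\Documents and Settings\All Users\Application Data\CashAtomEachLess\Jugstwo.exe
O4 - HKLM\..\Run: [Bonemetaviewplan] H:\Documents and Settings\All Users\Application Data\GridPartBoneMeta\ForkWarn.exe
O4 - HKCU\..\Run: [mags up] H:\DOCUME~1\Tom\APPLIC~1\BINPUR~1\plan cool.exe
O4 - HKCU\..\Run: [ctfmon.exe] H:\WINDOWS\system32\ctfmon.exe
"""

# O2 - BHO: <name> - {<CLSID>} - <path>[ (file missing)]
O2_RE = re.compile(
    r"^O2 - BHO: (?P<label>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - "
    r"(?P<path>.*?)(?P<missing> \(file missing\))?$"
)
# O4 - HKLM\..\Run: [<value name>] <command line>
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
# First executable-looking token of a command line, quoted or not
# (unquoted paths containing spaces are common in these logs).
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|scr|com))"?', re.IGNORECASE)

# Assumption: directories a user (or malware running as that user) can write to,
# in both the long and the 8.3 short-name form that HijackThis prints.
PROFILE_MARKERS = (
    "\\documents and settings\\",
    "\\docume~1\\",
    "\\application data\\",
    "\\applic~1\\",
    "\\local settings\\",
)


def command_path(cmd):
    """Return the program a Run-key command line launches, without quotes."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def suspicious_reasons(path, missing):
    """Heuristic reasons to look harder at an autorun entry (empty list = nothing seen)."""
    reasons = []
    lowered = path.lower()
    if missing:
        reasons.append("target file missing: orphaned registry entry")
    if any(marker in lowered for marker in PROFILE_MARKERS):
        reasons.append("launches from a user profile directory")
    return reasons


def triage(log_text):
    """Parse O2/O4 lines and return the flagged entries in log order."""
    flagged = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            path, missing = m.group("path"), bool(m.group("missing"))
            kind, label = "O2 BHO " + m.group("clsid"), m.group("label")
        else:
            m = O4_RE.match(line)
            if not m:
                continue  # not a line type this triage understands
            path, missing = command_path(m.group("cmd")), False
            kind, label = "O4 " + m.group("hive") + " Run", m.group("label")
        reasons = suspicious_reasons(path, missing)
        if reasons:
            flagged.append({"kind": kind, "label": label, "path": path, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['kind']}: [{hit['label']}] {hit['path']}")
        for reason in hit["reasons"]:
            print("    - " + reason)
```

Run against the sample it flags exactly the four entries Ried listed for 'Fix Checked' and leaves the vendor entries alone; a hit is a prompt to look closer, not proof of infection.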
Old 08-15-2008, 12:56 PM   #8 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 6
OS: Win XP


Re: Blue Desktop with spyware detected - appears to be Smitfraud?

Panda scan attached.

System is behaving fairly well - not noticeably slow or anything, appears to be back to normal. (Owner is still a bit paranoid, but there we go...)

Cheers
Attached Files: PandaScan5.txt (38.5 KB)
Old 08-15-2008, 01:21 PM   #9 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,555
OS: WinXP and Vista


Re: Blue Desktop with spyware detected - appears to be Smitfraud?

Hi -Shirt,

Panda is only reporting undesirable cookies, (which are easily cleared via Firefox Tool>Internet Options) and items located in C:\System Volume Information\, which is where System Restore's cache is stored. Whatever is in there can't harm unless you choose to perform a manual restore.

Nevertheless, we shall reset/clear the cache now:

Create a new System Restore point
Click Start >> Run - type SYSDM.CPL & press Enter
* Select the System Restore Tab
* Tick on the checkbox - "Turn off System Restore on all drives"
Click Apply
* Then untick the same checkbox & click OK
This will flush out previous restore points (which contain the infections) and create a new restore point.

**************************************************************************************

The logs are clean. If there aren't any more problems, please continue with these final instructions and helpful links:

To help protect your computer in the future I recommend that you get the following free programs if you do not already have them:

McAfee Site Advisor--free version. The folks there check out websites and based on their findings, rate it as Safe, Unknown, Caution, or Bad.

SpywareBlaster 4.0 to help prevent spyware from installing in the first place. Install & update SpywareBlaster with the latest definitions. After you have updated, click the button - enable protection for all unprotected items.
  • It will block any bad ActiveX from running in Internet Explorer and Firefox if it's listed in their database (which you should update frequently). To view their database and list of restricted sites, launch the program and click on each of the tabs on the main display page.

IESpyAD Zoned Out to block access to malicious websites so you cannot be redirected to them from an infected site or email. This severely impairs attempts to infect your system as it basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.


Update, and scan with your onboard Anti Malware and Anti Virus programs regularly. Without regular updates you will not be protected when new malicious programs are released.


In light of his recent issue, have him take a look at these well written articles. It may help him to not feel so 'powerless':

PC Safety and Security--What Do I Need?
Think Prevention


**Be very wary with any security software that is advertised in popups or in other ways. They are not only usually of no use, but often have malware in them.

-----------------------------------------------------

Follow the list above and the potential for infection will reduce dramatically.

**Kindly respond one more time and let me know if we may consider this thread resolved.
Old 08-15-2008, 01:33 PM   #10 (permalink)
Registered User
 
Join Date: Aug 2008
Posts: 6
OS: Win XP


Re: Blue Desktop with spyware detected - appears to be Smitfraud?

Just cleared the system restore, am going to install SpywareBlaster shortly.

Thank you for all your help, this thread is now properly over. :)
Old 08-15-2008, 06:40 PM   #11 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,555
OS: WinXP and Vista


Re: Blue Desktop with spyware detected - appears to be Smitfraud?

You're welcome, -Shirt. Take care.
Copyright 2001 - 2009, Tech Support Forum