Old 05-16-2009, 01:33 PM   #1 (permalink)
Registered User
 
Join Date: May 2009
Posts: 28
OS: xp home


many many problems

Hi, I think I've got many viruses or nasties in my system. I've lost all desktop and can only access programs and files through task manager.
I've followed all the steps you advise and here are the logs.

Hope you can help me.


Thanks


Neil


DDS (Ver_09-05-14.01) - NTFSx86
Run by neil turner at 21:09:56.18 on Sat 05/16/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.13 [GMT 1:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\sopidkc.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\tpszxyd.sys
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dncyool64.sys
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Documents and Settings\neil turner.NEILSCOMPUTER07\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.wolves.co.uk/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [Adobe Photo Downloader] "c:\program files\adobe\photoshop album starter edition\3.0\apps\apdproxy.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [EPSON Stylus Photo RX420 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
mRun: [CreativeMouse ] c:\program files\mouse driver\MouseDrv.exe
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [BDAgent] "c:\program files\bitdefender\bitdefender 2009\bdagent.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRunOnce: [NoIE4StubProcessing] c:\windows\system32\reg.exe delete "hklm\software\microsoft\active setup\Installed Components" /v "NoIE4StubProcessing" /f
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178751406125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\neiltu~1.nei\applic~1\mozilla\firefox\profiles\a7l8jfw2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\neil turner.neilscomputer07\application data\vusion\npWARPVideoPlugin.480544.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300

============= SERVICES / DRIVERS ===============

R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2008-1-23 3968]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
S1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;\??\c:\program files\grisoft\avg anti-spyware 7.5\guard.sys --> c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [?]
S1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys --> c:\windows\system32\drivers\iksysflt.sys [?]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\neil turner.neilscomputer07\desktop\vcdrom.sys --> c:\documents and settings\neil turner.neilscomputer07\desktop\VCdRom.sys [?]
S2 afisicx;afisicx Service;c:\windows\system32\afisicx.exe --> c:\windows\system32\afisicx.exe [?]
S2 SOFTLOK;SOFTLOK; [x]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2009-1-20 192512]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-12-27 17149]
S3 DsAudioDevice_310;DsAudioDevice_310;c:\windows\system32\drivers\DsAudioDevice_310.sys [2009-2-10 16640]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-9-9 7680]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-1-27 44928]
S3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2009-2-10 16896]
S4 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe --> c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [?]

=============== Created Last 30 ================

2009-05-10 10:45 <DIR> -cdsh--- c:\documents and settings\neil turner.neilscomputer07\PrivacIE
2009-05-10 10:42 <DIR> -cdsh--- c:\documents and settings\neil turner.neilscomputer07\IETldCache
2009-05-10 10:38 <DIR> --d----- c:\windows\ie8updates
2009-05-10 10:37 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-10 10:33 <DIR> -cd-h--- c:\windows\ie8
2009-05-06 17:04 5,654 a------- c:\windows\system32\PerfStringBackup.TMP
2009-05-03 18:00 <DIR> acdshr-- C:\cmdcons
2009-05-03 17:59 161,792 a------- c:\windows\SWREG.exe
2009-05-03 17:59 98,816 a------- c:\windows\sed.exe
2009-05-03 17:59 389,120 a------- c:\windows\system32\CF29846.exe
2009-05-03 17:59 <DIR> -cd----- C:\ComboFix
2009-05-03 17:58 389,120 a------- c:\windows\system32\CF29708.exe
2009-05-03 16:10 44,544 a------- c:\windows\system32\msxml4a.dll
2009-05-03 16:10 <DIR> --d----- c:\program files\File Recover
2009-05-03 15:10 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-05-03 15:10 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-03 15:10 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-05-03 15:10 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-05-03 15:10 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-05-03 15:10 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-05-03 15:10 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-05-03 15:10 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-05-03 15:10 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-05-03 15:10 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-05-03 15:10 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-05-03 15:10 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-27 19:53 28,160 ac------ C:\syxm.exe
2009-04-27 19:53 57,856 ac------ C:\cuhel.exe
2009-04-27 18:35 <DIR> -cd----- c:\docume~1\neiltu~1.nei\applic~1\BitDefender
2009-04-27 18:34 <DIR> -cd----- c:\docume~1\alluse~1.win\applic~1\BitDefender
2009-04-27 18:34 <DIR> --d----- c:\program files\common files\BitDefender
2009-04-27 17:55 0 a------- c:\windows\system32\C.tmp
2009-04-27 17:54 59,904 a------- c:\windows\system32\8.tmp
2009-04-27 17:54 40 a------- c:\windows\system32\7.tmp
2009-04-19 17:27 389,120 a------- c:\windows\system32\CF5681.exe
2009-04-19 12:26 <DIR> -cd----- C:\SDFix
2009-04-19 09:40 55,152 a------- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-04-19 09:38 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-04-19 09:37 <DIR> --d----- c:\program files\Microsoft

==================== Find3M ====================

2009-05-03 12:58 81,984 a------- c:\windows\system32\bdod.bin
2009-05-03 12:10 33,280 a------- c:\windows\system32\ctfmon.exe
2009-05-03 11:51 51,200 a------- c:\windows\system32\rundll32.exe
2009-04-27 20:15 58,024 a---h--- c:\windows\system32\mlfcache.dat
2009-04-27 19:53 61,952 a------- c:\windows\system32\alg.exe
2009-04-16 19:39 389,120 a------- c:\windows\system32\CF4418.exe
2009-04-16 19:38 38,601 ac------ C:\MGlogs.zip
2009-04-16 19:31 389,120 a------- c:\windows\system32\CF2876.exe
2009-04-16 19:27 389,120 a------- c:\windows\system32\CF2106.exe
2009-04-16 06:25 44,032 a------- c:\windows\system32\CTsvcCDA.exe
2009-04-16 06:24 439,808 -------- c:\windows\system32\SearchIndexer.exe
2009-04-14 18:11 735,232 a------- c:\windows\system32\AdvOcr.dll
2009-04-10 15:00 21,704 a------- c:\windows\system32\kk.exe
2009-03-22 09:49 622 ac------ C:\avexport.bat
2009-03-22 09:39 2,508 ac------ C:\3.reg
2009-03-22 09:39 2,508 ac------ C:\2.reg
2009-03-22 09:39 2,508 ac------ C:\1.reg
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 00:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2007-12-24 13:21 784 ac------ c:\docume~1\neiltu~1.nei\applic~1\mpauth.dat
2001-10-05 13:53 21,866 ac------ c:\program files\common files\tppupd2k.dll
2008-01-25 17:08 2 a--shrot c:\windows\winstart.bat
2006-05-03 10:06 163,328 a--shr-- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 a--shr-- c:\windows\system32\msfDX.dll
2008-03-16 13:30 216,064 a--shr-- c:\windows\system32\nbDX.dll

============= FINISH: 21:11:38.45 ===============
Attached Files
File Type: zip ark.zip (837 Bytes, 2 views)
File Type: zip Attach.zip (4.2 KB, 1 views)
neilthewolf is offline  

Old 05-18-2009, 09:31 AM   #2 (permalink)
Registered User
 
Join Date: May 2009
Posts: 28
OS: xp home


Re: many many problems

Hi, it's me again. Have I missed something out in my logs? Just wondered why I haven't had a reply.
I would be really pleased if one of you out there could help me, I'm desperate for help as I don't really know a lot about computers and I don't know where to turn next.

Thanks

Neil
neilthewolf is offline  
Old 05-18-2009, 11:28 AM   #3 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: many many problems

Hello and welcome to TSF

I see you have already run Combofix.

Quote:
Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.
I'll need to see the Combofix logs, the most recent one can be located at C:\Combofix.txt, with previous runs the logs will be located at C:\Combofix1.txt, C:\Combofix2.txt, depending on how many times you have run Combofix.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in any way, please consider Donating

Last edited by TheBruce1; 05-18-2009 at 11:29 AM.
TheBruce1 is offline  
Old 05-18-2009, 12:00 PM   #4 (permalink)
Registered User
 
Join Date: May 2009
Posts: 28
OS: xp home


Re: many many problems

Thanks for the reply.

The only combofix.txt I can find is in the attachment.

Like I said I don't really know what I'm doing so I'm now entirely in your hands.


Thanks


Neil
Attached Files
File Type: zip Shortcut to ComboFix.txt.zip (438 Bytes, 1 views)
neilthewolf is offline  
Old 05-18-2009, 12:14 PM   #5 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: many many problems

Hi

Can you copy/paste the C:\Combofix.txt instead of attaching, the attached format is incorrect.
TheBruce1 is offline
Old 05-18-2009, 12:26 PM   #6 (permalink)
Registered User
 
Join Date: May 2009
Posts: 28
OS: xp home


Re: many many problems

sorry.


ComboFix 09-05-02.4 - neil turner 05/03/2009 18:04:18.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1535.1254 [GMT 1:00]
Running from: C:\Documents and Settings\neil turner.NEILSCOMPUTER07\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning enabled* (Updated)
.
neilthewolf is offline  
Old 05-18-2009, 12:28 PM   #7 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: many many problems

I need to see the entire log, not just the header information.
TheBruce1 is offline
Old 05-18-2009, 12:35 PM   #8 (permalink)
Registered User
 
Join Date: May 2009
Posts: 28
OS: xp home


Re: many many problems

That's all there is in combofix.txt. Can't find anything else on system.
neilthewolf is offline  
Old 05-18-2009, 12:39 PM   #9 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: many many problems

Click Start > Run and copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A text file should open. Please post the contents of that file in your next reply.
TheBruce1 is offline
Old 05-18-2009, 12:51 PM   #10 (permalink)
Registered User
 
Join Date: May 2009
Posts: 28
OS: xp home


Re: many many problems

Haven't got start. Have lost everything on desktop including start menu.
Tried to open C:\Qoobox\ComboFix-quarantined-files.txt through task manager/new task but a window pops up and says it doesn't exist. I have gone to C:\Qoobox and there isn't a combofix in the quarantined section.
neilthewolf is offline  
Old 05-18-2009, 12:58 PM   #11 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: many many problems

Please run Combofix in normal mode, if you are unable to run in normal mode, please try safe mode.
TheBruce1 is offline
Old 05-18-2009, 01:32 PM   #12 (permalink)
Registered User
 
Join Date: May 2009
Posts: 28
OS: xp home


Re: many many problems

I managed to run combofix in normal mode. It ran through all the processes and deleted several files. But the only txt file it created was the same as before????????????

ComboFix 09-05-17.08 - neil turner 05/18/2009 21:10:52.10 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.74 [GMT 1:00]
Running from: C:\Documents and Settings\neil turner.NEILSCOMPUTER07\Desktop\ComboFix.exe
AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}
.
neilthewolf is offline  
Old 05-18-2009, 01:56 PM   #13 (permalink)
Moderator, Analyst, Security Team
 
TheBruce1's Avatar
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: many many problems

If you can, Click Start > Run and copy/paste the following single-line command into the Run box and click OK:

C:\Qoobox\ComboFix-quarantined-files.txt

A text file should open. Please post the contents of that file in your next reply.

Also post this log:

C:\Bug.txt


Also run DDS again and post the DDS.txt in your reply.

Last edited by TheBruce1; 05-18-2009 at 02:00 PM.
TheBruce1 is offline  
Old 05-18-2009, 02:35 PM   #14 (permalink)
Registered User
 
Join Date: May 2009
Posts: 28
OS: xp home


Re: many many problems

2009-05-18 21:02:36 . 2009-05-18 21:02:36 159 -c--a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-BDAgent.reg.dat
2009-05-18 21:02:35 . 2009-05-18 21:02:35 292 -c--a-w C:\Qoobox\Quarantine\Registry_backups\HKLM-Run-Adobe Photo Downloader.reg.dat
2009-05-18 20:16:10 . 2009-05-18 20:16:10 2,500 -c--a-w C:\Qoobox\Quarantine\Registry_backups\Service_tdctxte.reg.dat
2009-05-18 20:16:10 . 2009-05-18 20:16:10 2,500 -c--a-w C:\Qoobox\Quarantine\Registry_backups\Service_afisicx.reg.dat
2009-05-18 18:49:50 . 2009-03-08 03:34:56 1,206,784 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\temp\mta85229.dll.vir
2009-05-18 18:47:48 . 2009-03-08 03:34:56 1,206,784 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\temp\x1c75579.dll.vir
2009-05-05 17:29:42 . 2009-03-08 03:34:56 1,206,784 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\temp\mta13187.dll.vir
2009-05-03 1716 . 2009-05-18 20:16:10 2,500 -c--a-w C:\Qoobox\Quarantine\Registry_backups\Service_sopidkc.reg.dat
2009-05-03 1716 . 2009-05-18 20:16:09 816 -c--a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_TDCTXTE.reg.dat
2009-05-03 1716 . 2009-05-18 20:16:09 1,044 -c--a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_SOPIDKC.reg.dat
2009-05-03 1716 . 2009-05-18 20:16:09 816 -c--a-w C:\Qoobox\Quarantine\Registry_backups\Legacy_AFISICX.reg.dat
2009-05-03 1705 . 2009-05-18 20:58:30 7,115 -c--a-w C:\Qoobox\Quarantine\Registry_backups\tcpip.reg
2009-05-03 16:58:26 . 2009-05-18 20:53:03 218 -c--a-w C:\Qoobox\Quarantine\catchme.log
2009-05-03 1122 . 2009-05-03 1123 230,400 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\w.exe.vir
2009-04-27 17:38:13 . 2009-04-27 18:59:33 355 -c--a-w C:\Qoobox\Quarantine\C\Documents and Settings\NetworkService.NT AUTHORITY\Application Data\twain_32\user.ds.vir
2009-04-27 16:55:25 . 2009-04-27 19:00:20 312 -c--a-w C:\Qoobox\Quarantine\C\Documents and Settings\LocalService.NT AUTHORITY\Application Data\twain_32\user.ds.vir
2009-04-27 16:55:23 . 2009-04-27 19:00:28 178,373 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\twain_32\local.ds.vir
2009-04-27 16:55:23 . 2009-04-27 17:37:56 0 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\twain_32\user.ds.vir
2009-04-27 14:45:48 . 2009-05-03 1101 66,760 ----a-w C:\Qoobox\Quarantine\C\Program Files\ThunMail\testabd.exe.vir
2009-04-27 14:45:48 . 2009-05-03 1103 24,576 ----a-w C:\Qoobox\Quarantine\C\Program Files\ThunMail\testabd.dll.vir
2009-04-14 17:09:55 . 2009-04-14 17:09:55 3 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\bversion.dll.vir
2009-04-14 17:08:18 . 2009-04-14 17:08:18 565,248 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\IPHACTION.dll.vir
2009-04-14 16:19:23 . 2009-04-14 16:19:23 0 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\IpSvchostF.dll.vir
2009-04-14 14:42:37 . 2009-04-14 14:42:23 989,696 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\kernel32_check.dll.vir
2009-04-14 14:42:17 . 2009-04-14 14:42:17 3 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fhpatch.dll.vir
2009-04-14 14:42:17 . 2009-04-14 14:42:17 9 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\iphy.dll.vir
2009-04-14 14:42:15 . 2009-04-14 14:42:15 0 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\fiplock.dll.vir
2009-03-21 07:08:12 . 2009-03-21 07:08:12 1,982 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tmp4_320594528288.bk.vir
2009-03-21 07:08:07 . 2009-03-21 07:08:07 1,982 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tmp3_557319780625.bk.vir
2009-03-21 07:08:02 . 2009-03-21 07:08:02 1,982 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tmp2_134406207918.bk.vir
2009-03-21 07:07:57 . 2009-03-21 07:07:57 1,982 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tmp1_343173459749.bk.vir
2009-03-21 07:07:52 . 2009-03-21 07:07:52 1,982 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tmp0_120730517446.bk.vir
2009-03-21 07:07:41 . 2009-03-21 07:07:41 1,982 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tmp4_36131317391.bk.vir
2009-03-21 07:07:36 . 2009-03-21 07:07:36 1,982 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tmp3_392470190796.bk.vir
2009-03-21 07:07:33 . 2009-03-21 07:07:33 1,982 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tmp4_548741795600.bk.vir
2009-03-21 07:07:31 . 2009-03-21 07:07:31 1,982 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tmp2_166364897378.bk.vir
2009-03-21 07:07:28 . 2009-03-21 07:07:28 1,982 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tmp3_723527151703.bk.vir
2009-03-21 07:07:26 . 2009-03-21 07:07:26 1,982 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tmp1_233734709548.bk.vir
2009-03-21 07:07:23 . 2009-03-21 07:07:23 1,982 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tmp2_300899770114.bk.vir
2009-03-21 07:07:21 . 2009-03-21 07:07:21 1,982 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tmp0_828201626546.bk.vir
2009-03-21 07:07:18 . 2009-03-21 07:07:18 1,982 ----a-w C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\tmp1_648661214698.bk.vir
2
neilthewolf is offline  
Old 05-18-2009, 02:38 PM   #15 (permalink)
Registered User
 
Join Date: May 2009
Posts: 28
OS: xp home


Re: many many problems

neilthewolf is offline  
Old 05-18-2009, 02:40 PM   #16 (permalink)
Registered User
 
Join Date: May 2009
Posts: 28
OS: xp home


Re: many many problems

couldn't run c:\bug.txt


DDS (Ver_09-05-14.01) - NTFSx86
Run by neil turner at 22:18:50.84 on Mon 05/18/2009
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_12
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.255.30 [GMT 1:00]

AV: BitDefender Antivirus *On-access scanning enabled* (Updated) {6C4BB89C-B0ED-4F41-A29C-4373888923BB}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Microsoft Small Business\Business Contact Manager\BcmSqlStartupSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\nvsvc32.exe
c:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe -k imgsvc
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\neil turner.NEILSCOMPUTER07\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.wolves.co.uk/
uInternet Settings,ProxyOverride = *.local
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
mURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: BitDefender Toolbar: {381ffde8-2394-4f90-b10d-fc6124a40f8c} - c:\program files\bitdefender\bitdefender 2009\IEToolbar.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
EB: {32683183-48a0-441b-a342-7c2a440a9478} - No File
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [BitTorrent DNA] "c:\program files\dna\btdna.exe"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [H/PC Connection Agent] "c:\program files\microsoft activesync\wcescomm.exe"
mRun: [CTSysVol] c:\program files\creative\sbaudigy2\surround mixer\CTSysVol.exe
mRun: [QuickTime Task] "c:\program files\quicktime\QTTask.exe" -atboottime
mRun: [NvCplDaemon] RUNDLL32.EXE c:\windows\system32\NvCpl.dll,NvStartup
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [nwiz] nwiz.exe /install
mRun: [NvMediaCenter] RUNDLL32.EXE c:\windows\system32\NvMcTray.dll,NvTaskbarInit
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [EPSON Stylus Photo RX420 Series] c:\windows\system32\spool\drivers\w32x86\3\E_FATI9CE.EXE /P31 "EPSON Stylus Photo RX420 Series" /O6 "USB001" /M "Stylus Photo RX420"
mRun: [CreativeMouse ] c:\program files\mouse driver\MouseDrv.exe
mRun: [BitDefender Antiphishing Helper] "c:\program files\bitdefender\bitdefender 2009\IEShow.exe"
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
mRunOnce: [<NO NAME>]
mRunOnce: [GrpConv] grpconv -o
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\netgea~1.lnk - c:\program files\netgear\wg111t\wlan111t.exe
StartupFolder: c:\docume~1\alluse~1.win\startm~1\programs\startup\window~1.lnk - c:\program files\windows desktop search\WindowsSearch.exe
IE: E&xport to Microsoft Excel - c:\progra~1\micros~3\office12\EXCEL.EXE/3000
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\micros~4\INetRepl.dll
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java
DPF: {0000000A-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/d/4/4/d446e8a9-3a86-4b59-bb19-f5bd11b40367/wmavax.CAB
DPF: {33564D57-0000-0010-8000-00AA00389B71} - hxxp://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - hxxp://www.eset.eu/buxus/docs/OnlineScanner.cab
DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} - hxxp://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1178751406125
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} - hxxp://www.crucial.com/controls/cpcScanner.cab
DPF: {CAFEEFAC-0016-0000-0004-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_04-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0005-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_05-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_07-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_12-windows-i586.cab
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Microsoft AntiMalware ShellExecuteHook: {091eb208-39dd-417d-a5dd-7e2c2d8fb9cb} - c:\progra~1\wifd1f~1\MpShHook.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\neiltu~1.nei\applic~1\mozilla\firefox\profiles\a7l8jfw2.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://go.microsoft.com/fwlink/?LinkId=69157
FF - prefs.js: keyword.URL - hxxp://search.live.com/results.aspx?FORM=IEFM1&q=
FF - component: c:\program files\mozilla firefox\components\FFComm.dll
FF - plugin: c:\documents and settings\neil turner.neilscomputer07\application data\vusion\npWARPVideoPlugin.480544.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npdbplug.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npmozax.dll
FF - plugin: c:\program files\windows live\photo gallery\NPWLPG.dll

---- FIREFOX POLICIES ----
FF - user.js: network.http.max-persistent-connections-per-server - 4
FF - user.js: content.max.tokenizing.time - 200000
FF - user.js: content.notify.interval - 100000
FF - user.js: content.switch.threshold - 650000
FF - user.js: nglayout.initialpaint.delay - 300

============= SERVICES / DRIVERS ===============

R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2008-1-23 3968]
R2 BcmSqlStartupSvc;Business Contact Manager SQL Server Startup Service;c:\program files\microsoft small business\business contact manager\BcmSqlStartupSvc.exe [2008-1-11 30312]
R2 msncache;msncache;c:\windows\system32\svchost.exe -k netsvcs [2002-9-3 14336]
S1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;\??\c:\program files\grisoft\avg anti-spyware 7.5\guard.sys --> c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [?]
S1 IKSysFlt;System Filter Driver;c:\windows\system32\drivers\iksysflt.sys --> c:\windows\system32\drivers\iksysflt.sys [?]
S1 vcdrom;Virtual CD-ROM Device Driver;\??\c:\documents and settings\neil turner.neilscomputer07\desktop\vcdrom.sys --> c:\documents and settings\neil turner.neilscomputer07\desktop\VCdRom.sys [?]
S2 SOFTLOK;SOFTLOK; [x]
S3 Arrakis3;BitDefender Arrakis Server;c:\program files\common files\bitdefender\bitdefender arrakis server\bin\Arrakis3.exe [2009-1-20 192512]
S3 bdfm;BDFM;c:\windows\system32\drivers\bdfm.sys [2008-9-18 111112]
S3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [2007-12-27 17149]
S3 DsAudioDevice_310;DsAudioDevice_310;c:\windows\system32\drivers\DsAudioDevice_310.sys [2009-2-10 16640]
S3 motccgp;Motorola USB Composite Device Driver;c:\windows\system32\drivers\motccgp.sys --> c:\windows\system32\drivers\motccgp.sys [?]
S3 motccgpfl;MotCcgpFlService;c:\windows\system32\drivers\motccgpfl.sys [2007-9-9 7680]
S3 MSSQL$MSSMLBIZ;SQL Server (MSSMLBIZ);c:\program files\microsoft sql server\mssql.1\mssql\binn\sqlservr.exe [2008-11-24 29263712]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-1-27 44928]
S3 wsvad_driver;WS Audio Device;c:\windows\system32\drivers\VirtualAudio.sys [2009-2-10 16896]
S4 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe --> c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [?]
S4 WinDefend;Windows Defender;c:\program files\windows defender\MsMpEng.exe [2006-11-3 13592]

=============== Created Last 30 ================

2009-05-18 21:53 <DIR> -cd----- C:\ComboFix
2009-05-10 10:45 <DIR> -cdsh--- c:\documents and settings\neil turner.neilscomputer07\PrivacIE
2009-05-10 10:42 <DIR> -cdsh--- c:\documents and settings\neil turner.neilscomputer07\IETldCache
2009-05-10 10:38 <DIR> --d----- c:\windows\ie8updates
2009-05-10 10:37 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-10 10:33 <DIR> -cd-h--- c:\windows\ie8
2009-05-06 17:04 5,654 a------- c:\windows\system32\PerfStringBackup.TMP
2009-05-03 18:00 <DIR> acdshr-- C:\cmdcons
2009-05-03 17:59 161,792 a------- c:\windows\SWREG.exe
2009-05-03 17:59 98,816 a------- c:\windows\sed.exe
2009-05-03 16:10 44,544 a------- c:\windows\system32\msxml4a.dll
2009-05-03 16:10 <DIR> --d----- c:\program files\File Recover
2009-05-03 15:10 473,600 -c------ c:\windows\system32\dllcache\fastprox.dll
2009-05-03 15:10 453,120 -c------ c:\windows\system32\dllcache\wmiprvsd.dll
2009-05-03 15:10 401,408 -c------ c:\windows\system32\dllcache\rpcss.dll
2009-05-03 15:10 284,160 -c------ c:\windows\system32\dllcache\pdh.dll
2009-05-03 15:10 227,840 -c------ c:\windows\system32\dllcache\wmiprvse.exe
2009-05-03 15:10 110,592 -c------ c:\windows\system32\dllcache\services.exe
2009-05-03 15:10 729,088 -c------ c:\windows\system32\dllcache\lsasrv.dll
2009-05-03 15:10 714,752 -c------ c:\windows\system32\dllcache\ntdll.dll
2009-05-03 15:10 617,472 -c------ c:\windows\system32\dllcache\advapi32.dll
2009-05-03 15:10 1,203,922 -c------ c:\windows\system32\dllcache\sysmain.sdb
2009-05-03 15:10 215,552 -c------ c:\windows\system32\dllcache\wordpad.exe
2009-05-03 15:10 2,560 -------- c:\windows\system32\xpsp4res.dll
2009-04-27 19:53 28,160 ac------ C:\syxm.exe
2009-04-27 19:53 57,856 ac------ C:\cuhel.exe
2009-04-27 18:35 <DIR> -cd----- c:\docume~1\neiltu~1.nei\applic~1\BitDefender
2009-04-27 18:34 <DIR> -cd----- c:\docume~1\alluse~1.win\applic~1\BitDefender
2009-04-27 18:34 <DIR> --d----- c:\program files\common files\BitDefender
2009-04-27 17:55 0 a------- c:\windows\system32\C.tmp
2009-04-27 17:54 59,904 a------- c:\windows\system32\8.tmp
2009-04-27 17:54 40 a------- c:\windows\system32\7.tmp
2009-04-19 12:26 <DIR> -cd----- C:\SDFix
2009-04-19 09:40 55,152 a------- c:\windows\system32\drivers\fssfltr_tdi.sys
2009-04-19 09:38 <DIR> --d----- c:\program files\Microsoft SQL Server Compact Edition
2009-04-19 09:37 <DIR> --d----- c:\program files\Microsoft

==================== Find3M ====================

2009-05-03 12:58 81,984 a------- c:\windows\system32\bdod.bin
2009-05-03 12:10 33,280 a------- c:\windows\system32\ctfmon.exe
2009-05-03 11:51 51,200 a------- c:\windows\system32\rundll32.exe
2009-04-27 20:15 58,024 a---h--- c:\windows\system32\mlfcache.dat
2009-04-27 19:53 61,952 a------- c:\windows\system32\alg.exe
2009-04-16 19:38 38,601 ac------ C:\MGlogs.zip
2009-04-16 06:25 44,032 a------- c:\windows\system32\CTsvcCDA.exe
2009-04-16 06:24 439,808 -------- c:\windows\system32\SearchIndexer.exe
2009-04-14 18:11 735,232 a------- c:\windows\system32\AdvOcr.dll
2009-04-10 15:00 21,704 a------- c:\windows\system32\kk.exe
2009-03-22 09:49 622 ac------ C:\avexport.bat
2009-03-22 09:39 2,508 ac------ C:\3.reg
2009-03-22 09:39 2,508 ac------ C:\2.reg
2009-03-22 09:39 2,508 ac------ C:\1.reg
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-06 00:59 1,900,544 a------- c:\windows\system32\usbaaplrc.dll
2007-12-24 13:21 784 ac------ c:\docume~1\neiltu~1.nei\applic~1\mpauth.dat
2001-10-05 13:53 21,866 ac------ c:\program files\common files\tppupd2k.dll
2008-01-25 17:08 2 a--shrot c:\windows\winstart.bat
2006-05-03 10:06 163,328 a--shr-- c:\windows\system32\flvDX.dll
2007-02-21 11:47 31,232 a--shr-- c:\windows\system32\msfDX.dll
2008-03-16 13:30 216,064 a--shr-- c:\windows\system32\nbDX.dll

============= FINISH: 22:20:17.12 ===============
Attached Files
File Type: zip DDS.zip (5.1 KB, 1 views)

Last edited by TheBruce1; 05-18-2009 at 02:45 PM.
neilthewolf is offline  
Old 05-18-2009, 03:23 PM   #17 (permalink)
Moderator, Analyst, Security Team
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: many many problems

Hello again

Looks much better, but still work to be done.

Please follow all instructions in the order in which they come. If you have any questions, please ask before proceeding. It's important that you follow this through until I give you the all clear.

Please DO NOT Attach logs to your posts unless you are advised to do so.

========

From the attach.txt it would seem you have two versions of Bitdefender antivirus installed.

Quote:
BitDefender Antivirus 2008
BitDefender Antivirus 2009
If so, please uninstall BitDefender Antivirus 2008 via add/remove.

Also make sure you disable Bitdefender prior to running Combofix.

=========

Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/376616-many-many-problems.html

Collect::
C:\syxm.exe
C:\cuhel.exe
c:\windows\system32\8.tmp
c:\windows\system32\7.tmp
c:\windows\system32\kk.exe
File::
c:\windows\system32\C.tmp
c:\windows\system32\mlfcache.dat
C:\avexport.bat
Driver::
SOFTLOK
FileLook::
C:\1.reg
DDS::
uInternet Settings,ProxyOverride = *.local
EB: {32683183-48a0-441b-a342-7c2a440a9478}
mRunOnce: [<NO NAME>] 
DPF: DirectAnimation Java Classes
DPF: Microsoft XML Parser for Java

Save this as CFscript

Referring to the picture above, drag CFscript into ComboFix.exe

Follow the prompts, and post the resulting log, C:\ComboFix.txt

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


Warning:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture a file to submit for analysis.

Ensure you are connected to the internet and click OK. A browser will open. Simply follow the instructions to copy/paste/send the requested file(s).

========

JAVA OUTDATED


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.
  • Download the latest version of Java Runtime Environment (JRE) 6 and save it to your desktop.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 13. The Java SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Select the Windows platform from the dropdown menu.
  • Read the License Agreement and then check the box that says: "Accept License Agreement". Click on Continue. The page will refresh.
  • Click on the link to download Windows Offline Installation and save the file to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Settings > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java.
  • Check (highlight) any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u13-windows-i586-p.exe to install the newest version.
  • After the install is complete, go into the Control Panel (using Classic View) and double-click the Java Icon. (looks like a coffee cup)
    • On the General tab, under Temporary Internet Files, click the Settings button.
    • Next, click on the Delete Files button
    • There are two options in the window to clear the cache - Leave BOTH Checked
      • Applications and Applets
      • Trace and Log Files
    • Click OK on Delete Temporary Files Window
      Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
    • Click OK to leave the Temporary Files Window
    • Click OK to leave the Java Control Panel.

=========

Download ATF-Cleaner by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

If you have Firefox installed:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you have Opera installed:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

=========

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at the Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.
**Note**

This animation will guide you through the process:




To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

========
Logs Required
C:\Combofix.txt
Kaspersky Scan Report


An update on how your system is running.
__________________
Member of ASAP since 2007
Member of UNITE since 2008


**Notice to BT customers**
BT to dump Phorm, see Here for more information. No DPI

If we have helped you in anyway, please consider Donating
TheBruce1 is offline  
Old 05-19-2009, 09:33 AM   #18 (permalink)
Registered User
 
Join Date: May 2009
Posts: 28
OS: xp home


Re: many many problems

Ok, first problem.
I couldn't remove bitdefender 08 from add/remove programs.
It came up with a message saying....'Installation source for this product is not available.
Verify that the source exists and you can access it'.

I haven't a clue what that means.

I managed to get to the uninstaller and tried that. I think it has worked that way.
Also, how do I turn off bitdefender 09 to run combofix?

Thanks

Neil
neilthewolf is offline  
Old 05-19-2009, 10:50 AM   #19 (permalink)
Registered User
 
Join Date: May 2009
Posts: 28
OS: xp home


Re: many many problems

Managed to disable bitdefender 09 and drag/drop Cfscript to open and run combofix......but after it ran it didn't open any boxes to post, it just restarted system.
Do I carry on with next stage or try again with combofix?

Thanks

Neil
neilthewolf is offline  
Old 05-19-2009, 10:59 AM   #20 (permalink)
Moderator, Analyst, Security Team
 
Join Date: Oct 2006
Location: Dùn Èideann, Scotland.
Posts: 5,093
OS: XP


Re: many many problems

Hi

Quote:
I couldn't remove bitdefender 08 from add/remove programs.
It came up with a message saying....'Installation source for this product is not available.
Verify that the source exists and you can access it'.

I haven't a clue what that means.

I managed to get to the uninstaller and tried that. I think it has worked that way.
Are you saying that you uninstalled Bitdefender 08 using the uninstaller?

Quote:
Also, how do I turn off bitdefender 09 to run combofix?
Got this from the Bitdefender forum.

Basic disabling: http://twitpic.com/opa9/full
Advanced disabling: http://twitpic.com/opab/full

You really only want to disable Real-Time Antivirus & Antispyware File Protection and Real time protection is enabled.

Looking at the advanced image you have a choice on how long to disable the protection, if there is an option to do it manually, choose that option...otherwise choose until system restarts.

If Combofix does not reboot your system, please do so before proceeding with the other instructions.
TheBruce1 is offline  