Status: Not open for further replies.

Registered · 16 Posts
Discussion Starter · #1 ·
Background:
A file I downloaded (and scanned) was infected by a virus / trojan not picked up by Norton 2009. This disabled Norton in several ways. On reboot, the Norton icon no longer displayed in my taskbar (so I assumed it was disabled). Uninstalling / reinstalling Norton did not work, as LiveUpdate was prevented. Reinstalling via Norton's online live help (done by their tech guys whilst I sat and watched) got Norton working again for 10 minutes ... and then it stopped working. I was finally able to remove the remaining virus / trojan using Malwarebytes.

Everything now appears to be working fine, with one exception: some links within websites and emails no longer work in IE (although they do appear to still be working in Firefox on my site).


_______________________________________________________________



DDS (Ver_09-05-14.01) - NTFSx86
Run by Julian at 23:58:11.62 on 26/05/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_13
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.735.251 [GMT 1:00]

AV: Norton AntiVirus *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\keyhook.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
C:\Program Files\Trusteer\Rapport\bin\RapportService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\sistray.exe
svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\CSHelper.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
C:\Program Files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Julian\Desktop\dds.pif

============== Pseudo HJT Report ===============

uStart Page = https://www.orderkleeneze.co.uk/ordering/login.aspx
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Adobe PDF Link Helper: {18df081c-e8ad-4283-a596-fa578c2ebdc3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelperShim.dll
BHO: Skype add-on (mastermind): {22bf413b-c6d2-4d91-82a9-a0f997ba588c} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: RealPlayer Download and Record Plugin for Internet Explorer: {3049c3e9-b461-4bc5-8870-4c09146192ca} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
BHO: BitComet Helper: {39f7e362-828a-4b5a-bcaf-5b79bfdfea60} - c:\program files\bitcomet\tools\BitCometBHO_1.3.1.15.dll
BHO: {53707962-6f74-2d53-2644-206d7942484f} - c:\program files\spybot - search & destroy\SDHelper.dll
BHO: {5C255C8A-E604-49b4-9D64-90988571CECB} - No File
BHO: Symantec Intrusion Prevention: {6d53ec84-6aae-4787-aeee-f4628f01010c} - c:\program files\norton antivirus\norton antivirus\engine\16.5.0.134\IPSBHO.DLL
BHO: Windows Live Sign-in Helper: {9030d464-4c02-4abf-8ecc-5164760863c6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.1.1309.3572\swg.dll
BHO: Java(tm) Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll
uRun: [updateMgr] c:\program files\adobe\acrobat 7.0\acrobat\AdobeUpdateManager.exe AcPro7_0_0
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [Rapportexe] "c:\program files\trusteer\rapport\bin\RapportService.exe" -start -after_boot
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
mRun: [SiS Windows KeyHook] c:\windows\system32\keyhook.exe
mRun: [SiSUSBRG] c:\windows\SiSUSBrg.exe
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy media creator 8\drag to disc\DrgToDsc.exe"
mRun: [RoxWatchTray] "c:\program files\common files\roxio shared\sharedcom8\RoxWatchTray.exe"
mRun: [TkBellExe] "c:\program files\common files\real\update_ob\realsched.exe" -osboot
mRun: [Acrobat Assistant 7.0] "c:\program files\adobe\acrobat 7.0\distillr\Acrotray.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [SoundMan] SOUNDMAN.EXE
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\isuspm.exe -startup
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 9.0\reader\Reader_sl.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\julian\startm~1\programs\startup\erunta~1.lnk - c:\program files\erunt\AUTOBACK.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobea~1.lnk - c:\windows\installer\{ac76ba86-1033-0000-7760-000000000002}\SC_Acrobat.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\blueto~1.lnk - c:\program files\widcomm\bluetooth software\BTTray.exe
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\utilit~1.lnk - c:\windows\system32\sistray.exe
IE: &D&ownload &with BitComet - c:\program files\bitcomet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\bitcomet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\bitcomet\BitComet.exe/AddAllLink.htm
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\adobe\acrobat 7.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\widcomm\bluetooth software\btsendto_ie_ctx.htm
DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} - hxxp://appldnld.apple.com.edgesuite.net/content.info.apple.com/QuickTime/qtactivex/qtplugin.cab
DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - hxxps://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} - hxxp://zone.msn.com/bingame/zpagames/GAME_UNO1.cab60096.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} - hxxp://zone.msn.com/bingame/zpagames/zpa_wof.cab55579.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {95B5D20C-BD31-4489-8ABF-F8C8BE748463} - hxxp://zone.msn.com/bingame/zpagames/zpa_hrtz.cab99160.cab
DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} - hxxp://cdn2.zone.msn.com/binFramework/v10/ZPAFramework.cab102118.cab
DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} - hxxp://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
DPF: {CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_12-windows-i586.cab
DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
DPF: {F773E7B2-62A9-4524-9109-87D2F0BEFAA4} - hxxp://zone.msn.com/bingame/zpagames/zpa_kqrp.cab56961.cab
DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} - hxxp://zone.msn.com/bingame/zpagames/ZPA_Backgammon.cab64162.cab
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\julian\applic~1\mozilla\firefox\profiles\o1kf5ox7.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.orderkleeneze.co.uk/ordering/login.aspx
FF - component: c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\ipsffplgn\components\IPSFFPl.dll
FF - component: c:\program files\real\realplayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\google\update\1.2.145.5\npGoogleOneClick8.dll

============= SERVICES / DRIVERS ===============

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\nav\1005000.086\SymEFA.sys [2009-5-22 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\nav\1005000.086\BHDrvx86.sys [2009-5-22 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\nav\1005000.086\cchpx86.sys [2009-5-22 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\ipsdefs\20090513.001\IDSxpx86.sys [2009-5-22 276344]
R1 RapportKELL;RapportKELL;c:\program files\trusteer\rapport\bin\RapportKELL.sys [2009-3-30 56808]
R1 RapportPG;RapportPG;c:\program files\trusteer\rapport\bin\RapportPG.sys [2009-3-30 89192]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [2009-3-4 266240]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\norton antivirus\norton antivirus\engine\16.5.0.134\ccSvcHst.exe [2009-5-22 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\common files\symantec shared\eengine\EraserUtilRebootDrv.sys [2009-5-23 101936]
R3 NAVENG;NAVENG;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090526.004\NAVENG.SYS [2009-5-26 89104]
R3 NAVEX15;NAVEX15;c:\documents and settings\all users\application data\norton\{0c55c096-0f1d-4f28-aaa2-85ef591126e7}\norton\definitions\virusdefs\20090526.004\NAVEX15.SYS [2009-5-26 876144]
S2 gupdate1c962a48d00b644;Google Update Service (gupdate1c962a48d00b644);c:\program files\google\update\GoogleUpdate.exe [2008-12-20 133104]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\julian\my documents\inter-tel\collaboration client 2.0\lkWebLink.exe [2007-9-20 32768]

=============== Created Last 30 ================

2009-05-23 10:54 <DIR> --d----- c:\docume~1\julian\applic~1\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-05-22 21:54 26 a------- c:\windows\Zone.Identifier
2009-05-22 13:06 36,400 a----r-- c:\windows\system32\drivers\SymIM.sys
2009-05-22 13:05 124,464 a------- c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-22 13:05 60,808 a------- c:\windows\system32\S32EVNT1.DLL
2009-05-22 13:05 7,386 a------- c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-22 13:05 805 a------- c:\windows\system32\drivers\SYMEVENT.INF
2009-05-22 13:05 <DIR> --d----- c:\program files\Symantec
2009-05-22 13:05 <DIR> --d----- c:\program files\common files\Symantec Shared
2009-05-22 11:05 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Symantec
2009-05-22 11:04 <DIR> --d----- c:\windows\system32\drivers\NAV
2009-05-22 11:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\PCSettings
2009-05-21 16:01 <DIR> --d----- c:\program files\iPod
2009-05-21 16:01 <DIR> --d----- c:\program files\iTunes
2009-05-21 16:01 <DIR> --d----- c:\docume~1\alluse~1\applic~1\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-21 15:53 397 ---shr-- C:\autorun.inf
2009-05-21 15:50 <DIR> --d----- c:\program files\Bonjour
2009-05-19 17:03 <DIR> --dsh--- c:\documents and settings\julian\IECompatCache
2009-05-19 16:59 <DIR> --dsh--- c:\documents and settings\julian\PrivacIE
2009-05-19 16:58 <DIR> --dsh--- c:\documents and settings\julian\IETldCache
2009-05-19 16:56 <DIR> --d----- c:\windows\ie8updates
2009-05-19 16:55 102,400 -c------ c:\windows\system32\dllcache\iecompat.dll
2009-05-19 16:54 <DIR> -cd-h--- c:\windows\ie8
2009-05-07 19:17 <DIR> --d----- c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-05-07 19:17 <DIR> --d----- c:\program files\SDHelper (Spybot - Search & Destroy)
2009-05-07 19:17 <DIR> --d----- c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-05-07 19:17 <DIR> --d----- c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-05-07 18:58 <DIR> --d----- c:\program files\New Folder
2009-05-07 18:57 <DIR> --d----- c:\docume~1\alluse~1\applic~1\Spybot - Search & Destroy
2009-05-07 18:57 <DIR> --d----- c:\program files\Spybot - Search & Destroy
2009-05-07 10:31 399,872 a------- c:\windows\c4dstand.dll
2009-05-07 10:31 475,136 a------- c:\windows\lk_c4.dll
2009-05-07 10:31 50 a------- c:\windows\app.ini
2009-05-07 10:30 <DIR> --d----- c:\program files\LKMH
2009-05-07 10:30 98,304 a------- c:\windows\system32\tsccvid.dll
2009-05-07 10:30 1,644,032 a------- c:\windows\LKMHDemo.exe
2009-05-07 10:30 3,362 a------- c:\windows\LKMHDemo.ini
2009-05-07 10:30 2,238 a------- c:\windows\LK.ico
2009-05-07 10:30 304 a------- c:\windows\LKMH_Demo_Cfg.ini
2009-05-07 09:44 <DIR> --d----- c:\program files\Total Seminars
2009-05-05 19:25 <DIR> --d----- c:\docume~1\julian\applic~1\Seiz System Engineering

==================== Find3M ====================

2009-04-06 15:32 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-03-09 05:19 410,984 a------- c:\windows\system32\deploytk.dll
2009-03-08 04:34 914,944 a------- c:\windows\system32\wininet.dll
2009-03-08 04:34 43,008 a------- c:\windows\system32\licmgr10.dll
2009-03-08 04:33 18,944 a------- c:\windows\system32\corpol.dll
2009-03-08 04:33 420,352 a------- c:\windows\system32\vbscript.dll
2009-03-08 04:32 72,704 a------- c:\windows\system32\admparse.dll
2009-03-08 04:32 71,680 a------- c:\windows\system32\iesetup.dll
2009-03-08 04:31 34,816 a------- c:\windows\system32\imgutil.dll
2009-03-08 04:31 48,128 a------- c:\windows\system32\mshtmler.dll
2009-03-08 04:31 45,568 a------- c:\windows\system32\mshta.exe
2009-03-08 04:22 156,160 a------- c:\windows\system32\msls31.dll
2009-03-06 15:22 284,160 a------- c:\windows\system32\pdh.dll
2009-03-04 00:22 266,240 a------- c:\windows\system32\CSHelper.exe
2009-03-04 00:22 225,280 a------- c:\windows\system32\CSInstru.DLL

============= FINISH: 23:59:05.31 ===============
 


Premium Member · 29,790 Posts
Hello and Welcome to TSF.

Please Subscribe to this Thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools, then click Subscribe to this Thread. Make sure it is set to Instant notification by email, then click Add Subscription.

Please note that the forum is very busy and if I don't hear from you within three days this thread will be closed.

------------------------------------------------------

One or more of the identified infections is a backdoor trojan.

This type of infection allows hackers to remotely control your computer, log keystrokes, steal critical system information, and download and execute files without your knowledge.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Please read this: How Do I Handle Possible Identity Theft, Internet Fraud, and CC Fraud?

------------------------------------------------------

Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate.

Please stay with me until given the 'all clear' even if symptoms seemingly abate.

Kindly follow my instructions, and please do not do any fixing on your own or run scanners unless requested by a helper.

------------------------------------------------------

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all antivirus and antimalware programs so they do not interfere with the running of ComboFix.

Get help here

Please post the C:\ComboFix.txt in your next reply for further review.

------------------------------------------------------
 

Registered · 16 Posts
Discussion Starter · #3 ·
ComboFix 09-05-29.01 - Julian 30/05/2009 7:56.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.735.347 [GMT 1:00]
Running from: c:\documents and settings\Julian\Desktop\ComboFix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Autorun.inf
c:\windows\winhelp.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_msqpdxserv.sys


((((((((((((((((((((((((( Files Created from 2009-04-28 to 2009-05-30 )))))))))))))))))))))))))))))))
.

2009-05-30 07:00 . 2009-02-27 10:57 165240 ----a-r c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
2009-05-30 06:21 . 2009-05-22 00:57 89104 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090529.032\NAVENG.SYS
2009-05-30 06:21 . 2009-05-22 00:57 876144 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090529.032\NAVEX15.SYS
2009-05-30 06:21 . 2009-05-22 00:57 177520 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090529.032\NAVENG32.DLL
2009-05-30 06:21 . 2009-05-22 00:57 1181040 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090529.032\NAVEX32A.DLL
2009-05-30 06:21 . 2009-05-22 00:57 371248 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090529.032\EECTRL.SYS
2009-05-30 06:21 . 2009-05-22 00:57 259368 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090529.032\ECMSVR32.DLL
2009-05-30 06:21 . 2009-05-22 00:57 2414128 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090529.032\CCERASER.DLL
2009-05-30 06:21 . 2009-05-22 00:57 101936 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\VirusDefs\20090529.032\ERASER.SYS
2009-05-29 18:14 . 2009-03-16 20:03 533880 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\Scxpx86.dll
2009-05-29 18:14 . 2009-01-29 21:50 276344 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSXpx86.sys
2009-05-29 18:14 . 2009-01-29 21:50 292912 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSvix86.sys
2009-05-29 18:14 . 2009-01-29 21:50 447864 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSxpx86.dll
2009-05-29 18:14 . 2009-01-29 21:50 396848 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSviA64.sys
2009-05-23 09:54 . 2009-05-23 09:54 -------- d-----w c:\documents and settings\Julian\Application Data\com.adobe.mauby.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
2009-05-23 09:53 . 2009-05-23 09:55 38208 ----a-w c:\documents and settings\Julian\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\airappinstaller\airappinstaller.exe
2009-05-23 09:42 . 2009-05-23 09:55 -------- d-----w c:\program files\Common Files\Adobe AIR
2009-05-22 12:07 . 2009-03-16 20:03 533880 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\Scxpx86.dll
2009-05-22 12:07 . 2009-01-29 21:50 276344 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSxpx86.sys
2009-05-22 12:07 . 2009-01-29 21:50 292912 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSvix86.sys
2009-05-22 12:07 . 2009-01-29 21:50 447864 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSxpx86.dll
2009-05-22 12:07 . 2009-01-29 21:50 396848 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090513.001\IDSvia64.sys
2009-05-22 12:06 . 2009-02-27 10:57 36400 ----a-r c:\windows\system32\drivers\SymIM.sys
2009-05-22 12:05 . 2009-05-23 14:24 -------- d-----w c:\program files\Common Files\Symantec Shared
2009-05-22 12:05 . 2009-05-22 15:07 -------- d-----w c:\program files\Symantec
2009-05-22 12:05 . 2009-05-22 15:07 60808 ----a-w c:\windows\system32\S32EVNT1.DLL
2009-05-22 12:05 . 2009-05-22 15:07 124464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS
2009-05-22 12:05 . 2009-05-22 12:05 1294680 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\SyKnAppS.dll
2009-05-22 12:05 . 2009-05-22 12:05 136840 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\SyKnAppS\patch25.dll
2009-05-22 12:05 . 2009-05-22 12:05 791920 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\CLT\cltLMSx.dll
2009-05-22 12:05 . 2009-05-22 12:05 -------- d-----w c:\program files\Windows Sidebar
2009-05-22 10:05 . 2009-05-22 10:05 -------- d-----w c:\documents and settings\All Users\Application Data\Symantec
2009-05-22 10:04 . 2009-05-22 22:03 -------- d-----w c:\windows\system32\drivers\NAV
2009-05-22 10:01 . 2009-05-22 10:01 -------- d-----w c:\documents and settings\All Users\Application Data\PCSettings
2009-05-21 15:08 . 2009-05-21 15:08 -------- d-sh--w c:\documents and settings\LocalService\PrivacIE
2009-05-21 15:01 . 2009-05-21 15:01 -------- d-----w c:\program files\iPod
2009-05-21 15:01 . 2009-05-21 15:02 -------- d-----w c:\program files\iTunes
2009-05-21 15:01 . 2009-05-21 15:02 -------- d-----w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-05-21 14:55 . 2009-05-21 14:55 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-05-21 14:52 . 2009-05-21 14:52 75048 ----a-w c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.1.1.10\SetupAdmin.exe
2009-05-21 14:50 . 2009-05-21 14:50 -------- d-----w c:\program files\Bonjour
2009-05-19 16:03 . 2009-05-19 16:03 -------- d-sh--w c:\documents and settings\Julian\IECompatCache
2009-05-19 15:59 . 2009-05-19 15:59 -------- d-sh--w c:\documents and settings\Julian\PrivacIE
2009-05-19 15:59 . 2009-05-19 15:59 -------- d-sh--w c:\documents and settings\NetworkService\IETldCache
2009-05-19 15:58 . 2009-05-19 15:58 -------- d-sh--w c:\documents and settings\Julian\IETldCache
2009-05-19 15:56 . 2009-05-19 15:56 -------- d-----w c:\windows\ie8updates
2009-05-19 15:55 . 2009-04-25 05:30 102400 -c----w c:\windows\system32\dllcache\iecompat.dll
2009-05-19 15:54 . 2009-05-19 15:55 -------- dc-h--w c:\windows\ie8
2009-05-07 18:17 . 2009-05-07 18:17 -------- d-----w c:\program files\TeaTimer (Spybot - Search & Destroy)
2009-05-07 18:17 . 2009-05-07 18:17 -------- d-----w c:\program files\SDHelper (Spybot - Search & Destroy)
2009-05-07 18:17 . 2009-05-07 18:17 -------- d-----w c:\program files\Misc. Support Library (Spybot - Search & Destroy)
2009-05-07 18:17 . 2009-05-07 18:17 -------- d-----w c:\program files\File Scanner Library (Spybot - Search & Destroy)
2009-05-07 17:58 . 2009-05-07 17:58 -------- d-----w c:\program files\New Folder
2009-05-07 17:57 . 2009-05-07 18:16 -------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2009-05-07 17:57 . 2009-05-07 18:16 -------- d-----w c:\program files\Spybot - Search & Destroy
2009-05-07 09:31 . 2005-05-26 06:00 399872 ----a-w c:\windows\c4dstand.dll
2009-05-07 09:31 . 2005-05-26 06:00 475136 ----a-w c:\windows\lk_c4.dll
2009-05-07 09:30 . 2009-05-07 09:31 -------- d-----w c:\program files\LKMH
2009-05-07 09:30 . 2001-01-25 01:12 98304 ----a-w c:\windows\system32\tsccvid.dll
2009-05-07 09:30 . 2006-06-07 21:19 1644032 ----a-w c:\windows\LKMHDemo.exe
2009-05-07 08:44 . 2009-05-27 19:37 -------- d-----w c:\program files\Total Seminars
2009-05-05 18:25 . 2009-05-05 18:25 -------- d-----w c:\documents and settings\Julian\Application Data\Seiz System Engineering

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-05-30 07:02 . 2009-02-13 17:47 -------- d-----w c:\documents and settings\All Users\Application Data\Kontiki
2009-05-30 06:49 . 2008-12-21 00:34 -------- d-----w c:\program files\BitComet
2009-05-30 00:08 . 2008-12-20 13:10 -------- d-----w c:\documents and settings\All Users\Application Data\Google Updater
2009-05-27 19:40 . 2008-12-16 17:30 92960 ----a-w c:\documents and settings\Julian\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-05-23 09:41 . 2008-12-17 10:34 -------- d-----w c:\program files\Common Files\Adobe
2009-05-22 15:07 . 2009-05-22 12:05 805 ----a-w c:\windows\system32\drivers\SYMEVENT.INF
2009-05-22 15:07 . 2009-05-22 12:05 7386 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT
2009-05-22 12:05 . 2008-12-17 10:48 -------- d-----w c:\program files\Norton AntiVirus
2009-05-22 12:05 . 2008-12-17 10:48 -------- d-----w c:\documents and settings\All Users\Application Data\Norton
2009-05-22 12:04 . 2008-12-17 10:46 -------- d-----w c:\documents and settings\All Users\Application Data\NortonInstaller
2009-05-22 10:57 . 2008-12-31 17:37 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-05-22 10:56 . 2009-02-26 19:11 2967799 ----a-w c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-05-22 08:57 . 2008-12-17 10:46 -------- d-----w c:\program files\NortonInstaller
2009-05-21 15:01 . 2009-03-08 18:48 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-05-21 15:01 . 2009-03-08 18:48 -------- d-----w c:\program files\Common Files\Apple
2009-05-20 22:50 . 2009-02-20 17:49 -------- d-----w c:\documents and settings\Julian\Application Data\Skype
2009-05-20 22:43 . 2009-02-27 22:12 -------- d-----w c:\documents and settings\Julian\Application Data\skypePM
2009-05-08 19:36 . 2009-01-30 10:10 -------- d-----w c:\program files\Common Files\DVDVideoSoft
2009-05-08 19:36 . 2009-01-30 10:10 -------- d-----w c:\program files\DVDVideoSoft
2009-04-20 22:03 . 2009-03-08 18:51 -------- d-----w c:\documents and settings\Julian\Application Data\Apple Computer
2009-04-06 14:32 . 2008-12-31 17:37 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 14:32 . 2008-12-31 17:37 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-03-31 22:25 . 2009-01-13 22:32 -------- d-----w c:\program files\Java
2009-03-31 22:24 . 2009-03-31 22:24 152576 ----a-w c:\documents and settings\Julian\Application Data\Sun\Java\jre1.6.0_13\lzma.dll
2009-03-31 10:09 . 2009-03-31 10:09 -------- d-----w c:\documents and settings\NetworkService\Application Data\Trusteer
2009-03-19 15:32 . 2009-03-19 15:32 23400 ----a-w c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}\x86\x86\GEARAspiWDM.sys
2009-03-19 15:32 . 2009-03-08 18:50 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-16 20:03 . 2009-03-16 20:03 533880 ----a-w c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\BinHub\Scxpx86.dll
2009-03-09 04:19 . 2009-01-16 09:36 410984 ----a-w c:\windows\system32\deploytk.dll
2009-03-08 03:34 . 2008-04-14 12:00 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 03:34 . 2008-04-14 12:00 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 03:33 . 2008-04-14 12:00 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 03:33 . 2008-04-14 12:00 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 03:32 . 2008-04-14 12:00 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 03:32 . 2008-04-14 12:00 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 03:31 . 2008-04-14 12:00 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 03:31 . 2008-04-14 12:00 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 03:31 . 2008-04-14 12:00 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 03:22 . 2008-04-14 12:00 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:59 . 2009-03-06 14:59 8966 ----a-r c:\documents and settings\Julian\Application Data\Microsoft\Installer\{04f6ffea-6702-11dc-8314-0800200c9a66}\ARPPRODUCTICON.exe
2009-03-06 14:59 . 2009-03-06 14:59 45056 ----a-r c:\documents and settings\Julian\Application Data\Microsoft\Installer\{04f6ffea-6702-11dc-8314-0800200c9a66}\NewShortcut1_A80EDC6C85754FF6B838BB92A8E49DC5.exe
2009-03-06 14:22 . 2008-04-14 12:00 284160 ----a-w c:\windows\system32\pdh.dll
2009-03-06 11:05 . 2009-03-06 11:05 503808 ----a-w c:\documents and settings\Julian\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-2a120671-n\msvcp71.dll
2009-03-06 11:05 . 2009-03-06 11:05 499712 ----a-w c:\documents and settings\Julian\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-2a120671-n\jmc.dll
2009-03-06 11:05 . 2009-03-06 11:05 348160 ----a-w c:\documents and settings\Julian\Application Data\Sun\Java\Deployment\cache\6.0\38\39ba6e6-2a120671-n\msvcr71.dll
2009-03-06 11:03 . 2009-03-06 11:03 152576 ----a-w c:\documents and settings\Julian\Application Data\Sun\Java\jre1.6.0_12\lzma.dll
2009-03-05 16:27 . 2009-03-05 16:27 0 -c--a-w c:\windows\nsreg.dat
2009-03-03 23:22 . 2009-03-03 23:22 266240 ----a-w c:\windows\system32\CSHelper.exe
2009-03-03 23:22 . 2009-03-03 23:22 225280 ----a-w c:\windows\system32\CSInstru.DLL
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="c:\program files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2006-03-30 313472]
"Rapportexe"="c:\program files\Trusteer\Rapport\bin\RapportService.exe" [2009-03-24 972008]
"msnmsgr"="c:\program files\Windows Live\Messenger\msnmsgr.exe" [2009-02-06 3885408]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SiS Windows KeyHook"="c:\windows\system32\keyhook.exe" [2004-05-12 249856]
"SiSUSBRG"="c:\windows\SiSUSBrg.exe" [2002-07-12 106496]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 32768]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"RoxioDragToDisc"="c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc.exe" [2005-09-19 1687552]
"RoxWatchTray"="c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe" [2005-09-19 163840]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-01-04 185872]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-28 81920]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-03-08 413696]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-03-09 148888]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\isuspm.exe" [2004-07-28 221184]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\SOUNDMAN.EXE [2007-04-16 577536]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\Julian\Start Menu\Programs\Startup\
ERUNT AutoBackup.lnk - c:\program files\ERUNT\AUTOBACK.EXE [2005-10-20 38912]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth.lnk - c:\program files\WIDCOMM\Bluetooth Software\BTTray.exe [2005-10-9 610365]
Utility Tray.lnk - c:\windows\system32\sistray.exe [2008-12-17 335872]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=c:\windows\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Julian^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=c:\documents and settings\Julian\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=c:\windows\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Julian^Start Menu^Programs^Startup^MagicDisc.lnk]
path=c:\documents and settings\Julian\Start Menu\Programs\Startup\MagicDisc.lnk
backup=c:\windows\pss\MagicDisc.lnkStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\BitComet\\BitComet.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\WINDOWS\\system32\\dpvsetup.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\Roxio\\Easy Media Creator 8\\Digital Home\\RoxUpnpServer.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"22894:TCP"= 22894:TCP:BitComet 22894 TCP
"22894:UDP"= 22894:UDP:BitComet 22894 UDP

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [22/05/2009 16:07 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1005000.086\BHDrvx86.sys [22/05/2009 16:07 258608]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1005000.086\cchpx86.sys [22/05/2009 16:06 482352]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090528.001\IDSXpx86.sys [29/05/2009 19:14 276344]
R1 RapportKELL;RapportKELL;c:\program files\Trusteer\Rapport\bin\RapportKELL.sys [30/03/2009 10:52 56808]
R1 RapportPG;RapportPG;c:\program files\Trusteer\Rapport\bin\RapportPG.sys [30/03/2009 10:52 89192]
R2 CSHelper;CopySafe Helper Service;c:\windows\system32\CSHelper.exe [04/03/2009 00:22 266240]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [22/05/2009 16:06 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [23/05/2009 10:35 101936]
S2 gupdate1c962a48d00b644;Google Update Service (gupdate1c962a48d00b644);c:\program files\Google\Update\GoogleUpdate.exe [20/12/2008 14:12 133104]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
S4 LkWebLink;Inter-Tel Collaboration Remote Client;c:\documents and settings\Julian\My Documents\Inter-Tel\Collaboration Client 2.0\lkWebLink.exe [20/09/2007 18:10 32768]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - SISPORT
*Deregistered* - SiSPort
.
Contents of the 'Scheduled Tasks' folder

2009-05-21 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 12:34]

2009-05-30 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-12-20 20:04]

2009-05-30 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2008-12-20 16:25]
.
- - - - ORPHANS REMOVED - - - -

SafeBoot-procexp90.Sys


.
------- Supplementary Scan -------
.
uStart Page = https://www.orderkleeneze.co.uk/ordering/login.aspx
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
IE: &D&ownload &with BitComet - c:\program files\BitComet\BitComet.exe/AddLink.htm
IE: &D&ownload all video with BitComet - c:\program files\BitComet\BitComet.exe/AddVideo.htm
IE: &D&ownload all with BitComet - c:\program files\BitComet\BitComet.exe/AddAllLink.htm
IE: Convert link target to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert to existing PDF - c:\program files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
IE: Send to &Bluetooth Device... - c:\program files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
FF - ProfilePath - c:\documents and settings\Julian\Application Data\Mozilla\Firefox\Profiles\o1kf5ox7.default\
FF - prefs.js: browser.startup.homepage - hxxps://www.orderkleeneze.co.uk/ordering/login.aspx
FF - component: c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\IPSFFPlgn\components\IPSFFPl.dll
FF - component: c:\program files\Real\RealPlayer\browserrecord\components\nprpbrowserrecordplugin.dll
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Google\Update\1.2.145.5\npGoogleOneClick8.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-30 08:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\diMaster.dll\" /prefetch:1"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(124)
c:\program files\Trusteer\Rapport\bin\rooksbas.dll
c:\windows\system32\ieframe.dll
c:\program files\Microsoft Office\OFFICE11\msohev.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\btncopy.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\program files\Roxio\Easy Media Creator 8\Drag to Disc\Shellex.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
c:\program files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
c:\windows\system32\rundll32.exe
c:\program files\Common Files\Roxio Shared\SharedCOM8\CPSHelpRunner.exe
c:\program files\WIDCOMM\Bluetooth Software\BTStackServer.exe
.
**************************************************************************
.
Completion time: 2009-05-30 8:05 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-30 07:05

Pre-Run: 91,206,840,320 bytes free
Post-Run: 91,869,863,936 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

296 --- E O F --- 2009-05-13 22:26
 

Premium Member · 29,790 Posts
Hello Jaylint. Please tell us how your system is behaving. Are your links working now?

Please copy this page to Notepad and Save it to your Desktop in order to assist you when carrying out the following instructions.

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding.
Ensure that there aren't any opened browsers when you are carrying out the procedures below.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

------------------------------------------------------

I see you have P2P software (BitComet) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

References for the risk of these programs are here, here, and here.

I would strongly recommend that you uninstall it, however that choice is up to you. If you choose to remove this program, you can do so via Control Panel >> Add or Remove Programs.

------------------------------------------------------

Go Start > Run and copy/paste the following single-line command into the Run box and click OK:

sc delete FXDRV

A DOS window will open and close again, this is normal.

------------------------------------------------------

Open Notepad and copy/paste the entire contents of the codebox below into Notepad (don't forget to copy and paste REGEDIT4):

Code:
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Connection Wizard] 
"ShellNext"=-
Save the file as fix.reg, choose Save as type: All Files, then close the Notepad file.
It should look like this:


Double-click on fix.reg and choose Yes to merge/add it to the registry. Please delete the file afterwards.

------------------------------------------------------

Your Java is out of date.

Java(TM) 6 Update 13 can be updated from the Java Control Panel. Go Start > Control Panel(Classic View) > Java (looks like a coffee cup) > Update Tab > Update Now. An update should begin; follow the prompts.

Make sure you untick the box next to Yahoo Toolbar for Firefox/Mozilla or MSN Toolbar unless you want it.

------------------------------------------------------

Please download ATF-Cleaner by Atribune and Save it to your Desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

------------------------------------------------------

Please run this online scan to help look for remnants.

Establish an internet connection & perform an online scan at Kaspersky Online Scanner

Ensure your external and/or USB drives are inserted during the scan.

Click Accept, when prompted to download and install the program files and database of malware definitions.
  • Click Run at any Security prompt.
  • The program will then begin downloading and installing and will also update the database.
  • Please be patient as this can take several minutes.
  • Once the update is complete, click on My Computer under the green Scan bar to the left to start the scan.
  • Once the scan is complete, it will display if your system has been infected.
  • It does not provide an option to clean/disinfect. We only require a report from it.
  • Do NOT be alarmed by what you see in the report. Many of the finds have likely been quarantined.
  • Click View scan report at the bottom.
  • Click the Save Report As... button.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply.


**Note**

To optimize scanning time and produce a more sensible report for review:
  • Close any open programs.
  • Turn off the real-time scanner of all antivirus or antispyware programs while performing the online scan.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

------------------------------------------------------

Please post the following in your next reply:

Kaspersky report
report on system behavior
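The `sc delete FXDRV` step above targets the one service in the ComboFix log whose binary is missing: `S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]`, where the `[?]` means ComboFix could not find the file on disk. The Python below is an added example, not part of this thread or of ComboFix: it parses ComboFix's `R`/`S` service lines and lists services whose image file is gone, which is what makes a registration an orphan worth removing. The four sample lines are copied from the log posted above; the line layout it assumes (status letter, start-type digit, `name;display;path [date time size]` or `[?]`) is inferred from those lines, not documented by ComboFix.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# ComboFix service/driver line, e.g.
#   R0 SymEFA;Symantec Extended File Attributes;c:\...\SymEFA.sys [22/05/2009 16:07 310320]
#   S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
# Leading letter: R = running, S = stopped. Digit: Windows service start type
# (0 boot, 1 system, 2 auto, 3 demand, 4 disabled). The bracket holds
# "dd/mm/yyyy HH:MM size" for a file ComboFix found, or "?" if it did not.
# (Layout inferred from the posted log; assumption, not a ComboFix specification.)
_SERVICE_LINE = re.compile(r"^([RS])([0-4]) ([^;]+);([^;]*);(.*) \[(.*)\]$")
START_TYPES = {0: "boot", 1: "system", 2: "auto", 3: "demand", 4: "disabled"}


@dataclass
class ServiceEntry:
    running: bool
    start_type: str
    name: str
    display_name: str
    image_path: str
    file_present: bool
    size: Optional[int]


def parse_combofix_services(text: str) -> List[ServiceEntry]:
    """Parse the R*/S* service lines out of a ComboFix log excerpt."""
    entries = []
    for line in text.splitlines():
        m = _SERVICE_LINE.match(line.strip())
        if not m:
            continue  # headers, blanks, lines from other sections
        status, start, name, display, path, meta = m.groups()
        # "registered --> resolved" appears when the registered path used a \??\ prefix
        if " --> " in path:
            path = path.split(" --> ", 1)[1]
        present = meta != "?"
        size = int(meta.rsplit(" ", 1)[1]) if present else None
        entries.append(ServiceEntry(
            running=status == "R",
            start_type=START_TYPES[int(start)],
            name=name,
            display_name=display,
            image_path=path,
            file_present=present,
            size=size,
        ))
    return entries


def orphaned_services(entries: List[ServiceEntry]) -> List[ServiceEntry]:
    """Services still registered with the SCM whose image file no longer exists."""
    return [e for e in entries if not e.file_present]


def sc_delete_commands(entries: List[ServiceEntry]) -> List[str]:
    """The `sc delete` command for each orphan, quoting names that contain spaces."""
    cmds = []
    for e in orphaned_services(entries):
        cmds.append(f'sc delete "{e.name}"' if " " in e.name else f"sc delete {e.name}")
    return cmds


# Sample input: four lines copied from the ComboFix log posted in this thread.
SAMPLE_LOG = r"""
R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1005000.086\SymEFA.sys [22/05/2009 16:07 310320]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Norton AntiVirus\Engine\16.5.0.134\ccSvcHst.exe [22/05/2009 16:06 115560]
S2 gupdate1c962a48d00b644;Google Update Service (gupdate1c962a48d00b644);c:\program files\Google\Update\GoogleUpdate.exe [20/12/2008 14:12 133104]
S3 FXDRV;FXDRV;\??\d:\fxdrv.sys --> d:\Fxdrv.sys [?]
"""

if __name__ == "__main__":
    parsed = parse_combofix_services(SAMPLE_LOG)
    for e in parsed:
        flag = "" if e.file_present else "   <-- file missing"
        print(f"{e.name:28} {e.start_type:8} {e.image_path}{flag}")
    for cmd in sc_delete_commands(parsed):
        print(cmd)
```

A missing image file is the usual reason a helper removes a registration rather than the file: the driver cannot load, but a stale `S3` entry pointing at removable media (`d:\fxdrv.sys` here) would try to load whatever later appears at that path, so deleting the service closes that door.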
 

Registered · 16 Posts · Discussion Starter · #5
--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT 1
Tuesday, June 2, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, June 02, 2009 10:28:21
Records in database: 2295588
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:


Scan statistics:
Files scanned: 103614
Threat name: 3
Infected objects: 3
Suspicious objects: 0
Duration of the scan: 04:09:21


File name / Threat name / Threats count
C:\Mailstore\Deleted Items.dbx Infected: Trojan-Spy.HTML.Halifraud.e 1
C:\Mailstore\Inbox.dbx Infected: Backdoor.Win32.IRCBot.si 1
C:\Mailstore\Sent Items.dbx Infected: Backdoor.Win32.Breplibot.ai 1

The selected area was scanned.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT 2
Tuesday, June 2, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Tuesday, June 02, 2009 10:28:21
Records in database: 2295588
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - Folder:
E:\

Scan statistics:
Files scanned: 3161
Threat name: 1
Infected objects: 1
Suspicious objects: 0
Duration of the scan: 00:13:23


File name / Threat name / Threats count
E:\AUTORUN.FCB Infected: Worm.Win32.AutoRun.spw 1

The selected area was scanned.
 

Registered · 16 Posts · Discussion Starter · #6
Hi Chemist,
In answer to your question "are your links working now" the answer is
"not always". Links sent within emails and within some webpages often will not work (although I can copy and paste into a browser with success), whilst links on webpages (buttons etc.) usually do.
 

Premium Member · 29,790 Posts
Hello again, Jaylint. Ensure your E: drive is inserted.

Go to Start > Run and copy/paste the following into the Run box and click OK:

cmd /c del /a/f/q "E:\AUTORUN.FCB"

A DOS window will open and close again, this is normal.

------------------------------------------------------

Download Flash_Disinfector.exe and Save it to your Desktop.
  • Close any open browsers.
  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives including your mobile phone. Please do so and allow the utility to clean up all those drives.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
------------------------------------------------------

Kaspersky has detected 1 infected email in each of the following Folders:

C:\Mailstore\Deleted Items.dbx
C:\Mailstore\Inbox.dbx
C:\Mailstore\Sent Items.dbx

Unfortunately, it only tells us where the emails are, and not their names. You will have to find the emails and delete them. They are likely emails with an attachment. If you are not sure what they are, you will have to delete emails until a scan of those folders comes up clean. You can configure Kaspersky to scan only those folders. Let me know when you find and delete them.

------------------------------------------------------

Since you didn't scan 'My Computer', I cannot guarantee your machine is clean. To be absolutely sure, redo the Kaspersky scan, and choose 'My Computer'. Else, let me know and I will give you some final instructions.

------------------------------------------------------
 

Registered · 16 Posts · Discussion Starter · #8
Finally ...

After many scans, I have managed to track down all four threats and delete them. This is the latest scan of 'My Computer':

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0 REPORT
Thursday, June 4, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Program database last update: Wednesday, June 03, 2009 08:49:01
Records in database: 2300667
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\

Scan statistics:
Files scanned: 107193
Threat name: 0
Infected objects: 0
Suspicious objects: 0
Duration of the scan: 08:09:05

No malware has been detected. The scan area is clean.

The selected area was scanned.

----------------------------------------------------------------------------------
What do I have to do to repair the remaining 'links' problem? Links within emails and on webpages do not activate (although buttons on webpages usually do). I am able to copy link information & paste into a browser with success (Flash links excepted, of course).
 

Registered · 16 Posts · Discussion Starter · #9
I should have mentioned, my flash drive was also cleaned successfully using the cleaner via the link you sent above (although Norton initially identified the program as a trojan and removed it automatically). Thank you.
 

Premium Member · 29,790 Posts
Hello again, Jaylint. Does the problem still occur in IE only? Other browsers work fine?

------------------------------------------------------

Download RootRepeal.zip to your Desktop and click 'Extract all files' to extract the compressed file to its own folder.

  • Double-click on RootRepeal.exe to run it.
  • Click on the 'Report' tab, and then click on 'Scan'.
  • A window opens asking what to include in the scan.
  • Check the following boxes then click 'OK':
Drivers
Files
Processes
SSDT
Stealth Objects
Hidden Services
  • You will then be asked which drive to scan.
  • Check C: (or the drive your operating system is installed on, if not C:)
  • Click 'OK' once again.
  • The tool will begin scanning and may take a while to complete, so please be patient.
  • When the scan finishes, click on 'Save Report'.
  • Save the log to your desktop, using a distinctive name, such as RootRepeal.txt.
  • Post the log in your next reply.
------------------------------------------------------
 

Registered · 16 Posts · Discussion Starter · #11
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Time: 2009/06/07 23:02
Program Version: Version 1.3.0.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7ACA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7D35000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5D4B000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF76CF000 Size: 323584 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector
Status: Locked to the Windows API!

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8201dba0

#: 013 Function Name: NtAlertThread
Status: Hooked by "<unknown>" at address 0x8201dd18

#: 017 Function Name: NtAllocateVirtualMemory
Status: Hooked by "<unknown>" at address 0x81fb10b8

#: 019 Function Name: NtAssignProcessToJobObject
Status: Hooked by "<unknown>" at address 0x8201ca68

#: 031 Function Name: NtConnectPort
Status: Hooked by "<unknown>" at address 0x81f70998

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb7cd93f4

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb7e9a040

#: 043 Function Name: NtCreateMutant
Status: Hooked by "<unknown>" at address 0x8206a350

#: 052 Function Name: NtCreateSymbolicLinkObject
Status: Hooked by "<unknown>" at address 0x820c1768

#: 053 Function Name: NtCreateThread
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb7cdd9d8

#: 057 Function Name: NtDebugActiveProcess
Status: Hooked by "<unknown>" at address 0x8201cd50

#: 062 Function Name: NtDeleteFile
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb7cd9556

#: 063 Function Name: NtDeleteKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb7e9a2c0

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb7e9a820

#: 068 Function Name: NtDuplicateObject
Status: Hooked by "<unknown>" at address 0x8223e1d0

#: 083 Function Name: NtFreeVirtualMemory
Status: Hooked by "<unknown>" at address 0x821015c0

#: 089 Function Name: NtImpersonateAnonymousToken
Status: Hooked by "<unknown>" at address 0x8201d748

#: 091 Function Name: NtImpersonateThread
Status: Hooked by "<unknown>" at address 0x8201d8c0

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8209f108

#: 108 Function Name: NtMapViewOfSection
Status: Hooked by "<unknown>" at address 0x821a63e0

#: 114 Function Name: NtOpenEvent
Status: Hooked by "<unknown>" at address 0x8201d490

#: 116 Function Name: NtOpenFile
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb7cd94ac

#: 122 Function Name: NtOpenProcess
Status: Hooked by "<unknown>" at address 0x822313b8

#: 123 Function Name: NtOpenProcessToken
Status: Hooked by "<unknown>" at address 0x8201e7e0

#: 125 Function Name: NtOpenSection
Status: Hooked by "<unknown>" at address 0x8201d100

#: 128 Function Name: NtOpenThread
Status: Hooked by "<unknown>" at address 0x81cc7830

#: 137 Function Name: NtProtectVirtualMemory
Status: Hooked by "<unknown>" at address 0x820b1d50

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb7cdca64

#: 192 Function Name: NtRenameKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb7cdc9ce

#: 193 Function Name: NtReplaceKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb7cdca00

#: 204 Function Name: NtRestoreKey
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb7cdca32

#: 206 Function Name: NtResumeThread
Status: Hooked by "<unknown>" at address 0x8201f110

#: 213 Function Name: NtSetContextThread
Status: Hooked by "<unknown>" at address 0x8201e1a8

#: 224 Function Name: NtSetInformationFile
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb7cd95b6

#: 228 Function Name: NtSetInformationProcess
Status: Hooked by "<unknown>" at address 0x82164c20

#: 240 Function Name: NtSetSystemInformation
Status: Hooked by "<unknown>" at address 0x8201d0c8

#: 247 Function Name: NtSetValueKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb7e9aa70

#: 253 Function Name: NtSuspendProcess
Status: Hooked by "<unknown>" at address 0x8201d318

#: 254 Function Name: NtSuspendThread
Status: Hooked by "<unknown>" at address 0x8201de90

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "<unknown>" at address 0x8201e958

#: 258 Function Name: NtTerminateThread
Status: Hooked by "<unknown>" at address 0x8201e0d0

#: 267 Function Name: NtUnmapViewOfSection
Status: Hooked by "<unknown>" at address 0x8201e320

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb7cdda18

==EOF==
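RootRepeal names the driver it believes owns each SSDT hook and prints `<unknown>` when it cannot; the `<unknown>` hooks above sit at 0x81xxxxxx/0x82xxxxxx addresses, which are in kernel memory but not inside any driver image the report lists. The Python below is an added example, not part of RootRepeal or of this thread: it parses the Drivers and SSDT sections of a RootRepeal report, groups hooked system calls by the module RootRepeal named, and cross-checks every `<unknown>` hook address against the `[base, base+size)` ranges of the drivers the report lists, so a hook that no listed module explains is surfaced for follow-up. The sample is an excerpt of the report posted above; because that report lists only a handful of drivers, the cross-check cannot place the `<unknown>` hooks and reports them as unexplained, which is the honest result (it does not say whether they belong to a security product or to something hidden).

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Line shapes taken from the RootRepeal 1.3 report above (assumed stable for this version).
_NAME = re.compile(r"^Name: (.+)$")
_ADDRESS = re.compile(r"^Address: 0x([0-9A-Fa-f]+)\s+Size: (\d+)")
_FUNC = re.compile(r"^#: (\d+) Function Name: (\w+)$")
_HOOK = re.compile(r'^Status: Hooked by "(.+)" at address 0x([0-9A-Fa-f]+)$')

Driver = Tuple[str, int, int]       # (name, base address, size in bytes)
Hook = Tuple[int, str, str, int]    # (SSDT index, function, owner as reported, hook address)


def parse_drivers(report: str) -> List[Driver]:
    """Collect (name, base, size) for each entry in the Drivers section."""
    drivers, current = [], None
    for line in report.splitlines():
        line = line.strip()
        m = _NAME.match(line)
        if m:
            current = m.group(1)
            continue
        m = _ADDRESS.match(line)
        if m and current is not None:
            drivers.append((current, int(m.group(1), 16), int(m.group(2))))
            current = None
    return drivers


def parse_ssdt_hooks(report: str) -> List[Hook]:
    """Collect (index, function, owner, address) for each hooked SSDT entry."""
    hooks, pending = [], None
    for line in report.splitlines():
        line = line.strip()
        m = _FUNC.match(line)
        if m:
            pending = (int(m.group(1)), m.group(2))
            continue
        m = _HOOK.match(line)
        if m and pending is not None:
            hooks.append((pending[0], pending[1], m.group(1), int(m.group(2), 16)))
            pending = None
    return hooks


def module_containing(addr: int, drivers: List[Driver]) -> Optional[str]:
    """Name of the listed driver whose [base, base+size) range holds addr, if any."""
    for name, base, size in drivers:
        if base <= addr < base + size:
            return name
    return None


def summarize(report: str) -> Tuple[Dict[str, List[str]], List[Tuple[str, int]]]:
    """Group hooked functions by reported owner, and list the <unknown> hooks that
    no listed driver range explains. Those are the ones to chase: a hook landing
    outside every known module is either a product RootRepeal could not name or
    code placed in kernel pool memory by something hidden."""
    drivers = parse_drivers(report)
    by_owner: Dict[str, List[str]] = defaultdict(list)
    unexplained: List[Tuple[str, int]] = []
    for _idx, func, owner, addr in parse_ssdt_hooks(report):
        by_owner[owner].append(func)
        if owner == "<unknown>" and module_containing(addr, drivers) is None:
            unexplained.append((func, addr))
    return dict(by_owner), unexplained


# Sample input: an excerpt of the RootRepeal report posted in this thread.
SAMPLE_REPORT = r"""
Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xB7ACA000 Size: 98304 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xB5D4B000 Size: 49152 File Visible: No Signed: -
Status: -

Name: SYMEFA.SYS
Image Path: SYMEFA.SYS
Address: 0xF76CF000 Size: 323584 File Visible: No Signed: -
Status: -

SSDT
-------------------
#: 012 Function Name: NtAlertResumeThread
Status: Hooked by "<unknown>" at address 0x8201dba0

#: 037 Function Name: NtCreateFile
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb7cd93f4

#: 041 Function Name: NtCreateKey
Status: Hooked by "C:\WINDOWS\system32\Drivers\SYMEVENT.SYS" at address 0xb7e9a040

#: 097 Function Name: NtLoadDriver
Status: Hooked by "<unknown>" at address 0x8209f108

#: 277 Function Name: NtWriteVirtualMemory
Status: Hooked by "C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys" at address 0xb7cdda18
"""

if __name__ == "__main__":
    owners, unexplained = summarize(SAMPLE_REPORT)
    for owner, funcs in owners.items():
        print(f"{owner}: {', '.join(funcs)}")
    for func, addr in unexplained:
        print(f"unexplained hook on {func} at 0x{addr:08x}")
```

Grouping by owner is what makes a hook list readable: a security product hooking file, registry and thread-creation calls from a named, on-disk driver (as RapportPG.sys and SYMEVENT.SYS do here) is expected behaviour, whereas a run of `<unknown>` hooks on process, memory and driver-loading calls is the pattern you have to resolve before calling a machine clean.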
 

Premium Member · 29,790 Posts
Hello again, Jaylint. You didn't answer my questions.

Does the problem still occur in IE only? Other browsers work fine?

Is IE set as your default browser? If not, do the following:

Go Start > (Settings) > Control Panel > Internet Options > Programs

Under 'Default web browser' click 'Make default'.

Click Apply, and then click OK.

Do the links work now?

------------------------------------------------------
 

Registered · 16 Posts · Discussion Starter · #13
Hi Chemist,

Does the problem still occur in IE only? Other browsers work fine?
"No, the problem also exists in other browsers too (Firefox)."

Is IE set as your default browser? "Yes"
 

Premium Member · 29,790 Posts

Registered · 16 Posts · Discussion Starter · #15
Hi Chemist,

I have reset my router without success. To give you an idea of what I am encountering, on a flash website I clicked a button that has this link:

javascript:OpenWindow('/en/chess/zpa/game.htm','zpa', '','','')

The link also shows up as normal in the grey bar above the blue task bar. However, when I click the link, the link 'address' changes, showing a small yellow triangle with a black exclamation mark and the message "Error on page" to the right of the triangle.

Any ideas why this might be?
 

Premium Member · 29,790 Posts
Hello again, Jaylint. As this problem seems not to be malware related, you would probably be better served in our Internet Explorer Forum.

Go Start > Run and copy/paste the following into the Run box and click OK:

regsvr32 urlmon.dll

When you receive the "DllRegisterServer in urlmon.dll succeeded" message, click OK.

Repeat for each of these:

regsvr32 Shdocvw.dll

regsvr32 Actxprxy.dll

regsvr32 Oleaut32.dll

regsvr32 Mshtml.dll

regsvr32 Browseui.dll

regsvr32 Shell32.dll

------------------------------------------------------

If that didn't fix it, do the following:

Open Notepad and copy/paste the entire contents of the codebox below into Notepad:

Code:
regedit /a peek.txt "HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}" 
start notepad peek.txt
Save this as peek.bat. Choose 'Save as type' - All Files, then close the Notepad file.
It should look like this:


Double-click on peek.bat and allow it to run. A Notepad file will open. Copy/paste that information into your next reply, please. Please delete the file afterwards.

------------------------------------------------------
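The two steps above (re-registering each DLL by hand and then exporting the IDispatch interface key) can be done in one pass. The following batch file is an added example, not part of the thread or of any Microsoft tooling: it registers the same seven DLLs silently and records each regsvr32 exit code in a log, then checks that the interface key's ProxyStubClsid32 value names the dispatch proxy/stub CLSID shown in the thread. It assumes an XP-era cmd.exe with regsvr32.exe and reg.exe available, and an Administrator account (DllRegisterServer writes to HKEY_CLASSES_ROOT, so a limited account will see failures such as 0x8002801c that have nothing to do with the DLL itself). The log file name reregister.log is an assumption.

```batch
@echo off
rem Added example (not from the thread): re-register the IE/shell COM DLLs the post
rem lists, silently, and record each result instead of clicking through message boxes.
rem Assumes cmd.exe with regsvr32.exe and reg.exe on the PATH and an Administrator
rem account; the log file name below is an assumption.
setlocal enabledelayedexpansion

set LOGFILE=%TEMP%\reregister.log
echo Re-registration run %DATE% %TIME% > "%LOGFILE%"

rem Same seven DLLs, same order as the post. /s suppresses the success/failure
rem dialogs; the exit code (0 = success) still reports the outcome of each call.
for %%D in (urlmon.dll Shdocvw.dll Actxprxy.dll Oleaut32.dll Mshtml.dll Browseui.dll Shell32.dll) do (
    regsvr32 /s %%D
    if !ERRORLEVEL! EQU 0 (
        echo OK      %%D >> "%LOGFILE%"
    ) else (
        echo FAILED  %%D  regsvr32 exit code !ERRORLEVEL! >> "%LOGFILE%"
    )
)

rem Second part of the post: inspect the IDispatch interface key that scripted links
rem depend on. ProxyStubClsid32 should point at the standard dispatch proxy/stub CLSID
rem (the value seen in the peek.txt output later in the thread).
set IFKEY=HKLM\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}
set EXPECTED={00020420-0000-0000-C000-000000000046}

reg query "%IFKEY%\ProxyStubClsid32" /ve 2>nul | find /i "%EXPECTED%" >nul
if %ERRORLEVEL% EQU 0 (
    echo IDispatch ProxyStubClsid32 OK >> "%LOGFILE%"
) else (
    rem Missing key or a different CLSID: dump the whole interface key for the reply.
    echo IDispatch ProxyStubClsid32 MISSING or UNEXPECTED >> "%LOGFILE%"
    reg query "%IFKEY%" /s >> "%LOGFILE%" 2>&1
)

rem Show the log so it can be pasted into the reply, as the post asks for peek.txt.
type "%LOGFILE%"
endlocal
```

Run it from an elevated command prompt and paste the printed log into the reply; a non-zero exit code next to a DLL is the same failure the interactive message box would have shown, but the log keeps the per-DLL result in one place. Delete the log file afterwards, as the post asks for peek.txt.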
 

Registered · 16 Posts · Discussion Starter · #17
Hi Chemist,

This is the return from the following:

*regsvr32 Shdocvw.dll* DllRegisterServer in Shdocvw.dll failed. Return code 0x8002801c

*regsvr32 Shdocvw.dll* OK

*regsvr32 Actxprxy.dll* OK

*regsvr32 Oleaut32.dll* OK

*regsvr32 Mshtml.dll* mshtml.dll was loaded, but the DllRegisterServer entry point was not found. This file cannot be registered.

*regsvr32 Browseui.dll* OK

*regsvr32 Shell32.dll* OK



RE: peek:-


REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}]
@="IDispatch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}\NumMethods]
@="7"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}\ProxyStubClsid]
@="{00020420-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface\{00020400-0000-0000-C000-000000000046}\ProxyStubClsid32]
@="{00020420-0000-0000-C000-000000000046}"
 

Premium Member · 29,790 Posts
Hello again, Jaylint. Let's try another approach.

I want you to perform a System Restore to a point before you started having problems.

Go Start > Run and copy/paste the following into the Run box and click OK:

%systemroot%\system32\restore\rstrui.exe

Choose an available Restore Point to before you started having problems.

Click 'Next' and follow the prompts. Let me know if you were successful.

------------------------------------------------------
 