Unsolved


23 Posts


May 8th, 2009 13:00

worm autorun

Hi all, can anyone help? I can't get rid of this worm. Scanned with Malwarebytes, but it's still there.

Plus I keep getting lots of trojans and getting redirected on Google.

Malwarebytes' Anti-Malware 1.36
Database version: 2056
Windows 5.1.2600 Service Pack 3

08/05/2009 20:01:03
mbam-log-2009-05-08 (20-00-44).txt

Scan type: Quick Scan
Objects scanned: 85450
Time elapsed: 10 minute(s), 23 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> No action taken.

23 Posts

May 8th, 2009 13:00

This is my HijackThis log, if it is any help to anybody, please.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:45:49, on 08/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent_DNA\btdna.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcfc.co.uk/default.sps
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://172.16.30.35/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\btdna.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\xpelnhp.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\xpelnhp.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1610226734.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O20 - AppInit_DLLs: mctphy.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 9667 bytes
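The following is an added triage example, not code from anyone in this thread and not part of HijackThis: it runs a reviewer's first-pass rules over a constructed subset of the O2/O4/O6/O10/O15/O20/O23 lines copied from the log above. It flags autoruns launched from a temp directory (ranked higher when they run in the SYSTEM context), a non-empty AppInit_DLLs value, an Internet Explorer restrictions policy, a wildcard Trusted Zone, orphaned entries whose file is gone, and a Winsock LSP registered more than once. The regular expressions, the severity labels and the `looks_random` heuristic are my own assumptions rather than HijackThis conventions, and the script only reports; it changes nothing on the machine.

```python
import re
from collections import Counter

# Constructed sample: a subset of lines copied from the HijackThis log in this
# thread, so the script runs offline without a real log file.
SAMPLE_HJT_LOG = r"""
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C2BA40A1-74F3-42BD-F434-12345A2C8953} - (no file)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\xpelnhp.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\xpelnhp.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Diagnostic Manager] C:\WINDOWS\TEMP\1610226734.exe (User 'SYSTEM')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O15 - Trusted Zone: *.download.com
O20 - AppInit_DLLs: mctphy.dll
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
"""

# O4 registry autorun line: hive, value name in [], target, optional (User '...').
O4_RE = re.compile(
    r"^O4 - (?P<hive>\S+?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] "
    r"(?P<target>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
TEMP_DIR = re.compile(r"\\temp\\", re.I)
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def looks_random(name):
    # Assumed heuristic: a long run of lowercase letters with no spaces or dots,
    # the shape of the machine-generated value names in this log.
    return len(name) >= 12 and name.isalpha() and name.islower()


def triage(log_text):
    """Return (severity, reason, line) tuples, highest severity first."""
    findings = []
    lsp_counts = Counter()
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m:
            name, target, user = m.group("name"), m.group("target"), m.group("user")
            if TEMP_DIR.search(target):
                # Legitimate software does not persist from a temp directory;
                # doing so under the SYSTEM account is the worst case.
                sev = "high" if user == "SYSTEM" else "medium"
                findings.append((sev, "autorun launches from a temp directory", line))
            elif not name or looks_random(name):
                findings.append(("medium", "autorun with empty or random-looking value name", line))
            continue
        if line.startswith("O20 - AppInit_DLLs:"):
            dlls = line.split(":", 1)[1].strip()
            if dlls:
                # AppInit_DLLs is loaded into every process that links user32.dll.
                findings.append(("high", "AppInit_DLLs injects %s into user-mode processes" % dlls, line))
        elif line.startswith("O6 -"):
            findings.append(("medium", "IE restrictions policy present; check for policy tampering", line))
        elif line.startswith("O10 -"):
            lsp_counts[line] += 1
        elif line.startswith("O15 -") and "*." in line:
            findings.append(("low", "wildcard Trusted Zone entry lowers IE security for a whole domain", line))
        elif line.startswith(("O2 -", "O23 -")) and ("(no file)" in line or "(file missing)" in line):
            findings.append(("low", "orphaned entry: referenced file no longer exists", line))
    for lsp_line, n in lsp_counts.items():
        if n > 1:
            findings.append(("low", "Winsock LSP registered %d times; verify the chain before touching it" % n, lsp_line))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


def severity_counts(findings):
    return dict(Counter(sev for sev, _, _ in findings))


if __name__ == "__main__":
    for sev, reason, line in triage(SAMPLE_HJT_LOG):
        print("[%-6s] %s\n         %s" % (sev.upper(), reason, line))
    print(severity_counts(triage(SAMPLE_HJT_LOG)))
```

Run as-is it prints the ranked findings for the sample; pass a full log's text to `triage()` to apply the same rules to it. The O10 rule deliberately only counts duplicates: deleting Winsock LSP entries without repairing the chain can leave the machine with no working networking, so those lines are reported for a human to look at rather than scored as malicious.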

4 Apprentice


20.5K Posts

May 8th, 2009 17:00

Welcome. Thank you for using Dell Community Forums.

I am reviewing your log. It appears that you are auto-starting a [BitTorrent] client, yet have no antivirus software installed. All I see running is Stopzilla. This is both reckless and dangerous to your data and privacy. While I arrange for how to deal with this, you can help me by addressing the following:

* Have you posted this issue on another forum? If so, please provide a link to the topic.

* If you have disabled System Restore in an attempt to begin cleaning malware, please enable it now. We will flush System Restore when we are finished cleaning and we are sure that everything is running smoothly.

* If you are using any cracked software, please remove it. In addition to being illegal, when you install cracked software, you are running executable files from dubious, unknown sources. You are giving these sources access to information on your hard disk, and potential control over operation of your computer. Definition of cracked software HERE.

* If you are using any P2P (file sharing) programs, please remove them before we clean your computer. The nature of such software and the high incidence of malware in files downloaded with them is counter productive to restoring your PC to a healthy state. That includes BitTorrent and similar programs. There is a list HERE.

* If this computer belongs to someone else, do you have authority to apply the fixes we will use?

* Have you already fixed entries using HijackThis? If so, please restore all the backups and then post another log.

* After we begin working, please print or copy all instructions to Notepad in order to assist you when carrying out procedures. Please follow all instructions in sequence. Do not, on your own, install/re-install any programs or run any fixes or scanners that you have not been instructed to use because this may cause conflicts with the tools that I am using. Please note that these fixes are not instantaneous. Most infections require more than one round to properly eradicate. It is understood by the trained analysts that once a helper replies to a log, he continues working with you until the issue is resolved.

* During the course of our cleanup please do not do any additional online work or surfing until we have verified that your system is clean.

* We may be using some specialized tools during our fix. Certain embedded files that are part of legitimate programs or specialized fix tools such as process.exe, restart.exe, SmiUpdate.exe, reboot.exe, ws2fix.exe, prcviewer.exe and nircmd.exe may at times be detected by some anti-virus/anti-malware scanners as a "RiskTool", "Hacking tool", "Potentially unwanted tool", or even "malware (virus/trojan)" when that is not the case. Such programs have legitimate uses in contexts where an authorized user or administrator has knowingly installed them. These detections do not necessarily mean the file is malware or a bad program. It means it has the potential for being misused by others. Anti-virus scanners cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert you or even automatically remove them.

* If your replies do not fit in one post while we are handling your issue, please reply to yourself until all text is submitted. It may take several posts.

I look forward to your reply so we can begin cleaning.

Instructions posted for this user are customized for this user only. The tools used may cause damage if used on a computer with different infections. If you think you have similar problems, please post a log at the top of this board to start a new forum topic.


23 Posts

May 9th, 2009 06:00

Thanks for helping, bugbatter. I did have McAfee installed, but it would not let me scan, so I uninstalled it and put STOPzilla on, so it has only been a week or two without AV software. Should I put McAfee back on or wait for you to do your magic? I have got rid of P2P, have no cracked software, and it is my PC, so it's OK to use. Look forward to hearing from you. Thanks again.


4 Apprentice


20.5K Posts

May 9th, 2009 13:00

We can leave McAfee off so it does not interfere with our tools if you do not use the computer for anything but to come here. When we are finished, you can reinstall McAfee as long as your subscription is still valid. Most likely the infection came from using P2P/BitTorrent.

We need to see some additional information about what is happening in your machine.

  • Download DDS by sUBs from one of the following links. Save it to your desktop.
  • Double click on the DDS icon, allow it to run.
  • A small box will open, with an explanation about the tool.
  • Click Yes at the prompt for Optional Scan.
  • When done, DDS will open two (2) logs:
    1. DDS.txt
    2. Attach.txt

  • Save both reports to your desktop.
  • Copy/paste both logs to your reply on the forum.
  • Close the program window, and delete the program from your desktop.
  • Please note: You may have to disable any script protection running if the scan fails to run. After downloading the tool, disconnect from the internet to run the scan.

23 Posts

May 9th, 2009 14:00

Hi bugbatter, got those reports.

UNLESS SPECIFICALLY INSTRUCTED, DO NOT POST THIS LOG.
IF REQUESTED, ZIP IT UP & ATTACH IT

DDS (Ver_09-03-16.01)

Microsoft Windows XP Home Edition
Boot Device: \Device\HarddiskVolume2
Install Date: 05/12/2005 17:59:25
System Uptime: 05/09/2009 13:15:39 (-2848 hours ago)

Motherboard: Dell Computer Corp. |  | 0CF458
Processor:                 Intel(R) Celeron(R) CPU 2.80GHz | Microprocessor | 2793/533mhz

==== Disk Partitions =========================

C: is FIXED (NTFS) - 71 GiB total, 53.304 GiB free.
D: is CDROM ()

==== Disabled Device Manager Items =============

==== System Restore Points ===================

RP1: 06/05/2009 17:53:55 - System Checkpoint
RP2: 08/05/2009 19:29:41 - System Checkpoint
RP3: 09/05/2009 20:24:08 - System Checkpoint

==== Installed Programs ======================

4oD
Adobe Flash Player 10 Plugin
Adobe Reader 7.0
Adobe Shockwave Player 11
AOL You've Got Pictures Screensaver
Apple Software Update
ARTEuro
AutoUpdate
BlueSoleil
BOB Books Version 1.5.0.3
CCleaner (remove only)
Critical Update for Windows Media Player 11 (KB959772)
dBpoweramp Music Converter
dBpoweramp Ogg Vorbis Codec
Dell Driver Reset Tool
Dell Media Experience
Dell Photo Printer 720
Dell Photo Printer 720 Logger
Dell Picture Studio v3.0
Dell Support Center (Support Software)
Dell System Restore
DellSupport
Disc2Phone
DivX Codec
DivX Converter
DivX Player
DivX Web Player
DNA
FinePix Studio
FinePixViewer Resource
FinePixViewer Ver.5.3
FUJIFILM USB Driver
getPlus(R) for Adobe
HijackThis 2.0.2
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows Internet Explorer 7 (KB947864)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB952287)
Hotfix for Windows XP (KB954550-v5)
Hotfix for Windows XP (KB961118)
ImageMixer VCD2 LE for FinePix
Intel(R) 537EP V9x DF PCI Modem
Intel(R) Extreme Graphics 2 Driver
Intel(R) PRO Network Adapters and Drivers
Intel(R) PROSet for Wired Connections
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 6
Jasc Paint Shop Photo Album 5
Jasc Paint Shop Pro Studio, Dell Editon
Java 2 Runtime Environment, SE v1.4.2_03
Learn2 Player (Uninstall Only)
LOFooty TV Player
Malwarebytes' Anti-Malware
Map Button (Windows Live Toolbar)
Match-Up!
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 7.0
Modem Event Monitor
Modem Helper
Modem On Hold
Mozilla Firefox (3.0.10)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MyWay Search Assistant
OneCare Advisor (Windows Live Toolbar)
Photo Manager
PokerStars
Popup Blocker (Windows Live Toolbar)
PowerDVD 5.5
QuickTime
RealPlayer
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Internet Explorer 7 (KB950759)
Security Update for Windows Internet Explorer 7 (KB953838)
Security Update for Windows Internet Explorer 7 (KB956390)
Security Update for Windows Internet Explorer 7 (KB958215)
Security Update for Windows Internet Explorer 7 (KB960714)
Security Update for Windows Internet Explorer 7 (KB961260)
Security Update for Windows Internet Explorer 7 (KB963027)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB923561)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB946648)
Security Update for Windows XP (KB950760)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951376-v2)
Security Update for Windows XP (KB951376)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952004)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953839)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956391)
Security Update for Windows XP (KB956572)
Security Update for Windows XP (KB956802)
Security Update for Windows XP (KB956803)
Security Update for Windows XP (KB956841)
Security Update for Windows XP (KB957095)
Security Update for Windows XP (KB957097)
Security Update for Windows XP (KB958644)
Security Update for Windows XP (KB958687)
Security Update for Windows XP (KB958690)
Security Update for Windows XP (KB959426)
Security Update for Windows XP (KB960225)
Security Update for Windows XP (KB960715)
Security Update for Windows XP (KB960803)
Security Update for Windows XP (KB961373)
Sky Anytime
Sky Broadband
Smart Menus (Windows Live Toolbar)
Sonic Audio module
Sonic DLA
Sonic RecordNow Copy
Sonic RecordNow Data
Sonic Update Manager
Sony Ericsson DRM Packager 1.21
Sony Ericsson Media Manager 1.2
Spyware Doctor 3.2
STOPzilla
Tiscali Internet
Update for Windows Internet Explorer 8 (KB968220)
Update for Windows XP (KB951072-v2)
Update for Windows XP (KB951978)
Update for Windows XP (KB955839)
Update for Windows XP (KB967715)
Viewpoint Media Player
Wanadoo Europe Installer
WebFldrs XP
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Internet Explorer 7
Windows Internet Explorer 8
Windows Live Favorites for Windows Live Toolbar
Windows Live Messenger
Windows Live OneCare safety scanner
Windows Live Outlook Toolbar (Windows Live Toolbar)
Windows Live Sign-in Assistant
Windows Live Toolbar
Windows Live Toolbar Extension (Windows Live Toolbar)
Windows Live Toolbar Feed Detector (Windows Live Toolbar)
Windows Media Format 11 runtime
Windows Media Player 11
Windows Resource Kit Tools - SubInAcl.exe
Windows XP Service Pack 3

==== Event Viewer Messages From Past Week ========

09/05/2009 00:20:20, error: System Error [1003]  - Error code 100000d1, parameter1 e19d0000, parameter2 00000002, parameter3 00000000, parameter4 f08b8cf1.
08/05/2009 17:36:14, error: System Error [1003]  - Error code 100000d1, parameter1 e1a1b000, parameter2 00000002, parameter3 00000000, parameter4 f08dacf1.
07/05/2009 22:42:14, error: System Error [1003]  - Error code 100000d1, parameter1 e1d09000, parameter2 00000002, parameter3 00000000, parameter4 f08b8cf1.
07/05/2009 17:12:02, error: Service Control Manager [7009]  - Timeout (30000 milliseconds) waiting for the IMAPI CD-Burning COM Service service to connect.
07/05/2009 17:12:02, error: Service Control Manager [7000]  - The IMAPI CD-Burning COM Service service failed to start due to the following error:  The service did not respond to the start or control request in a timely fashion.
07/05/2009 17:10:13, error: System Error [1003]  - Error code 100000d1, parameter1 e1a0a000, parameter2 00000002, parameter3 00000000, parameter4 f08b8cf1.
06/05/2009 21:53:35, information: Windows File Protection [64002]  - File replacement was attempted on the protected system file rundll32.exe. This file was restored to the original version to maintain system stability. The file version of the system file is 5.1.2600.5512.
03/05/2009 23:13:09, error: DCOM [10005]  - DCOM got error "%1058" attempting to start the service wuauserv with arguments "" in order to run the server: {E60687F7-01A1-40AA-86AC-DB1CBF673334}
03/05/2009 16:33:42, error: Service Control Manager [7026]  - The following boot-start or system-start driver(s) failed to load:  IntelIde
03/05/2009 16:33:42, error: Service Control Manager [7022]  - The KService service hung on starting.
03/05/2009 16:33:04, error: Service Control Manager [7000]  - The Automatic LiveUpdate Scheduler service failed to start due to the following error:  The system cannot find the file specified.

DDS (Ver_09-03-16.01) - NTFSx86
Run by christopher at 21:34:04.78 on 09/05/2009
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Home Edition  5.1.2600.3.1252.1.1033.18.254.52 [GMT 1:00]

AV: MacroVirus *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
svchost.exe
svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\BitTorrent_DNA\btdna.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe -k HTTPFilter
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Documents and Settings\christopher\Desktop\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.mcfc.co.uk/default.sps
uSearch Page = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
uSearch Bar = hxxp://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
uDefault_Page_URL = hxxp://www.sky.com
uWindow Title = Internet Explorer Provided By Sky Broadband
uInternet Connection Wizard,ShellNext = hxxp://172.16.30.35/
uSearchURL,(Default) = hxxp://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
mURLSearchHooks: H - No File
BHO: Windows Live Toolbar Helper: {bdbd1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
BHO: 1 (0x1) - No File
BHO: {C2BA40A1-74F3-42BD-F434-12345A2C8953} - No File
BHO: STOPzilla Browser Helper Object: {e3215f20-3212-11d6-9f8b-00d0b743919d} - c:\program files\stopzilla!\SZIEBHO.dll
TB: Windows Live Toolbar: {bdad1dad-c946-4a17-adc1-64b5b4ff55d0} - c:\program files\windows live toolbar\msntb.dll
TB: STOPzilla: {98828ded-a591-462f-83ba-d2f62a68b8b8} - c:\program files\stopzilla!\SZSG.dll
TB: {0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} - No File
EB: Real.com: {fe54fa40-d68c-11d2-98fa-00c0f0318afe} - c:\windows\system32\Shdocvw.dll
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [DNA] "c:\program files\bittorrent_dna\dna.exe"
uRun: [kdx] c:\program files\kontiki\KHost.exe -all
uRun: [BitTorrent DNA] "c:\program files\bittorrent_dna\btdna.exe"
uRun: [Uniblue RegistryBooster 2009] c:\program files\uniblue\registrybooster\RegistryBooster.exe /S
uRun: [MsnMsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
mRun: [SoundMAXPnP] c:\program files\analog devices\core\smax4pnp.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
mRun: [REGSHAVE] c:\program files\regshave\REGSHAVE.EXE /AUTORUN
mRun: [kdx] "c:\program files\kontiki\KHost.exe" -all
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [4oD] "c:\program files\kontiki\KHost.exe" -all
mRun: [dscactivate] "c:\program files\dell support center\gs_agent\custom\dsca.exe"
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
dRun: [ ] c:\windows\temp\xpelnhp.exe
dRun: [uidenhiufgsduiazghs] c:\windows\temp\xpelnhp.exe
dRun: [Diagnostic Manager] c:\windows\temp\1610226734.exe
dRun: [msnmsgr] "c:\program files\msn messenger\msnmsgr.exe" /background
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\ADOBER~1.LNK -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\AOL90T~1.LNK -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\dlbcserv.lnk -
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\EXIFLA~1.LNK -
dPolicies-explorer: NoFolderOptions = 1 (0x1)
dPolicies-system: DisableRegistryTools = 1 (0x1)
IE: &Windows Live Search - c:\program files\windows live toolbar\msntb.dll/search.htm
IE: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - c:\program files\pokerstars\PokerStarsUpdate.exe
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC} - c:\program files\java\jre1.5.0_10\bin\ssv.dll
IE: {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - {A1EDC4A1-940F-48E0-8DFD-E38F1D501021} - c:\progra~1\spywar~1\tools\iesdpb.dll
IE: {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - {FE54FA40-D68C-11d2-98FA-00C0F0318AFE} - c:\windows\system32\Shdocvw.dll
LSP: c:\program files\common files\is3\anti-spyware\iS3lsp.dll
Trusted Zone: download.com
Trusted Zone: internet
Trusted Zone: mcafee.com
DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} - hxxp://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/polarbear/ultrashim.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} - hxxp://java.sun.com/products/plugin/autodl/jinstall-142-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_06-windows-i586.cab
DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.5.0/jinstall-1_5_0_10-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
DPF: {D821DC4A-0814-435E-9820-661C543A4679} - hxxp://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
Filter: application/x-internet-signup - {A173B69A-1F9B-4823-9FDA-412F641E65D6} - c:\program files\tiscali\tiscali internet\dlls\tiscalifilter.dll
Notify: igfxcui - igfxdev.dll
AppInit_DLLs: mctphy.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\christ~1\applic~1\mozilla\firefox\profiles\zan04yk6.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.mcfc.co.uk/mcfc/splashpage/standard.sps?itype=11643&icustompageid=23575&bg=1|http://www.google.co.uk/firefox?client=firefox-a&rls=org.mozilla:en-GB:official
FF - plugin: c:\program files\bittorrent_dna\plugins\npbtdna.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava11.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava12.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava13.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava14.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJava32.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPJPI150_10.dll
FF - plugin: c:\program files\java\jre1.5.0_10\bin\NPOJI610.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll

---- FIREFOX POLICIES ----
FF - user.js: dom.disable_open_during_load - true // Popupblocker control handled by McAfee Privacy Service

============= SERVICES / DRIVERS ===============

R0 szkg5;szkg;c:\windows\system32\drivers\SZKG.sys [2009-3-12 54656]
R1 mfehidk;McAfee Inc. mfehidk;c:\windows\system32\drivers\mfehidk.sys [2008-10-8 214024]
S0 ithfvx;ithfvx;c:\windows\system32\drivers\drjg.sys --> c:\windows\system32\drivers\drjg.sys [?]
S3 mfeavfk;McAfee Inc. mfeavfk;c:\windows\system32\drivers\mfeavfk.sys [2008-10-8 79880]
S3 mfebopk;McAfee Inc. mfebopk;c:\windows\system32\drivers\mfebopk.sys [2008-10-8 35272]
S3 mferkdk;McAfee Inc. mferkdk;c:\windows\system32\drivers\mferkdk.sys [2008-10-8 34216]
S3 mfesmfk;McAfee Inc. mfesmfk;c:\windows\system32\drivers\mfesmfk.sys [2008-10-8 40552]
S3 Smc1046;EZ Connect USB to Dual Speed Ethernet Converter;c:\windows\system32\drivers\SMCUSB.sys [2005-12-5 25260]

=============== Created Last 30 ================

2009-05-09 13:31    360    a-------    c:\windows\system32\drivers\kgpfr2.cfg
2009-05-09 13:31    27,648    a-------    c:\windows\system32\lmn_setup.exe
2009-05-09 13:17    1,280    a-------    c:\windows\system32\drivers\kgpcpy.cfg
2009-05-08 20:44         --d-----    c:\program files\Trend Micro
2009-05-03 16:35    3,448    a-------    c:\windows\system32\lmppcsetup.exe
2009-05-01 14:50    12,388    a-------    c:\windows\system32\load.exe
2009-04-30 20:19         --d-----    c:\docume~1\alluse~1\applic~1\SITEguard
2009-04-30 20:17         --d-----    c:\program files\STOPzilla!
2009-04-30 20:17         --d-----    c:\program files\common files\iS3
2009-04-30 20:17         --d-----    c:\docume~1\alluse~1\applic~1\STOPzilla!
2009-04-30 18:59         --d-----    c:\program files\Spyware Doctor
2009-04-29 17:10    1,089,593    --------    c:\windows\system32\dllcache\ntprint.cat
2009-04-28 23:21         --dsh---    c:\documents and settings\christopher\PrivacIE
2009-04-28 23:14         --dsh---    c:\documents and settings\christopher\IETldCache
2009-04-28 23:09         --d-----    c:\windows\ie8updates
2009-04-28 23:08    105,984    --------    c:\windows\system32\dllcache\iecompat.dll
2009-04-28 23:04         -cd-h---    c:\windows\ie8
2009-04-28 22:42         --d-----    c:\windows\system32\XPSViewer
2009-04-28 22:41    1,676,288    --------    c:\windows\system32\xpssvcs.dll
2009-04-28 22:41    1,676,288    --------    c:\windows\system32\dllcache\xpssvcs.dll
2009-04-28 22:41    597,504    --------    c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-04-28 22:41    575,488    --------    c:\windows\system32\xpsshhdr.dll
2009-04-28 22:41    575,488    --------    c:\windows\system32\dllcache\xpsshhdr.dll
2009-04-28 22:41    117,760    --------    c:\windows\system32\prntvpt.dll
2009-04-28 22:41    89,088    --------    c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-04-28 22:41         --d-----    C:\4771a3014d5c1b26b21e7f50c9d25b27
2009-04-28 19:41         --d-----    c:\docume~1\christ~1\applic~1\McAfee
2009-04-28 17:04         --d-----    C:\spoolerlogs
2009-04-27 21:32    5,284    a-------    c:\windows\system32\b7966a0ebb.ax
2009-04-27 21:29    27,648    a-------    c:\windows\system32\lspsrf.dll
2009-04-24 19:01    54,156    a---h---    c:\windows\QTFont.qfn
2009-04-24 19:01    1,409    a-------    c:\windows\QTFont.for
2009-04-24 18:45    88    ---shr--    c:\docume~1\alluse~1\applic~1\025975C174.sys
2009-04-24 18:45    2,828    a--sh---    c:\docume~1\alluse~1\applic~1\KGyGaAvL.sys
2009-04-24 18:16         --d-----    c:\program files\Corel
2009-04-23 23:07    155    a-------    c:\windows\system32\SelfDel.bat
2009-04-18 18:20    2,560    --------    c:\windows\system32\xpsp4res.dll
2009-04-18 18:20    1,203,922    --------    c:\windows\system32\dllcache\sysmain.sdb
2009-04-18 18:20    215,552    --------    c:\windows\system32\dllcache\wordpad.exe
2009-04-18 18:10    284,160    --------    c:\windows\system32\dllcache\pdh.dll
2009-04-18 18:09    35,328    --------    c:\windows\system32\dllcache\sc.exe
2009-04-18 18:09    401,408    --------    c:\windows\system32\dllcache\rpcss.dll
2009-04-18 18:09    110,592    --------    c:\windows\system32\dllcache\services.exe
2009-04-18 18:09    473,600    --------    c:\windows\system32\dllcache\fastprox.dll
2009-04-18 18:09    227,840    --------    c:\windows\system32\dllcache\wmiprvse.exe
2009-04-18 18:09    453,120    --------    c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-18 18:09    729,088    --------    c:\windows\system32\dllcache\lsasrv.dll
2009-04-18 18:09    617,472    --------    c:\windows\system32\dllcache\advapi32.dll
2009-04-18 18:09    714,752    --------    c:\windows\system32\dllcache\ntdll.dll

==================== Find3M  ====================

2009-04-06 15:32    38,496    a-------    c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-06 15:32    15,504    a-------    c:\windows\system32\drivers\mbam.sys
2009-03-31 14:57    17,408    a----r--    c:\windows\system32\SZIO5.dll
2009-03-31 14:56    294,912    a----r--    c:\windows\system32\SZBase5.dll
2009-03-31 14:55    540,672    a----r--    c:\windows\system32\SZComp5.dll
2009-03-27 10:56    126,976    a----r--    c:\windows\system32\IS3HTUI5.dll
2009-03-27 10:55    393,216    a----r--    c:\windows\system32\IS3DBA5.dll
2009-03-27 10:55    372,736    a----r--    c:\windows\system32\IS3UI5.dll
2009-03-27 10:55    61,440    a----r--    c:\windows\system32\IS3Hks5.dll
2009-03-27 10:54    23,040    a----r--    c:\windows\system32\IS3XDat5.dll
2009-03-27 10:54    221,184    a----r--    c:\windows\system32\IS3Win325.dll
2009-03-27 10:54    94,208    a----r--    c:\windows\system32\IS3Inet5.dll
2009-03-27 10:53    90,112    a----r--    c:\windows\system32\IS3Svc5.dll
2009-03-27 10:50    716,800    a----r--    c:\windows\system32\IS3Base5.dll
2009-03-25 11:06    40,552    a-------    c:\windows\system32\drivers\mfesmfk.sys
2009-03-25 11:06    214,024    a-------    c:\windows\system32\drivers\mfehidk.sys
2009-03-25 11:06    79,880    a-------    c:\windows\system32\drivers\mfeavfk.sys
2009-03-25 11:06    35,272    a-------    c:\windows\system32\drivers\mfebopk.sys
2009-03-25 11:05    34,216    a-------    c:\windows\system32\drivers\mferkdk.sys
2009-03-21 15:06    989,696    --------    c:\windows\system32\dllcache\kernel32.dll
2009-03-12 12:18    54,656    a----r--    c:\windows\system32\drivers\SZKG.sys
2009-03-08 14:09    638,816    a-------    c:\windows\system32\dllcache\iexplore.exe
2009-03-08 14:09    391,536    a-------    c:\windows\system32\dllcache\iedkcs32.dll
2009-03-08 04:41    5,937,152    a-------    c:\windows\system32\dllcache\mshtml.dll
2009-03-08 04:39    11,063,808    a-------    c:\windows\system32\dllcache\ieframe.dll
2009-03-08 04:34    914,944    a-------    c:\windows\system32\wininet.dll
2009-03-08 04:34    914,944    a-------    c:\windows\system32\dllcache\wininet.dll
2009-03-08 04:34    1,206,784    a-------    c:\windows\system32\dllcache\urlmon.dll
2009-03-08 04:34    236,544    a-------    c:\windows\system32\dllcache\webcheck.dll
2009-03-08 04:34    43,008    a-------    c:\windows\system32\licmgr10.dll
2009-03-08 04:34    43,008    a-------    c:\windows\system32\dllcache\licmgr10.dll
2009-03-08 04:34    105,984    a-------    c:\windows\system32\dllcache\url.dll
2009-03-08 04:34    193,536    a-------    c:\windows\system32\dllcache\msrating.dll
2009-03-08 04:34    109,568    a-------    c:\windows\system32\dllcache\occache.dll
2009-03-08 04:33    759,296    a-------    c:\windows\system32\dllcache\VGX.dll
2009-03-08 04:33    18,944    a-------    c:\windows\system32\corpol.dll
2009-03-08 04:33    18,944    --------    c:\windows\system32\dllcache\corpol.dll
2009-03-08 04:33    25,600    a-------    c:\windows\system32\dllcache\jsproxy.dll
2009-03-08 04:33    726,528    a-------    c:\windows\system32\dllcache\jscript.dll
2009-03-08 04:33    229,376    a-------    c:\windows\system32\dllcache\ieaksie.dll
2009-03-08 04:33    420,352    a-------    c:\windows\system32\vbscript.dll
2009-03-08 04:33    420,352    a-------    c:\windows\system32\dllcache\vbscript.dll
2009-03-08 04:33    125,952    a-------    c:\windows\system32\dllcache\ieakeng.dll
2009-03-08 04:32    72,704    a-------    c:\windows\system32\dllcache\admparse.dll
2009-03-08 04:32    72,704    a-------    c:\windows\system32\admparse.dll
2009-03-08 04:32    173,056    a-------    c:\windows\system32\dllcache\ie4uinit.exe
2009-03-08 04:32    163,840    a-------    c:\windows\system32\dllcache\ieakui.dll
2009-03-08 04:32    71,680    a-------    c:\windows\system32\iesetup.dll
2009-03-08 04:32    71,680    a-------    c:\windows\system32\dllcache\iesetup.dll
2009-03-08 04:32    55,808    a-------    c:\windows\system32\dllcache\iernonce.dll
2009-03-08 04:32    128,512    a-------    c:\windows\system32\dllcache\advpack.dll
2009-03-08 04:32    94,720    a-------    c:\windows\system32\dllcache\inseng.dll
2009-03-08 04:32    594,432    a-------    c:\windows\system32\dllcache\msfeeds.dll
2009-03-08 04:32    1,985,024    a-------    c:\windows\system32\dllcache\iertutil.dll
2009-03-08 04:32    611,840    a-------    c:\windows\system32\dllcache\mstime.dll
2009-03-08 04:24    68,608    a-------    c:\windows\system32\dllcache\hmmapi.dll
2009-03-08 04:22    156,160    a-------    c:\windows\system32\msls31.dll
2009-03-08 04:22    156,160    a-------    c:\windows\system32\dllcache\msls31.dll
2009-03-08 04:11    445,952    a-------    c:\windows\system32\dllcache\ieapfltr.dll
2009-03-06 15:22    284,160    a-------    c:\windows\system32\pdh.dll
2009-02-20 19:09    133,120    a-------    c:\windows\system32\dllcache\extmgr.dll
2009-02-20 11:20    13,824    --------    c:\windows\system32\dllcache\ieudinit.exe
2009-02-09 13:10    729,088    a-------    c:\windows\system32\lsasrv.dll
2009-02-09 13:10    714,752    a-------    c:\windows\system32\ntdll.dll
2009-02-09 13:10    617,472    a-------    c:\windows\system32\advapi32.dll
2009-02-09 13:10    401,408    a-------    c:\windows\system32\rpcss.dll
2009-02-09 12:13    1,846,784    a-------    c:\windows\system32\win32k.sys
2009-02-09 12:13    1,846,784    --------    c:\windows\system32\dllcache\win32k.sys

============= FINISH: 21:35:54.07 ===============

4 Apprentice

20.5K Posts

May 9th, 2009 17:00

According to the list of programs to remove, you should have removed Kontiki and BitTorrent. Also please delete their folders here:

C:\Program Files\Kontiki\
C:\Program Files\BitTorrent_DNA

Reboot.

Please update and run Malwarebytes' Anti-Malware again. It may take some time to complete so please be patient.

  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".

  • Click OK to close the message box and continue with the removal process.
  • Back at the main Scanner screen:

    • Click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad.
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report along with a fresh HijackThis log into your next reply and exit MBAM.

23 Posts

May 10th, 2009 14:00

Hi, I have uninstalled BitTorrent but it won't let me delete some of the folders in Program Files. It says:

Cannot delete btdna.exe: Access denied. Make sure the disk is not full or write-protected and that the file is not currently in use.

The Kontiki I can't get rid of. I think I uninstalled something and it took c:\windows\system32\rundll32.exe with it, so I can't get into Control Panel to Add/Remove. Here is my log of MBAM anyway, hope you can help.

Malwarebytes' Anti-Malware 1.36
Database version: 2056
Windows 5.1.2600 Service Pack 3

10/05/2009 20:34:30
mbam-log-2009-05-10 (20-34-30).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 158085
Time elapsed: 34 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

4 Apprentice

20.5K Posts

May 10th, 2009 14:00

"I have uninstalled BitTorrent but it won't let me delete some of the folders in Program Files. It says:

Cannot delete btdna.exe: Access denied. Make sure the disk is not full or write-protected and that the file is not currently in use.

The Kontiki I can't get rid of."

Boot the computer into Safemode and uninstall those in Safemode.

To reboot into Safemode, turn on the computer.
Immediately begin tapping the F8 key.
Use the arrow keys to highlight Safe Mode and press the Enter key.

MBAM reported one infected file but did not include it in the log. Please update MBAM and run another scan. The current database is 2104. Yours is 2056. Please post the new log. Thanks.
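The mismatch the helper points to above (a summary line of "Files Infected: 1" with no matching entry in the detail sections) can be checked mechanically. The parser below is an added example, not part of this thread or of Malwarebytes' own tooling; the two sample logs are abridged from the logs posted in this thread, with one action changed to "No action taken." so that the second check has something to report.

```python
"""Consistency checks for Malwarebytes' Anti-Malware (MBAM 1.x) text logs."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# The summary block has lines like "Files Infected: 1"; the detail sections use
# the same words followed by a bare colon, then one item per line until a blank.
SUMMARY_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected): (?P<count>\d+)$")
HEADER_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM_RE = re.compile(r"^(?P<item>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+)$")
DATABASE_RE = re.compile(r"^Database version: (?P<version>\d+)$")
NONE_MARKER = "(No malicious items detected)"
RESOLVED_ACTION = "Quarantined and deleted successfully."


@dataclass
class MbamReport:
    database_version: Optional[str] = None
    summary: Dict[str, int] = field(default_factory=dict)
    # section name -> [(item, detection name, action taken)]
    items: Dict[str, List[Tuple[str, str, str]]] = field(default_factory=dict)

    def inconsistencies(self) -> List[str]:
        """Sections whose summary count disagrees with the entries actually listed."""
        problems = []
        for section, count in self.summary.items():
            listed = len(self.items.get(section, []))
            if listed != count:
                problems.append(f"{section}: summary reports {count} but the log lists {listed}")
        return problems

    def unresolved(self) -> List[Tuple[str, str, str]]:
        """Detections that were reported but not quarantined (e.g. 'No action taken.')."""
        return [entry for entries in self.items.values()
                for entry in entries if entry[2] != RESOLVED_ACTION]


def parse_mbam_log(text: str) -> MbamReport:
    report = MbamReport()
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            section = None  # a blank line ends the current detail section
            continue
        if (m := DATABASE_RE.match(line)):
            report.database_version = m.group("version")
        elif (m := SUMMARY_RE.match(line)):
            report.summary[m.group("section")] = int(m.group("count"))
        elif (m := HEADER_RE.match(line)):
            section = m.group("section")
            report.items.setdefault(section, [])
        elif section and line != NONE_MARKER and (m := ITEM_RE.match(line)):
            report.items[section].append((m.group("item"), m.group("family"), m.group("action")))
    return report


# Constructed sample: the truncated log from this thread (summary says one file, no detail).
TRUNCATED_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2056
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 158085

Memory Processes Infected: 0
Registry Keys Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)
"""

# Constructed sample: abridged from the later log, second action altered to "No action taken."
COMPLETE_LOG = r"""Malwarebytes' Anti-Malware 1.36
Database version: 2105

Memory Processes Infected: 0
Registry Keys Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmn_setup.exe (Trojan.Downloader) -> No action taken.
"""

if __name__ == "__main__":
    for name, log in (("truncated", TRUNCATED_LOG), ("complete", COMPLETE_LOG)):
        r = parse_mbam_log(log)
        print(name, "db", r.database_version, r.inconsistencies(), r.unresolved())
```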

23 Posts

May 10th, 2009 16:00

Hi, went into Safe Mode and deleted the folders for BitTorrent; it still wouldn't let me into Add/Remove. Here is my new log.

Malwarebytes' Anti-Malware 1.36
Database version: 2105
Windows 5.1.2600 Service Pack 3

10/05/2009 22:47:05
mbam-log-2009-05-10 (22-47-05).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 160238
Time elapsed: 35 minute(s), 38 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 6

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c2ba40a1-74f3-42bd-f434-12345a2c8953} (Trojan.Ertfor) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\christopher\Desktop\Live-Player_setup(2).exe (Adware.Navipromo) -> Quarantined and deleted successfully.
C:\Documents and Settings\christopher\Desktop\Live-Player_setup.exe (Adware.Navipromo) -> Quarantined and deleted successfully.
C:\RECYCLER\S-1-5-21-869233362-3832075220-2753878455-1006\Dc1.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmppcsetup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmn_setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

23 Posts

May 10th, 2009 16:00

This is the log after the restart from the full scan; I did a quick scan straight after.

Malwarebytes' Anti-Malware 1.36
Database version: 2105
Windows 5.1.2600 Service Pack 3

10/05/2009 23:24:16
mbam-log-2009-05-10 (23-24-16).txt

Scan type: Quick Scan
Objects scanned: 87498
Time elapsed: 10 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\Temp\msb.dll (Worm.Autorun) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lmn_setup.exe (Trojan.Downloader) -> Quarantined and deleted successfully.

4 Apprentice

20.5K Posts

May 10th, 2009 17:00

"went in safe mode deleted folders for bit torent still wouldnt let me in add/remove"

That is very odd.

Please download and scan with SUPERAntiSpyware Free

  • Double-click SUPERAntiSypware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:

  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply along with a fresh HijackThis log.
  • Click Close to exit the program.

23 Posts

May 11th, 2009 01:00

Hi, got those logs, thanks.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 05/11/2009 at 02:14 AM

Application Version : 4.26.1002

Core Rules Database Version : 3885
Trace Rules Database Version: 1833

Scan type       : Complete Scan
Total Scan Time : 01:19:39

Memory items scanned      : 220
Memory threats detected   : 0
Registry items scanned    : 5487
Registry threats detected : 11
File items scanned        : 24406
File threats detected     : 38

Trojan.Agent/Gen-FakeAlert
    [] C:\WINDOWS\TEMP\XPELNHP.EXE
    C:\WINDOWS\TEMP\XPELNHP.EXE
    [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\XPELNHP.EXE
    [Diagnostic Manager] C:\WINDOWS\TEMP\1610226734.EXE
    C:\WINDOWS\TEMP\1610226734.EXE
    [] C:\WINDOWS\TEMP\XPELNHP.EXE
    [uidenhiufgsduiazghs] C:\WINDOWS\TEMP\XPELNHP.EXE
    [Diagnostic Manager] C:\WINDOWS\TEMP\1610226734.EXE
    C:\DOCUMENTS AND SETTINGS\CHRISTOPHER\LOCAL SETTINGS\TEMP\1186389516.EXE
    C:\DOCUMENTS AND SETTINGS\CHRISTOPHER\LOCAL SETTINGS\TEMP\1788718748.EXE
    C:\DOCUMENTS AND SETTINGS\CHRISTOPHER\LOCAL SETTINGS\TEMP\193880339.EXE
    C:\DOCUMENTS AND SETTINGS\CHRISTOPHER\LOCAL SETTINGS\TEMP\2406377837.EXE
    C:\DOCUMENTS AND SETTINGS\CHRISTOPHER\LOCAL SETTINGS\TEMP\2544788404.EXE
    C:\DOCUMENTS AND SETTINGS\CHRISTOPHER\LOCAL SETTINGS\TEMP\3720397502.EXE
    C:\DOCUMENTS AND SETTINGS\CHRISTOPHER\LOCAL SETTINGS\TEMP\542414234.EXE
    C:\WINDOWS\TEMP\194648956.EXE
    C:\WINDOWS\TEMP\3337428752.EXE
    C:\WINDOWS\TEMP\3358678752.EXE
    C:\WINDOWS\TEMP\339859720.EXE
    C:\WINDOWS\TEMP\4198765970.EXE
    C:\WINDOWS\TEMP\SFSDFDF.EXE
    C:\WINDOWS\TEMP\SJGH4KDG4RG4.EXE
    C:\WINDOWS\Prefetch\1610226734.EXE-33F1EC71.pf
    C:\WINDOWS\Prefetch\339859720.EXE-05E31BFF.pf
    C:\WINDOWS\Prefetch\4198765970.EXE-0C5B0761.pf

Adware.Tracking Cookie
    C:\Documents and Settings\christopher\Cookies\christopher@ads.techguy[2].txt
    C:\Documents and Settings\christopher\Cookies\christopher@atdmt[2].txt
    C:\Documents and Settings\christopher\Cookies\christopher@chitika[2].txt
    C:\Documents and Settings\christopher\Cookies\christopher@doubleclick[1].txt
    C:\Documents and Settings\christopher\Cookies\christopher@serving-sys[2].txt
    C:\Documents and Settings\christopher\Cookies\christopher@imrworldwide[2].txt
    C:\Documents and Settings\christopher\Cookies\christopher@apmebf[1].txt
    C:\Documents and Settings\christopher\Cookies\christopher@2o7[2].txt
    C:\Documents and Settings\christopher\Cookies\christopher@adtech[1].txt
    C:\Documents and Settings\christopher\Cookies\christopher@media.adrevolver[1].txt
    C:\Documents and Settings\christopher\Cookies\christopher@bs.serving-sys[1].txt
    C:\Documents and Settings\christopher\Cookies\christopher@ad.yieldmanager[2].txt
    C:\Documents and Settings\christopher\Cookies\christopher@mediaplex[1].txt
    C:\Documents and Settings\christopher\Cookies\christopher@overture[1].txt
    C:\Documents and Settings\christopher\Cookies\christopher@adrevolver[2].txt
    C:\Documents and Settings\christopher\Cookies\christopher@adviva[2].txt
    C:\Documents and Settings\christopher\Cookies\christopher@specificclick[1].txt

Rogue.Component/Trace
    HKLM\Software\Microsoft\B065F86F
    HKLM\Software\Microsoft\B065F86F#b065f86f
    HKLM\Software\Microsoft\B065F86F#Version
    HKLM\Software\Microsoft\B065F86F#b06555ef
    HKLM\Software\Microsoft\B065F86F#b0653c0a

Trojan.Unclassified/RegSVR-Fake
    C:\WINDOWS\SYSTEM32\EMBEDDED\REGSVR.EXE

Trojan.Agent/Gen-LSPHack
    C:\WINDOWS\SYSTEM32\LSPSRF.DLL

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:07:05, on 11/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DK
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcfc.co.uk/default.sps
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://172.16.30.35/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [kdx] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\BitTorrent_DNA\btdna.exe"
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2009] C:\Program Files\Uniblue\RegistryBooster\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O20 - AppInit_DLLs: mctphy.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 9108 bytes

4 Apprentice


20.5K Posts

May 11th, 2009 09:00

It looks as if malware really did a job on that system, probably as a result of P2P and torrents.

Please visit this webpage for download links, and instructions for running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

* Ensure you have disabled all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.

Please include the C:\ComboFix.txt in your next reply along with a fresh HijackThis log for further review.

Notes:

1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.

2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

3. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.

4. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.

5. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

* Additional information on A/V control HERE. * ComboFix is not intended for use with servers.


23 Posts

May 11th, 2009 11:00

Cheers bugbatter, will try, but can I ask a question: is restoring it to its original state with Dell's PC Restore an option, or would all this follow? Thanks

23 Posts

May 11th, 2009 13:00

Hi, I tried ComboFix. Everything was going OK, then when the log screen came up it said it couldn't find it and would I like to create a new log folder; it gave the option yes/no/cancel. I clicked yes, then the cursor was just flashing on/off. I left it for 45 mins, still blank, so I closed the box, which then just left my background on there for another 30 min and did nothing, so I restarted the PC. Didn't know what to do. Did a search for combofix.text, can't find it. What should I do? Here is my HijackThis log, but I don't think it will change if Combo didn't work. Thanks


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:49:14, on 11/05/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\STOPzilla!\STOPzilla.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mcfc.co.uk/default.sps
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.co.uk/0SEENGB/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://172.16.30.35/
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: STOPzilla Browser Helper Object - {E3215F20-3212-11D6-9F8B-00D0B743919D} - C:\Program Files\STOPzilla!\SZIEBHO.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: STOPzilla - {98828DED-A591-462F-83BA-D2F62A68B8B8} - C:\Program Files\STOPzilla!\SZSG.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = ?
O4 - Global Startup: AOL 9.0 Tray Icon.lnk = ?
O4 - Global Startup: dlbcserv.lnk = C:\Program Files\Dell Photo Printer 720\dlbcserv.exe
O4 - Global Startup: ExifLauncher2.lnk = C:\Program Files\FinePixViewer\QuickDCF2.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O15 - Trusted Zone: *.download.com
O15 - Trusted Zone: http://*.mcafee.com
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase5483.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flashplayer/current/swflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crlupdate/en/crlocx.ocx
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Unknown owner - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: STOPzilla Service (szserver) - iS3, Inc. - C:\Program Files\Common Files\iS3\Anti-Spyware\SZServer.exe

--
End of file - 7983 bytes
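When a thread like this carries two HijackThis logs a few days apart, the useful question is what changed between them and which entries sit in the places malware likes (AppInit_DLLs, the Winsock LSP chain, Trusted Zone, Run keys, and services whose binary is gone). The following is an added example written for this page, not a tool from the thread or from Trend Micro: it parses HijackThis entry lines, diffs two logs, and flags high-interest sections. The embedded excerpts are trimmed copies of the 8 May and 11 May logs quoted above (the first has an `O20 - AppInit_DLLs: mctphy.dll` line that the second does not; the second has an extra `nwprovau.dll` LSP line), and the `HIGH_INTEREST` table is my own triage choice, not a HijackThis convention. The script draws no conclusion about whether any entry is malicious; it only surfaces what a reviewer would read first.

```python
"""Parse and diff two HijackThis logs, flagging entries worth a closer look.

Added example for this thread; it is not part of HijackThis or ComboFix.
"""
import re
from collections import defaultdict

# HijackThis entry lines look like "O20 - AppInit_DLLs: mctphy.dll" or
# "R1 - HKLM\Software\...". Capture the section tag and the rest.
ENTRY_RE = re.compile(r"^(?P<section>[ORF]\d{1,2}) - (?P<body>.+)$")

# Sections a reviewer reads first on a suspected autorun worm / browser
# hijacker. This table is the example's own choice (assumption), not a
# HijackThis rule.
HIGH_INTEREST = {
    "O20": "AppInit_DLLs / Winlogon Notify (loaded into many processes or at logon)",
    "O10": "Winsock LSP (sits in the network path of every socket user)",
    "O15": "Trusted Zone entry (lowers IE security for that host pattern)",
    "O4":  "Run key / Startup entry (persistence)",
}

# Constructed test input: trimmed excerpts of the two logs posted in this
# thread (8 May and 11 May 2009), reduced to the lines that differ or flag.
LOG_MAY_08 = r"""
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O15 - Trusted Zone: *.download.com
O20 - AppInit_DLLs: mctphy.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)
"""

LOG_MAY_11 = r"""
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O10 - Unknown file in Winsock LSP: c:\program files\common files\is3\anti-spyware\is3lsp.dll
O15 - Trusted Zone: *.download.com
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe (file missing)
"""


def parse_hijackthis(text):
    """Return {section: set(entry line)} for the entry lines of a log.

    HijackThis prints one O10 line per LSP chain slot, so the same DLL
    appears several times; collapsing into a set makes the diff readable.
    """
    sections = defaultdict(set)
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            sections[m.group("section")].add(line)
    return dict(sections)


def diff_logs(old, new):
    """Return (added, removed): entries only in the new log, only in the old."""
    old_all = set().union(*old.values()) if old else set()
    new_all = set().union(*new.values()) if new else set()
    return new_all - old_all, old_all - new_all


def flag_entries(parsed):
    """Return [(reason, entry)] for high-interest sections and for O23
    services whose binary is reported missing (a dangling service key is
    either an uninstall leftover or something removed without its key)."""
    flags = []
    for section, entries in sorted(parsed.items()):
        for entry in sorted(entries):
            if section in HIGH_INTEREST:
                flags.append((HIGH_INTEREST[section], entry))
            elif section == "O23" and "(file missing)" in entry:
                flags.append(("service points at a missing binary", entry))
    return flags


if __name__ == "__main__":
    old, new = parse_hijackthis(LOG_MAY_08), parse_hijackthis(LOG_MAY_11)
    added, removed = diff_logs(old, new)
    print("Added since first log:")
    for e in sorted(added):
        print("  +", e)
    print("Gone since first log:")
    for e in sorted(removed):
        print("  -", e)
    print("Flagged in latest log:")
    for reason, e in flag_entries(new):
        print(f"  [{reason}] {e}")
```

Run it against the full logs by replacing the two excerpt strings with the pasted text; the diff is what a helper would ask for next, since an entry that disappears between scans without any tool reporting a removal (as the AppInit_DLLs line does here) is worth asking about rather than assuming it is gone.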
