
MBAM freezing and update to 1.34 issues



Hi Guys

I do not think there is a problem with my PC ... according to MBAM, Ad-Aware, Spybot, Windows Malicious Software Removal and Norton 360 2.0, however I have posted other information related to the MBAM freezing and updating to 1.34 and want to be sure it's not my system that is at fault and/or to identify if there are incompatibilities with MBAM that may be causing freezing and updating issues.

My related post is here: http://www.malwarebytes.org/forums/index.php?showtopic=11218

and I have been in contact with TeMerc (Ticket 2575) on the freezing problem (actually a very slow MBAM scan in my opinion, as a non-IT person, with some issues in the c:\windows\installer directory).

Without further ado here are the recent relevant MBAM and HijackThis logs to get the ball rolling.

Malwarebytes' Anti-Malware 1.34

Database version: 1752

Windows 5.1.2600 Service Pack 3

12/02/2009 4:57:01 PM

mbam-log-2009-02-12 (16-57-01).txt

Scan type: Quick Scan

Objects scanned: 74157

Time elapsed: 19 minute(s), 17 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 2:44:40 PM, on 12/02/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Westnet\iConnect\launcher.exe

C:\DOCUME~1\Frank\LOCALS~1\Temp\iCBB_04_19 R14-47 WESTNET B01 Monitor Temporary Items\monSvr.exe

C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\WINDOWS\system32\taskmgr.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Frank\My Documents\Computer & ISP\PC Utils\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mywestnet.com.au/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.mywestnet.com.au/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mywestnet.com.au/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE

O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [EPSON Stylus Photo RX510] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE /P24 "EPSON Stylus Photo RX510" /O6 "USB001" /M "Stylus Photo RX510"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent

O4 - HKCU\..\Run: [uniblue ProcessQuickLink 2] "C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe" /autostart

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Service Centre.lnk = C:\Program Files\Westnet\iConnect\launcher.exe

O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.arrowcomputers.com.au

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229485591656

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flash...ent/swflash.cab

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--

End of file - 9871 bytes

I look forward to your comments and hope it may assist in resolving the above problems for others, not just me.

Thanks

Perth2008


  • Root Admin

Well I've never heard of this 'C:\DOCUME~1\Frank\LOCALS~1\Temp\iCBB_04_19 R14-47 WESTNET B01 Monitor Temporary Items\monSvr.exe'

But generally speaking NO service or executable file should be running from the %temp% folder.

Please download and run the following.

Please visit this webpage for instructions for downloading ComboFix to your DESKTOP: how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

NOTE!!: You must save and run ComboFix.exe on your DESKTOP and not from any other folder.

Also, DO NOT click the mouse or launch any other applications while this is running or it may stall the program.

Additional links to download the tool:

Note: The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

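One way to apply AdvancedSetup's rule ("no service or executable should run from %temp%") mechanically, as an added example that is not code from this thread, from Malwarebytes or from any of the tools named here: a small Python script that reads HijackThis-style and ComboFix-style log lines, extracts each image path and reports those that sit under a Temp directory. The sample lines are copied from the logs posted in this thread; the path regex, the Temp-folder rule and the line classification are my own assumptions, not the tools' own parsing logic.

```python
"""Flag processes, autoruns, services and drivers whose image sits in a Temp folder.

Added example (not from the thread or from HijackThis/ComboFix). It accepts a
mix of HijackThis lines ("Running processes" paths, O4 Run entries, O23
services) and ComboFix driver/service lines (R0/R2/S3/S4 ...) and reports any
Windows path that lives under a directory named Temp or Tmp.
"""
import re

# Constructed sample: lines copied from the HijackThis and ComboFix logs in
# this thread, not a complete log.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
C:\DOCUME~1\Frank\LOCALS~1\Temp\iCBB_04_19 R14-47 WESTNET B01 Monitor Temporary Items\monSvr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe
S3 gkmixern;gkmixern;\??\c:\docume~1\Frank\LOCALS~1\Temp\gkmixern.sys --> c:\docume~1\Frank\LOCALS~1\Temp\gkmixern.sys [?]
S4 ZDSVNXJP;ZDSVNXJP;c:\docume~1\Frank\LOCALS~1\Temp\ZDSVNXJP.exe --> c:\docume~1\Frank\LOCALS~1\Temp\ZDSVNXJP.exe [?]
"""

# A drive-letter path ending in an executable-type extension.  Non-greedy so
# that "RUNDLL32.EXE C:\...\NvCpl.dll,NvStartup" yields only the DLL path, and
# quotes are excluded so quoted O4 values terminate cleanly.  (Assumed set of
# extensions; extend as needed.)
PATH_RE = re.compile(
    r'[A-Za-z]:\\[^"<>|*?\r\n]+?\.(?:exe|dll|sys|cpl|scr|com|bat|cmd)\b',
    re.IGNORECASE,
)

# Directory names treated as temporary storage.  Note that the 8.3 short name
# LOCALS~1 in the logs is the user's "Local Settings" folder, so the component
# after it is still literally "Temp" and matches here.
TEMP_DIR_NAMES = {"temp", "tmp"}


def extract_paths(line):
    """Return the distinct image paths found on one log line, in order.

    ComboFix service lines repeat the path on both sides of '-->'; the
    duplicate is dropped (case-insensitively) so each line yields one hit.
    """
    found = []
    for path in PATH_RE.findall(line):
        if path.lower() not in (p.lower() for p in found):
            found.append(path)
    return found


def is_temp_path(path):
    """True if any *directory* component of the path is a Temp/Tmp folder."""
    parts = [p for p in path.lower().replace("/", "\\").split("\\") if p]
    return any(p in TEMP_DIR_NAMES for p in parts[:-1])


def classify(line):
    """Label the log line by the kind of load point it documents (assumed scheme)."""
    if line.startswith("O4 "):
        return "run-key"            # HijackThis Run/RunOnce/Startup entry
    if line.startswith("O23 "):
        return "service"            # HijackThis service entry
    if re.match(r"^[RS][0-4] ", line):
        return "service/driver"     # ComboFix: R=running, S=stopped, digit=start type
    if PATH_RE.match(line):
        return "process"            # bare path under "Running processes:"
    return "other"


def find_temp_loaders(log_text):
    """Scan a log and return a list of {kind, path, line} for Temp-folder images."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for path in extract_paths(line):
            if is_temp_path(path):
                hits.append({"kind": classify(line), "path": path, "line": line})
    return hits


def main():
    hits = find_temp_loaders(SAMPLE_LOG)
    print(f"{len(hits)} image(s) loading from a Temp folder:")
    for h in hits:
        print(f"  [{h['kind']}] {h['path']}")


if __name__ == "__main__":
    main()
```

Items the script flags still need the judgement applied above: the monSvr.exe entry is explained by the ISP's iConnect monitor, while the gkmixern.sys and ZDSVNXJP.exe entries in the later ComboFix log are the ones worth asking a helper about.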

G'day Advanced Setup

Thanks for the VERY prompt response.

Generally I would agree 100% with your comment about EXE (or DLL) files running from/in Local Services\Temp directory:

Well I've never heard of this 'C:\DOCUME~1\Frank\LOCALS~1\Temp\iCBB_04_19 R14-47 WESTNET B01 Monitor Temporary Items\monSvr.exe'
But generally speaking NO service or executable file should be running from the %temp% folder.

The WESTNET/iConnect monitor is a graphical interface provided by my ISP that allows monitoring of my internet connection and to readily access my service account.

I'll attach a couple of screen shots to show you what this program creates/does ... it installs/refreshes the interface at every re-boot and I don't BELIEVE it is a problem ... however I am happy to undertake your advice if you still think, after reading this, that it may be a problem.

Screenshots as follows:

Hmmm seems like I've used up my 500k upload allocation ... :-(

Well, attached is perhaps the most relevant image ... it shows the graphical interface

Am I correct in assuming from your comment that the C:\DOCUME~1\Frank\LOCALS~1\Temp\iCBB_04_19 R14-47 WESTNET B01 Monitor Temporary Items\monSvr.exe is the ONLY potential cause for concern in the HijackThis log?

Nevertheless can you please confirm whether the procedure (above) using the ComboFix.exe program is what I need to do should I notice unusual EXE (or DLL) files in the Local Services\Temp in the future.

Thanks & regards,

Perth2008


Hi AdvancedSetup

I ran ComboFix as suggested ... I figured it cannot hurt given that it does a deeper scan. Of course it's all "gobbledegook" to me and best left to experts, such as you, to interpret, although I did notice a "strange" SYS and EXE file in Local Settings\Temp showing in the logs ... however when I looked for the files using Explorer there was a new (replacement?) Local Settings\temp directory (note lower case "t" in temp now) with a "WPDNSE" subdirectory.

ComboFix 09-02-12.03 - Frank 2009-02-13 9:38:28.1 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2492 [GMT 9:00]

Running from: c:\documents and settings\Frank\Desktop\ComboFix.exe

AV: Norton 360 *On-access scanning disabled* (Updated)

FW: Norton 360 *disabled*

* Created a new restore point

.

((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))

.

2009-02-04 11:49 . 2009-02-04 11:49 <DIR> d-------- c:\documents and settings\Frank\Application Data\ArcSoft

2009-02-04 11:31 . 2009-02-04 11:36 <DIR> d-------- c:\documents and settings\Frank\Application Data\EPSON

2009-02-04 11:29 . 2009-02-04 11:49 <DIR> d-------- c:\documents and settings\Frank\Application Data\Smart Panel

2009-02-01 11:18 . 2009-02-01 11:18 <DIR> d-------- c:\documents and settings\Frank\Application Data\Media Player Classic

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2017-10-17 00:30 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink

2017-10-17 00:29 --------- d-----w c:\program files\CyberLink

2017-10-17 00:21 --------- d-----w c:\program files\Nero

2017-10-16 23:59 --------- d-----w c:\program files\microsoft frontpage

2009-02-13 00:35 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-02-13 00:32 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-02-13 00:27 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-02-12 23:48 --------- d-----w c:\documents and settings\All Users\Application Data\OPEN Networks

2009-02-12 07:25 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-12 06:00 --------- d-----w c:\program files\Uniblue

2009-02-12 03:00 --------- d-----w c:\documents and settings\Frank\Application Data\GetRight Pro

2009-02-12 02:12 --------- d-----w c:\program files\Westnet

2009-02-12 02:07 410,984 ----a-w c:\windows\system32\deploytk.dll

2009-02-12 01:21 --------- d-----w c:\program files\SpywareBlaster

2009-02-12 00:32 --------- d-----w c:\program files\Java

2009-02-11 01:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 01:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-11 00:04 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-11 00:04 --------- d-----w c:\program files\EPSON

2009-02-10 13:49 43,520 ----a-w c:\windows\system32\CmdLineExt03.dll

2009-02-10 13:38 --------- d-----w c:\program files\Sierra

2009-02-09 09:15 --------- d-----w c:\program files\Norton Security Scan

2009-02-04 02:35 --------- d-----w c:\program files\Smart Panel

2009-02-03 23:17 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-02-02 10:27 --------- d-----w c:\program files\Reference Assemblies

2009-02-02 10:27 --------- d-----w c:\program files\MSBuild

2009-02-01 09:19 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-02-01 09:18 --------- d-----w c:\program files\AGEIA Technologies

2009-02-01 02:16 --------- d-----w c:\program files\K-Lite Codec Pack

2009-02-01 01:00 --------- d-----w c:\documents and settings\Frank\Application Data\IGN_DLM

2009-01-31 13:03 15,688 ----a-w c:\windows\system32\lsdelete.exe

2009-01-28 06:00 --------- d-----w c:\program files\InterActual

2009-01-28 01:04 15,616 ----a-w c:\windows\system32\drivers\Dbgv.sys

2009-01-27 04:59 --------- d-----w c:\program files\Defraggler

2009-01-27 04:58 --------- d-----w c:\program files\Recuva

2009-01-26 03:13 --------- d-----w c:\program files\QuickTime

2009-01-26 03:13 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer

2009-01-23 05:06 --------- d-----w c:\program files\Ubisoft

2009-01-21 09:33 64,160 ----a-w c:\windows\system32\drivers\Lbd.sys

2009-01-21 09:27 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-01-21 09:27 --------- d-----w c:\program files\Lavasoft

2009-01-19 01:08 --------- d-----w c:\program files\MSECache

2009-01-16 09:24 70,936 ----a-w c:\windows\system32\PhysXLoader.dll

2009-01-08 05:32 107,888 ----a-w c:\windows\system32\CmdLineExt.dll

2009-01-06 02:16 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF

2009-01-06 02:16 60,808 ----a-w c:\windows\system32\S32EVNT1.DLL

2009-01-06 02:16 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS

2009-01-06 02:16 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT

2009-01-06 02:16 --------- d-----w c:\program files\Symantec

2009-01-04 08:54 18,048 ----a-w c:\windows\system32\drivers\lirsgt.sys

2009-01-04 08:54 165,376 ----a-w c:\windows\system32\drivers\atksgt.sys

2009-01-03 02:56 --------- d-----w c:\program files\SCi Games

2009-01-02 05:36 --------- d-----w c:\documents and settings\Frank\Application Data\Ahead

2009-01-02 00:23 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2008-12-31 08:04 691,560 ----a-w c:\windows\system32\OGACheckControl.dll

2008-12-31 08:04 528,744 ----a-w c:\windows\system32\OGAVerify.exe

2008-12-31 08:04 502,120 ----a-w c:\windows\system32\OGAAddin.dll

2008-12-31 06:00 --------- d-----w c:\program files\2015

2008-12-30 02:18 --------- d-----w c:\program files\Download Manager

2008-12-28 14:34 --------- d-----w c:\documents and settings\Frank\Application Data\WebRenderer

2008-12-28 08:47 --------- d-----w c:\program files\CCleaner

2008-12-25 15:08 453,152 ----a-w c:\windows\system32\nvudisp.exe

2008-12-23 12:58 453,152 ----a-w c:\windows\system32\NVUNINST.EXE

2008-12-21 12:57 --------- d-----w c:\program files\GetRight

2008-12-20 23:15 826,368 ----a-w c:\windows\system32\wininet.dll

2008-12-19 06:57 98,304 ----a-w c:\windows\system32CmdLineExt.dll

2008-12-19 06:29 --------- d-----w c:\documents and settings\Eva\Application Data\Symantec

2008-12-19 04:05 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller

2008-12-19 04:05 --------- d-----w c:\program files\Windows Live

2008-12-19 03:58 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller

2008-12-19 01:13 --------- d-----w c:\program files\EA GAMES

2008-12-19 00:43 --------- d-----w c:\program files\Air Conflicts

2008-12-19 00:10 --------- d--h--r c:\documents and settings\Frank\Application Data\SecuROM

2008-12-18 23:12 --------- d-----w c:\program files\THQ

2008-12-18 22:34 --------- d-----w c:\program files\GameSpy Arcade

2008-12-18 21:21 --------- d-----w c:\documents and settings\Frank\Application Data\InstallShield

2008-12-18 20:34 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2008-12-18 20:27 --------- d-----w c:\program files\activePDF

2008-12-18 19:24 --------- d-----w c:\program files\Canon

2008-12-18 19:00 --------- d-----w c:\program files\Apple Software Update

2008-12-18 18:59 --------- d-----w c:\documents and settings\All Users\Application Data\Apple

2008-12-18 18:58 --------- d-----w c:\documents and settings\Frank\Application Data\Apple Computer

2008-12-18 18:29 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

2008-12-18 17:51 --------- d-----w c:\documents and settings\All Users\Application Data\UDL

2008-12-18 17:50 --------- d-----w c:\program files\ABBYY FineReader 5.0 Sprint

2008-12-18 17:49 --------- d-----w c:\program files\ArcSoft

2008-12-18 02:57 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead

2008-12-18 02:56 --------- d-----w c:\program files\Common Files\Ahead

2008-12-18 02:55 --------- d-----w c:\documents and settings\All Users\Application Data\Nero

2008-12-18 00:24 --------- d-----w c:\program files\Common Files\Adobe

2008-12-17 23:57 --------- d-----w c:\program files\filehippo.com

2008-12-17 23:20 --------- d-----w c:\program files\Google

2008-12-17 23:09 --------- d-----w c:\program files\Britannica 2006

2008-12-17 23:07 --------- d--h--w c:\program files\Zero G Registry

2008-12-17 22:11 --------- d-----w c:\program files\Microsoft Encarta

2008-12-17 19:39 --------- d-----w c:\documents and settings\Frank\Application Data\OfficeUpdate12

2008-12-17 18:17 --------- d-----w c:\documents and settings\Frank\Application Data\Symantec

2008-12-17 18:13 --------- d-----w c:\program files\Norton 360

2008-12-17 17:51 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-12-17 17:30 --------- d-----w c:\program files\Windows Sidebar

2008-06-05 20:18 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]

@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"

[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]

2008-11-01 05:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]

@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"

[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]

2008-11-01 05:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]

@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"

[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]

2008-11-01 05:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Uniblue ProcessQuickLink 2"="c:\program files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe" [2008-04-03 655640]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-08 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-08 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-08 137752]

"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-30 638976]

"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-02-26 29757440]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-18 51048]

"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-29 570664]

"EPSON Stylus Photo RX510"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE" [2003-09-12 99840]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-30 509784]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-12 148888]

"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 c:\windows\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2007-10-11 c:\windows\SkyTel.exe]

"nwiz"="nwiz.exe" [2009-01-15 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Service Centre.lnk - c:\program files\Westnet\iConnect\launcher.exe [2009-02-12 791976]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2008-01-23 04:13 152872 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2008-05-29 01:27 570664 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--a------ 2004-11-03 12:24 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2009-02-12 11:07 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2009-01-15 08:19 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\Msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

R0 Lbd;Lbd;c:\windows\system32\drivers\Lbd.sys [2009-01-21 64160]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-19 149352]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-18 99376]

R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-12-14 38400]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-12-14 222976]

S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-19 950096]

S3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2008-06-04 30720]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-13 23888]

S3 gkmixern;gkmixern;\??\c:\docume~1\Frank\LOCALS~1\Temp\gkmixern.sys --> c:\docume~1\Frank\LOCALS~1\Temp\gkmixern.sys [?]

S4 ZDSVNXJP;ZDSVNXJP;c:\docume~1\Frank\LOCALS~1\Temp\ZDSVNXJP.exe --> c:\docume~1\Frank\LOCALS~1\Temp\ZDSVNXJP.exe [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

*Deregistered* - uphcleanhlp

.

Contents of the 'Scheduled Tasks' folder

2009-02-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-31 22:03]

2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-31 05:34]

2009-02-09 c:\windows\Tasks\Norton Security Scan for Frank.job

- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 21:18]

2009-02-12 c:\windows\Tasks\OGADaily.job

- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

2009-02-12 c:\windows\Tasks\OGALogon.job

- c:\windows\system32\OGAVerify.exe [2008-12-31 17:04]

.

- - - - ORPHANS REMOVED - - - -

HKLM-Run-NWEReboot - (no file)

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com.au/

mStart Page = hxxp://www.mywestnet.com.au/

uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"

uInternet Settings,ProxyOverride = <local>

IE: Download with GetRight Pro - c:\program files\GetRight\GRdownload.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Open with GetRight Pro Browser - c:\program files\GetRight\GRbrowse.htm

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-13 09:39:23

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-1614895754-682003330-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:b2,05,e2,fb,dc,71,5e,2d,6b,90,0e,37,3f,b0,73,95,37,62,c6,4e,d0,b9,80,

1b,90,05,1d,c2,c4,d1,ae,1e,e3,a0,db,6f,21,56,08,cc,3e,29,22,fd,a4,fa,5f,a4,\

"??"=hex:e2,06,90,c3,a9,ab,f7,ca,1c,f7,63,d7,3e,f2,89,5d

.

Completion time: 2009-02-13 9:40:33

ComboFix-quarantined-files.txt 2009-02-13 00:40:30

Pre-Run: 309,046,935,552 bytes free

Post-Run: 309,112,201,216 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

[boot loader]

timeout=2

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

262 --- E O F --- 2009-02-02 09:01:56

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:01:53 AM, on 13/02/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Documents and Settings\Frank\My Documents\Computer & ISP\PC Utils\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mywestnet.com.au/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [EPSON Stylus Photo RX510] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE /P24 "EPSON Stylus Photo RX510" /O6 "USB001" /M "Stylus Photo RX510"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [uniblue ProcessQuickLink 2] "C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe" /autostart

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Service Centre.lnk = C:\Program Files\Westnet\iConnect\launcher.exe

O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.arrowcomputers.com.au

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229485591656

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flash...ent/swflash.cab

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--

End of file - 9311 bytes

FINALLY, I noticed two new directories, C:\Qoobox and C:\ComboFix (which is empty), were created at about the time of running ComboFix ... presumably the Qoobox is for backups and quarantine?

Hopefully your diagnosis will be favourable!

Thank you for your time.


Hello AdvancedSetup

Just to update you ... the related MBAM freezing issue seems to have been resolved ... it seems to be an incompatibility with Norton 360 Auto-Protect, see here:

and

http://www.malwarebytes.org/forums/index.php?showtopic=9499&st=40&start=40

So I guess it's down to your analysis of my HijackThis and ComboFix logs ... fingers crossed.

Thanks


  • Root Admin

Well CF does show active infections. We'll ignore the Monitor running from %temp% but that is very poor coding in my opinion.

Download but do not yet run ComboFix

If you have a previous version of Combofix.exe, delete it and download a fresh copy.

Download it to your DESKTOP - it MUST run from the Desktop

download.bleepingcomputer.com/sUBs/ComboFix.exe

subs.geekstogo.com/ComboFix.exe

Using your mouse, Highlight and then Right-click | Copy the entire contents of the Code box below, including blank lines

KILLALL::

Driver::
Lbd
gkmixern
ZDSVNXJP

File::
c:\windows\system32\drivers\Lbd.sys
c:\docume~1\Frank\LOCALS~1\Temp\gkmixern.sys
c:\docume~1\Frank\LOCALS~1\Temp\ZDSVNXJP.exe
c:\windows\Tasks\OGADaily.job
c:\windows\system32\OGAVerify.exe
c:\windows\Tasks\OGALogon.job
c:\windows\system32\OGAVerify.exe

Open a new Notepad session (Do not use a Word Processor or WordPad). Click "Format" and be certain that Word Wrap is not enabled. Right-click | Paste the Code box contents from above into Notepad. Click File, Save as..., and set the location to your Desktop, and enter (including quotation marks) as the filename: "CFscript.txt" .

Using your mouse, drag the new file CFscript.txt and drop it on the Combo-Fix.exe icon as shown:

CFScript.gif

  • Important: Have no other programs running. Your Task Bar should be clear of any program entries including your Browser.
  • Disconnect from the Internet.
  • Disable your Antivirus software. If it has Script Blocking features, please disable these as well.
  • A window may open with a series of Disclaimers. Accept the Disclaimers to start the fix.
  • It may identify that Recovery Console is not installed. Please accept when asked if you wish it to be installed.
    When the scan completes, Notepad will open with your results log open. Do a File, Exit.

A caution - Do not run Combofix more than once. Do not touch your mouse/keyboard until the scan has completed, as this may cause the process to stall or your computer to lock. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop. Even when ComboFix appears to be doing nothing, look at your Drive light. If it is flashing, Combofix is still at work.

Post back the Combofix log on your next reply.

Then please download Lop S&D

Double-click on Lop S&D.exe

Choose the language, then choose Option 1 (Search)

Wait till the end of the scan

Post the log which is created: (%SystemDrive%\lopR.txt), typically C:\lopR.txt

When that's all done please run this.

    Download and install CCleaner
  • CCleaner
  • Double-click on the downloaded file "ccsetup216.exe" and install the application.
  • Keep the default installation folder "C:\Program Files\CCleaner"
  • Uncheck "Add CCleaner Yahoo! Toolbar and use CCleaner from your browser"
  • Click finish when done and close ALL PROGRAMS
  • Start the CCleaner program.
  • Click on Registry and Uncheck Registry Integrity so that it does not run (basically the very top, uncheck it)
  • Click on Options - Advanced and Uncheck "Only delete files in Windows Temp folders older than 48 hours"
  • Click back to Cleaner and under SYSTEM uncheck the Memory Dumps and Windows Log Files
  • Click on Run Cleaner button on the bottom right side of the program.
  • Click OK to any prompts

Then update MBAM and do another Quick Scan.

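The two entries AdvancedSetup singles out (the driver and service loading from the user's Temp folder) can be pulled out of a ComboFix services/drivers section mechanically. The script below is an added example, not part of this thread and not ComboFix's own code: it parses that line format and flags any image that lives under a temp directory or that ComboFix could not find at scan time ("[?]"). The sample lines are constructed from the entries posted above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: four lines shaped like the ComboFix "services/drivers"
# section in the log posted above (same fields, same paths).
SAMPLE_LOG = r"""
R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-12-14 38400]
S2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-19 950096]
S3 gkmixern;gkmixern;\??\c:\docume~1\Frank\LOCALS~1\Temp\gkmixern.sys --> c:\docume~1\Frank\LOCALS~1\Temp\gkmixern.sys [?]
S4 ZDSVNXJP;ZDSVNXJP;c:\docume~1\Frank\LOCALS~1\Temp\ZDSVNXJP.exe --> c:\docume~1\Frank\LOCALS~1\Temp\ZDSVNXJP.exe [?]
""".strip()

# One ComboFix service/driver line:
#   <R|S><start type> <service name>;<display name>;<image path> [<date> <size>]
# R = running, S = stopped; the digit is the Windows service start type
# (2 = automatic, 3 = manual, 4 = disabled). "[?]" means ComboFix could not
# stat the file on disk.
LINE_RE = re.compile(
    r"^(?P<state>[RS])(?P<start>\d)\s+"
    r"(?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>.+?)\s+\[(?P<meta>[^\]]*)\]\s*$"
)

# Path segments that mean "loaded from a temp directory"; the 8.3 short form
# LOCALS~1\Temp and the long form Local Settings\Temp both contain "\temp\".
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def normalize_path(path: str) -> str:
    """Return the resolved on-disk path, lower-cased, without the NT \\??\\ prefix."""
    if " --> " in path:
        # ComboFix prints "<ImagePath as registered> --> <resolved path>"; keep the latter.
        path = path.split(" --> ", 1)[1]
    if path.startswith("\\??\\"):
        path = path[4:]
    return path.strip().strip('"').lower()


def parse_service_line(line: str) -> Optional[Dict]:
    """Parse one ComboFix service/driver line into a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    meta = m.group("meta").strip()
    missing = meta == "?"
    date, size = None, None
    if not missing:
        parts = meta.split()
        if len(parts) == 2 and parts[1].isdigit():
            date, size = parts[0], int(parts[1])
    return {
        "state": m.group("state"),
        "start_type": int(m.group("start")),
        "name": m.group("name").strip(),
        "display": m.group("display").strip(),
        "path": normalize_path(m.group("path")),
        "date": date,
        "size": size,
        "file_missing": missing,
    }


def is_temp_path(path: str) -> bool:
    """True when the image sits under a temp directory (a user-writable location)."""
    p = path.lower()
    return any(marker in p for marker in TEMP_MARKERS)


def find_suspicious(log_text: str) -> List[Dict]:
    """Flag services/drivers whose image is in a temp folder or was not found on disk."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = []
        if is_temp_path(entry["path"]):
            reasons.append("image path is under a temp directory")
            if entry["path"].endswith(".sys"):
                reasons.append("kernel driver registered from a user-writable location")
        if entry["file_missing"]:
            reasons.append("file not present at scan time ([?])")
        if reasons:
            entry["reasons"] = reasons
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_LOG):
        print(f"{e['state']}{e['start_type']} {e['name']}: {e['path']}")
        for r in e["reasons"]:
            print("    -", r)
```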

Hello AdvancedSetup

Followed instructions ... computer did the sort of things you mentioned and finally rebooted but stopped on the Windows login screen ... I left the computer for ~2 hours, by which time there was no activity (i.e. neither drive lights nor disk sounds were observed).

I notice you flagged the OGAVerify.exe ... I took it for granted that was a legit process to do with "Office Genuine Advantage" ... obviously not. Can you advise how/if this program/process may have compromised my system ... is it a keylogger or other?

Logged back in and ComboFix blue screen returned advising not to start any programs ... well the Westnet monitor, Norton 360, and other start up programs re-started as on a normal startup ... hopefully this has not skewed the ComboFix results/logs which were generated in the next 3 or so minutes, which follow:

ComboFix 09-02-12.03 - Frank 2009-02-13 19:47:28.2 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2471 [GMT 9:00]

Running from: c:\documents and settings\Frank\Desktop\ComboFix.exe

Command switches used :: c:\documents and settings\Frank\Desktop\CFscript.txt

AV: Norton 360 *On-access scanning disabled* (Updated)

FW: Norton 360 *disabled*

* Created a new restore point

FILE ::

c:\docume~1\Frank\LOCALS~1\Temp\gkmixern.sys

c:\docume~1\Frank\LOCALS~1\Temp\ZDSVNXJP.exe

c:\windows\system32\drivers\Lbd.sys

c:\windows\system32\OGAVerify.exe

c:\windows\Tasks\OGADaily.job

c:\windows\Tasks\OGALogon.job

.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

.

c:\windows\system32\drivers\Lbd.sys

c:\windows\system32\OGAVerify.exe

c:\windows\Tasks\OGADaily.job

c:\windows\Tasks\OGALogon.job

.

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.

-------\Legacy_GKMIXERN

-------\Legacy_LBD

-------\Legacy_ZDSVNXJP

-------\Service_gkmixern

-------\Service_Lbd

-------\Service_ZDSVNXJP

((((((((((((((((((((((((( Files Created from 2009-01-13 to 2009-02-13 )))))))))))))))))))))))))))))))

.

2009-02-04 11:49 . 2009-02-04 11:49 <DIR> d-------- c:\documents and settings\Frank\Application Data\ArcSoft

2009-02-04 11:31 . 2009-02-04 11:36 <DIR> d-------- c:\documents and settings\Frank\Application Data\EPSON

2009-02-04 11:29 . 2009-02-04 11:49 <DIR> d-------- c:\documents and settings\Frank\Application Data\Smart Panel

2009-02-01 11:18 . 2009-02-01 11:18 <DIR> d-------- c:\documents and settings\Frank\Application Data\Media Player Classic

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2017-10-17 00:30 --------- d-----w c:\documents and settings\All Users\Application Data\CyberLink

2017-10-17 00:29 --------- d-----w c:\program files\CyberLink

2017-10-17 00:21 --------- d-----w c:\program files\Nero

2017-10-16 23:59 --------- d-----w c:\program files\microsoft frontpage

2009-02-13 10:51 --------- d-----w c:\program files\Common Files\Symantec Shared

2009-02-13 09:35 --------- d---a-w c:\documents and settings\All Users\Application Data\TEMP

2009-02-13 09:15 --------- d-----w c:\program files\Norton Security Scan

2009-02-13 06:57 --------- d-----w c:\documents and settings\All Users\Application Data\OPEN Networks

2009-02-13 00:27 --------- d-----w c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy

2009-02-12 07:25 --------- d-----w c:\program files\Malwarebytes' Anti-Malware

2009-02-12 06:00 --------- d-----w c:\program files\Uniblue

2009-02-12 03:00 --------- d-----w c:\documents and settings\Frank\Application Data\GetRight Pro

2009-02-12 02:12 --------- d-----w c:\program files\Westnet

2009-02-12 01:21 --------- d-----w c:\program files\SpywareBlaster

2009-02-12 00:32 --------- d-----w c:\program files\Java

2009-02-11 01:19 38,496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys

2009-02-11 01:19 15,504 ----a-w c:\windows\system32\drivers\mbam.sys

2009-02-11 00:04 --------- d--h--w c:\program files\InstallShield Installation Information

2009-02-11 00:04 --------- d-----w c:\program files\EPSON

2009-02-10 13:38 --------- d-----w c:\program files\Sierra

2009-02-04 02:35 --------- d-----w c:\program files\Smart Panel

2009-02-03 23:17 --------- d-----w c:\program files\Spybot - Search & Destroy

2009-02-02 10:27 --------- d-----w c:\program files\Reference Assemblies

2009-02-02 10:27 --------- d-----w c:\program files\MSBuild

2009-02-01 09:19 --------- d-----w c:\program files\Common Files\Wise Installation Wizard

2009-02-01 09:18 --------- d-----w c:\program files\AGEIA Technologies

2009-02-01 02:16 --------- d-----w c:\program files\K-Lite Codec Pack

2009-02-01 01:00 --------- d-----w c:\documents and settings\Frank\Application Data\IGN_DLM

2009-01-28 06:00 --------- d-----w c:\program files\InterActual

2009-01-28 01:04 15,616 ----a-w c:\windows\system32\drivers\Dbgv.sys

2009-01-27 04:59 --------- d-----w c:\program files\Defraggler

2009-01-27 04:58 --------- d-----w c:\program files\Recuva

2009-01-26 03:13 --------- d-----w c:\program files\QuickTime

2009-01-26 03:13 --------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer

2009-01-23 05:06 --------- d-----w c:\program files\Ubisoft

2009-01-21 09:27 --------- dc-h--w c:\documents and settings\All Users\Application Data\{83C91755-2546-441D-AC40-9A6B4B860800}

2009-01-21 09:27 --------- d-----w c:\program files\Lavasoft

2009-01-19 01:08 --------- d-----w c:\program files\MSECache

2009-01-14 23:19 6,301,248 ----a-w c:\windows\system32\drivers\nv4_mini.sys

2009-01-06 02:16 806 ----a-w c:\windows\system32\drivers\SYMEVENT.INF

2009-01-06 02:16 124,464 ----a-w c:\windows\system32\drivers\SYMEVENT.SYS

2009-01-06 02:16 10,635 ----a-w c:\windows\system32\drivers\SYMEVENT.CAT

2009-01-06 02:16 --------- d-----w c:\program files\Symantec

2009-01-04 08:54 18,048 ----a-w c:\windows\system32\drivers\lirsgt.sys

2009-01-04 08:54 165,376 ----a-w c:\windows\system32\drivers\atksgt.sys

2009-01-03 02:56 --------- d-----w c:\program files\SCi Games

2009-01-02 05:36 --------- d-----w c:\documents and settings\Frank\Application Data\Ahead

2009-01-02 00:23 --------- d-----w c:\documents and settings\All Users\Application Data\Symantec

2008-12-31 06:00 --------- d-----w c:\program files\2015

2008-12-30 02:18 --------- d-----w c:\program files\Download Manager

2008-12-28 14:34 --------- d-----w c:\documents and settings\Frank\Application Data\WebRenderer

2008-12-28 08:47 --------- d-----w c:\program files\CCleaner

2008-12-21 12:57 --------- d-----w c:\program files\GetRight

2008-12-19 06:57 98,304 ----a-w c:\windows\system32CmdLineExt.dll

2008-12-19 06:29 --------- d-----w c:\documents and settings\Eva\Application Data\Symantec

2008-12-19 04:05 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller

2008-12-19 04:05 --------- d-----w c:\program files\Windows Live

2008-12-19 03:58 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller

2008-12-19 01:13 --------- d-----w c:\program files\EA GAMES

2008-12-19 00:43 --------- d-----w c:\program files\Air Conflicts

2008-12-19 00:10 --------- d--h--r c:\documents and settings\Frank\Application Data\SecuROM

2008-12-18 23:12 --------- d-----w c:\program files\THQ

2008-12-18 22:34 --------- d-----w c:\program files\GameSpy Arcade

2008-12-18 21:21 --------- d-----w c:\documents and settings\Frank\Application Data\InstallShield

2008-12-18 20:34 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files

2008-12-18 20:27 --------- d-----w c:\program files\activePDF

2008-12-18 19:24 --------- d-----w c:\program files\Canon

2008-12-18 19:00 --------- d-----w c:\program files\Apple Software Update

2008-12-18 18:59 --------- d-----w c:\documents and settings\All Users\Application Data\Apple

2008-12-18 18:58 --------- d-----w c:\documents and settings\Frank\Application Data\Apple Computer

2008-12-18 18:29 --------- d-----w c:\documents and settings\All Users\Application Data\Lavasoft

2008-12-18 17:51 --------- d-----w c:\documents and settings\All Users\Application Data\UDL

2008-12-18 17:50 --------- d-----w c:\program files\ABBYY FineReader 5.0 Sprint

2008-12-18 17:49 --------- d-----w c:\program files\ArcSoft

2008-12-18 02:57 --------- d-----w c:\documents and settings\All Users\Application Data\Ahead

2008-12-18 02:56 --------- d-----w c:\program files\Common Files\Ahead

2008-12-18 02:55 --------- d-----w c:\documents and settings\All Users\Application Data\Nero

2008-12-18 00:24 --------- d-----w c:\program files\Common Files\Adobe

2008-12-17 23:57 --------- d-----w c:\program files\filehippo.com

2008-12-17 23:20 --------- d-----w c:\program files\Google

2008-12-17 23:09 --------- d-----w c:\program files\Britannica 2006

2008-12-17 23:07 --------- d--h--w c:\program files\Zero G Registry

2008-12-17 22:11 --------- d-----w c:\program files\Microsoft Encarta

2008-12-17 19:39 --------- d-----w c:\documents and settings\Frank\Application Data\OfficeUpdate12

2008-12-17 18:17 --------- d-----w c:\documents and settings\Frank\Application Data\Symantec

2008-12-17 18:13 --------- d-----w c:\program files\Norton 360

2008-12-17 17:51 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}

2008-12-17 17:30 --------- d-----w c:\program files\Windows Sidebar

2008-12-17 17:25 --------- d-----w c:\documents and settings\All Users\Application Data\Trend Micro

2008-12-17 08:35 --------- d-----w c:\program files\DirectX_Nov2008

2008-12-17 04:00 --------- d-----w c:\documents and settings\All Users\Application Data\Office Genuine Advantage

2008-12-17 00:59 --------- d-----w c:\documents and settings\Frank\Application Data\Malwarebytes

2008-12-15 21:42 --------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes

2008-12-15 19:44 --------- d-----w c:\program files\SEGA

2008-12-15 18:47 --------- d-----w c:\program files\Microsoft Works

2008-12-15 18:43 --------- d-----w c:\program files\Common Files\L&H

2008-12-15 18:42 --------- d-----w c:\program files\Microsoft ActiveSync

2008-12-15 18:41 --------- d-----w c:\program files\Microsoft.NET

2008-12-13 22:24 --------- d-----w c:\program files\Optional Software for XP

2008-12-13 19:14 --------- d-----w c:\program files\MSXML 4.0

2008-06-05 20:18 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat

.

((((((((((((((((((((((((((((( SnapShot@2009-02-13_ 9.39.42.82 )))))))))))))))))))))))))))))))))))))))))

.

+ 2005-10-20 11:02:28 163,328 ----a-w c:\windows\ERDNT\subs\ERDNT.EXE

- 2009-02-12 14:34:09 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

+ 2009-02-13 10:01:14 16,384 ----a-w c:\windows\system32\config\systemprofile\Cookies\index.dat

- 2009-02-12 14:34:09 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

+ 2009-02-13 10:01:14 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat

- 2009-02-12 14:34:09 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

+ 2009-02-13 10:01:14 32,768 ----a-w c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat

- 2009-02-12 23:07:17 72,302 ----a-w c:\windows\system32\perfc009.dat

+ 2009-02-13 10:55:59 72,302 ----a-w c:\windows\system32\perfc009.dat

- 2009-02-12 23:07:17 444,362 ----a-w c:\windows\system32\perfh009.dat

+ 2009-02-13 10:55:59 444,362 ----a-w c:\windows\system32\perfh009.dat

+ 2009-02-13 10:51:54 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_290.dat

+ 2009-02-13 10:51:19 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_600.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayExcluded]

@="{4433A54A-1AC8-432F-90FC-85F045CF383C}"

[HKEY_CLASSES_ROOT\CLSID\{4433A54A-1AC8-432F-90FC-85F045CF383C}]

2008-11-01 05:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayPending]

@="{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}"

[HKEY_CLASSES_ROOT\CLSID\{F17C0B1E-EF8E-4AD4-8E1B-7D7E8CB23225}]

2008-11-01 05:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\OverlayProtected]

@="{476D0EA3-80F9-48B5-B70B-05E677C9C148}"

[HKEY_CLASSES_ROOT\CLSID\{476D0EA3-80F9-48B5-B70B-05E677C9C148}]

2008-11-01 05:24 576352 --a------ c:\program files\Common Files\Symantec Shared\Backup\buShell.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Uniblue ProcessQuickLink 2"="c:\program files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe" [2008-04-03 655640]

"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-11-08 141848]

"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-11-08 166424]

"Persistence"="c:\windows\system32\igfxpers.exe" [2007-11-08 137752]

"SMSERIAL"="c:\program files\Motorola\SMSERIAL\sm56hlpr.exe" [2007-01-30 638976]

"HDAudDeck"="c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe" [2008-02-26 29757440]

"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2009-01-15 13680640]

"ccApp"="c:\program files\Common Files\Symantec Shared\ccApp.exe" [2008-10-18 51048]

"osCheck"="c:\program files\Norton 360\osCheck.exe" [2008-02-26 988512]

"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]

"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-05-29 570664]

"EPSON Stylus Photo RX510"="c:\windows\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE" [2003-09-12 99840]

"Ad-Watch"="c:\program files\Lavasoft\Ad-Aware\AAWTray.exe" [2009-01-30 509784]

"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2009-01-15 86016]

"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-01-05 413696]

"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-02-12 148888]

"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 c:\windows\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2007-10-11 c:\windows\SkyTel.exe]

"nwiz"="nwiz.exe" [2009-01-15 c:\windows\system32\nwiz.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\

Service Centre.lnk - c:\program files\Westnet\iConnect\launcher.exe [2009-02-12 791976]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Lavasoft Ad-Aware Service]

@="Service"

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

backup=c:\windows\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]

path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk

backup=c:\windows\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]

--a------ 2008-01-23 04:13 152872 c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]

--a------ 2008-05-29 01:27 570664 c:\program files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

--a------ 2009-01-05 16:18 413696 c:\program files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]

--a------ 2004-11-03 12:24 32768 c:\program files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]

--a------ 2009-02-12 11:07 148888 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]

--a------ 2009-01-15 08:19 1657376 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]

"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"c:\\WINDOWS\\system32\\sessmgr.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

"c:\\WINDOWS\\Network Diagnostic\\xpnetdiag.exe"=

"c:\\Program Files\\Messenger\\Msmsgs.exe"=

"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=

"c:\\Documents and Settings\\Frank\\Local Settings\\temp\\iCBB_04_19 R14-47 WESTNET B01 Monitor Temporary Items\\monSvr.exe"=

R2 Lavasoft Ad-Aware Service;Lavasoft Ad-Aware Service;c:\program files\Lavasoft\Ad-Aware\AAWService.exe [2009-01-19 950096]

R2 LiveUpdate Notice;LiveUpdate Notice;c:\program files\Common Files\Symantec Shared\CCSVCHST.EXE [2008-02-19 149352]

R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [2008-12-18 99376]

R3 L1e;Miniport Driver for Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller;c:\windows\system32\drivers\l1e51x86.sys [2008-12-14 38400]

R3 VIAHdAudAddService;VIA High Definition Audio Driver Service;c:\windows\system32\drivers\viahduaa.sys [2008-12-14 222976]

S3 AtcL002;NDIS Miniport Driver for Atheros L2 Fast Ethernet Controller;c:\windows\system32\drivers\l251x86.sys [2008-06-04 30720]

S3 COH_Mon;COH_Mon;c:\windows\system32\drivers\COH_Mon.sys [2008-01-13 23888]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - COMHOST

*Deregistered* - uphcleanhlp

.

Contents of the 'Scheduled Tasks' folder

2009-02-09 c:\windows\Tasks\Ad-Aware Update (Weekly).job

- c:\program files\Lavasoft\Ad-Aware\Ad-AwareAdmin.exe [2009-01-31 22:03]

2009-02-03 c:\windows\Tasks\AppleSoftwareUpdate.job

- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-31 05:34]

2009-02-13 c:\windows\Tasks\Norton Security Scan for Frank.job

- c:\program files\Norton Security Scan\Nss.exe [2008-09-19 21:18]

.

.

------- Supplementary Scan -------

.

uStart Page = hxxp://www.google.com.au/

mStart Page = hxxp://www.mywestnet.com.au/

uInternet Connection Wizard,ShellNext = "c:\program files\Outlook Express\msimn.exe"

uInternet Settings,ProxyOverride = <local>

IE: Download with GetRight Pro - c:\program files\GetRight\GRdownload.htm

IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

IE: Open with GetRight Pro Browser - c:\program files\GetRight\GRbrowse.htm

.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-13 21:30:32

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run

HDAudDeck = c:\program files\VIA\VIAudioi\HDADeck\HDeck.exe 1????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1644491937-1614895754-682003330-1007\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]

"??"=hex:b2,05,e2,fb,dc,71,5e,2d,6b,90,0e,37,3f,b0,73,95,37,62,c6,4e,d0,b9,80,

1b,90,05,1d,c2,c4,d1,ae,1e,e3,a0,db,6f,21,56,08,cc,3e,29,22,fd,a4,fa,5f,a4,\

"??"=hex:e2,06,90,c3,a9,ab,f7,ca,1c,f7,63,d7,3e,f2,89,5d

.

------------------------ Other Running Processes ------------------------

.

c:\program files\Common Files\Symantec Shared\ccProxy.exe

c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe

c:\program files\Java\jre6\bin\jqs.exe

c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

c:\windows\system32\nvsvc32.exe

c:\windows\system32\IoctlSvc.exe

c:\program files\UPHClean\uphclean.exe

c:\program files\Canon\CAL\CALMAIN.exe

c:\windows\system32\wbem\unsecapp.exe

c:\windows\system32\rundll32.exe

c:\docume~1\Frank\LOCALS~1\temp\iCBB_04_19 R14-47 WESTNET B01 Monitor Temporary Items\monSvr.exe

c:\windows\system32\wscntfy.exe

.

**************************************************************************

.

Completion time: 2009-02-13 21:35:02 - machine was rebooted

ComboFix-quarantined-files.txt 2009-02-13 12:34:59

ComboFix2.txt 2009-02-13 00:40:34

Pre-Run: 309,017,575,424 bytes free

Post-Run: 308,912,472,064 bytes free

304 --- E O F --- 2009-02-02 09:01:56

After I send this I'll shut down IE and run LopSD.exe (I'll disable antivirus and disconnect from the internet).

I already have that version of CCleaner on my system ... I don't use those add-ons you said to uncheck ... I'll assume it's OK to run my copy with adjustments you have indicated ... unless I hear from you otherwise before I get to it.

Thanks for your assistance.


Here is the LopSD log.

Just to note, the files (webpages, PDF and URLs) under Cracks & KeyGens are, in my opinion, OK.

On the topic of the Hosts file (which to me, a non-IT guy, is like a phone number linked to an address): when I immunise Global Hosts with Spybot I get a "vulnerability" when I run the Norton 360 Security Inspector that is "repaired" by Norton 360 ... then when I check back on Spybot the immunisation for Global Hosts is unchecked. As an expert in this field, am I better off relying on Spybot's immunisation and not running N360 SI, or vice versa?

--------------------\\ Lop S&D 4.2.5-0 XP/Vista

Microsoft Windows XP Professional ( v5.1.2600 ) Service Pack 3

X86-based PC ( Multiprocessor Free : Intel Pentium III Xeon processor )

BIOS : BIOS Date: 07/09/08 09:28:35 Ver: 08.00.12

USER : Frank ( Administrator )

BOOT : Normal boot

Antivirus : Norton 360 2007 (Not Activated)

Firewall : Norton 360 2007 (Not Activated)

C:\ (Local Disk) - NTFS - Total:465 Go (Free:287 Go)

D:\ (CD or DVD) - CDFS - Total:4 Go (Free:0 Go)

F:\ (USB)

G:\ (USB)

H:\ (USB)

I:\ (USB)

"C:\Lop SD" ( MAJ : 19-12-2008|23:40 )

Option : [1] ( Fri 13/02/2009|22:00 )

--------------------\\ Listing folders in APPLIC~1

[05/06/2008|02:24] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Adobe

[17/10/2017|08:59] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Identities

[05/06/2008|01:52] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Microsoft

[05/06/2008|08:41] C:\DOCUME~1\ADMINI~1\APPLIC~1\<DIR> Sun

[18/12/2008|02:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {3276BE95_AF08_429F_A64F_CA64CB79BCF6}

[21/01/2009|06:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> {83C91755-2546-441D-AC40-9A6B4B860800}

[18/12/2008|09:24] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Adobe

[18/12/2008|11:57] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Ahead

[19/12/2008|03:59] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple

[26/01/2009|12:13] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Apple Computer

[17/10/2017|09:30] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> CyberLink

[19/12/2008|05:34] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Kaspersky Lab Setup Files

[19/12/2008|03:29] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Lavasoft

[16/12/2008|06:42] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Malwarebytes

[19/12/2008|01:05] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Microsoft

[18/12/2008|11:55] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Nero

[17/12/2008|01:00] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Office Genuine Advantage

[13/02/2009|09:31] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> OPEN Networks

[13/02/2009|09:27] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Spybot - Search & Destroy

[02/01/2009|09:23] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Symantec

[13/02/2009|06:35] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> TEMP

[18/12/2008|02:25] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Trend Micro

[19/12/2008|02:51] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> UDL

[14/12/2008|04:39] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> Windows Genuine Advantage

[19/12/2008|12:58] C:\DOCUME~1\ALLUSE~1\APPLIC~1\<DIR> WLInstaller

[05/06/2008|02:24] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Adobe

[17/10/2017|08:59] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Identities

[05/06/2008|01:52] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Microsoft

[05/06/2008|08:41] C:\DOCUME~1\DEFAUL~1\APPLIC~1\<DIR> Sun

[19/12/2008|03:29] C:\DOCUME~1\Eva\APPLIC~1\<DIR> Adobe

[17/10/2017|08:59] C:\DOCUME~1\Eva\APPLIC~1\<DIR> Identities

[19/12/2008|03:29] C:\DOCUME~1\Eva\APPLIC~1\<DIR> Macromedia

[05/06/2008|01:52] C:\DOCUME~1\Eva\APPLIC~1\<DIR> Microsoft

[05/06/2008|08:41] C:\DOCUME~1\Eva\APPLIC~1\<DIR> Sun

[19/12/2008|03:29] C:\DOCUME~1\Eva\APPLIC~1\<DIR> Symantec

[10/02/2009|11:27] C:\DOCUME~1\Frank\APPLIC~1\<DIR> Adobe

[02/01/2009|02:36] C:\DOCUME~1\Frank\APPLIC~1\<DIR> Ahead

[19/12/2008|03:58] C:\DOCUME~1\Frank\APPLIC~1\<DIR> Apple Computer

[04/02/2009|11:49] C:\DOCUME~1\Frank\APPLIC~1\<DIR> ArcSoft

[04/02/2009|11:36] C:\DOCUME~1\Frank\APPLIC~1\<DIR> EPSON

[12/02/2009|12:00] C:\DOCUME~1\Frank\APPLIC~1\<DIR> GetRight Pro

[18/12/2008|08:21] C:\DOCUME~1\Frank\APPLIC~1\<DIR> Google

[17/10/2017|08:59] C:\DOCUME~1\Frank\APPLIC~1\<DIR> Identities

[01/02/2009|10:00] C:\DOCUME~1\Frank\APPLIC~1\<DIR> IGN_DLM

[19/12/2008|06:21] C:\DOCUME~1\Frank\APPLIC~1\<DIR> InstallShield

[17/12/2008|12:38] C:\DOCUME~1\Frank\APPLIC~1\<DIR> Macromedia

[17/12/2008|09:59] C:\DOCUME~1\Frank\APPLIC~1\<DIR> Malwarebytes

[01/02/2009|11:18] C:\DOCUME~1\Frank\APPLIC~1\<DIR> Media Player Classic

[06/02/2009|04:08] C:\DOCUME~1\Frank\APPLIC~1\<DIR> Microsoft

[18/12/2008|08:10] C:\DOCUME~1\Frank\APPLIC~1\<DIR> Mozilla

[18/12/2008|04:39] C:\DOCUME~1\Frank\APPLIC~1\<DIR> OfficeUpdate12

[19/12/2008|09:10] C:\DOCUME~1\Frank\APPLIC~1\<DIR> SecuROM

[04/02/2009|11:49] C:\DOCUME~1\Frank\APPLIC~1\<DIR> Smart Panel

[05/06/2008|08:41] C:\DOCUME~1\Frank\APPLIC~1\<DIR> Sun

[18/12/2008|03:17] C:\DOCUME~1\Frank\APPLIC~1\<DIR> Symantec

[28/12/2008|11:34] C:\DOCUME~1\Frank\APPLIC~1\<DIR> WebRenderer

[26/12/2008|09:57] C:\DOCUME~1\Frank\APPLIC~1\<DIR> WinRAR

[23/12/2008|02:40] C:\DOCUME~1\LOCALS~1\APPLIC~1\<DIR> Microsoft

[17/10/2017|09:02] C:\DOCUME~1\NETWOR~1\APPLIC~1\<DIR> Microsoft

--------------------\\ Scheduled Tasks located in C:\WINDOWS\Tasks

[13/02/2009 07:51 PM][--ah-----] C:\WINDOWS\tasks\SA.DAT

[27/07/2007 09:00 PM][-rah-----] C:\WINDOWS\tasks\desktop.ini

[09/02/2009 06:33 PM][--a------] C:\WINDOWS\tasks\Ad-Aware Update (Weekly).job

[13/02/2009 06:15 PM][--a------] C:\WINDOWS\tasks\Norton Security Scan for Frank.job

[04/02/2009 08:20 AM][--a------] C:\WINDOWS\tasks\AppleSoftwareUpdate.job

--------------------\\ Listing Folders in C:\Program Files

[31/12/2008|03:00] C:\Program Files\<DIR> 2015

[19/12/2008|02:50] C:\Program Files\<DIR> ABBYY FineReader 5.0 Sprint

[19/12/2008|05:27] C:\Program Files\<DIR> activePDF

[18/12/2008|09:24] C:\Program Files\<DIR> Adobe

[01/02/2009|06:18] C:\Program Files\<DIR> AGEIA Technologies

[19/12/2008|09:43] C:\Program Files\<DIR> Air Conflicts

[19/12/2008|04:00] C:\Program Files\<DIR> Apple Software Update

[19/12/2008|02:49] C:\Program Files\<DIR> ArcSoft

[18/12/2008|08:09] C:\Program Files\<DIR> Britannica 2006

[19/12/2008|04:24] C:\Program Files\<DIR> Canon

[28/12/2008|05:47] C:\Program Files\<DIR> CCleaner

[13/02/2009|07:48] C:\Program Files\<DIR> Common Files

[17/10/2017|08:56] C:\Program Files\<DIR> ComPlus Applications

[17/10/2017|09:29] C:\Program Files\<DIR> CyberLink

[27/01/2009|01:59] C:\Program Files\<DIR> Defraggler

[17/12/2008|05:35] C:\Program Files\<DIR> DirectX_Nov2008

[30/12/2008|11:18] C:\Program Files\<DIR> Download Manager

[19/12/2008|10:13] C:\Program Files\<DIR> EA GAMES

[11/02/2009|09:04] C:\Program Files\<DIR> EPSON

[18/12/2008|08:57] C:\Program Files\<DIR> filehippo.com

[19/12/2008|07:34] C:\Program Files\<DIR> GameSpy Arcade

[21/12/2008|09:57] C:\Program Files\<DIR> GetRight

[18/12/2008|08:20] C:\Program Files\<DIR> Google

[11/02/2009|09:04] C:\Program Files\<DIR> InstallShield Installation Information

[04/06/2008|09:11] C:\Program Files\<DIR> Intel

[28/01/2009|03:00] C:\Program Files\<DIR> InterActual

[11/02/2009|10:10] C:\Program Files\<DIR> Internet Explorer

[12/02/2009|09:32] C:\Program Files\<DIR> Java

[01/02/2009|11:16] C:\Program Files\<DIR> K-Lite Codec Pack

[21/01/2009|06:27] C:\Program Files\<DIR> Lavasoft

[12/02/2009|04:25] C:\Program Files\<DIR> Malwarebytes' Anti-Malware

[14/12/2008|04:09] C:\Program Files\<DIR> Messenger

[16/12/2008|03:42] C:\Program Files\<DIR> Microsoft ActiveSync

[14/12/2008|04:09] C:\Program Files\<DIR> Microsoft CAPICOM 2.1.0.2

[18/12/2008|07:11] C:\Program Files\<DIR> Microsoft Encarta

[17/10/2017|08:59] C:\Program Files\<DIR> microsoft frontpage

[19/01/2009|10:08] C:\Program Files\<DIR> Microsoft Office

[16/12/2008|03:42] C:\Program Files\<DIR> Microsoft Visual Studio

[16/12/2008|03:47] C:\Program Files\<DIR> Microsoft Works

[16/12/2008|03:41] C:\Program Files\<DIR> Microsoft.NET

[05/06/2008|08:39] C:\Program Files\<DIR> Motorola

[06/06/2008|04:26] C:\Program Files\<DIR> Movie Maker

[02/02/2009|07:27] C:\Program Files\<DIR> MSBuild

[19/01/2009|10:08] C:\Program Files\<DIR> MSECache

[17/10/2017|08:56] C:\Program Files\<DIR> MSN

[17/10/2017|08:56] C:\Program Files\<DIR> MSN Gaming Zone

[14/12/2008|04:14] C:\Program Files\<DIR> MSXML 4.0

[17/10/2017|09:21] C:\Program Files\<DIR> Nero

[06/06/2008|04:23] C:\Program Files\<DIR> NetMeeting

[18/12/2008|03:13] C:\Program Files\<DIR> Norton 360

[13/02/2009|06:15] C:\Program Files\<DIR> Norton Security Scan

[17/10/2017|08:56] C:\Program Files\<DIR> Online Services

[14/12/2008|07:24] C:\Program Files\<DIR> Optional Software for XP

[06/06/2008|04:23] C:\Program Files\<DIR> Outlook Express

[26/01/2009|12:13] C:\Program Files\<DIR> QuickTime

[04/06/2008|09:24] C:\Program Files\<DIR> Realtek

[27/01/2009|01:58] C:\Program Files\<DIR> Recuva

[02/02/2009|07:27] C:\Program Files\<DIR> Reference Assemblies

[03/01/2009|11:56] C:\Program Files\<DIR> SCi Games

[16/12/2008|04:44] C:\Program Files\<DIR> SEGA

[10/02/2009|10:38] C:\Program Files\<DIR> Sierra

[04/02/2009|11:35] C:\Program Files\<DIR> Smart Panel

[04/02/2009|08:17] C:\Program Files\<DIR> Spybot - Search & Destroy

[12/02/2009|10:21] C:\Program Files\<DIR> SpywareBlaster

[06/01/2009|11:16] C:\Program Files\<DIR> Symantec

[19/12/2008|08:12] C:\Program Files\<DIR> THQ

[23/01/2009|02:06] C:\Program Files\<DIR> Ubisoft

[12/02/2009|03:00] C:\Program Files\<DIR> Uniblue

[17/10/2017|09:02] C:\Program Files\<DIR> Uninstall Information

[14/12/2008|04:07] C:\Program Files\<DIR> UPHClean

[14/12/2008|03:43] C:\Program Files\<DIR> VIA

[12/02/2009|11:12] C:\Program Files\<DIR> Westnet

[14/12/2008|04:07] C:\Program Files\<DIR> Windows Journal Viewer

[19/12/2008|01:05] C:\Program Files\<DIR> Windows Live

[14/12/2008|04:08] C:\Program Files\<DIR> Windows Media Connect 2

[14/12/2008|04:08] C:\Program Files\<DIR> Windows Media Player

[06/06/2008|04:23] C:\Program Files\<DIR> Windows NT

[18/12/2008|02:30] C:\Program Files\<DIR> Windows Sidebar

[17/10/2017|08:57] C:\Program Files\<DIR> WindowsUpdate

[26/12/2008|09:56] C:\Program Files\<DIR> WinRAR

[19/12/2008|05:23] C:\Program Files\<DIR> WinZip

[17/10/2017|08:59] C:\Program Files\<DIR> xerox

[18/12/2008|08:07] C:\Program Files\<DIR> Zero G Registry

--------------------\\ Listing Folders in C:\Program Files\Common Files

[18/12/2008|09:24] C:\Program Files\Common Files\<DIR> Adobe

[18/12/2008|11:56] C:\Program Files\Common Files\<DIR> Ahead

[16/12/2008|03:42] C:\Program Files\Common Files\<DIR> DESIGNER

[14/12/2008|03:43] C:\Program Files\Common Files\<DIR> InstallShield

[16/12/2008|03:43] C:\Program Files\Common Files\<DIR> L&H

[19/12/2008|01:05] C:\Program Files\Common Files\<DIR> Microsoft Shared

[17/10/2017|08:57] C:\Program Files\Common Files\<DIR> MSSoap

[17/10/2017|01:53] C:\Program Files\Common Files\<DIR> ODBC

[17/10/2017|08:57] C:\Program Files\Common Files\<DIR> Services

[17/10/2017|01:53] C:\Program Files\Common Files\<DIR> SpeechEngines

[13/02/2009|10:00] C:\Program Files\Common Files\<DIR> Symantec Shared

[16/12/2008|03:42] C:\Program Files\Common Files\<DIR> System

[19/12/2008|01:05] C:\Program Files\Common Files\<DIR> WindowsLiveInstaller

[01/02/2009|06:19] C:\Program Files\Common Files\<DIR> Wise Installation Wizard

--------------------\\ Process

( 36 Processes )

... OK !

--------------------\\ Searching with S_Lop

No Lop folder found !

--------------------\\ Searching for Lop Files - Folders

No Lop folder found !

--------------------\\ Searching within the Registry

..... OK !

--------------------\\ Checking the Hosts file

Hosts file CLEAN

--------------------\\ Searching for hidden files with Catchme

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2009-02-13 22:01:10

Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden files: 0

--------------------\\ Searching for other infections

--------------------\\ Cracks & Keygens ..

C:\DOCUME~1\Frank\Favorites\Hobbies\Computer [War] Games\Specific Games\Pending\Home of the Underdogs - Entry Crack of Doom.url

C:\DOCUME~1\Frank\My Documents\Operations Magazine (Gamers)\Operations_06\Cracking the Code Stalingrad Pocket.mht

C:\DOCUME~1\Frank\My Documents\Operations Magazine (Gamers)\Operations_33\Cracking a Few Eggs DAK and North Africa 1941.mht

C:\DOCUME~1\Frank\My Documents\PC Computer Games\Brothers in Arms SERIES\Crackly Sound.... - Topic Powered by eve community.url

C:\DOCUME~1\Frank\My Documents\Wargames Database\A S L SERIES (AH & MMP)\ASL Database\Printed\S M P\CracKhar.pdf

[F:1][D:1]-> C:\DOCUME~1\Frank\LOCALS~1\Temp

[F:62][D:0]-> C:\DOCUME~1\Frank\Cookies

[F:10][D:4]-> C:\DOCUME~1\Frank\LOCALS~1\TEMPOR~1\content.IE5

[F:1][D:1]-> C:\$Recycle.Bin

1 - "C:\Lop SD\LopR_1.txt" - Fri 13/02/2009|22:01 - Option : [1]

--------------------\\ Scan completed at 22:01:42

Hope this shows good news.


  • Root Admin

Well, the logs all look good to me.

How is the computer running now?

Are there still any signs of infection?

As for the hosts file, I'm not sure, as I don't really use either product, so I'm not sure what they're trying to say or why they don't agree.

Basically, if you're not using a managed hosts file then the only entry in the file should be 127.0.0.1 localhost.

c:\windows\system32\drivers\etc\hosts, which basically is a text file that can be opened and modified with Notepad.


Hi AdvancedSetup

Tried to get the latest MBAM and HijackThis scans to you last night (Perth, WA time) but could not post to the forum (got this IE error: "HTTP 501 Not Implemented/HTTP 505 Version Not Supported") last night or earlier today ... now trying after using the Microsoft advice.

Anyway here are MBAM and HijackThis scans from this morning:

Malwarebytes' Anti-Malware 1.34

Database version: 1760

Windows 5.1.2600 Service Pack 3

14/02/2009 9:24:27 AM

mbam-log-2009-02-14 (09-24-27).txt

Scan type: Quick Scan

Objects scanned: 74102

Time elapsed: 1 minute(s), 37 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:39:07 AM, on 14/02/2009

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16791)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\Program Files\Java\jre6\bin\jqs.exe

C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\IoctlSvc.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\UPHClean\uphclean.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE

C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Java\jre6\bin\jusched.exe

C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Westnet\iConnect\launcher.exe

C:\DOCUME~1\Frank\LOCALS~1\Temp\iCBB_04_19 R14-47 WESTNET B01 Monitor Temporary Items\monSvr.exe

C:\DOCUME~1\Frank\LOCALS~1\Temp\iCBB_04_19 R14-47 WESTNET B01 Monitor Temporary Items\monitor.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Documents and Settings\Frank\My Documents\Computer & ISP\PC Utils\HiJackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mywestnet.com.au/

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: NCO 2.0 IE BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\coIEPlg.dll

O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Java Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll

O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll

O3 - Toolbar: Show Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\2.6\CoIEPlg.dll

O4 - HKLM\..\Run: [igfxTray] C:\WINDOWS\system32\igfxtray.exe

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe

O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [sMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe

O4 - HKLM\..\Run: [HDAudDeck] C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe 1

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton 360\osCheck.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [EPSON Stylus Photo RX510] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3K2.EXE /P24 "EPSON Stylus Photo RX510" /O6 "USB001" /M "Stylus Photo RX510"

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware\AAWTray.exe

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"

O4 - HKCU\..\Run: [uniblue ProcessQuickLink 2] "C:\Program Files\Uniblue\ProcessQuickLink 2\ProcessQuickLink2.exe" /autostart

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - Global Startup: Service Centre.lnk = C:\Program Files\Westnet\iConnect\launcher.exe

O8 - Extra context menu item: Download with GetRight Pro - C:\Program Files\GetRight\GRdownload.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open with GetRight Pro Browser - C:\Program Files\GetRight\GRbrowse.htm

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O14 - IERESET.INF: START_PAGE_URL=http://www.arrowcomputers.com.au

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.7.109.cab

O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab

O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1229485591656

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flash...ent/swflash.cab

O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe

O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe

O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe

O23 - Service: Lavasoft Ad-Aware Service - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\AAWService.exe

O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE

O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PLFlash DeviceIoControl Service - Prolific Technology Inc. - C:\WINDOWS\system32\IoctlSvc.exe

O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

--

End of file - 9634 bytes

Can you say (guess) on a scale of 1 (minor) to 10 (extreme) what the severity of this infection was/is and/or whether it came via IE browsing or email, both of which I'm sensible about? I'm surprised that it was not picked up by my suite of protection programs: Norton 360, Ad-Aware, Malwarebytes, Spybot, Spyware Blaster or Windows Malicious Software Remover.

I didn't notice anything particularly unusual previously ... except for the issues with MBAM 1.33 onwards scans being slow (which seems to be a conflict with Norton 360) and recently the mouse cursor freezing in one spot and needing to do a hard reset (happened about 3 times in the last week).

I had a look in the hosts file you indicated and there are literally 1000s of websites listed, the start and finish of the list look like this:

127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
# This list is Copyright 2000-2008 Safer Networking Limited
# End of entries inserted by Spybot - Search & Destroy

Thanks for ALL your help.

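The reply above says an unmanaged hosts file should contain only the localhost line, and the excerpt above shows what a Spybot-managed blocklist looks like. The following is an added example (not from the thread or from either product) that parses a hosts file in that layout and sorts entries into ones a defender expects (localhost, a marked blocklist) and ones worth a look (sinkholes nobody added, entries that block a security tool's update servers, or redirects to a non-loopback address). The Spybot start/end comment markers and the update-domain watch list are assumptions taken from the excerpt and constructed for the example.

```python
"""Classify entries in a Windows hosts file.

Added example, not from the thread. Assumptions: the file uses the layout
shown in the thread (a leading "127.0.0.1 localhost" line, then a block of
entries between "# Start of entries inserted by" and "# End of entries
inserted by" comment markers, as Spybot writes them).
"""
import ipaddress
from collections import Counter

LOOPBACK_SINKS = {"127.0.0.1", "0.0.0.0", "::1"}
# Hypothetical watch list: domains the user's tools need for updates.
# Constructed for this example; extend it for the tools you actually run.
UPDATE_DOMAINS = ("malwarebytes.org", "microsoft.com", "symantec.com",
                  "lavasoft.com", "safer-networking.org")

START_MARK = "# Start of entries inserted by"
END_MARK = "# End of entries inserted by"


def parse_hosts(text):
    """Yield (address, hostname, managed) tuples from hosts-file text.

    `managed` is True for lines inside a tool's start/end marker block.
    Inline comments are stripped; one line may map several hostnames.
    """
    managed = False
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped.startswith("#"):
            if stripped.startswith(START_MARK):
                managed = True
            elif stripped.startswith(END_MARK):
                managed = False
            continue
        parts = stripped.split("#", 1)[0].split()
        if len(parts) < 2:
            continue  # blank line or malformed entry
        address, hostnames = parts[0], parts[1:]
        for host in hostnames:
            yield address, host.lower(), managed


def classify(address, host, managed):
    """Return a category string for one hosts entry."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return "malformed"
    if host in ("localhost", "localhost.localdomain") and addr.is_loopback:
        return "localhost"
    if address in LOOPBACK_SINKS or addr.is_loopback:
        # Sinkholing a domain is expected from a managed blocklist, worth a
        # look when nobody added it, and a red flag when it silences the
        # update servers of your own security tools.
        if any(host == d or host.endswith("." + d) for d in UPDATE_DOMAINS):
            return "blocks-updates"
        return "blocklist" if managed else "unmanaged-block"
    # Any other destination silently sends the hostname somewhere else.
    return "redirect"


def audit_hosts(text):
    """Count entries per category and collect the ones worth reviewing."""
    counts = Counter()
    findings = []
    for address, host, managed in parse_hosts(text):
        cat = classify(address, host, managed)
        counts[cat] += 1
        if cat in ("redirect", "blocks-updates", "unmanaged-block", "malformed"):
            findings.append((cat, address, host))
    return counts, findings


# Constructed sample in the layout the thread shows, plus two constructed
# suspicious lines (an update-server block and a redirect) for illustration.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
# This list is Copyright 2000-2008 Safer Networking Limited
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 zyban-zocor-levitra.com
# End of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.malwarebytes.org   # constructed: would break MBAM updates
192.0.2.10 www.bank.example      # constructed: redirect to another host
"""

if __name__ == "__main__":
    counts, findings = audit_hosts(SAMPLE_HOSTS)
    print(dict(counts))
    for cat, address, host in findings:
        print(f"{cat:16} {address:12} {host}")
```

On the real file, read c:\windows\system32\drivers\etc\hosts and pass its contents to audit_hosts; a managed blocklist of thousands of lines then shows up as a single "blocklist" count, and anything in findings is what you actually need to look at.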

Hi again

I THINK the problem posting had to do with a CCleaner generated txt file of the Registry (all boxes checked) I was trying to send (I removed it and the post below went through OK ... I think it perhaps was the tab delimiting in the txt file that MAY have caused the problem ... I'm now trying by manual entry).

What I wanted to tell you was that there were some suspicious files in the Registry (yet to be cleaned, pending your advice), names from the Data column of the registry scan, as one rarely sees EXE files in there except after uninstalling software:

C:\WINDOWS\ststem32\OGAVerify.exe

C:\32788R22FWJFW\nircmd.com

C:\32788R22FWJFW\hidec.exe

C:\WINDOWS\system32\CF15193.exe

I Googled these and I was obviously infected with something ... how bad is/was this infection?

Cheers


Hmmm, you asked about strange behaviour ... well, I'm not sure HOW strange this is, but I have noticed, by observing the flashing light(s) on my router and watching the graphs on Windows Task Manager's Networking tab where I track incoming data (yellow) and outgoing (red), that occasionally of late there SOMETIMES seems to be a "bit" of extra activity outgoing even after the webpage has been loaded and "Done" and I'm not entering any data, and SOMETIMES the outgoing graph closely mirrors the incoming. This is only observed when IE is on ... and only one instance of IE is shown as running.

For the record ... I had the "taskmagr.exe" with "chinese audio" infection in December but had my computer wiped, reformatted and software reinstalled (as a precaution) ... and haven't noticed anything of that scale lately. In that case IE was running without my initiating it. Since then I've been more focussed on strange behaviour ... I'm not sure whether these recent observations are NORMAL or suspicious, especially after having gone through with the processes above ... perhaps I'm being paranoid ... I know I was after the taskmagr.exe issue! :-)

When I click on Windows Task Manager's Processes tab the activity always stops and I THINK some processes actually drop off the listing when I do this ... perhaps it's my imagination or this is normal. I do have Uniblue's Process Quicklink 2 active which allows me to see what the running processes are.

Any thoughts?


  • Root Admin

NO, very difficult to tell where you got it from, especially after the fact. These guys are pretty good at sneaking it onto boxes through various means.

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Then let's do an online scan with Panda.

PANDA ONLINE SCAN

Please go >here< to run Panda's ActiveScan

  • Once you are on the Panda site, click the Scan your PC now button
  • A new window will open...click the Scan Now button
  • Allow the ActiveX control to be installed. It will start downloading the files it requires for the scan. Note: This may take a couple of minutes
  • Run the ActiveX control, if requested. The screen will then show the scanning progress - the scan will take a while to finish. Please be patient.
  • When the scan has finished, click on Export To
  • Save the file as Activescan.txt to your Desktop
  • Close the Activescan window then go to your Desktop
  • Double-click on Activescan.txt and it will open in Notepad
  • In Notepad, click Edit > Select all, then Edit > Copy
  • Reply to this thread and click Ctrl+V to paste the log in your reply



G'day AdvancedSettings

Again thanks for your kind assistance.

The Panda scan ran for about 3 hours ... I did NOT (well, I forgot to) turn off Auto-Protect on my Norton 360 (2007 ???) while the Panda scan was on ... Kaspersky Online, which I have used in the past, notes/reminds you to turn off other AV programs. My Norton 360 is Version 2.5.0.5, SKUm: 13535445, SKUp: 13586576, SKUf: 13121381, with Protection Updates 13/02/2009 and Add-on Pack Version 2.1.0.55 (based on the info under the "About Norton 360" tab).

Anyway, here are the scan results and, interestingly, it notes that Norton 360 is "not active"?! Perhaps I should run it again with N360 disabled? Your thoughts.

;*******************************************************************************
ANALYSIS: 2009-02-14 15:58:01
PROTECTIONS: 1
MALWARE: 2
SUSPECTS: 1
;*******************************************************************************

PROTECTIONS
Description Version Active Updated
;===============================================================================
Norton 360 2007 No Yes
;===============================================================================

MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===============================================================================
00039204 adware/cws Adware No 0 Yes No c:\documents and settings\frank\favorites\health
00048526 spyware/web3000 Spyware No 0 Yes No c:\windows\hh.ico
;===============================================================================

SUSPECTS
Sent Location O
;===============================================================================
No C:\Documents and Settings\Frank\My Documents\PC Computer Games\Company of Heroes\COH_BattleoftheBulge_botb_2301.rar[battle of the Bulge.exe]
;===============================================================================

VULNERABILITIES
Id Severity Description O
;===============================================================================
;===============================================================================

I didn't mention before, and cannot recall if it showed up on the previous scans, and I'm not sure, but this file, symlcsv1.exe, is usually "resident" in Local Settings\temp after I run Norton 360 ... it shows as Version 1.9.2.84 and is described as Symantec Core Component, Copyright © 2003, and has a Verisign Class 3 Code Signing 2004 CA certificate valid from 31/10/2007 to 25/11/2010. Perhaps, as noted before, I'm getting paranoid or jumping at shadows.

I also noted two new files in Local Settings\temp after the Panda scan ... probably(?) connected with the scan:

(1) PSSysChk.log ... its content as follows:


(2) stadistic.log ... its content as follows:

HTTP status = 0

I have scanned the Company of Heroes MOD "Battle of the Bulge" RAR file with N360, Spybot and MBAM ... showing nothing.

Anyway, I patiently await your next advice.


Ooops ...here is Panda scan using Ctrl+V (I just pasted last time) ... not sure if there is a difference.



Just a note the "hh.ico" is, in thumbnail view, the Encyclopedia Britannica logo ... I do have 2006 Ultimate Reference Suite installed on my PC.

The c:\documents and settings\frank\favorites\health contains 4 URLs linking to information about heart disease and cancer, the most recent dates from January 2008.

I scanned the above with N360, Spybot and MBAM ... again showing nothing.

Perhaps "false positives"?


  • Root Admin

Yeah, none of that looks bad to me. For the hosts file it looks like you're using a managed one, which is okay and even suggested.

Just want to make sure they were not Malware entries.

At this time without going overboard scanning looking for Ghosts it doesn't look like your system is infected anymore.


Many thanks "AdvancedSetup"!

I am learning many useful things "lurking" around the MBAM forum ... and am happy to put in my 2 cents worth only if I believe it may add value ... or at the very least steer a newer "newbie" than me to the right topic. :-)

I guess we can call it "case closed".

Cheers from Downunder

Perth2008


  • Root Admin

No problem with the helping, just remember not to post in this forum helping others. All the other forums that are open you should be allowed to post in.

Great, all looks good now.

I'll close your post soon so that others don't post into it, and leave you with this information and these suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Disable and Enable System Restore-WINDOWS XP

This is a good time to clear your existing system restore points and establish a new clean restore point:

Turn off System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.
  • Reboot.

Turn ON System Restore

  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-Check *Turn off System Restore*.
  • Click Apply, and then click OK.

This will remove all restore points except the new one you just created.

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from here

Find the tutorial on how to use Spyware Blaster here

Install WinPatrol

Download it from here

Here you can find information about how WinPatrol works

Install FireTrust SiteHound

You can find information and download it from here

Install hpHosts

Download it from here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1, which is your own local computer.

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Visit Microsoft often to get the latest updates for your computer.

Note 1:

If you are running Windows XP SP2, you should upgrade to SP3.

Note 2:

Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The Windows Firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic, and this is a must.

I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting: Pre-HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here: PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know.
http://www.malwarebytes.org
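The hosts-file check discussed in this thread (a managed blocklist such as Spybot's or hpHosts sinking unwanted names to 127.0.0.1 is fine; entries that redirect names to a real address or that block security sites are the tampering to look for) as an added example, not code from the thread or from any of the tools named in it: it parses a constructed hosts file, separates the managed block from hand-added entries, and flags the two tampering patterns. PROTECTED_SUFFIXES and the sample entries are assumptions constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Addresses a blocklist (Spybot, hpHosts) legitimately points unwanted hosts at.
SINK_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}
# RFC 1918 / ULA ranges: an entry pointing here is usually the owner's own LAN host.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]
# Domains the machine must reach to stay protected; a hosts entry naming one of
# these, whether sunk or redirected, is a tampering sign. Constructed sample list.
PROTECTED_SUFFIXES = ("malwarebytes.org", "windowsupdate.com", "symantec.com",
                      "safer-networking.org")
MANAGED_START = re.compile(r"^#\s*Start of entries inserted by (.+)$")
MANAGED_END = re.compile(r"^#\s*End of entries inserted by (.+)$")


@dataclass
class HostEntry:
    line_no: int
    address: str
    hostnames: List[str]
    managed_by: Optional[str]  # blocklist tool whose block contains it, or None


@dataclass
class Finding:
    line_no: int
    kind: str
    detail: str


@dataclass
class HostsAudit:
    entries: List[HostEntry] = field(default_factory=list)
    findings: List[Finding] = field(default_factory=list)

    def managed_count(self) -> int:
        return sum(1 for e in self.entries if e.managed_by)

    def unmanaged_count(self) -> int:
        return sum(1 for e in self.entries if not e.managed_by)


def _is_protected(hostname: str) -> bool:
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in PROTECTED_SUFFIXES)


def parse_hosts(text: str) -> HostsAudit:
    """Parse hosts-file text, remembering which managed block each entry is in."""
    audit = HostsAudit()
    managed_by = None
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            start = MANAGED_START.match(line)
            if start:
                managed_by = start.group(1).strip()
            elif MANAGED_END.match(line):
                managed_by = None
            continue
        parts = line.split("#", 1)[0].split()  # drop a trailing comment
        try:
            if len(parts) < 2:
                raise ValueError("missing hostname")
            ipaddress.ip_address(parts[0])
        except ValueError as exc:
            audit.findings.append(Finding(line_no, "malformed", f"{line!r}: {exc}"))
            continue
        audit.entries.append(HostEntry(line_no, parts[0], parts[1:], managed_by))
    return audit


def audit_hosts(text: str) -> HostsAudit:
    """Flag entries that are not plain blocklist sinks, sorted by line."""
    audit = parse_hosts(text)
    for e in audit.entries:
        if e.address not in SINK_ADDRESSES:
            # A name mapped to a real address is a redirect, not a block.
            ip = ipaddress.ip_address(e.address)
            scope = "private" if any(ip in n for n in LAN_NETWORKS) else "public"
            audit.findings.append(Finding(e.line_no, f"non-sink-{scope}",
                                          f"{' '.join(e.hostnames)} -> {e.address}"))
        for h in e.hostnames:
            if _is_protected(h):
                audit.findings.append(Finding(e.line_no, "protected-redirected",
                                              f"{h} -> {e.address}"))
    audit.findings.sort(key=lambda f: f.line_no)
    return audit


# Constructed sample: a Spybot-managed block plus entries added outside it.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# Start of entries inserted by Spybot - Search & Destroy
127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
# End of entries inserted by Spybot - Search & Destroy
192.168.1.20 nas.lan   # owner's file server
203.0.113.7 www.malwarebytes.org
127.0.0.1 update.symantec.com
this is not a hosts line
"""
```

On a real machine, read the text from `%SystemRoot%\System32\drivers\etc\hosts` and pass it to `audit_hosts`; thousands of managed sink entries with no findings is the expected picture for a Spybot or hpHosts list.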


G'day AdvancedSetup,

Noted and understood regarding posting in the HijackThis forum.

Protection practices you recommend are in place and I will do another system restore while the system is running A-OK.

Again sincere thanks for your help ... as I said I thought I was "clean" ... interesting how different anti-malware programs find (or ignore) different infections ... a fascinating business you are in!

I know where to come if anything goes wrong!

Cheers mate,

Perth2008
