Infected system32\vtuts.dll file


  • Staff

Hello Mattwardinterglaze, and welcome to MalwareBytes.

My apologies for the delay. We're all volunteers, and we've been swamped.

Please download HijackThis from here.

Save it to a permanent folder (such as C:\HJT).

Next, open HijackThis, and select Do a system scan and save a logfile.

A Notepad document will open. Please post the contents of that document.

Next, please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

-screen317


Hey there, I have followed all of your instructions and have the two log files you requested. Thank you sooo much for your help, much appreciated!

Hope to hear from you soon, thanks again...Matt

Malwarebytes' Anti-Malware 1.05

Database version: 449

Scan type: Quick Scan

Objects scanned: 37394

Time elapsed: 12 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 3

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 4

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\vtuts.dll (Trojan.Vundo) -> No action taken.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{a877bbe5-f8de-4340-bcdf-54a0bdfbded8} (Trojan.Vundo) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{a877bbe5-f8de-4340-bcdf-54a0bdfbded8} (Trojan.Vundo) -> No action taken.

HKEY_CLASSES_ROOT\CLSID\{c285cf22-115f-3252-41ac-f686d912c63d} (Spyare.Passwords) -> No action taken.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\WinApp (Spyare.Passwords) -> No action taken.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtuts.dll -> No action taken.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\vtuts.dll (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\stutv.ini (Trojan.Vundo) -> No action taken.

C:\WINDOWS\system32\clipuser32.dll (Spyare.Passwords) -> No action taken.

C:\onhtp.exe (Trojan.Spambot) -> No action taken.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 4:11:57 PM, on 4/03/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\drivers\security\services.exe

C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\Program Files\PrevxCSI\prevxcsi.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\drivers\security\mssvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\System32\alg.exe

C:\WINDOWS\explorer.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\Program Files\Skype\Plugin Manager\skypePM.exe

C:\Documents and Settings\Owner\Desktop\VundoFix.exe

C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\HJT\HiJackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.pcpitstop.com/lofiversion/in...hp/t145098.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll

O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: (no name) - {A877BBE5-F8DE-4340-BCDF-54A0BDFBDED8} - C:\WINDOWS\system32\vtuts.dll

O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll

O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

O4 - HKLM\..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [startup Manager] C:\Documents and Settings\Owner\Application Data\Systweak\ASO 2\smstartUp manager.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O4 - Startup: PrevxCSI.lnk = ?

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6339968F-3669-498A-9BA6-653CD45217F0}: NameServer = 211.29.132.12,198.142.0.51

O17 - HKLM\System\CCS\Services\Tcpip\..\{8971FCB1-16B4-403B-AA00-19B076156F41}: NameServer = 211.29.132.12,198.142.0.51

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O21 - SSODL: WinApp - {C285CF22-115F-3252-41AC-F686D912C63D} - C:\WINDOWS\system32\clipuser32.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe

O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe

O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe

O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe

O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

O23 - Service: WindowsTime - Unknown owner - C:\WINDOWS\system32\drivers\security\services.exe

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif

--

End of file - 10337 bytes
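The two logs above are read by hand in this thread, but the indicators the staff reply acts on are regular enough to script. The following is an added example, not code from this thread, from Malwarebytes or from Trend Micro: a small Python triage for HijackThis v2 lines that flags a BHO registered with no name (the vtuts.dll entry), any ShellServiceObjectDelayLoad entry (the clipuser32.dll entry), a service with no vendor string running from a drivers subfolder (the WindowsTime entry), and Run entries that point into user-writable folders. It also checks the LSA Authentication Packages multi-string that MBAM flagged, against the Windows XP default of msv1_0. The sample lines are copied from the logs above; the heuristics, function names and the user-writable folder list are my own assumptions, and a hit is a lead to review, not a verdict.

```python
import re
from typing import Dict, List

# Constructed sample input: HijackThis v2 lines copied from the log in this thread,
# plus one clean O4 line for contrast. (Assumption: one entry per line, plain text.)
SAMPLE_HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A877BBE5-F8DE-4340-BCDF-54A0BDFBDED8} - C:\WINDOWS\system32\vtuts.dll
O4 - HKLM\..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe
O4 - HKCU\..\Run: [startup Manager] C:\Documents and Settings\Owner\Application Data\Systweak\ASO 2\smstartUp manager.exe
O21 - SSODL: WinApp - {C285CF22-115F-3252-41AC-F686D912C63D} - C:\WINDOWS\system32\clipuser32.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: WindowsTime - Unknown owner - C:\WINDOWS\system32\drivers\security\services.exe
"""

# Every HijackThis entry starts with a section tag such as R0, O2, O23.
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")

# Folders a user (or malware running as that user) can write to without admin
# rights on XP; a Run entry pointing here deserves a look. (My own list.)
USER_WRITABLE = ("\\application data\\", "\\local settings\\", "\\temp\\", "\\desktop\\")


def extract_path(section: str, body: str) -> str:
    """Pull the file path out of an entry body. O4 puts it after the [name] tag
    (possibly quoted, possibly followed by arguments); O2/O21/O23 put it in the
    last ' - '-separated field."""
    if section == "O4":
        after = body.split("] ", 1)[1] if "] " in body else body
        return after.strip().strip('"').split('" ')[0]
    return body.rsplit(" - ", 1)[-1].strip()


def triage(text: str) -> List[Dict[str, str]]:
    """Parse a HijackThis log and return the entries worth a second look,
    each with the reason it was flagged."""
    findings = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        path = extract_path(section, body)
        low = path.lower()
        reason = None
        if section == "O2" and "(no name)" in body:
            reason = "BHO registered without a name"
        elif section == "O21":
            reason = "ShellServiceObjectDelayLoad entry (loaded by Explorer at logon)"
        elif section == "O23" and "Unknown owner" in body and "\\drivers\\" in low:
            reason = "service with no vendor string running from a drivers subfolder"
        elif section == "O4" and any(d in low for d in USER_WRITABLE):
            reason = "Run entry pointing into a user-writable folder"
        if reason:
            findings.append({"section": section, "reason": reason, "path": path})
    return findings


# On Windows XP the multi-string HKLM\SYSTEM\CurrentControlSet\Control\Lsa\
# Authentication Packages holds the single entry msv1_0; anything appended to it
# is loaded into lsass.exe at boot, which is how the log above shows vtuts.dll.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


def check_auth_packages(values: List[str]) -> List[str]:
    """Return the Authentication Packages entries that are not the XP default.
    On a live system the list would come from winreg; it is passed in here so
    the check runs anywhere."""
    return [v for v in values if v.lower() not in DEFAULT_AUTH_PACKAGES]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f['section']:<4} {f['reason']}: {f['path']}")
    # Mirrors the 'Registry Data Items Infected' line in the MBAM log above.
    print(check_auth_packages(["msv1_0", r"c:\windows\system32\vtuts.dll"]))
```

Run against the sample it reports exactly the four entries the staff reply later targets and stays silent on the Java, NVIDIA and IntelliType lines; feeding it a full log is just a matter of reading the file into `triage`.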


  • Staff

Hi Matt,

Next we'll use ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

  • When the tool is finished, it will produce a report for you.
  • Please post the C:\ComboFix.txt along with a new HijackThis log so we may continue cleaning the system.

-screen317


Hi, I have followed all instructions and the results are:

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 5:17:38 PM, on 4/03/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\WINDOWS\system32\drivers\security\services.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\WINDOWS\system32\drivers\security\mssvc.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.pcpitstop.com/lofiversion/in...hp/t145098.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll

O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll

O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

O4 - HKLM\..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [startup Manager] C:\Documents and Settings\Owner\Application Data\Systweak\ASO 2\smstartUp manager.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6339968F-3669-498A-9BA6-653CD45217F0}: NameServer = 211.29.132.12,198.142.0.51

O17 - HKLM\System\CCS\Services\Tcpip\..\{8971FCB1-16B4-403B-AA00-19B076156F41}: NameServer = 211.29.132.12,198.142.0.51

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe

O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe

O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe

O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe

O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

O23 - Service: WindowsTime - Unknown owner - C:\WINDOWS\system32\drivers\security\services.exe

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif

--

End of file - 9676 byte

ComboFix 08-03-04.2 - Owner 2008-03-04 17:07:52.2 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1243 [GMT 11:00]

Running from: C:\Documents and Settings\Owner\My Documents\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2008-02-04 to 2008-03-04 )))))))))))))))))))))))))))))))

.

2008-03-04 16:13 . 2008-03-04 16:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-03-04 16:13 . 2008-03-04 16:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes

2008-03-04 16:13 . 2008-03-04 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-03-04 16:10 . 2008-03-04 16:12 <DIR> d-------- C:\HJT

2008-03-04 13:29 . 2008-03-04 15:00 <DIR> d-------- C:\VundoFix Backups

2008-03-04 12:37 . 2008-03-04 12:37 260,608 --a------ C:\WINDOWS\system32\sleep32.dll

2008-03-03 20:46 . 2008-03-03 20:46 <DIR> d-------- C:\Program Files\Common Files\Skype

2008-03-03 20:46 . 2008-03-04 15:30 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\skypePM

2008-03-03 20:46 . 2008-03-03 20:46 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat

2008-03-03 20:17 . 2008-03-04 17:13 <DIR> d--hs---- C:\WINDOWS\system32\drivers\security

2008-02-28 19:13 . 2008-03-03 21:25 <DIR> d-------- C:\Program Files\MagicISO

2008-02-28 19:06 . 2008-03-03 21:31 <DIR> d-------- C:\Program Files\Advanced System Optimizer

2008-02-28 10:10 . 2006-02-28 23:00 221,184 --a------ C:\WINDOWS\system32\wmpns.dll

2008-02-28 10:10 . 2008-02-28 16:06 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb

2008-02-28 10:10 . 2008-02-28 16:06 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb

2008-02-28 09:07 . 2008-02-28 09:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems

2008-02-28 09:04 . 2008-02-28 09:04 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared

2008-02-28 09:03 . 2008-02-28 09:03 <DIR> d-------- C:\WINDOWS\system32\Adobe

2008-02-28 09:03 . 2004-08-17 10:40 16,384 --a------ C:\WINDOWS\system32\FileOps.exe

2008-02-28 08:40 . 2008-02-28 08:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro

2008-02-28 08:39 . 2008-02-28 08:39 <DIR> d-------- C:\Program Files\DAEMON Tools Pro

2008-02-28 08:39 . 2008-02-28 08:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DAEMON Tools Pro

2008-02-23 11:38 . 2008-03-03 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet

2008-02-23 10:47 . 2008-02-23 10:47 <DIR> d-------- C:\Program Files\Bonjour

2008-02-23 10:39 . 2008-02-23 10:39 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared

2008-02-22 14:03 . 2008-03-03 20:40 <DIR> d-------- C:\Program Files\Common Files\Adobe

2008-02-19 18:23 . 2008-02-19 18:23 <DIR> d-------- C:\WINDOWS\Sun

2008-02-08 17:50 . 2008-02-08 17:50 664 --a------ C:\WINDOWS\system32\d3d9caps.dat

2008-02-07 17:27 . 2008-02-23 18:43 7,680 --ahs---- C:\WINDOWS\Thumbs.db

2008-02-04 16:00 . 2008-02-14 13:59 <DIR> d-------- C:\Program Files\Call of Duty Game of the Year Edition

2008-02-04 15:57 . 2008-02-04 16:07 745 --a------ C:\WINDOWS\CoD.INI

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-04 05:53 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-03-04 05:49 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype

2008-03-04 02:34 --------- d-----w C:\Program Files\Trend Micro

2008-03-03 10:26 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent

2008-03-03 09:52 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire

2008-02-27 23:22 --------- d-----w C:\Program Files\Windows Media Connect 2

2008-02-26 04:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink

2008-02-25 04:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help

2008-02-23 23:50 --------- d-----w C:\Program Files\iTunes

2008-02-23 23:49 --------- d-----w C:\Program Files\QuickTime

2008-02-23 23:49 --------- d-----w C:\Program Files\iPod

2008-02-16 08:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\Roxio

2008-02-14 02:59 --------- d-----w C:\Program Files\LimeWire

2008-02-02 22:16 --------- d-----w C:\Program Files\Java

2008-02-01 23:49 --------- d-----w C:\Program Files\Common Files\Java

2008-01-24 17:43 --------- d-----w C:\Program Files\uTorrent

2008-01-17 05:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\HP

2007-12-31 06:02 3,532 ----a-w C:\drmHeader.bin

2005-05-11 12:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll


Hi there again, have done what you asked, here are the results. Thanks ...Matt

File sleep32.dll received on 03.04.2008 07:26:17 (CET)

Result: 6/32 (18.75%)


Antivirus Version Last Update Result

AhnLab-V3 2008.3.4.0 2008.03.03 -

AntiVir 7.6.0.73 2008.03.03 -

Authentium 4.93.8 2008.03.04 -

Avast 4.7.1098.0 2008.03.04 -

AVG 7.5.0.516 2008.03.03 -

BitDefender 7.2 2008.03.03 -

CAT-QuickHeal 9.50 2008.03.03 -

ClamAV 0.92.1 2008.03.04 -

DrWeb 4.44.0.09170 2008.03.03 -

eSafe 7.0.15.0 2008.02.28 -

eTrust-Vet 31.3.5584 2008.03.03 -

Ewido 4.0 2008.03.03 -

FileAdvisor 1 2008.03.04 -

Fortinet 3.14.0.0 2008.03.04 -

F-Prot 4.4.2.54 2008.03.03 W32/Delf.B.gen!Eldorado

F-Secure 6.70.13260.0 2008.03.03 -

Ikarus T3.1.1.20 2008.03.04 -

Kaspersky 7.0.0.125 2008.03.04 -

McAfee 5243 2008.03.03 -

Microsoft 1.3301 2008.03.03 PWS:Win32/Delf.ALD

NOD32v2 2919 2008.03.04 probably a variant of Win32/PSW.Delf.AMJ

Norman 5.80.02 2008.03.03 -

Panda 9.0.0.4 2008.03.03 Suspicious file

Prevx1 V2 2008.03.04 Heuristic: Suspicious File Which Interferes With Vulnerable Files Like The HostsFile

Rising 20.34.10.00 2008.03.04 -

Sophos 4.27.0 2008.03.04 -

Sunbelt 3.0.906.0 2008.02.28 -

Symantec 10 2008.03.04 -

TheHacker 6.2.92.232 2008.03.04 -

VBA32 3.12.6.2 2008.02.27 suspected of Trojan-Spy.Banker.59 (paranoid heuristics)

VirusBuster 4.3.26:9 2008.03.03 -

Webwasher-Gateway 6.6.2 2008.03.04 -

Additional information

File size: 260608 bytes

MD5: 9eb9ef61f278fc536b1e06bdc1442d19

SHA1: 2626da202890297bbae5f435135cc65bfafd2c28

PEiD: -

Prevx info: http://info.prevx.com/aboutprogramtext.asp...E2B68001B9E9675


  • Staff

Hi Matt,

Please delete the following file:

C:\WINDOWS\system32\sleep32.dll

Next, please use the Internet Explorer browser, and do an online scan with Kaspersky Online Scanner

Note: If you have used this particular scanner before, you MAY HAVE TO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Click Yes, when prompted to install its ActiveX component.

(Note.. for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.)

The program launches and downloads the latest definition files.

  • Once the files are downloaded click on Next.
  • Click on Scan Settings and configure as follows:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK and, under Select a target to scan, select My Computer.

When the scan is done, in the Scan is completed window (below), any infection is displayed.

There is no option to clean/disinfect, however, we need to analyze the information on the report.

Kas-SaveReport-1.gif

Kas-Savetxt.gif

To obtain the report:

Click on: Save Report As (above - red blinking arrow)

Next, in the Save as prompt, Save in area, select: Desktop

In the File name area, use KScan, or something similar

In Save as type, click the drop arrow and select: Text file [*.txt]

Then, click: Save

Please post the Kaspersky Online Scanner Report in your reply.

Also... Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6u5.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • In the pull-down menu next to Platform select Windows.
  • Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u5-windowsi586-p.exe to install the newest version.

Restart your computer, post a fresh HijackThis log, and let me know what problems remain.

-screen317


Hi there, apologies for the extended reply.

Here are the logs you requested. Thanks...Matt

Number of viruses found: 7

Number of infected objects: 19

Number of suspicious objects: 0

Duration of the scan process: 01:04:26

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\~ROMFN_00000754 Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\My Documents\Downloads\Nero 8 Ultra Edition v8.0.3.1\nero8-fdb.iso/Nero PhotoShow Express/nero_photoshow_express_5_setup.exe/data0017 Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

C:\Documents and Settings\Owner\My Documents\Downloads\Nero 8 Ultra Edition v8.0.3.1\nero8-fdb.iso/Nero PhotoShow Express/nero_photoshow_express_5_setup.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

C:\Documents and Settings\Owner\My Documents\Downloads\Nero 8 Ultra Edition v8.0.3.1\nero8-fdb.iso/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

C:\Documents and Settings\Owner\My Documents\Downloads\Nero 8 Ultra Edition v8.0.3.1\nero8-fdb.iso ISOimage: infected - 3 skipped

C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\RECYCLER\S-1-5-21-1935655697-2077806209-839522115-1003\Dc5.dll Infected: Trojan-PSW.Win32.Delf.bbe skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP140\A0024313.exe/Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped

C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP140\A0024313.exe RAR: infected - 1 skipped

C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP173\A0034900.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP173\A0034900.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.iui skipped

C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP173\A0034900.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.irm skipped

C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP173\A0034900.exe/data.rar Infected: Trojan-Downloader.Win32.Small.irm skipped

C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP173\A0034900.exe RarSFX: infected - 4 skipped

C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP173\A0034901.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped

C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP173\A0034901.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.Small.iui skipped

C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP173\A0034901.exe/data.rar/serial.exe Infected: Trojan-Downloader.Win32.Small.irm skipped

C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP173\A0034901.exe/data.rar Infected: Trojan-Downloader.Win32.Small.irm skipped

C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP173\A0034901.exe RarSFX: infected - 4 skipped

C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP174\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\inf\qwetab.inf Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped

C:\WINDOWS\system32\config\OSession.evt Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\drivers\security\Mssvc.exe Infected: not-a-virus:Server-FTP.Win32.Serv-U.40 skipped

C:\WINDOWS\system32\drivers\security\service.exe Infected: not-a-virus:RiskTool.Win32.HideRun skipped

C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:31:27 PM, on 5/03/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\Program Files\Bonjour\mDNSResponder.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\WINDOWS\system32\drivers\security\services.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\WINDOWS\system32\drivers\security\mssvc.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\RUNDLL32.EXE

C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll

O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll

O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

O4 - HKLM\..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKCU\..\Run: [DAEMON Tools Pro Agent] "C:\Program Files\DAEMON Tools Pro\DTProAgent.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{6339968F-3669-498A-9BA6-653CD45217F0}: NameServer = 211.29.132.12,198.142.0.51

O17 - HKLM\System\CCS\Services\Tcpip\..\{8971FCB1-16B4-403B-AA00-19B076156F41}: NameServer = 211.29.132.12,198.142.0.51

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: Roxio UPnP Renderer 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUPnPRenderer10.exe

O23 - Service: Roxio Upnp Server 10 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 10\RoxioUpnpService10.exe

O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe

O23 - Service: RoxMediaDB10 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxMediaDB10.exe

O23 - Service: Roxio Hard Drive Watcher 10 (RoxWatch10) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxWatch10.exe

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

O23 - Service: WindowsTime - Unknown owner - C:\WINDOWS\system32\drivers\security\services.exe

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif

--

End of file - 9706 bytes

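The O23 lines in a HijackThis log are where the thread's key finding sits: a service called WindowsTime, with no recorded publisher, launching a services.exe from system32\drivers\security rather than from system32. As an added example (not code from the thread and not HijackThis's own code), the Python below parses O23 entries and raises review flags for three patterns: "Unknown owner", "(file missing)", and a core Windows binary name running outside the directory it normally lives in. The sample input is the O23 lines copied from the log above; the core-binary table with its expected directories is my own assumption for a default Windows XP install, and the flags are prompts for a human to review, not verdicts.

```python
"""Triage of HijackThis O23 (service) entries.

Added example for this thread; it is not HijackThis code.  A flag means
"look at this entry", not "this is malware".
"""

import ntpath
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: O23 lines copied from the HijackThis log posted above.
SAMPLE_O23 = r"""
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
O23 - Service: WindowsTime - Unknown owner - C:\WINDOWS\system32\drivers\security\services.exe
"""

# "O23 - Service: <display name> - <publisher> - <path>[ (file missing)]"
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Assumed table: core Windows binaries and where each is expected to live on
# a default XP install (system root C:\WINDOWS, as in the log above).
CORE_BINARIES = {
    "smss.exe": r"C:\WINDOWS\system32",
    "csrss.exe": r"C:\WINDOWS\system32",
    "winlogon.exe": r"C:\WINDOWS\system32",
    "services.exe": r"C:\WINDOWS\system32",
    "lsass.exe": r"C:\WINDOWS\system32",
    "svchost.exe": r"C:\WINDOWS\system32",
    "explorer.exe": r"C:\WINDOWS",
}


@dataclass
class ServiceEntry:
    name: str
    owner: str
    path: str
    file_missing: bool
    flags: List[str] = field(default_factory=list)


def parse_o23(text: str) -> List[ServiceEntry]:
    """Return one ServiceEntry per O23 line; other HijackThis lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("O23 "):
            continue
        m = O23_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised O23 line: {line!r}")
        entries.append(
            ServiceEntry(m["name"], m["owner"], m["path"], m["missing"] is not None)
        )
    return entries


def triage(entry: ServiceEntry) -> List[str]:
    """Attach review flags to one entry and return them (empty list = nothing odd)."""
    flags = []
    if entry.owner == "Unknown owner":
        flags.append("no publisher recorded in the file's version info")
    if entry.file_missing:
        flags.append("service points at a file that no longer exists")
    base = ntpath.basename(entry.path).lower()
    folder = ntpath.dirname(entry.path)
    expected = CORE_BINARIES.get(base)
    if expected is not None and folder.lower() != expected.lower():
        flags.append(f"{base} running from {folder} instead of {expected}")
    entry.flags = flags
    return flags


def suspicious_services(text: str) -> List[ServiceEntry]:
    """Parse a log and keep only the entries that raised at least one flag."""
    return [e for e in parse_o23(text) if triage(e)]


if __name__ == "__main__":
    for e in suspicious_services(SAMPLE_O23):
        print(f"{e.name}: {e.path}")
        for f in e.flags:
            print(f"    - {f}")
```

On the sample, PnkBstrA is flagged only for the missing publisher, SessionLauncher for the missing publisher and the missing file, and WindowsTime for the missing publisher plus a services.exe living under system32\drivers\security; that last combination is the one the helper in this thread singled out for removal.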

  • Staff

Hi Matt,

Are you using a cracked version of Nero? If so, please uninstall it immediately; cracks are one of the top sources of getting malware, and it's probably why you were infected in the first place.

Please download OTMoveIt by OldTimer.

  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\RECYCLER\S-1-5-21-1935655697-2077806209-839522115-1003\Dc5.dll
    C:\WINDOWS\system32\drivers\security\Mssvc.exe
    C:\WINDOWS\system32\drivers\security\service.exe
  • Return to OTMoveIt, right click on the "Paste Standard List Of Files/Folders to move" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Open Notepad and paste the text into a new file.
  • Save the file to the desktop as OTMoveIt.txt and post it in your next reply.
  • Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

-screen317


Hi Screen, I have followed your instructions and here are the logs. Thanks again...Matt

File/Folder C:\RECYCLER\S-1-5-21-1935655697-2077806209-839522115-1003\Dc5.dll not found.

C:\WINDOWS\system32\drivers\security\Mssvc.exe moved successfully.

C:\WINDOWS\system32\drivers\security\service.exe moved successfully.

OTMoveIt2 v1.0.20 log created on 03092008_084210


  • Staff

Hi Matt,

Hey there again, this version of Nero was on the computer when I bought it but I don't think it is cracked, is there a way I can tell?
Kaspersky detected an associated file as infected; do the following, and we'll make sure. :)

Please go to VirusTotal, and upload the following file for analysis:

C:\Documents and Settings\Owner\My Documents\Downloads\Nero 8 Ultra Edition v8.0.3.1\nero8-fdb.iso/Nero PhotoShow Express/nero_photoshow_express_5_setup.exe

Post the results in your reply.

...also could you please recommend a program (not too expensive) to "TWEAK" my system and make it a bit better performance-wise?
I'll do you one better. Let's find out what's causing the lackluster performance, and maybe we can do something about it without you having to pay for it... maybe. :)

Please register (it's free, don't worry) with PCPitStop and run the full tests here. When the tests are complete, a results page will pop up. Click "Share these results with TechExpress" on the left-hand side. Then copy the URL provided and post it here for me.

-screen317


Hi Screen, also PC Pitstop results found a "backdoor trojan" in the windows\system32\driver\security\services.exe file, so I scanned it with VirusTotal and the results were:

File services.exe received on 03.09.2008 09:05:00 (CET)


Result: 5/32 (15.63%)


Antivirus Version Last Update Result

AhnLab-V3 2008.3.4.0 2008.03.07 -

AntiVir 7.6.0.73 2008.03.07 -

Authentium 4.93.8 2008.03.07 -

Avast 4.7.1098.0 2008.03.08 Win32:Trojan-gen {VC}

AVG 7.5.0.516 2008.03.08 -

BitDefender 7.2 2008.03.09 -

CAT-QuickHeal 9.50 2008.03.08 Tool.XYNTService.c (Not a Virus)

ClamAV 0.92.1 2008.03.09 -

DrWeb 4.44.0.09170 2008.03.08 Tool.Starter

eSafe 7.0.15.0 2008.03.06 -

eTrust-Vet 31.3.5597 2008.03.07 -

Ewido 4.0 2008.03.08 -

FileAdvisor 1 2008.03.09 -

Fortinet 3.14.0.0 2008.03.08 -

F-Prot 4.4.2.54 2008.03.08 -

F-Secure 6.70.13260.0 2008.03.08 -

Ikarus T3.1.1.20 2008.03.09 Win32.SuspectCrc

Kaspersky 7.0.0.125 2008.03.09 -

McAfee 5247 2008.03.07 -

Microsoft 1.3301 2008.03.07 -

NOD32v2 2932 2008.03.09 -

Norman 5.80.02 2008.03.07 -

Panda 9.0.0.4 2008.03.08 -

Prevx1 V2 2008.03.09 Generic.Malware

Rising 20.34.52.00 2008.03.08 -

Sophos 4.27.0 2008.03.09 -

Sunbelt 3.0.930.0 2008.03.05 -

Symantec 10 2008.03.09 -

TheHacker 6.2.92.238 2008.03.08 -

VBA32 3.12.6.2 2008.03.05 -

VirusBuster 4.3.26:9 2008.03.08 -

Webwasher-Gateway 6.6.2 2008.03.09 -

Additional information

File size: 53760 bytes

MD5: ea2e9e72f5bc8ac2549b325a757d321d

SHA1: 82968811c3329c44edf796acaaf3f04618f99d97

PEiD: InstallShield 2000

Prevx info: http://info.prevx.com/aboutprogramtext.asp...8CB6700B3F5FF02

ATTENTION: VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.

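A multi-engine result like the one above is read by counting how many engines returned something other than "-", and by separating names that mean "malware" from names that mean "tool/riskware" or "heuristic guess". As an added example (not code from the thread, VirusTotal or Malwarebytes), the Python below parses the plain-text vendor listing, recomputes the "5/32 (15.63%)" ratio and buckets the detection names. The sample input is the vendor listing copied from the services.exe report above; the keyword lists used for bucketing are my own assumption and are only a first-pass triage aid.

```python
"""Parse a pasted VirusTotal vendor listing and recompute the detection ratio.

Added example for this thread; not VirusTotal's or Malwarebytes' code.
"""

import re
from dataclasses import dataclass
from decimal import ROUND_HALF_UP, Decimal
from typing import Dict, List, Tuple

# Constructed sample: the vendor/result lines copied from the services.exe
# report above (vendor, engine version, signature date, result).
SAMPLE_REPORT = """
AhnLab-V3 2008.3.4.0 2008.03.07 -
AntiVir 7.6.0.73 2008.03.07 -
Authentium 4.93.8 2008.03.07 -
Avast 4.7.1098.0 2008.03.08 Win32:Trojan-gen {VC}
AVG 7.5.0.516 2008.03.08 -
BitDefender 7.2 2008.03.09 -
CAT-QuickHeal 9.50 2008.03.08 Tool.XYNTService.c (Not a Virus)
ClamAV 0.92.1 2008.03.09 -
DrWeb 4.44.0.09170 2008.03.08 Tool.Starter
eSafe 7.0.15.0 2008.03.06 -
eTrust-Vet 31.3.5597 2008.03.07 -
Ewido 4.0 2008.03.08 -
FileAdvisor 1 2008.03.09 -
Fortinet 3.14.0.0 2008.03.08 -
F-Prot 4.4.2.54 2008.03.08 -
F-Secure 6.70.13260.0 2008.03.08 -
Ikarus T3.1.1.20 2008.03.09 Win32.SuspectCrc
Kaspersky 7.0.0.125 2008.03.09 -
McAfee 5247 2008.03.07 -
Microsoft 1.3301 2008.03.07 -
NOD32v2 2932 2008.03.09 -
Norman 5.80.02 2008.03.07 -
Panda 9.0.0.4 2008.03.08 -
Prevx1 V2 2008.03.09 Generic.Malware
Rising 20.34.52.00 2008.03.08 -
Sophos 4.27.0 2008.03.09 -
Sunbelt 3.0.930.0 2008.03.05 -
Symantec 10 2008.03.09 -
TheHacker 6.2.92.238 2008.03.08 -
VBA32 3.12.6.2 2008.03.05 -
VirusBuster 4.3.26:9 2008.03.08 -
Webwasher-Gateway 6.6.2 2008.03.09 -
"""

# vendor, version and date are single tokens; the result is whatever follows.
LINE_RE = re.compile(
    r"^(?P<vendor>\S+)\s+(?P<version>\S+)\s+(?P<updated>\d{4}\.\d{2}\.\d{2})\s+(?P<result>.+)$"
)
# Assumed keyword buckets (my own, not VirusTotal's): checked in this order.
RISKWARE_MARKERS = ("not a virus", "not-a-virus", "tool.", "risktool")
HEURISTIC_MARKERS = ("suspect", "suspicious", "heuristic")


@dataclass
class VendorResult:
    vendor: str
    version: str
    updated: str
    result: str  # "" when the engine reported "-" (nothing found)

    @property
    def detected(self) -> bool:
        return self.result != ""


def parse_report(text: str) -> List[VendorResult]:
    """Turn the pasted listing into one VendorResult per engine line."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised line: {line!r}")
        result = m["result"].strip()
        rows.append(VendorResult(m["vendor"], m["version"], m["updated"],
                                 "" if result == "-" else result))
    return rows


def detection_ratio(rows: List[VendorResult]) -> Tuple[int, int, str]:
    """(hits, total, 'hits/total (pct%)'); half-up rounding reproduces VT's 15.63%."""
    hits = sum(1 for r in rows if r.detected)
    total = len(rows)
    pct = Decimal(hits * 100) / Decimal(total) if total else Decimal(0)
    pct = pct.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)
    return hits, total, f"{hits}/{total} ({pct}%)"


def classify(row: VendorResult) -> str:
    """Bucket one engine's verdict: clean, riskware, heuristic or detection."""
    name = row.result.lower()
    if not name:
        return "clean"
    if any(k in name for k in RISKWARE_MARKERS):
        return "riskware"
    if any(k in name for k in HEURISTIC_MARKERS):
        return "heuristic"
    return "detection"


def summarize(rows: List[VendorResult]) -> Dict[str, int]:
    """Count engines per bucket."""
    counts = {"clean": 0, "riskware": 0, "heuristic": 0, "detection": 0}
    for r in rows:
        counts[classify(r)] += 1
    return counts


if __name__ == "__main__":
    rows = parse_report(SAMPLE_REPORT)
    print(detection_ratio(rows)[2], summarize(rows))
```

Two of the five hits on this sample are "Tool" verdicts (QuickHeal and DrWeb) and one is a CRC-based suspicion (Ikarus), which is why the ratio alone is a weak signal and the thread goes on to submit the file for a manual look; the half-up rounding in `detection_ratio` is needed because Python's default float formatting would print 15.625 as 15.62.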

  • Staff

Hi Matt,

Please go to this website, and complete the form as follows:

Link to topic where this file was requested: http://www.malwarebytes.org/forums/index.p...amp;#entry14285

Browse to the file you want to submit:

Click Browse, and navigate to the following file:

C:\WINDOWS\system32\driver\security\services.exe

Leave any comments, further information about this file, or contact information: From screen317; identified as a backdoor by PCPitStop.

Next, please download Dr.Web CureIt to your Desktop.

Run Dr.Web CureIt as follows:

  • Double-click the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found: check.gif
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in the next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply. You can use Notepad to open the DrWeb.csv report.

-screen317


Hey Screen, done what you have asked and the log is as follows. Thanks mate...Matt

A0034906.bat;C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP173;Probably BATCH.Virus;Incurable.Moved.;

A0034912.bat;C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP173;Probably SCRIPT.Virus;Incurable.Moved.;

A0035014.bat;C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP173;Probably BATCH.Virus;Incurable.Moved.;

A0035021.bat;C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP173;Probably SCRIPT.Virus;Incurable.Moved.;

A0039862.dll;C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP193;Trojan.PWS.Club.origin;Incurable.Moved.;

A0040449.dll;C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP194;Adware.SaveNow.124;Incurable.Moved.;

A0040450.exe;C:\System Volume Information\_restore{F681A544-FDC4-480B-922B-5179769293F6}\RP194;Tool.Starter;Incurable.Moved.;

Mssvc.exe;C:\_OTMoveIt\MovedFiles\03092008_084210\WINDOWS\system32\drivers\security;BackDoor.Servu.4004;Deleted.;

service.exe;C:\_OTMoveIt\MovedFiles\03092008_084210\WINDOWS\system32\drivers\security;Tool.HideApp;Incurable.Moved.;


  • Staff

Hi Matt,

  • Please double-click OTMoveIt.exe to run it.
  • Copy the file path below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    C:\Documents and Settings\Owner\DoctorWeb
  • Return to OTMoveIt, right click on the "Paste Standard List Of Files/Folders to move" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy).
  • Open Notepad and paste the text into a new file.
  • Save the file to the desktop as OTMoveIt.txt and post it in your next reply.
  • Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

Next, navigate to Start --> Run, and type Combofix /u in the box that appears. Click OK afterwards. Notice the space between the X and the /u.

This uninstalls all of ComboFix's components.

Next, double click OTMoveIt.exe.

  • Click the CleanUp! button.
  • Select Yes when the "Begin cleanup Process?" prompt appears.
  • If you are prompted to Reboot during the cleanup, select Yes.
  • The tool will delete itself once it finishes.

Note: If you receive a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, please allow it to do so.

Post a fresh HijackThis log, and let me know what problems remain. :)

-screen317


OMG Screen! After I followed your instructions the system rebooted and it was like a fresh version of Windows went on; all my settings were lost, so I restarted and it said error in the services.exe file and restarted again, and it seems to be okay (hopefully). I did a fresh HJT; here are the logs you requested...Matt

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:33:06 PM, on 12/03/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Internet Explorer\iexplore.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll

O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll

O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

O4 - HKLM\..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot

O4 - HKLM\..\Run: [PCPitstop Optimize Registration Reminder] C:\Program Files\PCPitstop\Optimize\Reminder.exe

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{6339968F-3669-498A-9BA6-653CD45217F0}: NameServer = 211.29.132.12,198.142.0.51

O17 - HKLM\System\CCS\Services\Tcpip\..\{8971FCB1-16B4-403B-AA00-19B076156F41}: NameServer = 211.29.132.12,198.142.0.51

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif

--

End of file - 9080 bytes

C:\Documents and Settings\Owner\DoctorWeb\Quarantine moved successfully.

C:\Documents and Settings\Owner\DoctorWeb moved successfully.

OTMoveIt2 v1.0.20 log created on 03122008_122045


Hey Screen, please help! I can't use my computer without this message popping up on reboot: "Services and Controller app has encountered a problem and needs to close. Sorry for the inconvenience." When I click "Don't send error report", another pop-up box comes up saying the computer will shut down in 60 seconds and to save what I was doing. Please help...Matt


  • Staff

Hi Matt,

Whenever the "computer will shut down in 60 seconds" box appears, navigate to Start --> Run, and type in the following command:

shutdown -a

Please download Combofix by sUBs.

1. Save it to your Desktop.

2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log, as well as a fresh HijackThis log, in your next reply.

-screen317


Hi Screen, firstly sorry about all the spelling errors in my last reply. I have downloaded and run the ComboFix and HijackThis programs, and the logs are posted. Thanks mate..Matt

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 7:16:00 PM, on 12/03/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

C:\WINDOWS\system32\userinit.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

C:\Program Files\Microsoft IntelliType Pro\itype.exe

C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

C:\WINDOWS\system32\RUNDLL32.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

C:\WINDOWS\system32\HPZipm12.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\WINDOWS\system32\PnkBstrB.exe

C:\WINDOWS\system32\svchost.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://au.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll

O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O2 - BHO: IEPlugin Class - {CF7C3CF0-4B15-11D1-ABED-709549C10000} - C:\Program Files\Advanced System Optimizer\IEHelper.dll

O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_1.dll

O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [nwiz] nwiz.exe /install

O4 - HKLM\..\Run: [pccguide.exe] C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe

O4 - HKLM\..\Run: [itype] C:\Program Files\Microsoft IntelliType Pro\itype.exe

O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe

O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/resources/MSNPUpld.cab

O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/Facebo...toUploader3.cab

O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab

O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll

O17 - HKLM\System\CCS\Services\Tcpip\..\{6339968F-3669-498A-9BA6-653CD45217F0}: NameServer = 211.29.132.12,198.142.0.51

O17 - HKLM\System\CCS\Services\Tcpip\..\{8971FCB1-16B4-403B-AA00-19B076156F41}: NameServer = 211.29.132.12,198.142.0.51

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\Logitech\SrvLnch\SrvLnch.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe

O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe

O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)

O23 - Service: ServiceLayer - Nokia. - C:\Program Files\Common Files\PCSuite\Services\ServiceLayer.exe

O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)

O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe

O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe

O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/Owner/LOCALS~1/Temp/msohtmlclip1/01/clip_image001.gif

--

End of file - 8778 bytes

ComboFix 08-03-10.1 - Owner 2008-03-12 18:42:07.3 - NTFSx86

Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1454 [GMT 11:00]

Running from: C:\Documents and Settings\Owner\My Documents\ComboFix.exe

* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

.

((((((((((((((((((((((((( Files Created from 2008-02-12 to 2008-03-12 )))))))))))))))))))))))))))))))

.

2008-03-12 09:14 . 2008-03-12 09:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PCPitstop

2008-03-09 19:40 . 2008-03-09 19:42 <DIR> d-------- C:\WINDOWS\NV22523428.TMP

2008-03-09 19:40 . 2007-12-10 14:24 159,458 --a------ C:\WINDOWS\system32\nvapps.nvb

2008-03-09 19:39 . 2008-03-09 19:39 <DIR> d-------- C:\NVIDIA

2008-03-09 19:13 . 2008-03-12 09:32 <DIR> d-------- C:\Program Files\PCPitstop

2008-03-07 10:09 . 2008-03-07 10:09 <DIR> d-------- C:\Program Files\Auslogics

2008-03-07 10:09 . 2008-03-07 10:11 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Auslogics

2008-03-05 20:27 . 2008-03-05 20:27 <DIR> d-------- C:\Program Files\Common Files\Java

2008-03-05 20:27 . 2008-02-22 02:33 69,632 --------- C:\WINDOWS\system32\javacpl.cpl

2008-03-05 18:30 . 2008-03-05 18:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-03-05 18:30 . 2008-03-05 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-03-04 16:13 . 2008-03-04 16:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware

2008-03-04 16:13 . 2008-03-04 16:13 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Malwarebytes

2008-03-04 16:13 . 2008-03-04 16:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-03-04 16:10 . 2008-03-04 16:12 <DIR> d-------- C:\HJT

2008-03-03 20:46 . 2008-03-03 20:46 <DIR> d-------- C:\Program Files\Common Files\Skype

2008-03-03 20:46 . 2008-03-07 22:51 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\skypePM

2008-03-03 20:46 . 2008-03-03 20:46 32 --a------ C:\Documents and Settings\All Users\Application Data\ezsid.dat

2008-03-03 20:17 . 2008-03-10 18:53 <DIR> d--hs---- C:\WINDOWS\system32\drivers\security

2008-02-28 19:13 . 2008-03-03 21:25 <DIR> d-------- C:\Program Files\MagicISO

2008-02-28 19:06 . 2008-03-09 09:17 <DIR> d-------- C:\Program Files\Advanced System Optimizer

2008-02-28 10:10 . 2006-02-28 23:00 221,184 --------- C:\WINDOWS\system32\wmpns.dll

2008-02-28 10:10 . 2008-02-28 16:06 23,392 --------- C:\WINDOWS\system32\nscompat.tlb

2008-02-28 10:10 . 2008-02-28 16:06 16,832 --------- C:\WINDOWS\system32\amcompat.tlb

2008-02-28 09:07 . 2008-02-28 09:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems

2008-02-28 09:04 . 2008-02-28 09:04 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared

2008-02-28 09:03 . 2008-02-28 09:03 <DIR> d-------- C:\WINDOWS\system32\Adobe

2008-02-28 09:03 . 2004-08-17 10:40 16,384 --------- C:\WINDOWS\system32\FileOps.exe

2008-02-28 08:40 . 2008-02-28 08:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DAEMON Tools Pro

2008-02-28 08:39 . 2008-03-10 18:53 <DIR> d-------- C:\Program Files\DAEMON Tools Pro

2008-02-28 08:39 . 2008-02-28 08:40 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\DAEMON Tools Pro

2008-02-23 11:38 . 2008-03-03 19:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet

2008-02-22 14:03 . 2008-03-09 09:07 <DIR> d-------- C:\Program Files\Common Files\Adobe

2008-02-19 18:23 . 2008-02-19 18:23 <DIR> d-------- C:\WINDOWS\Sun

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-03-12 03:01 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys

2008-03-12 03:01 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe

2008-03-12 01:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help

2008-03-11 22:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\uTorrent

2008-03-07 14:47 --------- d-----w C:\Documents and Settings\Owner\Application Data\Skype

2008-03-06 22:40 --------- d-----w C:\Program Files\Roxio

2008-03-06 22:33 --------- d-----w C:\Program Files\Common Files\Roxio Shared

2008-03-06 21:44 --------- d-----w C:\Program Files\Common Files\Sonic Shared

2008-03-06 21:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\Roxio

2008-03-05 09:27 --------- d-----w C:\Program Files\Java

2008-03-05 02:50 --------- d-----w C:\Program Files\LimeWire

2008-03-05 02:46 --------- d-----w C:\Documents and Settings\Owner\Application Data\LimeWire

2008-03-04 02:34 --------- d-----w C:\Program Files\Trend Micro

2008-02-27 23:22 --------- d-----w C:\Program Files\Windows Media Connect 2

2008-02-26 04:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink

2008-02-23 23:50 --------- d-----w C:\Program Files\iTunes

2008-02-23 23:49 --------- d-----w C:\Program Files\QuickTime

2008-02-23 23:49 --------- d-----w C:\Program Files\iPod

2008-02-16 08:16 --------- d-----w C:\Documents and Settings\Owner\Application Data\Roxio

2008-02-14 02:59 --------- d-----w C:\Program Files\Call of Duty Game of the Year Edition

2008-01-24 17:43 --------- d-----w C:\Program Files\uTorrent

2008-01-17 05:07 --------- d-----w C:\Documents and Settings\Owner\Application Data\HP

2007-12-31 06:02 3,532 ----a-w C:\drmHeader.bin

2005-05-11 12:36 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 23:00 15360]

"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-04-14 16:56 1957888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 01:41 8523776]

"nwiz"="nwiz.exe" [2007-12-05 01:41 1626112 C:\WINDOWS\system32\nwiz.exe]

"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe" [2006-04-03 22:43 897089]

"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2006-07-08 10:14 576320]

"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 13:10 267048]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-12-05 01:41 81920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2006-02-28 23:00 15360]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]

LMIinit.dll 2007-05-25 15:22 63040 C:\WINDOWS\system32\LMIinit.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\ipoint.exe"

"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"

"itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe"

"LogitechCommunicationsManager"="C:\Program Files\Common Files\Logitech\LComMgr\Communications_Helper.exe"

"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide

"Gainward"=C:\Program Files\XpertVision\TBPanel.exe /A

"RTHDCPL"=RTHDCPL.EXE

"Alcmtr"=ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendAntiVirus]

"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\TrendFirewall]

"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"C:\\Program Files\\uTorrent\\uTorrent.exe"=

"C:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"C:\\Call of Duty Game of the Year Edition\\CoDMP.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqtra08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqste08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpofxm08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposfx08.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hposid01.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqscnvw.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqkygrp.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpqCopy.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpfccopy.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpzwiz01.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqPhUnl.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\Unload\\HpqDIA.exe"=

"C:\\Program Files\\HP\\Digital Imaging\\bin\\hpoews01.exe"=

"C:\\Program Files\\BitLord\\BitLord.exe"=

"C:\\Program Files\\iTunes\\iTunes.exe"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

.

Contents of the 'Scheduled Tasks' folder

"2008-02-28 09:57:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"

- C:\Program Files\Apple Software Update\SoftwareUpdate.exe

.

**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-03-12 18:45:42

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\qwetab]

"ImagePath"="\??\C:\WINDOWS\inf\qwetab.inf"

.

Completion time: 2008-03-12 19:09:42

.

2008-03-12 01:38:43 --- E O F ---

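The entries a helper reads first in the logs above are the O23 service lines (a service with no publisher, a service pointing at a file that no longer exists, a service launched from a user-writable temp directory such as the SessionLauncher entry), the O17 NameServer values (which only tell you something once compared with the resolvers the ISP or DHCP actually hands out), and, in the ComboFix output, the qwetab service whose ImagePath is a .inf file rather than an executable. The script below is an added example that applies those checks mechanically to a few lines copied from the posted logs; it is not a tool from this thread or from HijackThis/ComboFix, and the severities, the regexes and the expected-resolver list passed in are this example's own assumptions:

```python
"""Triage helper for HijackThis / ComboFix style logs.

Added example for this thread, not a tool from the original posts.  It
applies the checks a removal helper does by eye: services that run from
a temp directory, orphaned service entries, services with no publisher
information, DNS resolvers that differ from the expected ones (O17), and
a registry ImagePath that is not an executable at all.  The severities
and the sample lines below are this example's own choices.
"""
import re

# Constructed sample, modelled on entries that appear in the logs posted above.
SAMPLE_LOG = r'''
O17 - HKLM\System\CCS\Services\Tcpip\..\{6339968F-3669-498A-9BA6-653CD45217F0}: NameServer = 211.29.132.12,198.142.0.51
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: LiveShare P2P Server 10 (RoxLiveShare10) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\10.0\SharedCOM\RoxLiveShare10.exe (file missing)
O23 - Service: SessionLauncher - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\DX9\SessionLauncher.exe (file missing)
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\qwetab]
"ImagePath"="\??\C:\WINDOWS\inf\qwetab.inf"
'''

O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - '
                    r'(?P<path>.+?)(?P<missing> \(file missing\))?$')
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>[\d.,]+)$')
IMAGEPATH_RE = re.compile(r'^"ImagePath"="(?P<path>.*)"$')
TEMP_DIR_RE = re.compile(r'\\(temp|tmp)\\', re.IGNORECASE)
SERVICE_EXTS = ('.exe', '.sys')


def triage(log_text, expected_nameservers=()):
    """Return (severity, reason, line) tuples, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = O23_RE.match(line)
        if m:
            name, owner, path = m['name'], m['owner'], m['path']
            if TEMP_DIR_RE.search(path):
                # A service binary in a user-writable temp directory is a
                # dropper pattern; a normal installer does not leave it there.
                findings.append(('HIGH', f'service {name!r} runs from a temp directory', line))
            elif m['missing']:
                # Orphaned entry: nothing runs, but it is clean-up material.
                findings.append(('LOW', f'service {name!r} points at a missing file (orphaned entry)', line))
            elif owner == 'Unknown owner':
                # No company name in the version info; verify the file by hash/signature.
                findings.append(('REVIEW', f'service {name!r} has no publisher in its version info', line))
            continue

        m = O17_RE.match(line)
        if m:
            servers = m['servers'].split(',')
            unexpected = [s for s in servers if s not in expected_nameservers]
            if unexpected:
                # Only meaningful against the resolvers the ISP/DHCP really assigns.
                findings.append(('REVIEW', 'NameServer not in expected resolver list: ' + ', '.join(unexpected), line))
            continue

        m = IMAGEPATH_RE.match(line)
        if m:
            path = m['path']
            if path.startswith('\\??\\'):      # NT object-manager prefix
                path = path[4:]
            if not path.lower().endswith(SERVICE_EXTS):
                # A service whose image is an .inf (or anything else that is
                # not a PE executable) is not how legitimate software installs.
                findings.append(('HIGH', 'service ImagePath is not an .exe/.sys: ' + path, line))
            elif TEMP_DIR_RE.search(path):
                findings.append(('HIGH', 'service ImagePath is in a temp directory: ' + path, line))
    return findings


if __name__ == '__main__':
    # Assumption: the two resolvers in the posted log are the ISP's own.
    for severity, reason, line in triage(SAMPLE_LOG, ('211.29.132.12', '198.142.0.51')):
        print(f'[{severity}] {reason}\n    {line}')
```

With the two resolvers from the log passed as expected, the sample yields four findings: PnkBstrA for review, RoxLiveShare10 as an orphan, SessionLauncher as high (temp directory), and qwetab as high (.inf ImagePath); leave the expected list empty and the O17 line is flagged for review as well. None of this replaces looking at the file itself, but it is the same ordering of attention a helper applies when reading a log of this length.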

  • Staff

Hi Matt,

Are you still receiving the "computer will shut down in 60 seconds" box? If so, when did this begin happening (specifically, after which step)?

Please download F-Secure's Blacklight from here

  • Save it to your Desktop
  • Double-click blbeta.exe then accept the agreement.
  • click > scan then > next,
  • You'll see a list of all items found.
  • Don't choose rename yet! I want to see the log first, because legitimate items can also be present there...
  • There should also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
  • Post the contents of the log in your next reply.

-screen317


Yep mate, done that. The log is...

Cheers mate..Matt

03/13/08 16:48:38 [info]: BlackLight Engine 1.0.67 initialized

03/13/08 16:48:38 [info]: OS: 5.1 build 2600 (Service Pack 2)

03/13/08 16:48:38 [Note]: 7019 4

03/13/08 16:48:38 [Note]: 7005 0

03/13/08 16:48:40 [Note]: 7006 0

03/13/08 16:48:40 [Note]: 7011 1448

03/13/08 16:48:40 [Note]: 7026 0

03/13/08 16:48:40 [Note]: 7026 0

03/13/08 16:48:41 [Note]: FSRAW library version 1.7.1024

03/13/08 16:50:59 [Note]: 2000 1012

03/13/08 16:50:59 [Note]: 2000 1012

03/13/08 16:52:13 [Note]: 7007 0

This topic is now closed to further replies.