
Fake "Security Centre" rears its head again



UH OH!

IIIIIIIT'S BAAAAAACK!!!!!

I kid you not.......................

The PC had been behaving itself very well over the last couple of days (since deletion of that offending .dll file). A couple of hours ago I left it alone to go outside and do some work around the house; I have just switched it back on and... lo and behold... it booted up with the fake "Windows Security Centre" again!!!

The NOD32 antivirus is still working. Everything else is still working. The only new software installed apart from what has been instructed was the very latest version of Flashplayer from the recommended website (that was a day or 2 ago because I needed it). System resources are fine at the moment and it is running things at normal speed.

My web access today has been no different to any other day. Trusted websites (if there is such a thing) I've been using for quite a while now. Nothing unusual has downloaded or happened. In fact, most web access has been on my uninfected laptop and it's still fine.

This is getting very, very weird. It is similar to what happened when I first posted, except that instead of the malware remnants apparently fixing themselves after a couple of weeks, it has managed to repair itself after a couple of days!

There it is, "Windows Security Centre", sitting down in the system tray, laughing its head off at me, sending its "virus activity detected" popups whenever I switch web pages. I'm also back to the popup threats that the system will be shut down while the virus scan is running, etc, etc, etc. I'm not particularly amused. I'm going to go out on a limb here and try a Panda scan again, while the system is still running OK.



  • Root Admin

Well now - isn't that a joy.

Please update MB and do a Quick Scan. Then run the Deckard's scan again and post both logs and we'll see what we can find.

You should also install this product to help prevent future infections. SpywareBlaster 4.0 Download

Get all the updates and apply ALL the protection settings.


OK I'll install the SpywareBlaster.

An interesting turn of events happened while I was following the above instructions:

1. A Panda scan was running.

2. When I saw your reply, I immediately updated Malwarebytes and ran it, and saved the log. It detected new malware, as you'll see in the log, which required a reboot to fix. I selected not to do the reboot, because I wanted to run the Deckard's straight away.

3. While the Deckard's was running, the system went into its uncontrollable "shutdown" mode, as was happening before with this malware and a Panda scan running. This prevented the Deckard's from completing.

4. Upon rebooting, the "Windows Security Centre" did not start, presumably because the reboot ran the fix determined by Malwarebytes. So the system seems to be running normally again! (but for how long??)

Here are the Malwarebytes (pre-reboot) and Deckard's (post-reboot) logs:

Malwarebytes' Anti-Malware 1.12

Database version: 779

Scan type: Quick Scan

Objects scanned: 42030

Time elapsed: 8 minute(s), 15 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

C:\WINDOWS\system32\xfxwjdol.dll (Trojan.FakeAlert) -> No action taken.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xfxwjdol (Trojan.FakeAlert) -> No action taken.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\xfxwjdol.dll (Trojan.FakeAlert) -> No action taken.

Deckard's System Scanner v20071014.68

Run by Mike&Sarah on 2008-05-23 18:21:59

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- HijackThis (run as Mike&Sarah.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 6:22:11 PM, on 23/05/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

D:\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\RTHDCPL.EXE

D:\Maxtor\OneTouch\utils\Onetouch.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

D:\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe

C:\Program Files\Windows Defender\MSASCui.exe

D:\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

D:\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\hasplms.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Documents and Settings\Mike&Sarah\Desktop\dss.exe

C:\WINDOWS\system32\wuauclt.exe

D:\Computer\MIKE&S~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll

O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [egui] "D:\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://qvpn.qantas.com.au/postauthI/epi.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - D:\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: MaxBackServiceInt - Unknown owner - D:\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

O23 - Service: NBService - Nero AG - D:\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: MaxSyncService (NTService1) - - D:\Maxtor\OneTouch\Utils\SyncServices.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 9405 bytes

-- Files created between 2008-04-23 and 2008-05-23 -----------------------------

2008-05-23 18:19:31 0 dr-h----- C:\Documents and Settings\Mike&Sarah\Recent

2008-05-17 19:51:53 6528 -r-h----t C:\Documents and Settings\Mike&Sarah\Backup Status

2008-05-17 18:30:46 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET

2008-05-17 17:31:11 0 dr------- C:\Documents and Settings\NetworkService\Favorites

2008-05-17 10:38:04 19968 --a------ C:\WINDOWS\system32\cpuinf32.dll

2008-05-17 10:38:04 0 d-------- C:\Program Files\Interapple

2008-05-17 10:37:11 0 d-------- C:\Documents and Settings\Administrator\WINDOWS

2008-05-17 10:22:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-05-17 10:22:58 0 d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-05-16 17:53:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

2008-05-16 16:21:52 0 d-------- C:\Program Files\EsetOnlineScanner

2008-05-16 15:08:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Orbit

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Templates

2008-05-16 15:00:19 0 dr------- C:\Documents and Settings\Administrator\Start Menu

2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\SendTo

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Recent

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\PrintHood

2008-05-16 15:00:19 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\NetHood

2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\My Documents

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Local Settings

2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Favorites

2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Desktop

2008-05-16 15:00:19 0 d--hs---- C:\Documents and Settings\Administrator\Cookies

2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\Application Data

2008-05-16 15:00:19 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft

2008-04-29 17:19:08 45568 --a------ C:\WINDOWS\system32\WNDTLS32.DLL <Not Verified; DBS GmbH, Bremen-Germany; TX Text-Control>

2008-04-29 17:19:08 64000 --a------ C:\WINDOWS\system32\TXTLS32.DLL <Not Verified; DBS GmbH; TX Text-Control>

2008-04-29 17:19:08 250880 --a------ C:\WINDOWS\system32\TX32.DLL

2008-04-29 17:19:05 0 d-------- C:\acrsk

2008-04-29 09:05:38 0 d-------- C:\Program Files\Hiro-Media

2008-04-29 09:05:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media

2008-04-25 08:23:30 0 dr------- C:\Documents and Settings\LocalService\Favorites

2008-04-24 16:34:20 0 d-------- C:\cmdcons

2008-04-24 15:24:47 0 d-------- C:\Program Files\Windows Defender

2008-04-24 15:21:11 0 d-------- C:\Program Files\Panda Security

2008-04-24 14:49:23 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>

2008-04-24 14:41:36 68096 --a------ C:\WINDOWS\zip.exe

2008-04-24 14:41:36 49152 --a------ C:\WINDOWS\VFind.exe

2008-04-24 14:41:36 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>

2008-04-24 14:41:36 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>

2008-04-24 14:41:36 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>

2008-04-24 14:41:36 98816 --a------ C:\WINDOWS\sed.exe

2008-04-24 14:41:36 80412 --a------ C:\WINDOWS\grep.exe

2008-04-24 14:41:36 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >

2008-04-24 14:11:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes

2008-04-24 14:11:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-04-24 12:52:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-04-24 12:51:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

-- Find3M Report ---------------------------------------------------------------

2008-05-23 18:21:41 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Skype

2008-05-22 11:17:21 278 --a------ C:\053347d72ebcd5e.dat

2008-05-22 00:37:41 0 d-------- C:\Program Files\Microsoft Silverlight

2008-05-18 09:00:06 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Adobe

2008-05-17 18:00:35 0 d-------- C:\Program Files\Common Files\Symantec Shared

2008-05-17 17:39:14 0 d-------- C:\Program Files\Common Files

2008-05-16 20:20:42 0 d-------- C:\Program Files\Logitech

2008-05-16 16:07:06 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Orbit

2008-05-16 15:45:48 0 d-------- C:\Program Files\QuickTime

2008-05-16 15:13:35 0 d-------- C:\Program Files\Common Files\Macromedia

2008-05-02 13:41:36 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Macromedia

2008-04-25 09:29:26 356 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\preferences.xml

2008-04-25 09:29:13 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson

2008-04-24 15:47:17 0 d-------- C:\Program Files\Common Files\Autodesk Shared

2008-04-24 12:38:48 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft

2008-04-22 18:22:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Real

2008-04-16 14:18:37 0 d-------- C:\Program Files\Canon

2008-04-09 21:04:22 0 d-------- C:\Program Files\Common Files\SureThing Shared

2008-04-09 17:47:17 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley

2008-04-09 17:43:42 0 d-------- C:\Program Files\Gabest

2008-04-09 17:41:26 0 d-------- C:\Program Files\URLSnooper2

2008-04-09 17:40:02 0 d-------- C:\Program Files\Common Files\Canopus Shared

2008-04-09 17:40:01 0 d--h----- C:\Program Files\InstallShield Installation Information

2008-04-09 17:39:21 0 d-------- C:\Program Files\Common Files\Snell & Wilcox Shared

2008-04-09 17:39:07 0 d-------- C:\Program Files\Common Files\Grass Valley

2008-04-09 14:15:50 556 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\AutoGK.ini

2008-04-09 14:01:09 0 d-------- C:\Program Files\Orbitdownloader

2008-04-09 13:52:44 46 --a------ C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat

2008-04-09 13:52:44 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder

2008-04-03 11:52:48 0 d-------- C:\Program Files\Common Files\Adobe

2008-04-03 11:51:38 0 d-------- C:\Program Files\Common Files\Macrovision Shared

2008-03-31 15:52:15 0 d-------- C:\Program Files\LCDHype

2008-03-31 15:44:01 0 d-------- C:\Program Files\DIFX

2008-03-31 15:44:00 0 d-------- C:\Program Files\Common Files\Ulead Systems

2008-03-31 15:43:37 0 d-------- C:\Program Files\Common Files\Aladdin Shared

2008-03-31 15:43:24 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11

2008-03-31 15:43:01 0 d-------- C:\Program Files\Chief Architect Inc

2008-03-31 14:58:24 0 d-------- C:\Program Files\Microsoft Works

2008-03-31 14:58:14 0 d-------- C:\Program Files\MSBuild

2008-03-31 14:57:10 0 d-------- C:\Program Files\Microsoft.NET

2008-03-31 14:54:14 0 d-------- C:\Program Files\Microsoft Visual Studio 8

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [09/02/2004 02:03 PM]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [20/09/2006 10:27 PM]

"CTxfiHlp"="CTXFIHLP.EXE" [11/08/2006 01:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [13/02/2006 11:05 PM]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [13/02/2006 11:05 PM]

"RTHDCPL"="RTHDCPL.EXE" [30/10/2006 07:49 PM C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [16/05/2006 06:04 PM C:\WINDOWS\SkyTel.exe]

"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [27/03/2006 03:04 PM]

"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [17/10/2005 04:24 PM]

"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 05:17 PM]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [09/03/2007 06:53 PM]

"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [25/07/2007 03:02 PM]

"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [25/07/2007 03:06 PM]

"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 06:00 AM]

"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [26/03/2007 05:45 PM]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 07:20 PM]

"egui"="D:\ESET NOD32 Antivirus\egui.exe" [13/03/2008 04:48 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Start WingMan Profiler"="" []

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [12/03/2007 01:49 PM]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [30/03/2007 01:34 PM]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

"HideLegacyLogonScripts"=0 (0x0)

"HideLogoffScripts"=0 (0x0)

"RunLogonScriptSync"=1 (0x1)

"RunStartupScriptSync"=0 (0x0)

"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"HideLegacyLogonScripts"=0 (0x0)

"HideLogoffScripts"=0 (0x0)

"RunLogonScriptSync"=1 (0x1)

"RunStartupScriptSync"=0 (0x0)

"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRecentDocsMenu"=01000000

"NoRecentDocsNetHood"=01000000

"NoSMMyDocs"=01000000

"NoSMMyPictures"=01000000

"NoUserNameInStartMenu"=01000000

"ClearRecentDocsOnExit"=01000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]

AutoRun\command- H:\InstallTomTomHOME.exe

-- End of Deckard's System Scanner: finished at 2008-05-23 18:23:10 ------------


  • Root Admin

Please check for updates again for MB and run it again and fix selected if found.

That log from MB says you did not allow it to fix an item. So we want to make sure you select and fix it.

Please copy / paste this entry into Notepad, do a Save As, and for file type select "All Files" and save it to your desktop as MBSCAN.bat

@ECHO OFF
REM Quarantine the unexplained root-level file rather than delete it, so it can still be examined
MD C:\MBHOLDING
MOVE C:\053347d72ebcd5e.dat C:\MBHOLDING
REM Attribute listing of system32 (shows hidden/system/read-only flags on any dropped DLL)
ATTRIB %windir%\system32\*.* > "%USERPROFILE%\Desktop\MBFiles.txt"
REM Root of C: sorted by extension, then its file attributes
DIR /o:e C:\ >> "%USERPROFILE%\Desktop\MBFiles.txt"
ATTRIB C:\*.* >> "%USERPROFILE%\Desktop\MBFiles.txt"
REM Current directory: the Desktop when the batch file is double-clicked from there
ATTRIB *.* >> "%USERPROFILE%\Desktop\MBFiles.txt"
REM Confirm the quarantined file actually moved
DIR C:\MBHOLDING >> "%USERPROFILE%\Desktop\MBFiles.txt"

Please run that batch file by double clicking it and it will create a new text file named MBFiles.txt and put it on your desktop.

Then reply back and attach that file here via the upload button - don't post it directly, just upload it.

Also download and install WinPatrol and it will watch for changes to your system as well. WinPatrol

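The Malwarebytes log above shows why deleting the .dll on its own did not hold: the Trojan.FakeAlert entry sits under HKLM\...\Winlogon\Notify, and winlogon.exe loads every DLL registered there at boot, so the file comes back into a SYSTEM process on every start and cannot be deleted while it is loaded (which is why Malwarebytes asked for a reboot). The script below is an added example for readers, not something posted in this thread or shipped by Malwarebytes; it enumerates the Notify packages on an XP/2003 machine and flags any that are not in a known-good list or whose DLL is missing. It assumes PowerShell 2.0 or later run from an administrator account, and the known-good package names are my assumption for a default XP SP2 install, so trim or extend that list for your own build.

```powershell
# Added example (not from the thread): audit Winlogon notification packages on XP/2003.
# Each subkey under this key names a DLL that winlogon.exe loads at boot, which is how a
# rogue entry such as Notify\xfxwjdol in the log above survives deletion of the file alone.
# Vista and later no longer honour this key, so the check only applies to XP/2003.
$notifyKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
$system32  = Join-Path $env:SystemRoot 'system32'

# Assumption: subkeys present on a default XP SP2 install. Adjust for your build.
$knownGood = @('crypt32chain', 'cryptnet', 'cscdll', 'ScCertProp', 'Schedule',
               'sclgntfy', 'SensLogn', 'termsrv', 'wlballoon')

Get-ChildItem $notifyKey | ForEach-Object {
    $name = $_.PSChildName
    # Get-ItemProperty expands REG_EXPAND_SZ values such as %SystemRoot%\... for us
    $dll  = (Get-ItemProperty -Path $_.PSPath).DllName

    if (-not $dll) {
        $path = ''; $exists = $false
    } elseif ([System.IO.Path]::IsPathRooted($dll)) {
        $path = $dll; $exists = Test-Path -LiteralPath $path
    } else {
        # A bare file name is resolved from system32, the same way winlogon resolves it
        $path = Join-Path $system32 $dll; $exists = Test-Path -LiteralPath $path
    }

    # Authenticode status is informational only: many XP system DLLs are catalog-signed
    # and report NotSigned here, so NotSigned on its own is not evidence of malware.
    $sig = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'FileMissing' }

    $verdict = if ($knownGood -notcontains $name) { 'REVIEW: unknown package' }
               elseif (-not $exists)             { 'REVIEW: DllName missing' }
               else                              { 'ok' }

    New-Object PSObject -Property @{
        Verdict = $verdict; Package = $name; DllName = $dll; Path = $path; Signature = $sig
    }
} | Format-Table Verdict, Package, DllName, Signature -AutoSize
```

Anything reported as REVIEW deserves a look at the file itself (creation time, attributes, whether it also shows up in the Deckard's "Files created" listing). If a package turns out to be malicious, remove its registry subkey first and reboot before deleting the DLL; while winlogon.exe has the module loaded the delete will fail, and if the key is still present the next boot simply loads it again.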

OK no probs.

Malwarebytes has been run again and nothing was detected. Could it be that upon the reboot it fixed those items? This was what it suggested when it first discovered them (ie, that a reboot was necessary).

The file upload is done with this reply.

I've installed SpywareBlaster and WinPatrol and they are running. I'll switch the PC off now and check back in the morning for any updates. Cheers.

MBFiles.txt



  • Root Admin

Yes the reboot removed them. You simply copied the log before it had actually cleaned up so that's fine.

Curious how or why you got reinfected so fast again though. I was hoping to find something obvious in the files listed but nothing stands out.

Please update Spybot Search & Destroy and run another scan with it and let me know if it finds anything.

Then after a reboot, run one more Deckard's scan and post that please.

I would hold off on any Vista upgrade plans for at least a few days.


Yes that makes at least two of us who are curious as to why this is happening!

I'm a bit confused about the turn of events yesterday prior to having this infection rear up again:

This PC is normally turned off at night. It was running fine (without the infection showing in any obvious way) yesterday afternoon with no apparent problems. Most of what I was doing on it involved monitoring this forum and some minor browsing, with most of my other internet access (and any downloads) being done through the uninfected laptop. I left it on and went outside. My wife got home from work and said that she just did her normal checking of Outlook, Hotmail, and a regular trusted website (a work discussion forum), and then left the computer running and went off to do other stuff. However, when I got back from outside, it was shut down. She says she may have inadvertently shut it down, though she wouldn't normally do this and doesn't remember doing it (she was very tired). It was upon turning it back on that the virus popped back up again and started the Security Centre, fake popups, etc.

I wonder about this because the infection certainly appears to have caused or led to random shutdowns/reboots when the PC was unattended in the past.

That last Malwarebytes run I did upon discovering the reinfection detected the fake warning alerts - interestingly this was the first time Malwarebytes had detected anything so I assume there was a relevant update sometime in the last 48hrs or so. BTW, the computer has been behaving again since Malwarebytes removed those items it detected.

Spybot run just now found only 5 tracking cookies, which were fixed.

Here is the Deckard's log after the subsequent reboot:

Deckard's System Scanner v20071014.68

Run by Mike&Sarah on 2008-05-24 10:36:44

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- HijackThis (run as Mike&Sarah.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 10:36:49 AM, on 24/05/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

D:\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

D:\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\hasplms.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\RTHDCPL.EXE

D:\Maxtor\OneTouch\utils\Onetouch.exe

C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

C:\Program Files\Logitech\QuickCam\Quickcam.exe

D:\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe

C:\Program Files\Windows Defender\MSASCui.exe

D:\ESET NOD32 Antivirus\egui.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\Program Files\Skype\Phone\Skype.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\WINDOWS\system32\wuauclt.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\Program Files\Skype\Plugin Manager\SkypePM.exe

C:\Documents and Settings\Mike&Sarah\Desktop\dss.exe

D:\Computer\MIKE&S~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll

O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch

O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide

O4 - HKLM\..\Run: [egui] "D:\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://qvpn.qantas.com.au/postauthI/epi.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - D:\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: MaxBackServiceInt - Unknown owner - D:\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

O23 - Service: NBService - Nero AG - D:\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: MaxSyncService (NTService1) - - D:\Maxtor\OneTouch\Utils\SyncServices.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 9757 bytes

-- Files created between 2008-04-24 and 2008-05-24 -----------------------------

2008-05-24 10:33:44 0 dr-h----- C:\Documents and Settings\Mike&Sarah\Recent

2008-05-23 21:52:54 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\WinPatrol

2008-05-23 21:52:48 0 d-------- C:\Program Files\BillP Studios

2008-05-23 21:52:31 0 d-------- C:\Program Files\SpywareBlaster

2008-05-23 21:46:00 0 d-------- C:\MBHOLDING

2008-05-17 19:51:53 6528 -r-h----t C:\Documents and Settings\Mike&Sarah\Backup Status

2008-05-17 18:30:46 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET

2008-05-17 17:31:11 0 dr------- C:\Documents and Settings\NetworkService\Favorites

2008-05-17 10:38:04 19968 --a------ C:\WINDOWS\system32\cpuinf32.dll

2008-05-17 10:38:04 0 d-------- C:\Program Files\Interapple

2008-05-17 10:37:11 0 d-------- C:\Documents and Settings\Administrator\WINDOWS

2008-05-17 10:22:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-05-17 10:22:58 0 d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-05-16 17:53:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

2008-05-16 16:21:52 0 d-------- C:\Program Files\EsetOnlineScanner

2008-05-16 15:08:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Orbit

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Templates

2008-05-16 15:00:19 0 dr------- C:\Documents and Settings\Administrator\Start Menu

2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\SendTo

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Recent

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\PrintHood

2008-05-16 15:00:19 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\NetHood

2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\My Documents

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Local Settings

2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Favorites

2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Desktop

2008-05-16 15:00:19 0 d--hs---- C:\Documents and Settings\Administrator\Cookies

2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\Application Data

2008-05-16 15:00:19 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft

2008-04-29 17:19:08 45568 --a------ C:\WINDOWS\system32\WNDTLS32.DLL <Not Verified; DBS GmbH, Bremen-Germany; TX Text-Control>

2008-04-29 17:19:08 64000 --a------ C:\WINDOWS\system32\TXTLS32.DLL <Not Verified; DBS GmbH; TX Text-Control>

2008-04-29 17:19:08 250880 --a------ C:\WINDOWS\system32\TX32.DLL

2008-04-29 17:19:05 0 d-------- C:\acrsk

2008-04-29 09:05:38 0 d-------- C:\Program Files\Hiro-Media

2008-04-29 09:05:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media

2008-04-25 08:23:30 0 dr------- C:\Documents and Settings\LocalService\Favorites

2008-04-24 16:34:20 0 d-------- C:\cmdcons

2008-04-24 15:24:47 0 d-------- C:\Program Files\Windows Defender

2008-04-24 15:21:11 0 d-------- C:\Program Files\Panda Security

2008-04-24 14:49:23 53248 --a------ C:\WINDOWS\PSEXESVC.EXE <Not Verified; Sysinternals; Sysinternals PsExec>

2008-04-24 14:41:36 68096 --a------ C:\WINDOWS\zip.exe

2008-04-24 14:41:36 49152 --a------ C:\WINDOWS\VFind.exe

2008-04-24 14:41:36 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>

2008-04-24 14:41:36 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>

2008-04-24 14:41:36 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>

2008-04-24 14:41:36 98816 --a------ C:\WINDOWS\sed.exe

2008-04-24 14:41:36 80412 --a------ C:\WINDOWS\grep.exe

2008-04-24 14:41:36 73728 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >

2008-04-24 14:11:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes

2008-04-24 14:11:34 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-04-24 12:52:41 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-04-24 12:51:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

-- Find3M Report ---------------------------------------------------------------

2008-05-24 09:51:20 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Skype

2008-05-22 00:37:41 0 d-------- C:\Program Files\Microsoft Silverlight

2008-05-18 09:00:06 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Adobe

2008-05-17 18:00:35 0 d-------- C:\Program Files\Common Files\Symantec Shared

2008-05-17 17:39:14 0 d-------- C:\Program Files\Common Files

2008-05-16 20:20:42 0 d-------- C:\Program Files\Logitech

2008-05-16 16:07:06 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Orbit

2008-05-16 15:45:48 0 d-------- C:\Program Files\QuickTime

2008-05-16 15:13:35 0 d-------- C:\Program Files\Common Files\Macromedia

2008-05-02 13:41:36 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Macromedia

2008-04-25 09:29:26 356 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\preferences.xml

2008-04-25 09:29:13 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson

2008-04-24 15:47:17 0 d-------- C:\Program Files\Common Files\Autodesk Shared

2008-04-24 12:38:48 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft

2008-04-22 18:22:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Real

2008-04-16 14:18:37 0 d-------- C:\Program Files\Canon

2008-04-09 21:04:22 0 d-------- C:\Program Files\Common Files\SureThing Shared

2008-04-09 17:47:17 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley

2008-04-09 17:43:42 0 d-------- C:\Program Files\Gabest

2008-04-09 17:41:26 0 d-------- C:\Program Files\URLSnooper2

2008-04-09 17:40:02 0 d-------- C:\Program Files\Common Files\Canopus Shared

2008-04-09 17:40:01 0 d--h----- C:\Program Files\InstallShield Installation Information

2008-04-09 17:39:21 0 d-------- C:\Program Files\Common Files\Snell & Wilcox Shared

2008-04-09 17:39:07 0 d-------- C:\Program Files\Common Files\Grass Valley

2008-04-09 14:15:50 556 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\AutoGK.ini

2008-04-09 14:01:09 0 d-------- C:\Program Files\Orbitdownloader

2008-04-09 13:52:44 46 --a------ C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat

2008-04-09 13:52:44 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder

2008-04-03 11:52:48 0 d-------- C:\Program Files\Common Files\Adobe

2008-04-03 11:51:38 0 d-------- C:\Program Files\Common Files\Macrovision Shared

2008-03-31 15:52:15 0 d-------- C:\Program Files\LCDHype

2008-03-31 15:44:01 0 d-------- C:\Program Files\DIFX

2008-03-31 15:44:00 0 d-------- C:\Program Files\Common Files\Ulead Systems

2008-03-31 15:43:37 0 d-------- C:\Program Files\Common Files\Aladdin Shared

2008-03-31 15:43:24 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11

2008-03-31 15:43:01 0 d-------- C:\Program Files\Chief Architect Inc

2008-03-31 14:58:24 0 d-------- C:\Program Files\Microsoft Works

2008-03-31 14:58:14 0 d-------- C:\Program Files\MSBuild

2008-03-31 14:57:10 0 d-------- C:\Program Files\Microsoft.NET

2008-03-31 14:54:14 0 d-------- C:\Program Files\Microsoft Visual Studio 8

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [09/02/2004 02:03 PM]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [20/09/2006 10:27 PM]

"CTxfiHlp"="CTXFIHLP.EXE" [11/08/2006 01:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [13/02/2006 11:05 PM]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [13/02/2006 11:05 PM]

"RTHDCPL"="RTHDCPL.EXE" [30/10/2006 07:49 PM C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [16/05/2006 06:04 PM C:\WINDOWS\SkyTel.exe]

"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [27/03/2006 03:04 PM]

"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [17/10/2005 04:24 PM]

"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 05:17 PM]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [09/03/2007 06:53 PM]

"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [25/07/2007 03:02 PM]

"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [25/07/2007 03:06 PM]

"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 06:00 AM]

"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [26/03/2007 05:45 PM]

"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [03/11/2006 07:20 PM]

"egui"="D:\ESET NOD32 Antivirus\egui.exe" [13/03/2008 04:48 PM]

"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [26/04/2008 03:31 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Start WingMan Profiler"="" []

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [12/03/2007 01:49 PM]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [30/03/2007 01:34 PM]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

"HideLegacyLogonScripts"=0 (0x0)

"HideLogoffScripts"=0 (0x0)

"RunLogonScriptSync"=1 (0x1)

"RunStartupScriptSync"=0 (0x0)

"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"HideLegacyLogonScripts"=0 (0x0)

"HideLogoffScripts"=0 (0x0)

"RunLogonScriptSync"=1 (0x1)

"RunStartupScriptSync"=0 (0x0)

"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRecentDocsMenu"=01000000

"NoRecentDocsNetHood"=01000000

"NoSMMyDocs"=01000000

"NoSMMyPictures"=01000000

"NoUserNameInStartMenu"=01000000

"ClearRecentDocsOnExit"=01000000

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]

SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]

@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\RpcSs]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]

@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]

@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]

@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]

@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]

@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]

@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]

@="Volume"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]

AutoRun\command- H:\InstallTomTomHOME.exe

-- End of Deckard's System Scanner: finished at 2008-05-24 10:37:45 ------------


That's OK. I had to cut the horse paddocks on the tractor yesterday. Still need to finish them off today. Seems there's never enough time for everything!

The PC is still behaving itself, so far, since the last Malwarebytes run.

Here's the Combofix log, latest version.

ComboFix 08-05-21.3 - Mike&Sarah 2008-05-25 7:27:02.4 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1472 [GMT 10:00]

Running from: C:\Documents and Settings\Mike&Sarah\Desktop\ComboFix.exe

* Created a new restore point

.

Error: Cfiles.dat

Error: Cfolders.dat

((((((((((((((((((((((((( Files Created from 2008-04-24 to 2008-05-24 )))))))))))))))))))))))))))))))

.

2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Program Files\SpywareBlaster

2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Program Files\BillP Studios

2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Documents and Settings\Mike&Sarah\Application Data\WinPatrol

2008-05-23 21:46 . 2008-05-23 21:46 <DIR> d-------- C:\MBHOLDING

2008-05-17 18:30 . 2008-05-17 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET

2008-05-17 12:21 . 2008-05-17 12:21 <DIR> d-------- C:\Deckard

2008-05-17 10:38 . 2008-05-17 10:38 <DIR> d-------- C:\Program Files\Interapple

2008-05-17 10:38 . 1997-01-24 04:52 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll

2008-05-17 10:37 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS

2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-05-16 20:30 . 2008-05-16 20:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-05-16 17:53 . 2008-05-16 17:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

2008-05-16 16:21 . 2008-05-16 16:26 <DIR> d-------- C:\Program Files\EsetOnlineScanner

2008-05-16 15:42 . 2008-05-16 15:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-05-16 15:42 . 2008-05-16 15:42 1,409 --a------ C:\WINDOWS\QTFont.for

2008-05-16 15:08 . 2008-05-16 15:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Orbit

2008-05-16 15:00 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator

2008-05-08 10:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys

2008-05-08 10:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Program Files\Hiro-Media

2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media

2008-04-24 15:24 . 2008-04-24 15:24 <DIR> d-------- C:\Program Files\Windows Defender

2008-04-24 15:21 . 2008-04-24 15:23 <DIR> d-------- C:\Program Files\Panda Security

2008-04-24 14:11 . 2008-04-24 14:11 <DIR> d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes

2008-04-24 14:11 . 2008-04-24 14:11 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-04-24 12:52 . 2008-04-24 12:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-04-24 12:51 . 2008-04-24 12:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-04-24 12:04 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll

2008-04-24 12:04 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-24 21:25 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Skype

2008-05-21 14:37 --------- d-----w C:\Program Files\Microsoft Silverlight

2008-05-17 08:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-05-17 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-05-16 10:20 --------- d-----w C:\Program Files\Logitech

2008-05-16 06:07 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Orbit

2008-05-16 05:45 --------- d-----w C:\Program Files\QuickTime

2008-05-16 05:13 --------- d-----w C:\Program Files\Common Files\Macromedia

2008-05-14 11:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help

2008-04-24 23:29 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson

2008-04-24 05:47 --------- d-----w C:\Program Files\Common Files\Autodesk Shared

2008-04-24 02:38 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft

2008-04-16 04:18 --------- d-----w C:\Program Files\Canon

2008-04-09 11:04 --------- d-----w C:\Program Files\Common Files\SureThing Shared

2008-04-09 07:47 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley

2008-04-09 07:43 --------- d-----w C:\Program Files\Gabest

2008-04-09 07:41 --------- d-----w C:\Program Files\URLSnooper2

2008-04-09 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grass Valley

2008-04-09 07:40 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-09 07:40 --------- d-----w C:\Program Files\Common Files\Canopus Shared

2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Snell & Wilcox Shared

2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Grass Valley

2008-04-09 04:01 --------- d-----w C:\Program Files\Orbitdownloader

2008-04-09 03:52 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder

2008-04-03 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet

2008-04-03 01:52 --------- d-----w C:\Program Files\Common Files\Adobe

2008-04-03 01:51 --------- d-----w C:\Program Files\Common Files\Macrovision Shared

2008-04-03 01:49 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys

2008-04-03 01:49 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys

2008-04-03 01:49 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys

2008-04-03 01:49 129,784 ------w C:\WINDOWS\system32\pxafs.dll

2008-04-03 01:49 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe

2008-04-03 01:49 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe

2008-04-03 00:12 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Ahead

2008-03-31 05:52 --------- d-----w C:\Program Files\LCDHype

2008-03-31 05:44 --------- d-----w C:\Program Files\DIFX

2008-03-31 05:44 --------- d-----w C:\Program Files\Common Files\Ulead Systems

2008-03-31 05:43 --------- d-----w C:\Program Files\Common Files\Aladdin Shared

2008-03-31 05:43 --------- d-----w C:\Program Files\Chief Architect Inc

2008-03-31 05:43 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11

2008-03-31 04:58 --------- d-----w C:\Program Files\MSBuild

2008-03-31 04:58 --------- d-----w C:\Program Files\Microsoft Works

2008-03-31 04:57 --------- d-----w C:\Program Files\Microsoft.NET

2008-03-31 04:54 --------- d-----w C:\Program Files\Microsoft Visual Studio 8

2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

.

((((((((((((((((((((((((((((( snapshot_2008-05-17_18.53.04.95 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-05-17 08:00:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-05-24 21:17:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-03-25 08:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll

+ 2008-03-24 09:33:02 1,527,056 ----a-w C:\WINDOWS\Downloaded Program Files\CONFLICT.1\FP_AX_CAB_INSTALLER.exe

+ 2008-03-24 09:33:02 1,527,056 ----a-w C:\WINDOWS\Downloaded Program Files\FP_AX_CAB_INSTALLER.exe

+ 2007-02-12 06:24:56 114,792 ----a-w C:\WINDOWS\Downloaded Program Files\IDropENU.dll

+ 2007-07-18 03:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll

- 2008-01-18 00:53:20 73,728 ----a-r C:\WINDOWS\Installer\{5783F2D7-6001-0409-0002-0060B0CE6BBA}\Acad162_icon.exe

+ 2008-05-21 21:56:09 73,728 ----a-r C:\WINDOWS\Installer\{5783F2D7-6001-0409-0002-0060B0CE6BBA}\Acad162_icon.exe

+ 2008-03-25 02:32:44 218,496 ----a-r C:\WINDOWS\system32\Macromed\Flash\FlashUtil9f.exe

+ 2008-05-17 23:00:16 74,649 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe

- 2008-05-17 08:04:59 64,828 ----a-w C:\WINDOWS\system32\perfc009.dat

+ 2008-05-24 21:22:04 64,828 ----a-w C:\WINDOWS\system32\perfc009.dat

- 2008-05-17 08:04:59 410,006 ----a-w C:\WINDOWS\system32\perfh009.dat

+ 2008-05-24 21:22:04 410,006 ----a-w C:\WINDOWS\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Start WingMan Profiler"="" []

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 13:34 25263144]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [2004-02-09 14:03 163840]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-20 22:27 185784]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-13 23:05 7557120]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-02-13 23:05 86016]

"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 19:49 16269312 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]

"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 15:04 712704]

"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 16:24 81920]

"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]

"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 15:02 563984]

"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 15:06 2027792]

"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 06:00 33648]

"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-26 17:45 389120]

"egui"="D:\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]

"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-26 03:31 333120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRecentDocsNetHood"= 01000000

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 01000000

"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.CDVC"= cdvccodc.dll

"vidc.CDVH"= cdvhcodc.dll

"vidc.CUVC"= cuvccodc.dll

"vidc.CLLC"= cllccodc.dll

"vidc.CDV5"= cdv5codc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=

"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"E:\\tomtom home\\TomTomHOME.exe"=

"C:\\WINDOWS\\system32\\mmc.exe"=

"D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"F:\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=

"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"D:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"D:\\Microsoft Office\\Office12\\GROOVE.EXE"=

"D:\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1947:TCP"= 1947:TCP:HASP SRM

"1947:UDP"= 1947:UDP:HASP SRM

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]

R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 19:48]

R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run []

S3 ausbmon;Advanced USB Port Monitor Filter Driver;C:\WINDOWS\system32\ausbmon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]

\Shell\AutoRun\command - H:\InstallTomTomHOME.exe

.

Contents of the 'Scheduled Tasks' folder

"2008-05-24 21:20:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

- C:\Program Files\Windows Defender\MpCmdRun.exe

"2008-04-16 14:43:28 C:\WINDOWS\Tasks\Windows Update.job"

- C:\WINDOWS\system32\wupdmgr.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-25 07:30:10

Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:

ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.exe [788] 0x8A46A7A8

scanning hidden autostart entries ...

scanning hidden files ...

C:\DOCUME~1\MIKE&S~1\LOCALS~1\Temp\tmp16C.tmp.8cfe9a0b.tmp 249344 bytes executable

C:\WINDOWS\TEMP\tmp95.tmp.8cfe9a0b.tmp 249856 bytes executable

C:\WINDOWS\TEMP\tmp15C.tmp.8cfe9a0b.tmp 249856 bytes executable

C:\WINDOWS\system32\.8cfe9a0b

scan completed successfully

hidden files: 4

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\8cfe9a0b]

"ImagePath"="C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.exe"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe

-> C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.core.dll

-> ?:\WINDOWS\system32\MLANG.dll

-> ?:\WINDOWS\system32\MLANG.dll

-> ?:\WINDOWS\system32\MLANG.dll

-> ?:\WINDOWS\system32\MLANG.dll

.

Completion time: 2008-05-25 7:31:36

ComboFix-quarantined-files.txt 2008-05-24 21:31:24

ComboFix2.txt 2008-04-24 06:42:03

Pre-Run: 3,950,338,048 bytes free

Post-Run: 4,039,208,960 bytes free

219 --- E O F --- 2008-05-21 14:37:43


  • Root Admin

Please remove ComboFix and the backup files it created by running this.

Click START then RUN

Now type Combofix /u in the runbox and click OK

When shown the disclaimer, Select "2"

Then reboot your computer and run the ATF Temporary file cleaner you downloaded and ran before.

Then reboot your computer again and browse with Explorer to this location and see if you can find this folder and file.

C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.core.dll

If it is not found then try to locate it in a DOS prompt.

Click START then RUN and type in CMD

Then type the following - followed by the ENTER key after each line.

CD\

CD WINDOWS

CD SYSTEM32

DIR /AD /P

Do you see the folder .8cfe9a0b

CD .8cfe9a0b

DIR

Do you see the file 8cfe9a0b.core.dll

If not then try this

attrib *.dll

Do you see the file now?

Please post back your findings.


No, nothing even resembling that file was found in c:\windows\system32 using either technique.

However winpatrol is picking up a change to the ".REG" file type associations. This just popped up apparently randomly on the screen a few secs ago (I'm writing this on the laptop - the PC is on, but not being used apart from following your requests above).

It is wanting to reassociate "regedit.exe %1 %*" to "regedit.exe %1" whatever that means. I'll select NO unless you advise that this is OK. PC going off for a while anyway, as we're going out.


  • Root Admin

Yes, you can accept the change. That is the correct entry. Not sure where the old one came from.

Okay, delete any versions of ComboFix you have, download a new version once again, run it, and post back the logs.

ComboFix.exe download.

I want to see if that file is showing up again with ComboFix still.


I got the error message "COMSPEC environment variable was found to be corrupt" on initially running the new download of ComboFix, but it appeared to repair itself and then ran OK.

Here's the log (that entry seems to still be there).

ComboFix 08-05-24.1 - Mike&Sarah 2008-05-25 20:34:44.5 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1465 [GMT 10:00]

Running from: C:\Documents and Settings\Mike&Sarah\Desktop\ComboFix.exe

* Created a new restore point

.

Error: Cfiles.dat

Error: Cfolders.dat

((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))

.

2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Program Files\SpywareBlaster

2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Program Files\BillP Studios

2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Documents and Settings\Mike&Sarah\Application Data\WinPatrol

2008-05-23 21:46 . 2008-05-23 21:46 <DIR> d-------- C:\MBHOLDING

2008-05-17 18:30 . 2008-05-17 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET

2008-05-17 10:38 . 2008-05-17 10:38 <DIR> d-------- C:\Program Files\Interapple

2008-05-17 10:38 . 1997-01-24 04:52 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll

2008-05-17 10:37 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS

2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-05-16 20:30 . 2008-05-16 20:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-05-16 17:53 . 2008-05-16 17:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

2008-05-16 16:21 . 2008-05-16 16:26 <DIR> d-------- C:\Program Files\EsetOnlineScanner

2008-05-16 15:42 . 2008-05-16 15:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-05-16 15:42 . 2008-05-16 15:42 1,409 --a------ C:\WINDOWS\QTFont.for

2008-05-16 15:08 . 2008-05-16 15:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Orbit

2008-05-16 15:00 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator

2008-05-08 10:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys

2008-05-08 10:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Program Files\Hiro-Media

2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-25 10:31 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Skype

2008-05-21 14:37 --------- d-----w C:\Program Files\Microsoft Silverlight

2008-05-17 08:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-05-17 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-05-16 10:20 --------- d-----w C:\Program Files\Logitech

2008-05-16 06:07 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Orbit

2008-05-16 05:45 --------- d-----w C:\Program Files\QuickTime

2008-05-16 05:13 --------- d-----w C:\Program Files\Common Files\Macromedia

2008-05-14 11:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help

2008-04-24 23:29 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson

2008-04-24 05:47 --------- d-----w C:\Program Files\Common Files\Autodesk Shared

2008-04-24 05:24 --------- d-----w C:\Program Files\Windows Defender

2008-04-24 05:23 --------- d-----w C:\Program Files\Panda Security

2008-04-24 04:11 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes

2008-04-24 04:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-04-24 02:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-04-24 02:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-04-24 02:38 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft

2008-04-16 04:18 --------- d-----w C:\Program Files\Canon

2008-04-09 11:04 --------- d-----w C:\Program Files\Common Files\SureThing Shared

2008-04-09 07:47 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley

2008-04-09 07:43 --------- d-----w C:\Program Files\Gabest

2008-04-09 07:41 --------- d-----w C:\Program Files\URLSnooper2

2008-04-09 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grass Valley

2008-04-09 07:40 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-09 07:40 --------- d-----w C:\Program Files\Common Files\Canopus Shared

2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Snell & Wilcox Shared

2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Grass Valley

2008-04-09 04:01 --------- d-----w C:\Program Files\Orbitdownloader

2008-04-09 03:52 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder

2008-04-03 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet

2008-04-03 01:52 --------- d-----w C:\Program Files\Common Files\Adobe

2008-04-03 01:51 --------- d-----w C:\Program Files\Common Files\Macrovision Shared

2008-04-03 01:49 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys

2008-04-03 01:49 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys

2008-04-03 01:49 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys

2008-04-03 01:49 129,784 ------w C:\WINDOWS\system32\pxafs.dll

2008-04-03 01:49 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe

2008-04-03 01:49 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe

2008-04-03 00:12 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Ahead

2008-03-31 05:52 --------- d-----w C:\Program Files\LCDHype

2008-03-31 05:44 --------- d-----w C:\Program Files\DIFX

2008-03-31 05:44 --------- d-----w C:\Program Files\Common Files\Ulead Systems

2008-03-31 05:43 --------- d-----w C:\Program Files\Common Files\Aladdin Shared

2008-03-31 05:43 --------- d-----w C:\Program Files\Chief Architect Inc

2008-03-31 05:43 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11

2008-03-31 04:58 --------- d-----w C:\Program Files\MSBuild

2008-03-31 04:58 --------- d-----w C:\Program Files\Microsoft Works

2008-03-31 04:57 --------- d-----w C:\Program Files\Microsoft.NET

2008-03-31 04:54 --------- d-----w C:\Program Files\Microsoft Visual Studio 8

2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Start WingMan Profiler"="" []

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 13:34 25263144]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [2004-02-09 14:03 163840]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-20 22:27 185784]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-13 23:05 7557120]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-02-13 23:05 86016]

"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 19:49 16269312 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]

"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 15:04 712704]

"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 16:24 81920]

"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]

"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 15:02 563984]

"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 15:06 2027792]

"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 06:00 33648]

"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-26 17:45 389120]

"egui"="D:\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]

"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-26 03:31 333120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRecentDocsNetHood"= 01000000

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 01000000

"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.CDVC"= cdvccodc.dll

"vidc.CDVH"= cdvhcodc.dll

"vidc.CUVC"= cuvccodc.dll

"vidc.CLLC"= cllccodc.dll

"vidc.CDV5"= cdv5codc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=

"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"E:\\tomtom home\\TomTomHOME.exe"=

"C:\\WINDOWS\\system32\\mmc.exe"=

"D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"F:\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=

"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"D:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"D:\\Microsoft Office\\Office12\\GROOVE.EXE"=

"D:\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1947:TCP"= 1947:TCP:HASP SRM

"1947:UDP"= 1947:UDP:HASP SRM

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]

R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 19:48]

R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run []

S3 ausbmon;Advanced USB Port Monitor Filter Driver;C:\WINDOWS\system32\ausbmon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d077a16-2a04-11dd-94a4-101111111111}]

\Shell\AutoRun\command - K:\WD_Windows_Tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]

\Shell\AutoRun\command - H:\InstallTomTomHOME.exe

.

Contents of the 'Scheduled Tasks' folder

"2008-05-25 04:53:51 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

- C:\Program Files\Windows Defender\MpCmdRun.exe

"2008-04-16 14:43:28 C:\WINDOWS\Tasks\Windows Update.job"

- C:\WINDOWS\system32\wupdmgr.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-25 20:37:33

Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:

ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation

scanning hidden processes ...

C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.exe [816] 0x8A2A4DA0

scanning hidden autostart entries ...

scanning hidden files ...

C:\DOCUME~1\MIKE&S~1\LOCALS~1\Temp\tmp16C.tmp.8cfe9a0b.tmp 249344 bytes executable

C:\WINDOWS\TEMP\tmp95.tmp.8cfe9a0b.tmp 249856 bytes executable

C:\WINDOWS\TEMP\tmp15C.tmp.8cfe9a0b.tmp 249856 bytes executable

C:\WINDOWS\system32\.8cfe9a0b

scan completed successfully

hidden files: 4

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\8cfe9a0b]

"ImagePath"="C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.exe"

.

--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\explorer.exe

-> C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.core.dll

.

Completion time: 2008-05-25 20:38:53

ComboFix-quarantined-files.txt 2008-05-25 10:38:41

ComboFix2.txt 2008-05-24 21:31:38

Pre-Run: 5,088,317,440 bytes free

Post-Run: 5,076,852,736 bytes free

196 --- E O F --- 2008-05-21 14:37:43


  • Root Admin

Okay, that confirms that you do have a hidden rootkit on your system.

Please follow the instructions below carefully as we will have to use another tool for removal.

This is a very powerful tool that can fix this but can also do great harm if used incorrectly.

Step 1

  • Download IceSword English Version 1.22
  • Extract the files - C:\is_en would be the default but it can be extracted where you want as long as you know where it's at.
  • Launch the program - on the left side are 3 panels: Functions, Registry, and File
  • Click on the File panel and browse to this location: C:\WINDOWS\system32\.8cfe9a0b
  • Right click all files in that folder and force delete them as well as the directory .8cfe9a0b
  • Now click on the Registry panel and browse to this location: HKEY_LOCAL_MACHINE\system\ControlSet001\Services\8cfe9a0b
  • Then right click on the 8cfe9a0b key and delete it.
  • Look for the entry in each of the following as well and if found delete them as well:
    HKEY_LOCAL_MACHINE\system\ControlSet\Services\8cfe9a0b,
    HKEY_LOCAL_MACHINE\system\ControlSet002\Services\8cfe9a0b,
    HKEY_LOCAL_MACHINE\system\ControlSet003\Services\8cfe9a0b,
    HKEY_LOCAL_MACHINE\system\ControlSet004\Services\8cfe9a0b
  • Quit IceSword - do not reboot

Step 2

  • Run ComboFix again and scan your system.
  • Now reboot your system and run ComboFix once again

Step 3

  • Run Deckard's System Scanner again as well and post back both those logs

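The two Root Admin posts above (locating the hidden .8cfe9a0b folder, then removing the service with IceSword and re-running ComboFix to confirm) amount to a before/after comparison of two parts of the log: the catchme section and the REGEDIT4-style keys ComboFix prints. As an added example, not code from ComboFix, catchme, IceSword or this forum, the Python below parses those two parts, derives the random service name from the hidden process image, lists the registry keys that would relaunch it (service keys in any ControlSet plus the SafeBoot\Minimal entry that survives in the post-cleanup log, which the next reply asks about), flags the Security Center DisableNotify values that silence the missing-antivirus and missing-updates warnings, and diffs a before and an after run. The sample logs are constructed and trimmed from the line types on this page; the function names and the "marker" term are assumptions of mine, not ComboFix's.

```python
import re

# Constructed samples trimmed to the line types this thread's ComboFix logs contain
# (catchme findings, then the REGEDIT4-style keys ComboFix prints). Not real captures.
BEFORE_LOG = r"""
detected NTDLL code modification:
ZwEnumerateKey, ZwEnumerateValueKey, ZwQueryDirectoryFile, ZwQuerySystemInformation
scanning hidden processes ...
C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.exe [816] 0x8A2A4DA0
scanning hidden files ...
C:\WINDOWS\TEMP\tmp95.tmp.8cfe9a0b.tmp 249856 bytes executable
C:\WINDOWS\system32\.8cfe9a0b
scan completed successfully
hidden files: 2
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\8cfe9a0b]
"ImagePath"="C:\WINDOWS\system32\.8cfe9a0b\8cfe9a0b.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\8cfe9a0b]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

AFTER_LOG = r"""
scanning hidden files ...
scan completed successfully
hidden files: 0
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\8cfe9a0b]
@="Service"
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"([^"]+)"|@)=(.*)$')

def parse_catchme(log):
    """Rootkit-scanner findings: hooked NTDLL exports, hidden processes (image path
    only), hidden autostarts and files, and the final hidden-file count."""
    out = {"hooks": [], "processes": [], "autostart": [], "files": [], "hidden_count": 0}
    mode = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line: continue
        if line == "detected NTDLL code modification:":
            mode = "hooks"
        elif line.startswith("scanning hidden "):
            mode = line.split()[2]                  # processes / autostart / files
        elif line.startswith("scan completed"):
            mode = None
        elif line.startswith("hidden files:"):
            out["hidden_count"], mode = int(line.split(":", 1)[1]), None
        elif mode == "hooks":
            out["hooks"].extend(h.strip() for h in line.split(","))
        elif mode == "processes":
            out["processes"].append(line.split(" [", 1)[0])   # drop "[pid] 0xEPROCESS"
        elif mode in ("autostart", "files"):
            out[mode].append(line.split(" ", 1)[0])           # drop "NNN bytes executable"
    return out

def parse_registry(log):
    """Return {key_path: {value_name: data}} from the REGEDIT4-style lines."""
    keys, current = {}, None
    for raw in log.splitlines():
        line = raw.strip()
        key, val = KEY_RE.match(line), VALUE_RE.match(line)
        if key:
            current = key.group(1)
            keys.setdefault(current, {})
        elif val and current is not None:
            keys[current][val.group(1) or "@"] = val.group(2).strip('"')
    return keys

def marker_from_catchme(findings):
    """The random service name is the stem of the hidden process image (8cfe9a0b.exe -> 8cfe9a0b)."""
    stems = [p.rsplit("\\", 1)[-1] for p in findings["processes"]]
    return next((s[:-4] for s in stems if s.lower().endswith(".exe")), None)

def persistence_for(keys, marker):
    """Service keys in any ControlSet, plus SafeBoot entries, that would relaunch the marker."""
    tail = "\\" + marker.lower()
    return sorted(p for p in keys if p.lower().endswith(tail)
                  and ("\\services\\" in p.lower() or "\\safeboot\\" in p.lower()))

def disabled_notifications(keys):
    """Security Center *DisableNotify values set to 1: the AV / updates warnings are silenced."""
    return sorted(n for p, vals in keys.items() if p.lower().endswith("\\security center")
                  for n, d in vals.items() if n.endswith("DisableNotify") and d == "dword:00000001")

def compare_runs(before, after):
    """What the cleanup removed, and what a second pass still has to deal with."""
    b, a = parse_catchme(before), parse_catchme(after)
    marker, keys_after = marker_from_catchme(b), parse_registry(after)
    return {"marker": marker,
            "hidden_before": b["hidden_count"], "hidden_after": a["hidden_count"],
            "hooks_cleared": bool(b["hooks"]) and not a["hooks"],
            "remaining_keys": persistence_for(keys_after, marker) if marker else [],
            "still_silenced": disabled_notifications(keys_after)}
```

Run over the full logs in this thread, `compare_runs` reports the hidden-file count dropping from 4 to 0 and the NTDLL hooks gone after Step 2, while still listing the SafeBoot\Minimal key and both DisableNotify values as follow-up work. The parser deliberately ignores the "Files Created" and Find3M sections, which need a separate date-window reading rather than name matching.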

Right, we seem to have some success there, though I did have difficulty deleting the 8cfe9a0b directory. The .exe and .core.dll files within the hidden directory had to be force deleted, whereas the others were easy. Trying to force delete the directory itself kept resulting in a "failed delete" message. So I went on to the registry entries (of which there were only two - in the .....ControlSet001\..... key and the .....ControlSet003\.... key). When I returned to have another go at the directory it was gone.

I notice that directory still gets a mention in the log in the "....currentcontrolset....safeboot......" key, which I didn't realise until just now when I was browsing the logs. Would it be correct to assume that this key should be deleted too?

I'm assuming this malware has escaped detection by AV software by being hidden in the rootkit?

Here are the post-reboot combofix and Deckards logs (I have the pre-reboot combofix one as well if you want it).

ComboFix 08-05-24.1 - Mike&Sarah 2008-05-26 8:47:57.7 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1493 [GMT 10:00]

Running from: C:\Documents and Settings\Mike&Sarah\Desktop\ComboFix.exe

.

Error: Cfiles.dat

Error: Cfolders.dat

((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))

.

2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Program Files\SpywareBlaster

2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Program Files\BillP Studios

2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Documents and Settings\Mike&Sarah\Application Data\WinPatrol

2008-05-23 21:46 . 2008-05-23 21:46 <DIR> d-------- C:\MBHOLDING

2008-05-17 18:30 . 2008-05-17 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET

2008-05-17 10:38 . 2008-05-17 10:38 <DIR> d-------- C:\Program Files\Interapple

2008-05-17 10:38 . 1997-01-24 04:52 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll

2008-05-17 10:37 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS

2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-05-16 20:30 . 2008-05-16 20:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-05-16 17:53 . 2008-05-16 17:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

2008-05-16 16:21 . 2008-05-16 16:26 <DIR> d-------- C:\Program Files\EsetOnlineScanner

2008-05-16 15:42 . 2008-05-16 15:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-05-16 15:42 . 2008-05-16 15:42 1,409 --a------ C:\WINDOWS\QTFont.for

2008-05-16 15:08 . 2008-05-16 15:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Orbit

2008-05-16 15:00 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator

2008-05-08 10:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys

2008-05-08 10:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Program Files\Hiro-Media

2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-25 22:47 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Skype

2008-05-21 14:37 --------- d-----w C:\Program Files\Microsoft Silverlight

2008-05-17 08:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-05-17 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-05-16 10:20 --------- d-----w C:\Program Files\Logitech

2008-05-16 06:07 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Orbit

2008-05-16 05:45 --------- d-----w C:\Program Files\QuickTime

2008-05-16 05:13 --------- d-----w C:\Program Files\Common Files\Macromedia

2008-05-14 11:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help

2008-04-24 23:29 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson

2008-04-24 05:47 --------- d-----w C:\Program Files\Common Files\Autodesk Shared

2008-04-24 05:24 --------- d-----w C:\Program Files\Windows Defender

2008-04-24 05:23 --------- d-----w C:\Program Files\Panda Security

2008-04-24 04:11 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes

2008-04-24 04:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-04-24 02:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-04-24 02:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-04-24 02:38 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft

2008-04-16 04:18 --------- d-----w C:\Program Files\Canon

2008-04-09 11:04 --------- d-----w C:\Program Files\Common Files\SureThing Shared

2008-04-09 07:47 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley

2008-04-09 07:43 --------- d-----w C:\Program Files\Gabest

2008-04-09 07:41 --------- d-----w C:\Program Files\URLSnooper2

2008-04-09 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grass Valley

2008-04-09 07:40 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-09 07:40 --------- d-----w C:\Program Files\Common Files\Canopus Shared

2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Snell & Wilcox Shared

2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Grass Valley

2008-04-09 04:01 --------- d-----w C:\Program Files\Orbitdownloader

2008-04-09 03:52 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder

2008-04-03 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet

2008-04-03 01:52 --------- d-----w C:\Program Files\Common Files\Adobe

2008-04-03 01:51 --------- d-----w C:\Program Files\Common Files\Macrovision Shared

2008-04-03 01:49 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys

2008-04-03 01:49 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys

2008-04-03 01:49 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys

2008-04-03 01:49 129,784 ------w C:\WINDOWS\system32\pxafs.dll

2008-04-03 01:49 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe

2008-04-03 01:49 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe

2008-04-03 00:12 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Ahead

2008-03-31 05:52 --------- d-----w C:\Program Files\LCDHype

2008-03-31 05:44 --------- d-----w C:\Program Files\DIFX

2008-03-31 05:44 --------- d-----w C:\Program Files\Common Files\Ulead Systems

2008-03-31 05:43 --------- d-----w C:\Program Files\Common Files\Aladdin Shared

2008-03-31 05:43 --------- d-----w C:\Program Files\Chief Architect Inc

2008-03-31 05:43 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11

2008-03-31 04:58 --------- d-----w C:\Program Files\MSBuild

2008-03-31 04:58 --------- d-----w C:\Program Files\Microsoft Works

2008-03-31 04:57 --------- d-----w C:\Program Files\Microsoft.NET

2008-03-31 04:54 --------- d-----w C:\Program Files\Microsoft Visual Studio 8

2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

.

((((((((((((((((((((((((((((( snapshot@2008-05-25_20.38.08.51 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-05-25 04:50:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-05-25 22:46:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat

- 2008-05-25 04:55:12 64,828 ----a-w C:\WINDOWS\system32\perfc009.dat

+ 2008-05-25 22:23:02 64,828 ----a-w C:\WINDOWS\system32\perfc009.dat

- 2008-05-25 04:55:12 410,006 ----a-w C:\WINDOWS\system32\perfh009.dat

+ 2008-05-25 22:23:02 410,006 ----a-w C:\WINDOWS\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Start WingMan Profiler"="" []

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 13:34 25263144]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [2004-02-09 14:03 163840]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-20 22:27 185784]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-13 23:05 7557120]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-02-13 23:05 86016]

"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 19:49 16269312 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]

"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 15:04 712704]

"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 16:24 81920]

"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]

"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 15:02 563984]

"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 15:06 2027792]

"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 06:00 33648]

"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-26 17:45 389120]

"egui"="D:\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]

"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-26 03:31 333120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRecentDocsNetHood"= 01000000

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 01000000

"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.CDVC"= cdvccodc.dll

"vidc.CDVH"= cdvhcodc.dll

"vidc.CUVC"= cuvccodc.dll

"vidc.CLLC"= cllccodc.dll

"vidc.CDV5"= cdv5codc.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\8cfe9a0b]

@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\security center]

"AntiVirusDisableNotify"=dword:00000001

"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=

"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"E:\\tomtom home\\TomTomHOME.exe"=

"C:\\WINDOWS\\system32\\mmc.exe"=

"D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"F:\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=

"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"D:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"D:\\Microsoft Office\\Office12\\GROOVE.EXE"=

"D:\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1947:TCP"= 1947:TCP:HASP SRM

"1947:UDP"= 1947:UDP:HASP SRM

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]

R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 19:48]

R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run []

S3 ausbmon;Advanced USB Port Monitor Filter Driver;C:\WINDOWS\system32\ausbmon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d077a16-2a04-11dd-94a4-101111111111}]

\Shell\AutoRun\command - K:\WD_Windows_Tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]

\Shell\AutoRun\command - H:\InstallTomTomHOME.exe

.

Contents of the 'Scheduled Tasks' folder

"2008-05-25 22:49:33 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

- C:\Program Files\Windows Defender\MpCmdRun.exe

"2008-04-16 14:43:28 C:\WINDOWS\Tasks\Windows Update.job"

- C:\WINDOWS\system32\wupdmgr.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-26 08:50:12

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-05-26 8:51:53

ComboFix-quarantined-files.txt 2008-05-25 22:51:41

ComboFix2.txt 2008-05-25 22:42:57

ComboFix3.txt 2008-05-25 10:38:55

ComboFix4.txt 2008-05-24 21:31:38

Pre-Run: 5,094,744,064 bytes free

Post-Run: 5,079,425,024 bytes free

195 --- E O F --- 2008-05-21 14:37:43

Deckard's System Scanner v20071014.68

Run by Mike&Sarah on 2008-05-26 08:52:36

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- HijackThis (run as Mike&Sarah.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 8:52:41 AM, on 26/05/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

D:\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\RTHDCPL.EXE

D:\Maxtor\OneTouch\utils\Onetouch.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

D:\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

D:\ESET NOD32 Antivirus\egui.exe

C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

D:\ESET NOD32 Antivirus\ekrn.exe

C:\WINDOWS\system32\hasplms.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\WINDOWS\system32\wuauclt.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Mike&Sarah\Desktop\dss.exe

D:\Computer\MIKE&S~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll

O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch

O4 - HKLM\..\Run: [egui] "D:\ESET NOD32 Antivirus\egui.exe" /hide /waitservice

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://qvpn.qantas.com.au/postauthI/epi.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - D:\ESET NOD32 Antivirus\EHttpSrv.exe

O23 - Service: Eset Service (ekrn) - ESET - D:\ESET NOD32 Antivirus\ekrn.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: MaxBackServiceInt - Unknown owner - D:\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

O23 - Service: NBService - Nero AG - D:\Nero\Nero 7\Nero BackItUp\NBService.exe

O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

O23 - Service: MaxSyncService (NTService1) - - D:\Maxtor\OneTouch\Utils\SyncServices.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 9365 bytes

-- Files created between 2008-04-26 and 2008-05-26 -----------------------------

2008-05-26 08:45:11 0 dr-h----- C:\Documents and Settings\Mike&Sarah\Recent

2008-05-25 20:33:58 68096 --a------ C:\WINDOWS\zip.exe

2008-05-25 20:33:58 49152 --a------ C:\WINDOWS\VFind.exe

2008-05-25 20:33:58 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>

2008-05-25 20:33:58 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>

2008-05-25 20:33:58 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>

2008-05-25 20:33:58 98816 --a------ C:\WINDOWS\sed.exe

2008-05-25 20:33:58 80412 --a------ C:\WINDOWS\grep.exe

2008-05-25 20:33:58 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >

2008-05-23 21:52:54 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\WinPatrol

2008-05-23 21:52:48 0 d-------- C:\Program Files\BillP Studios

2008-05-23 21:52:31 0 d-------- C:\Program Files\SpywareBlaster

2008-05-23 21:46:00 0 d-------- C:\MBHOLDING

2008-05-17 19:51:53 6528 -r-h----t C:\Documents and Settings\Mike&Sarah\Backup Status

2008-05-17 18:30:46 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET

2008-05-17 17:31:11 0 dr------- C:\Documents and Settings\NetworkService\Favorites

2008-05-17 10:38:04 19968 --a------ C:\WINDOWS\system32\cpuinf32.dll

2008-05-17 10:38:04 0 d-------- C:\Program Files\Interapple

2008-05-17 10:37:11 0 d-------- C:\Documents and Settings\Administrator\WINDOWS

2008-05-17 10:22:59 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-05-17 10:22:58 0 d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-05-16 17:53:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

2008-05-16 16:21:52 0 d-------- C:\Program Files\EsetOnlineScanner

2008-05-16 15:08:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Orbit

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Templates

2008-05-16 15:00:19 0 dr------- C:\Documents and Settings\Administrator\Start Menu

2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\SendTo

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Recent

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\PrintHood

2008-05-16 15:00:19 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\NetHood

2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\My Documents

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Local Settings

2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Favorites

2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Desktop

2008-05-16 15:00:19 0 d--hs---- C:\Documents and Settings\Administrator\Cookies

2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\Application Data

2008-05-16 15:00:19 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft

2008-04-29 17:19:08 45568 --a------ C:\WINDOWS\system32\WNDTLS32.DLL <Not Verified; DBS GmbH, Bremen-Germany; TX Text-Control>

2008-04-29 17:19:08 64000 --a------ C:\WINDOWS\system32\TXTLS32.DLL <Not Verified; DBS GmbH; TX Text-Control>

2008-04-29 17:19:08 250880 --a------ C:\WINDOWS\system32\TX32.DLL

2008-04-29 17:19:05 0 d-------- C:\acrsk

2008-04-29 09:05:38 0 d-------- C:\Program Files\Hiro-Media

2008-04-29 09:05:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media

-- Find3M Report ---------------------------------------------------------------

2008-05-26 08:47:16 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Skype

2008-05-22 00:37:41 0 d-------- C:\Program Files\Microsoft Silverlight

2008-05-18 09:00:06 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Adobe

2008-05-17 18:00:35 0 d-------- C:\Program Files\Common Files\Symantec Shared

2008-05-17 17:39:14 0 d-------- C:\Program Files\Common Files

2008-05-16 20:20:42 0 d-------- C:\Program Files\Logitech

2008-05-16 16:07:06 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Orbit

2008-05-16 15:45:48 0 d-------- C:\Program Files\QuickTime

2008-05-16 15:13:35 0 d-------- C:\Program Files\Common Files\Macromedia

2008-05-02 13:41:36 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Macromedia

2008-04-25 09:29:26 356 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\preferences.xml

2008-04-25 09:29:13 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson

2008-04-24 15:47:17 0 d-------- C:\Program Files\Common Files\Autodesk Shared

2008-04-24 15:24:48 0 d-------- C:\Program Files\Windows Defender

2008-04-24 15:23:14 0 d-------- C:\Program Files\Panda Security

2008-04-24 14:11:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes

2008-04-24 12:51:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-04-24 12:38:48 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft

2008-04-22 18:22:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Real

2008-04-16 14:18:37 0 d-------- C:\Program Files\Canon

2008-04-09 21:04:22 0 d-------- C:\Program Files\Common Files\SureThing Shared

2008-04-09 17:47:17 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley

2008-04-09 17:43:42 0 d-------- C:\Program Files\Gabest

2008-04-09 17:41:26 0 d-------- C:\Program Files\URLSnooper2

2008-04-09 17:40:02 0 d-------- C:\Program Files\Common Files\Canopus Shared

2008-04-09 17:40:01 0 d--h----- C:\Program Files\InstallShield Installation Information

2008-04-09 17:39:21 0 d-------- C:\Program Files\Common Files\Snell & Wilcox Shared

2008-04-09 17:39:07 0 d-------- C:\Program Files\Common Files\Grass Valley

2008-04-09 14:15:50 556 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\AutoGK.ini

2008-04-09 14:01:09 0 d-------- C:\Program Files\Orbitdownloader

2008-04-09 13:52:44 46 --a------ C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat

2008-04-09 13:52:44 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder

2008-04-03 11:52:48 0 d-------- C:\Program Files\Common Files\Adobe

2008-04-03 11:51:38 0 d-------- C:\Program Files\Common Files\Macrovision Shared

2008-03-31 15:52:15 0 d-------- C:\Program Files\LCDHype

2008-03-31 15:44:01 0 d-------- C:\Program Files\DIFX

2008-03-31 15:44:00 0 d-------- C:\Program Files\Common Files\Ulead Systems

2008-03-31 15:43:37 0 d-------- C:\Program Files\Common Files\Aladdin Shared

2008-03-31 15:43:24 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11

2008-03-31 15:43:01 0 d-------- C:\Program Files\Chief Architect Inc

2008-03-31 14:58:24 0 d-------- C:\Program Files\Microsoft Works

2008-03-31 14:58:14 0 d-------- C:\Program Files\MSBuild

2008-03-31 14:57:10 0 d-------- C:\Program Files\Microsoft.NET

2008-03-31 14:54:14 0 d-------- C:\Program Files\Microsoft Visual Studio 8

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [09/02/2004 02:03 PM]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [20/09/2006 10:27 PM]

"CTxfiHlp"="CTXFIHLP.EXE" [11/08/2006 01:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [13/02/2006 11:05 PM]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [13/02/2006 11:05 PM]

"RTHDCPL"="RTHDCPL.EXE" [30/10/2006 07:49 PM C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [16/05/2006 06:04 PM C:\WINDOWS\SkyTel.exe]

"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [27/03/2006 03:04 PM]

"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [17/10/2005 04:24 PM]

"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 05:17 PM]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [09/03/2007 06:53 PM]

"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [25/07/2007 03:02 PM]

"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [25/07/2007 03:06 PM]

"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 06:00 AM]

"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [26/03/2007 05:45 PM]

"egui"="D:\ESET NOD32 Antivirus\egui.exe" [13/03/2008 04:48 PM]

"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [26/04/2008 03:31 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Start WingMan Profiler"="" []

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [12/03/2007 01:49 PM]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [30/03/2007 01:34 PM]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

"HideLegacyLogonScripts"=0 (0x0)

"HideLogoffScripts"=0 (0x0)

"RunLogonScriptSync"=1 (0x1)

"RunStartupScriptSync"=0 (0x0)

"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"HideLegacyLogonScripts"=0 (0x0)

"HideLogoffScripts"=0 (0x0)

"RunLogonScriptSync"=1 (0x1)

"RunStartupScriptSync"=0 (0x0)

"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRecentDocsMenu"=01000000

"NoRecentDocsNetHood"=01000000

"NoSMMyDocs"=01000000

"NoSMMyPictures"=01000000

"NoUserNameInStartMenu"=01000000

"ClearRecentDocsOnExit"=01000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\8cfe9a0b]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]

@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d077a16-2a04-11dd-94a4-101111111111}]

AutoRun\command- K:\WD_Windows_Tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]

AutoRun\command- H:\InstallTomTomHOME.exe

-- End of Deckard's System Scanner: finished at 2008-05-26 08:53:21 ------------


  • Root Admin

Download ERUNT The Emergency Recovery Utility NT

Run the program and create a backup of your Registry

Use IceSword and remove this entry, then quit IceSword

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\8cfe9a0b]

@="Service"

Download and run this file to repair the Safe Boot Option SafeBootKeyRepair.exe

Download and run SDFIX from here: How to use SDFix

Let me know if you run into any issues with the above procedures.

Then after getting back into Normal mode run the ComboFix once again and post back the logs from both programs.

.

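The key AdvancedSetup asks to remove sits under SafeBoot\Minimal, which is the list of services and drivers Windows still loads when it boots into Safe Mode, so anything registered there keeps running even when you try to clean the machine from Safe Mode. Below is an added Python example (mine, not from this thread and not part of IceSword, Deckard's or any other tool named above) that reads the SafeBoot keys out of a Deckard's "Registry Dump" section and the O23 service lines out of a HijackThis log, then reports each SafeBoot key with a verdict: a bare hex blob like 8cfe9a0b is flagged, a driver-class GUID is expected, and a named entry is shown with whether HijackThis lists a matching third-party service. The sample text inside it is constructed from the log lines posted above, and the "hex blob means suspicious" rule is my own heuristic, not something any of these tools implements.

```python
import re

# Constructed sample, modelled on the SafeBoot keys in the Deckard's "Registry Dump"
# and a few HijackThis O23 lines from the log posted in this thread (not the log itself).
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\8cfe9a0b]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d077a16-2a04-11dd-94a4-101111111111}]
AutoRun\command- K:\WD_Windows_Tools\Setup.exe
"""

SAMPLE_HJT = r"""
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Eset Service (ekrn) - ESET - D:\ESET NOD32 Antivirus\ekrn.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
"""

# A SafeBoot key line: [HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\<profile>\<name>]
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\SafeBoot\\(Minimal|Network)\\([^\]]+)\]$",
    re.IGNORECASE,
)
DEFAULT_RE = re.compile(r'^@="(.*)"$')            # the key's (Default) value, e.g. @="Service"
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,16}$", re.IGNORECASE)  # heuristic (assumption): bare hex blob
# HijackThis O23 line: "O23 - Service: <display> (<short>) - <vendor> - <path>"; short name is optional
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - ")


def parse_safeboot_entries(dump_text):
    """Return (profile, key_name, default_value) for every SafeBoot key in a registry dump."""
    entries = []
    current = None
    for raw in dump_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = [m.group(1), m.group(2), None]
            entries.append(current)
            continue
        if line.startswith("["):
            current = None  # some other key: stop attributing values to the last SafeBoot key
            continue
        if current is not None and current[2] is None:
            m = DEFAULT_RE.match(line)
            if m:
                current[2] = m.group(1)
    return [tuple(e) for e in entries]


def installed_services(hjt_text):
    """Lower-cased short names of the third-party services HijackThis lists on O23 lines."""
    names = set()
    for line in hjt_text.splitlines():
        m = O23_RE.match(line.strip())
        if m:
            names.add((m.group("short") or m.group("display")).lower())
    return names


def classify(key_name):
    """Heuristic verdict for one SafeBoot key name."""
    if GUID_RE.match(key_name):
        return "guid"        # driver-class GUIDs are expected here (volume shadow copy, etc.)
    if HEX_NAME_RE.match(key_name):
        return "suspicious"  # neither Microsoft nor vendors name services as a hex blob
    return "named"


def audit_safeboot(dump_text, hjt_text):
    """One dict per SafeBoot key: verdict plus whether HijackThis lists a matching service."""
    listed = installed_services(hjt_text)
    return [
        {
            "profile": profile,
            "name": name,
            "default": value,
            "verdict": classify(name),
            "listed_service": name.lower() in listed,
        }
        for profile, name, value in parse_safeboot_entries(dump_text)
    ]


def suspicious_names(dump_text, hjt_text):
    """Just the SafeBoot key names the heuristic flags, in dump order."""
    return [r["name"] for r in audit_safeboot(dump_text, hjt_text) if r["verdict"] == "suspicious"]


if __name__ == "__main__":
    for r in audit_safeboot(SAMPLE_DUMP, SAMPLE_HJT):
        print(f'{r["profile"]:8} {r["name"]:42} {r["verdict"]:10} listed={r["listed_service"]}')
```

Run it on the sample and only 8cfe9a0b comes back flagged; aawservice is a named entry backed by a listed service, vds is a named Windows built-in (HijackThis does not list Microsoft services, so "listed" is false for it and that alone is not a red flag), and the {533C5B84-...} key is a driver-class GUID. The script reports and never touches the registry; removal stays with a tool like IceSword as instructed above, after an ERUNT backup.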

  • Root Admin

Make sure you have Data backups as well.

Please note that ESET NOD32 has had a recent False Positive that could potentially delete data files and/or single-archive mail files.

Please read more about it below.

Directions on how to update the NOD32 program.

Help: My PC is freezing during startup

NOD32 3.0 messing up Adobe CS3 applications (false positives)

From another forum:

Son of a...

I'd never heard of ESET before so decided to check it out via their online scanning tool. It found 56 threats, all email attachments in my "Eudora 2004" attachments directory. (Yes, I have most of my emails -- since 1996!).

Then the freakin' thing found Phishing.gen in my 2007 inbox archive file and PROCEEDED TO DELETE ALL MY 2007 INBOX!!! Granted, the entire archive is a single .mbx file, but STILL! Hopefully I have a backup somewhere.

Edit: Nope! No backup :/

I know you were asked to use NOD32 as a scanner for this malware so I don't want you to accidentally become one of these unhappy users.


Alright, thanks very much AdvancedSetup. I'm away overseas for a couple of days for work at the moment but I'll be back early this Thurs morning my local time (which I think is Wed afternoon/evening your time). I'll do all that stuff and post the results & log as soon as I get back.

Thanks for the warning about the NOD32 incident. That's a rather unfortunate bug. I'll do another email & data backup to the Maxtor when I get home, as I haven't done one for a month or 2. The wife has had a bit of important work correspondence over the last 2 weeks (he says, staring at ceiling trying to think of a reason why he hasn't already backed it up). I'm getting a creepy, uncomfortable feeling trying to imagine her reaction if it was wiped with no backup.


Just got back this morning. The link for SafeBootKeyRepair is not working (it's just giving me a "page not found"). In the meantime I'll run the other stuff.

EDIT:

Just tried the safebootkeyrepair link one more time and it downloaded. Running now........


OK all done except the safeboot repair as mentioned above.

The SDFix Log:

SDFix: Version 1.186

Run by Administrator on Thu 29/05/2008 at 10:05 AM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Checking Services :

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Rebooting

Checking Files :

Trojan Files Found:

C:\.exe - Deleted

C:\.exe - Deleted

Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-29 10:08:40

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully

hidden processes: 0

hidden services: 0

hidden files: 0

Remaining Services :

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"="C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe:*:Enabled:SmartFTP Client 2.0"

"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"

"E:\\tomtom home\\TomTomHOME.exe"="E:\\tomtom home\\TomTomHOME.exe:*:Enabled:TomTomHOME"

"C:\\WINDOWS\\system32\\mmc.exe"="C:\\WINDOWS\\system32\\mmc.exe:*:Enabled:Microsoft Management Console"

"D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"

"F:\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"="F:\\Age of Empires II\\age2_x1\\AGE2_X1.ICD:*:Disabled:Age of Empires II Expansion"

"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"

"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

"D:\\Microsoft Office\\Office12\\OUTLOOK.EXE"="D:\\Microsoft Office\\Office12\\OUTLOOK.EXE:*:Enabled:Microsoft Office Outlook"

"D:\\Microsoft Office\\Office12\\GROOVE.EXE"="D:\\Microsoft Office\\Office12\\GROOVE.EXE:*:Enabled:Microsoft Office Groove"

"D:\\Microsoft Office\\Office12\\ONENOTE.EXE"="D:\\Microsoft Office\\Office12\\ONENOTE.EXE:*:Enabled:Microsoft Office OneNote"

"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"="C:\\Program Files\\Orbitdownloader\\orbitdm.exe:*:Enabled:Orbit"

"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"="C:\\Program Files\\Orbitdownloader\\orbitnet.exe:*:Enabled:Orbit"

"C:\\WINDOWS\\system32\\dpvsetup.exe"="C:\\WINDOWS\\system32\\dpvsetup.exe:*:Enabled:Microsoft DirectPlay Voice Test"

"C:\\Program Files\\Skype\\Phone\\Skype.exe"="C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

"D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"="D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe:*:Enabled:Logitech Harmony Remote Software 7"

"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"

Remaining Files :

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"

Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"

Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

Fri 23 May 2008 145,920 ..SHR --- "C:\Program Files\BillP Studios\WinPatrol\Setup.exe"

Fri 10 Nov 2006 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Thu 8 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT7D.tmp"

Wed 28 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd52934c80a35f08ed61683a6bd658a4\BITA.tmp"

Fri 12 Jan 2007 15,505,200 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\0df81499cac89a98c5419c9cf752b89e\BIT13.tmp"

Finished!

The Combofix Log:

ComboFix 08-05-24.1 - Mike&Sarah 2008-05-29 10:21:45.9 - NTFSx86

Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1476 [GMT 10:00]

Running from: C:\Documents and Settings\Mike&Sarah\Desktop\ComboFix.exe

.

Error: Cfiles.dat

Error: Cfolders.dat

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))

.

2008-05-29 10:04 . 2008-05-29 10:04 <DIR> d-------- C:\WINDOWS\ERUNT

2008-05-29 09:54 . 2008-05-29 10:13 <DIR> d-------- C:\SDFix

2008-05-29 09:46 . 2008-05-29 09:46 <DIR> d-------- C:\Program Files\ERUNT

2008-05-26 08:52 . 2008-05-26 08:52 <DIR> d-------- C:\Deckard

2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Program Files\SpywareBlaster

2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Program Files\BillP Studios

2008-05-23 21:52 . 2008-05-23 21:52 <DIR> d-------- C:\Documents and Settings\Mike&Sarah\Application Data\WinPatrol

2008-05-23 21:46 . 2008-05-23 21:46 <DIR> d-------- C:\MBHOLDING

2008-05-17 18:30 . 2008-05-17 18:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ESET

2008-05-17 10:38 . 2008-05-17 10:38 <DIR> d-------- C:\Program Files\Interapple

2008-05-17 10:38 . 1997-01-24 04:52 19,968 --a------ C:\WINDOWS\system32\cpuinf32.dll

2008-05-17 10:37 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator\WINDOWS

2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2008-05-17 10:22 . 2008-05-17 10:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-05-16 20:30 . 2008-05-16 20:53 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy

2008-05-16 17:53 . 2008-05-16 17:53 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

2008-05-16 16:21 . 2008-05-16 16:26 <DIR> d-------- C:\Program Files\EsetOnlineScanner

2008-05-16 15:42 . 2008-05-16 15:42 54,156 --ah----- C:\WINDOWS\QTFont.qfn

2008-05-16 15:42 . 2008-05-16 15:42 1,409 --a------ C:\WINDOWS\QTFont.for

2008-05-16 15:08 . 2008-05-16 15:18 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Orbit

2008-05-16 15:00 . 2008-05-17 10:37 <DIR> d-------- C:\Documents and Settings\Administrator

2008-05-08 10:12 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys

2008-05-08 10:12 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys

2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Program Files\Hiro-Media

2008-04-29 09:05 . 2008-04-29 09:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media

.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

.

2008-05-29 00:15 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Skype

2008-05-21 14:37 --------- d-----w C:\Program Files\Microsoft Silverlight

2008-05-17 08:00 --------- d-----w C:\Program Files\Common Files\Symantec Shared

2008-05-17 00:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy

2008-05-16 10:20 --------- d-----w C:\Program Files\Logitech

2008-05-16 06:07 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Orbit

2008-05-16 05:45 --------- d-----w C:\Program Files\QuickTime

2008-05-16 05:13 --------- d-----w C:\Program Files\Common Files\Macromedia

2008-05-14 11:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help

2008-04-24 23:29 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson

2008-04-24 05:47 --------- d-----w C:\Program Files\Common Files\Autodesk Shared

2008-04-24 05:24 --------- d-----w C:\Program Files\Windows Defender

2008-04-24 05:23 --------- d-----w C:\Program Files\Panda Security

2008-04-24 04:11 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes

2008-04-24 04:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Malwarebytes

2008-04-24 02:54 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft

2008-04-24 02:51 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2008-04-24 02:38 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft

2008-04-16 04:18 --------- d-----w C:\Program Files\Canon

2008-04-09 11:04 --------- d-----w C:\Program Files\Common Files\SureThing Shared

2008-04-09 07:47 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley

2008-04-09 07:43 --------- d-----w C:\Program Files\Gabest

2008-04-09 07:41 --------- d-----w C:\Program Files\URLSnooper2

2008-04-09 07:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grass Valley

2008-04-09 07:40 --------- d--h--w C:\Program Files\InstallShield Installation Information

2008-04-09 07:40 --------- d-----w C:\Program Files\Common Files\Canopus Shared

2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Snell & Wilcox Shared

2008-04-09 07:39 --------- d-----w C:\Program Files\Common Files\Grass Valley

2008-04-09 04:01 --------- d-----w C:\Program Files\Orbitdownloader

2008-04-09 03:52 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder

2008-04-03 04:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet

2008-04-03 01:52 --------- d-----w C:\Program Files\Common Files\Adobe

2008-04-03 01:51 --------- d-----w C:\Program Files\Common Files\Macrovision Shared

2008-04-03 01:49 9,464 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys

2008-04-03 01:49 9,336 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys

2008-04-03 01:49 43,528 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys

2008-04-03 01:49 129,784 ------w C:\WINDOWS\system32\pxafs.dll

2008-04-03 01:49 118,520 ------w C:\WINDOWS\system32\pxinsi64.exe

2008-04-03 01:49 116,472 ------w C:\WINDOWS\system32\pxcpyi64.exe

2008-04-03 00:12 --------- d-----w C:\Documents and Settings\LocalService\Application Data\Ahead

2008-03-31 05:52 --------- d-----w C:\Program Files\LCDHype

2008-03-31 05:44 --------- d-----w C:\Program Files\DIFX

2008-03-31 05:44 --------- d-----w C:\Program Files\Common Files\Ulead Systems

2008-03-31 05:43 --------- d-----w C:\Program Files\Common Files\Aladdin Shared

2008-03-31 05:43 --------- d-----w C:\Program Files\Chief Architect Inc

2008-03-31 05:43 --------- d-----w C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11

2008-03-31 04:58 --------- d-----w C:\Program Files\MSBuild

2008-03-31 04:58 --------- d-----w C:\Program Files\Microsoft Works

2008-03-31 04:57 --------- d-----w C:\Program Files\Microsoft.NET

2008-03-31 04:54 --------- d-----w C:\Program Files\Microsoft Visual Studio 8

2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll

2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys

2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll

.

((((((((((((((((((((((((((((( snapshot@2008-05-25_20.38.08.51 )))))))))))))))))))))))))))))))))))))))))

.

- 2008-05-25 04:50:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-05-29 00:07:34 2,048 --s-a-w C:\WINDOWS\bootstat.dat

+ 2008-05-26 17:11:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE

+ 2008-05-29 00:04:07 950,272 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT

+ 2008-05-29 00:04:07 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat

+ 2008-05-26 17:11:56 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE

+ 2008-05-29 00:04:05 950,272 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT

+ 2008-05-29 00:04:05 8,192 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat

+ 2008-02-26 11:59:50 294,912 -c----w C:\WINDOWS\system32\dllcache\msctf.dll

- 2004-08-03 14:56:44 294,400 ----a-w C:\WINDOWS\system32\msctf.dll

+ 2008-02-26 11:59:50 294,912 ----a-w C:\WINDOWS\system32\msctf.dll

- 2008-05-25 04:55:12 64,828 ----a-w C:\WINDOWS\system32\perfc009.dat

+ 2008-05-29 00:12:05 64,828 ----a-w C:\WINDOWS\system32\perfc009.dat

- 2008-05-25 04:55:12 410,006 ----a-w C:\WINDOWS\system32\perfh009.dat

+ 2008-05-29 00:12:05 410,006 ----a-w C:\WINDOWS\system32\perfh009.dat

.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

.

.

*Note* empty entries & legit default entries are not shown

REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Start WingMan Profiler"="" []

"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49 153136]

"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-03-30 13:34 25263144]

"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [2004-02-09 14:03 163840]

"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-09-20 22:27 185784]

"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 13:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]

"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-02-13 23:05 7557120]

"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-02-13 23:05 86016]

"RTHDCPL"="RTHDCPL.EXE" [2006-10-30 19:49 16269312 C:\WINDOWS\RTHDCPL.exe]

"SkyTel"="SkyTel.EXE" [2006-05-16 18:04 2879488 C:\WINDOWS\SkyTel.exe]

"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [2006-03-27 15:04 712704]

"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [2005-10-17 16:24 81920]

"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 159744]

"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53 153136]

"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 15:02 563984]

"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 15:06 2027792]

"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 06:00 33648]

"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [2007-03-26 17:45 389120]

"egui"="D:\ESET NOD32 Antivirus\egui.exe" [2008-03-13 16:48 1443072]

"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2008-04-26 03:31 333120]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]

"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRecentDocsNetHood"= 01000000

"NoSMMyDocs"= 01000000

"NoSMMyPictures"= 01000000

"NoUserNameInStartMenu"= 01000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]

"vidc.CDVC"= cdvccodc.dll

"vidc.CDVH"= cdvhcodc.dll

"vidc.CUVC"= cuvccodc.dll

"vidc.CLLC"= cllccodc.dll

"vidc.CDV5"= cdv5codc.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

"%windir%\\system32\\sessmgr.exe"=

"C:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=

"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=

"E:\\tomtom home\\TomTomHOME.exe"=

"C:\\WINDOWS\\system32\\mmc.exe"=

"D:\\Logitech\\Logitech Harmony Remote Software 7\\HarmonyRemote.exe"=

"F:\\Age of Empires II\\age2_x1\\AGE2_X1.ICD"=

"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

"C:\\Program Files\\Messenger\\msmsgs.exe"=

"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

"D:\\Microsoft Office\\Office12\\OUTLOOK.EXE"=

"D:\\Microsoft Office\\Office12\\GROOVE.EXE"=

"D:\\Microsoft Office\\Office12\\ONENOTE.EXE"=

"C:\\Program Files\\Orbitdownloader\\orbitdm.exe"=

"C:\\Program Files\\Orbitdownloader\\orbitnet.exe"=

"C:\\WINDOWS\\system32\\dpvsetup.exe"=

"C:\\Program Files\\Skype\\Phone\\Skype.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]

"1947:TCP"= 1947:TCP:HASP SRM

"1947:UDP"= 1947:UDP:HASP SRM

R1 epfwtdir;epfwtdir;C:\WINDOWS\system32\DRIVERS\epfwtdir.sys [2008-03-13 16:52]

R2 aksfridge;aksfridge;C:\WINDOWS\system32\drivers\aksfridge.sys [2007-03-12 19:48]

R2 hasplms;HASP License Manager;C:\WINDOWS\system32\hasplms.exe -run []

S3 ausbmon;Advanced USB Port Monitor Filter Driver;C:\WINDOWS\system32\ausbmon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0d077a16-2a04-11dd-94a4-101111111111}]

\Shell\AutoRun\command - K:\WD_Windows_Tools\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{59196830-250e-11db-8298-101111111111}]

\Shell\AutoRun\command - H:\InstallTomTomHOME.exe

*Newly Created Service* - CATCHME

.

Contents of the 'Scheduled Tasks' folder

"2008-05-29 00:10:38 C:\WINDOWS\Tasks\MP Scheduled Scan.job"

- C:\Program Files\Windows Defender\MpCmdRun.exe

"2008-04-16 14:43:28 C:\WINDOWS\Tasks\Windows Update.job"

- C:\WINDOWS\system32\wupdmgr.exe

.

**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

Rootkit scan 2008-05-29 10:24:49

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully

hidden files: 0

**************************************************************************

.

Completion time: 2008-05-29 10:26:48

ComboFix-quarantined-files.txt 2008-05-29 00:26:40

ComboFix2.txt 2008-05-29 00:20:27

ComboFix3.txt 2008-05-25 22:51:54

ComboFix4.txt 2008-05-25 22:42:57

ComboFix5.txt 2008-05-25 10:38:55

Pre-Run: 4,832,190,464 bytes free

Post-Run: 4,815,482,880 bytes free

205 --- E O F --- 2008-05-28 11:33:52


  • Root Admin

Okay it looks like we're just about done. Just want to run a few more things first before we call it a day.

I updated the URL for the SafeBootKeyRepair.exe repair file. Download and run this file. (link above)

Start a DOS prompt by clicking START - RUN and type in CMD and press the ENTER KEY

Then type each command below followed by the ENTER KEY

proxycfg -d

net stop wuauserv

Then start Windows Explorer or My Computer and browse and find this folder C:\WINDOWS\SoftwareDistribution and delete the folder SoftwareDistribution

Then in the DOS prompt type this

net start wuauserv

CHKDSK C: /F /V

The chkdsk will alert and ask to run on reboot. Press the Y key and then the ENTER KEY

You can now quit this DOS prompt.

Then launch Internet Explorer and check for and install all CRITICAL UPDATES as found. Windows Update

Then reboot the system [the Disk Check should run]. Once back in normal Windows, run Deckard's System Scan

Deckard's System Scanner (DSS)

Then update MB and run a Quick Scan and post back both logs.

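The Windows Update reset the Root Admin walks through above, collected into one batch file so the steps run in order with the checks a practitioner would want between them. This is an added example, not the Root Admin's own commands or a Malwarebytes tool. It assumes Windows XP SP2 and cmd.exe (proxycfg exists only on XP; later Windows replaces it with "netsh winhttp reset proxy"), a local Administrator account, and C:\WINDOWS as %SystemRoot% on the C: system drive, which the logs in this thread show. One deliberate deviation from the post: the SoftwareDistribution folder is renamed rather than deleted, which has the same effect on Windows Update (it rebuilds the folder) but leaves a copy to inspect or restore.

```batch
@echo off
REM Added example, not the Root Admin's own commands: the Windows Update reset
REM described above as one batch file for Windows XP SP2 (cmd.exe).
REM Assumptions: run as a local Administrator; the system drive is C: and
REM %SystemRoot% is C:\WINDOWS, as the logs in this thread show.
setlocal
set SD=%SystemRoot%\SoftwareDistribution

REM 0. Refuse to run without admin rights; stopping services and renaming
REM    folders under %SystemRoot% silently fails otherwise.
net session >nul 2>&1
if errorlevel 1 (
    echo ERROR: run this from an Administrator account.
    exit /b 1
)

REM 1. Clear the WinHTTP proxy. Automatic Updates uses WinHTTP, not the
REM    Internet Explorer proxy, so a rogue proxy left here blocks updates
REM    even when browsing works. (proxycfg is XP-only; later Windows uses
REM    "netsh winhttp reset proxy".)
proxycfg -d

REM 2. Stop Automatic Updates and wait (up to about 60 s) until it is really
REM    STOPPED; renaming the folder while wuauserv still holds files fails.
net stop wuauserv >nul 2>&1
set /a tries=0
:waitstop
sc query wuauserv | find "STOPPED" >nul
if not errorlevel 1 goto stopped
set /a tries+=1
if %tries% GEQ 30 (
    echo ERROR: wuauserv did not stop; leaving %SD% untouched.
    exit /b 1
)
ping -n 3 127.0.0.1 >nul
goto waitstop
:stopped

REM 3. Move the update cache aside. The thread says delete it; renaming is
REM    equivalent for Windows Update (it rebuilds the folder) but keeps a
REM    copy to inspect or restore. Delete SoftwareDistribution.old once
REM    updates work again.
if exist "%SD%.old" rd /s /q "%SD%.old"
if exist "%SD%" ren "%SD%" SoftwareDistribution.old

REM 4. Restart the service and confirm it came back.
net start wuauserv >nul 2>&1
sc query wuauserv | find "RUNNING" >nul
if errorlevel 1 (
    echo ERROR: wuauserv did not restart; check the System event log.
    exit /b 1
)

REM 5. Schedule the file-system check. chkdsk cannot lock the system
REM    volume while Windows is running, so it asks to run at next boot;
REM    pipe in the Y the post asks you to press.
echo Y | chkdsk C: /F /V

echo Done. Reboot now (the disk check runs first), then open Windows
echo Update in Internet Explorer and install every critical update.
endlocal
```

Save it as, for example, wu-reset.cmd and run it from an Administrator cmd prompt; after the reboot, carry on with the Deckard's and Malwarebytes scans exactly as the post describes.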

Excellent - done all that list. Checkdisk was OK.

I tried that safeboot link again and posted an edit to say it worked OK, but I think we "crossed posts" on the thread just after you fixed it. Anyway it ran fine.

Sorry, I accidentally ran the MB before the Deckards (i.e., in the reverse order to what you asked for) - hope that's not an issue. MB picked up more "trojan.fakealert" items, which I selected to fix. Also this morning I installed Kaspersky AV full version, so that's up and running now (though I disabled it for the MB and Deckards scans), and did a bit of a cleanout (uninstall) of Adobe and a few other programs unrelated to any malware tools. I've been on a shopping spree so the latest versions of some of that stuff will go on when this system is clean, and the rest, well it can go into the dustbin.

Here are the logs:

Malwarebytes' Anti-Malware 1.12

Database version: 796

Scan type: Quick Scan

Objects scanned: 41407

Time elapsed: 2 minute(s), 35 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 2

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuAdminTools (Trojan.FakeAlert) -> Quarantined and deleted successfully.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuFavorites (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Deckard's System Scanner v20071014.68

Run by Mike&Sarah on 2008-05-29 12:23:49

Computer is in Normal Mode.

--------------------------------------------------------------------------------

-- HijackThis (run as Mike&Sarah.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 12:23:50 PM, on 29/05/2008

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16640)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Defender\MsMpEng.exe

C:\WINDOWS\System32\svchost.exe

D:\Lavasoft\Ad-Aware 2007\aawservice.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\WINDOWS\RTHDCPL.EXE

D:\Maxtor\OneTouch\utils\Onetouch.exe

C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe

D:\Microsoft Office\Office12\GrooveMonitor.exe

C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

C:\WINDOWS\system32\hasplms.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Documents and Settings\Mike&Sarah\Desktop\dss.exe

D:\Computer\MIKE&S~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll

O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\Microsoft Office\Office12\GrooveShellExtensions.dll

O4 - HKLM\..\Run: [GW Port Controller] C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE

O4 - HKLM\..\Run: [skyTel] SkyTel.EXE

O4 - HKLM\..\Run: [MaxtorOneTouch] D:\Maxtor\OneTouch\utils\Onetouch.exe

O4 - HKLM\..\Run: [mxomssmenu] "C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe"

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"

O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide

O4 - HKLM\..\Run: [GrooveMonitor] "D:\Microsoft Office\Office12\GrooveMonitor.exe"

O4 - HKLM\..\Run: [NexusServer] "C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" -SelfLaunch

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot

O4 - HKLM\..\Run: [AVP] "D:\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

O4 - HKCU\..\Run: [bgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

O4 - HKCU\..\Run: [skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')

O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - D:\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll

O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\MICROS~1\Office12\ONBttnIE.dll

O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\PROGRA~1\Skype\Phone\IEPlugin\SKYPEI~1.DLL (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\MICROS~1\Office12\REFIEBAR.DLL

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\WINDOWS\System32\shdocvw.dll

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab

O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab

O16 - DPF: {5EDB10D9-7E95-4833-A218-62F375DAFCF1} (Aventail Installer ) - https://qvpn.qantas.com.au/postauthI/epi.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686252156

O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1188686237640

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/flas...ent/swflash.cab

O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\Microsoft Office\Office12\GrooveSystemServices.dll

O18 - Protocol: hiro - {50BA1131-168F-4C08-A69B-4012273F222E} - C:\Program Files\Hiro-Media\HiroClient\HiroProtocolHandler.dll

O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL

O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - D:\Lavasoft\Ad-Aware 2007\aawservice.exe

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

O23 - Service: Automatic LiveUpdate Scheduler - Unknown owner - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe (file missing)

O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - D:\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe

O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe

O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe

O23 - Service: HASP License Manager (hasplms) - Aladdin Knowledge Systems Ltd. - C:\WINDOWS\system32\hasplms.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe

O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe

O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe

O23 - Service: MaxBackServiceInt - Unknown owner - D:\Maxtor\Maxtor Backup\MaxBackServiceInt.exe

O23 - Service: MaxSyncService (NTService1) - - D:\Maxtor\OneTouch\Utils\SyncServices.exe

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--

End of file - 8688 bytes

-- Files created between 2008-04-29 and 2008-05-29 -----------------------------

2008-05-29 12:06:59 0 dr-h----- C:\Documents and Settings\Mike&Sarah\Recent

2008-05-29 11:44:27 0 d-------- C:\WINDOWS\SoftwareDistribution

2008-05-29 11:39:51 96966 --a------ C:\WINDOWS\system32\drivers\klin.dat

2008-05-29 11:39:51 88262 --a------ C:\WINDOWS\system32\drivers\klick.dat

2008-05-29 11:39:51 331552 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat

2008-05-29 11:39:19 6688 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat

2008-05-29 11:39:19 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

2008-05-29 11:38:24 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files

2008-05-29 10:04:03 0 d-------- C:\WINDOWS\ERUNT

2008-05-25 20:33:58 68096 --a------ C:\WINDOWS\zip.exe

2008-05-25 20:33:58 49152 --a------ C:\WINDOWS\VFind.exe

2008-05-25 20:33:58 212480 --a------ C:\WINDOWS\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>

2008-05-25 20:33:58 136704 --a------ C:\WINDOWS\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>

2008-05-25 20:33:58 161792 --a------ C:\WINDOWS\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>

2008-05-25 20:33:58 98816 --a------ C:\WINDOWS\sed.exe

2008-05-25 20:33:58 80412 --a------ C:\WINDOWS\grep.exe

2008-05-25 20:33:58 89504 --a------ C:\WINDOWS\fdsv.exe <Not Verified; Smallfrogs Studio; >

2008-05-23 21:52:54 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\WinPatrol

2008-05-23 21:52:48 0 d-------- C:\Program Files\BillP Studios

2008-05-23 21:52:31 0 d-------- C:\Program Files\SpywareBlaster

2008-05-23 21:46:00 0 d-------- C:\MBHOLDING

2008-05-17 19:51:53 6528 -r-h----t C:\Documents and Settings\Mike&Sarah\Backup Status

2008-05-17 18:30:46 0 d-------- C:\Documents and Settings\All Users\Application Data\ESET

2008-05-17 17:31:11 0 dr------- C:\Documents and Settings\NetworkService\Favorites

2008-05-17 10:37:11 0 d-------- C:\Documents and Settings\Administrator\WINDOWS

2008-05-16 17:53:37 0 d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes

2008-05-16 15:08:25 0 d-------- C:\Documents and Settings\Administrator\Application Data\Orbit

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Templates

2008-05-16 15:00:19 0 dr------- C:\Documents and Settings\Administrator\Start Menu

2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\SendTo

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Recent

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\PrintHood

2008-05-16 15:00:19 1048576 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\NetHood

2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\My Documents

2008-05-16 15:00:19 0 d--h----- C:\Documents and Settings\Administrator\Local Settings

2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Favorites

2008-05-16 15:00:19 0 d-------- C:\Documents and Settings\Administrator\Desktop

2008-05-16 15:00:19 0 d--hs---- C:\Documents and Settings\Administrator\Cookies

2008-05-16 15:00:19 0 dr-h----- C:\Documents and Settings\Administrator\Application Data

2008-05-16 15:00:19 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft

2008-04-29 17:19:08 45568 --a------ C:\WINDOWS\system32\WNDTLS32.DLL <Not Verified; DBS GmbH, Bremen-Germany; TX Text-Control>

2008-04-29 17:19:08 64000 --a------ C:\WINDOWS\system32\TXTLS32.DLL <Not Verified; DBS GmbH; TX Text-Control>

2008-04-29 17:19:08 250880 --a------ C:\WINDOWS\system32\TX32.DLL

2008-04-29 17:19:05 0 d-------- C:\acrsk

2008-04-29 09:05:38 0 d-------- C:\Program Files\Hiro-Media

2008-04-29 09:05:38 0 d-------- C:\Documents and Settings\All Users\Application Data\Hiro-Media

-- Find3M Report ---------------------------------------------------------------

2008-05-29 12:08:51 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Skype

2008-05-29 11:31:16 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Adobe

2008-05-29 11:18:02 0 d-------- C:\Program Files\Common Files\Adobe

2008-05-29 11:09:50 0 d-------- C:\Program Files\Common Files\Ahead

2008-05-22 00:37:41 0 d-------- C:\Program Files\Microsoft Silverlight

2008-05-17 18:00:35 0 d-------- C:\Program Files\Common Files\Symantec Shared

2008-05-17 17:39:14 0 d-------- C:\Program Files\Common Files

2008-05-16 20:20:42 0 d-------- C:\Program Files\Logitech

2008-05-16 16:07:06 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Orbit

2008-05-16 15:45:48 0 d-------- C:\Program Files\QuickTime

2008-05-16 15:13:35 0 d-------- C:\Program Files\Common Files\Macromedia

2008-05-02 13:41:36 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Macromedia

2008-04-25 09:29:26 356 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\preferences.xml

2008-04-25 09:29:13 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Jeppesen Sanderson

2008-04-24 15:47:17 0 d-------- C:\Program Files\Common Files\Autodesk Shared

2008-04-24 15:24:48 0 d-------- C:\Program Files\Windows Defender

2008-04-24 15:23:14 0 d-------- C:\Program Files\Panda Security

2008-04-24 14:11:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Malwarebytes

2008-04-24 12:51:31 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard

2008-04-24 12:38:48 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Lavasoft

2008-04-22 18:22:46 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Real

2008-04-16 14:18:37 0 d-------- C:\Program Files\Canon

2008-04-09 21:04:22 0 d-------- C:\Program Files\Common Files\SureThing Shared

2008-04-09 17:47:17 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Grass Valley

2008-04-09 17:43:42 0 d-------- C:\Program Files\Gabest

2008-04-09 17:41:26 0 d-------- C:\Program Files\URLSnooper2

2008-04-09 17:40:02 0 d-------- C:\Program Files\Common Files\Canopus Shared

2008-04-09 17:40:01 0 d--h----- C:\Program Files\InstallShield Installation Information

2008-04-09 17:39:21 0 d-------- C:\Program Files\Common Files\Snell & Wilcox Shared

2008-04-09 17:39:07 0 d-------- C:\Program Files\Common Files\Grass Valley

2008-04-09 14:15:50 556 --a------ C:\Documents and Settings\Mike&Sarah\Application Data\AutoGK.ini

2008-04-09 14:01:09 0 d-------- C:\Program Files\Orbitdownloader

2008-04-09 13:52:44 46 --a------ C:\WINDOWS\system32\DonationCoder_urlsnooper_InstallInfo.dat

2008-04-09 13:52:44 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\DonationCoder

2008-04-03 11:51:38 0 d-------- C:\Program Files\Common Files\Macrovision Shared

2008-03-31 15:52:15 0 d-------- C:\Program Files\LCDHype

2008-03-31 15:44:01 0 d-------- C:\Program Files\DIFX

2008-03-31 15:44:00 0 d-------- C:\Program Files\Common Files\Ulead Systems

2008-03-31 15:43:37 0 d-------- C:\Program Files\Common Files\Aladdin Shared

2008-03-31 15:43:24 0 d-------- C:\Documents and Settings\Mike&Sarah\Application Data\Chief Architect Full Version 11

2008-03-31 15:43:01 0 d-------- C:\Program Files\Chief Architect Inc

2008-03-31 14:58:24 0 d-------- C:\Program Files\Microsoft Works

2008-03-31 14:58:14 0 d-------- C:\Program Files\MSBuild

2008-03-31 14:57:10 0 d-------- C:\Program Files\Microsoft.NET
2008-03-31 14:54:14 0 d-------- C:\Program Files\Microsoft Visual Studio 8

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GW Port Controller"="C:\Program Files\Samsung\SmarThru\PORTCTRL.EXE" [09/02/2004 02:03 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [20/09/2006 10:27 PM]
"CTxfiHlp"="CTXFIHLP.EXE" [11/08/2006 01:56 PM C:\WINDOWS\system32\CTXFIHLP.EXE]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [13/02/2006 11:05 PM]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [13/02/2006 11:05 PM]
"RTHDCPL"="RTHDCPL.EXE" [30/10/2006 07:49 PM C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [16/05/2006 06:04 PM C:\WINDOWS\SkyTel.exe]
"MaxtorOneTouch"="D:\Maxtor\OneTouch\utils\Onetouch.exe" [27/03/2006 03:04 PM]
"mxomssmenu"="C:\Program Files\Maxtor\OneTouch Status\maxmenumgr.exe" [17/10/2005 04:24 PM]
"Sony Ericsson PC Suite"="D:\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [26/10/2005 05:17 PM]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [25/07/2007 03:02 PM]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [25/07/2007 03:06 PM]
"GrooveMonitor"="D:\Microsoft Office\Office12\GrooveMonitor.exe" [24/08/2007 06:00 AM]
"NexusServer"="C:\Program Files\Common Files\Grass Valley\ProCoder 3\Kernel\PNXSERVR.exe" [26/03/2007 05:45 PM]
"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [26/04/2008 03:31 AM]
"AVP"="D:\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [28/06/2007 12:51 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [30/03/2007 01:34 PM]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=0 (0x0)
"HideStartupScripts"=0 (0x0)
"DisableRegistryTools"=0 (0x0)
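The Run-key section of the scanner dump above is what the reviewer reads to check the autostart entries. As an added example (not part of this thread, the scanner, or the poster's log), here is a small Python parser for that dump layout that lists each Run entry and flags the ones an analyst would look at first: an empty command, or an entry whose bracketed file info is empty, which this example assumes means the scanner could not stamp or locate the file. The sample dump is constructed from a few lines in the same layout as the log above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the layout of the scanner's "Registry Dump" section
# (a few lines re-typed from the thread, not the poster's full log).
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [13/02/2006 11:05 PM]
"RTHDCPL"="RTHDCPL.EXE" [30/10/2006 07:49 PM C:\WINDOWS\RTHDCPL.exe]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Start WingMan Profiler"="" []
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 12:56 AM]
'''

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<cmd>[^"]*)" \[(?P<info>[^\]]*)\]$')
STAMP_RE = re.compile(r'^(\d{2}/\d{2}/\d{4} \d{2}:\d{2} [AP]M)(?: (.+))?$')

@dataclass
class RunEntry:
    key: str
    name: str
    command: str
    timestamp: Optional[str]      # None when the bracketed info was empty
    resolved_path: Optional[str]  # file the scanner stamped, if any

def parse_dump(text: str) -> List[RunEntry]:
    """Parse the Run-key lines of a dump into RunEntry records."""
    entries, key = [], ''
    for line in text.splitlines():
        line = line.strip()
        if m := KEY_RE.match(line):
            key = m.group(1)
            continue
        if not (m := ENTRY_RE.match(line)):
            continue  # blank lines and non-entry text are skipped
        stamp = STAMP_RE.match(m['info'])
        timestamp = stamp.group(1) if stamp else None
        # A path after the stamp means the command was a bare file name that
        # the scanner resolved; otherwise the command itself is the file.
        path = (stamp.group(2) or m['cmd']) if stamp else None
        entries.append(RunEntry(key, m['name'], m['cmd'], timestamp, path))
    return entries

def flag_entries(entries: List[RunEntry]) -> List[str]:
    """Names an analyst should check first: an empty command, or an entry
    whose file info is empty (assumed: scanner could not stamp the file)."""
    return [e.name for e in entries if not e.command or e.timestamp is None]
```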


  • Root Admin

Looks good. You can delete this folder and contents:
C:\MBHOLDING

Click on START - RUN and type in
ComboFix /u
and remove this application and its settings.

I would also delete the other tools as they could be dangerous if not properly used and also become out of date quickly:

IceSword, SDFIX, and HiJackThis. If you ever do need them again they're easily downloaded with up to date versions.

At this time I no longer see anything to indicate that your system is infected.

I believe you're already running a hosts file application but if not then please take a look at the following:
hpHosts
What is hpHosts?

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites.

  • Keep all your Security applications up to date and do scans at least once a week.
  • There is no single application out there that can scan and locate everything, as I think you've seen, so use at least a couple of anti-malware scanners as well as your anti-virus product to ensure your system is clean.
  • Look at using the following software which will help to protect you:
    • WinPatrol
    • FireFox
    • NoScript
    • Adblock Plus
  • Enable Microsoft Automatic Updates to perform the critical updates for Microsoft products for you.
  • As you've already been doing, review your Add/Remove programs and remove any applications that you no longer use or want, and look for updates to any programs that might require an update due to security issues, such as plugins for Internet Explorer.

Best of luck and let me know if you have any questions, and don't forget to tell your friends. Also, don't forget we offer Free PC support in the PC Help forum.

Well, I don't think there is any real way to thank you enough for the inordinate amount of time you've spent helping me clean this very insidious and difficult piece of malware. Suffice it to say that you are a bloody legend in my opinion, AdvancedSetup, and I would buy you a beer (or several) any day.

I'll go through and delete all the tools apart from the ones you recommended. Despite considering myself relatively computer-literate, some of them are downright frightening in their power & I'd hate to accidentally have them do something bad to my system. I'll get some serious system house-keeping done too. Kaspersky seems to be working well and gets very complimentary reviews at the moment.

Thanks again.
