WiredWX Hobby Weather Tools

 


virus/spyware/trojan or malware


[Solved] virus/spyware/trojan or malware
Hi,
Hopefully I'm posting this correctly.
Firstly, it's my laptop that has some sort of problem.
I'm running Windows XP.
It started off with Antivirus 2009, then Spyware Protect 2009, followed by Win32/Nuqel.E.
I cannot log onto the laptop in normal or selective startup.
I can start it in safe mode.
If I try safe mode with networking, then whatever I put into the search engine bar jumps to some other program to do with Spyware Protect.
I'm typing this on my son's PC as I cannot use the internet on the laptop and use is limited.
I read your terms and conditions.
I have registered on your system.
I have tried to install the latest Java and JavaRa and Adobe Reader 9 by copying them from my son's PC onto my laptop by card reader; however, when I try to install I get "system administrator has set policies to prevent this installation".
I have turned word wrap off in Notepad and have managed to get a HijackThis log file, as below.

Please can you help?
thanks in anticipation
Ade

Logfile of HijackThis v1.99.1
Scan saved at 11:59:28, on 07/02/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Ade\My Documents\AntiVirusStuff\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sky.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.sky.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided By Sky Broadband
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: (no name) - {CDBFB8EA-840A-4C3A-9E6D-0511BE8F909D} - C:\WINDOWS\system32\atkctr.dll
O2 - BHO: C:\WINDOWS\system32\rah3b8ffdnd.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rah3b8ffdnd.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ZCfgSvc.exe] C:\WINDOWS\system32\ZCfgSvc.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SMcfg] smcfg.exe -s
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe"
O4 - HKLM\..\Run: [Xziburowo] rundll32.exe "C:\WINDOWS\Bvuxoxihuvuwox.dll",e
O4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKLM\..\Run: [SystemTray Monitor] SysTraymon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" /hide
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [EPSON Stylus Photo RX685 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICJE.EXE /FU "C:\WINDOWS\TEMP\E_SC7.tmp" /EF "HKCU"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\Ade\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [TomTomHOME.exe] "C:\Program Files\TomTom HOME 2\HOMERunner.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [L08AXLRD_4183064] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [L08AXLRD_3587278] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [L08AXLRD_24200738] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [L08AXLRD_2356017] "C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" -m
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - Startup: ChkDisk.dll
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HotKeyDriver.lnk = C:\Program Files\HotKey_Driver\HotKeyDriver.exe
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Encarta Search Bar - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=http://www.Viglen.co.uk/
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} (NeroVersionCheckerControl Control) - http://www.nero.com/doc/NeroVersionCheckerControl.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: dimsntfy - %SystemRoot%\System32\dimsntfy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Sebring - C:\WINDOWS\system32\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: zppavayf - zppavayf32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\ISafe.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Indexing Service (cisvc) - Unknown owner - C:\WINDOWS\system32\cisvc.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logishrd\lvmvfm\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\system32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\system32\S24EvMon.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus\VetMsg.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Re: virus/spyware/trojan or malware
Hello.

  • Open HijackThis
  • Choose "Do a system scan only"
  • Check the boxes in front of these lines:


    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
    O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
    O2 - BHO: (no name) - {CDBFB8EA-840A-4C3A-9E6D-0511BE8F909D} - C:\WINDOWS\system32\atkctr.dll
    O2 - BHO: C:\WINDOWS\system32\rah3b8ffdnd.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rah3b8ffdnd.dll
    O4 - HKLM\..\Run: [Xziburowo] rundll32.exe "C:\WINDOWS\Bvuxoxihuvuwox.dll",e
    O4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\WINDOWS\TEMP\winlognn.exe
    O4 - HKCU\..\Run: [lrijh8s73jhbfgfd] C:\WINDOWS\TEMP\winlognn.exe
    O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\Ade\LOCALS~1\Temp\csrssc.exe
    O20 - Winlogon Notify: zppavayf - zppavayf32.dll (file missing)


  • Press "Fix Checked"
  • Close Hijack This.

Please download and run this tool.

Download Malwarebytes' Anti-Malware from Here

Double Click mbam-setup.exe to install the application.

  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.


Post the contents of the MBAM Log.
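The lines picked out for "Fix Checked" above share a few traits: a hosts entry that points a microsoft.com hostname at a non-loopback address, BHOs with no name (or whose name is just their own path), Run values with machine-generated names or that launch from a Temp directory, a rundll32 entry loading a DLL dropped straight into the Windows root, and a Winlogon Notify entry whose DLL is missing. As an added example, not code from the forum or from HijackThis, the Python below applies those heuristics to HijackThis lines. The sample input reuses lines from the log posted above with a few known-good lines mixed in; the rules and the vowel threshold in `looks_random` are my own assumptions, so the output is a review list for an analyst, not a verdict.

```python
import re

# Sample input: lines taken from the HijackThis log posted above (not constructed),
# with a few known-good lines mixed in so the heuristics have something to pass.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 195.245.119.131 browser-security.microsoft.com
O2 - BHO: (no name) - {CDBFB8EA-840A-4C3A-9E6D-0511BE8F909D} - C:\WINDOWS\system32\atkctr.dll
O2 - BHO: C:\WINDOWS\system32\rah3b8ffdnd.dll - {D5BF4552-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\rah3b8ffdnd.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [Xziburowo] rundll32.exe "C:\WINDOWS\Bvuxoxihuvuwox.dll",e
O4 - HKLM\..\Run: [lrijh8s73jhbfgfd] C:\WINDOWS\TEMP\winlognn.exe
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\Ade\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: zppavayf - zppavayf32.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
"""

HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
HOSTS = re.compile(r"^Hosts: (?P<ip>\S+) (?P<host>\S+)")
RUN_NAME = re.compile(r"\[(?P<name>[^\]]+)\]")
TEMP_DIR = re.compile(r"\\temp\\", re.IGNORECASE)
# A DLL directly under the Windows root (no subdirectory such as system32).
WINDOWS_ROOT_DLL = re.compile(r'"?[a-z]:\\windows\\[^\\"]+\.dll"?', re.IGNORECASE)


def looks_random(name: str) -> bool:
    """Heuristic (assumption): a Run value name that mixes letters and digits
    and has fewer than 30% vowels among its letters looks machine-generated."""
    letters = [c for c in name if c.isalpha()]
    digits = [c for c in name if c.isdigit()]
    if len(name) < 8 or not letters or not digits:
        return False
    vowels = sum(1 for c in letters if c.lower() in "aeiou")
    return vowels / len(letters) < 0.3


def triage(log_text: str) -> list:
    """Return one finding per suspicious line: {'section', 'line', 'reasons'}."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reasons = []
        if section == "O1":
            h = HOSTS.match(body)
            if h and h.group("ip") not in ("127.0.0.1", "::1"):
                reasons.append(f"hosts file redirects {h.group('host')} to {h.group('ip')}")
        elif section == "O2":
            # body is "BHO: <name> - {CLSID} - <path>"
            parts = body[len("BHO: "):].split(" - ")
            if len(parts) >= 3:
                name, path = parts[0], parts[-1]
                if name == "(no name)":
                    reasons.append("BHO has no name")
                elif name.lower() == path.lower():
                    reasons.append("BHO name is its own file path")
        elif section == "O4":
            n = RUN_NAME.search(body)
            name = n.group("name") if n else ""
            if TEMP_DIR.search(body):
                reasons.append("autostart runs from a Temp directory")
            if looks_random(name):
                reasons.append(f"autostart value name {name!r} looks machine-generated")
            if "rundll32" in body.lower() and WINDOWS_ROOT_DLL.search(body):
                reasons.append("rundll32 loads a DLL dropped directly in the Windows root")
        if section in ("R3", "O20") and (body.endswith("(no file)") or body.endswith("(file missing)")):
            reasons.append("entry points to a file that no longer exists")
        if reasons:
            findings.append({"section": section, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["line"])
        for r in f["reasons"]:
            print("    ->", r)
```

Run as a script it prints each flagged line with its reasons; `triage()` also takes a whole saved log. The missing-file rule will also catch benign leftovers (the `dimsntfy` Winlogon Notify entry in the same log, which was not selected for fixing, is one), which is why the output is a starting point for review rather than a fix list.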

Re: virus/spyware/trojan or malware
I have run the HijackThis scan and 'Fix Checked' the files mentioned; however, I cannot run Malwarebytes' Anti-Malware as the program will not start in safe mode.
I can only start the PC in this mode. When I launch XP normally it immediately logs off again.
I do hope you can help,
thanks
Ade

Re: virus/spyware/trojan or malware
Let's do a rootkit scan.

1. Please download The Avenger by Swandog46 to your Desktop
Link: HERE or HERE.

  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop
2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to delete:
C:\WINDOWS\system32\atkctr.dll
C:\WINDOWS\system32\rah3b8ffdnd.dll
C:\WINDOWS\Bvuxoxihuvuwox.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.

  • Under "Input script here:", paste in the script from the quote box above.
  • Leave the ticked box "Scan for rootkit" ticked.
  • Then tick "Disable any rootkits found"
  • Now click on the Execute to begin execution of the script.
  • Answer "Yes" twice when prompted.

    The Avenger will automatically do the following:

  • It will Restart your computer.
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
4. Please copy/paste the content of c:\avenger.txt into your reply.

Re: virus/spyware/trojan or malware
The process did exactly as you said.
When it rebooted it did not start normally and I had to press F8 again for safe mode; once I copied the avenger.txt file to the card reader I was able to transfer it to my son's PC, as below for your viewing,
thanks
Ade

Logfile of The Avenger Version 2.0, (c) by Swandog46
http://swandog46.geekstogo.com

Platform: Windows XP

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.

Hidden driver "TDSSserv.sys" found!
ImagePath: \systemroot\system32\drivers\TDSSmaxt.sys
Driver disabled successfully.

Rootkit scan completed.


Error: could not open file "C:\WINDOWS\system32\atkctr.dll"
Deletion of file "C:\WINDOWS\system32\atkctr.dll" failed!
Status: 0xc0000022 (STATUS_ACCESS_DENIED)

File "C:\WINDOWS\system32\rah3b8ffdnd.dll" deleted successfully.
File "C:\WINDOWS\Bvuxoxihuvuwox.dll" deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Re: virus/spyware/trojan or malware
Hello.
MBAM should work now, give it a try.

Re: virus/spyware/trojan or malware
So far so good. It did launch Malwarebytes; however, it wouldn't update in safe mode without networking. I restarted the laptop again in safe mode with networking and it did update. I immediately got warnings from Windows Security Alert about a virus (BankerFox.A).
Anyway, I ran Malwarebytes and it found 28 objects infected. You were right, some could not be removed unless the PC was restarted. I have done this in safe mode without networking. Found the log created by Malwarebytes as below.
Thanks once again
Ade

Malwarebytes' Anti-Malware 1.33
Database version: 1738
Windows 5.1.2600 Service Pack 3

08/02/2009 15:57:48
mbam-log-2009-02-08 (15-57-48).txt

Scan type: Quick Scan
Objects scanned: 61458
Time elapsed: 4 minute(s), 52 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 7
Registry Values Infected: 8
Registry Data Items Infected: 6
Folders Infected: 1
Files Infected: 28

Memory Processes Infected:
C:\WINDOWS\Temp\rdlB9.tmp (Trojan.Downloader) -> Unloaded process successfully.
C:\WINDOWS\Temp\rdlBA.tmp (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c9c42510-9b21-41c1-9dcd-8382a2d07c61} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\protect (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\tdssdata (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\tdss (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysguard (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\autochk (Trojan.Opachki) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{d5bf4552-94f1-42bd-f434-3604812c807d} (Adware.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\xziburowo (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bf (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\bk (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\iu (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Settings\mu (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\pdbcopy.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\pdbcopy.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\7z.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\7z.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Microsoft Common (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\iehelper.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\sysguard.exe (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdlB9.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdlBA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSScfum.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSfxwp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSofxh.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSriqp.dll (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\protect.sys (Trojan.NtRootkit.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\TDSSmaxt.sys (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ade\Start Menu\Programs\Startup\ChkDisk.dll (Trojan.Opachki) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl92.tmp (Trojan.Hiloti) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl9B.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\rdl9F.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS2802.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Program Files\Microsoft Common\svchost.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\Bvuxoxihuvuwox.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pdbcopy.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\7z.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vmware-ufad.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Ade\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\TDSS26c1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\ntdll64.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\mousehook.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\winlognn.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\csrssc.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSbubx.log (Trojan.TDSS) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\TDSSnmxh.dll (Rootkit.Agent) -> Quarantined and deleted successfully.
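Two items in that log deserve more than a glance at "Quarantined and deleted": the Winlogon `Userinit` value had `c:\windows\system32\pdbcopy.exe` and `c:\windows\system32\7z.exe` chained after `userinit.exe`, and an Image File Execution Options key existed for `explorer.exe`. Winlogon runs every program listed in `Userinit` at each logon, and a `Debugger` value under an IFEO key makes Windows launch that program in place of the image it names, so both are persistence points that outlive the deletion of a single malware file. As an added example, not code from the forum or from MBAM, the Python below audits those values. The sample values are constructed from the paths in the log (the page does not say what the IFEO `Debugger` value was, so that one is a placeholder), the expected defaults are the Windows XP defaults, and the live-registry reader only runs on Windows.

```python
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
IFEO_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"


def split_entries(value: str) -> list:
    """Split a comma-separated Winlogon value; the empty item after the
    trailing comma that a default Userinit carries is dropped."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def normalize_path(entry: str, windir: str = r"C:\WINDOWS") -> str:
    r"""Lower-case an entry and resolve %SystemRoot% or a relative path
    (such as system32\userinit.exe) against the Windows directory."""
    p = entry.strip().strip('"').lower()
    p = p.replace("%systemroot%", windir.lower())
    if not (len(p) > 1 and p[1] == ":"):
        p = windir.lower() + "\\" + p.lstrip("\\")
    return p


def audit_userinit(value: str, windir: str = r"C:\WINDOWS") -> list:
    r"""Return every Userinit entry other than the system userinit.exe.
    The XP default is 'C:\WINDOWS\system32\userinit.exe,' and nothing else."""
    expected = normalize_path(r"system32\userinit.exe", windir)
    return [e for e in split_entries(value) if normalize_path(e, windir) != expected]


def audit_shell(value: str) -> list:
    """Return every Shell entry other than explorer.exe (the XP default)."""
    return [e for e in split_entries(value) if e.lower() != "explorer.exe"]


def audit_ifeo(debuggers: dict) -> list:
    """debuggers maps image name -> Debugger value found under its IFEO key.
    Any Debugger value means that program runs instead of the image; on a
    home machine none is expected, so every non-empty entry is reported."""
    return [(image, dbg) for image, dbg in debuggers.items() if dbg]


def read_live_values():
    """On Windows, read the live Winlogon values and IFEO Debugger entries;
    elsewhere return None so the module still imports and runs."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as k:
        userinit = winreg.QueryValueEx(k, "Userinit")[0]
        shell = winreg.QueryValueEx(k, "Shell")[0]
    debuggers = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, IFEO_KEY) as ifeo:
        i = 0
        while True:
            try:
                image = winreg.EnumKey(ifeo, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(ifeo, image) as sub:
                    debuggers[image] = winreg.QueryValueEx(sub, "Debugger")[0]
            except OSError:
                pass  # no Debugger value under this image: the normal case
    return userinit, shell, debuggers


if __name__ == "__main__":
    # Constructed sample values, built from the paths MBAM reported in the log above.
    hijacked_userinit = (r"c:\windows\system32\userinit.exe,"
                         r"c:\windows\system32\pdbcopy.exe,c:\windows\system32\7z.exe,")
    print("extra Userinit programs:", audit_userinit(hijacked_userinit))
    print("extra Shell programs:", audit_shell(r"Explorer.exe,C:\WINDOWS\sysguard.exe"))
    # Placeholder Debugger value: the log only shows that the explorer.exe key existed.
    print("IFEO debuggers:", audit_ifeo({"explorer.exe": r"C:\PLACEHOLDER\debugger.exe",
                                         "notepad.exe": ""}))
    live = read_live_values()
    if live:
        userinit, shell, debuggers = live
        print("live:", audit_userinit(userinit), audit_shell(shell), audit_ifeo(debuggers))
```

Anything `audit_userinit` or `audit_shell` returns is a program that will start at every logon regardless of what the Run keys contain, so it is worth checking after a cleanup like the one above even when the scanner reports the value as fixed.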

Re: virus/spyware/trojan or malware
Let's make sure it's gone now.


  • Please download DDS by sUBs to your Desktop (Important!!) from one of these locations:
    Link 1
    Link 2
    Link 3
  • Double click DDS.scr to run
  • When complete, DDS.txt will open.
  • Save the report to your Desktop.
  • Copy and paste DDS.txt back here, I don't need to see attach.txt.

Re: virus/spyware/trojan or malware
Well I thought things were going well.
I mentioned earlier I was unable to use the laptop to post this as the internet would not launch, nor would normal startup; well, with me transferring the data for your viewing from the laptop to my son's PC via card reader, the spyware virus has transferred via the card reader to my son's PC.
I ran Malwarebytes on it as I had it downloaded and all seems well with my son's PC (so far).
Anyway, that'll be another issue later; back to my PC, and I managed to get the DDS.txt log as below,
thanks again
Ade
PS: the posted message was too big; it's continued below.


DDS (Ver_09-01-07.01) - NTFSx86 MINIMAL
Run by Ade at 16:35:44.95 on 08/02/2009
Internet Explorer: 7.0.5730.11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.44.1033.18.991.769 [GMT 0:00]

AV: eTrust EZ Antivirus *On-access scanning enabled* (Updated)
FW: eTrust EZ Firewall *enabled*

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe -k netsvcs
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Ade\Desktop\dds.com

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.sky.com
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uWindow Title = Internet Explorer Provided By Sky Broadband
uDefault_Page_URL = hxxp://www.sky.com
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
BHO: {cdbfb8ea-840a-4c3a-9e6d-0511be8f909d} - c:\windows\system32\atkctr.dll
TB: &Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar.dll
TB: {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - No File
TB: {C4069E3A-68F1-403E-B40E-20066696354B} - No File
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [EPSON Stylus Photo RX685 Series] c:\windows\system32\spool\drivers\w32x86\3\e_faticje.exe /fu "c:\windows\temp\E_SC7.tmp" /EF "HKCU"
uRun: [TomTomHOME.exe] "c:\program files\tomtom home 2\HOMERunner.exe"
uRun: [IDMan] c:\program files\internet download manager\IDMan.exe /onboot
uRun: [updateMgr] "c:\program files\adobe\acrobat 7.0\reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
uRun: [swg] c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe
uRun: [MSMSGS] "c:\program files\messenger\msmsgs.exe" /background
uRun: [L08AXLRD_4183064] "c:\program files\microsoft student\microsoft student with encarta premium 2008 dvd\EDICT.EXE" -m
uRun: [L08AXLRD_3587278] "c:\program files\microsoft student\microsoft student with encarta premium 2008 dvd\EDICT.EXE" -m
uRun: [L08AXLRD_24200738] "c:\program files\microsoft student\microsoft student with encarta premium 2008 dvd\EDICT.EXE" -m
uRun: [L08AXLRD_2356017] "c:\program files\microsoft student\microsoft student with encarta premium 2008 dvd\EDICT.EXE" -m
mRun: [ZCfgSvc.exe] c:\windows\system32\ZCfgSvc.exe
mRun: [SynTPLpr] c:\program files\synaptics\syntp\SynTPLpr.exe
mRun: [SynTPEnh] c:\program files\synaptics\syntp\SynTPEnh.exe
mRun: [SMcfg] smcfg.exe -s
mRun: [PRONoMgr.exe] c:\program files\intel\prosetwireless\ncs\proset\PRONoMgr.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [igfxhkcmd] c:\windows\system32\hkcmd.exe
mRun: [igfxpers] c:\windows\system32\igfxpers.exe
mRun: [HotKeysCmds] c:\windows\system32\hkcmd.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre1.6.0_02\bin\jusched.exe"
mRun: [Sony Ericsson PC Suite] "c:\program files\sony ericsson\mobile2\application launcher\Application Launcher.exe" /startoptions
mRun: [RoxioEngineUtility] "c:\program files\common files\roxio shared\system\EngUtil.exe"
mRun: [!AVG Anti-Spyware] "c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe" /minimized
mRun: [Zone Labs Client] "c:\program files\ca\etrust ez armor\etrust ez firewall\ca.exe"
mRun: [RoxioDragToDisc] "c:\program files\roxio\easy cd creator 6\dragtodisc\DrgToDsc.exe"
mRun: [RemoteControl] "c:\program files\cyberlink\powerdvd\PDVDServ.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [NeroFilterCheck] c:\windows\system32\NeroCheck.exe
mRun: [LogitechQuickCamRibbon] "c:\program files\logitech\quickcam10\QuickCam10.exe" /hide
mRun: [iTunesHelper] "c:\program files\itunes\iTunesHelper.exe"
mRun: [GrooveMonitor] "c:\program files\microsoft office\office12\GrooveMonitor.exe"
mRun: [ccApp] "c:\program files\common files\symantec shared\ccApp.exe"
mRun: [CAVRID] "c:\program files\ca\etrust ez armor\etrust ez antivirus\CAVRID.exe"
mRun: [CaAvTray] "c:\program files\ca\etrust ez armor\etrust ez antivirus\CAVTray.exe"
mRun: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
mRun: [AppleSyncNotifier] c:\program files\common files\apple\mobile device support\bin\AppleSyncNotifier.exe
mRun: [Xziburowo] rundll32.exe "c:\windows\Bvuxoxihuvuwox.dll",e
mRunOnce: [Cleanup] C:\cleanup.exe
mRunOnce: [Malwarebytes' Anti-Malware] c:\program files\malwarebytes' anti-malware\mbamgui.exe /install /silent
mRunOnce: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
dRun: [CTFMON.EXE] c:\windows\system32\CTFMON.EXE
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\hotkey~1.lnk - c:\program files\hotkey_driver\HotKeyDriver.exe
dPolicies-explorer: NoSetActiveDesktop = 1 (0x1)
dPolicies-explorer: NoActiveDesktopChanges = 1 (0x1)
IE: Download all links with IDM - c:\program files\internet download manager\IEGetAll.htm
IE: Download FLV video content with IDM - c:\program files\internet download manager\IEGetVL.htm
IE: Download with IDM - c:\program files\internet download manager\IEExt.htm
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBC} - c:\program files\java\jre1.6.0_02\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - {552781AF-37E4-4FEE-920A-CED9E648EADD} - c:\program files\common files\microsoft shared\encarta search bar\ENCSBAR.DLL
Handler: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - c:\program files\microsoft office\office12\GrooveSystemServices.dll
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
Notify: igfxcui - igfxsrvc.dll
Notify: Sebring - c:\windows\system32\LgNotify.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: Groove GFS Stub Execution Hook: {b5a7f190-dda6-4420-b3ba-52453494e6cd} - c:\program files\microsoft office\office12\GrooveShellExtensions.dll
SEH: Windows Desktop Search Namespace Manager: {56f9679e-7826-4c84-81f3-532071a8bcc5} - c:\program files\windows desktop search\MSNLNamespaceMgr.dll
SEH: CShellExecuteHookImpl Object: {57b86673-276a-48b2-bae7-c6dbb3020eb8} - c:\program files\grisoft\avg anti-spyware 7.5\shellexecutehook.dll

============= SERVICES / DRIVERS ===============

Re: virus/spyware/trojan or malware

R0 gchkihsb;gchkihsb;c:\windows\system32\drivers\gchkihsb.sys [2004-9-16 23424]
R1 AvgAsCln;AVG Anti-Spyware Clean Driver;c:\windows\system32\drivers\AvgAsCln.sys [2007-11-22 10872]
R1 VETFDDNT;VET Floppy Boot Sector Monitor;c:\windows\system32\drivers\VetFDDNT.sys [2009-2-5 15671]
R4 AVG Anti-Spyware Guard;AVG Anti-Spyware Guard;c:\program files\grisoft\avg anti-spyware 7.5\guard.exe [2007-5-30 312880]
S0 ati1chxx;ati1chxx;c:\windows\system32\drivers\ati1chxx.sys [2009-2-3 32768]
S0 ati7hkxx;ati7hkxx;c:\windows\system32\drivers\ati7hkxx.sys [2009-2-3 32768]
S1 AVG Anti-Spyware Driver;AVG Anti-Spyware Driver;c:\program files\grisoft\avg anti-spyware 7.5\guard.sys [2007-5-30 11000]
S1 ethacyss;ethacyss;c:\windows\system32\drivers\ethacyss.sys [2009-2-2 137280]
S1 VET-FILT;VET File System Filter;c:\windows\system32\drivers\Vet-Filt.sys [2009-2-5 21031]
S1 VET-REC;VET File System Recognizer;c:\windows\system32\drivers\Vet-Rec.sys [2009-2-5 15478]
S1 VETEFILE;VET File Scan Engine;c:\windows\system32\drivers\VetEFile.sys [2009-2-5 879832]
S1 VETMONNT;VET File Monitor;c:\windows\system32\drivers\vetmonnt.sys [2009-2-6 26787]
S1 vsdatant;vsdatant;c:\windows\system32\vsdatant.sys [2009-2-5 271792]
S3 ggflt;SEMC USB Flash Driver Filter;c:\windows\system32\drivers\ggflt.sys [2007-11-9 13352]
S3 pmxscan;USB USB FlatBed Scanner Driver;c:\windows\system32\drivers\usbscan.sys [2006-6-9 15104]
S3 Unilocator;Unilocator;c:\windows\system32\LOCATRNT.EXE [1996-9-30 138240]
S3 VETEBOOT;VET Boot Scan Engine;c:\windows\system32\drivers\VetEBoot.sys [2009-2-5 108360]
S4 CAISafe;CAISafe;c:\program files\ca\etrust ez armor\etrust ez antivirus\iSafe.exe [2009-2-5 259184]
S4 ccEvtMgr;Symantec Event Manager;c:\program files\common files\symantec shared\ccEvtMgr.exe [2005-9-17 192112]
S4 ccSetMgr;Symantec Settings Manager;c:\program files\common files\symantec shared\ccSetMgr.exe [2005-9-17 169584]
S4 VETMSGNT;VET Message Service;c:\program files\ca\etrust ez armor\etrust ez antivirus\VetMsg.exe [2009-2-5 197744]
S4 vsmon;TrueVector Internet Monitor;c:\windows\system32\zonelabs\vsmon.exe -service --> c:\windows\system32\zonelabs\vsmon.exe -service [?]

=============== Created Last 30 ================

2009-02-08 15:50 78,613 a------- c:\windows\system32\B8.tmp
2009-02-08 15:50 67,585 a------- c:\windows\system32\B7.tmp
2009-02-08 15:50 168 a------- c:\windows\system32\B6.tmp
2009-02-08 15:48 5,613 a------- c:\windows\system32\B5.tmp
2009-02-08 15:48 67,585 a------- c:\windows\system32\B4.tmp
2009-02-08 15:48 168 a------- c:\windows\system32\B3.tmp
2009-02-08 15:43 15,504 a------- c:\windows\system32\drivers\mbam.sys
2009-02-08 15:43 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2009-02-08 15:43 --d----- c:\program files\Malwarebytes' Anti-Malware
2009-02-08 08:39 471,876 a------- C:\zip.exe
2009-02-08 08:39 19,286 a------- C:\cleanup.exe
2009-02-08 08:39 574 a------- C:\cleanup.bat
2009-02-07 09:49 --d----- c:\windows\Internet Logs
2009-02-06 18:46 26,787 a------- c:\windows\system32\drivers\vetmonnt.sys
2009-02-06 18:44 441 a------- c:\windows\system32\TDSSnrsr.dat
2009-02-05 21:29 --d----- c:\program files\CA
2009-02-05 07:13 32,768 a---h--- c:\documents and settings\ade\aajcv.exe
2009-02-05 07:13 66,560 ----h--- c:\windows\system32\secupdat.dat
2009-02-05 07:12 162,628 a------- c:\windows\system32\20.tmp
2009-02-05 07:12 88 a------- c:\windows\system32\1F.tmp
2009-02-05 07:10 616 a------- c:\windows\system32\1E.tmp
2009-02-05 07:09 162,628 a------- c:\windows\system32\1A.tmp
2009-02-05 07:09 88 a------- c:\windows\system32\18.tmp
2009-02-04 20:45 67 a------- C:\Ntf14.tmp
2009-02-04 20:45 67 a------- C:\Ntf13.tmp
2009-02-04 18:03 67 a------- C:\Ntf12.tmp
2009-02-04 18:03 67 a------- C:\Ntf11.tmp
2009-02-04 17:50 96,256 a------- c:\windows\system32\atkctr.dll
2009-02-04 17:49 67 a------- C:\NtfF.tmp
2009-02-04 17:49 67 a------- C:\Ntf10.tmp
2009-02-03 19:42 1,333,698 a------- C:\NtfD.tmp
2009-02-03 19:42 67 a------- C:\NtfE.tmp
2009-02-03 19:22 1,135,405 a------- C:\NtfB.tmp
2009-02-03 19:22 67 a------- C:\NtfC.tmp
2009-02-03 18:42 32,768 a------- c:\windows\system32\drivers\ati7hkxx.sys
2009-02-03 18:42 1,030,621 a------- C:\Ntf9.tmp
2009-02-03 18:42 67 a------- C:\NtfA.tmp
2009-02-03 16:57 0 a------- c:\windows\system32\10.tmp
2009-02-03 16:57 820,981 a------- C:\Ntf7.tmp
2009-02-03 16:57 67 a------- C:\Ntf8.tmp
2009-02-03 13:55 67 a------- C:\Ntf6.tmp
2009-02-03 13:55 67 a------- C:\Ntf5.tmp
2009-02-03 13:15 88,790 a------- c:\windows\system32\11.tmp
2009-02-03 13:13 67 a------- C:\Ntf4.tmp
2009-02-03 13:13 67 a------- C:\Ntf3.tmp
2009-02-03 12:58 0 a------- c:\windows\system32\19.tmp
2009-02-03 12:55 136,990 a------- c:\windows\system32\17.tmp
2009-02-03 12:54 8,510 a------- c:\windows\system32\13.tmp
2009-02-03 06:56 16,896 a------- c:\windows\system32\zppavayf.dll
2009-02-03 06:48 32,768 a------- c:\windows\system32\drivers\ati1chxx.sys
2009-02-03 06:48 527 a------- c:\windows\system32\win32hlp.cnf
2009-02-02 22:04 --d----- c:\program files\TomTom DesktopSuite
2009-02-02 21:36 137,280 a------- c:\windows\system32\drivers\ethacyss.sys
2009-02-02 21:31 5 a------- c:\windows\_id.dat
2009-02-02 21:31 124 a------- c:\windows\adobe.bat
2009-02-02 21:30 64,512 a------- c:\windows\system32\res2coff.exe
2009-02-02 19:32 128,306 a------- c:\windows\system32\126_av.exe
2009-02-02 19:08 --d----- c:\docume~1\ade\applic~1\Malwarebytes
2009-02-02 19:08 --d----- c:\docume~1\alluse~1\applic~1\Malwarebytes
2009-02-02 18:58 0 a------- c:\windows\system32\20B.tmp
2009-02-02 17:11 --dsh--- c:\windows\system32\twain32
2009-02-02 17:02 67 a------- C:\Ntf2.tmp
2009-02-02 17:02 67 a------- C:\Ntf1.tmp
2009-02-02 07:18 --d----- c:\program files\common files\Download Manager
2009-02-01 22:43 61,440 a------- c:\windows\system32\chert13-303374.exe
2009-02-01 22:36 1 a------- c:\windows\system32\uniq.tll
2009-02-01 22:36 43,520 a------- c:\windows\system32\303374.exe
2009-01-18 18:32 --d----- c:\program files\common files\Adobe Systems Shared
2009-01-11 21:35 --d----- c:\docume~1\ade\applic~1\HandBrake
2009-01-11 21:25 --d----- c:\program files\HandBrake
2009-01-11 21:07 --d----- c:\docume~1\ade\applic~1\AVS4YOU
2009-01-11 21:07 --d----- c:\docume~1\alluse~1\applic~1\AVS4YOU
2009-01-11 21:05 --d----- c:\program files\common files\AVSMedia
2009-01-11 21:05 24,576 a------- c:\windows\system32\msxml3a.dll
2009-01-11 21:05 --d----- c:\program files\AVS4YOU

==================== Find3M ====================

2009-02-06 18:45 879,832 a------- c:\windows\system32\drivers\VetEFile.sys
2009-02-06 18:45 108,360 a------- c:\windows\system32\drivers\VetEBoot.sys
2009-02-05 21:29 4,212 -c--h--- c:\windows\system32\zllictbl.dat
2009-02-05 21:29 115,824 a------- c:\windows\UnVet32.exe
2009-02-05 21:29 107,632 a------- c:\windows\AVShlExt.dll
2009-02-05 21:29 74,864 a------- c:\windows\system32\VetRedir.dll
2009-02-05 21:29 21,031 a------- c:\windows\system32\drivers\Vet-Filt.sys
2009-02-05 21:29 15,671 a------- c:\windows\system32\drivers\VetFDDNT.sys
2009-02-05 21:29 15,478 a------- c:\windows\system32\drivers\Vet-Rec.sys
2009-02-05 07:12 14,336 a------- c:\windows\system32\svchost.exe
2009-02-02 07:20 142,848 a------- c:\windows\system32\userinit.exe
2009-01-03 17:47 10,344 a------- c:\windows\system32\drivers\symlcbrd.sys
2008-12-13 06:40 3,593,216 a------- c:\windows\system32\dllcache\mshtml.dll
2008-12-12 11:18 87,336 a------- c:\windows\system32\dns-sd.exe
2008-12-12 11:11 61,440 a------- c:\windows\system32\dnssd.dll
2008-12-11 10:57 333,952 a------- c:\windows\system32\drivers\srv.sys
2008-12-11 10:57 333,952 a------- c:\windows\system32\dllcache\srv.sys
2008-12-11 00:33 200,704 a------- c:\windows\system32\dtu100.dll
2008-12-11 00:33 86,016 a------- c:\windows\system32\dpl100.dll
2008-12-09 02:28 593,920 a------- c:\windows\system32\dpuGUI11.dll
2008-12-09 02:28 344,064 a------- c:\windows\system32\dpus11.dll
2008-12-09 02:28 294,912 a------- c:\windows\system32\dpu11.dll
2008-12-09 02:28 57,344 a------- c:\windows\system32\dpv11.dll
2008-05-23 09:05 87,608 ac------ c:\docume~1\ade\applic~1\inst.exe
2008-05-23 09:05 47,360 ac------ c:\docume~1\ade\applic~1\pcouffin.sys
2007-01-10 10:42 52,400 ac------ c:\docume~1\ade\applic~1\GDIPFONTCACHEV1.DAT

============= FINISH: 16:36:28.23 ===============

Re: virus/spyware/trojan or malware

Hello.
Some of your legit files are patched, do you have your XP disc?


  • Download combofix from here combofix.exe
  • Please disable your local AV (Anti-virus) by right clicking its icon in the tray, and exit it. See HERE for how to disable your AV.
  • Double click on ComboFix.exe.
  • Follow the prompts. NOTE:
  • ComboFix will check to see if the Microsoft Windows Recovery Console is installed.
    ***It's strongly recommended to have the Recovery Console installed before doing any malware removal.***

    **Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will automatically proceed with its scan.


  • The Recovery Console provides a recovery/repair mode should a problem occur during a Combofix run.
  • Allow ComboFix to download the Recovery Console.
  • Accept the End-User License Agreement.
  • The Recovery Console will be installed.
  • You will then get this next prompt that asks if you want to continue the malware scan, select yes
  • Allow combofix to run
  • Post C:\combofix.txt back here.

    Note:
    Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Re: virus/spyware/trojan or malware

WOW- I'm already amazed. The laptop did exactly as you said.

I haven't got the XP disc as it was pre-installed when purchased. I do have a recovery disc.
I am reluctant to reboot as I have many family photos on the laptop.

It rebooted normally.
Here is the C:\combofix.txt log, in two posts:

ComboFix 09-02-07.01 - Ade 2009-02-08 19:42:57.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.991.762 [GMT 0:00]
Running from: C:\Documents and Settings\Ade\Desktop\Combo-Fix.exe
FW: eTrust EZ Firewall *enabled*
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Ade\Application Data\inst.exe
C:\WINDOWS\system32\3.tmp
C:\WINDOWS\system32\303374.exe
C:\WINDOWS\system32\4.tmp
C:\WINDOWS\system32\drivers\protect.sys
C:\WINDOWS\system32\TDSSnrsr.dat
C:\WINDOWS\system32\TDSSosvd.dat
C:\WINDOWS\system32\zppavayf.dll
E:\autorun.inf
.
---- Previous Run -------
.
C:\WINDOWS\system32\uniq.tll
C:\WINDOWS\system32\win32hlp.cnf
C:\WINDOWS\system32\zlbw.dll

C:\WINDOWS\system32\userinit.exe . . . is infected!!

C:\WINDOWS\system32\svchost.exe . . . is infected!!

C:\WINDOWS\system32\spoolsv.exe . . . is infected!!

C:\WINDOWS\explorer.exe . . . is infected!!

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_FCI
-------\Legacy_ICF
-------\Legacy_PROTECT
-------\Legacy_TDSSSERV.SYS
-------\Service_Passthru
-------\Service_protect
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-08 to 2009-02-08 )))))))))))))))))))))))))))))))
.

2009-02-08 19:47 . 2009-02-08 19:47 67,585 --a------ C:\WINDOWS\system32\1C.tmp
2009-02-08 19:47 . 2009-02-08 19:47 168 --a------ C:\WINDOWS\system32\1B.tmp
2009-02-08 19:47 . 2009-02-08 19:48 0 --a------ C:\WINDOWS\system32\1D.tmp
2009-02-08 19:46 . 2009-02-08 19:46 67 --a------ C:\Ntf16.tmp
2009-02-08 19:46 . 2009-02-08 19:46 67 --a------ C:\Ntf15.tmp
2009-02-08 19:38 . 2009-02-08 19:38 64,512 --a------ C:\WINDOWS\system32\idag.exe
2009-02-08 19:38 . 2009-02-08 19:38 168 --a------ C:\WINDOWS\system32\2.tmp
2009-02-08 15:50 . 2009-02-08 15:51 78,613 --a------ C:\WINDOWS\system32\B8.tmp
2009-02-08 15:50 . 2009-02-08 15:50 67,585 --a------ C:\WINDOWS\system32\B7.tmp
2009-02-08 15:50 . 2009-02-08 15:50 168 --a------ C:\WINDOWS\system32\B6.tmp
2009-02-08 15:48 . 2009-02-08 15:48 67,585 --a------ C:\WINDOWS\system32\B4.tmp
2009-02-08 15:48 . 2009-02-08 15:48 5,613 --a------ C:\WINDOWS\system32\B5.tmp
2009-02-08 15:48 . 2009-02-08 15:48 168 --a------ C:\WINDOWS\system32\B3.tmp
2009-02-08 15:43 . 2009-02-08 15:43 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2009-02-08 15:43 . 2009-01-14 16:11 38,496 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2009-02-08 15:43 . 2009-01-14 16:11 15,504 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2009-02-07 09:49 . 2009-02-07 10:56 d-------- C:\WINDOWS\Internet Logs
2009-02-05 21:29 . 2009-02-05 21:29 d-------- C:\Program Files\CA
2009-02-05 07:13 . 2009-02-05 07:13 66,560 ---h----- C:\WINDOWS\system32\secupdat.dat
2009-02-05 07:13 . 2009-02-05 07:13 32,768 --ah----- C:\Documents and Settings\Ade\aajcv.exe
2009-02-05 07:12 . 2009-02-05 07:12 162,628 --a------ C:\WINDOWS\system32\20.tmp
2009-02-05 07:12 . 2009-02-05 07:12 88 --a------ C:\WINDOWS\system32\1F.tmp
2009-02-05 07:10 . 2009-02-05 07:10 616 --a------ C:\WINDOWS\system32\1E.tmp
2009-02-05 07:09 . 2009-02-05 07:09 162,628 --a------ C:\WINDOWS\system32\1A.tmp
2009-02-05 07:09 . 2009-02-05 07:09 88 --a------ C:\WINDOWS\system32\18.tmp
2009-02-04 20:45 . 2009-02-04 20:45 67 --a------ C:\Ntf14.tmp
2009-02-04 20:45 . 2009-02-04 20:45 67 --a------ C:\Ntf13.tmp
2009-02-04 18:03 . 2009-02-04 18:03 67 --a------ C:\Ntf12.tmp
2009-02-04 18:03 . 2009-02-04 18:03 67 --a------ C:\Ntf11.tmp
2009-02-04 17:50 . 2004-08-04 13:00 96,256 --a------ C:\WINDOWS\system32\atkctr.dll
2009-02-04 17:49 . 2009-02-04 17:49 67 --a------ C:\NtfF.tmp
2009-02-04 17:49 . 2009-02-04 17:49 67 --a------ C:\Ntf10.tmp
2009-02-03 19:42 . 2009-02-03 20:13 1,333,698 --a------ C:\NtfD.tmp
2009-02-03 19:42 . 2009-02-03 19:42 67 --a------ C:\NtfE.tmp
2009-02-03 19:22 . 2009-02-03 19:41 1,135,405 --a------ C:\NtfB.tmp
2009-02-03 19:22 . 2009-02-03 19:22 67 --a------ C:\NtfC.tmp
2009-02-03 18:42 . 2009-02-03 19:21 1,030,621 --a------ C:\Ntf9.tmp
2009-02-03 18:42 . 2009-02-05 16:25 32,768 --a------ C:\WINDOWS\system32\drivers\ati7hkxx.sys
2009-02-03 18:42 . 2009-02-03 18:42 67 --a------ C:\NtfA.tmp
2009-02-03 16:57 . 2009-02-03 18:40 820,981 --a------ C:\Ntf7.tmp
2009-02-03 16:57 . 2009-02-03 16:57 67 --a------ C:\Ntf8.tmp
2009-02-03 16:57 . 2009-02-03 16:57 0 --a------ C:\WINDOWS\system32\10.tmp
2009-02-03 13:55 . 2009-02-03 13:55 67 --a------ C:\Ntf6.tmp
2009-02-03 13:55 . 2009-02-03 13:55 67 --a------ C:\Ntf5.tmp
2009-02-03 13:15 . 2009-02-03 13:15 88,790 --a------ C:\WINDOWS\system32\11.tmp
2009-02-03 13:13 . 2009-02-03 13:14 67 --a------ C:\Ntf4.tmp
2009-02-03 13:13 . 2009-02-03 13:14 67 --a------ C:\Ntf3.tmp
2009-02-03 12:58 . 2009-02-03 12:58 0 --a------ C:\WINDOWS\system32\19.tmp
2009-02-03 12:55 . 2009-02-03 12:56 136,990 --a------ C:\WINDOWS\system32\17.tmp
2009-02-03 12:54 . 2009-02-03 12:55 8,510 --a------ C:\WINDOWS\system32\13.tmp
2009-02-03 06:48 . 2009-02-03 17:36 32,768 --a------ C:\WINDOWS\system32\drivers\ati1chxx.sys
2009-02-02 22:04 . 2009-02-02 22:04 d-------- C:\Program Files\TomTom DesktopSuite
2009-02-02 21:36 . 2009-02-05 07:09 137,280 --a------ C:\WINDOWS\system32\drivers\ethacyss.sys
2009-02-02 21:31 . 2009-02-03 20:17 124 --a------ C:\WINDOWS\adobe.bat
2009-02-02 21:31 . 2009-02-02 21:31 5 --a------ C:\WINDOWS\_id.dat
2009-02-02 21:30 . 2009-02-02 21:30 64,512 --a------ C:\WINDOWS\system32\res2coff.exe
2009-02-02 19:32 . 2009-02-02 19:32 128,306 --a------ C:\WINDOWS\system32\126_av.exe
2009-02-02 19:08 . 2009-02-02 19:08 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2009-02-02 19:08 . 2009-02-02 19:08 d-------- C:\Documents and Settings\Ade\Application Data\Malwarebytes
2009-02-02 18:58 . 2009-02-02 18:58 0 --a------ C:\WINDOWS\system32\20B.tmp
2009-02-02 17:12 . 2009-02-02 17:12 22,016 --ahs---- C:\WINDOWS\system32\config\systemprofile\protect.dll
2009-02-02 17:11 . 2009-02-05 07:13 d--hs---- C:\WINDOWS\system32\twain32
2009-02-02 17:02 . 2009-02-02 17:02 67 --a------ C:\Ntf2.tmp
2009-02-02 17:02 . 2009-02-02 17:02 67 --a------ C:\Ntf1.tmp
2009-02-02 07:18 . 2009-02-02 07:18 d-------- C:\Program Files\Common Files\Download Manager
2009-02-01 22:43 . 2009-02-01 22:43 61,440 --a------ C:\WINDOWS\system32\chert13-303374.exe
2009-01-18 18:33 . 2009-01-18 18:33 d-------- C:\Documents and Settings\All Users\Application Data\Macrovision
2009-01-18 18:32 . 2009-01-18 18:32 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2009-01-11 21:35 . 2009-01-11 21:35 d-------- C:\Documents and Settings\Ade\Application Data\HandBrake
2009-01-11 21:25 . 2009-01-11 21:25 d-------- C:\Program Files\HandBrake
2009-01-11 21:07 . 2009-01-11 21:07 d-------- C:\Documents and Settings\All Users\Application Data\AVS4YOU
2009-01-11 21:07 . 2009-01-11 21:07 d-------- C:\Documents and Settings\Ade\Application Data\AVS4YOU
2009-01-11 21:05 . 2009-02-04 18:28 d-------- C:\Program Files\Common Files\AVSMedia
2009-01-11 21:05 . 2009-02-04 18:28 d-------- C:\Program Files\AVS4YOU
2009-01-11 21:05 . 2007-02-27 18:36 24,576 --a------ C:\WINDOWS\system32\msxml3a.dll

Last edited by Ade3277 on 8th February 2009, 8:07 pm; edited 1 time in total

Re: virus/spyware/trojan or malware

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-08 19:48 --------- d-----w C:\Documents and Settings\Ade\Application Data\DMCache
2009-02-08 19:47 18,944 ---ha-w C:\WINDOWS\system32\drivers\protect.sys
2009-02-05 21:42 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2009-02-02 19:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2009-02-02 19:09 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2009-02-02 16:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Norton
2009-01-18 18:31 --------- d-----w C:\Program Files\Common Files\Adobe
2009-01-16 20:56 --------- d-----w C:\Program Files\Google
2009-01-14 21:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2009-01-11 21:31 --------- d-----w C:\Program Files\DivX
2009-01-11 21:21 --------- d-----w C:\Documents and Settings\Ade\Application Data\Vso
2009-01-11 20:14 --------- d-----w C:\Program Files\DVDVideoSoft
2009-01-11 20:14 --------- d-----w C:\Program Files\Common Files\DVDVideoSoft
2009-01-06 11:52 --------- d--h--w C:\Program Files\InstallShield Installation Information
2009-01-05 15:39 --------- d-----w C:\Program Files\Bonjour
2009-01-05 15:37 --------- d-----w C:\Program Files\iTunes
2009-01-05 15:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
2009-01-05 15:36 --------- d-----w C:\Program Files\iPod
2009-01-05 15:36 --------- d-----w C:\Program Files\Common Files\Apple
2009-01-05 15:27 --------- d-----w C:\Program Files\QuickTime
2009-01-05 15:09 --------- d-----w C:\Program Files\Safari
2009-01-05 13:12 --------- d-----w C:\Program Files\Free WMA to MP3 Converter
2009-01-05 11:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\NortonInstaller
2009-01-04 12:05 --------- d-----w C:\Program Files\Ahead
2009-01-04 11:55 --------- d-----w C:\Program Files\Common Files\Nero
2009-01-04 11:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2009-01-03 17:47 10,344 ----a-w C:\WINDOWS\system32\drivers\symlcbrd.sys
2009-01-03 11:05 --------- d-----w C:\Program Files\Common Files\Ahead
2008-12-27 10:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\TomTom
2008-12-27 10:33 --------- d-----w C:\Program Files\TomTom HOME 2
2008-12-27 10:33 --------- d-----w C:\Documents and Settings\Ade\Application Data\TomTom
2008-12-11 10:57 333,952 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-05-23 09:05 47,360 -c--a-w C:\Documents and Settings\Ade\Application Data\pcouffin.sys
2007-01-10 10:42 52,400 -c--a-w C:\Documents and Settings\Ade\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2004-08-04 13:00 31744 e9fd36c652215e4d22893485ed1c1573 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2008-04-14 00:12 31744 d62497f87012485acd7bc10bcfda6f57 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2009-02-05 07:12 14336 b6d2734935fc224edca6138f9f958bcd C:\WINDOWS\system32\svchost.exe

2008-04-14 00:12 1051136 0b5e0b75fea14ad060a6bf0eb1aebf9d C:\WINDOWS\explorer.exe
2007-06-13 11:26 1050624 4908b19a9c830a6145766f18471c0131 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 10:23 1050624 0cd253ded4d3b3d95174bf17fa7cfdbc C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 13:00 1049600 3351a6e5b389a846b7c2a56e43a1119d C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-14 00:12 1051136 5f303aac89951cafc6b753f74529275d C:\WINDOWS\ServicePackFiles\i386\explorer.exe

2004-08-04 13:00 32768 1c511de92cf006f779c33f5b880662ea C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 00:12 32768 3eba43f2baf8902fba14264e2fa20eeb C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2008-04-14 00:12 32768 2fe8ef9cc99ed7d5b5fb686131562a7b C:\WINDOWS\system32\ctfmon.exe

2005-06-11 00:17 75264 b77a1fa98288e51383135052d3e7c8cd C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 23:53 75264 dd026ed8d08f17aaf21663ad5006be7b C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 13:00 75264 a80b51046367382a4a11a177fbce1065 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2008-04-14 00:12 75264 0e53f5810137eda413dee64cd11427ce C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2008-04-14 00:12 75264 fbf11f1eda44a70cc3001177212d7737 C:\WINDOWS\system32\spoolsv.exe

2004-08-04 13:00 41984 93432176a24edb23caecbe66f130ca4e C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
2008-04-14 00:12 43520 a842a873acb1c915d7689ff273a50104 C:\WINDOWS\ServicePackFiles\i386\userinit.exe
2009-02-02 07:20 142848 e27a3a0d47f219ce34d3e1692fc7f333 C:\WINDOWS\system32\userinit.exe
2009-02-02 07:20 142848 d441ea8e9119938f356dbf1d960ad6ef C:\WINDOWS\system32\dllcache\userinit.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CDBFB8EA-840A-4C3A-9E6D-0511BE8F909D}]
2004-08-04 13:00 96256 --a------ C:\WINDOWS\system32\atkctr.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-04-14 00:12 32768]
"EPSON Stylus Photo RX685 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATICJE.EXE" [2007-04-13 06:00 199680]
"TomTomHOME.exe"="C:\Program Files\TomTom HOME 2\HOMERunner.exe" [2008-12-09 10:12 234856]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2007-11-21 09:38 2553264]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 15:45 313472]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 18:55 68856]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2008-04-14 00:12 1712640]
"L08AXLRD_4183064"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 11:00 351000]
"L08AXLRD_3587278"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 11:00 351000]
"L08AXLRD_24200738"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 11:00 351000]
"L08AXLRD_2356017"="C:\Program Files\Microsoft Student\Microsoft Student with Encarta Premium 2008 DVD\EDICT.EXE" [2007-05-21 11:00 351000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ZCfgSvc.exe"="C:\WINDOWS\system32\ZCfgSvc.exe" [2004-09-06 05:28 442368]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2002-12-06 08:45 151552]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2002-12-06 16:32 593920]
"PRONoMgr.exe"="C:\Program Files\Intel\PROSetWireless\NCS\PROSet\PRONoMgr.exe" [2004-05-10 03:50 126976]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2004-07-01 13:02 180224]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2004-07-01 12:58 147456]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-02-07 07:40 143360]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2004-07-01 12:58 147456]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00 132496]
"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 17:17 180224]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 18:44 86016]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 09:25 6731312]
"Zone Labs Client"="C:\Program Files\CA\eTrust EZ Armor\eTrust EZ Firewall\ca.exe" [2004-10-12 08:33 722192]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2004-02-24 09:55 888832]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2004-11-02 20:24 53248]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-11-04 10:30 434176]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 180224]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam10\QuickCam10.exe" [2007-02-08 00:13 774168]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-11-20 13:20 290088]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2007-08-24 06:00 33648]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-09-17 09:27 52848]
"AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 14:16 111936]
"SMcfg"="smcfg.exe" [2004-11-01 16:55 102400 C:\WINDOWS\SmCfg.exe]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2008-04-14 00:12 110592 C:\WINDOWS\system32\bthprops.cpl]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2008-04-14 00:12 32768]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HotKeyDriver.lnk - C:\Program Files\HotKey_Driver\HotKeyDriver.exe [2005-04-27 12:07:03 2306048]
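
The Sigcheck block above is what the helper means by "legit files are patched": each live binary is listed beside the pristine copies Windows keeps under ServicePackFiles and the service-pack and hotfix uninstall directories. The following Python is an added example, not part of the thread or of ComboFix, that parses those lines and flags every live copy whose MD5 matches none of its reference copies, separating size mismatches (svchost.exe, userinit.exe) from hash-only mismatches; the directory markers used to recognise a reference copy are my assumption, and the input is the log data copied from this thread.

```python
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# The "Sigcheck" block from the ComboFix log posted above (copied from the
# thread, not constructed): date, time, size in bytes, MD5, path.
SIGCHECK = r"""
2004-08-04 13:00 31744 e9fd36c652215e4d22893485ed1c1573 C:\WINDOWS\$NtServicePackUninstall$\svchost.exe
2008-04-14 00:12 31744 d62497f87012485acd7bc10bcfda6f57 C:\WINDOWS\ServicePackFiles\i386\svchost.exe
2009-02-05 07:12 14336 b6d2734935fc224edca6138f9f958bcd C:\WINDOWS\system32\svchost.exe
2008-04-14 00:12 1051136 0b5e0b75fea14ad060a6bf0eb1aebf9d C:\WINDOWS\explorer.exe
2007-06-13 11:26 1050624 4908b19a9c830a6145766f18471c0131 C:\WINDOWS\$hf_mig$\KB938828\SP2QFE\explorer.exe
2007-06-13 10:23 1050624 0cd253ded4d3b3d95174bf17fa7cfdbc C:\WINDOWS\$NtServicePackUninstall$\explorer.exe
2004-08-04 13:00 1049600 3351a6e5b389a846b7c2a56e43a1119d C:\WINDOWS\$NtUninstallKB938828$\explorer.exe
2008-04-14 00:12 1051136 5f303aac89951cafc6b753f74529275d C:\WINDOWS\ServicePackFiles\i386\explorer.exe
2004-08-04 13:00 32768 1c511de92cf006f779c33f5b880662ea C:\WINDOWS\$NtServicePackUninstall$\ctfmon.exe
2008-04-14 00:12 32768 3eba43f2baf8902fba14264e2fa20eeb C:\WINDOWS\ServicePackFiles\i386\ctfmon.exe
2008-04-14 00:12 32768 2fe8ef9cc99ed7d5b5fb686131562a7b C:\WINDOWS\system32\ctfmon.exe
2005-06-11 00:17 75264 b77a1fa98288e51383135052d3e7c8cd C:\WINDOWS\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
2005-06-10 23:53 75264 dd026ed8d08f17aaf21663ad5006be7b C:\WINDOWS\$NtServicePackUninstall$\spoolsv.exe
2004-08-04 13:00 75264 a80b51046367382a4a11a177fbce1065 C:\WINDOWS\$NtUninstallKB896423$\spoolsv.exe
2008-04-14 00:12 75264 0e53f5810137eda413dee64cd11427ce C:\WINDOWS\ServicePackFiles\i386\spoolsv.exe
2008-04-14 00:12 75264 fbf11f1eda44a70cc3001177212d7737 C:\WINDOWS\system32\spoolsv.exe
2004-08-04 13:00 41984 93432176a24edb23caecbe66f130ca4e C:\WINDOWS\$NtServicePackUninstall$\userinit.exe
2008-04-14 00:12 43520 a842a873acb1c915d7689ff273a50104 C:\WINDOWS\ServicePackFiles\i386\userinit.exe
2009-02-02 07:20 142848 e27a3a0d47f219ce34d3e1692fc7f333 C:\WINDOWS\system32\userinit.exe
2009-02-02 07:20 142848 d441ea8e9119938f356dbf1d960ad6ef C:\WINDOWS\system32\dllcache\userinit.exe
"""

SIGCHECK_LINE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (?P<size>\d+) (?P<md5>[0-9a-f]{32}) (?P<path>.+)$"
)

# Assumed markers for the directories where Windows keeps pristine copies of
# its binaries: service-pack payload, service-pack and hotfix uninstall backups.
REFERENCE_MARKERS = ("\\servicepackfiles\\", "\\$ntservicepackuninstall$\\",
                     "\\$hf_mig$\\", "\\$ntuninstall")


class Entry(NamedTuple):
    size: int
    md5: str
    path: str

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()

    @property
    def is_reference(self) -> bool:
        lowered = self.path.lower()
        return any(marker in lowered for marker in REFERENCE_MARKERS)


def parse_sigcheck(text: str) -> List[Entry]:
    """Parse Sigcheck lines; blank or unrecognised lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = SIGCHECK_LINE.match(line.strip())
        if m:
            entries.append(Entry(int(m["size"]), m["md5"], m["path"]))
    return entries


def assess(entries: List[Entry]) -> Dict[str, str]:
    """Verdict for every live copy (system32, dllcache, WINDOWS root) of each
    binary, judged against the reference copies of the same name:
      "match"          MD5 identical to a reference copy
      "size mismatch"  no reference copy has this size (strongest signal for
                       a file infector that rewrites its host)
      "hash mismatch"  a reference has this size but none has this MD5
      "no reference"   nothing to compare against
    """
    by_name = defaultdict(list)
    for entry in entries:
        by_name[entry.name].append(entry)
    verdicts = {}
    for group in by_name.values():
        refs = [e for e in group if e.is_reference]
        ref_hashes = {e.md5 for e in refs}
        ref_sizes = {e.size for e in refs}
        for e in group:
            if e.is_reference:
                continue
            if not refs:
                verdicts[e.path] = "no reference"
            elif e.md5 in ref_hashes:
                verdicts[e.path] = "match"
            elif e.size not in ref_sizes:
                verdicts[e.path] = "size mismatch"
            else:
                verdicts[e.path] = "hash mismatch"
    return verdicts


if __name__ == "__main__":
    for path, verdict in sorted(assess(parse_sigcheck(SIGCHECK)).items()):
        print(f"{verdict:14s} {path}")
```

Note that ctfmon.exe also comes out as a hash mismatch even though ComboFix did not list it among the infected files, so a hash-only mismatch is a prompt to investigate rather than a verdict on its own.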

Re: virus/spyware/trojan or malware

Hello.
Bad news.

Your machine is infected with Virut.
Virut is a file infector, but it wasn't written properly and these infected files may become corrupt; there is nothing we can do now.
Your machine is also compromised; use a clean machine and change any passwords for any online banking, MSN, etc.

To help you understand more, please take some time to read the following articles:

What are Remote Access Trojans and why are they dangerous
How do I respond to a possible identity theft and how do I prevent it
When should I do a reformat and reinstallation of my OS
Where to backup your files
How to backup your files in Windows XP
Restoring your backups

Re: virus/spyware/trojan or malware

And I thought all was going well.
Thank you for your time.
Ade
