Hijacked PC

BCs

Member
My system seems to get hijacked often. You can be in the middle of anything and all of a sudden the system goes haywire. It tries to open programs and run them, opens the Start menu and opens programs from that. The only way to stop it is to wait for 20 seconds until it stops and then close down the open programs, hit the ESC key, which sometimes stops it, or reboot. Very annoying when the kids are doing homework and the program they are using closes on them. I am running XP SP3 & IE 8.

I am also running NIS 2009 & spyware terminator. Neither program is picking up anything.

Anyone with any ideas would be appreciated.
This is the 4th attempt to post, as "it" keeps closing IE down.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:45:57 PM, on 17/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\wisco\BackupOutlook\BackupOutlook.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\VideoMate\ComproRemote.exe
C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN\Toolbar\3.0.1203.0\msntask.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.ninemsn.com.au
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: BTjunkie Toolbar - {1a71246c-3eb0-4d6c-af77-3ab756017c3a} - C:\Program Files\BTjunkie\tbBTj1.dll
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BTjunkie Toolbar - {1a71246c-3eb0-4d6c-af77-3ab756017c3a} - C:\Program Files\BTjunkie\tbBTj1.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: BTjunkie Toolbar - {1a71246c-3eb0-4d6c-af77-3ab756017c3a} - C:\Program Files\BTjunkie\tbBTj1.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BackupOutlook] "C:\Program Files\wisco\BackupOutlook\BackupOutlook.exe" silent
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ComproRemote.lnk
O4 - Global Startup: ComproSchedulerDTV.lnk = C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} (NeroVersionCheckerControl Control) - http://www.nero.com/doc/NeroVersionCheckerControl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222386794109
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O20 - Winlogon Notify: 30112d3c573 - C:\WINDOWS\System32\divx_xx0732.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 10354 bytes


Malwarebytes' Anti-Malware 1.40
Database version: 2747
Windows 5.1.2600 Service Pack 3

6/09/2009 2:54:24 PM
mbam-log-2009-09-06 (14-54-12).txt

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 185445
Time elapsed: 1 hour(s), 0 minute(s), 48 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 20
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 4
Files Infected: 132

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\tbsb09835.ietoolbar (Adware.BullseyeToolbar) -> No action taken.
HKEY_CLASSES_ROOT\tbsb09835.ietoolbar.1 (Adware.BullseyeToolbar) -> No action taken.
HKEY_CLASSES_ROOT\tbsb09835.tbsb09835 (Adware.BullseyeToolbar) -> No action taken.
HKEY_CLASSES_ROOT\toolbar3.tbsb09835 (Adware.BullseyeToolbar) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{255c13ae-4bb0-45c3-bae1-ba6c088c43b3} (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{8fbb0d9a-1f7b-465b-8292-1593b880e92a} (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6226ba26-c017-4007-928c-de9715c6fa67} (Adware.BullseyeToolbar) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{d97fc677-694d-4a75-ac89-a5b85c2bcfed} (Adware.BullseyeToolbar) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\imwrvsfusmkvcmsc (Adware.AdRotator) -> No action taken.
HKEY_CLASSES_ROOT\tbsb05288.ietoolbar (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\tbsb05288.ietoolbar.1 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\tbsb05288.tbsb05288 (Trojan.BHO) -> No action taken.
HKEY_CLASSES_ROOT\toolbar3.tbsb05288 (Trojan.BHO) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\TBSB05288 (Adware.IEToolbar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\runit (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\runit (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\UAC (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{6226ba26-c017-4007-928c-de9715c6fa67} (Adware.BullseyeToolbar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{90b8b761-df2b-48ac-bbe0-bcc03a819b3b} (Adware.Zango) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\Local Page (Hijack.SearchPage) -> Bad: (http://www.iesearch.com/) Good: (http://www.Google.com/) -> No action taken.

Folders Infected:
C:\Program Files\runit (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Administrator\Start Menu\Programs\BitDownload (Trojan.Swizzor) -> No action taken.
C:\WINDOWS\system32\LocalService32 (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\NetworkService32 (Worm.Archive) -> No action taken.

Files Infected:
C:\Documents and Settings\Administrator\Local Settings\Temp\wopsetqfvb.tmp (Rootkit.TDSS) -> No action taken.
C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\BASH\Clone\BHCFB.tmp (Rootkit.TDSS) -> No action taken.
C:\Program Files\runit\runit_32.exe (Trojan.Agent) -> No action taken.
C:\RECYCLER\S-1-5-21-1957994488-1645522239-725345543-500\Dc53.exe (Trojan.Downloader) -> No action taken.
C:\System Volume Information\_restore{70DB4145-2119-4107-9DA1-50CD64812B1E}\RP438\A0167372.exe (Adware.AdRotator) -> No action taken.
C:\System Volume Information\_restore{70DB4145-2119-4107-9DA1-50CD64812B1E}\RP438\A0167417.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\ojaee2878.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\hqpb8081.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\vvvxq62447.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\lkug77003.exe (Trojan.Dropper) -> No action taken.
C:\WINDOWS\qomut5121.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\qpbl08125.exe (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\kbiwkmfjpexnsv.dll (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\kbiwkmxvpopset.dll (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\imwrvsfusmkvcmsc.exe (Adware.AdRotator) -> No action taken.
C:\Program Files\runit\config.txt (Trojan.Agent) -> No action taken.
C:\Program Files\runit\runitu_32.exe (Trojan.Agent) -> No action taken.
C:\Documents and Settings\Administrator\Start Menu\Programs\BitDownload\BitDownload Downloads.lnk (Trojan.Swizzor) -> No action taken.
C:\WINDOWS\system32\LocalService32\48.music.mp3.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService32\49.music.snd.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService32\50.crack.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService32\50.crack.zip.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService32\51.keygen.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService32\51.keygen.zip.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService32\52.keymaker.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService32\52.keymaker.zip.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService32\53.serial.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService32\53.serial.zip.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService32\54.setup.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService32\54.setup.zip.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService32\55.unpack.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\LocalService32\55.unpack.zip.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\NetworkService32\101.crack.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\NetworkService32\101.crack.zip.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\NetworkService32\102.keygen.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\NetworkService32\102.keygen.zip.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\NetworkService32\103.serial.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\NetworkService32\103.serial.zip.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\NetworkService32\104.setup.zip (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\NetworkService32\104.setup.zip.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\NetworkService32\105.music.mp3.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\NetworkService32\106.music.snd.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\NetworkService32\107.music.au.kwd (Worm.Archive) -> No action taken.
C:\WINDOWS\system32\NetworkService32\108.video.wmv.kwd (Worm.Archive) -> No action taken.
C:\Documents and Settings\Administrator\Desktop\BitDownload Downloads.lnk (Trojan.Swizzor) -> No action taken.
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\runit_32.lnk (Rogue.Link) -> No action taken.
C:\WINDOWS\system32\els3232.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\atmlib32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\batt32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\bitsprx232.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\BROWSELC32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\camocx32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\CATSRVUT32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\CERTCLI32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\clbcatex32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\clbcatq32.dll (Trojan.Tracur) -> No action taken.
C:\WINDOWS\system32\CLICONFG32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\cmdial3232.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\cmutil32.dll (Trojan.Tracur) -> No action taken.
C:\WINDOWS\system32\CNBJMON32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\cnvfat32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\COMADDIN32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\comctl3232.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\compobj32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\comrepl32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\confmsp32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\corpol32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\CRYPT3232.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\cryptui32.dll (Worm.P2P) -> No action taken.
C:\WINDOWS\system32\cscdll32.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\cscui32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\csrsrv32.dll (Trojan.Tracur) -> No action taken.
C:\WINDOWS\system32\D3D8THK32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\d3dim32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\D3DPMESH32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\d3drm32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\danim32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dbgeng32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\DBMSRPCN32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dbnmpntw32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\DDRAWEX32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\deskadp32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\deskperf32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\DFRGRES32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dfrgui32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dgrpsetu32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\DHCPMON32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dhcpsapi32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\digest32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\DINPUT832.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dispex32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dmdlgs32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dmime32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\DMLOADER32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\DMSCRIPT32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\DMSYNTH32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dmutil32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dnsrslvr32.dll (Worm.P2P) -> No action taken.
C:\WINDOWS\system32\dot3api32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dplayx32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\DPNADDR32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\DPNHPAST32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dpnlobby32.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\DPSERIAL32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\DPVOICE32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\DPWSOCK32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\drmclien32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\ds32gt32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dsdmo32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dskquoui32.dll (Trojan.Tracur) -> No action taken.
C:\WINDOWS\system32\DSOUND3D32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\DSPRPRES32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dssec32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dswave32.dll (Worm.P2P) -> No action taken.
C:\WINDOWS\system32\dx7vb32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dxdiagn32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\dxtmsft32.dll (Worm.P2P) -> No action taken.
C:\WINDOWS\system32\els32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\encdec32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\es32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\esent9732.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\eventcls32.dll (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\expsrv32.dll (Trojan.Tracur) -> No action taken.
C:\WINDOWS\system32\fde32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\feclient32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\fltlib32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\fontext32.dll (Worm.P2P) -> No action taken.
C:\WINDOWS\system32\framebuf32.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\system32\GroupPolicy000.dat (Malware.Trace) -> No action taken.
C:\WINDOWS\system32\kbiwkmqswativu.dat (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\GnuHashes.ini (Malware.Trace) -> No action taken.
C:\WINDOWS\kdiue732.txt (Malware.Trace) -> No action taken.
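The HijackThis log above is the first thing a helper reads, and the entries that matter are few: registrations whose target file no longer exists (the O2 BHO with "(no file)", the O20 Winlogon Notify pointing at a missing divx_xx0732.dll under a random-looking subkey), services with no vendor string, and Run entries that launch a bare filename such as SkyTel.EXE so Windows resolves it through the PATH search. The script below is an added example for triaging such a log, not code from the thread or from Trend Micro; the sample lines are copied from the log above, and the regular expressions and the digit-ratio heuristic for "random-looking" names are the example's own assumptions.

```python
"""Triage of HijackThis-style log lines.

Added example, not code from the thread or from Trend Micro. Each HijackThis
line has the shape
    <section> - <description> - <CLSID> - <path>
with some variation per section. This pulls out the entries a malware-removal
helper reads first:
  * any entry whose target file is missing ("(no file)" / "(file missing)"):
    an orphaned COM or Winlogon registration
  * O20 Winlogon Notify entries whose subkey name looks machine-generated
  * O23 services whose vendor string is "Unknown owner"
  * O4 Run entries that launch a bare filename (found via the PATH search,
    not a fixed full path)
The sample lines are copied from the log posted above.
"""
import re

SAMPLE_LOG = r"""O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O20 - Winlogon Notify: 30112d3c573 - C:\WINDOWS\System32\divx_xx0732.dll (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
"""

# Section prefix, e.g. "O20 - ..." or "R1 - ..."
SECTION_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<rest>.*)$")
# O4 Run entries: HKLM\..\Run: [name] command
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O20 entries: Winlogon Notify: <subkey> - <dll path>
WINLOGON_RE = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
# O23 entries: Service: <name> - <vendor> - <path>
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")


def looks_random(name):
    """Heuristic (assumption of this example) for auto-generated subkey names
    such as '30112d3c573'. Legitimate Notify subkeys (crypt32chain, ScCertProp,
    wlballoon) are mostly letters; a name that is a third or more digits is
    treated as suspicious."""
    if len(name) < 8 or not name.isalnum():
        return False
    digits = sum(c.isdigit() for c in name)
    letters = sum(c.isalpha() for c in name)
    return digits > 0 and letters > 0 and digits / len(name) >= 0.3


def first_executable(cmd):
    """Return the program part of a Run command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def triage(log_text):
    """Return a list of (section, reason, line) findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if not m:
            continue
        sec, rest = m.group("sec"), m.group("rest")
        if rest.endswith("(no file)") or rest.endswith("(file missing)"):
            findings.append((sec, "target file missing: orphaned registration", line))
        if sec == "O20":
            w = WINLOGON_RE.match(rest)
            if w and looks_random(w.group("key")):
                findings.append((sec, "Winlogon Notify subkey with machine-generated name", line))
        elif sec == "O23":
            s = SERVICE_RE.match(rest)
            if s and s.group("vendor") == "Unknown owner":
                findings.append((sec, "service with no vendor string", line))
        elif sec == "O4":
            r = RUN_RE.match(rest)
            if r and "\\" not in first_executable(r.group("cmd")):
                findings.append((sec, "Run entry launches a bare filename resolved via PATH", line))
    return findings


if __name__ == "__main__":
    for sec, reason, line in triage(SAMPLE_LOG):
        print(f"[{sec}] {reason}\n    {line}")
```

On the seven sample lines this reports five findings: the orphaned BHO, the SkyTel Run entry, the O20 entry twice (missing file and random subkey name), and the "Unknown owner" service. None of these is a verdict on its own; a bare-filename Run entry or an unsigned service from a hardware vendor is common on a clean XP box, so each hit still needs the file checked (signature, hash, vendor) before it is removed.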
 


kimsland

New Member
I would suggest the thread be locked by a Mod, instead of support members trying to help someone with "cracks" in their log.

But I'll just squeeze this info in:
Malwarebytes is up to Database version 2814 and Program version 1.41.
Yours is too old; you need to update the program, then the database, and then scan again.

Also: "No action taken." on the Malwarebytes scan means that you did not select Next at the end of the scan and remove all found malware, so the scan was a waste of time (I note you scanned for 1 hour).

Update Malwarebytes fully
Then run a new full scan
And remove all malware at the end of the scan ;)
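The point about "No action taken" is easy to miss when a log runs to 130 entries. The script below is an added example, not code from the thread or from Malwarebytes: it parses the detection lines of an MBAM log (object, family, final action), cross-checks the header totals against the item lines, and reports whether anything was actually removed. The sample lines are copied from the first log in this thread, except the last file entry, which is constructed to show what a removed item looks like; the line format and the set of "removed" action strings are this example's assumptions about the log format.

```python
"""Summarise a Malwarebytes' Anti-Malware log.

Added example, not code from the thread or from Malwarebytes. Detection lines
in an MBAM log have the shape
    <object> (<family>) -> <action>.
where <action> is "No action taken" when the user never clicked Remove
Selected, or "Quarantined and deleted successfully" / "Delete on reboot"
when it was cleaned. Search hijacks carry an extra "Bad: (...) Good: (...)"
segment before the final "-> <action>". This groups detections by family,
cross-checks the header totals against the item lines, and reports whether
the scan actually removed anything. Sample lines are copied from the first
log above, except the last file line, which is constructed to show a
removed item.
"""
import re
from collections import Counter

# Header totals such as "Files Infected: 132"
COUNT_RE = re.compile(r"^(?P<cat>[A-Za-z ]+ Infected): (?P<n>\d+)$")
# Detection lines: "<object> (<family>) -> <action>."
ITEM_RE = re.compile(r"^(?P<obj>.+?) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")
# Action strings that mean the item is gone (assumption: MBAM 1.x wording)
REMOVED_ACTIONS = {"Quarantined and deleted successfully", "Delete on reboot"}

SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.40
Database version: 2747
Windows 5.1.2600 Service Pack 3

Scan type: Full Scan (C:\|D:\|E:\|F:\|G:\|H:\|I:\|J:\|)
Objects scanned: 185445

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\UACd.sys (Trojan.Agent) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search\Local Page (Hijack.SearchPage) -> Bad: (http://www.iesearch.com/) Good: (http://www.Google.com/) -> No action taken.

Files Infected:
C:\WINDOWS\system32\kbiwkmfjpexnsv.dll (Rootkit.TDSS) -> No action taken.
C:\WINDOWS\system32\comctl3232.dll (Trojan.Agent) -> No action taken.
C:\WINDOWS\ojaee2878.exe (Trojan.Agent) -> Quarantined and deleted successfully.
"""


def parse_mbam_log(text):
    """Return (declared_counts, items) from an MBAM log."""
    counts, items = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        c = COUNT_RE.match(line)
        if c:
            counts[c.group("cat")] = int(c.group("n"))
            continue
        m = ITEM_RE.match(line)
        if m:
            # Search-hijack lines carry "Bad: (...) Good: (...) -> <action>";
            # keep only the final action.
            action = m.group("action").rsplit(" -> ", 1)[-1]
            items.append({"object": m.group("obj"),
                          "family": m.group("family"),
                          "action": action})
    return counts, items


def summarise(counts, items):
    """Aggregate detections and decide whether the log shows a cleaned system."""
    not_removed = [i for i in items if i["action"] not in REMOVED_ACTIONS]
    declared = sum(counts.values())
    return {
        "declared": declared,                       # total from the header block
        "parsed": len(items),                       # detection lines actually found
        "consistent": declared == len(items),       # truncated/edited log if False
        "by_family": dict(Counter(i["family"] for i in items)),
        "not_removed": len(not_removed),
        "cleaned": len(not_removed) == 0,           # True only if every item was removed
    }


if __name__ == "__main__":
    counts, items = parse_mbam_log(SAMPLE_LOG)
    report = summarise(counts, items)
    for key, value in report.items():
        print(f"{key}: {value}")
    if not report["cleaned"]:
        print(f'{report["not_removed"]} item(s) still present: '
              "re-run the scan and click Remove Selected.")
```

Run against the full first log in this thread the same code gives "cleaned: False" with 155 items not removed, which is the point kimsland makes: a scan whose every line ends in "No action taken" has changed nothing on the machine. The consistency check is there because pasted logs are often truncated; if the header totals and the item count disagree, ask for the original log file rather than reasoning from the fragment.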
 

hayimj

New Member
Remove trojan with free Ad-Aware

Hi,
You should install Ad-Aware; this is the best free adware remover.
(I don't work there.)
You can download it free here: myFixPc/

Good luck
 

BCs

Member
I have updated and re-run Malwarebytes. See the following:

Malwarebytes' Anti-Malware 1.41
Database version: 2818
Windows 5.1.2600 Service Pack 3

18/09/2009 4:10:08 PM
mbam-log-2009-09-18 (16-10-08).txt

Scan type: Quick Scan
Objects scanned: 109482
Time elapsed: 9 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

This was run as a quick scan as distinct from the previous one which was run as a full scan.
 

kimsland

New Member
Please download ComboFix, direct link here: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
Disable your antivirus or just allow the process to run (i.e. if Norton pops up a warning, just allow ComboFix to run).
ComboFix will save a log file to the C:\Combofix folder; please attach this log to a new reply.

By the way, running uTorrent and Norton Internet Security together probably will never work ;)
uTorrent is a file-sharing program that can easily allow malware into your computer. Disable (close) this first, or ideally uninstall it (I would).

And Norton (IS) is probably good at slowing computers down and that's about all. This can be proved specifically by the mess you are presently in (a good example of this poor antivirus).
Ideally uninstall it and then run the removal tool (as Norton will not uninstall fully without this: http://service1.symantec.com/Support/tsgeninfo.nsf/docid/2005033108162039)

Then download and install the free Avira: http://www.free-av.com/
Install, update and run a full scan.
Once Avira removes all the remaining viruses you'll never pay for an antivirus again. But if you want to revert back to Norton afterwards, that's your choice.
 

BCs

Member
OK, here is the log from ComboFix.


ComboFix 09-09-18.02 - Administrator 19/09/2009 9:57.1.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3326.2567 [GMT 10:00]
Running from: c:\documents and settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Administrator\Application Data\020000008ccd966e548C.manifest
c:\documents and settings\Administrator\Application Data\020000008ccd966e548O.manifest
c:\documents and settings\Administrator\Application Data\020000008ccd966e548P.manifest
c:\documents and settings\Administrator\Application Data\020000008ccd966e548S.manifest
c:\documents and settings\Administrator\Application Data\020000008ccd966e573C.manifest
c:\documents and settings\Administrator\Application Data\020000008ccd966e573O.manifest
c:\documents and settings\Administrator\Application Data\020000008ccd966e573P.manifest
c:\documents and settings\Administrator\Application Data\020000008ccd966e573S.manifest
c:\documents and settings\Administrator\Application Data\inst.exe
c:\windows\Alcmtr.exe
c:\windows\Downloaded Program Files\ODCTOOLS
c:\windows\Downloaded Program Files\ODCTOOLS\ef6b26db-344d-4ad3-ba24-aca0bdaa999a.cab
c:\windows\Downloaded Program Files\ODCTOOLS\f04d289f-c60a-422b-8396-6c372047042e.cab
c:\windows\system32\ATIDEMGX32.dll
c:\windows\system32\atikvmag32.dll
c:\windows\system32\atipdlxx32.dll
c:\windows\system32\ativcoxx32.dll
c:\windows\system32\ativvaxx32.dll
c:\windows\system32\atl32.dll
c:\windows\system32\atrace32.dll
c:\windows\system32\audiosrv32.dll
c:\windows\system32\avifile32.dll
c:\windows\system32\avtapi32.dll
c:\windows\system32\azroles32.dll
c:\windows\system32\bdco1ins32.dll
c:\windows\system32\bitsprx432.dll
c:\windows\system32\browseui32.dll
c:\windows\system32\bthci32.dll
c:\windows\system32\btpanui32.dll
c:\windows\system32\capicom32.dll
c:\windows\system32\catsrv32.dll
c:\windows\system32\cdintf25132.dll
c:\windows\system32\cdmodem32.dll
c:\windows\system32\cfgbkend32.dll
c:\windows\system32\ciadmin32.dll
c:\windows\system32\ciodm32.dll
c:\windows\system32\clusapi32.dll
c:\windows\system32\clusapi3232.dll
c:\windows\system32\cmprops32.dll
c:\windows\system32\cmsetacl32.dll
c:\windows\system32\cnbjmon3232.dll
c:\windows\system32\comcat32.dll
c:\windows\system32\comdlg3232.dll
c:\windows\system32\comdlg323232.dll
c:\windows\system32\COMMTB3232.dll
c:\windows\system32\compobj3232.dll
c:\windows\system32\comres32.dll
c:\windows\system32\comres3232.dll
c:\windows\system32\comsvcs32.dll
c:\windows\system32\confmsp3232.dll
c:\windows\system32\credssp32.dll
c:\windows\system32\credui32.dll
c:\windows\system32\credui3232.dll
c:\windows\system32\crypt323232.dll
c:\windows\system32\cryptdll32.dll
c:\windows\system32\cryptnet32.dll
c:\windows\system32\csrsrv3232.dll
c:\windows\system32\ctl3d3232.dll
c:\windows\system32\d3dx9_3232.dll
c:\windows\system32\DATAZAP32.dll
c:\windows\system32\DATZAP1632.dll
c:\windows\system32\DDAO3632.dll
c:\windows\system32\dfsshlex32.dll
c:\windows\system32\dimsntfy32.dll
c:\windows\system32\dmcompos32.dll
c:\windows\system32\DOCOBJ32.dll
c:\windows\system32\dot3dlg32.dll
c:\windows\system32\dot3msm32.dll
c:\windows\system32\dot3ui32.dll
c:\windows\system32\eapp3hst32.dll
c:\windows\system32\eappgnui32.dll
c:\windows\system32\eappprxy32.dll
c:\windows\system32\eapsvc32.dll
c:\windows\system32\EMLCNS3232.dll
c:\windows\system32\exts32.dll
c:\windows\system32\fdco132.dll
c:\windows\system32\FM20ENU32.dll
c:\windows\system32\private.inf
c:\windows\winhelp.ini
I:\autorun.inf
J:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2009-08-19 to 2009-09-19 )))))))))))))))))))))))))))))))
.

2009-09-18 14:00 . 2009-09-18 14:00 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-09-18 07:47 . 1999-12-17 12:43 86016 ----a-w- c:\windows\unvise32.exe
2009-09-18 07:47 . 2009-09-18 13:26 -------- d-----w- c:\program files\RegistryPatrol3.0
2009-09-10 21:49 . 2009-06-21 21:44 153088 -c----w- c:\windows\system32\dllcache\triedit.dll
2009-09-06 05:14 . 2009-09-06 05:14 -------- d-----w- c:\program files\Trend Micro
2009-09-06 03:51 . 2009-09-06 03:51 -------- d-----w- c:\documents and settings\Administrator\Application Data\Malwarebytes
2009-09-06 03:51 . 2009-09-10 04:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-09-06 03:51 . 2009-09-18 06:17 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-09-06 03:51 . 2009-09-10 04:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-09-06 03:51 . 2009-09-06 03:51 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-08-31 09:49 . 2008-11-11 03:42 24832 ----a-w- c:\windows\system32\drivers\lgusbmodem.sys
2009-08-31 09:49 . 2008-11-11 03:41 19968 ----a-w- c:\windows\system32\drivers\lgusbdiag.sys
2009-08-31 09:49 . 2008-11-11 03:41 13056 ----a-w- c:\windows\system32\drivers\lgusbbus.sys
2009-08-31 09:49 . 2009-08-31 09:49 -------- d-----w- c:\program files\LG Electronics
2009-08-25 08:52 . 2009-08-25 08:52 -------- d-----w- C:\Sounds
2009-08-25 08:48 . 2009-09-07 04:07 -------- d-----w- C:\Temp
2009-08-25 08:18 . 2009-08-25 08:18 -------- d-----w- c:\documents and settings\Administrator\Application Data\LG Electronics
2009-08-24 07:35 . 2009-08-24 07:35 -------- d-----w- c:\program files\BurnAware Free
2009-08-24 07:13 . 2005-03-11 08:37 1986560 ----a-w- c:\windows\system32\AudFile.dll
2009-08-24 07:13 . 2005-02-24 03:11 1212416 ----a-w- c:\windows\system32\AudioInfos.dll
2009-08-24 07:13 . 2005-02-24 02:51 348160 ----a-w- c:\windows\system32\WMAFile.dll
2009-08-24 07:13 . 2000-10-01 08:00 119568 ----a-w- c:\windows\system32\VB6FR.DLL
2009-08-24 07:13 . 1999-03-25 08:00 101888 ----a-w- c:\windows\system32\VB6STKIT.DLL
2009-08-24 07:13 . 1998-07-12 12:00 15360 ----a-w- c:\windows\system32\inetfr.DLL
2009-08-24 07:13 . 2003-04-18 05:29 44544 ----a-w- c:\windows\system32\msxml4a.dll
2009-08-24 07:13 . 1998-07-12 12:00 141312 ----a-w- c:\windows\system32\MSCMCFR.DLL
2009-08-24 07:13 . 1998-07-12 08:00 32768 ----a-w- c:\windows\system32\CMDLGFR.DLL
2009-08-24 06:45 . 2004-07-02 22:08 139264 ----a-w- c:\windows\system32\xvidvfw.dll
2009-08-24 06:45 . 2004-07-02 21:59 524288 ----a-w- c:\windows\system32\xvidcore.dll
2009-08-24 06:45 . 2009-09-07 04:16 -------- d-----w- c:\program files\Extra DVD Ripper Free

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-19 00:03 . 2008-09-19 06:49 -------- d-----w- c:\documents and settings\Administrator\Application Data\uTorrent
2009-09-19 00:03 . 2008-09-25 01:22 -------- d---a-w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-18 05:47 . 2009-04-22 03:41 -------- d-----w- c:\program files\Spyware Terminator
2009-09-18 05:47 . 2009-04-22 03:41 -------- d-----w- c:\documents and settings\All Users\Application Data\Spyware Terminator
2009-09-18 05:45 . 2009-04-22 03:41 -------- d-----w- c:\documents and settings\Administrator\Application Data\Spyware Terminator
2009-09-11 23:51 . 2008-09-23 04:05 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-07 06:44 . 2009-05-14 10:52 148200 ----a-w- c:\documents and settings\LocalService\Local Settings\Application Data\FontCache3.0.0.0.dat
2009-09-01 04:49 . 2008-08-11 02:37 -------- d--h--w- c:\program files\InstallShield Installation Information
2009-08-25 08:39 . 2009-04-08 10:19 -------- d-----w- c:\program files\DivX
2009-08-24 07:25 . 2009-05-14 08:50 -------- d-----w- c:\program files\NCH Swift Sound
2009-08-21 05:36 . 2009-07-19 04:20 -------- d-----w- c:\program files\Burn4Free
2009-08-19 07:36 . 2009-08-19 07:36 -------- d-----r- c:\program files\Norton Support
2009-08-19 06:12 . 2008-09-18 07:58 -------- d-----w- c:\program files\Symantec
2009-08-19 06:12 . 2009-08-16 08:50 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-19 06:12 . 2009-08-16 08:50 7456 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-19 06:12 . 2009-08-16 08:50 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-19 06:12 . 2009-08-16 08:50 124976 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-18 19:11 . 2009-08-16 08:50 36400 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-08-17 08:40 . 2008-09-19 02:05 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-16 08:50 . 2008-10-23 04:38 -------- d-----w- c:\program files\Norton Internet Security
2009-08-16 08:50 . 2008-10-22 17:25 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-16 08:50 . 2009-08-16 08:50 -------- d-----w- c:\program files\Windows Sidebar
2009-08-16 08:50 . 2008-09-19 02:05 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-16 08:49 . 2008-10-22 17:24 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-15 12:46 . 2009-01-14 11:04 -------- d-----w- c:\program files\Windows Live
2009-08-15 12:46 . 2009-08-15 12:46 -------- d-----w- c:\program files\Microsoft Sync Framework
2009-08-09 06:40 . 2009-08-08 04:53 -------- d-----w- c:\program files\NortonInstaller
2009-08-08 05:31 . 2009-03-07 04:55 -------- d-----w- c:\documents and settings\All Users\Application Data\WinZip
2009-08-07 09:32 . 2009-06-23 06:02 -------- d-----w- c:\program files\Bitcollider
2009-08-05 09:24 . 2008-09-18 07:12 -------- d-----w- c:\program files\Java
2009-08-05 09:01 . 2007-07-27 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-08-03 07:31 . 2009-08-03 07:16 -------- d-----w- c:\program files\Common Files\DVDVideoSoft
2009-08-03 07:16 . 2009-08-03 07:16 -------- d-----w- c:\program files\AskBarDis
2009-07-24 19:23 . 2008-12-16 10:11 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-07-17 19:01 . 2007-07-27 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-17 05:42 . 2008-09-28 06:02 47360 ----a-w- c:\documents and settings\Administrator\Application Data\pcouffin.sys
2009-07-17 05:41 . 2008-09-28 06:02 47360 ----a-w- c:\windows\system32\drivers\pcouffin.sys
2009-07-13 13:43 . 2007-07-27 12:00 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2007-07-27 12:00 915456 ----a-w- c:\windows\system32\wininet.dll
2008-12-25 08:33 . 2008-12-25 08:33 713526 ----a-w- c:\program files\dvd43.zip
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{1a71246c-3eb0-4d6c-af77-3ab756017c3a}"= "c:\program files\BTjunkie\tbBTj1.dll" [2009-07-08 2215960]

[HKEY_CLASSES_ROOT\clsid\{1a71246c-3eb0-4d6c-af77-3ab756017c3a}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1a71246c-3eb0-4d6c-af77-3ab756017c3a}]
2009-07-08 03:55 2215960 ----a-w- c:\program files\BTjunkie\tbBTj1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{1a71246c-3eb0-4d6c-af77-3ab756017c3a}"= "c:\program files\BTjunkie\tbBTj1.dll" [2009-07-08 2215960]

[HKEY_CLASSES_ROOT\clsid\{1a71246c-3eb0-4d6c-af77-3ab756017c3a}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{1A71246C-3EB0-4D6C-AF77-3AB756017C3A}"= "c:\program files\BTjunkie\tbBTj1.dll" [2009-07-08 2215960]

[HKEY_CLASSES_ROOT\clsid\{1a71246c-3eb0-4d6c-af77-3ab756017c3a}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupOutlook"="c:\program files\wisco\BackupOutlook\BackupOutlook.exe" [2008-09-11 1146232]
"uTorrent"="c:\program files\uTorrent\uTorrent.exe" [2009-09-16 288560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"Lexmark 2200 Series"="c:\program files\Lexmark 2200 Series\lxbvbmgr.exe" [2004-02-13 57344]
"dvd43"="c:\program files\dvd43\dvd43_tray.exe" [2008-04-09 826880]
"basicsmssmenu"="c:\program files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe" [2007-10-09 169328]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2009-02-27 35696]
"SpywareTerminator"="c:\progra~1\SPYWAR~1\SpywareTerminatorShield.exe" [2009-07-18 2173440]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-07-24 149280]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.exe [2007-09-27 16844800]
"SkyTel"="SkyTel.EXE" - c:\windows\SkyTel.exe [2007-08-03 1826816]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
ComproRemote.lnk - c:\program files\Common Files\VideoMate\ComproRemote.exe [2008-9-19 147456]
ComproSchedulerDTV.lnk - c:\program files\Common Files\VideoMate\ComproSchedulerDTV.exe [2008-9-19 77824]
Microsoft Office Fast Start.lnk - c:\msoffice\Office\FASTBOOT.EXE [1995-10-6 14848]
QuickBooks Update Agent.lnk - c:\program files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2008-4-29 969792]
Smart Wizard Wireless Settings.lnk - c:\program files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe [2008-9-25 1044572]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\SymEFA.sys]
@="FSFilter Activity Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Intuit\\QuickBooks 2008-09\\QBDBMgrN.exe"=
"c:\\Program Files\\Joost Plugin\\joostws.exe"=
"c:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"c:\\WINDOWS\\system32\\LEXPPS.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
"AllowInboundEchoRequest"= 1 (0x1)

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NIS\1007020.00B\SymEFA.sys [16/09/2009 1:49 PM 310320]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NIS\1007020.00B\BHDrvx86.sys [16/09/2009 1:49 PM 259632]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NIS\1007020.00B\cchpx86.sys [16/09/2009 1:49 PM 482432]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090916.003\IDSXpx86.sys [17/09/2009 1:31 PM 329080]
R1 sp_rsdrv2;Spyware Terminator Driver 2;c:\windows\system32\drivers\sp_rsdrv2.sys [22/04/2009 1:41 PM 142592]
R2 fssfltr;FssFltr;c:\windows\system32\drivers\fssfltr_tdi.sys [24/02/2009 3:08 PM 55152]
R2 Norton Internet Security;Norton Internet Security;c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe [16/09/2009 1:49 PM 117640]
R3 ComproDTVNet;Compro DTV Ethernet;c:\windows\system32\drivers\CpDTVNet.sys [19/09/2008 1:43 PM 20992]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [26/08/2009 6:00 PM 102448]
R3 VMHybrid;VMHybrid service;c:\windows\system32\drivers\VMHybrid.sys [25/08/2008 12:31 PM 947840]
S3 fsssvc;Windows Live Family Safety;c:\program files\Windows Live\Family Safety\fsssvc.exe [6/02/2009 5:08 PM 533360]
S3 Usbnic;OTi Network Driver Module;c:\windows\system32\drivers\Usbnic.sys [18/09/2008 2:39 PM 11536]
S3 W35UND;IS89C35 802.11bg WLAN USB Adapter Driver;c:\windows\system32\drivers\W35UND.SYS [12/09/2006 4:18 PM 117632]
.
Contents of the 'Scheduled Tasks' folder

2009-09-18 c:\windows\Tasks\NeroLiveEpgUpdate-BRENDAN_Administrator.job
- c:\program files\Nero\Nero 9\Nero Live\NeroLive.exe [2008-09-18 03:51]

2009-09-18 c:\windows\Tasks\User_Feed_Synchronization-{9D0D8826-48B5-4844-9723-FA73C8CB0539}.job
- c:\windows\system32\msfeedssync.exe [2007-08-13 17:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://ninemsn.com.au/
uInternet Settings,ProxyOverride = *.local
IE: Crawler Search - tbr:iemenu
Trusted Zone: myspace.com\www
Handler: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - c:\progra~1\Crawler\Toolbar\ctbr.dll
DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} - hxxp://www.nero.com/doc/NeroVersionCheckerControl.cab
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{604BC32A-9680-40D1-9AC6-E06B23A1BA4C} - (no file)
Notify-30112d3c573 - c:\windows\System32\divx_xx0732.dll
AddRemove-3da8b6e7-2867-a7ba-194f-8cf8ad7397fb - c:\windows\system32\3da8b6e7-2867-a7ba-194f-8cf8ad7397fb.exe
AddRemove-HijackThis - c:\documents and settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\KKSKUPUP\HijackThis.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-19 10:03
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\Norton Internet Security]
"ImagePath"="\"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe\" /s \"Norton Internet Security\" /m \"c:\program files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-1957994488-1645522239-725345543-500\Software\Microsoft\Internet Explorer\User Preferences]
@Denied: (2) (Administrator)
"88D7D0879DAB32E14DE5B3A805A34F98AFF34F5977"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,6b,b0,2f,cb,40,67,01,4d,bf,2f,5c,\
"2D53CFFC5C1A3DD2E97B7979AC2A92BD59BC839E81"=hex:01,00,00,00,d0,8c,9d,df,01,15,
d1,11,8c,7a,00,c0,4f,c2,97,eb,01,00,00,00,27,63,8a,41,73,f2,b3,48,be,00,73,\

[HKEY_USERS\S-1-5-21-1957994488-1645522239-725345543-500\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)

[HKEY_USERS\S-1-5-21-1957994488-1645522239-725345543-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*"*Å*#\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1957994488-1645522239-725345543-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*;*C*b%\OpenWithList]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1957994488-1645522239-725345543-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*"*v*]
@Class="Shell"

[HKEY_USERS\S-1-5-21-1957994488-1645522239-725345543-500\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.*"*v*\OpenWithList]
@Class="Shell"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(1436)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4028)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\windows\system32\LEXBCES.EXE
c:\windows\system32\LEXPPS.EXE
c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
c:\program files\Lexmark 2200 Series\lxbvbmon.exe
c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
c:\program files\Seagate\Basics\Service\SyncServicesBasics.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\LightScribe\LSSrvc.exe
c:\program files\Common Files\Nero\Nero BackItUp 4\NBService.exe
c:\program files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
c:\program files\Spyware Terminator\sp_rsser.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-09-19 10:06 - machine was rebooted




ComboFix-quarantined-files.txt 2009-09-19 00:06

Pre-Run: 435,846,311,936 bytes free
Post-Run: 441,732,681,728 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

334 --- E O F --- 2009-09-11 13:33
 

kimsland

New Member
Wow, that worked really well and removed lots of horrible stuff.
Please go Start > Run > Combofix /U to uninstall it (Note: it will look like it's about to run again, but it won't ;))

Please restart (if you haven't done so already).

Then download and run CCleaner.
And also run CCleaner's "Registry" fix button (run this fix and repair all (without backup) at least 3 times).

Then restart again.

Then provide a new HJT log.
By the way, I have to go out, but will check back later :)
Also, you decided to keep Norton; are you also still running file-share programs too?
 

BCs

Member
Have run CCleaner and it seemed to work well. Latest log from HijackThis is attached. Problem I now have is that the time from shutdown/restart to the machine actually restarting is now 7 minutes. Never been more than ~90 secs.
My turn to head out now. Brother-in-law's 50th birthday, have to set up some gear.
Cheers

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:32:24 PM, on 19/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\dvd43\dvd43_tray.exe
C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe
C:\Program Files\Lexmark 2200 Series\lxbvbmon.exe
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\wisco\BackupOutlook\BackupOutlook.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\VideoMate\ComproRemote.exe
C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\MSN\Toolbar\3.0.1203.0\msntask.exe
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Companion\Installs\cpn\ytbb.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ninemsn.com.au/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: BTjunkie Toolbar - {1a71246c-3eb0-4d6c-af77-3ab756017c3a} - C:\Program Files\BTjunkie\tbBTj1.dll
R3 - URLSearchHook: Yahoo!7 Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: BTjunkie Toolbar - {1a71246c-3eb0-4d6c-af77-3ab756017c3a} - C:\Program Files\BTjunkie\tbBTj1.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: Symantec NCO BHO - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\IPSBHO.DLL
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar Helper - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O2 - BHO: SingleInstance Class - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll
O3 - Toolbar: BTjunkie Toolbar - {1a71246c-3eb0-4d6c-af77-3ab756017c3a} - C:\Program Files\BTjunkie\tbBTj1.dll
O3 - Toolbar: MSN Toolbar - {1E61ED7C-7CB8-49d6-B9E9-AB4C880C8414} - C:\Program Files\MSN\Toolbar\3.0.1203.0\msneshellx.dll
O3 - Toolbar: &Crawler Toolbar - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O3 - Toolbar: Norton Toolbar - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O3 - Toolbar: Yahoo!7 Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Lexmark 2200 Series] "C:\Program Files\Lexmark 2200 Series\lxbvbmgr.exe"
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [basicsmssmenu] "C:\Program Files\Seagate\Basics\Basics Status\MaxMenuMgrBasics.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SpywareTerminator] "C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [BackupOutlook] "C:\Program Files\wisco\BackupOutlook\BackupOutlook.exe" silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: ComproRemote.lnk
O4 - Global Startup: ComproSchedulerDTV.lnk = C:\Program Files\Common Files\VideoMate\ComproSchedulerDTV.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: Crawler Search - tbr:iemenu
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - https://support.microsoft.com/OAS/ActiveX/MSDcode.cab
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} - https://www-secure.symantec.com/techsupp/asa/ss/sa/sa_cabs/tgctlsr.cab
O16 - DPF: {680285A8-96D3-43DA-9D3D-51DD987D0B77} (NeroVersionCheckerControl Control) - http://www.nero.com/doc/NeroVersionCheckerControl.cab
O16 - DPF: {6A344D34-5231-452A-8A57-D064AC9B7862} (Symantec Download Manager) - https://webdl.symantec.com/activex/symdlmgr.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1222386794109
O18 - Protocol: symres - {AA1061FE-6C41-421F-9344-69640C9732AB} - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\coIEPlg.dll
O18 - Protocol: tbr - {4D25FB7A-8902-4291-960E-9ADA051CFBBF} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Basics Service - Seagate Technology LLC - C:\Program Files\Seagate\Basics\Service\SyncServicesBasics.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Nero BackItUp Scheduler 4.0 - Nero AG - C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Internet Security - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.7.2.11\ccSvcHst.exe
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe

--
End of file - 10465 bytes
 
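Added example, not code from the thread or from the HijackThis/ComboFix authors: a small Python 3.8+ triage script that reads constructed sample lines shaped like the ComboFix "Reg Loading Points" dump and the HijackThis R3/O2/O3/O4 entries posted above, and flags what a cleanup helper checks first. It reports one CLSID hooked into IE as URLSearchHook, BHO and toolbar at once (the BTjunkie pattern), unnamed or orphaned BHOs, Run values with an unqualified executable name, Security Center monitoring switched off, the Windows Firewall standard profile disabled, and firewall exceptions for file-sharing clients. The file-sharing watch-list and the severity levels are my assumptions, and the sample text is constructed from the shapes in the logs rather than copied from them.

```python
"""Triage helper for HijackThis and ComboFix text logs (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample lines, shaped like the logs posted in this thread.
SAMPLE_HJT = r"""
R3 - URLSearchHook: BTjunkie Toolbar - {1a71246c-3eb0-4d6c-af77-3ab756017c3a} - C:\Program Files\BTjunkie\tbBTj1.dll
O2 - BHO: BTjunkie Toolbar - {1A71246C-3EB0-4D6C-AF77-3AB756017C3A} - C:\Program Files\BTjunkie\tbBTj1.dll
O2 - BHO: (no name) - {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411} - C:\PROGRA~1\Crawler\Toolbar\ctbr.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O3 - Toolbar: BTjunkie Toolbar - {1a71246c-3eb0-4d6c-af77-3ab756017c3a} - C:\Program Files\BTjunkie\tbBTj1.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKCU\..\Run: [BackupOutlook] "C:\Program Files\wisco\BackupOutlook\BackupOutlook.exe" silent
"""
SAMPLE_COMBOFIX = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"""

HOOK_ENTRY = re.compile(r"^[RO]\d+ - (?P<kind>URLSearchHook|BHO|Toolbar): (?P<name>.*?) - "
                        r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
RUN_ENTRY = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
REG_KEY = re.compile(r"^\[(?P<key>[^\]]+)\]$")
REG_VALUE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<value>.*)$')
P2P_CLIENTS = {"utorrent.exe", "limewire.exe"}  # assumed watch-list of file-sharing clients


def _finding(severity, source, detail):
    return {"severity": severity, "source": source, "detail": detail}


def _first_token(cmd):
    """Executable part of a Run value: the quoted string, or the first word."""
    cmd = cmd.strip()
    return cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]


def triage_hjt(text):
    """Flag suspicious IE hooks (R3/O2/O3) and Run values (O4) in an HJT log."""
    findings, by_clsid, name_of = [], defaultdict(set), {}
    for line in map(str.strip, text.splitlines()):
        if hook := HOOK_ENTRY.match(line):
            kind, name, path = hook.group("kind"), hook.group("name"), hook.group("path")
            clsid = hook.group("clsid").lower()          # the log mixes CLSID case
            by_clsid[clsid].add(kind)
            name_of[clsid] = name
            if path.strip() == "(no file)":
                findings.append(_finding("low", "hjt", f"orphaned {kind} {clsid}: DLL missing"))
            elif name == "(no name)":
                findings.append(_finding("medium", "hjt", f"unnamed {kind} {clsid} -> {path}"))
        elif run := RUN_ENTRY.match(line):
            exe = _first_token(run.group("cmd"))
            if exe and "\\" not in exe and "/" not in exe:  # resolved via the search path
                findings.append(_finding("low", "hjt", f"Run value [{run.group('label')}] uses unqualified path {exe!r}"))
    # One DLL registered as URLSearchHook, BHO and Toolbar at once is the toolbar pattern.
    for clsid, kinds in by_clsid.items():
        if len(kinds) > 1:
            findings.append(_finding("medium", "hjt", f"{name_of[clsid]} ({clsid}) hooks IE as {'+'.join(sorted(kinds))}"))
    return findings


def triage_combofix(text):
    """Flag Security Center and firewall weakening in a ComboFix registry dump."""
    findings, key = [], ""
    for line in map(str.strip, text.splitlines()):
        if k := REG_KEY.match(line):
            key = k.group("key").lower()
        elif v := REG_VALUE.match(line):
            name, value, leaf = v.group("name"), v.group("value").strip(), key.rsplit("\\", 1)[-1]
            if name == "DisableMonitoring" and "security center\\monitoring" in key:
                if value.startswith("dword:") and int(value[6:], 16) == 1:
                    # Legitimate when a third-party suite owns Security Center, hence medium.
                    findings.append(_finding("medium", "combofix", f"Security Center monitoring disabled for {leaf}"))
            elif name == "EnableFirewall" and "firewallpolicy" in key and value.split()[0] == "0":
                findings.append(_finding("high", "combofix", f"Windows Firewall disabled in {leaf}"))
            elif "authorizedapplications" in key:
                exe = name.replace("\\\\", "\\").rsplit("\\", 1)[-1].lower()
                if exe in P2P_CLIENTS:
                    findings.append(_finding("medium", "combofix", f"firewall exception for file-sharing client {exe}"))
    return findings


def triage(hjt_text, combofix_text):
    """Run both parsers and order the findings highest severity first."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(triage_hjt(hjt_text) + triage_combofix(combofix_text), key=lambda f: rank[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT, SAMPLE_COMBOFIX):
        print(f"[{f['severity']:>6}] {f['source']:<8} {f['detail']}")
```

Run it as a script to see the ordered findings for the constructed samples, or feed `triage()` the text of your own saved logs. The DisableMonitoring entries are rated medium rather than high on purpose: a suite such as NIS registers itself with Security Center and legitimately turns the built-in monitoring off, so on their own those keys are a prompt to confirm which product set them, not proof of compromise.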

johnb35

Administrator
Staff member
You were very infected. Most likely being that infected has caused some Windows file issues, and that is now causing the slowdown. You might want to think about doing a clean install of Windows now. Back up any data you want saved, though.
 

BCs

Member
Thanks for that thought. It had actually already crossed my mind that it might be a good option.
Also interested in thoughts on Spyware Terminator and Malwarebytes.
Especially Malwarebytes, as I ran a full scan overnight and came back 10 h later and the time was still ticking away, yet the program had stopped scanning because of an error code 721 (0, 5).
 

kimsland

New Member
Problem I now have is from time of shutdown restart to machine actually restarting is now 7 minutes. Never been more than ~90 secs.
Yes, I'd say another restart may fix that a bit ;)

But johnb35 has a good point: you were very infected, and both Spyware Terminator and Norton IS really didn't help (except to continually keep your system slow). How attached are you to these programs? (Note I did already suggest using the free Avira.)

You have a number of startups still loading that are just not required, and I'm also concerned about how much resource the Lexmark printer software is taking in Task Manager.
There is a good tool here called Startup Control Panel that can help you remove some of these unrequired startups: http://www.mlin.net/StartupCPL.shtml
Note that disabling the startup may still leave service startups happening with Windows (i.e. Spyware Terminator).

Did you end up uninstalling uTorrent, or is it presently closed? (I think you may have uninstalled it, and if so, well done, especially whilst trying to remove malware.)

It may be a good time to clean out any System Restore points as well:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
 

BCs

Member
OK,

We have run both programs and have shaved a couple of minutes
off the reboot time, but it is still unacceptably high.
uTorrent and Terminator have been terminated. NIS I like as a product, mainly because it blocks my long-lost uncles/aunts from Nigeria who constantly want to give me their millions of dollars from their long-lost relatives via the package that FedEx is holding for me (still)!!

We are still being hijacked, but they may be on an external hard drive that has now become corrupt and unreadable. I will format the external drive and see how we go from there.
 

BCs

Member
No luck formatting the external hard drive. Unreadable/corrupt.
Thoughts, as we are still being hijacked? Just ran Malware in safe mode, nothing showing, but was hijacked at the end. :(
 

kimsland

New Member
If you're willing to hang in there, we are slowly but surely getting through this.

Download SDFix, SDFix Instructions can be found HERE. But here's a quick rundown:
  • Download SDFix
  • Double click on SDFix, it will automatically extract to C:\SDFix folder
  • Restart to Safe Mode
  • Start > Run > C:\SDFix\RunThis.bat
  • When requested, press "Y" key, then Enter
  • The scan will begin and eventually your computer will restart to Normal Mode
  • A Notepad log will automatically open, please save this log to your Desktop, and then attach it to a new reply
 

BCs

Member
SDFix has been run & log is attached:

SDFix: Version 1.240
Run by Administrator on Mon 21/09/2009 at 02:45 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\sdfix

Checking Services :


Restoring Default Security Values
Restoring Default Hosts File

Rebooting


Checking Files :

No Trojan Files Found






Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-21 15:01:01
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Intuit\\QuickBooks 2008-09\\QBDBMgrN.exe"="C:\\Program Files\\Intuit\\QuickBooks 2008-09\\QBDBMgrN.exe:*:Enabled:QuickBooks 2007 Data Manager"
"C:\\Program Files\\Joost Plugin\\joostws.exe"="C:\\Program Files\\Joost Plugin\\joostws.exe:*:Enabled:joostws"
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"="C:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe:*:Enabled:Windows Live Sync"

Remaining Files :



Files with Hidden Attributes :

Mon 22 Oct 2007 25,600 A..H. --- "C:\Documents and Settings\My Documents\~WRL0001.tmp"
Fri 28 Sep 2007 113,664 A..H. --- "C:\Documents and Settings\My Documents\~WRL0002.tmp"
Thu 13 Dec 2007 19,456 A..H. --- "C:\Documents and Settings\My Documents\~WRL0003.tmp"
Mon 1 Oct 2007 20,480 A..H. --- "C:\Documents and Settings\My Documents\~WRL0004.tmp"
Mon 12 Nov 2007 1,112,064 A..H. --- "C:\Documents and Settings\My Documents\~WRL0005.tmp"
Wed 27 Feb 2008 20,480 A..H. --- "C:\Documents and Settings\My Documents\~WRL0006.tmp"
Mon 21 Apr 2008 29,696 A..H. --- "C:\Documents and Settings\My Documents\~WRL0165.tmp"
Mon 23 Jun 2008 24,064 A..H. --- "C:\Documents and Settings\My Documents\~WRL1687.tmp"
Sun 19 Aug 2007 19,968 A..H. --- "C:\Documents and Settings\My Documents\~WRL2660.tmp"
Mon 14 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 14 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Sun 2 Nov 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 20 Oct 2008 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Mon 18 Aug 2008 20,992 A..H. --- "C:\Documents and Settings\My Documents\Alex's school work\english literature\~WRL3993.tmp"
Thu 15 Jan 2009 13 ...H. --- "C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Silverlight\BIT2.tmp"

Finished!
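As an added example (not part of the thread, and not SDFix's own code), here is a small Python triage script for the two sections of an SDFix log that matter most when a machine misbehaves like this one: the firewall AuthorizedApplications export and the "Files with Hidden Attributes" list. It runs over a constructed excerpt modelled on the log above, lists every program allowed through the XP firewall per profile, flags P2P/file-sharing clients by basename (the client list and the section headings it keys on are assumptions), and flags executables carrying both the System and Hidden attributes, a common cloaking trick. Note that msmsgs.exe (Windows Messenger) and msimn.exe (Outlook Express) are stock XP components, so a hit there is a lead to verify against a known-good copy rather than a verdict.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: a trimmed excerpt modelled on the SDFix log posted in the
# thread (a handful of firewall entries and hidden-attribute files, not the full log).
SDFIX_EXCERPT = r'''
Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"="C:\\Program Files\\TVUPlayer\\TVUPlayer.exe:*:Enabled:TVUPlayer Component"
"C:\\WINDOWS\\system32\\LEXPPS.EXE"="C:\\WINDOWS\\system32\\LEXPPS.EXE:*:Enabled:LEXPPS.EXE"

Remaining Files :

Files with Hidden Attributes :

Mon 22 Oct 2007 25,600 A..H. --- "C:\Documents and Settings\My Documents\~WRL0001.tmp"
Mon 14 Apr 2008 1,695,232 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 14 Apr 2008 60,416 A.SH. --- "C:\Program Files\Outlook Express\msimn.exe"
Sun 2 Nov 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"

Finished!
'''

# One registry value from the firewall export: "name"="path:scope:mode:description".
FW_LINE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>[^"]*)"$')
FW_VALUE = re.compile(r'^(?P<path>.+?):(?P<scope>[^:]*):(?P<mode>[Ee]nabled|[Dd]isabled):(?P<desc>.*)$')

# One line from "Files with Hidden Attributes": date, size, attribute flags, path.
HIDDEN_LINE = re.compile(
    r'^(?P<date>\w{3} \d{1,2} \w{3} \d{4}) (?P<size>[\d,]+) (?P<attrs>[A-Z.]{5}) --- "(?P<path>[^"]+)"$')

# Assumption: basenames of P2P / file-sharing clients worth flagging (the two named
# in the thread plus TVUPlayer, a peer-to-peer TV client), compared case-insensitively.
P2P_CLIENTS = {"limewire.exe", "utorrent.exe", "tvuplayer.exe"}
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".scr", ".com", ".pif", ".bat", ".cmd"}


def section(text, start, end):
    """Return the lines between the SDFix headings `start` and `end` (exclusive)."""
    lines = text.splitlines()
    if start not in lines:
        return []
    out = []
    for line in lines[lines.index(start) + 1:]:
        if line.strip() == end:
            break
        out.append(line)
    return out


def parse_firewall_apps(text):
    """Parse the AuthorizedApplications export into one dict per allowed program."""
    apps, profile = [], None
    for line in section(text, "Authorized Application Key Export:", "Remaining Files :"):
        if line.startswith("[") and line.endswith("]"):
            # ...\firewallpolicy\<profile>\authorizedapplications\list
            profile = line.strip("[]").rsplit("\\", 3)[-3]
            continue
        m = FW_LINE.match(line)
        v = FW_VALUE.match(m.group("value")) if m else None
        if not v:
            continue
        apps.append({
            "profile": profile,
            "path": v.group("path").replace("\\\\", "\\"),  # .reg export doubles backslashes
            "scope": v.group("scope"),
            "enabled": v.group("mode").lower() == "enabled",
            "description": v.group("desc"),
        })
    return apps


def parse_hidden_files(text):
    """Parse the hidden-attribute listing; attrs becomes a set of flag letters."""
    files = []
    for line in section(text, "Files with Hidden Attributes :", "Finished!"):
        m = HIDDEN_LINE.match(line)
        if not m:
            continue
        files.append({
            "path": m.group("path"),
            "size": int(m.group("size").replace(",", "")),
            "attrs": set(m.group("attrs").replace(".", "")),  # e.g. {'S', 'H'}
        })
    return files


def triage(text):
    """Flag enabled firewall holes for P2P clients and System+Hidden executables."""
    p2p_holes = [
        a["path"] for a in parse_firewall_apps(text)
        if a["enabled"] and PureWindowsPath(a["path"]).name.lower() in P2P_CLIENTS
    ]
    cloaked_exes = [
        f["path"] for f in parse_hidden_files(text)
        if {"S", "H"} <= f["attrs"]
        and PureWindowsPath(f["path"]).suffix.lower() in EXECUTABLE_SUFFIXES
    ]
    return {"p2p_firewall_holes": p2p_holes, "hidden_system_executables": cloaked_exes}


if __name__ == "__main__":
    for key, hits in triage(SDFIX_EXCERPT).items():
        print(key)
        for hit in hits:
            print("  ", hit)
```

Point the script at a saved SDFix log instead of the embedded excerpt by reading the file into `triage()`; the section headings and line layout are taken from the log format shown in this thread, so a different SDFix version may need the two heading strings adjusted.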
 

kimsland

New Member
Please fully uninstall LimeWire.
Then run CCleaner again.
Then restart.
Is it fast now?

You can re-install LimeWire if you still want this file-sharing program installed.
 

kimsland

New Member
Try Safe Mode instead (F8 at system startup).

You know, all this probably happened due to file sharing (that and Norton).
 