1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: "Your Privacy is in danger" Virus has infected my computer

Discussion in 'Virus & Other Malware Removal' started by James Judkins, Aug 27, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. James Judkins

    James Judkins Thread Starter

    Joined:
    Feb 17, 2008
    Messages:
    24
    Hi i have the "your pivacy is in danger" red screen virus that appears to have infected many othe users.
    Similarly i have limited acces to my computer, have numerous popups and am generally frustrated.
    I have posted my hijackthis log below

    Really hope someone can help.

    Regards

    James


    Hijack This Log:


    Logfile of HijackThis v1.99.1
    Scan saved at 19:05: VIRUS ALERT!, on 27/08/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\ewido\ewidoctrl.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Windows Media Player\WMPNetwk.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\DNA\btdna.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Documents and Settings\James\My Documents\Spyware Protection\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarereferral.com/jump.php?wmid=6010&mid=MjI6Ojg5&lid=2
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: (no name) - {74CE56FF-3469-47C0-93E1-D0CB8B203EA9} - C:\WINDOWS\system32\yayxxxXo.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O2 - BHO: QXK Olive - {E350B1C6-A8DC-4EEF-90DB-61DCAE9D1B67} - C:\WINDOWS\rodqgpvlkoa.dll
    O3 - Toolbar: qalkfxor - {18C388BB-5014-4906-AE38-E62BA5AA7387} - C:\WINDOWS\qalkfxor.dll
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [s9201] "C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe" /autorun
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/bestfriends/miniclipGameLoader.dll
    O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
    O16 - DPF: {74EF5274-F439-2168-B543-14745B625C72} (CPlayFirstWeddingDasControl Object) - http://games.bigfishgames.com/en_we...orld-game/online/WeddingDash2Web.1.0.0.11.cab
    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{09CF67F9-5590-428B-BD1D-C0F4EB4266F2}: NameServer = 85.255.113.108,85.255.112.10
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 194.168.4.100 194.168.8.100
    O17 - HKLM\System\CS1\Services\Tcpip\..\{09CF67F9-5590-428B-BD1D-C0F4EB4266F2}: NameServer = 194.168.4.100,194.168.8.100
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.108 85.255.112.10
    O17 - HKLM\System\CS2\Services\Tcpip\..\{09CF67F9-5590-428B-BD1D-C0F4EB4266F2}: NameServer = 85.255.113.108,85.255.112.10
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 194.168.4.100 194.168.8.100
    O17 - HKLM\System\CS3\Services\Tcpip\..\{09CF67F9-5590-428B-BD1D-C0F4EB4266F2}: NameServer = 194.168.4.100,194.168.8.100
    O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 194.168.4.100 194.168.8.100
    O17 - HKLM\System\CS4\Services\Tcpip\..\{09CF67F9-5590-428B-BD1D-C0F4EB4266F2}: NameServer = 194.168.4.100,194.168.8.100
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.108 85.255.112.10
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: yayxxxXo - C:\WINDOWS\SYSTEM32\yayxxxXo.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: pdoskegl - {E7DB86B4-FD62-464C-8CD2-BC2357A00549} - C:\WINDOWS\pdoskegl.dll
    O21 - SSODL: rqbmvpso - {9BE40AB9-D022-4935-B381-D6BE101960AC} - C:\WINDOWS\rqbmvpso.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\ewidoctrl.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
     
  2. James Judkins

    James Judkins Thread Starter

    Joined:
    Feb 17, 2008
    Messages:
    24
    I've tried to restart in safe mode and it makes no difference, almost all of the same problems remain.

    I've even tried to restore to a previous date but the virus has blocked my use of system restore.

    Please help!
     
  3. James Judkins

    James Judkins Thread Starter

    Joined:
    Feb 17, 2008
    Messages:
    24
    still having major probems with this using other cpersons computer as unable to access anything from home need advice soon as thanks
     
  4. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Welcome to TSG :)

    Sorry for the delay.

    If you still require help, please post a fresh Hijackthis. thanks
     
  5. James Judkins

    James Judkins Thread Starter

    Joined:
    Feb 17, 2008
    Messages:
    24
    Yes still having same problems.

    Sorry for the delayed reply but my browser is redirecting my attempts to access Techguy and other sites, so having to use works computer.

    Here is my most recent Hijack this log

    Logfile of HijackThis v1.99.1
    Scan saved at 22:31: VIRUS ALERT!, on 04/09/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\James\My Documents\Spyware Protection\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O3 - Toolbar: qalkfxor - {18C388BB-5014-4906-AE38-E62BA5AA7387} - C:\WINDOWS\qalkfxor.dll (file missing)
    O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
    O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ec41e342] rundll32.exe "C:\WINDOWS\system32\unyjoqpc.dll",b
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: http://www.pandasecurity.com
    O15 - Trusted Zone: http://forums.techguy.org
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {288C5F13-7E52-4ADA-A32E-F5BF9D125F99} (CR64Loader Object) - http://www.miniclip.com/bestfriends/miniclipGameLoader.dll
    O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
    O16 - DPF: {74EF5274-F439-2168-B543-14745B625C72} (CPlayFirstWeddingDasControl Object) - http://games.bigfishgames.com/en_we...orld-game/online/WeddingDash2Web.1.0.0.11.cab
    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{09CF67F9-5590-428B-BD1D-C0F4EB4266F2}: NameServer = 85.255.115.58,85.255.112.159
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 194.168.4.100 194.168.8.100
    O17 - HKLM\System\CS1\Services\Tcpip\..\{09CF67F9-5590-428B-BD1D-C0F4EB4266F2}: NameServer = 194.168.4.100,194.168.8.100
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.5 85.255.112.65
    O17 - HKLM\System\CS2\Services\Tcpip\..\{09CF67F9-5590-428B-BD1D-C0F4EB4266F2}: NameServer = 85.255.114.5,85.255.112.65
    O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 194.168.4.100 194.168.8.100
    O17 - HKLM\System\CS3\Services\Tcpip\..\{09CF67F9-5590-428B-BD1D-C0F4EB4266F2}: NameServer = 194.168.4.100,194.168.8.100
    O17 - HKLM\System\CS4\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.159
    O17 - HKLM\System\CS4\Services\Tcpip\..\{09CF67F9-5590-428B-BD1D-C0F4EB4266F2}: NameServer = 85.255.115.58,85.255.112.159
    O17 - HKLM\System\CS5\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.159
    O17 - HKLM\System\CS5\Services\Tcpip\..\{09CF67F9-5590-428B-BD1D-C0F4EB4266F2}: NameServer = 85.255.115.58,85.255.112.159
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.58 85.255.112.159
    O20 - AppInit_DLLs: lvwmnt.dll wndjfj.dll vyllvb.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O21 - SSODL: rqbmvpso - {F1C7F24B-E4E7-416F-8DC7-A9E19AB0AAAD} - C:\WINDOWS\rqbmvpso.dll (file missing)
    O21 - SSODL: pdoskegl - {6E5CD42A-3658-4796-86C4-A844B74A283E} - C:\WINDOWS\pdoskegl.dll (file missing)
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

    Thanks

    James
     
  6. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Download Combofix from this webpage: http://www.bleepingcomputer.com/combofix/how-to-use-combofix

    **Note: It is important that it is saved directly to your desktop**

    --------------------------------------------------------------------

    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.


    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.
    Note:
    Do not mouseclick combofix's window while it's running. That may cause it to stall
     
  7. James Judkins

    James Judkins Thread Starter

    Joined:
    Feb 17, 2008
    Messages:
    24
    That is one sweet piece of software!

    Looks like its sorted everything visible. Can now access the internet and all sites such as this one that were previously being redirected. I have access to task manager and all my drives etc.

    Thanks for getting me this far!

    Hopefully not too much left to clean.

    Below are the Combofix and Hijackthis logs


    HIJACKTHIS


    Logfile of HijackThis v1.99.1
    Scan saved at 23:27, on 06/09/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\James\My Documents\Spyware Protection\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: http://www.pandasecurity.com
    O15 - Trusted Zone: http://forums.techguy.org
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
    O16 - DPF: {74EF5274-F439-2168-B543-14745B625C72} (CPlayFirstWeddingDasControl Object) - http://games.bigfishgames.com/en_we...orld-game/online/WeddingDash2Web.1.0.0.11.cab
    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.114.5 85.255.112.65
    O17 - HKLM\System\CS2\Services\Tcpip\..\{09CF67F9-5590-428B-BD1D-C0F4EB4266F2}: NameServer = 85.255.114.5,85.255.112.65
    O20 - AppInit_DLLs: lvwmnt.dll wndjfj.dll pmuqwg.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)



    COMBOFIX


    ComboFix 08-09-05.02 - James 2008-09-06 23:02:41.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.644 [GMT 1:00]
    Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\James\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\DOCUME~1\James\LOCALS~1\Temp\tmp2.tmp
    C:\Documents and Settings\All Users\Application Data\Secure Solutions
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\as2008xp.exe
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080825151439750.log
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080825185438312.log
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080827190137390.log
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080827191611465.log
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080828181910664.log
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080828231436743.log
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080829181653518.log
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080829200722050.log
    C:\Documents and Settings\All Users\Application Data\Secure Solutions\Antispyware 2008 XP\LOG\20080830100800742.log
    C:\Documents and Settings\Claire\Application Data\addon.dat
    C:\Documents and Settings\Claire\Desktop\Error Cleaner.url
    C:\Documents and Settings\Claire\Desktop\Privacy Protector.url
    C:\Documents and Settings\Claire\Desktop\Spyware&Malware Protection.url
    C:\Documents and Settings\Claire\Favorites\Error Cleaner.url
    C:\Documents and Settings\Claire\Favorites\Privacy Protector.url
    C:\Documents and Settings\Claire\Favorites\Spyware&Malware Protection.url
    C:\Documents and Settings\James\Application Data\addon.dat
    C:\Documents and Settings\James\Application Data\Adssite Advanced Toolbar
    C:\Documents and Settings\James\Application Data\Adssite Advanced Toolbar\selected.xml
    C:\Documents and Settings\James\Cookies\[email protected][2].txt
    C:\Documents and Settings\Paul\Cookies\[email protected][2].txt
    C:\Program Files\outlook
    C:\Program Files\winupdates
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\eskd.exe
    C:\WINDOWS\etbr.exe
    C:\WINDOWS\system32\bbjtochr.ini
    C:\WINDOWS\system32\bHQpoUtv.ini
    C:\WINDOWS\system32\bHQpoUtv.ini2
    C:\WINDOWS\system32\bszip.dll
    C:\WINDOWS\system32\cmd.com
    C:\WINDOWS\system32\cpqojynu.ini
    C:\WINDOWS\system32\cxvlrd.dll
    C:\WINDOWS\system32\drivers\msliksurserv.sys
    C:\WINDOWS\system32\ewdhacgy.ini
    C:\WINDOWS\system32\fccaAqqr.dll
    C:\WINDOWS\system32\fccdbXpO.dll
    C:\WINDOWS\system32\ffgekewe.dll
    C:\WINDOWS\system32\flynyiyo.ini
    C:\WINDOWS\system32\friayals.dll
    C:\WINDOWS\system32\hwaeylgx.dll
    C:\WINDOWS\system32\iylefh.dll
    C:\WINDOWS\system32\lvwmnt.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\msliksurcredo.dll
    C:\WINDOWS\system32\msliksurdns.dll
    C:\WINDOWS\system32\netstat.com
    C:\WINDOWS\system32\npfbhjjm.dll
    C:\WINDOWS\system32\ping.com
    C:\WINDOWS\system32\pmuqwg.dll
    C:\WINDOWS\system32\psazlh.dll
    C:\WINDOWS\system32\pscqxa.dll
    C:\WINDOWS\system32\pwyubrxg.ini
    C:\WINDOWS\system32\rhbmpdlo.dll
    C:\WINDOWS\system32\rwsirrva.dll
    C:\WINDOWS\system32\slayairf.ini
    C:\WINDOWS\system32\smbols~1
    C:\WINDOWS\system32\smwyfhqx.dll
    C:\WINDOWS\system32\stem32~1
    C:\WINDOWS\system32\taskkill.com
    C:\WINDOWS\system32\tasklist.com
    C:\WINDOWS\system32\tdssadw.dll
    C:\WINDOWS\system32\tdssinit.dll
    C:\WINDOWS\system32\tdssl.dll
    C:\WINDOWS\system32\tdsslog.dll
    C:\WINDOWS\system32\tdssmain.dll
    C:\WINDOWS\system32\tdssservers.dat
    C:\WINDOWS\system32\tracert.com
    C:\WINDOWS\system32\uanbshmp.dll
    C:\WINDOWS\system32\uvungcrc.ini
    C:\WINDOWS\system32\vpqaqcsm.dll
    C:\WINDOWS\system32\vyllvb.dll
    C:\WINDOWS\system32\wfmcvfsl.ini
    C:\WINDOWS\system32\wndjfj.dll
    C:\WINDOWS\system32\wxddhnjf.ini
    C:\WINDOWS\system32\yayxxxXo.dll
    C:\WINDOWS\wnsxs~1

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_6TO4
    -------\Service_6to4


    ((((((((((((((((((((((((( Files Created from 2008-08-06 to 2008-09-06 )))))))))))))))))))))))))))))))
    .

    2008-09-06 13:44 . 2008-09-06 13:45 <DIR> d-------- C:\Program Files\BitLord
    2008-09-04 23:05 . 2008-09-04 23:05 103,552 --a------ C:\WINDOWS\system32\rhcotjbb.dll
    2008-09-03 12:59 . 2008-09-06 18:47 <DIR> d-------- C:\Program Files\ewido anti-spyware 4.0
    2008-09-01 19:28 . 2008-09-01 19:28 124,544 --a------ C:\WINDOWS\system32\vlatbl.dll
    2008-09-01 19:28 . 2008-09-01 19:28 124,544 --a------ C:\WINDOWS\system32\bwxjiulw.dll
    2008-08-30 11:38 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-08-30 11:38 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-08-30 11:38 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-08-30 11:38 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
    2008-08-30 11:38 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-08-30 11:38 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-08-30 11:38 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-08-30 11:23 . 2008-08-30 11:48 3,946 --a------ C:\WINDOWS\system32\tmp.reg
    2008-08-29 20:15 . 2008-08-29 20:15 169 --a------ C:\WINDOWS\AvDetected.ini
    2008-08-29 19:29 . 2008-08-29 19:29 12,288 --a------ C:\WINDOWS\system32\tdssserf.dll
    2008-08-25 18:33 . 2008-08-25 18:33 <DIR> d-------- C:\Documents and Settings\Claire\Application Data\Virgin Broadband
    2008-08-25 18:33 . 2008-08-25 18:33 <DIR> d-------- C:\Documents and Settings\Claire\Application Data\TmpRecentIcons
    2008-08-25 18:33 . 2008-08-25 18:33 <DIR> d-------- C:\Documents and Settings\Claire\Application Data\Grisoft
    2008-08-25 16:15 . 2008-08-25 16:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
    2008-08-25 15:14 . 2008-08-25 15:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\services
    2008-08-25 15:07 . 2008-08-25 15:07 108,336 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
    2008-08-25 15:07 . 2008-08-25 15:07 106,496 --a------ C:\WINDOWS\system32\sniffer.ocx
    2008-08-25 15:06 . 2008-08-25 15:06 <DIR> d-------- C:\Documents and Settings\James\Saved Games
    2008-08-25 15:06 . 2008-08-25 15:06 <DIR> d-------- C:\Documents and Settings\James\Application Data\FloodLightGames
    2008-08-25 15:06 . 2008-08-25 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FloodLightGames

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-06 13:10 --------- d-----w C:\Documents and Settings\Paul\Application Data\Ahead
    2008-09-04 19:12 --------- d-----w C:\Program Files\SpywareGuard
    2008-09-04 18:55 --------- d-----w C:\Program Files\Hidden Expedition Titanic
    2008-09-04 18:55 --------- d-----w C:\Program Files\DNA
    2008-09-04 18:54 --------- d-----w C:\Documents and Settings\James\Application Data\Lavasoft
    2008-09-04 18:53 --------- d-----w C:\Program Files\DivX
    2008-08-30 09:09 --------- d-----w C:\Program Files\InstallShield Installation Information
    2008-08-25 17:33 --------- d-----w C:\Documents and Settings\Claire\Application Data\Ahead
    2008-08-25 15:02 --------- d-----w C:\Program Files\FinalBurner
    2008-08-25 14:16 --------- d-----w C:\Program Files\Football Manager 2008
    2008-08-06 18:57 --------- d-----w C:\Documents and Settings\James\Application Data\GanymedeNet
    2008-08-01 20:43 --------- d-----w C:\Program Files\iTunes
    2008-08-01 20:43 --------- d-----w C:\Program Files\iPod
    2008-08-01 20:41 --------- d-----w C:\Program Files\QuickTime
    2008-07-30 19:25 23,416 ----a-w C:\Documents and Settings\James\Application Data\GDIPFONTCACHEV1.DAT
    2008-07-26 17:17 --------- d-----w C:\Program Files\Ganymede
    2008-07-16 17:56 --------- d-----w C:\Program Files\Java
    2005-06-30 11:13 32 ----a-r C:\Documents and Settings\All Users\hash.dat
    2006-08-29 21:39 548,864 ----a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
    2006-08-29 21:39 626,688 ----a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2007-06-27 152872]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
    "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
    "NBKeyScan"="C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe" [2007-06-29 1373480]
    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
    "VTTimer"="VTTimer.exe" [2004-10-22 C:\WINDOWS\system32\VTTimer.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

    C:\Documents and Settings\James\Start Menu\Programs\Accessories\Startup\
    MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-12-24 557568]
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 360448]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoTaskMng"= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=lvwmnt.dll wndjfj.dll pmuqwg.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.3iv2"= 3ivxVfWCodec.dll
    "msacm.divxa32"= divxa32.acm
    "VIDC.HFYU"= huffyuv.dll
    "VIDC.VP31"= vp31vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\BitLord\\BitLord.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:mad:xpsp2res.dll,-22009

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    R0 usmrsjza;usmrsjza;C:\WINDOWS\system32\drivers\ppreaxgv.dat [ ]
    S1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [ ]
    S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [ ]
    S2 sysbus32;32bit system bus driver;C:\WINDOWS\system32\drivers\sysbus32.sys [ ]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{38D33011-7115-0816-4F85-8571E5873992}]
    C:\WINDOWS\aplication\Intals.exe s
    .
    Contents of the 'Scheduled Tasks' folder
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{26ECF5C9-37A4-44FD-97B9-FB91EF81967A} - C:\WINDOWS\system32\vtUopQHb.dll
    BHO-{8939ec1e-b0d4-4657-b6be-4c2d24b156ef} - C:\WINDOWS\system32\pmuqwg.dll
    HKCU-Run-yg2oTLiEy08u00XvskNzVYlUywUK3R0ebcEqdYDUn4GRF5bcWNOLgjRZfESR4pYH5iENUeglsowPUfzxusZckTNxB8FePmfNOwY9fT4sJqmZ9sfvWBpwlVzr6a03dMmKnehDIIAhrFcTqSQDsRfLQxJV4lK4BJ5zEHmjJddMryzOyniCwjUd4JNXhBJgbOxXV0Wt3IpPFbhVKM3VmLz2hQftuFJGuRVBhkyWFU8z6SoHzdqgfLMqcln2jR6vITdUf - (no file)
    HKLM-Run-ec41e342 - C:\WINDOWS\system32\friayals.dll
    HKLM-Run-Cmaudio - cmicnfg.cpl
    HKLM-Run-NWEReboot - (no file)
    HKLM-Run-yg2oTLiEy08u00XvskNzVYlUywUK3R0ebcEqdYDUn4GRF5bcWNOLgjRZfESR4pYH5iENUeglsowPUfzxusZckTNxB8FePmfNOwY9fT4sJqmZ9sfvWBpwlVzr6a03dMmKnehDIIAhrFcTqSQDsRfLQxJV4lK4BJ5zEHmjJddMryzOyniCwjUd4JNXhBJgbOxXV0Wt3IpPFbhVKM3VmLz2hQftuFJGuRVBhkyWFU8z6SoHzdqgfLMqcln2jR6vITdUf - (no file)
    SSODL-rqbmvpso-{F1C7F24B-E4E7-416F-8DC7-A9E19AB0AAAD} - C:\WINDOWS\rqbmvpso.dll
    SSODL-pdoskegl-{6E5CD42A-3658-4796-86C4-A844B74A283E} - C:\WINDOWS\pdoskegl.dll


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\James\Application Data\Mozilla\Firefox\Profiles\6u7ucs14.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://en-GB.start.mozilla.com/firefox?client=firefox-a&rls=org.mozilla:en-GB:eek:fficial
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-06 23:15:16
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet004\Services\usmrsjza]
    "ImagePath"="system32\drivers\ppreaxgv.dat"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\Program Files\Citrix\ICA Client\pnsson.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-06 23:21:17 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-06 22:21:12

    Pre-Run: 47,990,042,624 bytes free
    Post-Run: 48,583,221,248 bytes free

    WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
    [operating systems]
    C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn

    256 --- E O F --- 2008-08-14 07:38:49
     
  8. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Almost clean just a few more things to clean up.


    Download the attached file CFScript.txt to your Desktop


    [​IMG]

    Refering to the picture above, drag CFScript into ComboFix.exe

    When finished, it shall produce a log for you at "C:\ComboFix.txt". In your next reply, please include the ComboFix log and a fresh HIjackthis log.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall



    Note:Please do not use this script on another computer, you may damage the system. The script is made especially for this user's computer only!!!!



    ==========================================================



    Please download Malwarebytes Anti-Malware from Here or Here
    Double Click mbam-setup.exe to install the application.
    • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform Quick Scan, then click Scan.
    • The scan may take some time to finish,so please be patient.
    • When the scan is complete, click OK, then Show Results to view the results.
    • Make sure that everything is checked, and click Remove Selected.
    • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
    • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
    • Copy&Paste the entire report in your next reply with a fresh Hijackthis log too.
    Extra Note:

    If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer, please do so immediately.
     

    Attached Files:

  9. James Judkins

    James Judkins Thread Starter

    Joined:
    Feb 17, 2008
    Messages:
    24
    Here goes

    COMBO FIX LOG

    ComboFix 08-09-05.02 - James 2008-09-07 7:19:31.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.642 [GMT 1:00]
    Running from: C:\Documents and Settings\James\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\James\Desktop\CFScript.txt
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\system32\bwxjiulw.dll
    C:\WINDOWS\system32\drivers\ppreaxgv.dat
    C:\WINDOWS\system32\rhcotjbb.dll
    C:\WINDOWS\system32\tdssserf.dll
    C:\WINDOWS\system32\vlatbl.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_USMRSJZA
    -------\Service_usmrsjza


    ((((((((((((((((((((((((( Files Created from 2008-08-07 to 2008-09-07 )))))))))))))))))))))))))))))))
    .

    2008-09-06 13:44 . 2008-09-06 13:45 <DIR> d-------- C:\Program Files\BitLord
    2008-09-03 12:59 . 2008-09-06 18:47 <DIR> d-------- C:\Program Files\ewido anti-spyware 4.0
    2008-08-30 11:38 . 2007-09-06 00:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
    2008-08-30 11:38 . 2006-04-27 17:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2008-08-30 11:38 . 2008-05-18 21:40 82,944 --a------ C:\WINDOWS\system32\IEDFix.exe
    2008-08-30 11:38 . 2008-08-18 12:19 82,432 --a------ C:\WINDOWS\system32\404Fix.exe
    2008-08-30 11:38 . 2003-06-05 21:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2008-08-30 11:38 . 2004-07-31 18:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2008-08-30 11:38 . 2007-10-04 00:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
    2008-08-30 11:23 . 2008-08-30 11:48 3,946 --a------ C:\WINDOWS\system32\tmp.reg
    2008-08-29 20:15 . 2008-08-29 20:15 169 --a------ C:\WINDOWS\AvDetected.ini
    2008-08-25 18:33 . 2008-08-25 18:33 <DIR> d-------- C:\Documents and Settings\Claire\Application Data\Virgin Broadband
    2008-08-25 18:33 . 2008-08-25 18:33 <DIR> d-------- C:\Documents and Settings\Claire\Application Data\TmpRecentIcons
    2008-08-25 18:33 . 2008-08-25 18:33 <DIR> d-------- C:\Documents and Settings\Claire\Application Data\Grisoft
    2008-08-25 16:15 . 2008-08-25 16:15 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
    2008-08-25 15:14 . 2008-08-25 15:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\services
    2008-08-25 15:07 . 2008-08-25 15:07 108,336 --a------ C:\WINDOWS\system32\MSWINSCK.OCX
    2008-08-25 15:07 . 2008-08-25 15:07 106,496 --a------ C:\WINDOWS\system32\sniffer.ocx
    2008-08-25 15:06 . 2008-08-25 15:06 <DIR> d-------- C:\Documents and Settings\James\Saved Games
    2008-08-25 15:06 . 2008-08-25 15:06 <DIR> d-------- C:\Documents and Settings\James\Application Data\FloodLightGames
    2008-08-25 15:06 . 2008-08-25 15:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FloodLightGames

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-09-06 13:10 --------- d-----w C:\Documents and Settings\Paul\Application Data\Ahead
    2008-09-04 19:12 --------- d-----w C:\Program Files\SpywareGuard
    2008-09-04 18:55 --------- d-----w C:\Program Files\Hidden Expedition Titanic
    2008-09-04 18:55 --------- d-----w C:\Program Files\DNA
    2008-09-04 18:54 --------- d-----w C:\Documents and Settings\James\Application Data\Lavasoft
    2008-09-04 18:53 --------- d-----w C:\Program Files\DivX
    2008-08-30 09:09 --------- d-----w C:\Program Files\InstallShield Installation Information
    2008-08-25 17:33 --------- d-----w C:\Documents and Settings\Claire\Application Data\Ahead
    2008-08-25 15:02 --------- d-----w C:\Program Files\FinalBurner
    2008-08-25 14:16 --------- d-----w C:\Program Files\Football Manager 2008
    2008-08-06 18:57 --------- d-----w C:\Documents and Settings\James\Application Data\GanymedeNet
    2008-08-01 20:43 --------- d-----w C:\Program Files\iTunes
    2008-08-01 20:43 --------- d-----w C:\Program Files\iPod
    2008-08-01 20:41 --------- d-----w C:\Program Files\QuickTime
    2008-07-30 19:25 23,416 ----a-w C:\Documents and Settings\James\Application Data\GDIPFONTCACHEV1.DAT
    2008-07-26 17:17 --------- d-----w C:\Program Files\Ganymede
    2008-07-16 17:56 --------- d-----w C:\Program Files\Java
    2005-06-30 11:13 32 ----a-r C:\Documents and Settings\All Users\hash.dat
    2006-08-29 21:39 548,864 ----a-w C:\Program Files\mozilla firefox\plugins\msvcp80.dll
    2006-08-29 21:39 626,688 ----a-w C:\Program Files\mozilla firefox\plugins\msvcr80.dll
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2007-06-27 152872]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 144784]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 57344]
    "PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-07 200704]
    "NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 153136]
    "NBKeyScan"="C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe" [2007-06-29 1373480]
    "AppleSyncNotifier"="C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-07-22 116040]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-05-27 413696]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-07-30 289064]
    "VTTimer"="VTTimer.exe" [2004-10-22 C:\WINDOWS\system32\VTTimer.exe]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 15360]

    C:\Documents and Settings\James\Start Menu\Programs\Accessories\Startup\
    MagicDisc.lnk - C:\Program Files\MagicDisc\MagicDisc.exe [2007-12-24 557568]
    SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 360448]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2008-04-23 29696]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 83360]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "vidc.3iv2"= 3ivxVfWCodec.dll
    "msacm.divxa32"= divxa32.acm
    "VIDC.HFYU"= huffyuv.dll
    "VIDC.VP31"= vp31vfw.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center]
    "AntiVirusDisableNotify"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "C:\\Program Files\\Messenger\\msmsgs.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "C:\\Program Files\\BitLord\\BitLord.exe"=
    "C:\\Program Files\\iTunes\\iTunes.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3389:TCP"= 3389:TCP:*:Disabled:mad:xpsp2res.dll,-22009

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\IcmpSettings]
    "AllowInboundEchoRequest"= 1 (0x1)

    S1 ShldDrv;Panda File Shield Driver;C:\WINDOWS\system32\DRIVERS\ShlDrv51.sys [ ]
    S2 PavProc;Panda Process Protection Driver;C:\WINDOWS\system32\DRIVERS\PavProc.sys [ ]
    S2 sysbus32;32bit system bus driver;C:\WINDOWS\system32\drivers\sysbus32.sys [ ]
    .
    Contents of the 'Scheduled Tasks' folder
    .

    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-09-07 07:24:55
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\system32\winlogon.exe
    -> C:\Program Files\Citrix\ICA Client\pnsson.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\Windows Media Player\wmpnetwk.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    .
    **************************************************************************
    .
    Completion time: 2008-09-07 7:30:44 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-09-07 06:30:40
    ComboFix2.txt 2008-09-06 22:21:19

    Pre-Run: 48,567,431,168 bytes free
    Post-Run: 48,557,461,504 bytes free

    147 --- E O F --- 2008-08-14 07:38:49



    POST COMBOFIX HIJACKTHIS LOG

    Logfile of HijackThis v1.99.1
    Scan saved at 07:44, on 07/09/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\James\My Documents\Spyware Protection\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: http://www.pandasecurity.com
    O15 - Trusted Zone: http://forums.techguy.org
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
    O16 - DPF: {74EF5274-F439-2168-B543-14745B625C72} (CPlayFirstWeddingDasControl Object) - http://games.bigfishgames.com/en_we...orld-game/online/WeddingDash2Web.1.0.0.11.cab
    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)



    MBAM LOG

    Malwarebytes' Anti-Malware 1.26
    Database version: 1122
    Windows 5.1.2600 Service Pack 2

    07/09/2008 08:08:33
    mbam-log-2008-09-07 (08-08-33).txt

    Scan type: Quick Scan
    Objects scanned: 50770
    Time elapsed: 4 minute(s), 19 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 23
    Registry Values Infected: 0
    Registry Data Items Infected: 4
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\gnucdna.core (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{0be385a3-85a5-4722-b677-68dae891ff21} (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{272c0d60-0561-4c83-b3db-eb0a71f9d2eb} (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{284477e4-a7cb-4055-9e1b-0ea7cba28945} (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{450b9e4d-4014-4de3-b34e-014a81468293} (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{70ca4938-6a0f-4641-a9a9-c936e4c1e7de} (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{7468213e-010e-4ec6-a17d-642e909ba7ec} (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{89dc33a2-f86f-42a1-8b5f-d4d1943efc9c} (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{a916af3c-976d-4358-8736-95bea0b5fd2c} (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{b86f4810-19a9-4050-9ac9-b5cf60b5799a} (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{bb5b7e14-f8b4-4365-a24d-f4965c33e1ee} (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{be45f056-e005-437b-be88-23acf70b0b6a} (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{c13d4627-02f5-4b03-897a-bf6a90022dd2} (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{c636f1fc-6ae4-4e6a-90ab-6d61d821a0dd} (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{cb971ac0-6408-40da-a540-92f9f256f51f} (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{d5694dfe-43b6-4e05-aa29-8c556c968973} (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{e2032ec2-a9ac-4ed7-9bdb-ebecacf076f2} (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{ebab4a71-8c34-461a-b57d-dd041d439555} (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{f06fea43-0cc3-4bf6-a85b-5efb1c07aa4b} (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Interface\{fc94a0f7-9c7c-4ae2-9106-5c212332b209} (Adware.WhenUSave) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\Typelib\{c7f00a9a-f1bc-436e-82c7-e8cae6fd67f7} (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\qalkfxor.bpqk (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\qalkfxor.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.5 85.255.112.65 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.5 85.255.112.65 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{09cf67f9-5590-428b-bd1d-c0f4eb4266f2}\DhcpNameServer (Trojan.DNSChanger) -> Data: 85.255.114.5,85.255.112.65 -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters\Interfaces\{09cf67f9-5590-428b-bd1d-c0f4eb4266f2}\NameServer (Trojan.DNSChanger) -> Data: 85.255.114.5,85.255.112.65 -> Quarantined and deleted successfully.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\Documents and Settings\All Users\Application Data\services\services.dll (Trojan.Agent) -> Quarantined and deleted successfully.



    POST MBAM HIJACKTHIS LOG

    Logfile of HijackThis v1.99.1
    Scan saved at 08:15, on 07/09/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16705)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
    C:\Program Files\PowerISO\PWRISOVM.EXE
    C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe
    C:\Program Files\QuickTime\QTTask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\MagicDisc\MagicDisc.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Documents and Settings\James\My Documents\Spyware Protection\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero 7\Nero BackItUp\NBKeyScan.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - Startup: MagicDisc.lnk = C:\Program Files\MagicDisc\MagicDisc.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
    O11 - Options group: [INTERNATIONAL] International*
    O15 - Trusted Zone: http://www.pandasecurity.com
    O15 - Trusted Zone: http://forums.techguy.org
    O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/FacebookPhotoUploader5.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {4E62C4DE-627D-4604-B157-4B7D6B09F02E} (AccountTracking Profile Manager Class) - https://moneymanager.egg.com/Pinsafe/accounttracking.cab
    O16 - DPF: {74EF5274-F439-2168-B543-14745B625C72} (CPlayFirstWeddingDasControl Object) - http://games.bigfishgames.com/en_we...orld-game/online/WeddingDash2Web.1.0.0.11.cab
    O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebook.com/controls/FacebookPhotoUploader4_5.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
     
  10. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    logs look good. How is everything running??
     
  11. James Judkins

    James Judkins Thread Starter

    Joined:
    Feb 17, 2008
    Messages:
    24
    Everything seems to be running perfectly. Better than before i got the virus!

    Thanks for all your help.

    Much appreciated

    James
     
  12. sjpritch25

    sjpritch25

    Joined:
    Sep 8, 2005
    Messages:
    9,113
    Your Welcome !!! :)

    Just need to clean up some tools.

    Go to Start ---> Run---> Type ComboFix /u and press Enter.


    Now that your system is clean you should SET A NEW RESTORE POINT to prevent future reinfection from the old restore point AFTER cleaning your system of any malware infection. Any trojans or spyware you picked up could have been saved in System Restore and are waiting to re-infect you. Since System Restore is a protected directory, your tools can not access it to delete files, trapping viruses inside. Setting a new restore point should be done to prevent any future reinfection from the old restore point and enable your computer to "roll-back" in case there is a future problem.

    To SET A NEW RESTORE POINT:
    1. Go to Start > Programs > Accessories > System Tools and click "System Restore".
    2. Choose the radio button marked "Create a Restore Point" on the first screen then click "Next". Give the R.P. a name then click "Create". The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
    3. Then go to Start > Run and type: Cleanmgr
    4. Click "OK".
    5. Click the "More Options" Tab.
    6. Click "Clean Up" in the System Restore section to remove all previous restore points except the newly created one.

    Graphics for doing this are in the following links if you need them.
    How to Create a Restore Point.
    How to use Cleanmgr.

    ======================================

    Here is some useful information on keeping your computer clean:
    1. Most important thing is to make sure Windows is kept up to date with the latest patches and updates from Windows Update.
    2. Here are two great Preventive programs
    :
    • SpywareBlaster protects you from malicious ActiveX controls and cookies. Make sure and check for updates twice a month.
    • Surf Safe with McAfee's SiteAdisor. SiteAdisor will work with Internet Explorer and Mozilla Firefox. SiteAdisor is a browser plugin that assigns a safety rating to domains listed in your search engine. SiteAdvisor uses the following color codes to indicate the safety level of each site.
    • Red for Warning
    • Yellow for Use Caution
    • Green for Safe
    • Grey for Unknown

    Here are the link to install SiteAdisor in Internet Explorer and Firefox
    • Anti-Spyware Programs I Recommend:
    • Free Anti-Spyware Programs
    • Free Firewalls
    1. Sunbelt Personal Firewall
    2. ZoneAlarm Free Firewall by Check Point
     
  13. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/744321

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice