Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Blue Screen

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Blue Screen

Unread postby clintjm » July 29th, 2008, 11:36 am

Hi, my computer would not boot up after trying to remove a virus infection with spydoctor and RegCure. It would blue screen (Stop: 0x00000008E (0x0000005,0x006F0063,0xA856C6AL,0x00000000)) I booted in safe mode and ran MSCONFIG and turned off some startup programs. This allowed it to boot up. Symantec anti virus still finds Trojan.BrisV.A!Inf and Trojan.AWAX. Internet explorer or Firefox both barely function so I am using another computer to post this.
Here is the Log.

Deckard's System Scanner v20071014.68
Run by MurphC02 on 2008-07-29 12:26:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

System Restore is disabled; attempting to re-enable...success.


-- Last 1 Restore Point(s) --
1: 2008-07-29 11:26:13 UTC - RP1 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as MurphC02.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:27:51, on 29/07/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\nsl.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\Program Files\Reflection\rnnfserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Cordaware\Infoband\Infoclient.exe
C:\Program Files\Cordaware\Infoband\Infoclient.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
c:\windows\system32\dwrcst.exe
c:\program files\itunes\ituneshelper.exe
c:\windows\system32\hkcmd.exe
c:\program files\dell\dell laser mfp 1600n\networkscan\dnscst.exe
c:\program files\common files\symantec shared\ccapp.exe
c:\program files\adobe\acrobat 8.0\acrobat\acrotray.exe
c:\progra~1\symant~1\vptray.exe
c:\windows\system32\rundll32.exe
c:\windows\system32\ctfmon.exe
c:\program files\common files\ahead\lib\nmbgmonitor.exe
c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\proquota.exe
c:\documents and settings\murphc02\desktop\dss.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
c:\PROGRA~1\TRENDM~1\HIJACK~1\MurphC02.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {099ac52c-1cd4-434c-9cc6-ff56dabb5010} - (no file)
O2 - BHO: (no name) - {53b7248a-5edc-4d77-9b15-6574e0f39863} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: Adobe PDF Reader Link Helper - {B782EDE4-CCB3-4E3E-981F-96C68116F38C} - C:\WINDOWS\system32\AcroIEHelpe.dll
O2 - BHO: (no name) - {C3F0B821-8B81-49DF-A282-19BD5B095CBD} - C:\Documents and Settings\MurphC02\Local Settings\Temporary Internet Files\Content.IE5\6HTBZCXR\3077ahntdksr[1].dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [MSConfig] c:\windows\pchealth\helpctr\binaries\msconfig.exe /auto
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DellNSCST] "C:\Program Files\DELL\Dell Laser MFP 1600n\NetworkScan\DNSCST.exe" /HIDEUI
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [BM17b9addc] Rundll32.exe "C:\WINDOWS\system32\gmemnqed.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.google.ie
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5570695656
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = hun.astron,rrd.com,rrd.net,ams.astron.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hun.astron,rrd.com,rrd.net,ams.astron.int
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = hun.astron,rrd.com,rrd.net,ams.astron.int
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hun.astron,rrd.com,rrd.net,ams.astron.int
O20 - Winlogon Notify: rnnfsnp - C:\WINDOWS\SYSTEM32\rnnfsnp.dll
O20 - Winlogon Notify: wvulmnmm - wvUlmnmM.dll (file missing)
O20 - Winlogon Notify: wxinfoclient - C:\Program Files\Cordaware\Infoband\wxInfoclient.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Cordaware Infoclient(User) (InfoclientUserDesktop) - Cordaware - C:\Program Files\Cordaware\Infoband\Infoclient.exe
O23 - Service: Cordaware Infoclient(Winlogon) (InfoclientWinlogonDesktop) - Cordaware - C:\Program Files\Cordaware\Infoband\Infoclient.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: WRQ Reflection NFS Client (ReflectionNFS) - WRQ, Inc. - C:\Program Files\Reflection\rnnfserv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 12760 bytes

-- File Associations -----------------------------------------------------------

.js - JSFile - DefaultIcon - C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe,2
.js - JSFile - shell\open\command - "C:\Program Files\Macromedia\Dreamweaver MX\Dreamweaver.exe" "%1"


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R3 ReflectionNFSRDR (NFS Redirector) - c:\windows\system32\drivers\rrdr_2k.sys <Not Verified; WRQ, Inc.; WRQ Reflection NFS Client>

S0 cercsr6 - c:\windows\system32\drivers\cercsr6.sys <Not Verified; Adaptec, Inc.; Dell RAID Controller>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 DWMRCS (DameWare Mini Remote Control) - c:\windows\system32\dwrcs.exe -service <Not Verified; DameWare Development LLC; DameWare Development DWRCS>
R2 InfoclientUserDesktop (Cordaware Infoclient(User)) - c:\program files\cordaware\infoband\infoclient.exe <Not Verified; Cordaware; Cordaware bestinformed>
R2 InfoclientWinlogonDesktop (Cordaware Infoclient(Winlogon)) - c:\program files\cordaware\infoband\infoclient.exe w <Not Verified; Cordaware; Cordaware bestinformed>
R2 Lotus Notes Single Logon - c:\windows\system32\nslsvice.exe <Not Verified; IBM Corp; IBM Lotus Notes/Domino>
R2 Multi-user Cleanup Service - "c:\program files\lotus\notes\ntmulti.exe" <Not Verified; IBM Corp; IBM Lotus Notes/Domino>
R2 ReflectionNFS (WRQ Reflection NFS Client) - c:\program files\reflection\rnnfserv.exe <Not Verified; WRQ, Inc.; WRQ Reflection NFS Client>
R3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>

S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S3 ServiceLayer - "c:\program files\pc connectivity solution\servicelayer.exe" <Not Verified; Nokia.; PC Connectivity Solution>


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {EEC5AD98-8080-425F-922A-DABF3DE3F69A}
Description: Nokia E65
Device ID: ROOT\WPD\0000
Manufacturer: Nokia
Name: Nokia E65
PNP Device ID: ROOT\WPD\0000
Service: WUDFRd


-- Scheduled Tasks -------------------------------------------------------------

2008-07-29 09:00:54 444 --a------ C:\WINDOWS\Tasks\RegCure Program Check.job
2008-07-28 11:07:04 378 --a------ C:\WINDOWS\Tasks\RegCure.job
2008-07-19 13:23:13 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2008-06-29 and 2008-07-29 -----------------------------

2008-07-29 12:42:57 0 d-------- H:\Deckard
2008-07-29 11:35:38 0 d-------- C:\Program Files\Panda Security
2008-07-29 11:35:37 0 d-------- C:\WINDOWS\LastGood
2008-07-29 08:45:56 0 d-------- C:\Program Files\Trend Micro
2008-07-28 12:46:44 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-28 12:46:42 0 d-------- C:\Documents and Settings\MurphC02\Application Data\Mozilla
2008-07-28 11:24:28 0 d-------- C:\WINDOWS\pss
2008-07-28 10:47:56 0 d-------- C:\Program Files\RegCure
2008-07-28 09:55:13 0 d-------- H:\Rustbfix
2008-07-28 08:08:21 94416 --a------ C:\WINDOWS\system32\AcroIEHelpe.dll <Not Verified; Adobe Systems, Incorporated; Adobe PDF Reader Link Helper>
2008-07-28 08:03:50 0 d-------- C:\WINDOWS\setup.pss
2008-07-28 08:03:34 0 d-------- C:\WINDOWS\system32\dtw5d
2008-07-28 08:03:34 0 d-------- C:\WINDOWS\system32\cks
2008-07-28 07:57:04 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-25 13:08:40 85050 --a------ C:\WINDOWS\system32\drivers\776c687c.sys
2008-07-25 12:14:51 0 d-------- C:\Program Files\Spyware Doctor
2008-07-25 12:14:51 0 d-------- C:\Documents and Settings\MurphC02\Application Data\PC Tools
2008-07-24 22:46:46 117760 --a------ C:\WINDOWS\system32\vgyaqrih.dll
2008-07-24 22:46:28 117760 --a------ C:\WINDOWS\system32\vbtfcpma.dll
2008-07-24 22:44:07 117760 --a------ C:\WINDOWS\system32\dpdefgts.dll
2008-07-24 22:41:07 117760 --a------ C:\WINDOWS\system32\guqnxakv.dll
2008-07-24 22:38:07 90624 --a------ C:\WINDOWS\system32\gmemnqed.dll
2008-07-24 14:21:37 0 dr-h----- C:\Documents and Settings\MurphC02\Recent
2008-07-24 10:34:37 372659 --ahs---- C:\WINDOWS\system32\WxGOnUtv.ini2
2008-07-24 10:29:07 36864 --a------ C:\WINDOWS\system32\hgGvsrsS.dll
2008-07-22 13:36:40 0 d-------- C:\Program Files\Common Files\PCSuite
2008-07-22 13:35:18 0 d-------- C:\Program Files\PC Connectivity Solution
2008-07-09 08:33:16 0 d-------- C:\WINDOWS\system32\Adobe


-- Find3M Report ---------------------------------------------------------------

2008-07-29 12:25:50 0 d-------- C:\Program Files\Symantec AntiVirus
2008-07-29 10:44:01 0 d-------- C:\Program Files\DYMO Label
2008-07-28 12:46:05 21504 --a------ C:\WINDOWS\system32\powrprof.dll <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-07-28 10:52:09 0 d-------- C:\Documents and Settings\MurphC02\Application Data\BPFTP
2008-07-25 12:02:05 3888 --a------ C:\WINDOWS\system32\tmp.reg
2008-07-25 09:12:09 0 d-------- C:\Program Files\Java
2008-07-24 14:57:35 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-07-24 11:46:33 0 d-------- C:\Program Files\DigiGuide TV Guide
2008-07-24 08:56:23 0 d-------- C:\Program Files\Microsoft Games
2008-07-22 14:01:51 0 d-------- C:\Documents and Settings\MurphC02\Application Data\Nokia
2008-07-22 13:36:40 0 d-------- C:\Program Files\Nokia
2008-07-22 13:36:35 0 d-------- C:\Program Files\Common Files
2008-07-22 13:36:35 0 d-------- C:\Program Files\Common Files\Nokia
2008-07-09 08:14:29 0 d-------- C:\Documents and Settings\MurphC02\Application Data\Adobe
2008-06-24 14:13:38 98 --a------ C:\WINDOWS\system32\winlogs32.dll
2008-06-24 14:12:11 0 d-------- C:\Program Files\igoodsoft
2008-06-24 14:11:56 0 d-------- C:\Program Files\Common Files\Download Manager
2008-06-12 08:29:31 0 d-------- C:\Documents and Settings\MurphC02\Application Data\PC Suite


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{099ac52c-1cd4-434c-9cc6-ff56dabb5010}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53b7248a-5edc-4d77-9b15-6574e0f39863}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B782EDE4-CCB3-4E3E-981F-96C68116F38C}]
28/07/2008 08:08 94416 --a------ C:\WINDOWS\system32\AcroIEHelpe.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C3F0B821-8B81-49DF-A282-19BD5B095CBD}]
C:\Documents and Settings\MurphC02\Local Settings\Temporary Internet Files\Content.IE5\6HTBZCXR\3077ahntdksr[1].dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\binaries\msconfig.exe" [04/08/2004 11:00]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [30/03/2008 10:36]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [21/07/2006 17:48]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [21/07/2006 17:50]
"DellNSCST"="C:\Program Files\DELL\Dell Laser MFP 1600n\NetworkScan\DNSCST.exe" [20/02/2006 15:07]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [29/05/2007 18:33]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [11/01/2008 19:54]
"!AVG Anti-Spyware"="c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe" [06/09/2007 08:26]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [06/06/2007 15:25]
"BM17b9addc"="C:\WINDOWS\system32\gmemnqed.dll" [24/07/2008 22:38]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 11:00]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [13/09/2006 12:12]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [15/06/2007 13:52]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Nokia.PCSync"=C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ProfileQuotaMessage"=You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
"EnableProfileQuota"=1 (0x1)
"MaxProfileSize"=30000 (0x7530)
"IncludeRegInProQuota"=1 (0x1)
"WarnUser"=1 (0x1)
"WarnUserTimeout"=0 (0x0)
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rnnfsnp]
rnnfsnp.dll 29/03/2004 04:41 155648 C:\WINDOWS\system32\rnnfsnp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvulmnmm]
wvUlmnmM.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wxinfoclient]
C:\Program Files\Cordaware\Infoband\wxInfoclient.dll 29/07/2008 08:57 47104 C:\Program Files\Cordaware\Infoband\wxInfoclient.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtUnOGxW

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Infoclient]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISTray]
"C:\Program Files\Spyware Doctor\pctsTray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Suite Tray]
"C:\Program Files\Nokia\Nokia PC Suite 6\PCSuite.exe" -onlytray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Persistence]
C:\WINDOWS\system32\igfxpers.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
%SystemRoot%\system32\mobsync.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_9


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##amssanfile01#itadmin$]
AutoRun\command- setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
AutoRun\command- D:\autorun.exe
setup\command- D:\setup.exe




-- End of Deckard's System Scanner: finished at 2008-07-29 12:28:22 ------------
clintjm
Active Member
 
Posts: 10
Joined: July 29th, 2008, 11:23 am
Advertisement
Register to Remove

Re: Blue Screen

Unread postby Shaba » July 31st, 2008, 1:22 am

Hi clintjm

If you already have Combofix, please delete this copy and download it again as it's being updated regularly.

Please visit this webpage for download links, and instructions for running the tool:

http://www.bleepingcomputer.com/combofi ... e-combofix

Please ensure you read this guide carefully and install the Recovery Console first.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once Recovery Console is installed, you should see a blue screen prompt like the one below:

Image

Click Yes to allow Combofix to continue scanning for malware.

When done, a log will be produced. Please post that log and a new HijackThis log in your next reply.

Do not mouse click on Combofix while it is running. That may cause it to stall.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Blue Screen

Unread postby clintjm » August 1st, 2008, 10:43 am

Hi,

Sorry my PC is my work pc so I don't have the CD to run the recovery console. I have been working on this problem for a few days now and it has stopped blue screen crashing on startup. Here are the latest logs.

ComboFix 08-07-30.01 - MurphC02 2008-08-01 15:33:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.493 [GMT 1:00]
Running from: c:\documents and settings\murphc02\desktop\combofix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-07-01 to 2008-08-01 )))))))))))))))))))))))))))))))
.

2008-08-01 15:32 . 2008-08-01 09:46 31,445 --a------ C:\ltr.ARSTMT-ENDDAY.20080731-002004.output
2008-08-01 10:58 . 2008-07-31 23:43 2,793 --a------ C:\ltr.ARSTMT-ENDDAY.20080731-002004.output.gz
2008-07-31 15:34 . 2008-07-31 18:34 477 --a------ C:\WINDOWS\system32\blck1.wav
2008-07-31 09:34 . 2008-07-31 09:34 92,712 --a------ C:\WINDOWS\system32\AcroIEHelpe.dll
2008-07-31 09:21 . 2008-07-31 09:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 09:21 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-31 09:21 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-30 12:28 . 2008-07-30 12:28 <DIR> d-------- C:\Program Files\GiPo@Utilities
2008-07-30 12:28 . 2008-07-30 12:28 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2008-07-30 11:22 . 2005-01-14 04:41 11,254 --a------ C:\WINDOWS\system32\locate.com
2008-07-30 11:21 . 2008-07-30 11:28 45,796 --a------ C:\MGlogs.zip
2008-07-30 11:20 . 2008-07-30 11:28 <DIR> d-------- C:\MGtools
2008-07-30 11:20 . 2008-05-10 00:16 725,138 --a------ C:\MGtools.exe
2008-07-30 11:13 . 2008-07-30 11:13 <DIR> d-------- C:\Documents and Settings\MurphC02\Application Data\Malwarebytes
2008-07-30 11:13 . 2008-07-30 11:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 10:58 . 2008-07-30 10:58 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-30 10:04 . 2008-07-30 10:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-30 10:04 . 2008-07-30 10:04 <DIR> d-------- C:\Documents and Settings\MurphC02\Application Data\SUPERAntiSpyware.com
2008-07-30 10:04 . 2008-07-30 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-30 10:03 . 2008-07-31 09:20 <DIR> d-------- C:\Virus
2008-07-30 09:23 . 2008-07-30 09:23 <DIR> d-------- C:\Program Files\CCleaner
2008-07-29 11:35 . 2008-07-29 11:35 <DIR> d-------- C:\Program Files\Panda Security
2008-07-29 11:35 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-29 08:45 . 2008-07-29 08:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-28 12:46 . 2008-07-28 12:46 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-28 10:47 . 2008-07-28 11:03 <DIR> d-------- C:\Program Files\RegCure
2008-07-28 08:03 . 2008-07-28 08:03 <DIR> d-------- C:\WINDOWS\system32\dtw5d
2008-07-28 08:03 . 2008-07-28 08:03 <DIR> d-------- C:\WINDOWS\system32\cks
2008-07-28 08:03 . 2008-07-28 08:03 136 --a------ C:\WINDOWS\system32\srvblck.tmp
2008-07-28 07:57 . 2008-07-28 07:57 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-25 13:08 . 2008-07-25 13:08 <DIR> d-------- C:\SPYWARE
2008-07-25 13:08 . 2008-07-31 09:16 992,768 --a------ C:\WINDOWS\system32\nwklr.ini
2008-07-25 13:08 . 2007-04-16 16:52 984,576 --a------ C:\WINDOWS\system32\korlg.ini
2008-07-25 13:08 . 2008-07-31 09:16 846,848 --a------ C:\WINDOWS\system32\nwwlnt.ini
2008-07-25 13:08 . 2008-04-23 05:16 826,368 --a------ C:\WINDOWS\system32\worlg.ini
2008-07-25 13:08 . 2008-07-31 09:16 34,304 --a------ C:\WINDOWS\system32\ldshyr.old
2008-07-25 13:08 . 2008-07-31 09:16 21,504 --a------ C:\WINDOWS\system32\nwpp.ini
2008-07-25 13:08 . 2004-08-04 11:00 17,408 --a------ C:\WINDOWS\system32\pporlg.ini
2008-07-25 13:08 . 2008-07-25 13:08 16,384 --a------ C:\xxdxsn.exe
2008-07-25 13:08 . 2008-07-25 13:08 2 --a------ C:\344628975
2008-07-25 12:14 . 2008-07-29 07:37 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-25 12:14 . 2008-07-25 12:14 <DIR> d-------- C:\Documents and Settings\MurphC02\Application Data\PC Tools
2008-07-25 12:14 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-07-25 12:14 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-07-25 12:14 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-07-25 12:14 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-25 11:48 . 2008-07-25 11:52 <DIR> d-------- C:\SmitfraudFix
2008-07-25 11:26 . 2008-07-25 11:33 <DIR> d-------- C:\fixwareout
2008-07-22 13:36 . 2008-07-22 13:36 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-07-22 13:35 . 2008-07-22 13:35 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-07-22 13:35 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-07-16 10:47 . 2008-07-16 10:47 <DIR> d-------- C:\072008
2008-07-15 12:42 . 2008-05-07 07:39 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-07-15 12:42 . 2008-05-07 07:38 659,968 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-07-15 12:42 . 2008-05-07 07:38 20,864 --a------ C:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-07-15 12:42 . 2008-05-07 07:38 17,536 --a------ C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-07-15 12:42 . 2008-05-07 07:38 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys
2008-07-15 12:42 . 2008-06-06 09:24 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-07-09 08:33 . 2008-07-09 08:14 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-01 14:17 --------- d-----w C:\Program Files\DYMO Label
2008-08-01 14:06 --------- d-----w C:\Documents and Settings\MurphC02\Application Data\BPFTP
2008-07-31 09:16 --------- d-----w C:\Program Files\DigiGuide TV Guide
2008-07-31 08:32 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-31 08:16 846,848 ----a-w C:\WINDOWS\system32\wininet.dll
2008-07-31 08:16 21,504 ----a-w C:\WINDOWS\system32\powrprof.dll
2008-07-30 11:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-30 10:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-30 09:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-25 11:02 3,888 ----a-w C:\WINDOWS\system32\tmp.reg
2008-07-25 08:12 --------- d-----w C:\Program Files\Java
2008-07-24 13:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-24 07:56 --------- d-----w C:\Program Files\Microsoft Games
2008-07-22 13:01 --------- d-----w C:\Documents and Settings\MurphC02\Application Data\Nokia
2008-07-22 12:36 --------- d-----w C:\Program Files\Nokia
2008-07-22 12:36 --------- d-----w C:\Program Files\Common Files\Nokia
2008-07-22 12:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-06-24 13:12 --------- d-----w C:\Program Files\igoodsoft
2008-06-24 13:11 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 01:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 07:29 --------- d-----w C:\Documents and Settings\MurphC02\Application Data\PC Suite
2008-06-09 11:45 --------- d-----w C:\Documents and Settings\ObrieT01\Application Data\PC Suite
2008-05-07 06:38 90,624 ----a-w C:\WINDOWS\system32\nmwcdcls.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-02-13 08:46 31 ----a-w C:\Program Files\Notes.ini
2007-01-08 12:28 898 ----a-w C:\Program Files\nb120ilc.sms
2007-01-08 12:28 2,931 ----a-w C:\Program Files\WRQMSI.ini
2007-01-08 12:28 1,094,144 ----a-w C:\Program Files\nb120ilc.msi
2004-04-08 12:47 98,304 ----a-w C:\Program Files\jpn.mst
2004-04-08 12:46 83,968 ----a-w C:\Program Files\fra.mst
2004-04-08 12:46 79,872 ----a-w C:\Program Files\deu.mst
2006-01-13 17:53 57,344 ------w C:\Program Files\internet explorer\plugins\FTDWSER.DLL
2007-05-24 08:29 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2006-03-04 04:58 663552 c0845ecbf4f9164e618ee381b79c9032 C:\WINDOWS\$hf_mig$\KB912812\SP2QFE\wininet.dll
2007-03-07 18:40 823296 b8f4db39ca7353752f245379d285c80e C:\WINDOWS\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
2007-04-25 10:08 823808 431defbb4a3d7b0dc062c1b064623a2f C:\WINDOWS\$hf_mig$\KB933566-IE7\SP2QFE\wininet.dll
2007-06-27 15:40 824320 d6ed5e042c5207553e7f5e842918137f C:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
2007-08-20 11:02 825344 357d54bf94fe9d6d8505a96b5c2a3bca C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
2007-10-11 00:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-07 03:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 14:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-23 04:35 827392 41546b396a526918da7995a02ea04e51 C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2006-03-04 04:33 658432 1c0979c7a489bee573cd0bf4ad94bb06 C:\WINDOWS\$NtUninstallKB912812$\wininet.dll
2006-03-04 04:58 663552 c0845ecbf4f9164e618ee381b79c9032 C:\WINDOWS\$NtUninstallKB922760$\wininet.dll
2006-09-14 09:31 664576 d207370287cf769aebebf03837784963 C:\WINDOWS\ie7\wininet.dll
2006-11-07 22:03 818688 92995334f993e6e49c25c6d02ec04401 C:\WINDOWS\ie7updates\KB928090-IE7\wininet.dll
2007-01-12 10:27 822784 be43d00d802c92f01c8cc952c6f483f8 C:\WINDOWS\ie7updates\KB931768-IE7\wininet.dll
2007-03-07 18:45 822784 5b35dae6e4886f64d1da58c4e3e01eb9 C:\WINDOWS\ie7updates\KB933566-IE7\wininet.dll
2007-04-25 09:41 822784 0586a7f0b2fdb94d624f399d4728e7c8 C:\WINDOWS\ie7updates\KB937143-IE7\wininet.dll
2007-06-27 15:34 823808 8068cbb58fe60cc95aeb2cff70178208 C:\WINDOWS\ie7updates\KB939653-IE7\wininet.dll
2007-08-20 11:04 824832 774435e499d8e9643ec961a6103c361f C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
2007-10-11 00:56 824832 30c1e0f34ad2972c72a01db5c74ab065 C:\WINDOWS\ie7updates\KB944533-IE7\wininet.dll
2007-12-07 03:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
2008-03-01 14:06 826368 ad21461aef8244edec2ef18e55e1dcf3 C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
2008-07-31 09:16 846848 d85a31287df3bb284563276602386a3b C:\WINDOWS\system32\wininet.dll
2008-07-31 09:16 846848 d85a31287df3bb284563276602386a3b C:\WINDOWS\system32\dllcache\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-07-31_ 9.40.42.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-12-11 09:32:21 6,826 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\delr1en.DAT
+ 2008-07-31 08:46:54 6,833 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\delr1en.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 12:12 139264]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 13:52 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]
"PC Suite Tray"="c:\program files\nokia\nokia pc suite 6\pcsuite.exe" [2008-04-16 12:53 1079808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-21 17:48 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-07-21 17:50 86016]
"DellNSCST"="C:\Program Files\DELL\Dell Laser MFP 1600n\NetworkScan\DNSCST.exe" [2006-02-20 15:07 278528]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 18:33 52840]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"!AVG Anti-Spyware"="c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe" [2007-09-06 08:26 6731312]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-06-06 15:25 125632]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 11:00 143360]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 11:07 843776]
"QuickTime Task"="c:\program files\quicktime\qttask.exe" [2008-03-28 23:37 413696]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-21 17:47 81920]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ProfileQuotaMessage"= You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
"EnableProfileQuota"= 1 (0x1)
"MaxProfileSize"= 30000 (0x7530)
"IncludeRegInProQuota"= 1 (0x1)
"WarnUser"= 1 (0x1)
"WarnUserTimeout"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wxinfoclient]
2008-07-31 09:32 47104 C:\Program Files\Cordaware\Infoband\wxInfoclient.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rnnfsnp]
2004-03-29 04:41 155648 C:\WINDOWS\system32\rnnfsnp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\DELL\\Dell Laser MFP 1600n\\NetworkScan\\DNSCST.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6129:TCP"= 6129:TCP:DameWare Mini Remote Control Service

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;C:\WINDOWS\system32\DRIVERS\dwvkbd.sys [2007-02-15 17:00]
R2 InfoclientUserDesktop;Cordaware Infoclient(User);C:\Program Files\Cordaware\Infoband\Infoclient.exe [2007-09-08 16:42]
R2 InfoclientWinlogonDesktop;Cordaware Infoclient(Winlogon);C:\Program Files\Cordaware\Infoband\Infoclient.exe W []
R2 ReflectionNFS;WRQ Reflection NFS Client;C:\Program Files\Reflection\rnnfserv.exe [2004-03-29 04:41]
R3 DwMirror;DwMirror;C:\WINDOWS\system32\DRIVERS\DamewareMini.sys [2007-02-07 18:00]
R3 ReflectionNFSRDR;NFS Redirector;C:\WINDOWS\system32\DRIVERS\rrdr_2k.sys [2004-03-29 04:31]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##amssanfile01#itadmin$]
\Shell\AutoRun\command - setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.exe
\Shell\setup\command - D:\setup.exe

*Newly Created Service* - catchme
.
Contents of the 'Scheduled Tasks' folder

2008-07-19 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-07-31 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 22:21]

2008-07-31 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 22:21]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\MurphC02\Application Data\Mozilla\Firefox\Profiles\v8a5thpr.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.ie/
FF -: plugin - C:\Program Files\DivX\DivX Content Uploader\npUpload.dll
FF -: plugin - C:\Program Files\iTunes\Mozilla Plugins\npitunes.dll


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-01 15:36:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-01 15:37:30
ComboFix-quarantined-files.txt 2008-08-01 14:37:23
ComboFix2.txt 2008-07-31 08:40:58

Pre-Run: 56,680,919,040 bytes free
Post-Run: 56,649,207,808 bytes free

243 --- E O F --- 2008-07-22 12:56:57








Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:38, on 2008-08-01
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Reflection\rnnfserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Cordaware\Infoband\Infoclient.exe
C:\Program Files\Cordaware\Infoband\Infoclient.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
c:\windows\system32\dwrcst.exe
c:\program files\itunes\ituneshelper.exe
c:\windows\system32\hkcmd.exe
c:\program files\dell\dell laser mfp 1600n\networkscan\dnscst.exe
c:\program files\common files\symantec shared\ccapp.exe
c:\program files\adobe\acrobat 8.0\acrobat\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe
c:\progra~1\symant~1\vptray.exe
c:\program files\java\jre1.6.0_07\bin\jusched.exe
c:\program files\analog devices\core\smax4pnp.exe
c:\windows\system32\igfxpers.exe
c:\windows\system32\ctfmon.exe
c:\program files\common files\ahead\lib\nmbgmonitor.exe
c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe
C:\WINDOWS\system32\proquota.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\superantispyware\superantispyware.exe
c:\program files\nokia\nokia pc suite 6\pcsuite.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\pc connectivity solution\transports\nclusbsrv.exe
c:\program files\pc connectivity solution\transports\nclrssrv.exe
C:\WINDOWS\explorer.exe
c:\program files\trend micro\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DellNSCST] "C:\Program Files\DELL\Dell Laser MFP 1600n\NetworkScan\DNSCST.exe" /HIDEUI
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 6\pcsuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.google.ie
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5570695656
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = hun.astron,rrd.com,rrd.net,ams.astron.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hun.astron,rrd.com,rrd.net,ams.astron.int
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = hun.astron,rrd.com,rrd.net,ams.astron.int
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hun.astron,rrd.com,rrd.net,ams.astron.int
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rnnfsnp - C:\WINDOWS\SYSTEM32\rnnfsnp.dll
O20 - Winlogon Notify: wxinfoclient - C:\Program Files\Cordaware\Infoband\wxInfoclient.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Cordaware Infoclient(User) (InfoclientUserDesktop) - Cordaware - C:\Program Files\Cordaware\Infoband\Infoclient.exe
O23 - Service: Cordaware Infoclient(Winlogon) (InfoclientWinlogonDesktop) - Cordaware - C:\Program Files\Cordaware\Infoband\Infoclient.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: WRQ Reflection NFS Client (ReflectionNFS) - WRQ, Inc. - C:\Program Files\Reflection\rnnfserv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 13787 bytes
clintjm
Active Member
 
Posts: 10
Joined: July 29th, 2008, 11:23 am

Re: Blue Screen

Unread postby Shaba » August 1st, 2008, 11:48 am

Hi

Please click this link-->Jotti

Copy/paste the first file on the list into the white Upload a file box and click Submit/Send (depends on which one you are using Jotti or VirusTotal).

C:\WINDOWS\system32\rnnfsnp.dll

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Blue Screen

Unread postby clintjm » August 5th, 2008, 5:30 am

Service
Service load: 0% 100%

File: rnnfsnp.dll
Status: OK
MD5: c50f602240065eb2088fef0265b24f36
Packers detected: -

Scanner results
Scan taken on 05 Aug 2008 09:24:27 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Powered by

Disclaimer
This service is by no means 100% safe. If this scanner says 'OK', it does not necessarily mean the file is clean. There could be a whole new virus on the loose. NEVER EVER rely on one single product only, not even this service, even though it utilizes several products. Therefore, We cannot and will not be held responsible for any damage caused by results presented by this non-profit online service.

Also, we are aware of the implications of a setup like this. We are sure this whole thing is by no means scientifically correct, since this is a fully automated service (although manual correction is possible). We are aware, in spite of efforts to proactively counter these, false positives might occur, for example. We do not consider this a very big issue, so please do not e-mail us about it. This is a simple online scan service, not the university of Wichita.

Scanning can take a while, since several scanners are being used, plus the fact some scanners use very high levels of (time consuming) heuristics. Scanners used are Linux versions, differences with Windows scanners may or may not occur. Another note: some scanners will only report one virus when scanning archives with multiple pieces of malware.

Virus definitions are updated every hour. There is a 10Mb limit per file. Please refrain from uploading tons of hex-edited or repacked variants of the same sample.

Please do not ask for viruses uploaded here, unless you work for an anti-virus vendor. They are not for trade. This is a legitimate service, not a VX site. Viruses uploaded here will be distributed to antivirus vendors without exception. Read more about this in our privacy policy. If you do not want your files to be distributed, please do not send them at all.

Sponsored by HotelScraper.com.
--------------------------------------------------------------------------------


Statistics
Last file scanned at least one scanner reported something about: userinit.exe (MD5: bc0409a18900d5c3f1222ab1be57761e, size: 33056 bytes), detected by:

Scanner Malware name
A-Squared X
AntiVir TR/Crypt.XPACK.Gen
ArcaVir X
Avast X
AVG Antivirus X
BitDefender Trojan.PWS.Lich.A
ClamAV X
CPsecure X
Dr.Web Trojan.PWS.Lich
F-Prot Antivirus X
F-Secure Anti-Virus Trojan.Win32.Pakes.jwi
Fortinet X
Ikarus X
Kaspersky Anti-Virus Trojan.Win32.Pakes.jwi
NOD32 X
Norman Virus Control W32/Smalltroj.FPFH
Panda Antivirus X
Sophos Antivirus X
VirusBuster X
VBA32 X


You're free to (mis)interpret these automated, flawed statistics at your own discretion. For antivirus comparisons, visit AV comparatives
We are not affiliated with any third parties that conduct tests using this service.
clintjm
Active Member
 
Posts: 10
Joined: July 29th, 2008, 11:23 am

Re: Blue Screen

Unread postby Shaba » August 5th, 2008, 8:14 am

Please upload it to VirusTotal as well and post back results :)
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Blue Screen

Unread postby clintjm » August 5th, 2008, 12:19 pm

File rnnfsnp.dll received on 08.05.2008 18:14:04 (CET)
Current status: Loading ... queued waiting scanning finished NOT FOUND STOPPED


Result: 0/36 (0%)
Loading server information...
Your file is queued in position: ___.
Estimated start time is between ___ and ___ .
Do not close the window until scan is complete.
The scanner that was processing your file is stopped at this moment, we are going to wait a few seconds to try to recover your result.
If you are waiting for more than five minutes you have to resend your file.
Your file is being scanned by VirusTotal in this moment,
results will be shown as they're generated.
Compact Print results
Your file has expired or does not exists.
Service is stopped in this moments, your file is waiting to be scanned (position: ) for an undefined time.

You can wait for web response (automatic reload) or type your email in the form below and click "request" so the system sends you a notification when the scan is finished.
Email:


Antivirus Version Last Update Result
AhnLab-V3 2008.8.6.0 2008.08.05 -
AntiVir 7.8.1.15 2008.08.05 -
Authentium 5.1.0.4 2008.08.05 -
Avast 4.8.1195.0 2008.08.05 -
AVG 8.0.0.156 2008.08.05 -
BitDefender 7.2 2008.08.05 -
CAT-QuickHeal 9.50 2008.08.05 -
ClamAV 0.93.1 2008.08.05 -
DrWeb 4.44.0.09170 2008.08.05 -
eSafe 7.0.17.0 2008.08.05 -
eTrust-Vet 31.6.6011 2008.08.05 -
Ewido 4.0 2008.08.05 -
F-Prot 4.4.4.56 2008.08.04 -
F-Secure 7.60.13501.0 2008.08.05 -
Fortinet 3.14.0.0 2008.08.05 -
GData 2.0.7306.1023 2008.08.05 -
Ikarus T3.1.1.34.0 2008.08.05 -
K7AntiVirus 7.10.404 2008.08.05 -
Kaspersky 7.0.0.125 2008.08.05 -
McAfee 5353 2008.08.04 -
Microsoft 1.3807 2008.08.05 -
NOD32v2 3329 2008.08.05 -
Norman 5.80.02 2008.08.05 -
Panda 9.0.0.4 2008.08.04 -
PCTools 4.4.2.0 2008.08.05 -
Prevx1 V2 2008.08.05 -
Rising 20.56.12.00 2008.08.05 -
Sophos 4.31.0 2008.08.05 -
Sunbelt 3.1.1537.1 2008.08.01 -
Symantec 10 2008.08.05 -
TheHacker 6.2.96.393 2008.08.04 -
TrendMicro 8.700.0.1004 2008.08.05 -
VBA32 3.12.8.2 2008.08.05 -
ViRobot 2008.8.5.1324 2008.08.05 -
VirusBuster 4.5.11.0 2008.08.04 -
Webwasher-Gateway 6.6.2 2008.08.05 -
Additional information
File size: 155648 bytes
MD5...: c50f602240065eb2088fef0265b24f36
SHA1..: 17c4ddf3b72b72f07fde56ac6dfd7446c84921e4
SHA256: 026aebf27da30270244b7b839d577e05456041c536848fe42e8925b835ac4fe4
SHA512: f13cfb3e3a7ae0121d947f4213876ae6df3feb1c8c111dc0745015de4fb39b51
179eea458d0a61664fbf9fbfbc297bcfc85fb309b917293d1340ea3117f82f28
PEiD..: -
PEInfo: PE Structure information

( base data )
entrypointaddress.: 0x61101b74
timedatestamp.....: 0x4067fd61 (Mon Mar 29 10:41:37 2004)
machinetype.......: 0x14c (I386)

( 5 sections )
name viradd virsiz rawdsiz ntrpy md5
.text 0x1000 0x16e1c 0x17000 6.62 c66c96c44243f789b371fb84f6d314f0
.rdata 0x18000 0x49a8 0x5000 5.09 cc15435950335865e0a7597848999e2b
.data 0x1d000 0x2848 0x1000 2.75 6ad91d5bae9b526fc937d31db2bbe598
.rsrc 0x20000 0x4c18 0x5000 3.34 eae5bb2cef72b3389e73dab879f90e73
.reloc 0x25000 0x2084 0x3000 3.81 e2f23069738775f29291f438a1183e18

( 10 imports )
> rnnfs32.dll: sys_GetPort, sys_ResetAuthTokenUSER, _ProduceMapValueFromUNC@12, _GetExportsFromMap@20, sys_ListPrintersUSER, sys_GetDeviceNameUSER, sys_EnumHostsUSER, AddListToCacheUSER, StartNetUSER, _startPMandNSMthreads@0, Deregister, Register, GetAutomountHosts, StopNet, sys_CreateRedirHandleUSER, sys_InitPrinterUSER, sys_LinkRedirHandleUSER, sys_ModifyLinkParamsUSER, sys_VerifyHostUSER, GetAuthTokenByAddrUSER, InitHostCache, DeInitHostCache, sys_EnumHandlesUSER, rpcAuthenticate, sys_AuthenticateUSER, sys_GetLinkParamsUSER, rpcResolveNameToIp, AddNameToCacheUSER, FindAuthenticationTokenUSER, PassBannedHostlist, sys_StatusUSER, _sys_GetRemotePathFromDevicenameUSER@12, sys_DeleteRedirHandleUSER, sys_DeAuthenticateUSER, sys_GetExportsUSER, sys_isHostBannedUSER, _MatchLongestKey@8, GetCritDataPtr, sys_GetHandleByUNCPathUSER, sys_GetHandleByDeviceUSER, sys_GetRedirecEntryUSER, setLogonScriptSync
> nfslog.dll: RNReportEvent
> REG_ACC.DLL: ReadAuthinfoDevice, UpdateRegParams, GetNFSSettingDefault, _IsLegalAutomountName@4, GetNFSSetting, SetNFSSetting, WriteAuthinfo, _IsNISEnabled@0, ReadAuthinfo, ReadRegGlobal, _IsRunNISScriptEnabled@0, _WriteLogonStatus@4, _WritePCUserName@4, GetNfsProviderName, WriteAuthinfoDevice, _DoesDeviceExist@4, _DeletePCUserName@0, _DeleteLogonStatus@0, _ReadLogonStatus@4, ReadRegDevice, isDeviceCustomized, WriteToRegistry, _IsAutomountEnabled@0, RegGetConnectDevices
> WS2_32.dll: -, -, -
> GDI32.dll: DeleteObject
> USER32.dll: SetActiveWindow, GetDlgCtrlID, IsWindow, IsIconic, GetSystemMetrics, GetWindowRect, ShowWindow, CharUpperBuffA, CharUpperA, SetCursor, LoadCursorA, GetTopWindow, wsprintfA, MessageBoxA, CharPrevA, SendMessageA, LoadStringA, CharNextA, SetWindowTextA, SetForegroundWindow, EndDialog, SetFocus, GetWindowTextA, GetDlgItem, DialogBoxParamA, WinHelpA, SetWindowPos, GetActiveWindow
> ADVAPI32.dll: GetTokenInformation, ConvertSidToStringSidA, RegOpenKeyExA, RegQueryValueExA, RegCloseKey, InitializeSecurityDescriptor, SetSecurityDescriptorDacl
> VERSION.dll: GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA
> KERNEL32.dll: GetLocaleInfoA, GetCPInfo, WriteFile, GetEnvironmentStringsW, FreeEnvironmentStringsW, GetEnvironmentStrings, FreeEnvironmentStringsA, GetFileType, GetStdHandle, SetHandleCount, HeapSize, SetUnhandledExceptionFilter, LCMapStringW, LCMapStringA, VirtualQuery, GetSystemInfo, VirtualProtect, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, HeapReAlloc, GetStringTypeA, QueryPerformanceCounter, GetModuleHandleA, TlsGetValue, TlsSetValue, TlsFree, TlsAlloc, GetCommandLineA, RaiseException, RtlUnwind, CreateThread, GetCurrentThreadId, ExitThread, HeapAlloc, HeapFree, ExitProcess, GetModuleFileNameA, GetACP, GlobalUnlock, VirtualAlloc, VirtualFree, HeapCreate, GetStringTypeW, GetOEMCP, InterlockedExchange, IsBadReadPtr, IsBadCodePtr, SetFilePointer, GetSystemTimeAsFileTime, GetSystemDirectoryA, CreateFileMappingA, MapViewOfFileEx, GetCurrentProcessId, GetVersionExA, FormatMessageA, lstrcatA, IsDBCSLeadByte, IsBadWritePtr, UnmapViewOfFile, OpenFileMappingA, MapViewOfFile, lstrlenA, IsBadStringPtrW, WideCharToMultiByte, MultiByteToWideChar, InitializeCriticalSection, lstrcpyA, OpenEventA, GetTickCount, SetEvent, LoadLibraryA, GetProcAddress, FreeLibrary, DefineDosDeviceA, GetLastError, LocalFree, Sleep, GetStartupInfoA, lstrcmpW, SetStdHandle, FlushFileBuffers, DeleteCriticalSection, OpenMutexA, SetErrorMode, HeapDestroy, SetLastError, LocalAlloc, GlobalAlloc, GlobalLock, GlobalFree, LeaveCriticalSection, CreateMutexA, WaitForSingleObject, ReleaseMutex, CloseHandle, EnterCriticalSection
> MPR.dll: WNetSetLastErrorW, WNetSetLastErrorA

( 55 exports )
_nfsHaveConnections@@YGHXZ, _nfsUpdateAllSettings@@YGXXZ, AddConnectNotify, CancelConnectNotify, GetAuthId, GetDriveProps, GetEventErrorText, NPAddConnection, NPAddConnection3, NPCancelConnection, NPCloseEnum, NPEnumResource, NPFormatNetworkName, NPGetCaps, NPGetConnection, NPGetConnection3, NPGetConnectionPerformance, NPGetDirectoryType, NPGetResourceInformation, NPGetResourceParent, NPGetUniversalName, NPGetUser, NPLogonNotify, NPOpenEnum, NPPasswordChangeNotify, WNetSetLastErrorA, WNetSetLastErrorW, nfsAddConnection, nfsBackgroundLogin, nfsBrowseExports, nfsBrowseExportsEx, nfsBrowseServers, nfsCancelConnection, nfsConnectWithLogin, nfsConnectWithLoginEx, nfsDeregisterThreads, nfsGetDefaultLoginInfo, nfsIsLoggedIn, nfsIsServerAutomount, nfsKillBrowseCache, nfsLogin, nfsLogoff, nfsLogoffEx, nfsNisAuthenticationInUse, nfsOwned, nfsPath, nfsRegisterThreads, nfsResetAuthentication, nfsServer, nfsServerEx, nfsStart, nfsStop, nfsUpdateCustomSettings, onLogoff, onLogon
clintjm
Active Member
 
Posts: 10
Joined: July 29th, 2008, 11:23 am

Re: Blue Screen

Unread postby Shaba » August 5th, 2008, 12:38 pm

OK, that seems to be legit.

Open notepad and copy/paste the text in the codebox below into it:

Code: Select all
File::
C:\xxdxsn.exe
C:\WINDOWS\system32\srvblck.tmp

Folder::
C:\WINDOWS\system32\dtw5d
C:\WINDOWS\system32\cks


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Image

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Blue Screen

Unread postby clintjm » August 6th, 2008, 3:47 am

ComboFix 08-07-30.01 - MurphC02 2008-08-06 8:35:54.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.436 [GMT 1:00]
Running from: c:\documents and settings\murphc02\desktop\combofix.exe
Command switches used :: C:\Documents and Settings\MurphC02\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\srvblck.tmp
C:\xxdxsn.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\cks
C:\WINDOWS\system32\dtw5d
C:\WINDOWS\system32\srvblck.tmp
C:\xxdxsn.exe

.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.

2008-08-01 15:32 . 2008-08-01 09:46 31,445 --a------ C:\ltr.ARSTMT-ENDDAY.20080731-002004.output
2008-08-01 10:58 . 2008-07-31 23:43 2,793 --a------ C:\ltr.ARSTMT-ENDDAY.20080731-002004.output.gz
2008-07-31 15:34 . 2008-07-31 18:34 477 --a------ C:\WINDOWS\system32\blck1.wav
2008-07-31 09:34 . 2008-07-31 09:34 92,712 --a------ C:\WINDOWS\system32\AcroIEHelpe.dll
2008-07-31 09:21 . 2008-07-31 09:21 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-07-31 09:21 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-07-31 09:21 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-07-30 12:28 . 2008-07-30 12:28 <DIR> d-------- C:\Program Files\GiPo@Utilities
2008-07-30 12:28 . 2008-07-30 12:28 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2008-07-30 11:22 . 2005-01-14 04:41 11,254 --a------ C:\WINDOWS\system32\locate.com
2008-07-30 11:21 . 2008-07-30 11:28 45,796 --a------ C:\MGlogs.zip
2008-07-30 11:20 . 2008-07-30 11:28 <DIR> d-------- C:\MGtools
2008-07-30 11:20 . 2008-05-10 00:16 725,138 --a------ C:\MGtools.exe
2008-07-30 11:13 . 2008-07-30 11:13 <DIR> d-------- C:\Documents and Settings\MurphC02\Application Data\Malwarebytes
2008-07-30 11:13 . 2008-07-30 11:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-07-30 10:58 . 2008-07-30 10:58 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-07-30 10:04 . 2008-07-30 10:04 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-07-30 10:04 . 2008-07-30 10:04 <DIR> d-------- C:\Documents and Settings\MurphC02\Application Data\SUPERAntiSpyware.com
2008-07-30 10:04 . 2008-07-30 10:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-07-30 10:03 . 2008-07-31 09:20 <DIR> d-------- C:\Virus
2008-07-30 09:23 . 2008-07-30 09:23 <DIR> d-------- C:\Program Files\CCleaner
2008-07-29 11:35 . 2008-07-29 11:35 <DIR> d-------- C:\Program Files\Panda Security
2008-07-29 11:35 . 2008-06-19 17:24 28,544 --a------ C:\WINDOWS\system32\drivers\pavboot.sys
2008-07-29 08:45 . 2008-07-29 08:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-07-28 12:46 . 2008-07-28 12:46 0 --a------ C:\WINDOWS\nsreg.dat
2008-07-28 10:47 . 2008-07-28 11:03 <DIR> d-------- C:\Program Files\RegCure
2008-07-28 07:57 . 2008-07-28 07:57 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2008-07-25 13:08 . 2008-07-25 13:08 <DIR> d-------- C:\SPYWARE
2008-07-25 13:08 . 2008-07-31 09:16 992,768 --a------ C:\WINDOWS\system32\nwklr.ini
2008-07-25 13:08 . 2007-04-16 16:52 984,576 --a------ C:\WINDOWS\system32\korlg.ini
2008-07-25 13:08 . 2008-07-31 09:16 846,848 --a------ C:\WINDOWS\system32\nwwlnt.ini
2008-07-25 13:08 . 2008-04-23 05:16 826,368 --a------ C:\WINDOWS\system32\worlg.ini
2008-07-25 13:08 . 2008-07-31 09:16 34,304 --a------ C:\WINDOWS\system32\ldshyr.old
2008-07-25 13:08 . 2008-07-31 09:16 21,504 --a------ C:\WINDOWS\system32\nwpp.ini
2008-07-25 13:08 . 2004-08-04 11:00 17,408 --a------ C:\WINDOWS\system32\pporlg.ini
2008-07-25 13:08 . 2008-07-25 13:08 2 --a------ C:\344628975
2008-07-25 12:14 . 2008-07-29 07:37 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-07-25 12:14 . 2008-07-25 12:14 <DIR> d-------- C:\Documents and Settings\MurphC02\Application Data\PC Tools
2008-07-25 12:14 . 2008-06-10 21:22 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-07-25 12:14 . 2008-06-02 15:19 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-07-25 12:14 . 2008-06-02 15:19 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-07-25 12:14 . 2008-06-02 15:19 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-07-25 11:48 . 2008-07-25 11:52 <DIR> d-------- C:\SmitfraudFix
2008-07-25 11:26 . 2008-07-25 11:33 <DIR> d-------- C:\fixwareout
2008-07-22 13:36 . 2008-07-22 13:36 <DIR> d-------- C:\Program Files\Common Files\PCSuite
2008-07-22 13:35 . 2008-07-22 13:35 <DIR> d-------- C:\Program Files\PC Connectivity Solution
2008-07-22 13:35 . 2007-09-17 15:53 21,632 --a------ C:\WINDOWS\system32\drivers\pccsmcfd.sys
2008-07-16 10:47 . 2008-07-16 10:47 <DIR> d-------- C:\072008
2008-07-15 12:42 . 2008-05-07 07:39 1,419,232 --a------ C:\WINDOWS\system32\wdfcoinstaller01005.dll
2008-07-15 12:42 . 2008-05-07 07:38 659,968 --a------ C:\WINDOWS\system32\nmwcdcocls.dll
2008-07-15 12:42 . 2008-05-07 07:38 20,864 --a------ C:\WINDOWS\system32\drivers\ccdcmbo.sys
2008-07-15 12:42 . 2008-05-07 07:38 17,536 --a------ C:\WINDOWS\system32\drivers\ccdcmb.sys
2008-07-15 12:42 . 2008-05-07 07:38 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerfltj.sys
2008-07-15 12:42 . 2008-06-06 09:24 8,064 --a------ C:\WINDOWS\system32\drivers\usbser_lowerflt.sys
2008-07-09 08:33 . 2008-07-09 08:14 <DIR> d-------- C:\WINDOWS\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 07:34 --------- d-----w C:\Documents and Settings\MurphC02\Application Data\BPFTP
2008-08-05 15:25 --------- d-----w C:\Program Files\DYMO Label
2008-08-05 09:33 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-07-31 09:16 --------- d-----w C:\Program Files\DigiGuide TV Guide
2008-07-31 08:16 846,848 ----a-w C:\WINDOWS\system32\wininet.dll
2008-07-31 08:16 21,504 ----a-w C:\WINDOWS\system32\powrprof.dll
2008-07-30 11:11 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-30 10:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-07-30 09:04 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-07-25 11:02 3,888 ----a-w C:\WINDOWS\system32\tmp.reg
2008-07-25 08:12 --------- d-----w C:\Program Files\Java
2008-07-24 13:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-07-24 07:56 --------- d-----w C:\Program Files\Microsoft Games
2008-07-22 13:01 --------- d-----w C:\Documents and Settings\MurphC02\Application Data\Nokia
2008-07-22 12:36 --------- d-----w C:\Program Files\Nokia
2008-07-22 12:36 --------- d-----w C:\Program Files\Common Files\Nokia
2008-07-22 12:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Installations
2008-06-24 13:12 --------- d-----w C:\Program Files\igoodsoft
2008-06-24 13:11 --------- d-----w C:\Program Files\Common Files\Download Manager
2008-06-20 17:41 245,248 ----a-w C:\WINDOWS\system32\mswsock.dll
2008-06-20 10:45 360,320 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-06-20 10:44 138,368 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-06-17 01:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2008-06-13 13:10 272,128 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-06-12 07:29 --------- d-----w C:\Documents and Settings\MurphC02\Application Data\PC Suite
2008-06-09 11:45 --------- d-----w C:\Documents and Settings\ObrieT01\Application Data\PC Suite
2008-05-07 06:38 90,624 ----a-w C:\WINDOWS\system32\nmwcdcls.dll
2008-05-07 05:18 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2008-02-13 08:46 31 ----a-w C:\Program Files\Notes.ini
2007-01-08 12:28 898 ----a-w C:\Program Files\nb120ilc.sms
2007-01-08 12:28 2,931 ----a-w C:\Program Files\WRQMSI.ini
2007-01-08 12:28 1,094,144 ----a-w C:\Program Files\nb120ilc.msi
2004-04-08 12:47 98,304 ----a-w C:\Program Files\jpn.mst
2004-04-08 12:46 83,968 ----a-w C:\Program Files\fra.mst
2004-04-08 12:46 79,872 ----a-w C:\Program Files\deu.mst
2006-01-13 17:53 57,344 ------w C:\Program Files\internet explorer\plugins\FTDWSER.DLL
2007-05-24 08:29 2,516 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

------- Sigcheck -------

2006-03-04 04:58 663552 c0845ecbf4f9164e618ee381b79c9032 C:\WINDOWS\$hf_mig$\KB912812\SP2QFE\wininet.dll
2007-03-07 18:40 823296 b8f4db39ca7353752f245379d285c80e C:\WINDOWS\$hf_mig$\KB931768-IE7\SP2QFE\wininet.dll
2007-04-25 10:08 823808 431defbb4a3d7b0dc062c1b064623a2f C:\WINDOWS\$hf_mig$\KB933566-IE7\SP2QFE\wininet.dll
2007-06-27 15:40 824320 d6ed5e042c5207553e7f5e842918137f C:\WINDOWS\$hf_mig$\KB937143-IE7\SP2QFE\wininet.dll
2007-08-20 11:02 825344 357d54bf94fe9d6d8505a96b5c2a3bca C:\WINDOWS\$hf_mig$\KB939653-IE7\SP2QFE\wininet.dll
2007-10-11 00:47 825344 0e5d918f87efa7d2424d66b499c7eb04 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
2007-12-07 03:01 825344 b5b411bb229ae6ead7652a32ed47bfb9 C:\WINDOWS\$hf_mig$\KB944533-IE7\SP2QFE\wininet.dll
2008-03-01 14:03 827392 6316c2f0c61271c8abdff7429174879e C:\WINDOWS\$hf_mig$\KB947864-IE7\SP2QFE\wininet.dll
2008-04-23 04:35 827392 41546b396a526918da7995a02ea04e51 C:\WINDOWS\$hf_mig$\KB950759-IE7\SP2QFE\wininet.dll
2006-03-04 04:33 658432 1c0979c7a489bee573cd0bf4ad94bb06 C:\WINDOWS\$NtUninstallKB912812$\wininet.dll
2006-03-04 04:58 663552 c0845ecbf4f9164e618ee381b79c9032 C:\WINDOWS\$NtUninstallKB922760$\wininet.dll
2006-09-14 09:31 664576 d207370287cf769aebebf03837784963 C:\WINDOWS\ie7\wininet.dll
2006-11-07 22:03 818688 92995334f993e6e49c25c6d02ec04401 C:\WINDOWS\ie7updates\KB928090-IE7\wininet.dll
2007-01-12 10:27 822784 be43d00d802c92f01c8cc952c6f483f8 C:\WINDOWS\ie7updates\KB931768-IE7\wininet.dll
2007-03-07 18:45 822784 5b35dae6e4886f64d1da58c4e3e01eb9 C:\WINDOWS\ie7updates\KB933566-IE7\wininet.dll
2007-04-25 09:41 822784 0586a7f0b2fdb94d624f399d4728e7c8 C:\WINDOWS\ie7updates\KB937143-IE7\wininet.dll
2007-06-27 15:34 823808 8068cbb58fe60cc95aeb2cff70178208 C:\WINDOWS\ie7updates\KB939653-IE7\wininet.dll
2007-08-20 11:04 824832 774435e499d8e9643ec961a6103c361f C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
2007-10-11 00:56 824832 30c1e0f34ad2972c72a01db5c74ab065 C:\WINDOWS\ie7updates\KB944533-IE7\wininet.dll
2007-12-07 03:21 824832 806d274c9a6c3aaea5eae8e4af841e04 C:\WINDOWS\ie7updates\KB947864-IE7\wininet.dll
2008-03-01 14:06 826368 ad21461aef8244edec2ef18e55e1dcf3 C:\WINDOWS\ie7updates\KB950759-IE7\wininet.dll
2008-07-31 09:16 846848 d85a31287df3bb284563276602386a3b C:\WINDOWS\system32\wininet.dll
2008-07-31 09:16 846848 d85a31287df3bb284563276602386a3b C:\WINDOWS\system32\dllcache\wininet.dll
.
((((((((((((((((((((((((((((( snapshot@2008-07-31_ 9.40.42.70 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-12-11 09:32:21 6,826 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\delr1en.DAT
+ 2008-08-05 08:59:28 6,878 ----a-w C:\WINDOWS\system32\spool\drivers\w32x86\3\delr1en.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 11:00 15360]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-09-13 12:12 139264]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-15 13:52 68856]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 10:33 1506544]
"PC Suite Tray"="c:\program files\nokia\nokia pc suite 6\pcsuite.exe" [2008-04-16 12:53 1079808]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-03-30 10:36 267048]
"IgfxTray"="C:\WINDOWS\system32\igfxtray.exe" [2006-07-21 17:48 98304]
"HotKeysCmds"="C:\WINDOWS\system32\hkcmd.exe" [2006-07-21 17:50 86016]
"DellNSCST"="C:\Program Files\DELL\Dell Laser MFP 1600n\NetworkScan\DNSCST.exe" [2006-02-20 15:07 278528]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-05-29 18:33 52840]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-11 19:54 623992]
"!AVG Anti-Spyware"="c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe" [2007-09-06 08:26 6731312]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2007-06-06 15:25 125632]
"Synchronization Manager"="C:\WINDOWS\system32\mobsync.exe" [2004-08-04 11:00 143360]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2006-05-01 11:07 843776]
"QuickTime Task"="c:\program files\quicktime\qttask.exe" [2008-03-28 23:37 413696]
"Persistence"="C:\WINDOWS\system32\igfxpers.exe" [2006-07-21 17:47 81920]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 17:40 155648]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Nokia.PCSync"="C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe" [2008-03-26 18:41 1232896]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"ProfileQuotaMessage"= You have exceeded your profile storage space. Before you can log off, you need to move some items from your profile to network or local storage.
"EnableProfileQuota"= 1 (0x1)
"MaxProfileSize"= 30000 (0x7530)
"IncludeRegInProQuota"= 1 (0x1)
"WarnUser"= 1 (0x1)
"WarnUserTimeout"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!saswinlogon]
2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wxinfoclient]
2008-07-31 09:32 47104 C:\Program Files\Cordaware\Infoband\wxInfoclient.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rnnfsnp]
2004-03-29 04:41 155648 C:\WINDOWS\system32\rnnfsnp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.ffds"= C:\PROGRA~1\COMBIN~1\Filters\FFDShow\ff_vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\DELL\\Dell Laser MFP 1600n\\NetworkScan\\DNSCST.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\WINDOWS\\system32\\winver.exe"=
"C:\\Program Files\\Microsoft Games\\Age of Empires III\\age3x.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"6129:TCP"= 6129:TCP:DameWare Mini Remote Control Service

R0 pavboot;pavboot;C:\WINDOWS\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;C:\WINDOWS\system32\DRIVERS\dwvkbd.sys [2007-02-15 17:00]
R2 InfoclientUserDesktop;Cordaware Infoclient(User);C:\Program Files\Cordaware\Infoband\Infoclient.exe [2007-09-08 16:42]
R2 InfoclientWinlogonDesktop;Cordaware Infoclient(Winlogon);C:\Program Files\Cordaware\Infoband\Infoclient.exe W []
R2 ReflectionNFS;WRQ Reflection NFS Client;C:\Program Files\Reflection\rnnfserv.exe [2004-03-29 04:41]
R3 DwMirror;DwMirror;C:\WINDOWS\system32\DRIVERS\DamewareMini.sys [2007-02-07 18:00]
R3 ReflectionNFSRDR;NFS Redirector;C:\WINDOWS\system32\DRIVERS\rrdr_2k.sys [2004-03-29 04:31]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\##amssanfile01#itadmin$]
\Shell\AutoRun\command - setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\autorun.exe
\Shell\setup\command - D:\setup.exe

*Newly Created Service* - catchme
.
Contents of the 'Scheduled Tasks' folder

2008-08-02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 17:57]

2008-08-05 C:\WINDOWS\Tasks\RegCure Program Check.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 22:21]

2008-07-31 C:\WINDOWS\Tasks\RegCure.job
- C:\Program Files\RegCure\RegCure.exe [2008-04-21 22:21]
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{8FF5E180-ABDE-46EB-B09E-D2AAB95CABE3} - (no file)


**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 08:38:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-08-06 8:39:34
ComboFix-quarantined-files.txt 2008-08-06 07:39:25
ComboFix2.txt 2008-08-01 14:37:31
ComboFix3.txt 2008-07-31 08:40:58

Pre-Run: 56,457,515,008 bytes free
Post-Run: 56,450,260,992 bytes free

245 --- E O F --- 2008-07-22 12:56:57


Hi,

Combofix ran without a reboot and with no errors.

Sorry I should point out that symantec now no longer detects anything.
clintjm
Active Member
 
Posts: 10
Joined: July 29th, 2008, 11:23 am

Re: Blue Screen

Unread postby Shaba » August 6th, 2008, 9:09 am

Please post also a fresh HijackThis log and tell me if you recognize these?

2008-07-25 13:08 . 2008-07-31 09:16 992,768 --a------ C:\WINDOWS\system32\nwklr.ini
2008-07-25 13:08 . 2007-04-16 16:52 984,576 --a------ C:\WINDOWS\system32\korlg.ini
2008-07-25 13:08 . 2008-07-31 09:16 846,848 --a------ C:\WINDOWS\system32\nwwlnt.ini
2008-07-25 13:08 . 2008-04-23 05:16 826,368 --a------ C:\WINDOWS\system32\worlg.ini
2008-07-25 13:08 . 2008-07-31 09:16 34,304 --a------ C:\WINDOWS\system32\ldshyr.old
2008-07-25 13:08 . 2008-07-31 09:16 21,504 --a------ C:\WINDOWS\system32\nwpp.ini
2008-07-25 13:08 . 2004-08-04 11:00 17,408 --a------ C:\WINDOWS\system32\pporlg.ini
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Blue Screen

Unread postby clintjm » August 7th, 2008, 4:48 am

Hi,

Sorry I don't know what any of those are. Here is the latest log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:08, on 2008-08-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Reflection\rnnfserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Cordaware\Infoband\Infoclient.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Cordaware\Infoband\Infoclient.exe
C:\WINDOWS\Explorer.EXE
c:\windows\system32\dwrcst.exe
c:\program files\itunes\ituneshelper.exe
c:\windows\system32\hkcmd.exe
c:\program files\dell\dell laser mfp 1600n\networkscan\dnscst.exe
c:\program files\common files\symantec shared\ccapp.exe
c:\program files\adobe\acrobat 8.0\acrobat\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe
c:\progra~1\symant~1\vptray.exe
c:\program files\java\jre1.6.0_07\bin\jusched.exe
c:\program files\analog devices\core\smax4pnp.exe
c:\windows\system32\igfxpers.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\windows\system32\ctfmon.exe
c:\program files\common files\ahead\lib\nmbgmonitor.exe
c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe
C:\WINDOWS\system32\proquota.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\nokia\nokia pc suite 6\pcsuite.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\pc connectivity solution\transports\nclusbsrv.exe
c:\program files\pc connectivity solution\transports\nclrssrv.exe
c:\program files\internet explorer\iexplore.exe
c:\program files\trend micro\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B782EDE4-CCB3-4E3E-981F-96C68116F38C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DellNSCST] "C:\Program Files\DELL\Dell Laser MFP 1600n\NetworkScan\DNSCST.exe" /HIDEUI
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 6\pcsuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.google.ie
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5570695656
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = hun.astron,rrd.com,rrd.net,ams.astron.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hun.astron,rrd.com,rrd.net,ams.astron.int
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = hun.astron,rrd.com,rrd.net,ams.astron.int
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hun.astron,rrd.com,rrd.net,ams.astron.int
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rnnfsnp - C:\WINDOWS\SYSTEM32\rnnfsnp.dll
O20 - Winlogon Notify: wxInfoclient - C:\Program Files\Cordaware\Infoband\wxInfoclient.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Cordaware Infoclient(User) (InfoclientUserDesktop) - Cordaware - C:\Program Files\Cordaware\Infoband\Infoclient.exe
O23 - Service: Cordaware Infoclient(Winlogon) (InfoclientWinlogonDesktop) - Cordaware - C:\Program Files\Cordaware\Infoband\Infoclient.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: WRQ Reflection NFS Client (ReflectionNFS) - WRQ, Inc. - C:\Program Files\Reflection\rnnfserv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 13854 bytes
clintjm
Active Member
 
Posts: 10
Joined: July 29th, 2008, 11:23 am

Re: Blue Screen

Unread postby Shaba » August 7th, 2008, 7:59 am

Please go to Kaspersky website and perform an online antivirus scan.

  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply along with a fresh HijackThis log.
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Blue Screen

Unread postby clintjm » August 7th, 2008, 11:46 am

Hi,

I could not get to the kaspersky site on Internet explorer as it kept saying it was unreachable. I used mozilla and it worked. Here is the log.

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7 REPORT
Thursday, August 7, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Thursday, August 07, 2008 14:05:14
Records in database: 1066620
--------------------------------------------------------------------------------

Scan settings:
Scan using the following database: extended
Scan archives: yes
Scan mail databases: yes

Scan area - My Computer:
C:\
D:\
F:\
H:\
O:\
V:\
X:\
Y:\
Z:\

Scan statistics:
Files scanned: 78807
Threat name: 23
Infected objects: 31
Suspicious objects: 1
Duration of the scan: 02:09:18


File name / Threat name / Threats count
C:\Program Files\RealVNC\VNC4\WinVNC4.exe/C:\Program Files\RealVNC\VNC4\WinVNC4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06B00000.VBN Infected: not-virus:BadJoke.Win32.Delf.af 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06B00000.VBN Infected: not-virus:BadJoke.Win32.RJL.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06B00000.VBN Infected: not-virus:BadJoke.Win32.FakeFormat.105 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06B00000.VBN Infected: Hoax.Win32.BadJoke.RJL.c 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06B00000.VBN Infected: Trojan.Win32.Delf.fh 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06B00000.VBN Infected: not-virus:BadJoke.Win32.MADFlop.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06B00000.VBN Infected: not-virus:BadJoke.Win32.Krepper.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06B00000.VBN Infected: not-virus:BadJoke.Win32.RJL.a 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06B00000.VBN Infected: not-virus:BadJoke.Win32.Finger.b 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08380000\48B84E41.VBN Infected: Trojan.Win32.Pakes.cyw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08F80000\48F9CDD1.VBN Infected: Trojan.Win32.Pakes.cyw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09BC0000\49BEC0C2.VBN Infected: Trojan.Win32.Monderb.adq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09BC0001\49BEC0D1.VBN Infected: Trojan.Win32.Monderb.adq 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B140002\4B9D944F.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C480000\4CD835CC.VBN Infected: not-a-virus:AdWare.Win32.BHO.cdw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C480001\4CD835E4.VBN Infected: not-a-virus:AdWare.Win32.BHO.cdw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C480002\4CD83627.VBN Infected: not-a-virus:AdWare.Win32.BHO.cdw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C480003\4CD83633.VBN Infected: not-a-virus:AdWare.Win32.BHO.cdw 1
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EC80000\4ECDA1E0.VBN Infected: Rootkit.Win32.Podnuha.zn 1
C:\Documents and Settings\MurphC02\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Spy.Win32.Zbot.dkf 1
C:\Documents and Settings\MurphC02\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Email-Worm.Win32.NetSky.b 1
C:\Documents and Settings\MurphC02\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Infected: Trojan-Downloader.HTML.Agent.km 1
C:\Documents and Settings\MurphC02\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Suspicious: Trojan-Spy.HTML.Fraud.gen 1
C:\Documents and Settings\MurphC02\Local Settings\temp\conlf.ini Infected: Trojan.Win32.Patcher.br 1
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 1
C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Virus\malwarethings\mbam-setup.exe Infected: not-a-virus:FraudTool.Win32.SpyNoMore.g 1
C:\WINDOWS\system32\AcroIEHelpe.dll Infected: Trojan.Win32.BHO.fqx 1


Also a hijack this log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:43, on 2008-08-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nslsvice.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Reflection\rnnfserv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Cordaware\Infoband\Infoclient.exe
C:\Program Files\Cordaware\Infoband\Infoclient.exe
C:\Program Files\lotus\notes\ntmulti.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
c:\windows\system32\dwrcst.exe
c:\program files\itunes\ituneshelper.exe
c:\windows\system32\hkcmd.exe
c:\program files\dell\dell laser mfp 1600n\networkscan\dnscst.exe
c:\program files\common files\symantec shared\ccapp.exe
c:\program files\adobe\acrobat 8.0\acrobat\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe
c:\progra~1\symant~1\vptray.exe
c:\program files\java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\analog devices\core\smax4pnp.exe
c:\windows\system32\igfxpers.exe
c:\windows\system32\ctfmon.exe
c:\program files\common files\ahead\lib\nmbgmonitor.exe
c:\program files\google\googletoolbarnotifier\googletoolbarnotifier.exe
C:\WINDOWS\system32\proquota.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
c:\program files\nokia\nokia pc suite 6\pcsuite.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
c:\program files\pc connectivity solution\transports\nclusbsrv.exe
c:\program files\pc connectivity solution\transports\nclrssrv.exe
c:\program files\mozilla firefox\firefox.exe
c:\program files\trend micro\hijackthis\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.ie/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 127.0.0.1:81
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = local
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 7\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
O2 - BHO: (no name) - {B782EDE4-CCB3-4E3E-981F-96C68116F38C} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 7\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DellNSCST] "C:\Program Files\DELL\Dell Laser MFP 1600n\NetworkScan\DNSCST.exe" /HIDEUI
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "c:\program files\grisoft\avg anti-spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [PC Suite Tray] "c:\program files\nokia\nokia pc suite 6\pcsuite.exe" -onlytray
O4 - HKUS\S-1-5-18\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Nokia.PCSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - cmdmapping - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.google.ie
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200 ... plugin.cab
O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5570695656
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = hun.astron,rrd.com,rrd.net,ams.astron.int
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = hun.astron,rrd.com,rrd.net,ams.astron.int
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: SearchList = hun.astron,rrd.com,rrd.net,ams.astron.int
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = hun.astron,rrd.com,rrd.net,ams.astron.int
O20 - Winlogon Notify: !saswinlogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: rnnfsnp - C:\WINDOWS\SYSTEM32\rnnfsnp.dll
O20 - Winlogon Notify: wxInfoclient - C:\Program Files\Cordaware\Infoband\wxInfoclient.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DB2 JDBC Applet Server (DB2JDS) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2jds.exe
O23 - Service: DB2 Security Server (DB2NTSECSERVER) - International Business Machines Corporation - C:\Program Files\IBM\SQLLIB\BIN\db2sec.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Cordaware Infoclient(User) (InfoclientUserDesktop) - Cordaware - C:\Program Files\Cordaware\Infoband\Infoclient.exe
O23 - Service: Cordaware Infoclient(Winlogon) (InfoclientWinlogonDesktop) - Cordaware - C:\Program Files\Cordaware\Infoband\Infoclient.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lotus Notes Single Logon - IBM Corp - C:\WINDOWS\system32\nslsvice.exe
O23 - Service: Multi-user Cleanup Service - IBM Corp - C:\Program Files\lotus\notes\ntmulti.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: WRQ Reflection NFS Client (ReflectionNFS) - WRQ, Inc. - C:\Program Files\Reflection\rnnfserv.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 13851 bytes


Thanks.
clintjm
Active Member
 
Posts: 10
Joined: July 29th, 2008, 11:23 am

Re: Blue Screen

Unread postby Shaba » August 7th, 2008, 12:43 pm

Empty this folder:

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5

Delete these:

C:\WINDOWS\system32\AcroIEHelpe.dll
C:\Documents and Settings\MurphC02\Local Settings\temp\conlf.ini

Empty Recycle Bin.

Still problems?
User avatar
Shaba
Admin/Teacher Emeritus
 
Posts: 26974
Joined: March 24th, 2006, 4:42 am
Location: Finland

Re: Blue Screen

Unread postby clintjm » August 7th, 2008, 1:29 pm

Hi again,

Ok I have done all you asked. Any idea why internet explorer will not display the kaspersky web site and firefox will. Is this a sign of further infection?

Thanks.
clintjm
Active Member
 
Posts: 10
Joined: July 29th, 2008, 11:23 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 71 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware