Computer infected with Metajuan trojan horse.

Re: Computer infected with Metajuan trojan horse.

Post by johnnycolumbia » September 3rd, 2009, 3:56 am

Here's the combofix.log

ComboFix 09-09-02.02 - Amy 03/09/2009 8:26.1.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1246.565 [GMT 1:00]
Running from: c:\documents and settings\Amy\Desktop\Combo-Fix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\recycler\S-1-5-21-1915519111-964205337-987034947-1003
C:\setup.exe
c:\windows\system32\mcrh.tmp
c:\windows\system32\SKYNETakstvuue.dat
c:\windows\system32\SKYNETyljapyah.dat
c:\windows\system32\UACcyuifontie.dat
c:\windows\system32\uacinit.dll
c:\windows\system32\UACjrptgxqoke.db

.
((((((((((((((((((((((((( Files Created from 2009-08-03 to 2009-09-03 )))))))))))))))))))))))))))))))
.

2009-08-26 19:11 . 2009-08-26 19:11 -------- d-----w- c:\program files\Trend Micro
2009-08-24 21:49 . 2009-08-24 21:49 -------- d-----w- c:\documents and settings\Amy\Application Data\Creative
2009-08-18 20:18 . 2009-08-18 20:18 -------- d-----w- c:\program files\Norton Support
2009-08-18 20:18 . 2009-08-18 20:18 -------- d-----w- c:\documents and settings\Amy\Local Settings\Application Data\Symantec
2009-08-18 20:08 . 2009-08-18 20:08 35888 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-08-18 20:08 . 2009-08-18 20:08 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-18 20:08 . 2009-08-18 20:08 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-18 20:07 . 2009-08-18 20:07 -------- d-----w- c:\windows\system32\drivers\NAV
2009-08-18 20:07 . 2009-08-18 20:07 -------- d-----w- c:\program files\Norton AntiVirus
2009-08-18 20:07 . 2009-08-18 20:07 -------- d-----w- c:\program files\Windows Sidebar
2009-08-18 19:58 . 2009-08-18 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-18 19:58 . 2009-08-18 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-18 19:58 . 2009-08-18 19:58 -------- d-----w- c:\program files\NortonInstaller
2009-08-18 19:02 . 2009-08-18 19:02 -------- d-sh--w- c:\documents and settings\Maffu\PrivacIE
2009-08-18 19:02 . 2009-08-18 19:02 -------- d-sh--w- c:\documents and settings\Maffu\IETldCache
2009-08-18 13:18 . 2009-08-18 18:51 -------- d-----w- c:\program files\techguysctss
2009-08-17 22:28 . 2009-08-17 22:28 -------- d-----w- c:\documents and settings\Amy\Local Settings\Application Data\Google
2009-08-11 19:10 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 14:02 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-08-10 13:50 . 2009-08-10 13:50 -------- d-----w- c:\windows\system32\scripting
2009-08-10 13:50 . 2009-08-10 13:50 -------- d-----w- c:\windows\system32\en
2009-08-10 13:50 . 2009-08-10 13:50 -------- d-----w- c:\windows\system32\bits
2009-08-10 13:48 . 2009-08-10 13:48 -------- d-----w- c:\windows\ServicePackFiles
2009-08-10 13:43 . 2009-08-10 13:43 -------- d-----w- c:\windows\EHome
2009-08-10 12:32 . 2008-04-13 18:40 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2009-08-10 12:31 . 2004-08-03 21:41 1309184 ------w- c:\windows\system32\drivers\mtlstrm.sys
2009-08-10 12:30 . 2008-04-14 00:11 15423 ------w- c:\windows\system32\drivers\ch7xxnt5.dll
2009-08-09 16:54 . 2009-08-09 16:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-09 16:40 . 2009-08-09 16:40 -------- d-sh--w- c:\documents and settings\Amy\IECompatCache
2009-08-09 16:38 . 2009-08-09 16:38 -------- d-sh--w- c:\documents and settings\Amy\PrivacIE
2009-08-09 16:38 . 2009-08-09 16:38 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-09 16:37 . 2009-08-09 16:37 -------- d-sh--w- c:\documents and settings\Amy\IETldCache
2009-08-09 16:36 . 2009-08-09 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-08-09 16:34 . 2009-08-09 16:34 -------- d-----w- c:\windows\ie8updates
2009-08-09 16:33 . 2009-08-09 16:33 -------- dc-h--w- c:\windows\ie8
2009-08-09 16:29 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-08-09 16:29 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-09 16:29 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-08-09 14:05 . 2009-08-09 14:15 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-08-09 14:05 . 2009-08-09 14:15 16160 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-09 14:05 . 2009-08-09 14:14 -------- d-----w- c:\documents and settings\Gamer\Application Data\Virgin Broadband
2009-08-09 13:44 . 2009-08-10 13:50 -------- d-----w- c:\windows\l2schemas
2009-08-09 13:43 . 2008-04-14 00:12 69120 ------w- c:\windows\system32\wlanapi.dll
2009-08-09 11:05 . 2009-08-09 11:05 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-09 11:05 . 2009-08-09 11:05 -------- d-----w- c:\program files\MSBuild
2009-08-09 11:05 . 2009-08-09 11:05 -------- d-----w- c:\program files\Reference Assemblies
2009-08-09 11:05 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-09 11:05 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-09 11:05 . 2009-08-09 11:05 -------- d-----w- C:\1fd7176ac590664ec748c9d83e4342aa
2009-08-09 11:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-09 11:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-09 11:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-09 11:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-09 11:05 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-09 11:00 . 2009-08-09 11:00 -------- d-----w- c:\program files\MSXML 6.0
2009-08-09 11:00 . 2009-08-09 11:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-09 10:44 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-08-09 10:42 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-08-09 10:42 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-08-09 10:42 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-08-05 09:01 . 2009-08-05 09:01 204800 ------w- c:\windows\system32\dllcache\mswebdvd.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-03 07:36 . 2007-09-30 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-09-03 07:36 . 2006-12-11 21:26 -------- d-----w- c:\program files\lx_cats
2009-09-03 07:35 . 2008-08-28 15:39 -------- d-----w- c:\program files\Common Files\Akamai
2009-09-02 20:39 . 2008-09-07 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-01 14:22 . 2009-06-07 23:35 -------- d-----w- c:\documents and settings\Amy\Application Data\Spotify
2009-09-01 14:02 . 2008-12-02 23:59 -------- d-----w- c:\program files\Celtx
2009-09-01 12:38 . 2009-04-06 14:18 -------- d-----w- c:\documents and settings\Amy\Application Data\uTorrent
2009-08-18 20:11 . 2006-01-16 03:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-18 20:09 . 2006-01-16 03:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-18 20:08 . 2009-08-18 20:08 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-18 20:08 . 2009-08-18 20:08 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-18 20:08 . 2006-01-16 03:34 -------- d-----w- c:\program files\Symantec
2009-08-18 18:53 . 2008-08-03 17:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-14 02:21 . 2006-04-23 15:04 32176 ----a-w- c:\documents and settings\Amy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-10 14:00 . 2007-09-30 20:07 -------- d-----w- c:\program files\Kontiki
2009-08-10 12:38 . 2006-04-23 22:19 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-08-10 12:37 . 2009-01-22 17:18 -------- d-----w- c:\program files\Microsoft Works
2009-08-09 14:15 . 2009-08-09 14:05 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-08-09 14:15 . 2009-08-09 14:05 1292 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-09 14:14 . 2009-04-06 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Virgin Broadband
2009-08-09 14:14 . 2009-04-06 13:22 -------- d-----w- c:\program files\Virgin Broadband
2009-08-09 13:39 . 2006-01-16 03:34 -------- d-----w- c:\program files\InstallShield Installation Information
2009-08-09 13:30 . 2006-01-16 03:34 -------- d-----w- c:\program files\Common Files\Real
2009-08-09 12:54 . 2009-02-07 14:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-05 09:01 . 2003-01-03 03:52 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2003-01-03 03:52 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2003-01-03 03:53 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-07 11:47 . 2009-07-07 11:47 1915520 ----a-w- c:\documents and settings\Amy\Application Data\Macromedia\Flash Player\www.macromedia.com\bin\fpupdateax\fpupdateax.exe
2009-07-03 17:09 . 2003-01-03 03:53 915456 ----a-w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2003-01-03 03:53 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2003-01-03 03:53 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2003-01-03 03:53 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2003-01-03 03:52 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2003-01-03 03:52 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2003-01-03 03:52 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2003-01-03 03:52 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2003-01-03 03:53 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2003-01-03 03:52 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2003-01-03 03:53 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2003-01-03 03:52 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2003-01-03 05:05 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2003-01-03 03:53 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-11-27 1032376]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-19 286720]
"NapsterShell"="c:\program files\Napster\napster.exe" [2009-02-03 323216]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2009-6-30 303104]
Metacafe.lnk - c:\program files\Metacafe\MetacafeAgent.exe [2008-6-29 145736]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.CHIP^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Administrator.CHIP\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\APPS\\Powercinema\\PowerCinema.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"2233:TCP"= 2233:TCP:Akamai NetSession Interface
"1178:TCP"= 1178:TCP:Akamai NetSession Interface
"4904:TCP"= 4904:TCP:Akamai NetSession Interface
"1099:TCP"= 1099:TCP:Akamai NetSession Interface
"1151:TCP"= 1151:TCP:Akamai NetSession Interface
"2643:TCP"= 2643:TCP:Akamai NetSession Interface
"4295:TCP"= 4295:TCP:Akamai NetSession Interface
"1237:TCP"= 1237:TCP:Akamai NetSession Interface
"1069:TCP"= 1069:TCP:Akamai NetSession Interface
"1089:TCP"= 1089:TCP:Akamai NetSession Interface
"1057:TCP"= 1057:TCP:Akamai NetSession Interface
"1065:TCP"= 1065:TCP:Akamai NetSession Interface
"2348:TCP"= 2348:TCP:Akamai NetSession Interface
"2359:TCP"= 2359:TCP:Akamai NetSession Interface
"1284:TCP"= 1284:TCP:Akamai NetSession Interface
"3732:TCP"= 3732:TCP:Akamai NetSession Interface
"1064:TCP"= 1064:TCP:Akamai NetSession Interface
"1075:TCP"= 1075:TCP:Akamai NetSession Interface
"3522:TCP"= 3522:TCP:Akamai NetSession Interface
"1918:TCP"= 1918:TCP:Akamai NetSession Interface
"1061:TCP"= 1061:TCP:Akamai NetSession Interface
"1937:TCP"= 1937:TCP:Akamai NetSession Interface
"3513:TCP"= 3513:TCP:Akamai NetSession Interface
"3515:TCP"= 3515:TCP:Akamai NetSession Interface
"4343:TCP"= 4343:TCP:Akamai NetSession Interface
"4394:TCP"= 4394:TCP:Akamai NetSession Interface
"1611:TCP"= 1611:TCP:Akamai NetSession Interface
"2028:TCP"= 2028:TCP:Akamai NetSession Interface
"3221:TCP"= 3221:TCP:Akamai NetSession Interface
"3065:TCP"= 3065:TCP:Akamai NetSession Interface
"1414:TCP"= 1414:TCP:Akamai NetSession Interface
"1670:TCP"= 1670:TCP:Akamai NetSession Interface
"2424:TCP"= 2424:TCP:Akamai NetSession Interface
"2437:TCP"= 2437:TCP:Akamai NetSession Interface
"3599:TCP"= 3599:TCP:Akamai NetSession Interface
"2351:TCP"= 2351:TCP:Akamai NetSession Interface
"3490:TCP"= 3490:TCP:Akamai NetSession Interface
"2995:TCP"= 2995:TCP:Akamai NetSession Interface
"3006:TCP"= 3006:TCP:Akamai NetSession Interface
"4645:TCP"= 4645:TCP:Akamai NetSession Interface
"3112:TCP"= 3112:TCP:Akamai NetSession Interface
"4206:TCP"= 4206:TCP:Akamai NetSession Interface
"4573:TCP"= 4573:TCP:Akamai NetSession Interface
"2458:TCP"= 2458:TCP:Akamai NetSession Interface
"1651:TCP"= 1651:TCP:Akamai NetSession Interface
"1723:TCP"= 1723:TCP:Akamai NetSession Interface
"4146:TCP"= 4146:TCP:Akamai NetSession Interface
"3255:TCP"= 3255:TCP:Akamai NetSession Interface
"3359:TCP"= 3359:TCP:Akamai NetSession Interface
"3376:TCP"= 3376:TCP:Akamai NetSession Interface
"3755:TCP"= 3755:TCP:Akamai NetSession Interface
"4607:TCP"= 4607:TCP:Akamai NetSession Interface
"2632:TCP"= 2632:TCP:Akamai NetSession Interface
"3026:TCP"= 3026:TCP:Akamai NetSession Interface
"2659:TCP"= 2659:TCP:Akamai NetSession Interface
"3944:TCP"= 3944:TCP:Akamai NetSession Interface
"2038:TCP"= 2038:TCP:Akamai NetSession Interface

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1000000.07D\SymEFA.sys [18/08/2009 21:08 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [18/08/2009 21:08 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1000000.07D\ccHPx86.sys [18/08/2009 21:08 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSXpx86.sys [18/08/2009 21:11 276344]
R2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [03/01/2003 04:53 14336]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe [18/08/2009 21:08 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [30/08/2009 03:15 102448]
S2 LXCRCustomerConnect;LXCRCustomerConnect;c:\windows\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe --> c:\windows\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe [?]
S3 acfva;acfva;c:\windows\system32\DRIVERS\acfva.sys --> c:\windows\system32\DRIVERS\acfva.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [15/04/2008 14:49 16512]
S3 HSFHWCD2;HSFHWCD2;c:\windows\system32\drivers\HSFHWCD2.sys [23/04/2006 16:18 201728]
S3 nenum13E;nenum13E;\??\c:\docume~1\Maffu\LOCALS~1\Temp\nenum13E.sys --> c:\docume~1\Maffu\LOCALS~1\Temp\nenum13E.sys [?]
S3 s3117bus;Sony Ericsson Device 3117 driver (WDM);c:\windows\system32\drivers\s3117bus.sys [13/02/2009 21:05 90408]
S3 s3117mdfl;Sony Ericsson Device 3117 USB WMC Modem Filter;c:\windows\system32\drivers\s3117mdfl.sys [13/02/2009 21:05 15016]
S3 s3117mdm;Sony Ericsson Device 3117 USB WMC Modem Driver;c:\windows\system32\drivers\s3117mdm.sys [13/02/2009 21:05 122024]
S3 s3117mgmt;Sony Ericsson Device 3117 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3117mgmt.sys [13/02/2009 21:05 115368]
S3 s3117nd5;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (NDIS);c:\windows\system32\drivers\s3117nd5.sys [13/02/2009 21:05 25768]
S3 s3117obex;Sony Ericsson Device 3117 USB WMC OBEX Interface;c:\windows\system32\drivers\s3117obex.sys [13/02/2009 21:05 111784]
S3 s3117unic;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (WDM);c:\windows\system32\drivers\s3117unic.sys [13/02/2009 21:05 117544]

--- Other Services/Drivers In Memory ---

*Deregistered* - VolumeFilter

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-09-03 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-07 13:40]

2009-09-03 c:\windows\Tasks\HDReg.job
- c:\apps\HDReg\HDRegRem.exe [2003-01-06 18:14]

2009-09-03 c:\windows\Tasks\Norton AntiVirus - Amy - Full System Scan.job
- c:\program files\Norton AntiVirus\Engine\16.0.0.125\Navw32.exe [2009-08-18 20:08]
.
- - - - ORPHANS REMOVED - - - -

Toolbar-{4dd6071a-038f-4806-9a54-6ea74c49760c} - c:\program files\football365Toolbar\insptbar.dll
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKCU-Run-adfwxaaa - c:\windows\system32\adfwxaaa.exe
HKLM-Run-ISTray - c:\program files\techguysctss\sscommon\common\snapins\toolkit_techguys\bin\sdscanner\pctsTray.exe
HKLM-Run-BVRPLiveUpdate - c:\program files\Avanquest update\Engine\Setup.exe
Notify-cbxuvvu - cbxuvvu.dll


.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com/
uInternet Connection Wizard,ShellNext = hxxp://www.pjonline.com/Editorial/20060 ... stion.html
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Amy\Application Data\Mozilla\Firefox\Profiles\9a55r9c6.default\
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/sear ... -web_uk&p=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-03 08:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-326614594-1740654645-2243009310-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3248)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\program files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\program files\Kontiki\KService.exe
c:\windows\wanmpsvc.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\lxcrcoms.exe
c:\progra~1\MICROS~3\rapimgr.exe
.
**************************************************************************
.
Completion time: 2009-09-03 8:40 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-03 07:40

Pre-Run: 4,758,556,672 bytes free
Post-Run: 4,714,180,608 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
Timeout=2
Default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

Current=9 Default=9 Failed=8 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
359 --- E O F --- 2009-08-30 15:56

And here's the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:54:43, on 03/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pjonline.com/Editorial/20060 ... stion.html
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5208034546
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LXCRCustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe (file missing)
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8750 bytes
johnnycolumbia
Regular Member
 
Posts: 18
Joined: August 18th, 2009, 7:21 pm
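An added example, not code from this thread or from HijackThis itself: a short Python script that parses the O4/O16/O23 lines of a HijackThis log like the one above and flags the things a helper checks first by eye. The sample lines are copied from the log above (the "..." in the truncated URLs is kept as posted); the triage rules are this example's own heuristics, not HijackThis verdicts, and a hit is a reason to look closer, not proof of infection.

```python
import re
from dataclasses import dataclass

# Constructed sample input: O4/O16/O23 lines copied from the HijackThis log
# in this thread (truncated "..." URLs kept exactly as they were posted).
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O23 - Service: <display name> - <publisher> - <path> [(file missing)]
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.*?) - (?P<path>.+)$")
# O16 - DPF: {CLSID} (<control name>) - <download URL>
O16_RE = re.compile(r"^DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\}) \((?P<name>[^)]*)\) - (?P<url>.+)$")
# O4 - Global Startup: <shortcut> = <target or ?>
GLOBAL_STARTUP_RE = re.compile(r"^Global Startup: (?P<link>.+?) = (?P<target>.*)$")


@dataclass(frozen=True)
class Entry:
    section: str   # e.g. "O23"
    body: str      # everything after "O23 - "


@dataclass(frozen=True)
class Finding:
    section: str
    subject: str
    reason: str


def parse_hjt(text):
    """Split a HijackThis log into (section, body) entries; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Heuristics of this example (assumed, not HijackThis's own rules): entries a
    helper would want to look at first. A finding is a lead, not a verdict."""
    findings = []
    for e in entries:
        if e.section == "O23":
            m = O23_RE.match(e.body)
            if not m:
                continue
            if m["path"].endswith("(file missing)"):
                findings.append(Finding("O23", m["name"],
                    "service registration whose binary is gone: leftover of a removed product, or of a cleaned-up payload"))
            elif m["owner"] in ("", "Unknown owner"):
                findings.append(Finding("O23", m["name"],
                    "service binary carries no recognised publisher; check the file's signature and hash"))
        elif e.section == "O16":
            m = O16_RE.match(e.body)
            if m and m["url"].lower().startswith("http://"):
                findings.append(Finding("O16", m["name"],
                    "ActiveX control fetched over plain HTTP; the CAB can be swapped in transit"))
        elif e.section == "O4":
            m = GLOBAL_STARTUP_RE.match(e.body)
            if m and m["target"] == "?":
                findings.append(Finding("O4", m["link"],
                    "all-users startup shortcut whose target HijackThis could not resolve"))
    return findings


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.section}: {f.subject}: {f.reason}")
```

On the sample above the script reports the unresolved Exif Launcher shortcut, the Facebook uploader control served over HTTP, the AOL service whose file is missing and the CyberLink service with no publisher; the Symantec, AOL LLC and LogMeIn (HTTPS) entries pass untouched.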

Re: Computer infected with Metajuan trojan horse.

Unread postby Bio-Hazard » September 3rd, 2009, 4:30 am

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

Code:
Folder::
c:\documents and settings\Amy\Application Data\uTorrent

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[-HKEY_CLASSES_ROOT\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}]



  • Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)
  • Referring to the picture below, drag CFScript into ComboFix.exe
  • When finished, it shall produce a log for you at C:\ComboFix.txt

NOTE: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.




ATF-Cleaner

Please download ATF Cleaner by Atribune.

  • Save it to your desktop
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.

    NOTE: If you would like to keep your saved passwords please click No at the prompt.
  • Click Exit on the Main menu to close the program.



Kaspersky Online Scan

You can use either Internet Explorer or Mozilla Firefox for this scan.

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

  • Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
  • Click on My Computer under Scan.
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Please post this log in your next reply along with a fresh HijackThis log.



Uninstall list

Make an uninstall list using HijackThis. To access the Uninstall Manager you would do the following:

  • Start HijackThis
  • Click on the Config button
  • Click on the Misc Tools button
  • Click on the Open Uninstall Manager button.
  • Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.



Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • HijackThis uninstall list
  • ComboFix log (found at C:\Combofix.txt)
  • Kaspersky Log
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
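An added example, not ComboFix's code and not part of the thread: a Python dry-run parser for the CFScript posted above. ComboFix's Registry:: section follows Regedit .reg conventions, where `[KEY]` selects a key, `"name"=-` deletes that value under it and `[-KEY]` deletes the whole key, so the script above removes uTorrent's Windows Firewall exception (the value under AuthorizedApplications\List), the uTorrent profile folder, and a Browser Helper Object together with its COM class, both identified by the same CLSID. The parser only lists what the script would do; it touches nothing. The `HKLM\~\...` shorthand is left as written (the script's own notation, not expanded here), and the pairing check in `bho_removals` is this example's idea, not a ComboFix feature.

```python
import re

# Constructed input: the CFScript from the post above, copied verbatim.
CFSCRIPT = r"""Folder::
c:\documents and settings\Amy\Application Data\uTorrent

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]

[-HKEY_CLASSES_ROOT\CLSID\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::$")          # Folder:: / Registry:: headers
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                # [KEY] selects, [-KEY] deletes
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')  # "name"=data, data "-" means delete
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")


def unescape_reg(s):
    """.reg syntax escapes backslashes and quotes inside names with a backslash."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_cfscript(text):
    """Turn a CFScript into (action, target, detail) tuples; nothing is executed."""
    actions, section, current_key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, current_key = m.group(1).lower(), None
            continue
        if section == "folder":
            actions.append(("delete_folder", line, None))
        elif section == "registry":
            m = KEY_RE.match(line)
            if m:
                if m.group(1) == "-":          # [-KEY]: remove the key and all subkeys
                    actions.append(("delete_key", m.group(2), None))
                    current_key = None
                else:                          # [KEY]: value lines below apply to it
                    current_key = m.group(2)
                continue
            m = VALUE_RE.match(line)
            if m and current_key is not None:
                name, data = unescape_reg(m.group(1)), m.group(2)
                if data == "-":                # "name"=-  removes that value
                    actions.append(("delete_value", current_key, name))
                else:
                    actions.append(("set_value", current_key, (name, data)))
    return actions


def bho_removals(actions):
    """A BHO is gone only when both its Browser Helper Objects registration and its
    CLSID class under HKEY_CLASSES_ROOT are deleted; pair the two by CLSID."""
    registrations, classes = set(), set()
    for kind, target, _ in actions:
        if kind != "delete_key":
            continue
        m = CLSID_RE.search(target)
        if not m:
            continue
        if "\\browser helper objects\\" in target.lower():
            registrations.add(m.group().upper())
        elif target.upper().startswith("HKEY_CLASSES_ROOT\\CLSID\\"):
            classes.add(m.group().upper())
    return {
        "complete": registrations & classes,
        "registration_only": registrations - classes,
        "class_only": classes - registrations,
    }


def describe(actions):
    """Human-readable dry-run plan, one line per action."""
    out = []
    for kind, target, detail in actions:
        if kind == "delete_folder":
            out.append(f"remove folder tree {target}")
        elif kind == "delete_key":
            out.append(f"delete key {target} (and all subkeys)")
        elif kind == "delete_value":
            out.append(f"delete value {detail!r} under {target}")
        else:
            out.append(f"set value {detail[0]!r} under {target}")
    return out


if __name__ == "__main__":
    plan = parse_cfscript(CFSCRIPT)
    print("\n".join(describe(plan)))
    print("BHOs fully removed:", sorted(bho_removals(plan)["complete"]))
```

Reading the script this way before dragging it onto ComboFix shows exactly the four changes it makes, and the pairing check catches the common mistake of deleting a BHO's registration while leaving its CLSID class behind (or the reverse), which is why the script lists the same GUID under both hives.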

Re: Computer infected with Metajuan trojan horse.

Unread postby johnnycolumbia » September 6th, 2009, 7:16 am

HijackThis Uninstall list:

Acrobat.com
Acrobat.com
Adobe AIR
Adobe Flash Player 10 ActiveX
Adobe Flash Player 10 Plugin
Adobe Reader 9
Adobe Shockwave Player 11.5
AoA Audio Extractor 1.0
AOL Uninstaller (Choose which Products to Remove)
Apple Software Update
AudibleManager
Avanquest update
CardRd81
CCScore
CDisplay 1.8
Celtx (1.0)
CR2
Creative Jukebox Driver
Creative MediaSource 5
Creative Removable Disk Manager
Creative System Information
Creative ZEN V Series (R2)
CueClub
deskPDF 2.5 Professional Edition
Disc2Phone
Docudesk GPL Ghostscript 8.15
ESSBrwr
ESSCDBK
ESScore
ESSCT
ESSEMAIL
ESSgui
ESShelp
ESSini
ESSPCD
ESSPDock
ESSSONIC
ESSTOOLS
ESSTUTOR
essvcpt
ESSvpaht
ESSvpot
FM Modifier 2.0
football365.com
football365.com (remove only)
FUJIFILM FinePixViewer S Ver.2.1
Google Earth
Google Updater
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 2.0.2
HLPIndex
HLPPDOCK
HLPSFO
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB958484)
Hotfix for Windows XP (KB970653-v3)
J2SE Runtime Environment 5.0 Update 3
Kodak EasyShare software
KSU
Learn2 Player (Uninstall Only)
Lexmark 2400 Series
Lexmark Fax Solutions
Lexmark Toolbar
LiveUpdate 3.0 (Symantec Corporation)
Lovefilm Download Manager
Macromedia Shockwave Player
Metacafe
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 3.5 SP1
Microsoft ActiveSync
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (3.5.2)
MP3 Player Recovery Tool
MS Access 97 SP2
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 (KB954430)
MSXML 6 Service Pack 2 (KB954459)
Music Manager
Napster
Napster Burn Engine
NetWaiting
Norton AntiVirus
Notifier
OfotoXMI
OTtBP
OTtBPSDK
QuickTime
Realtek AC'97 Audio
Respiratory Therapeutics
RPS CRT
Security Update for CAPICOM (KB931906)
SFR
SHASTA
Shockwave
SiS VGA Utilities
SiSAGP driver
SKIN0001
SKINXSDK
Sonic RecordNow!
Sonic Update Manager
Sony Ericsson Media Manager 1.1
Sony Ericsson PC Suite 4.010.00
SpeedTouch USB Software
Spotify
Symantec Technical Support Web Controls
The Simpsons Hit & Run(TM)
Update for Microsoft .NET Framework 3.5 SP1 (KB963707)
Update for Windows XP (KB968389)
Update Service
VideoLAN VLC media player 0.8.5
Viewpoint Media Player
Virgin Broadband advisor 1.5.24
VPRINTOL
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Imaging Component
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Mobile® Device Handbook
Windows XP Service Pack 3
WinRAR archiver
WIRELESS
WMA To Wav Converter version 1.0
ZENcast Organizer
Zoom V92 USB Faxmodem



Combofix log:
ComboFix 09-09-03.02 - Amy 04/09/2009 17:26.2.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1246.627 [GMT 1:00]
Running from: c:\documents and settings\Amy\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Amy\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Amy\Application Data\uTorrent
c:\documents and settings\Amy\Application Data\uTorrent\[TNT Village] Discografia Oasis.torrent
c:\documents and settings\Amy\Application Data\uTorrent\077 Playboy Naughty Amature Home Videos DVDRip Divx.torrent
c:\documents and settings\Amy\Application Data\uTorrent\1995 - Saturday Night Armistice.torrent
c:\documents and settings\Amy\Application Data\uTorrent\1998 - Friday Night Armistice.torrent
c:\documents and settings\Amy\Application Data\uTorrent\All.About.Anna.2005.DVDRip.XviD.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Bare.Behind.Bars.1980.DVDRip.XviD.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Bare.Naked.Survivor.2001.DVDRip.XviD-FiCO.[www.FilmsBT.com].torrent
c:\documents and settings\Amy\Application Data\uTorrent\Belle.Epoque.The.Age.of.Beauty.1992.DVDRip.XviD.ENG.PtBR.Subtitles.by.espantalho.torrent
c:\documents and settings\Amy\Application Data\uTorrent\BlackAdder Britains Best Sitcom.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Britain's Best Sitcom - Yes Minister.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Buffy Comics Season 8 #1-26.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Bug.DvDRip.Eng.Ac3-FxM.torrent
c:\documents and settings\Amy\Application Data\uTorrent\celeb.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Charlie Brooker's Screen Wipe - A Very Screenwipe Christmas (21st December 2006) [PDTV (XviD)].avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Charlie Brooker's Screenwipe - Series 4 (2008) [WS.PDTV(XviD)].torrent
c:\documents and settings\Amy\Application Data\uTorrent\Clara Morgane.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Cue Club snooker, pool best game fully patched full version by (alizee).exe.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Devil in the Flesh (1986) [DvdRip] [Uncut] [Xvid] {1337x}-Noir.torrent
c:\documents and settings\Amy\Application Data\uTorrent\dht.dat
c:\documents and settings\Amy\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Amy\Application Data\uTorrent\Election Night Armistice - complete.1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Election Night Armistice - complete.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Emmanuelle - First Contact.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Fahrenheit 9-11 (2004).torrent
c:\documents and settings\Amy\Application Data\uTorrent\Fawlty Towers britains best sitcom.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Flight of the Conchords - Season 1.1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Flight of the Conchords - Season 1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Good.Bye.Emmanuelle.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Grand Prix (1966) Frankenheimer [ENG] [VHS RIP MULTI XVID 224 MP3].torrent
c:\documents and settings\Amy\Application Data\uTorrent\History Of The Championship[2007][Eng][WWE][Dvdrip]-Titan.torrent
c:\documents and settings\Amy\Application Data\uTorrent\How I Met Your Mother - Season 4.torrent
c:\documents and settings\Amy\Application Data\uTorrent\How I Met Your Mother [4x24] (XviD asd) EnglishV+NapisyPL - www.xvidasd.com.torrent
c:\documents and settings\Amy\Application Data\uTorrent\How I Met Your Mother Complete Season 4.torrent
c:\documents and settings\Amy\Application Data\uTorrent\How I Met Your Mother S04E20 XviD VOSTFR --Antoine 4011--.avi.1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\How I Met Your Mother S04E20 XviD VOSTFR --Antoine 4011--.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\How I Met Your Mother S04E21.torrent
c:\documents and settings\Amy\Application Data\uTorrent\How I Met Your Mother S04E24 XviD VOSTFR --Reda Kenzouza--.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\How I Met Your Mother Seasons 1-4.1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\How I Met Your Mother Seasons 1-4.2.torrent
c:\documents and settings\Amy\Application Data\uTorrent\How I Met Your Mother Seasons 1-4.3.torrent
c:\documents and settings\Amy\Application Data\uTorrent\How I Met Your Mother Seasons 1-4.4.torrent
c:\documents and settings\Amy\Application Data\uTorrent\How I Met Your Mother Seasons 1-4.5.torrent
c:\documents and settings\Amy\Application Data\uTorrent\How I Met Your Mother Seasons 1-4.torrent
c:\documents and settings\Amy\Application Data\uTorrent\how.i.met.your.mother.423.hdtv-lol.avi.1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\how.i.met.your.mother.423.hdtv-lol.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\how.i.met.your.mother.424.hdtv-lol.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\How.I.Met.Your.Mother.S04E22.HDTV.XviD-LOL.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\how.i.met.your.mother.s4e24.hdtv-lol-BTARENA.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\how.i.met.your.mother.s4e24.hdtv-lol-BTARENA.avi.torrent.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Ilsa_Exploitation_Trilogy (xvid110-sickboy88).torrent
c:\documents and settings\Amy\Application Data\uTorrent\Immoral Tales (1974) Dvdrip.torrent
c:\documents and settings\Amy\Application Data\uTorrent\JJ72.1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\JJ72.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Joy.Division.2007.DVDRiP.XViD-DOCUMENT.torrent
c:\documents and settings\Amy\Application Data\uTorrent\La Bete (Aka The Beast) Uncut - Fra 1975.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Le Mans - 1971 - Steve McQueen.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Lee.Mack.Live.2008.STV.DVDRiP.XviD-SLi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Les.Anges.Exterminateurs.FS.FRENCH.DVDRip.XviD.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Manic Street Preachers - Journal for Plague Lovers (2009).torrent
c:\documents and settings\Amy\Application Data\uTorrent\Manon Des Sources 1986 Jean de florette 2nd part.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\monarch.of.the.glen.entire.series.dvdrip.1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\monarch.of.the.glen.entire.series.dvdrip.2.torrent
c:\documents and settings\Amy\Application Data\uTorrent\monarch.of.the.glen.entire.series.dvdrip.3.torrent
c:\documents and settings\Amy\Application Data\uTorrent\monarch.of.the.glen.entire.series.dvdrip.4.torrent
c:\documents and settings\Amy\Application Data\uTorrent\monarch.of.the.glen.entire.series.dvdrip.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Mylene.Farmer.-.L'Amour.n'est.rien.(2006).DVDRip.XviD-Leon166.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Only Fools And Horses Britains Best Sitcom.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Playboy-Best Of Naughty Amateur Home Videos(Filmy-Erotyczne Int Pl).mpg.torrent
c:\documents and settings\Amy\Application Data\uTorrent\PlayBoy-Hot.Lips.Hot.Legs.DvDrip-aXXo-[LMD-T34M][wWw.LiMiTeDiVx.CoM].torrent
c:\documents and settings\Amy\Application Data\uTorrent\Playboy - Tales Of Erotic Fantasies.mpg.1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Playboy - Tales Of Erotic Fantasies.mpg.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Playboy Cyber Girls.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Playboy Girls In Uniform.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Playboy Playmate Calendar 2009 DVDr-sailo1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Playboy.50.Years.of.Playmates.2004.DVDRip.Xvid.synek.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Playboy.Playmate.Video.Calendar.2009.DVDRip.XVID-BTARENA.org.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Playboy_Playmates_in_bed.2002.DVDrip.Xvid.synek.avi.1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Playboy_Playmates_in_bed.2002.DVDrip.Xvid.synek.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Playboy_Wet_and_Wild_Complete.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Playboys.Nude.Celebrities.2007 DVDrip.x264-sailo1.mkv.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Red Shoe Diaries.torrent
c:\documents and settings\Amy\Application Data\uTorrent\resume.dat
c:\documents and settings\Amy\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Amy\Application Data\uTorrent\Ronnie Barker.torrent
c:\documents and settings\Amy\Application Data\uTorrent\rss.dat
c:\documents and settings\Amy\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Amy\Application Data\uTorrent\Satan's School for Lust (2002, misty mundae, darian caine, dvd rip)-Xvid-SV-T3.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Saturday and Friday Night Armistice Specials.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Scrubs.S08E13.HDTV.XviD-2HD.[VTV].avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Scrubs.S08E14.HDTV.XviD-2HD.[VTV].avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Scrubs.S08E15.HDTV.XviD-0TV.[VTV].avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Scrubs.S08E16.HDTV.XviD-0TV.[VTV].avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Scrubs.S08E17.My.Chief.Concern.HDTV.XviD-FQM.[VTV].avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Scrubs.S08E18.HDTV.XviD-NoTV.[VTV].avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\settings.dat
c:\documents and settings\Amy\Application Data\uTorrent\settings.dat.old
c:\documents and settings\Amy\Application Data\uTorrent\The Antichrist.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\The Greatest Snooker Final Of All Time Taylor V Davis 1985 [DVDRip (XviD)] .avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\The Last House On the Left(1972)dvdrip(xvid).torrent
c:\documents and settings\Amy\Application Data\uTorrent\The Mary Whitehouse Experience (seasons 1 and 2) tv show.1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\The Mary Whitehouse Experience (seasons 1 and 2) tv show.torrent
c:\documents and settings\Amy\Application Data\uTorrent\The Mary Whitehouse Experience Series 2.torrent
c:\documents and settings\Amy\Application Data\uTorrent\The Wire Season 1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\The X Files I Want to Believe.[2008].R5.DVDRIP.XVID[Eng]-DUQA.torrent
c:\documents and settings\Amy\Application Data\uTorrent\The.Big.Bang.Theory.S02E20.HDTV.XviD-VAiN.avi.1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\The.Big.Bang.Theory.S02E20.HDTV.XviD-VAiN.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\The.Big.Bang.Theory.S02E21.HDTV.XviD-DOT.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\The.Big.Bang.Theory.S02E22.HDTV.XviD-0TV.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\The.Big.Bang.Theory.S02E23.HDTV.XviD-NoTV.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\The.IT.Crowd Season 1and 2.1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\The.IT.Crowd Season 1and 2.torrent
c:\documents and settings\Amy\Application Data\uTorrent\The.Seduction.Of.Misty.Mundae.2004.DVDRip.DivX-iMAGiCA.torrent
c:\documents and settings\Amy\Application Data\uTorrent\TheMightyBoosh.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Top Gear - [10x04] - Botswana Special DVD.avi.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Torchwood - Series 2 - Complete [BBC Two] [Xvid].torrent
c:\documents and settings\Amy\Application Data\uTorrent\Torchwood Season 1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Travis - Singles 320Kbps.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Travis - The Boy With No Name [2007][CD+SkidVid+Cov].torrent
c:\documents and settings\Amy\Application Data\uTorrent\Vampyres.torrent
c:\documents and settings\Amy\Application Data\uTorrent\WRESTLEMANIA Anthology.torrent
c:\documents and settings\Amy\Application Data\uTorrent\WWE.Raw.08.31.09.DSR.XviD-XWT.torrent
c:\documents and settings\Amy\Application Data\uTorrent\WWE.Summerslam.2009.DSR.XviD-XWT.torrent
c:\documents and settings\Amy\Application Data\uTorrent\WWE.The.History.Of.The.WWE.Championship.DVDRip.XviD-XWT.1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\WWE.The.History.Of.The.WWE.Championship.DVDRip.XviD-XWT.torrent
c:\documents and settings\Amy\Application Data\uTorrent\WWE.Wrestlemania.XXV.DSR.XviD-XWT.1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\WWE.Wrestlemania.XXV.DSR.XviD-XWT.2.torrent
c:\documents and settings\Amy\Application Data\uTorrent\WWE.Wrestlemania.XXV.DSR.XviD-XWT.torrent
c:\documents and settings\Amy\Application Data\uTorrent\WWE_WWF Themes.torrent
c:\documents and settings\Amy\Application Data\uTorrent\You're Welcome America.avi.torrent

.
((((((((((((((((((((((((( Files Created from 2009-08-04 to 2009-09-04 )))))))))))))))))))))))))))))))
.

2009-08-26 19:11 . 2009-08-26 19:11 -------- d-----w- c:\program files\Trend Micro
2009-08-24 21:49 . 2009-08-24 21:49 -------- d-----w- c:\documents and settings\Amy\Application Data\Creative
2009-08-18 20:18 . 2009-08-18 20:18 -------- d-----w- c:\program files\Norton Support
2009-08-18 20:18 . 2009-08-18 20:18 -------- d-----w- c:\documents and settings\Amy\Local Settings\Application Data\Symantec
2009-08-18 20:08 . 2009-08-18 20:08 35888 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-08-18 20:08 . 2009-08-18 20:08 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-18 20:08 . 2009-08-18 20:08 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-18 20:07 . 2009-08-18 20:07 -------- d-----w- c:\windows\system32\drivers\NAV
2009-08-18 20:07 . 2009-08-18 20:07 -------- d-----w- c:\program files\Norton AntiVirus
2009-08-18 20:07 . 2009-08-18 20:07 -------- d-----w- c:\program files\Windows Sidebar
2009-08-18 19:58 . 2009-08-18 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-18 19:58 . 2009-08-18 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-18 19:58 . 2009-08-18 19:58 -------- d-----w- c:\program files\NortonInstaller
2009-08-18 19:02 . 2009-08-18 19:02 -------- d-sh--w- c:\documents and settings\Maffu\PrivacIE
2009-08-18 19:02 . 2009-08-18 19:02 -------- d-sh--w- c:\documents and settings\Maffu\IETldCache
2009-08-18 13:18 . 2009-08-18 18:51 -------- d-----w- c:\program files\techguysctss
2009-08-17 22:28 . 2009-08-17 22:28 -------- d-----w- c:\documents and settings\Amy\Local Settings\Application Data\Google
2009-08-11 19:10 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 14:02 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-08-10 13:50 . 2009-08-10 13:50 -------- d-----w- c:\windows\system32\scripting
2009-08-10 13:50 . 2009-08-10 13:50 -------- d-----w- c:\windows\system32\en
2009-08-10 13:50 . 2009-08-10 13:50 -------- d-----w- c:\windows\system32\bits
2009-08-10 13:48 . 2009-08-10 13:48 -------- d-----w- c:\windows\ServicePackFiles
2009-08-10 13:43 . 2009-08-10 13:43 -------- d-----w- c:\windows\EHome
2009-08-10 12:32 . 2008-04-13 18:40 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2009-08-10 12:31 . 2004-08-03 21:41 1309184 ------w- c:\windows\system32\drivers\mtlstrm.sys
2009-08-10 12:30 . 2008-04-14 00:11 15423 ------w- c:\windows\system32\drivers\ch7xxnt5.dll
2009-08-09 16:54 . 2009-08-09 16:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-09 16:40 . 2009-08-09 16:40 -------- d-sh--w- c:\documents and settings\Amy\IECompatCache
2009-08-09 16:38 . 2009-08-09 16:38 -------- d-sh--w- c:\documents and settings\Amy\PrivacIE
2009-08-09 16:38 . 2009-08-09 16:38 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-09 16:37 . 2009-08-09 16:37 -------- d-sh--w- c:\documents and settings\Amy\IETldCache
2009-08-09 16:36 . 2009-08-09 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-08-09 16:34 . 2009-08-09 16:34 -------- d-----w- c:\windows\ie8updates
2009-08-09 16:33 . 2009-08-09 16:33 -------- dc-h--w- c:\windows\ie8
2009-08-09 16:29 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-08-09 16:29 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-09 16:29 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-08-09 14:05 . 2009-08-09 14:15 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-08-09 14:05 . 2009-08-09 14:15 16160 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-09 14:05 . 2009-08-09 14:14 -------- d-----w- c:\documents and settings\Gamer\Application Data\Virgin Broadband
2009-08-09 13:44 . 2009-08-10 13:50 -------- d-----w- c:\windows\l2schemas
2009-08-09 13:43 . 2008-04-14 00:12 69120 ------w- c:\windows\system32\wlanapi.dll
2009-08-09 11:05 . 2009-08-09 11:05 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-09 11:05 . 2009-08-09 11:05 -------- d-----w- c:\program files\MSBuild
2009-08-09 11:05 . 2009-08-09 11:05 -------- d-----w- c:\program files\Reference Assemblies
2009-08-09 11:05 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-09 11:05 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-09 11:05 . 2009-08-09 11:05 -------- d-----w- C:\1fd7176ac590664ec748c9d83e4342aa
2009-08-09 11:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-09 11:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-09 11:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-09 11:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-09 11:05 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-09 11:00 . 2009-08-09 11:00 -------- d-----w- c:\program files\MSXML 6.0
2009-08-09 11:00 . 2009-08-09 11:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-09 10:44 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-08-09 10:42 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-08-09 10:42 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-08-09 10:42 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-04 16:33 . 2007-09-30 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-09-04 15:35 . 2008-08-28 15:39 -------- d-----w- c:\program files\Common Files\Akamai
2009-09-03 21:40 . 2008-09-07 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-03 07:36 . 2006-12-11 21:26 -------- d-----w- c:\program files\lx_cats
2009-09-01 14:22 . 2009-06-07 23:35 -------- d-----w- c:\documents and settings\Amy\Application Data\Spotify
2009-09-01 14:02 . 2008-12-02 23:59 -------- d-----w- c:\program files\Celtx
2009-08-18 20:11 . 2006-01-16 03:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-18 20:09 . 2006-01-16 03:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-18 20:08 . 2009-08-18 20:08 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-18 20:08 . 2009-08-18 20:08 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-18 20:08 . 2006-01-16 03:34 -------- d-----w- c:\program files\Symantec
2009-08-18 18:53 . 2008-08-03 17:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-14 02:21 . 2006-04-23 15:04 32176 ----a-w- c:\documents and settings\Amy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-10 14:00 . 2007-09-30 20:07 -------- d-----w- c:\program files\Kontiki
2009-08-10 12:38 . 2006-04-23 22:19 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-08-10 12:37 . 2009-01-22 17:18 -------- d-----w- c:\program files\Microsoft Works
2009-08-09 14:15 . 2009-08-09 14:05 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-08-09 14:15 . 2009-08-09 14:05 1292 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-09 14:14 . 2009-04-06 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Virgin Broadband
2009-08-09 14:14 . 2009-04-06 13:22 -------- d-----w- c:\program files\Virgin Broadband
2009-08-09 13:39 . 2006-01-16 03:34 -------- d-----w- c:\program files\InstallShield Installation Information
2009-08-09 13:30 . 2006-01-16 03:34 -------- d-----w- c:\program files\Common Files\Real
2009-08-09 12:54 . 2009-02-07 14:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-05 09:01 . 2003-01-03 03:52 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2003-01-03 03:52 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2003-01-03 03:53 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2003-01-03 03:53 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2003-01-03 03:53 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2003-01-03 03:53 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2003-01-03 03:53 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2003-01-03 03:52 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2003-01-03 03:52 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2003-01-03 03:52 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2003-01-03 03:52 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2003-01-03 03:53 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2003-01-03 03:52 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2003-01-03 03:53 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2003-01-03 03:52 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2003-01-03 05:05 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2003-01-03 03:53 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-11-27 1032376]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-19 286720]
"NapsterShell"="c:\program files\Napster\napster.exe" [2009-02-03 323216]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2009-6-30 303104]
Metacafe.lnk - c:\program files\Metacafe\MetacafeAgent.exe [2008-6-29 145736]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.CHIP^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Administrator.CHIP\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\APPS\\Powercinema\\PowerCinema.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"2233:TCP"= 2233:TCP:Akamai NetSession Interface
"1178:TCP"= 1178:TCP:Akamai NetSession Interface
"4904:TCP"= 4904:TCP:Akamai NetSession Interface
"1099:TCP"= 1099:TCP:Akamai NetSession Interface
"1151:TCP"= 1151:TCP:Akamai NetSession Interface
"2643:TCP"= 2643:TCP:Akamai NetSession Interface
"4295:TCP"= 4295:TCP:Akamai NetSession Interface
"1237:TCP"= 1237:TCP:Akamai NetSession Interface
"1069:TCP"= 1069:TCP:Akamai NetSession Interface
"1089:TCP"= 1089:TCP:Akamai NetSession Interface
"1057:TCP"= 1057:TCP:Akamai NetSession Interface
"1065:TCP"= 1065:TCP:Akamai NetSession Interface
"2348:TCP"= 2348:TCP:Akamai NetSession Interface
"2359:TCP"= 2359:TCP:Akamai NetSession Interface
"1284:TCP"= 1284:TCP:Akamai NetSession Interface
"3732:TCP"= 3732:TCP:Akamai NetSession Interface
"1064:TCP"= 1064:TCP:Akamai NetSession Interface
"1075:TCP"= 1075:TCP:Akamai NetSession Interface
"3522:TCP"= 3522:TCP:Akamai NetSession Interface
"1918:TCP"= 1918:TCP:Akamai NetSession Interface
"1061:TCP"= 1061:TCP:Akamai NetSession Interface
"1937:TCP"= 1937:TCP:Akamai NetSession Interface
"3513:TCP"= 3513:TCP:Akamai NetSession Interface
"3515:TCP"= 3515:TCP:Akamai NetSession Interface
"4343:TCP"= 4343:TCP:Akamai NetSession Interface
"4394:TCP"= 4394:TCP:Akamai NetSession Interface
"1611:TCP"= 1611:TCP:Akamai NetSession Interface
"2028:TCP"= 2028:TCP:Akamai NetSession Interface
"3221:TCP"= 3221:TCP:Akamai NetSession Interface
"3065:TCP"= 3065:TCP:Akamai NetSession Interface
"1414:TCP"= 1414:TCP:Akamai NetSession Interface
"1670:TCP"= 1670:TCP:Akamai NetSession Interface
"2424:TCP"= 2424:TCP:Akamai NetSession Interface
"2437:TCP"= 2437:TCP:Akamai NetSession Interface
"3599:TCP"= 3599:TCP:Akamai NetSession Interface
"2351:TCP"= 2351:TCP:Akamai NetSession Interface
"3490:TCP"= 3490:TCP:Akamai NetSession Interface
"2995:TCP"= 2995:TCP:Akamai NetSession Interface
"3006:TCP"= 3006:TCP:Akamai NetSession Interface
"4645:TCP"= 4645:TCP:Akamai NetSession Interface
"3112:TCP"= 3112:TCP:Akamai NetSession Interface
"4206:TCP"= 4206:TCP:Akamai NetSession Interface
"4573:TCP"= 4573:TCP:Akamai NetSession Interface
"2458:TCP"= 2458:TCP:Akamai NetSession Interface
"1651:TCP"= 1651:TCP:Akamai NetSession Interface
"1723:TCP"= 1723:TCP:Akamai NetSession Interface
"4146:TCP"= 4146:TCP:Akamai NetSession Interface
"3255:TCP"= 3255:TCP:Akamai NetSession Interface
"3359:TCP"= 3359:TCP:Akamai NetSession Interface
"3376:TCP"= 3376:TCP:Akamai NetSession Interface
"3755:TCP"= 3755:TCP:Akamai NetSession Interface
"4607:TCP"= 4607:TCP:Akamai NetSession Interface
"2632:TCP"= 2632:TCP:Akamai NetSession Interface
"3026:TCP"= 3026:TCP:Akamai NetSession Interface
"2659:TCP"= 2659:TCP:Akamai NetSession Interface
"3944:TCP"= 3944:TCP:Akamai NetSession Interface
"2038:TCP"= 2038:TCP:Akamai NetSession Interface

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1000000.07D\SymEFA.sys [18/08/2009 21:08 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [18/08/2009 21:08 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1000000.07D\ccHPx86.sys [18/08/2009 21:08 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090810.001\IDSXpx86.sys [18/08/2009 21:11 276344]
R2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [03/01/2003 04:53 14336]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe [18/08/2009 21:08 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [30/08/2009 03:15 102448]
S2 LXCRCustomerConnect;LXCRCustomerConnect;c:\windows\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe --> c:\windows\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe [?]
S3 acfva;acfva;c:\windows\system32\DRIVERS\acfva.sys --> c:\windows\system32\DRIVERS\acfva.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [15/04/2008 14:49 16512]
S3 HSFHWCD2;HSFHWCD2;c:\windows\system32\drivers\HSFHWCD2.sys [23/04/2006 16:18 201728]
S3 nenum13E;nenum13E;\??\c:\docume~1\Maffu\LOCALS~1\Temp\nenum13E.sys --> c:\docume~1\Maffu\LOCALS~1\Temp\nenum13E.sys [?]
S3 s3117bus;Sony Ericsson Device 3117 driver (WDM);c:\windows\system32\drivers\s3117bus.sys [13/02/2009 21:05 90408]
S3 s3117mdfl;Sony Ericsson Device 3117 USB WMC Modem Filter;c:\windows\system32\drivers\s3117mdfl.sys [13/02/2009 21:05 15016]
S3 s3117mdm;Sony Ericsson Device 3117 USB WMC Modem Driver;c:\windows\system32\drivers\s3117mdm.sys [13/02/2009 21:05 122024]
S3 s3117mgmt;Sony Ericsson Device 3117 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3117mgmt.sys [13/02/2009 21:05 115368]
S3 s3117nd5;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (NDIS);c:\windows\system32\drivers\s3117nd5.sys [13/02/2009 21:05 25768]
S3 s3117obex;Sony Ericsson Device 3117 USB WMC OBEX Interface;c:\windows\system32\drivers\s3117obex.sys [13/02/2009 21:05 111784]
S3 s3117unic;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (WDM);c:\windows\system32\drivers\s3117unic.sys [13/02/2009 21:05 117544]

--- Other Services/Drivers In Memory ---

*Deregistered* - VolumeFilter

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-09-04 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-07 13:40]

2009-09-04 c:\windows\Tasks\HDReg.job
- c:\apps\HDReg\HDRegRem.exe [2003-01-06 18:14]

2009-09-04 c:\windows\Tasks\Norton AntiVirus - Amy - Full System Scan.job
- c:\program files\Norton AntiVirus\Engine\16.0.0.125\Navw32.exe [2009-08-18 20:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com/
uInternet Connection Wizard,ShellNext = hxxp://www.pjonline.com/Editorial/20060 ... stion.html
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Amy\Application Data\Mozilla\Firefox\Profiles\9a55r9c6.default\
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/sear ... -web_uk&p=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-04 17:34
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-326614594-1740654645-2243009310-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-09-04 17:37
ComboFix-quarantined-files.txt 2009-09-04 16:37
ComboFix2.txt 2009-09-03 07:40

Pre-Run: 4,688,367,616 bytes free
Post-Run: 4,645,072,896 bytes free

Current=9 Default=9 Failed=8 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
436 --- E O F --- 2009-08-30 15:56



*Kaspersky didn't produce a log as it didn't detect any threats during the scan.*



HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:30, on 06/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Kontiki\KHost.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pjonline.com/Editorial/20060 ... stion.html
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_03\bin\npjpi150_03.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5208034546
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LXCRCustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe (file missing)
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8579 bytes



At the moment the computer is still running a bit slower than normal and Norton is still regularly warning me that it has detected 'Trojan.Metajuan' but is unable to remove it. Whenever I open I.E. a message comes up saying that the last session ended unexpectedly (even if that isn't the case) and if I choose to resume the previous session rather than go to the home page lots of pop-ups appear on the screen.
johnnycolumbia
Regular Member
 
Posts: 18
Joined: August 18th, 2009, 7:21 pm

Re: Computer infected with Metajuan trojan horse.

Unread postby Bio-Hazard » September 6th, 2009, 8:25 am

Hello!


Can you tell me the file and the filepath what Norton is showing?

Download HostsXpert and unzip it to your computer, somewhere where you can find it.
  • Double click on HostsXpert.exe to launch the programme.
  • Check to see if the top button on the left hand side says Make Writable?
    • If it does, click on it, then proceed to the next instruction.
    • If not, just proceed to the next instruction.
  • Click on Restore MS Hosts File to restore your Hosts file to its default condition.
  • When prompted to confirm, click OK.
  • Click on the Download button (lower left hand side)
    • Click on MVPs Hosts... button.
    • Click on Replace button.
    • Press OK in the box that pops up. (HostsXpert will now download and update your Hosts file)
  • When finished.
    • Click on File Handling button.
    • Click on Make Read Only ? to secure it against infection.
  • Exit the programme.

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and press Enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

Code:
Driver::
nenum13E

File::
c:\docume~1\Maffu\LOCALS~1\Temp\nenum13E.sys


  • Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)

    Image
  • Referring to the picture below, drag CFScript into ComboFix.exe

    Image
  • When finished, it shall produce a log for you at C:\ComboFix.txt

NOTE: Do not mouseclick ComboFix's window whilst it's running. That may cause it to stall.



Update Java Runtime and Run JavaRa

    Download Java Runtime
  • Go to HERE to download Java Runtime Environment Version 6 Update 16
  • Click on the link named Java Runtime Environment (JRE) 6 Update 16
  • Click on the radio button to Accept License Agreement
  • Click on Windows Offline Installation Multi-language and save the downloaded file to your desktop

    Run JavaRa
  • Please download JavaRa and unzip it to your desktop.
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location.

    Install Java
  • Install the new version of Java by running the newly-downloaded file (jre-6u16-windows-i586-p.exe) with the Java icon, which will be on your desktop, and follow the on-screen instructions.
  • Reboot your computer



Optional Fix

I see that Viewpoint is installed. Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player's components. You can disable this using the Viewpoint Manager Control Panel found in the Windows Control Panel menu. By selecting Disable auto-updating for the Viewpoint Manager -- the player will no longer attempt to check for updates. Anything that is installed without your consent is suspect. Read what Viewpoint says and make your own decision.
To provide a satisfying consumer experience and to operate effectively, the Viewpoint Media Player periodically sends information to servers at Viewpoint. Each installation of the Viewpoint Media Player is identifiable to Viewpoint via a Customer Unique Identifier (CUID), an alphanumeric identifier embedded in the Viewpoint Media Player. The Viewpoint Media Player randomly generates the CUID during installation and uses it to indicate a unique installation of the product. A CUID is never connected to a user's name, email address, or other personal contact information. CUIDs are used for the sole purpose of filtering redundant information. Each of these information exchanges occurs anonymously.

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything bad. This may change; read Viewpoint to Plunge Into Adware.

I recommend that you remove the Viewpoint products; however, decide for yourself.

To uninstall the Viewpoint components:
  1. Click Start, point to Settings, and then click Control Panel.
  2. In Control Panel, double-click Add or Remove Programs.
  3. In Add or Remove Programs, highlight >>Viewpoint component<< , click Remove.


    How to prevent it from being recreated every time you run the AOL software:
    • Open AOL
    • Go to Help on the toolbar
    • Select About AOL
    • Hit Ctrl D and a secret panel can be accessed which will allow you to disable all desktop and IM features associated with Viewpoint.



Logs/Information to Post in Next Reply

Please post the following logs/Information in your reply:
  • Answer to My question
  • ComboFix log (found at C:\Combofix.txt)
  • A fresh HijackThis Log ( after all the above has been done)
  • A description of how your computer is behaving
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK
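As an added triage example (not code from this thread, from ComboFix, or from Bio-Hazard), here is a small Python parser for the Drivers/Services lines of a ComboFix log like the one posted above: it flags a driver registered from a user's Temp directory, or one whose file can no longer be found, and renders the same Driver::/File:: CFScript shape used in the reply above. The sample lines are constructed from this thread's log; reading a trailing "[?]" as "file not found" is an assumption.

```python
"""Triage the 'Drivers/Services' lines of a ComboFix log and draft a CFScript.

Added example for this thread; not code from ComboFix or from any poster.
"""
import re

# Constructed sample lines, modelled on the ComboFix log posted in this thread.
SAMPLE_LINES = [
    r"R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1000000.07D\SymEFA.sys [18/08/2009 21:08 309296]",
    r"S3 nenum13E;nenum13E;\??\c:\docume~1\Maffu\LOCALS~1\Temp\nenum13E.sys --> c:\docume~1\Maffu\LOCALS~1\Temp\nenum13E.sys [?]",
    r"S3 acfva;acfva;c:\windows\system32\DRIVERS\acfva.sys --> c:\windows\system32\DRIVERS\acfva.sys [?]",
    r"S2 LXCRCustomerConnect;LXCRCustomerConnect;c:\windows\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe --> c:\windows\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe [?]",
    "--- Other Services/Drivers In Memory ---",
]

# "R0 name;display name;path [date time size]" is the field layout seen in the log above.
_LINE_RE = re.compile(r"^(?P<start>[RS]\d)\s+(?P<name>[^;]+);(?P<display>[^;]*);(?P<rest>.+)$")
_TAIL_RE = re.compile(r"^(?P<paths>.*?)\s+\[(?P<info>[^\]]*)\]$")

# Directories a kernel driver has no legitimate reason to be loaded from.
TEMP_MARKERS = ("\\temp\\", "\\tmp\\")


def parse_service_line(line):
    """Return a dict for one Drivers/Services line, or None if the line is not one."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    tail = _TAIL_RE.match(m.group("rest"))
    if not tail:
        return None
    # ComboFix prints "registered path --> resolved path"; keep the resolved one.
    path = tail.group("paths").split(" --> ")[-1].strip()
    if path.startswith("\\??\\"):  # NT object-manager prefix, not part of the file path
        path = path[4:]
    return {
        "start": m.group("start"),  # R = running, S = stopped; digit = start type
        "name": m.group("name").strip(),
        "display": m.group("display").strip(),
        "path": path,
        # Assumption: a trailing "[?]" in place of "[date time size]" means ComboFix
        # could not stat the file, i.e. the service entry points at a missing file.
        "missing": tail.group("info").strip() == "?",
    }


def triage(lines):
    """Return entries worth a second look, each with the reasons it was flagged."""
    findings = []
    for line in lines:
        entry = parse_service_line(line)
        if entry is None:
            continue
        reasons = []
        low = entry["path"].lower()
        if any(marker in low for marker in TEMP_MARKERS):
            reasons.append("temp-dir")  # driver binary staged in a temporary directory
        if entry["missing"]:
            reasons.append("file-missing")  # orphaned registration or already-deleted binary
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


def build_cfscript(findings):
    """Render the Driver::/File:: CFScript used in this thread for temp-dir drivers only.

    Orphaned entries are reported but deliberately not scripted: a missing
    file on its own is often a leftover from an uninstaller, not malware.
    """
    drivers = [f for f in findings if "temp-dir" in f["reasons"]]
    if not drivers:
        return ""
    lines = ["Driver::"] + [f["name"] for f in drivers]
    lines += ["", "File::"] + [f["path"] for f in drivers]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for f in found:
        print(f"{f['name']:<22} {', '.join(f['reasons']):<24} {f['path']}")
    print(build_cfscript(found), end="")
```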

Re: Computer infected with Metajuan trojan horse.

Unread postby johnnycolumbia » September 7th, 2009, 11:57 am

Norton says that the affected area for the metajuan.trojan is '6 files, 2 browser caches'.

The 6 listed files are all the same with the same path:

globalroot\systemroot\system32\uacceptgoelwj.dll

Hope that helps.


Here's the Combofix log:

ComboFix 09-09-03.02 - Amy 07/09/2009 16:17.3.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1246.609 [GMT 1:00]
Running from: c:\documents and settings\Amy\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Amy\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
* Created a new restore point

FILE ::
"c:\docume~1\Maffu\LOCALS~1\Temp\nenum13E.sys"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NENUM13E
-------\Service_nenum13E


((((((((((((((((((((((((( Files Created from 2009-08-07 to 2009-09-07 )))))))))))))))))))))))))))))))
.

2009-08-26 19:11 . 2009-08-26 19:11 -------- d-----w- c:\program files\Trend Micro
2009-08-24 21:49 . 2009-08-24 21:49 -------- d-----w- c:\documents and settings\Amy\Application Data\Creative
2009-08-18 20:18 . 2009-08-18 20:18 -------- d-----w- c:\program files\Norton Support
2009-08-18 20:18 . 2009-08-18 20:18 -------- d-----w- c:\documents and settings\Amy\Local Settings\Application Data\Symantec
2009-08-18 20:08 . 2009-08-18 20:08 35888 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-08-18 20:08 . 2009-08-18 20:08 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-18 20:08 . 2009-08-18 20:08 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-18 20:07 . 2009-08-18 20:07 -------- d-----w- c:\windows\system32\drivers\NAV
2009-08-18 20:07 . 2009-08-18 20:07 -------- d-----w- c:\program files\Norton AntiVirus
2009-08-18 20:07 . 2009-08-18 20:07 -------- d-----w- c:\program files\Windows Sidebar
2009-08-18 19:58 . 2009-08-18 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-18 19:58 . 2009-08-18 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-18 19:58 . 2009-08-18 19:58 -------- d-----w- c:\program files\NortonInstaller
2009-08-18 19:02 . 2009-08-18 19:02 -------- d-sh--w- c:\documents and settings\Maffu\PrivacIE
2009-08-18 19:02 . 2009-08-18 19:02 -------- d-sh--w- c:\documents and settings\Maffu\IETldCache
2009-08-18 13:18 . 2009-08-18 18:51 -------- d-----w- c:\program files\techguysctss
2009-08-17 22:28 . 2009-08-17 22:28 -------- d-----w- c:\documents and settings\Amy\Local Settings\Application Data\Google
2009-08-11 19:10 . 2009-07-10 13:27 1315328 ------w- c:\windows\system32\dllcache\msoe.dll
2009-08-10 14:02 . 2008-06-13 11:05 272128 ------w- c:\windows\system32\dllcache\bthport.sys
2009-08-10 13:50 . 2009-08-10 13:50 -------- d-----w- c:\windows\system32\scripting
2009-08-10 13:50 . 2009-08-10 13:50 -------- d-----w- c:\windows\system32\en
2009-08-10 13:50 . 2009-08-10 13:50 -------- d-----w- c:\windows\system32\bits
2009-08-10 13:48 . 2009-08-10 13:48 -------- d-----w- c:\windows\ServicePackFiles
2009-08-10 13:43 . 2009-08-10 13:43 -------- d-----w- c:\windows\EHome
2009-08-10 12:32 . 2008-04-13 18:40 10240 ------w- c:\windows\system32\drivers\sffp_mmc.sys
2009-08-10 12:31 . 2004-08-03 21:41 1309184 ------w- c:\windows\system32\drivers\mtlstrm.sys
2009-08-10 12:30 . 2008-04-14 00:11 15423 ------w- c:\windows\system32\drivers\ch7xxnt5.dll
2009-08-09 16:54 . 2009-08-09 16:54 -------- d-sh--w- c:\documents and settings\LocalService\IETldCache
2009-08-09 16:40 . 2009-08-09 16:40 -------- d-sh--w- c:\documents and settings\Amy\IECompatCache
2009-08-09 16:38 . 2009-08-09 16:38 -------- d-sh--w- c:\documents and settings\Amy\PrivacIE
2009-08-09 16:38 . 2009-08-09 16:38 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-08-09 16:37 . 2009-08-09 16:37 -------- d-sh--w- c:\documents and settings\Amy\IETldCache
2009-08-09 16:36 . 2009-08-09 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-08-09 16:34 . 2009-08-09 16:34 -------- d-----w- c:\windows\ie8updates
2009-08-09 16:33 . 2009-08-09 16:33 -------- dc-h--w- c:\windows\ie8
2009-08-09 16:29 . 2009-07-03 17:09 12800 ------w- c:\windows\system32\dllcache\xpshims.dll
2009-08-09 16:29 . 2009-07-03 17:09 246272 ------w- c:\windows\system32\dllcache\ieproxy.dll
2009-08-09 16:29 . 2009-07-01 07:08 101376 ------w- c:\windows\system32\dllcache\iecompat.dll
2009-08-09 14:05 . 2009-08-09 14:15 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-08-09 14:05 . 2009-08-09 14:15 16160 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-09 14:05 . 2009-08-09 14:14 -------- d-----w- c:\documents and settings\Gamer\Application Data\Virgin Broadband
2009-08-09 13:44 . 2009-08-10 13:50 -------- d-----w- c:\windows\l2schemas
2009-08-09 13:43 . 2008-04-14 00:12 69120 ------w- c:\windows\system32\wlanapi.dll
2009-08-09 11:05 . 2009-08-09 11:05 -------- d-----w- c:\windows\system32\XPSViewer
2009-08-09 11:05 . 2009-08-09 11:05 -------- d-----w- c:\program files\MSBuild
2009-08-09 11:05 . 2009-08-09 11:05 -------- d-----w- c:\program files\Reference Assemblies
2009-08-09 11:05 . 2008-07-06 12:06 89088 ------w- c:\windows\system32\dllcache\filterpipelineprintproc.dll
2009-08-09 11:05 . 2008-07-06 12:06 117760 ------w- c:\windows\system32\prntvpt.dll
2009-08-09 11:05 . 2009-08-09 11:05 -------- d-----w- C:\1fd7176ac590664ec748c9d83e4342aa
2009-08-09 11:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\xpsshhdr.dll
2009-08-09 11:05 . 2008-07-06 12:06 575488 ------w- c:\windows\system32\dllcache\xpsshhdr.dll
2009-08-09 11:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\xpssvcs.dll
2009-08-09 11:05 . 2008-07-06 12:06 1676288 ------w- c:\windows\system32\dllcache\xpssvcs.dll
2009-08-09 11:05 . 2008-07-06 10:50 597504 ------w- c:\windows\system32\dllcache\printfilterpipelinesvc.exe
2009-08-09 11:00 . 2009-08-09 11:00 -------- d-----w- c:\program files\MSXML 6.0
2009-08-09 11:00 . 2009-08-09 11:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-09 10:44 . 2008-04-11 19:04 691712 ------w- c:\windows\system32\dllcache\inetcomm.dll
2009-08-09 10:42 . 2008-10-15 16:34 337408 ------w- c:\windows\system32\dllcache\netapi32.dll
2009-08-09 10:42 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-08-09 10:42 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-07 15:29 . 2006-12-11 21:26 -------- d-----w- c:\program files\lx_cats
2009-09-07 15:28 . 2007-09-30 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-09-07 15:28 . 2008-08-28 15:39 -------- d-----w- c:\program files\Common Files\Akamai
2009-09-07 00:43 . 2008-09-07 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-01 14:22 . 2009-06-07 23:35 -------- d-----w- c:\documents and settings\Amy\Application Data\Spotify
2009-09-01 14:02 . 2008-12-02 23:59 -------- d-----w- c:\program files\Celtx
2009-08-18 20:11 . 2006-01-16 03:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-18 20:09 . 2006-01-16 03:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-18 20:08 . 2009-08-18 20:08 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-18 20:08 . 2009-08-18 20:08 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-18 20:08 . 2006-01-16 03:34 -------- d-----w- c:\program files\Symantec
2009-08-18 18:53 . 2008-08-03 17:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-14 02:21 . 2006-04-23 15:04 32176 ----a-w- c:\documents and settings\Amy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-10 14:00 . 2007-09-30 20:07 -------- d-----w- c:\program files\Kontiki
2009-08-10 12:38 . 2006-04-23 22:19 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-08-10 12:37 . 2009-01-22 17:18 -------- d-----w- c:\program files\Microsoft Works
2009-08-09 14:15 . 2009-08-09 14:05 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-08-09 14:15 . 2009-08-09 14:05 1292 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-09 14:14 . 2009-04-06 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Virgin Broadband
2009-08-09 14:14 . 2009-04-06 13:22 -------- d-----w- c:\program files\Virgin Broadband
2009-08-09 13:39 . 2006-01-16 03:34 -------- d-----w- c:\program files\InstallShield Installation Information
2009-08-09 13:30 . 2006-01-16 03:34 -------- d-----w- c:\program files\Common Files\Real
2009-08-09 12:54 . 2009-02-07 14:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-08-05 09:01 . 2003-01-03 03:52 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2003-01-03 03:52 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2003-01-03 03:53 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2003-01-03 03:53 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2003-01-03 03:53 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2003-01-03 03:53 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2003-01-03 03:53 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2003-01-03 03:52 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2003-01-03 03:52 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2003-01-03 03:52 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2003-01-03 03:52 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2003-01-03 03:53 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2003-01-03 03:52 81920 ----a-w- c:\windows\system32\fontsub.dll
2009-06-12 12:31 . 2003-01-03 03:53 76288 ----a-w- c:\windows\system32\telnet.exe
2009-06-10 14:13 . 2003-01-03 03:52 84992 ----a-w- c:\windows\system32\avifil32.dll
2009-06-10 08:19 . 2003-01-03 05:05 2066432 ----a-w- c:\windows\system32\mstscax.dll
2009-06-10 06:14 . 2003-01-03 03:53 132096 ----a-w- c:\windows\system32\wkssvc.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-03_07.36.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-07 15:28 . 2009-09-07 15:28 16384 c:\windows\Temp\Perflib_Perfdata_7c0.dat
+ 2009-09-07 15:27 . 2009-09-07 15:27 16384 c:\windows\Temp\Perflib_Perfdata_774.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-11-27 1032376]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-19 286720]
"NapsterShell"="c:\program files\Napster\napster.exe" [2009-02-03 323216]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2009-6-30 303104]
Metacafe.lnk - c:\program files\Metacafe\MetacafeAgent.exe [2008-6-29 145736]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.CHIP^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Administrator.CHIP\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\APPS\\Powercinema\\PowerCinema.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"2233:TCP"= 2233:TCP:Akamai NetSession Interface
"1178:TCP"= 1178:TCP:Akamai NetSession Interface
"4904:TCP"= 4904:TCP:Akamai NetSession Interface
"1099:TCP"= 1099:TCP:Akamai NetSession Interface
"1151:TCP"= 1151:TCP:Akamai NetSession Interface
"2643:TCP"= 2643:TCP:Akamai NetSession Interface
"4295:TCP"= 4295:TCP:Akamai NetSession Interface
"1237:TCP"= 1237:TCP:Akamai NetSession Interface
"1069:TCP"= 1069:TCP:Akamai NetSession Interface
"1089:TCP"= 1089:TCP:Akamai NetSession Interface
"1057:TCP"= 1057:TCP:Akamai NetSession Interface
"1065:TCP"= 1065:TCP:Akamai NetSession Interface
"2348:TCP"= 2348:TCP:Akamai NetSession Interface
"2359:TCP"= 2359:TCP:Akamai NetSession Interface
"1284:TCP"= 1284:TCP:Akamai NetSession Interface
"3732:TCP"= 3732:TCP:Akamai NetSession Interface
"1064:TCP"= 1064:TCP:Akamai NetSession Interface
"1075:TCP"= 1075:TCP:Akamai NetSession Interface
"3522:TCP"= 3522:TCP:Akamai NetSession Interface
"1918:TCP"= 1918:TCP:Akamai NetSession Interface
"1061:TCP"= 1061:TCP:Akamai NetSession Interface
"1937:TCP"= 1937:TCP:Akamai NetSession Interface
"3513:TCP"= 3513:TCP:Akamai NetSession Interface
"3515:TCP"= 3515:TCP:Akamai NetSession Interface
"4343:TCP"= 4343:TCP:Akamai NetSession Interface
"4394:TCP"= 4394:TCP:Akamai NetSession Interface
"1611:TCP"= 1611:TCP:Akamai NetSession Interface
"2028:TCP"= 2028:TCP:Akamai NetSession Interface
"3221:TCP"= 3221:TCP:Akamai NetSession Interface
"3065:TCP"= 3065:TCP:Akamai NetSession Interface
"1414:TCP"= 1414:TCP:Akamai NetSession Interface
"1670:TCP"= 1670:TCP:Akamai NetSession Interface
"2424:TCP"= 2424:TCP:Akamai NetSession Interface
"2437:TCP"= 2437:TCP:Akamai NetSession Interface
"3599:TCP"= 3599:TCP:Akamai NetSession Interface
"2351:TCP"= 2351:TCP:Akamai NetSession Interface
"3490:TCP"= 3490:TCP:Akamai NetSession Interface
"2995:TCP"= 2995:TCP:Akamai NetSession Interface
"3006:TCP"= 3006:TCP:Akamai NetSession Interface
"4645:TCP"= 4645:TCP:Akamai NetSession Interface
"3112:TCP"= 3112:TCP:Akamai NetSession Interface
"4206:TCP"= 4206:TCP:Akamai NetSession Interface
"4573:TCP"= 4573:TCP:Akamai NetSession Interface
"2458:TCP"= 2458:TCP:Akamai NetSession Interface
"1651:TCP"= 1651:TCP:Akamai NetSession Interface
"1723:TCP"= 1723:TCP:Akamai NetSession Interface
"4146:TCP"= 4146:TCP:Akamai NetSession Interface
"3255:TCP"= 3255:TCP:Akamai NetSession Interface
"3359:TCP"= 3359:TCP:Akamai NetSession Interface
"3376:TCP"= 3376:TCP:Akamai NetSession Interface
"3755:TCP"= 3755:TCP:Akamai NetSession Interface
"4607:TCP"= 4607:TCP:Akamai NetSession Interface
"2632:TCP"= 2632:TCP:Akamai NetSession Interface
"3026:TCP"= 3026:TCP:Akamai NetSession Interface
"2659:TCP"= 2659:TCP:Akamai NetSession Interface
"3944:TCP"= 3944:TCP:Akamai NetSession Interface
"2038:TCP"= 2038:TCP:Akamai NetSession Interface

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1000000.07D\SymEFA.sys [18/08/2009 21:08 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [18/08/2009 21:08 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1000000.07D\ccHPx86.sys [18/08/2009 21:08 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090904.002\IDSXpx86.sys [05/09/2009 20:20 276344]
R2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [03/01/2003 04:53 14336]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe [18/08/2009 21:08 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [30/08/2009 03:15 102448]
S2 LXCRCustomerConnect;LXCRCustomerConnect;c:\windows\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe --> c:\windows\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe [?]
S3 acfva;acfva;c:\windows\system32\DRIVERS\acfva.sys --> c:\windows\system32\DRIVERS\acfva.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [15/04/2008 14:49 16512]
S3 HSFHWCD2;HSFHWCD2;c:\windows\system32\drivers\HSFHWCD2.sys [23/04/2006 16:18 201728]
S3 s3117bus;Sony Ericsson Device 3117 driver (WDM);c:\windows\system32\drivers\s3117bus.sys [13/02/2009 21:05 90408]
S3 s3117mdfl;Sony Ericsson Device 3117 USB WMC Modem Filter;c:\windows\system32\drivers\s3117mdfl.sys [13/02/2009 21:05 15016]
S3 s3117mdm;Sony Ericsson Device 3117 USB WMC Modem Driver;c:\windows\system32\drivers\s3117mdm.sys [13/02/2009 21:05 122024]
S3 s3117mgmt;Sony Ericsson Device 3117 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3117mgmt.sys [13/02/2009 21:05 115368]
S3 s3117nd5;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (NDIS);c:\windows\system32\drivers\s3117nd5.sys [13/02/2009 21:05 25768]
S3 s3117obex;Sony Ericsson Device 3117 USB WMC OBEX Interface;c:\windows\system32\drivers\s3117obex.sys [13/02/2009 21:05 111784]
S3 s3117unic;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (WDM);c:\windows\system32\drivers\s3117unic.sys [13/02/2009 21:05 117544]

--- Other Services/Drivers In Memory ---

*Deregistered* - VolumeFilter

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-01 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-09-07 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-07 13:40]

2009-09-07 c:\windows\Tasks\HDReg.job
- c:\apps\HDReg\HDRegRem.exe [2003-01-06 18:14]

2009-09-07 c:\windows\Tasks\Norton AntiVirus - Amy - Full System Scan.job
- c:\program files\Norton AntiVirus\Engine\16.0.0.125\Navw32.exe [2009-08-18 20:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com/
uInternet Connection Wizard,ShellNext = hxxp://www.pjonline.com/Editorial/20060 ... stion.html
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Amy\Application Data\Mozilla\Firefox\Profiles\9a55r9c6.default\
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/sear ... -web_uk&p=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPJPI150_03.dll
FF - plugin: c:\program files\Java\jre1.5.0_03\bin\NPOJI610.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-07 16:28
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-326614594-1740654645-2243009310-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(3892)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\program files\Kontiki\KService.exe
c:\windows\wanmpsvc.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\windows\system32\lxcrcoms.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\program files\Norton AntiVirus\Engine\16.0.0.125\CLTLMH.EXE
.
**************************************************************************
.
Completion time: 2009-09-07 16:33 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-07 15:33
ComboFix2.txt 2009-09-04 16:37
ComboFix3.txt 2009-09-03 07:40

Pre-Run: 4,443,795,456 bytes free
Post-Run: 4,579,971,072 bytes free

Current=9 Default=9 Failed=8 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
344 --- E O F --- 2009-08-30 15:56



And the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:51:16, on 07/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pjonline.com/Editorial/20060 ... stion.html
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5208034546
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LXCRCustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe (file missing)
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 9092 bytes



The computer is behaving pretty much the same as on my last reply. I have also noticed that every time I get up in the morning Norton has found 1 tracking cookie, which it removes; this happens every morning without fail. I don't know if this has any significance.
johnnycolumbia
Regular Member
 
Posts: 18
Joined: August 18th, 2009, 7:21 pm

Re: Computer infected with Metajuan trojan horse.

Unread postby Bio-Hazard » September 7th, 2009, 5:32 pm

Hello!

OK, let's run another rootkit scan.

SysProt Antirootkit

Download SysProt Antirootkit from HERE (you will find it at the bottom of the page under attachments, or you can get it from one of the mirrors).

  • Unzip it into a folder on your desktop.
  • Double click Sysprot.exe to start the program.
  • Click on the Log tab.
  • In the Write to log box select the following items.

    • Process
    • Kernel Modules
    • SSDT
    • Kernel Hooks
    • Hidden Files
  • At the bottom of the page select

    • Hidden Objects Only
  • Click on the Create Log button on the bottom right.
  • After a few seconds a new window should appear.
  • Select Scan Root Drive.
  • Click on the Start button.
  • When it is complete a new window will appear to indicate that the scan is finished.
  • The log will be saved automatically in the same folder Sysprot.exe was extracted to.
  • Open the text file and copy/paste the log here.
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Computer infected with Metajuan trojan horse.

Unread postby johnnycolumbia » September 8th, 2009, 2:42 pm

Here's the SysProt log:

SysProt AntiRootkit v1.0.1.0
by swatkat

******************************************************************************************
******************************************************************************************

No Hidden Processes found

******************************************************************************************
******************************************************************************************
Kernel Modules:
Module Name: SYMEFA.SYS
Service Name: SymEFA
Module Base: BA6B0000
Module End: BA6FF000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B6BE0000
Module End: B6BF8000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_WMILIB.SYS
Service Name: ---
Module Base: BADFC000
Module End: BADFE000
Hidden: Yes

******************************************************************************************
******************************************************************************************
SSDT:
Function Name: ZwAlertResumeThread
Address: 898FAF88
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAlertThread
Address: 8A36CF20
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAllocateVirtualMemory
Address: 89934358
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwAssignProcessToJobObject
Address: 89B107E0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwConnectPort
Address: 898F23D0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateKey
Address: B704C020
Driver Base: B7036000
Driver End: B705B000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwCreateMutant
Address: 899210E8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateSymbolicLinkObject
Address: 89A91B50
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwCreateThread
Address: 89948E38
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDebugActiveProcess
Address: 89AA5A10
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwDeleteKey
Address: B704C2A0
Driver Base: B7036000
Driver End: B705B000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwDeleteValueKey
Address: B704C800
Driver Base: B7036000
Driver End: B705B000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwDuplicateObject
Address: 89852220
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwFreeVirtualMemory
Address: 8998C8D8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwImpersonateAnonymousToken
Address: 89AACF20
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwImpersonateThread
Address: 8A36FB00
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwLoadDriver
Address: 89943008
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwMapViewOfSection
Address: 89B0E860
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenEvent
Address: 8A350E88
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenProcess
Address: 89944738
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenProcessToken
Address: 89AA8BE0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenSection
Address: 89B13818
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwOpenThread
Address: 89937120
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwProtectVirtualMemory
Address: 8A37E3C0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwResumeThread
Address: 8A368428
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetContextThread
Address: 899221D0
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetInformationProcess
Address: 8A369908
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetSystemInformation
Address: 89AA7D20
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSetValueKey
Address: B704CA50
Driver Base: B7036000
Driver End: B705B000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwSuspendProcess
Address: 8A35B858
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwSuspendThread
Address: 89AFA4F8
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateProcess
Address: 89B0E138
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwTerminateThread
Address: 899B7638
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwUnmapViewOfSection
Address: 89AA9F88
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

Function Name: ZwWriteVirtualMemory
Address: 89909D18
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

******************************************************************************************
******************************************************************************************
No Kernel Hooks found

******************************************************************************************
******************************************************************************************
Hidden files/folders:
Object: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\SrtETmp\E843D45F.TMP
Status: Access denied

Object: C:\Documents and Settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\SRTSP\SrtETmp\F399B29A.TMP
Status: Access denied

Object: C:\Documents and Settings\Maffu\Local Settings\Application Data\Microsoft\Messenger\johnnycolumbia@hotmail.com\SharingMetadata\cutecatb@hotmail.com\DFSR\Staging\CS{24B58107-FA8E-FE5A-8B1D-6050F04A7E35}\01\11-{24B58107-FA8E-FE5A-8B1D-6050F04A7E35}-v1-{AECB
Status: Hidden

Object: C:\Documents and Settings\Maffu\Local Settings\Application Data\Microsoft\Messenger\johnnycolumbia@hotmail.com\SharingMetadata\cutecatb@hotmail.com\DFSR\Staging\CS{24B58107-FA8E-FE5A-8B1D-6050F04A7E35}\15\15-{AECB9D5A-655C-43F4-BFAE-87BC8E95B93A}-v15-{AEC
Status: Hidden

Object: C:\Documents and Settings\Maffu\Local Settings\Application Data\Microsoft\Messenger\johnnycolumbia@hotmail.com\SharingMetadata\leighparsons1@hotmail.com\DFSR\Staging\CS{A62BA912-3615-A6A3-A069-FD289AC20FA6}\01\19-{A62BA912-3615-A6A3-A069-FD289AC20FA6}-v1-
Status: Hidden
johnnycolumbia
Regular Member
 
Posts: 18
Joined: August 18th, 2009, 7:21 pm
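A small defender-side triage script for the SysProt log format posted above, added here as an example; it is not part of the original post and not SysProt's own code. The sample log is constructed from a subset of the entries above plus one made-up hidden-file path, and the severity labels and the "dump_" allow-rule are my own assumptions.

```python
from collections import defaultdict

# Constructed sample in the SysProt log format posted in this thread: a subset of its
# entries plus one made-up hidden-file path (the real log lists Messenger staging files).
SAMPLE_LOG = r"""SysProt AntiRootkit v1.0.1.0

No Hidden Processes found

Kernel Modules:
Module Name: SYMEFA.SYS
Service Name: SymEFA
Module Base: BA6B0000
Module End: BA6FF000
Hidden: Yes

Module Name: \SystemRoot\System32\Drivers\dump_atapi.sys
Service Name: ---
Module Base: B6BE0000
Module End: B6BF8000
Hidden: Yes

SSDT:
Function Name: ZwCreateKey
Address: B704C020
Driver Base: B7036000
Driver End: B705B000
Driver Name: \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS

Function Name: ZwOpenProcess
Address: 89944738
Driver Base: 0
Driver End: 0
Driver Name: _unknown_

No Kernel Hooks found

Hidden files/folders:
Object: C:\Documents and Settings\Example\Local Settings\Temp\constructed.tmp
Status: Hidden
"""

# Section headings SysProt uses; "No ... found" lines mark an empty section.
SECTION_HEADERS = {"Kernel Modules:": "modules", "SSDT:": "ssdt", "Hidden files/folders:": "hidden"}

def parse_sysprot(text):
    """Split a SysProt log into sections of blank-line separated 'Key: Value' records."""
    sections = defaultdict(list)
    current, record = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            current, record = SECTION_HEADERS[line], {}
            continue
        if line.startswith("No ") and line.endswith("found"):
            current = None  # e.g. "No Kernel Hooks found": nothing to collect
            continue
        if not line:  # a blank line closes the current record
            if record and current:
                sections[current].append(record)
            record = {}
            continue
        if current and ": " in line:  # "Key: Value" (paths contain ":\", never ": ")
            key, value = line.split(": ", 1)
            record[key] = value
    if record and current:
        sections[current].append(record)
    return dict(sections)

def triage(sections):
    """Return (severity, message) pairs in the order a helper would read the log."""
    findings = []
    for m in sections.get("modules", []):
        if m.get("Hidden") != "Yes":
            continue
        name = m.get("Module Name", "?")
        if name.rsplit("\\", 1)[-1].lower().startswith("dump_"):
            # Assumption: dump_* modules are the kernel's crash-dump copies of the storage
            # stack; they have no service entry and routinely show as "hidden" in such logs.
            findings.append(("info", f"hidden module {name}: crash-dump driver copy, usually benign"))
        elif m.get("Service Name", "---") != "---":
            findings.append(("low", f"hidden module {name}: backed by service {m['Service Name']}"))
        else:
            findings.append(("review", f"hidden module {name}: no service name, check its origin"))
    for e in sections.get("ssdt", []):
        fn, driver = e.get("Function Name", "?"), e.get("Driver Name", "_unknown_")
        addr = int(e.get("Address", "0"), 16)
        lo, hi = int(e.get("Driver Base", "0"), 16), int(e.get("Driver End", "0"), 16)
        if driver == "_unknown_" or lo == 0:
            # Handler lies outside every loaded driver image (pool memory): security
            # products hook this way, but so do rootkits, so the entry needs an owner.
            findings.append(("review", f"SSDT {fn} -> {addr:08X} is in no loaded driver image"))
        elif not lo <= addr < hi:
            findings.append(("review", f"SSDT {fn} -> {addr:08X} outside {driver} [{lo:08X}-{hi:08X})"))
        else:
            findings.append(("low", f"SSDT {fn} hooked by {driver}"))
    for h in sections.get("hidden", []):
        # "Access denied" objects are often the AV product's own protected files.
        sev = "review" if h.get("Status") == "Hidden" else "info"
        findings.append((sev, f"{h.get('Status')}: {h.get('Object')}"))
    return findings
```

Run `triage(parse_sysprot(text))` over a saved SysProt log to get the list of entries worth a second look, with the "_unknown_" SSDT handlers and hidden files grouped under "review".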

Re: Computer infected with Metajuan trojan horse.

Unread post by Bio-Hazard » September 8th, 2009, 3:17 pm

Hello!

Is Norton still giving you the same message about the infection?
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Computer infected with Metajuan trojan horse.

Unread post by johnnycolumbia » September 8th, 2009, 7:34 pm

Yes, it is. Though when I run a full system scan through Norton it doesn't find the infection. It only seems to appear periodically, more so when I'm online, but throughout the day really, even if I'm not doing anything on the computer. It also appears every time the computer starts up.
johnnycolumbia
Regular Member
 
Posts: 18
Joined: August 18th, 2009, 7:21 pm

Re: Computer infected with Metajuan trojan horse.

Unread post by Bio-Hazard » September 9th, 2009, 5:29 pm

Hello!

Do you mean this message:

Norton says that the affected area for the metajuan.trojan is '6 files, 2 browser caches'.

The 6 listed files are all the same with the same path:

globalroot\systemroot\system32\uacceptgoelwj.dll


Or about the cookie?
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Computer infected with Metajuan trojan horse.

Unread post by johnnycolumbia » September 10th, 2009, 10:18 am

I mean the message that includes:

"Norton says that the affected area for the metajuan.trojan is '6 files, 2 browser caches'.

The 6 listed files are all the same with the same path:

globalroot\systemroot\system32\uacceptgoelwj.dll"
johnnycolumbia
Regular Member
 
Posts: 18
Joined: August 18th, 2009, 7:21 pm

Re: Computer infected with Metajuan trojan horse.

Unread post by Bio-Hazard » September 10th, 2009, 5:13 pm

Hello!

Delete the copy of Combofix and follow these instructions below to download it and run it again.


Download and Run ComboFix

  • ComboFix SHOULD NOT be used unless requested by a forum helper.
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix. A guide to do this can be found HERE.
  • Download Combofix from any of the links below. You must rename it before saving it. Save it to your desktop.

    Link 1
    Link 2

  • Double click on Combo-Fix.exe and follow the prompts.
  • When finished, it will produce a report for you (C:\ComboFix.txt )
  • Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
  • ComboFix should never take more than 20 minutes, including the reboot if malware is detected.

    IMPORTANT: Neither I nor sUBs are responsible for any damage you may have caused your machine by running ComboFix on your own. This tool is not a toy and not for everyday use.

    Next Reply

    Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Computer infected with Metajuan trojan horse.

Unread post by johnnycolumbia » September 12th, 2009, 6:31 pm

Combofix log:

ComboFix 09-09-10.01 - Amy 12/09/2009 23:10.4.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1246.742 [GMT 1:00]
Running from: c:\documents and settings\Amy\Desktop\Combo-Fix.exe
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\RelevantKnowledge
c:\program files\RelevantKnowledge\rlls.dll
c:\program files\RelevantKnowledge\rloci.bin
c:\program files\RelevantKnowledge\rlservice.exe
c:\program files\RelevantKnowledge\rlvknlg.exe
c:\windows\Installer\34f3db.msi

.
((((((((((((((((((((((((( Files Created from 2009-08-12 to 2009-09-12 )))))))))))))))))))))))))))))))
.

2009-09-11 00:11 . 2009-09-11 00:11 -------- d-----w- c:\program files\Audio Encoder
2009-09-11 00:08 . 2009-09-11 00:08 -------- d-----w- c:\program files\One-click FLAC to MP3 Converter
2009-09-11 00:05 . 2009-09-11 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-09 06:16 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-08 12:08 . 2009-09-11 01:47 -------- d-----w- c:\documents and settings\Amy\Application Data\uTorrent
2009-09-07 15:41 . 2009-09-07 15:41 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-26 19:11 . 2009-08-26 19:11 -------- d-----w- c:\program files\Trend Micro
2009-08-24 21:49 . 2009-08-24 21:49 -------- d-----w- c:\documents and settings\Amy\Application Data\Creative
2009-08-18 20:18 . 2009-08-18 20:18 -------- d-----w- c:\program files\Norton Support
2009-08-18 20:18 . 2009-08-18 20:18 -------- d-----w- c:\documents and settings\Amy\Local Settings\Application Data\Symantec
2009-08-18 20:08 . 2009-08-18 20:08 35888 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-08-18 20:08 . 2009-08-18 20:08 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-18 20:08 . 2009-08-18 20:08 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-18 20:07 . 2009-08-18 20:07 -------- d-----w- c:\windows\system32\drivers\NAV
2009-08-18 20:07 . 2009-08-18 20:07 -------- d-----w- c:\program files\Norton AntiVirus
2009-08-18 20:07 . 2009-08-18 20:07 -------- d-----w- c:\program files\Windows Sidebar
2009-08-18 19:58 . 2009-08-18 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-18 19:58 . 2009-08-18 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-18 19:58 . 2009-08-18 19:58 -------- d-----w- c:\program files\NortonInstaller
2009-08-18 19:02 . 2009-08-18 19:02 -------- d-sh--w- c:\documents and settings\Maffu\PrivacIE
2009-08-18 19:02 . 2009-08-18 19:02 -------- d-sh--w- c:\documents and settings\Maffu\IETldCache
2009-08-18 13:18 . 2009-08-18 18:51 -------- d-----w- c:\program files\techguysctss
2009-08-17 22:28 . 2009-08-17 22:28 -------- d-----w- c:\documents and settings\Amy\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-12 22:17 . 2007-09-30 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-09-12 21:52 . 2006-12-11 21:26 -------- d-----w- c:\program files\lx_cats
2009-09-12 21:52 . 2008-09-07 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-12 21:51 . 2008-08-28 15:39 -------- d-----w- c:\program files\Common Files\Akamai
2009-09-09 11:27 . 2009-02-07 14:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-08 21:23 . 2008-12-02 23:59 -------- d-----w- c:\program files\Celtx
2009-09-07 15:41 . 2007-04-25 12:21 -------- d-----w- c:\program files\Java
2009-09-01 14:22 . 2009-06-07 23:35 -------- d-----w- c:\documents and settings\Amy\Application Data\Spotify
2009-08-18 20:11 . 2006-01-16 03:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-18 20:09 . 2006-01-16 03:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-18 20:08 . 2009-08-18 20:08 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-18 20:08 . 2009-08-18 20:08 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-18 20:08 . 2006-01-16 03:34 -------- d-----w- c:\program files\Symantec
2009-08-18 18:53 . 2008-08-03 17:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-14 02:21 . 2006-04-23 15:04 32176 ----a-w- c:\documents and settings\Amy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-10 14:00 . 2007-09-30 20:07 -------- d-----w- c:\program files\Kontiki
2009-08-10 12:38 . 2006-04-23 22:19 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-08-10 12:37 . 2009-01-22 17:18 -------- d-----w- c:\program files\Microsoft Works
2009-08-09 16:36 . 2009-08-09 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-08-09 14:15 . 2009-08-09 14:05 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-08-09 14:15 . 2009-08-09 14:05 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-08-09 14:15 . 2009-08-09 14:05 16160 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-09 14:15 . 2009-08-09 14:05 1292 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-09 14:14 . 2009-08-09 14:05 -------- d-----w- c:\documents and settings\Gamer\Application Data\Virgin Broadband
2009-08-09 14:14 . 2009-04-06 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Virgin Broadband
2009-08-09 14:14 . 2009-04-06 13:22 -------- d-----w- c:\program files\Virgin Broadband
2009-08-09 13:39 . 2006-01-16 03:34 -------- d-----w- c:\program files\InstallShield Installation Information
2009-08-09 13:30 . 2006-01-16 03:34 -------- d-----w- c:\program files\Common Files\Real
2009-08-09 11:05 . 2009-08-09 11:05 -------- d-----w- c:\program files\MSBuild
2009-08-09 11:05 . 2009-08-09 11:05 -------- d-----w- c:\program files\Reference Assemblies
2009-08-09 11:00 . 2009-08-09 11:00 -------- d-----w- c:\program files\MSXML 6.0
2009-08-09 11:00 . 2009-08-09 11:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-05 09:01 . 2003-01-03 03:52 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2003-01-03 03:52 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2003-01-03 03:53 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2003-01-03 03:53 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2003-01-03 03:53 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2003-01-03 03:53 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2003-01-03 03:53 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2003-01-03 03:52 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2003-01-03 03:52 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2003-01-03 03:52 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2003-01-03 03:52 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
2009-06-16 14:36 . 2003-01-03 03:53 119808 ----a-w- c:\windows\system32\t2embed.dll
2009-06-16 14:36 . 2003-01-03 03:52 81920 ----a-w- c:\windows\system32\fontsub.dll
.

((((((((((((((((((((((((((((( SnapShot@2009-09-03_07.36.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-12 21:52 . 2009-09-12 21:52 16384 c:\windows\Temp\Perflib_Perfdata_a4.dat
+ 2009-09-12 21:55 . 2009-09-12 21:55 16384 c:\windows\Temp\Perflib_Perfdata_860.dat
+ 2009-09-12 21:51 . 2009-09-12 21:51 16384 c:\windows\Temp\Perflib_Perfdata_7c4.dat
+ 2009-09-11 00:08 . 2009-09-11 00:08 57856 c:\windows\Installer\{C438FF68-F2F2-4322-A8C4-A66721795B73}\fcvticon.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-04-23 22:20 . 2009-08-12 02:03 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-04-23 22:20 . 2009-08-12 02:03 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-04-23 22:20 . 2009-08-12 02:03 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
- 2006-04-23 22:20 . 2009-08-12 02:03 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-04-23 22:20 . 2009-08-12 02:03 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-07-11 17:02 . 2009-07-11 17:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-11 17:02 . 2009-07-11 17:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-11 17:05 . 2009-07-11 17:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
+ 2003-01-03 03:52 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
- 2003-01-03 03:52 . 2009-03-08 03:33 726528 c:\windows\system32\jscript.dll
+ 2009-09-07 15:41 . 2009-09-07 15:41 149280 c:\windows\system32\javaws.exe
+ 2009-09-07 15:41 . 2009-09-07 15:41 145184 c:\windows\system32\javaw.exe
+ 2009-09-07 15:41 . 2009-09-07 15:41 145184 c:\windows\system32\java.exe
- 2003-01-03 03:52 . 2009-03-08 03:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2003-01-03 03:52 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-09-11 00:08 . 2009-09-11 00:08 123904 c:\windows\Installer\f28f0c.msi
- 2006-04-23 22:20 . 2009-08-12 02:03 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-04-23 22:20 . 2009-08-12 02:03 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2006-04-23 22:20 . 2009-08-12 02:03 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2006-04-23 22:20 . 2009-08-12 02:03 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
- 2006-04-23 22:20 . 2009-08-12 02:03 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-09-09 11:06 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-09-09 11:06 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-09-09 11:06 . 2009-03-08 03:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
- 2005-12-22 00:50 . 2008-06-18 04:03 2458112 c:\windows\system32\WMVCore.dll
+ 2005-12-22 00:50 . 2009-05-20 03:56 2458112 c:\windows\system32\WMVCore.dll
- 2005-12-22 00:50 . 2008-06-18 04:03 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2005-12-22 00:50 . 2009-05-20 03:56 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2009-09-07 15:41 . 2009-09-07 15:41 1757696 c:\windows\Installer\cf4ac.msi
+ 2009-08-25 13:57 . 2009-08-25 13:57 5518336 c:\windows\Installer\390b866.msp
+ 2005-12-21 23:55 . 2009-08-28 21:38 24689600 c:\windows\system32\MRT.exe
+ 2009-09-09 11:06 . 2009-09-09 11:06 15709696 c:\windows\Installer\390b855.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-11-27 1032376]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-19 286720]
"NapsterShell"="c:\program files\Napster\napster.exe" [2009-02-03 323216]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-07 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2009-6-30 303104]
Metacafe.lnk - c:\program files\Metacafe\MetacafeAgent.exe [2008-6-29 145736]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.CHIP^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Administrator.CHIP\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\APPS\\Powercinema\\PowerCinema.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"2233:TCP"= 2233:TCP:Akamai NetSession Interface
"1178:TCP"= 1178:TCP:Akamai NetSession Interface
"4904:TCP"= 4904:TCP:Akamai NetSession Interface
"1099:TCP"= 1099:TCP:Akamai NetSession Interface
"1151:TCP"= 1151:TCP:Akamai NetSession Interface
"2643:TCP"= 2643:TCP:Akamai NetSession Interface
"4295:TCP"= 4295:TCP:Akamai NetSession Interface
"1237:TCP"= 1237:TCP:Akamai NetSession Interface
"1069:TCP"= 1069:TCP:Akamai NetSession Interface
"1089:TCP"= 1089:TCP:Akamai NetSession Interface
"1057:TCP"= 1057:TCP:Akamai NetSession Interface
"1065:TCP"= 1065:TCP:Akamai NetSession Interface
"2348:TCP"= 2348:TCP:Akamai NetSession Interface
"2359:TCP"= 2359:TCP:Akamai NetSession Interface
"1284:TCP"= 1284:TCP:Akamai NetSession Interface
"3732:TCP"= 3732:TCP:Akamai NetSession Interface
"1064:TCP"= 1064:TCP:Akamai NetSession Interface
"1075:TCP"= 1075:TCP:Akamai NetSession Interface
"3522:TCP"= 3522:TCP:Akamai NetSession Interface
"1918:TCP"= 1918:TCP:Akamai NetSession Interface
"1061:TCP"= 1061:TCP:Akamai NetSession Interface
"1937:TCP"= 1937:TCP:Akamai NetSession Interface
"3513:TCP"= 3513:TCP:Akamai NetSession Interface
"3515:TCP"= 3515:TCP:Akamai NetSession Interface
"4343:TCP"= 4343:TCP:Akamai NetSession Interface
"4394:TCP"= 4394:TCP:Akamai NetSession Interface
"1611:TCP"= 1611:TCP:Akamai NetSession Interface
"2028:TCP"= 2028:TCP:Akamai NetSession Interface
"3221:TCP"= 3221:TCP:Akamai NetSession Interface
"3065:TCP"= 3065:TCP:Akamai NetSession Interface
"1414:TCP"= 1414:TCP:Akamai NetSession Interface
"1670:TCP"= 1670:TCP:Akamai NetSession Interface
"2424:TCP"= 2424:TCP:Akamai NetSession Interface
"2437:TCP"= 2437:TCP:Akamai NetSession Interface
"3599:TCP"= 3599:TCP:Akamai NetSession Interface
"2351:TCP"= 2351:TCP:Akamai NetSession Interface
"3490:TCP"= 3490:TCP:Akamai NetSession Interface
"2995:TCP"= 2995:TCP:Akamai NetSession Interface
"3006:TCP"= 3006:TCP:Akamai NetSession Interface
"4645:TCP"= 4645:TCP:Akamai NetSession Interface
"3112:TCP"= 3112:TCP:Akamai NetSession Interface
"4206:TCP"= 4206:TCP:Akamai NetSession Interface
"4573:TCP"= 4573:TCP:Akamai NetSession Interface
"2458:TCP"= 2458:TCP:Akamai NetSession Interface
"1651:TCP"= 1651:TCP:Akamai NetSession Interface
"1723:TCP"= 1723:TCP:Akamai NetSession Interface
"4146:TCP"= 4146:TCP:Akamai NetSession Interface
"3255:TCP"= 3255:TCP:Akamai NetSession Interface
"3359:TCP"= 3359:TCP:Akamai NetSession Interface
"3376:TCP"= 3376:TCP:Akamai NetSession Interface
"3755:TCP"= 3755:TCP:Akamai NetSession Interface
"4607:TCP"= 4607:TCP:Akamai NetSession Interface
"2632:TCP"= 2632:TCP:Akamai NetSession Interface
"3026:TCP"= 3026:TCP:Akamai NetSession Interface
"2659:TCP"= 2659:TCP:Akamai NetSession Interface
"3944:TCP"= 3944:TCP:Akamai NetSession Interface
"2038:TCP"= 2038:TCP:Akamai NetSession Interface
"12016:TCP"= 12016:TCP:uTorrent

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1000000.07D\SymEFA.sys [18/08/2009 21:08 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [18/08/2009 21:08 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1000000.07D\ccHPx86.sys [18/08/2009 21:08 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090910.003\IDSXpx86.sys [10/09/2009 21:31 276344]
R2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [03/01/2003 04:53 14336]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe [18/08/2009 21:08 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [30/08/2009 03:15 102448]
S2 LXCRCustomerConnect;LXCRCustomerConnect;c:\windows\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe --> c:\windows\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe [?]
S3 acfva;acfva;c:\windows\system32\DRIVERS\acfva.sys --> c:\windows\system32\DRIVERS\acfva.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [15/04/2008 14:49 16512]
S3 HSFHWCD2;HSFHWCD2;c:\windows\system32\drivers\HSFHWCD2.sys [23/04/2006 16:18 201728]
S3 s3117bus;Sony Ericsson Device 3117 driver (WDM);c:\windows\system32\drivers\s3117bus.sys [13/02/2009 21:05 90408]
S3 s3117mdfl;Sony Ericsson Device 3117 USB WMC Modem Filter;c:\windows\system32\drivers\s3117mdfl.sys [13/02/2009 21:05 15016]
S3 s3117mdm;Sony Ericsson Device 3117 USB WMC Modem Driver;c:\windows\system32\drivers\s3117mdm.sys [13/02/2009 21:05 122024]
S3 s3117mgmt;Sony Ericsson Device 3117 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3117mgmt.sys [13/02/2009 21:05 115368]
S3 s3117nd5;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (NDIS);c:\windows\system32\drivers\s3117nd5.sys [13/02/2009 21:05 25768]
S3 s3117obex;Sony Ericsson Device 3117 USB WMC OBEX Interface;c:\windows\system32\drivers\s3117obex.sys [13/02/2009 21:05 111784]
S3 s3117unic;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (WDM);c:\windows\system32\drivers\s3117unic.sys [13/02/2009 21:05 117544]

--- Other Services/Drivers In Memory ---

*Deregistered* - VolumeFilter

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-09-12 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-07 13:40]

2009-09-12 c:\windows\Tasks\HDReg.job
- c:\apps\HDReg\HDRegRem.exe [2003-01-06 18:14]

2009-09-11 c:\windows\Tasks\Norton AntiVirus - Amy - Full System Scan.job
- c:\program files\Norton AntiVirus\Engine\16.0.0.125\Navw32.exe [2009-08-18 20:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com/
uInternet Connection Wizard,ShellNext = hxxp://www.pjonline.com/Editorial/20060 ... stion.html
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Amy\Application Data\Mozilla\Firefox\Profiles\9a55r9c6.default\
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/sear ... -web_uk&p=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-12 23:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-326614594-1740654645-2243009310-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
Completion time: 2009-09-12 23:21
ComboFix-quarantined-files.txt 2009-09-12 22:21
ComboFix2.txt 2009-09-07 15:33
ComboFix3.txt 2009-09-04 16:37
ComboFix4.txt 2009-09-03 07:40

Pre-Run: 10,078,707,712 bytes free
Post-Run: 10,131,775,488 bytes free

Current=9 Default=9 Failed=8 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
324 --- E O F --- 2009-09-09 11:14



HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:30:19, on 12/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Kontiki\KHost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\wbem\unsecapp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pjonline.com/Editorial/20060 ... stion.html
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5208034546
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LXCRCustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe (file missing)
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8855 bytes
johnnycolumbia
Regular Member
 
Posts: 18
Joined: August 18th, 2009, 7:21 pm

Re: Computer infected with Metajuan trojan horse.

Unread postby Bio-Hazard » September 13th, 2009, 3:48 am

Run CFScript

  • Close any open browsers.
  • Open Notepad by clicking Start
  • Click Run
  • Type notepad into the box and click enter
  • Notepad will open
  • Copy and Paste everything from the Code box into Notepad:

Code:
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"c:\\Program Files\\uTorrent\\uTorrent.exe"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"12016:TCP"=-

File::
c:\windows\system32\uacceptgoelwj.dll

Folder::
c:\documents and settings\Amy\Application Data\uTorrent
c:\Program Files\uTorrent

Rootkit::
c:\windows\system32\uacceptgoelwj.dll


  • Save this as CFScript.txt, in the same location as ComboFix.exe (on your desktop)

    Image
  • Referring to the picture below, drag CFScript into ComboFix.exe

    Image
  • When finished, it shall produce a log for you at C:\ComboFix.txt

NOTE: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Next Reply

Please reply with:
  • ComboFix log (found at C:\Combofix.txt)
  • New HijackThis log
Bio-Hazard
MRU Master Emeritus
 
Posts: 4078
Joined: May 10th, 2007, 8:28 am
Location: Cornwall, UK

Re: Computer infected with Metajuan trojan horse.

Unread postby johnnycolumbia » September 14th, 2009, 11:21 am

ComboFix log:

ComboFix 09-09-10.01 - Amy 14/09/2009 15:55.5.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1246.702 [GMT 1:00]
Running from: c:\documents and settings\Amy\Desktop\Combo-Fix.exe
Command switches used :: c:\documents and settings\Amy\Desktop\CFScript.txt
AV: Norton AntiVirus *On-access scanning disabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
* Created a new restore point

FILE ::
"c:\windows\system32\uacceptgoelwj.dll"
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Amy\Application Data\uTorrent
c:\documents and settings\Amy\Application Data\uTorrent\dht.dat
c:\documents and settings\Amy\Application Data\uTorrent\dht.dat.old
c:\documents and settings\Amy\Application Data\uTorrent\resume.dat
c:\documents and settings\Amy\Application Data\uTorrent\resume.dat.old
c:\documents and settings\Amy\Application Data\uTorrent\rss.dat
c:\documents and settings\Amy\Application Data\uTorrent\rss.dat.old
c:\documents and settings\Amy\Application Data\uTorrent\settings.dat
c:\documents and settings\Amy\Application Data\uTorrent\settings.dat.old
c:\documents and settings\Amy\Application Data\uTorrent\The Beatles in Mono.1.torrent
c:\documents and settings\Amy\Application Data\uTorrent\The Beatles in Mono.2.torrent
c:\documents and settings\Amy\Application Data\uTorrent\The Beatles in Mono.torrent
c:\documents and settings\Amy\Application Data\uTorrent\utorrent.lng
c:\documents and settings\Amy\Application Data\uTorrent\WWE.Breaking.Point.2009.DSR.XviD-XWT.torrent
c:\documents and settings\Amy\Application Data\uTorrent\WWE.Raw.10.07.09.DSR.XviD-XWT.torrent
c:\documents and settings\Amy\Application Data\uTorrent\Zack And Miri Make A PornoDvDrip (CanusRG-pill).torrent
c:\program files\uTorrent
c:\program files\uTorrent\uTorrent.exe

.
((((((((((((((((((((((((( Files Created from 2009-08-14 to 2009-09-14 )))))))))))))))))))))))))))))))
.

2009-09-11 00:11 . 2009-09-11 00:11 -------- d-----w- c:\program files\Audio Encoder
2009-09-11 00:08 . 2009-09-11 00:08 -------- d-----w- c:\program files\One-click FLAC to MP3 Converter
2009-09-11 00:05 . 2009-09-11 00:05 -------- d-----w- c:\documents and settings\All Users\Application Data\TEMP
2009-09-09 06:16 . 2009-06-21 21:44 153088 ------w- c:\windows\system32\dllcache\triedit.dll
2009-09-07 15:41 . 2009-09-07 15:41 411368 ----a-w- c:\windows\system32\deploytk.dll
2009-08-26 19:11 . 2009-08-26 19:11 -------- d-----w- c:\program files\Trend Micro
2009-08-24 21:49 . 2009-08-24 21:49 -------- d-----w- c:\documents and settings\Amy\Application Data\Creative
2009-08-18 20:18 . 2009-08-18 20:18 -------- d-----w- c:\program files\Norton Support
2009-08-18 20:18 . 2009-08-18 20:18 -------- d-----w- c:\documents and settings\Amy\Local Settings\Application Data\Symantec
2009-08-18 20:08 . 2009-08-18 20:08 35888 ----a-r- c:\windows\system32\drivers\SymIM.sys
2009-08-18 20:08 . 2009-08-18 20:08 60808 ----a-w- c:\windows\system32\S32EVNT1.DLL
2009-08-18 20:08 . 2009-08-18 20:08 124464 ----a-w- c:\windows\system32\drivers\SYMEVENT.SYS
2009-08-18 20:07 . 2009-08-18 20:07 -------- d-----w- c:\windows\system32\drivers\NAV
2009-08-18 20:07 . 2009-08-18 20:07 -------- d-----w- c:\program files\Norton AntiVirus
2009-08-18 20:07 . 2009-08-18 20:07 -------- d-----w- c:\program files\Windows Sidebar
2009-08-18 19:58 . 2009-08-18 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Norton
2009-08-18 19:58 . 2009-08-18 20:06 -------- d-----w- c:\documents and settings\All Users\Application Data\NortonInstaller
2009-08-18 19:58 . 2009-08-18 19:58 -------- d-----w- c:\program files\NortonInstaller
2009-08-18 19:02 . 2009-08-18 19:02 -------- d-sh--w- c:\documents and settings\Maffu\PrivacIE
2009-08-18 19:02 . 2009-08-18 19:02 -------- d-sh--w- c:\documents and settings\Maffu\IETldCache
2009-08-18 13:18 . 2009-08-18 18:51 -------- d-----w- c:\program files\techguysctss
2009-08-17 22:28 . 2009-08-17 22:28 -------- d-----w- c:\documents and settings\Amy\Local Settings\Application Data\Google

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-09-14 15:12 . 2006-12-11 21:26 -------- d-----w- c:\program files\lx_cats
2009-09-14 15:10 . 2007-09-30 20:07 -------- d-----w- c:\documents and settings\All Users\Application Data\Kontiki
2009-09-14 15:05 . 2008-08-28 15:39 -------- d-----w- c:\program files\Common Files\Akamai
2009-09-13 22:53 . 2008-09-07 18:00 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-09-09 11:27 . 2009-02-07 14:54 -------- d-----w- c:\program files\Microsoft Silverlight
2009-09-08 21:23 . 2008-12-02 23:59 -------- d-----w- c:\program files\Celtx
2009-09-07 15:41 . 2007-04-25 12:21 -------- d-----w- c:\program files\Java
2009-09-01 14:22 . 2009-06-07 23:35 -------- d-----w- c:\documents and settings\Amy\Application Data\Spotify
2009-08-18 20:11 . 2006-01-16 03:34 -------- d-----w- c:\program files\Common Files\Symantec Shared
2009-08-18 20:09 . 2006-01-16 03:31 -------- d-----w- c:\documents and settings\All Users\Application Data\Symantec
2009-08-18 20:08 . 2009-08-18 20:08 806 ----a-w- c:\windows\system32\drivers\SYMEVENT.INF
2009-08-18 20:08 . 2009-08-18 20:08 10635 ----a-w- c:\windows\system32\drivers\SYMEVENT.CAT
2009-08-18 20:08 . 2006-01-16 03:34 -------- d-----w- c:\program files\Symantec
2009-08-18 18:53 . 2008-08-03 17:40 -------- d-----w- c:\documents and settings\All Users\Application Data\avg8
2009-08-14 02:21 . 2006-04-23 15:04 32176 ----a-w- c:\documents and settings\Amy\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-08-10 14:00 . 2007-09-30 20:07 -------- d-----w- c:\program files\Kontiki
2009-08-10 12:38 . 2006-04-23 22:19 -------- d-----w- c:\program files\Microsoft ActiveSync
2009-08-10 12:37 . 2009-01-22 17:18 -------- d-----w- c:\program files\Microsoft Works
2009-08-09 16:36 . 2009-08-09 16:36 -------- d-----w- c:\documents and settings\All Users\Application Data\AOL
2009-08-09 14:15 . 2009-08-09 14:05 32 --sha-w- c:\windows\system32\drivers\fidbox2.idx
2009-08-09 14:15 . 2009-08-09 14:05 32 --sha-w- c:\windows\system32\drivers\fidbox2.dat
2009-08-09 14:15 . 2009-08-09 14:05 16160 --sha-w- c:\windows\system32\drivers\fidbox.dat
2009-08-09 14:15 . 2009-08-09 14:05 1292 --sha-w- c:\windows\system32\drivers\fidbox.idx
2009-08-09 14:14 . 2009-08-09 14:05 -------- d-----w- c:\documents and settings\Gamer\Application Data\Virgin Broadband
2009-08-09 14:14 . 2009-04-06 13:22 -------- d-----w- c:\documents and settings\All Users\Application Data\Virgin Broadband
2009-08-09 14:14 . 2009-04-06 13:22 -------- d-----w- c:\program files\Virgin Broadband
2009-08-09 13:39 . 2006-01-16 03:34 -------- d-----w- c:\program files\InstallShield Installation Information
2009-08-09 13:30 . 2006-01-16 03:34 -------- d-----w- c:\program files\Common Files\Real
2009-08-09 11:05 . 2009-08-09 11:05 -------- d-----w- c:\program files\MSBuild
2009-08-09 11:05 . 2009-08-09 11:05 -------- d-----w- c:\program files\Reference Assemblies
2009-08-09 11:00 . 2009-08-09 11:00 -------- d-----w- c:\program files\MSXML 6.0
2009-08-09 11:00 . 2009-08-09 11:00 -------- d-----w- c:\program files\Microsoft CAPICOM 2.1.0.2
2009-08-05 09:01 . 2003-01-03 03:52 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-17 19:01 . 2003-01-03 03:52 58880 ----a-w- c:\windows\system32\atl.dll
2009-07-13 22:43 . 2003-01-03 03:53 286208 ----a-w- c:\windows\system32\wmpdxm.dll
2009-07-03 17:09 . 2003-01-03 03:53 915456 ------w- c:\windows\system32\wininet.dll
2009-06-25 08:25 . 2003-01-03 03:53 54272 ----a-w- c:\windows\system32\wdigest.dll
2009-06-25 08:25 . 2003-01-03 03:53 56832 ----a-w- c:\windows\system32\secur32.dll
2009-06-25 08:25 . 2003-01-03 03:53 147456 ----a-w- c:\windows\system32\schannel.dll
2009-06-25 08:25 . 2003-01-03 03:52 136192 ----a-w- c:\windows\system32\msv1_0.dll
2009-06-25 08:25 . 2003-01-03 03:52 730112 ----a-w- c:\windows\system32\lsasrv.dll
2009-06-25 08:25 . 2003-01-03 03:52 301568 ----a-w- c:\windows\system32\kerberos.dll
2009-06-24 11:18 . 2003-01-03 03:52 92928 ----a-w- c:\windows\system32\drivers\ksecdd.sys
.

((((((((((((((((((((((((((((( SnapShot@2009-09-03_07.36.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-09-12 21:52 . 2009-09-12 21:52 16384 c:\windows\Temp\Perflib_Perfdata_a4.dat
- 2009-09-03 07:35 . 2009-09-03 07:35 16384 c:\windows\Temp\Perflib_Perfdata_7f8.dat
+ 2009-09-14 15:06 . 2009-09-14 15:06 16384 c:\windows\Temp\Perflib_Perfdata_7f8.dat
+ 2009-09-14 15:05 . 2009-09-14 15:05 16384 c:\windows\Temp\Perflib_Perfdata_7d0.dat
+ 2009-09-14 15:05 . 2009-09-14 15:05 16384 c:\windows\Temp\Perflib_Perfdata_778.dat
+ 2009-09-11 00:08 . 2009-09-11 00:08 57856 c:\windows\Installer\{C438FF68-F2F2-4322-A8C4-A66721795B73}\fcvticon.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-04-23 22:20 . 2009-08-12 02:03 23040 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\unbndico.exe
- 2006-04-23 22:20 . 2009-08-12 02:03 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 27136 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\oisicon.exe
- 2006-04-23 22:20 . 2009-08-12 02:03 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 11264 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\mspicons.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-04-23 22:20 . 2009-08-12 02:03 12288 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\cagicon.exe
- 2006-04-23 22:20 . 2009-08-12 02:03 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 4096 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\opwicon.exe
+ 2009-07-11 17:02 . 2009-07-11 17:02 653120 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcr90.dll
+ 2009-07-11 17:02 . 2009-07-11 17:02 569664 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcp90.dll
+ 2009-07-11 17:05 . 2009-07-11 17:05 225280 c:\windows\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.30729.4148_x-ww_d495ac4e\msvcm90.dll
- 2003-01-03 03:52 . 2009-03-08 03:33 726528 c:\windows\system32\jscript.dll
+ 2003-01-03 03:52 . 2009-06-22 06:44 726528 c:\windows\system32\jscript.dll
+ 2009-09-07 15:41 . 2009-09-07 15:41 149280 c:\windows\system32\javaws.exe
+ 2009-09-07 15:41 . 2009-09-07 15:41 145184 c:\windows\system32\javaw.exe
+ 2009-09-07 15:41 . 2009-09-07 15:41 145184 c:\windows\system32\java.exe
+ 2003-01-03 03:52 . 2009-06-22 06:44 726528 c:\windows\system32\dllcache\jscript.dll
- 2003-01-03 03:52 . 2009-03-08 03:33 726528 c:\windows\system32\dllcache\jscript.dll
+ 2009-09-11 00:08 . 2009-09-11 00:08 123904 c:\windows\Installer\f28f0c.msi
- 2006-04-23 22:20 . 2009-08-12 02:03 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 409600 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\xlicons.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-04-23 22:20 . 2009-08-12 02:03 286720 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\wordicon.exe
- 2006-04-23 22:20 . 2009-08-12 02:03 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 249856 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\pptico.exe
- 2006-04-23 22:20 . 2009-08-12 02:03 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 794624 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\outicon.exe
+ 2006-04-23 22:20 . 2009-09-09 11:08 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
- 2006-04-23 22:20 . 2009-08-12 02:03 135168 c:\windows\Installer\{91120409-6000-11D3-8CFE-0150048383C9}\misc.exe
+ 2009-09-09 11:06 . 2008-07-08 13:02 382840 c:\windows\ie8updates\KB971961-IE8\spuninst\updspapi.dll
+ 2009-09-09 11:06 . 2008-07-08 13:02 231288 c:\windows\ie8updates\KB971961-IE8\spuninst\spuninst.exe
+ 2009-09-09 11:06 . 2009-03-08 03:33 726528 c:\windows\ie8updates\KB971961-IE8\jscript.dll
- 2005-12-22 00:50 . 2008-06-18 04:03 2458112 c:\windows\system32\WMVCore.dll
+ 2005-12-22 00:50 . 2009-05-20 03:56 2458112 c:\windows\system32\WMVCore.dll
+ 2005-12-22 00:50 . 2009-05-20 03:56 2458112 c:\windows\system32\dllcache\WMVCore.dll
- 2005-12-22 00:50 . 2008-06-18 04:03 2458112 c:\windows\system32\dllcache\WMVCore.dll
+ 2009-09-07 15:41 . 2009-09-07 15:41 1757696 c:\windows\Installer\cf4ac.msi
+ 2009-08-25 13:57 . 2009-08-25 13:57 5518336 c:\windows\Installer\390b866.msp
+ 2005-12-21 23:55 . 2009-08-28 21:38 24689600 c:\windows\system32\MRT.exe
+ 2009-09-09 11:06 . 2009-09-09 11:06 15709696 c:\windows\Installer\390b855.msp
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
"H/PC Connection Agent"="c:\program files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 1289000]
"Sony Ericsson PC Suite"="c:\program files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" [2008-02-20 356352]
"kdx"="c:\program files\Kontiki\KHost.exe" [2007-11-27 1032376]
"WMPNSCFG"="c:\program files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 204288]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXCRCATS"="c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll" [2005-12-01 65536]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2008-06-12 34672]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-10-19 286720]
"NapsterShell"="c:\program files\Napster\napster.exe" [2009-02-03 323216]
"Broadbandadvisor.exe"="c:\program files\Virgin Broadband\advisor\Broadbandadvisor.exe" [2009-05-27 2303216]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-09-07 149280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Exif Launcher S.lnk - c:\program files\FinePixViewerS\QuickDCF2.exe [2009-6-30 303104]
Metacafe.lnk - c:\program files\Metacafe\MetacafeAgent.exe [2008-6-29 145736]

[HKLM\~\startupfolder\C:^Documents and Settings^Administrator.CHIP^Start Menu^Programs^Startup^desktop.ini]
path=c:\documents and settings\Administrator.CHIP\Start Menu\Programs\Startup\desktop.ini
backup=c:\windows\pss\desktop.iniStartup

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\APPS\\Powercinema\\PowerCinema.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Kodak\\Kodak EasyShare software\\bin\\EasyShare.exe"=
"c:\\Program Files\\AOL 9.0\\waol.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLAcsd.exe"=
"c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"c:\\Program Files\\MSN Messenger\\livecall.exe"=
"c:\\Program Files\\Kontiki\\KService.exe"=
"c:\program files\Microsoft ActiveSync\rapimgr.exe"= c:\program files\Microsoft ActiveSync\rapimgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync RAPI Manager
"c:\program files\Microsoft ActiveSync\wcescomm.exe"= c:\program files\Microsoft ActiveSync\wcescomm.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Connection Manager
"c:\program files\Microsoft ActiveSync\WCESMgr.exe"= c:\program files\Microsoft ActiveSync\WCESMgr.exe:169.254.2.0/255.255.255.0:Enabled:ActiveSync Application
"c:\\Program Files\\Sony Ericsson\\Sony Ericsson Media Manager\\MediaManager.exe"=
"c:\\Program Files\\Sony Ericsson\\Update Service\\Update Service.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Spotify\\spotify.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Akamai NetSession Interface
"5000:UDP"= 5000:UDP:Akamai NetSession Interface
"26675:TCP"= 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"2233:TCP"= 2233:TCP:Akamai NetSession Interface
"1178:TCP"= 1178:TCP:Akamai NetSession Interface
"4904:TCP"= 4904:TCP:Akamai NetSession Interface
"1099:TCP"= 1099:TCP:Akamai NetSession Interface
"1151:TCP"= 1151:TCP:Akamai NetSession Interface
"2643:TCP"= 2643:TCP:Akamai NetSession Interface
"4295:TCP"= 4295:TCP:Akamai NetSession Interface
"1237:TCP"= 1237:TCP:Akamai NetSession Interface
"1069:TCP"= 1069:TCP:Akamai NetSession Interface
"1089:TCP"= 1089:TCP:Akamai NetSession Interface
"1057:TCP"= 1057:TCP:Akamai NetSession Interface
"1065:TCP"= 1065:TCP:Akamai NetSession Interface
"2348:TCP"= 2348:TCP:Akamai NetSession Interface
"2359:TCP"= 2359:TCP:Akamai NetSession Interface
"1284:TCP"= 1284:TCP:Akamai NetSession Interface
"3732:TCP"= 3732:TCP:Akamai NetSession Interface
"1064:TCP"= 1064:TCP:Akamai NetSession Interface
"1075:TCP"= 1075:TCP:Akamai NetSession Interface
"3522:TCP"= 3522:TCP:Akamai NetSession Interface
"1918:TCP"= 1918:TCP:Akamai NetSession Interface
"1061:TCP"= 1061:TCP:Akamai NetSession Interface
"1937:TCP"= 1937:TCP:Akamai NetSession Interface
"3513:TCP"= 3513:TCP:Akamai NetSession Interface
"3515:TCP"= 3515:TCP:Akamai NetSession Interface
"4343:TCP"= 4343:TCP:Akamai NetSession Interface
"4394:TCP"= 4394:TCP:Akamai NetSession Interface
"1611:TCP"= 1611:TCP:Akamai NetSession Interface
"2028:TCP"= 2028:TCP:Akamai NetSession Interface
"3221:TCP"= 3221:TCP:Akamai NetSession Interface
"3065:TCP"= 3065:TCP:Akamai NetSession Interface
"1414:TCP"= 1414:TCP:Akamai NetSession Interface
"1670:TCP"= 1670:TCP:Akamai NetSession Interface
"2424:TCP"= 2424:TCP:Akamai NetSession Interface
"2437:TCP"= 2437:TCP:Akamai NetSession Interface
"3599:TCP"= 3599:TCP:Akamai NetSession Interface
"2351:TCP"= 2351:TCP:Akamai NetSession Interface
"3490:TCP"= 3490:TCP:Akamai NetSession Interface
"2995:TCP"= 2995:TCP:Akamai NetSession Interface
"3006:TCP"= 3006:TCP:Akamai NetSession Interface
"4645:TCP"= 4645:TCP:Akamai NetSession Interface
"3112:TCP"= 3112:TCP:Akamai NetSession Interface
"4206:TCP"= 4206:TCP:Akamai NetSession Interface
"4573:TCP"= 4573:TCP:Akamai NetSession Interface
"2458:TCP"= 2458:TCP:Akamai NetSession Interface
"1651:TCP"= 1651:TCP:Akamai NetSession Interface
"1723:TCP"= 1723:TCP:Akamai NetSession Interface
"4146:TCP"= 4146:TCP:Akamai NetSession Interface
"3255:TCP"= 3255:TCP:Akamai NetSession Interface
"3359:TCP"= 3359:TCP:Akamai NetSession Interface
"3376:TCP"= 3376:TCP:Akamai NetSession Interface
"3755:TCP"= 3755:TCP:Akamai NetSession Interface
"4607:TCP"= 4607:TCP:Akamai NetSession Interface
"2632:TCP"= 2632:TCP:Akamai NetSession Interface
"3026:TCP"= 3026:TCP:Akamai NetSession Interface
"2659:TCP"= 2659:TCP:Akamai NetSession Interface
"3944:TCP"= 3944:TCP:Akamai NetSession Interface
"2038:TCP"= 2038:TCP:Akamai NetSession Interface

R0 SymEFA;Symantec Extended File Attributes;c:\windows\system32\drivers\NAV\1000000.07D\SymEFA.sys [18/08/2009 21:08 309296]
R1 BHDrvx86;Symantec Heuristics Driver;c:\windows\system32\drivers\NAV\1000000.07D\BHDrvx86.sys [18/08/2009 21:08 254512]
R1 ccHP;Symantec Hash Provider;c:\windows\system32\drivers\NAV\1000000.07D\ccHPx86.sys [18/08/2009 21:08 362544]
R1 IDSxpx86;IDSxpx86;c:\documents and settings\All Users\Application Data\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\Norton\Definitions\IPSDefs\20090910.003\IDSXpx86.sys [10/09/2009 21:31 276344]
R2 Akamai;Akamai;c:\windows\System32\svchost.exe -k Akamai [03/01/2003 04:53 14336]
R2 Norton AntiVirus;Norton AntiVirus;c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe [18/08/2009 21:08 115560]
R3 EraserUtilRebootDrv;EraserUtilRebootDrv;c:\program files\Common Files\Symantec Shared\EENGINE\EraserUtilRebootDrv.sys [30/08/2009 03:15 102448]
S2 LXCRCustomerConnect;LXCRCustomerConnect;c:\windows\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe --> c:\windows\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe [?]
S3 acfva;acfva;c:\windows\system32\DRIVERS\acfva.sys --> c:\windows\system32\DRIVERS\acfva.sys [?]
S3 ASPI;Advanced SCSI Programming Interface Driver;c:\windows\system32\drivers\ASPI32.SYS [15/04/2008 14:49 16512]
S3 HSFHWCD2;HSFHWCD2;c:\windows\system32\drivers\HSFHWCD2.sys [23/04/2006 16:18 201728]
S3 s3117bus;Sony Ericsson Device 3117 driver (WDM);c:\windows\system32\drivers\s3117bus.sys [13/02/2009 21:05 90408]
S3 s3117mdfl;Sony Ericsson Device 3117 USB WMC Modem Filter;c:\windows\system32\drivers\s3117mdfl.sys [13/02/2009 21:05 15016]
S3 s3117mdm;Sony Ericsson Device 3117 USB WMC Modem Driver;c:\windows\system32\drivers\s3117mdm.sys [13/02/2009 21:05 122024]
S3 s3117mgmt;Sony Ericsson Device 3117 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\s3117mgmt.sys [13/02/2009 21:05 115368]
S3 s3117nd5;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (NDIS);c:\windows\system32\drivers\s3117nd5.sys [13/02/2009 21:05 25768]
S3 s3117obex;Sony Ericsson Device 3117 USB WMC OBEX Interface;c:\windows\system32\drivers\s3117obex.sys [13/02/2009 21:05 111784]
S3 s3117unic;Sony Ericsson Device 3117 USB Ethernet Emulation SEMC3117 (WDM);c:\windows\system32\drivers\s3117unic.sys [13/02/2009 21:05 117544]

--- Other Services/Drivers In Memory ---

*Deregistered* - VolumeFilter

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
Akamai REG_MULTI_SZ Akamai

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder

2009-09-08 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 14:57]

2009-09-14 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2008-09-07 13:40]

2009-09-14 c:\windows\Tasks\HDReg.job
- c:\apps\HDReg\HDRegRem.exe [2003-01-06 18:14]

2009-09-14 c:\windows\Tasks\Norton AntiVirus - Amy - Full System Scan.job
- c:\program files\Norton AntiVirus\Engine\16.0.0.125\Navw32.exe [2009-08-18 20:08]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.virginmedia.com/
uInternet Connection Wizard,ShellNext = hxxp://www.pjonline.com/Editorial/20060 ... stion.html
IE: &AOL Toolbar search - c:\program files\AOL Toolbar\toolbar.dll/SEARCH.HTML
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Amy\Application Data\Mozilla\Firefox\Profiles\9a55r9c6.default\
FF - prefs.js: keyword.URL - hxxp://uk.yhs.search.yahoo.com/avg/sear ... -web_uk&p=
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npstrlnk.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
FF - plugin: c:\program files\Virgin Broadband\advisor\nprpspa.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-09-14 16:11
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
LXCRCATS = rundll32 c:\windows\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16???????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet009\Services\Norton AntiVirus]
"ImagePath"="\"c:\program files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe\" /s \"Norton AntiVirus\" /m \"c:\program files\Norton AntiVirus\Engine\16.0.0.125\diMaster.dll\" /prefetch:1"
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_USERS\S-1-5-21-326614594-1740654645-2243009310-1006\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(2212)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Common Files\AOL\ACS\AOLacsd.exe
c:\program files\Symantec\LiveUpdate\AluSchedulerSvc.exe
c:\apps\Powercinema\Kernel\TV\CLCapSvc.exe
c:\windows\system32\CTSVCCDA.EXE
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
c:\program files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Kontiki\KService.exe
c:\windows\wanmpsvc.exe
c:\apps\Powercinema\Kernel\TV\CLSched.exe
c:\program files\Windows Media Player\wmpnetwk.exe
c:\windows\system32\wscntfy.exe
c:\progra~1\MICROS~3\rapimgr.exe
c:\windows\system32\lxcrcoms.exe
c:\windows\system32\notepad.exe
.
**************************************************************************
.
Completion time: 2009-09-14 16:15 - machine was rebooted
ComboFix-quarantined-files.txt 2009-09-14 15:15
ComboFix2.txt 2009-09-12 22:21
ComboFix3.txt 2009-09-07 15:33
ComboFix4.txt 2009-09-04 16:37
ComboFix5.txt 2009-09-14 14:53

Pre-Run: 7,763,185,664 bytes free
Post-Run: 7,727,321,088 bytes free

Current=9 Default=9 Failed=8 LastKnownGood=10 Sets=1,2,3,4,5,6,7,8,9,10
366 --- E O F --- 2009-09-09 11:14




HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:17:49, on 14/09/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Kontiki\KService.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
c:\APPS\Powercinema\Kernel\TV\CLSched.exe
C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\Napster\napster.exe
C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\lxcrcoms.exe
C:\Program Files\FinePixViewerS\QuickDCF2.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.virginmedia.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.pjonline.com/Editorial/20060 ... stion.html
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\IPSBHO.DLL
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NapsterShell] C:\Program Files\Napster\napster.exe /systray
O4 - HKLM\..\Run: [Broadbandadvisor.exe] "C:\Program Files\Virgin Broadband\advisor\Broadbandadvisor.exe" /AUTORUN
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe" /systray /nologon
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Exif Launcher S.lnk = ?
O4 - Global Startup: Metacafe.lnk = C:\Program Files\Metacafe\MetacafeAgent.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.virgin.net
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/200 ... oader5.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Fac ... loader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 5208034546
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMe ... loader.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/ractrl.cab?lmi=100
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\Program Files\Common Files\AOL\AOL Spyware Protection\\aolserv.exe (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CyberLink Background Capture Service (CBCS) (CLCapSvc) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLCapSvc.exe
O23 - Service: CyberLink Task Scheduler (CTS) (CLSched) - Unknown owner - c:\APPS\Powercinema\Kernel\TV\CLSched.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: CyberLink Media Library Service - Cyberlink - C:\Program Files\CyberLink\Shared Files\CLML_NTService\CLMLServer.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LXCRCustomerConnect - Unknown owner - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\\LXCRserv.exe (file missing)
O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe
O23 - Service: Norton AntiVirus - Symantec Corporation - C:\Program Files\Norton AntiVirus\Engine\16.0.0.125\ccSvcHst.exe
O23 - Service: Symantec RemoteAssist - Symantec, Inc. - C:\Program Files\Common Files\Symantec Shared\Support Controls\ssrc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8997 bytes
johnnycolumbia
Regular Member
 
Posts: 18
Joined: August 18th, 2009, 7:21 pm