Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.


Hi, have been infected.


Re: Hi, have been infected.

Unread postby dan12 » April 6th, 2008, 6:13 pm

And you sent them off for me?

Re: Hi, have been infected.

Unread postby gingernick » April 6th, 2008, 6:43 pm

Sorry Dan, I really am a beginner; please give me step by step. What do you want me to send, and how? Thanks.

Re: Hi, have been infected.

Unread postby dan12 » April 6th, 2008, 6:59 pm

In my last post to you I gave you a CF script to run; when done, it should have placed a couple of files, one being a zip, on the desktop, and all you had to do was copy and paste the file as my example below shows.
Note: this is my example for demonstration; yours will have the file I want uploading.

Code:
< url to log >

Suspect::
< sample files >

Warning: The above script is just for sern6. If you are not sern6, please do not use this script as it may damage the workings of your system.

Click on File > Save As....

In the File Name field, copy and paste in CFScript.txt. Do not change the file name.

Click Save.

Referring to the picture below, drag CFScript into Combofix.

[image]

Combofix will start running. When done, a log will be produced. Please post this log in your next reply.

In addition, it will prompt you to submit some files for analyzing.

[image]

Click OK.

Copy and paste the file path into the text box next to the Browse button (boxed up in red).

[image]

Click on Send File.

Do not mouse click on Combofix while it is running. That may cause it to stall.

Let me know if that helped.

Re: Hi, have been infected.

Unread postby gingernick » April 7th, 2008, 12:11 pm

OK, here are the results of the ComboFix scan; it also asked me to send a zip file to Bleeping Computer, which I did.

ComboFix 08-04-03.5 - Nick 2008-04-07 16:59:14.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.594 [GMT 1:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nick\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\yfmkwrbh.dll
.

((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-06 09:56 . 2008-04-06 09:57 <DIR> d-------- C:\Program Files\Panda Security
2008-04-05 12:30 . 2008-04-05 12:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-05 12:30 . 2008-04-05 12:30 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Malwarebytes
2008-04-05 12:30 . 2008-04-05 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-04 22:44 . 2008-04-04 22:44 <DIR> d-------- C:\Program Files\CCleaner
2008-04-03 21:19 . 2008-04-03 21:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-03 17:54 . 2008-04-04 21:58 1,246 ---hs---- C:\WINDOWS\system32\rootoapd.ini
2008-03-28 23:53 . 2008-04-05 12:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\cfivihuj
2008-03-18 18:49 . 2008-03-18 18:50 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-07 15:03 . 2008-03-07 15:03 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-03-07 15:03 . 2008-03-07 15:03 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-03-07 14:40 . 2008-03-07 14:40 13,035 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-03-07 14:40 . 2008-03-07 14:40 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-03-07 14:39 . 2008-03-07 14:39 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-03-07 14:39 . 2008-03-07 14:39 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-03-07 14:39 . 2008-03-07 14:39 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-03-07 14:39 . 2008-03-07 14:39 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-03-07 14:39 . 2008-03-07 14:39 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-03-07 14:39 . 2008-03-07 14:39 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-03-07 14:39 . 2008-03-07 14:39 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 16:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-04-07 15:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-06 21:47 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-01 17:00 --------- d-----w C:\Program Files\Minilyrics
2008-04-01 16:59 --------- d-----w C:\Program Files\Microsoft Games
2008-03-10 21:24 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-06 21:32 706 -c--a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-06 21:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-06 21:32 10,537 -c--a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-04 21:00 --------- d-----w C:\Program Files\Kontiki
2008-02-17 16:59 --------- d-----w C:\Program Files\Channel4
2008-02-17 16:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Channel4
2007-03-20 07:43 0 -c--a-w C:\Documents and Settings\Tom\Application Data\wklnhst.dat
2007-03-18 19:59 0 -c--a-w C:\Documents and Settings\Nick\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((( snapshot@2008-04-04_23.02.04.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-25 17:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 12:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2008-04-07 15:51:48 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_108.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 18:56 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 21:56 64512]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 22:42 212992]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 03:50 88363 C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 21:05 344064]
"TGX2_VFD"="C:\WINDOWS\system32\TGVFDMsgservice.exe" [2004-12-01 14:12 233472]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 14:42 77824 C:\WINDOWS\SOUNDMAN.EXE]
"AOL_Demo"="C:\Applications\Tool\AOL Demo\DSGDemo.exe" [ ]
"BtcMaestro"="C:\Program Files\KMaestro\KMaestro.exe" [2004-05-07 15:26 237568]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 08:11 771704]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 08:19 185632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 18:56 1032376]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 20:00 15360]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Philips Media Manager.lnk - C:\Program Files\Philips\Media Manager\Philips Media Manager.exe [2007-03-14 19:56:35 136704]

C:\Documents and Settings\Amy\Start Menu\Programs\Startup\
Philips Media Manager.lnk - C:\Program Files\Philips\Media Manager\Philips Media Manager.exe [2007-03-14 19:56:35 136704]

C:\Documents and Settings\Mum\Start Menu\Programs\Startup\
Philips Media Manager.lnk - C:\Program Files\Philips\Media Manager\Philips Media Manager.exe [2007-03-14 19:56:35 136704]

C:\Documents and Settings\Tom\Start Menu\Programs\Startup\
Philips Media Manager.lnk - C:\Program Files\Philips\Media Manager\Philips Media Manager.exe [2007-03-14 19:56:35 136704]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
FreeventsSchedule.lnk - C:\Freevents\FreeventsSchedule.exe [2006-04-25 14:57:54 16384]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2006-04-28 10:53:02 593920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo8"= VfWWDM32.dll
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Philips\\Media Manager\\Philips Media Manager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R1 CXAVSAUD;Conexant 2388x Audio Capture;C:\WINDOWS\system32\DRIVERS\cxavsaud.sys [2005-10-25 02:56]
R3 CXAVSTS;Conexant 2388x AVStream TS Capture;C:\WINDOWS\system32\drivers\cxavsts.sys [2005-10-25 02:56]
R3 CXBDATUNE;Conexant BDA DVB Tuner/Demod;C:\WINDOWS\system32\drivers\cxBDAtun.sys [2005-10-25 02:56]
S3 TGX263;TriGem X2 Device Driver;C:\WINDOWS\system32\Drivers\TGX263.sys [2004-11-03 15:16]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-09-09 16:04:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-31 19:00:14 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Nick.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 17:00:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-07 17:01:27
ComboFix-quarantined-files.txt 2008-04-07 16:01:23
ComboFix2.txt 2008-04-06 10:08:02
ComboFix3.txt 2008-04-06 08:51:50
ComboFix4.txt 2008-04-05 11:23:36
ComboFix5.txt 2008-04-04 22:02:25
Pre-Run: 142,858,186,752 bytes free
Post-Run: 142,843,457,536 bytes free
.
2008-03-11 22:10:58 --- E O F ---

Re: Hi, have been infected.

Unread postby dan12 » April 7th, 2008, 1:49 pm

I want to know if this file exists; if yes, please delete it.
Right-click Start and in the drop-down menu click "Explore". Then navigate to each file/folder in the left-hand pane, which will reveal its content in the right-hand pane; highlight the file or folder, right-click and Delete, if present:

C:\WINDOWS\system32\yfmkwrbh.dll << This file

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code:
File::
C:\WINDOWS\system32\Tools\Restart.exe
C:\WINDOWS\PSEXESVC.EXE

Folder::
C:\Documents and Settings\All Users\Application Data\cfivihuj

DirLook::
c:\documents and settings\nick\favorites\shop

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AOL_Demo"=-

Save this as CFScript.txt, in the same location as ComboFix.exe


[image]

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post the combo log, thanks.
dan



Re: Hi, have been infected.

Unread postby gingernick » April 7th, 2008, 4:04 pm

Hi Dan, did not find yfmkwrbh.dll. Here is the ComboFix log:

ComboFix 08-04-03.5 - Nick 2008-04-07 20:36:48.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.586 [GMT 1:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nick\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\PSEXESVC.EXE
C:\WINDOWS\system32\Tools\Restart.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\cfivihuj
C:\WINDOWS\PSEXESVC.EXE
C:\WINDOWS\system32\Tools\Restart.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))))))))))))))))))))))))
.

2008-04-06 09:56 . 2008-04-06 09:57 <DIR> d-------- C:\Program Files\Panda Security
2008-04-05 12:30 . 2008-04-05 12:30 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-04-05 12:30 . 2008-04-05 12:30 <DIR> d-------- C:\Documents and Settings\Nick\Application Data\Malwarebytes
2008-04-05 12:30 . 2008-04-05 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-04-04 22:44 . 2008-04-04 22:44 <DIR> d-------- C:\Program Files\CCleaner
2008-04-03 21:19 . 2008-04-03 21:19 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-03 17:54 . 2008-04-04 21:58 1,246 ---hs---- C:\WINDOWS\system32\rootoapd.ini
2008-03-18 18:49 . 2008-03-18 18:50 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-03-07 15:03 . 2008-03-07 15:03 625,032 --a------ C:\WINDOWS\system32\SymNeti.dll
2008-03-07 15:03 . 2008-03-07 15:03 242,056 --a------ C:\WINDOWS\system32\SymRedir.dll
2008-03-07 14:40 . 2008-03-07 14:40 13,035 --a------ C:\WINDOWS\system32\drivers\SymRedir.cat
2008-03-07 14:40 . 2008-03-07 14:40 1,358 --a------ C:\WINDOWS\system32\drivers\SymRedir.inf
2008-03-07 14:39 . 2008-03-07 14:39 191,536 --a------ C:\WINDOWS\system32\drivers\symtdi.sys
2008-03-07 14:39 . 2008-03-07 14:39 145,968 --a------ C:\WINDOWS\system32\drivers\symfw.sys
2008-03-07 14:39 . 2008-03-07 14:39 39,984 --a------ C:\WINDOWS\system32\drivers\symids.sys
2008-03-07 14:39 . 2008-03-07 14:39 37,936 --a------ C:\WINDOWS\system32\drivers\symndisv.sys
2008-03-07 14:39 . 2008-03-07 14:39 35,120 --a------ C:\WINDOWS\system32\drivers\symndis.sys
2008-03-07 14:39 . 2008-03-07 14:39 27,696 --a------ C:\WINDOWS\system32\drivers\symredrv.sys
2008-03-07 14:39 . 2008-03-07 14:39 12,848 --a------ C:\WINDOWS\system32\drivers\symdns.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-07 19:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\Kontiki
2008-04-07 19:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-04-07 16:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-01 17:00 --------- d-----w C:\Program Files\Minilyrics
2008-04-01 16:59 --------- d-----w C:\Program Files\Microsoft Games
2008-03-10 21:24 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-06 21:32 706 -c--a-w C:\WINDOWS\system32\drivers\COH_Mon.inf
2008-03-06 21:32 23,904 ----a-w C:\WINDOWS\system32\drivers\COH_Mon.sys
2008-03-06 21:32 10,537 -c--a-w C:\WINDOWS\system32\drivers\COH_Mon.cat
2008-03-04 21:00 --------- d-----w C:\Program Files\Kontiki
2008-02-17 16:59 --------- d-----w C:\Program Files\Channel4
2008-02-17 16:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\Channel4
2007-03-20 07:43 0 -c--a-w C:\Documents and Settings\Tom\Application Data\wklnhst.dat
2007-03-18 19:59 0 -c--a-w C:\Documents and Settings\Nick\Application Data\wklnhst.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\documents and settings\nick\favorites\shop ----

2008-04-03 17:07 2023 --a--c--- c:\documents and settings\nick\favorites\shop\eBay UK.url
2008-03-24 13:27 242 --a--c--- c:\documents and settings\nick\favorites\shop\M and M.url
2008-03-22 21:34 389 --a------ c:\documents and settings\nick\favorites\shop\Halfords.url
2008-03-19 23:59 291 --a--c--- c:\documents and settings\nick\favorites\shop\Lidl Online.url
2008-02-29 16:24 236 --a--c--- c:\documents and settings\nick\favorites\shop\B&Q Online.url
2008-02-24 10:27 434 --a--c--- c:\documents and settings\nick\favorites\shop\Tesco.com.url
2008-02-18 19:09 1809 --a--c--- c:\documents and settings\nick\favorites\shop\ALDI UK.url
2008-02-10 13:16 275 --a--c--- c:\documents and settings\nick\favorites\shop\Dabs.com.url
2008-02-02 14:13 371 --a------ c:\documents and settings\nick\favorites\shop\Dixons.url
2007-08-27 15:26 238 --a--c--- c:\documents and settings\nick\favorites\shop\Play.com (UK).url
2007-08-26 08:41 183 --a--c--- c:\documents and settings\nick\favorites\shop\Co-op.co.uk.url
2007-08-26 08:39 498 --a--c--- c:\documents and settings\nick\favorites\shop\eBay Express.url
2007-07-06 17:22 243 --a--c--- c:\documents and settings\nick\favorites\shop\Firebox.com.url
2007-07-05 20:08 238 --a--c--- c:\documents and settings\nick\favorites\shop\Additions Direc.url
2007-05-14 19:16 114 --a--c--- c:\documents and settings\nick\favorites\shop\Askdirect.co.uk.url
2007-03-25 13:14 267 --a--c--- c:\documents and settings\nick\favorites\shop\Woolworths.url
2007-03-24 16:22 199 --a--c--- c:\documents and settings\nick\favorites\shop\7dayshop.com - Online Store.url
2007-03-13 17:56 345 --a--c--- c:\documents and settings\nick\favorites\shop\Ebuyer.com.url
2007-03-12 19:36 237 --a--c--- c:\documents and settings\nick\favorites\shop\Komplett.co.uk.url
2007-03-12 16:42 189 --a--c--- c:\documents and settings\nick\favorites\shop\Toys R Us.url
2007-03-12 16:34 238 --a--c--- c:\documents and settings\nick\favorites\shop\pcworld.co.uk.url
2007-03-12 16:29 211 --a--c--- c:\documents and settings\nick\favorites\shop\MFI.co.uk.url
2007-03-12 00:11 249 --a--c--- c:\documents and settings\nick\favorites\shop\Shopping.com.url
2007-02-15 16:44 414 --a--c--- c:\documents and settings\nick\favorites\shop\Amazon.co.uk.url
2004-02-26 22:25 183 --a--c--- c:\documents and settings\nick\favorites\shop\eXpansys.com.url
2004-02-10 22:31 178 --a--c--- c:\documents and settings\nick\favorites\shop\Choice Stationery Supplies Limited Online Catalogue.url
2004-01-16 12:20 202 --a--c--- c:\documents and settings\nick\favorites\shop\24-7 Electrical.url
2004-01-08 16:57 146 --a--c--- c:\documents and settings\nick\favorites\shop\Posternow.org.url
2003-11-30 21:18 285 --a--c--- c:\documents and settings\nick\favorites\shop\AllPosters.com.url
2003-10-30 15:35 354 --a--c--- c:\documents and settings\nick\favorites\shop\Currys.co.uk.url
2003-10-27 16:48 234 --a--c--- c:\documents and settings\nick\favorites\shop\Littlewoods Index.url
2003-10-15 14:18 148 --a--c--- c:\documents and settings\nick\favorites\shop\Compare prices online - UK delivery.url
2003-10-03 18:14 260 --a--c--- c:\documents and settings\nick\favorites\shop\Argos.co.uk.url
2003-07-04 17:40 608 --a--c--- c:\documents and settings\nick\favorites\shop\Simply Scuba - The UK's biggest online dive store!.url
2003-07-01 15:55 226 --a--c--- c:\documents and settings\nick\favorites\shop\Johnlewis.com.url
2003-07-01 15:02 256 --a--c--- c:\documents and settings\nick\favorites\shop\Comet.co.uk.url
2003-06-16 21:55 198 --a--c--- c:\documents and settings\nick\favorites\shop\Disney prints.url
2003-05-23 22:51 120 --a--c--- c:\documents and settings\nick\favorites\shop\Ikea.co.uk.url
2003-04-26 00:06 378 --a--c--- c:\documents and settings\nick\favorites\shop\Crucial.com.url
2003-03-24 17:45 146 --a--c--- c:\documents and settings\nick\favorites\shop\Robertsons-online.co.uk.url
2003-02-18 21:22 128 --a--c--- c:\documents and settings\nick\favorites\shop\Dealtime.co.uk.url
2003-02-09 18:00 150 --a--c--- c:\documents and settings\nick\favorites\shop\Thepriceguide.co.uk.url
2003-01-21 19:21 219 --a--c--- c:\documents and settings\nick\favorites\shop\Digitalfirst.co.uk.url
2003-01-12 23:20 278 --a--c--- c:\documents and settings\nick\favorites\shop\Sainsburys.com.url
2003-01-05 22:58 230 --a--c--- c:\documents and settings\nick\favorites\shop\Artrepublic.com.url
2003-01-03 18:20 224 --a--c--- c:\documents and settings\nick\favorites\shop\QXL.com.url
2002-12-03 17:55 126 --a--c--- c:\documents and settings\nick\favorites\shop\UKplaystation.com.url
2002-11-30 14:34 116 --a--c--- c:\documents and settings\nick\favorites\shop\Loot.com.url
2002-11-05 00:20 464 --a--c--- c:\documents and settings\nick\favorites\shop\My eBay.co.uk.url
2002-09-26 20:24 377 --a--c--- c:\documents and settings\nick\favorites\shop\Unbeatable.co.uk.url
2002-07-21 18:11 70 --a--c--- c:\documents and settings\nick\favorites\shop\Photoglossy.com.url
2002-07-21 18:11 58 --a--c--- c:\documents and settings\nick\favorites\shop\Checkaprice.com.url
2002-07-21 18:11 55 --a--c--- c:\documents and settings\nick\favorites\shop\Jessops.com.url
2002-07-21 18:11 45 --a--c--- c:\documents and settings\nick\favorites\shop\Kelkoo.com.url
2002-07-21 18:11 43 --a--c--- c:\documents and settings\nick\favorites\shop\MX2.org.url


((((((((((((((((((((((((((((( snapshot@2008-04-04_23.02.04.26 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-25 17:13:04 124,208 ----a-w C:\WINDOWS\Downloaded Program Files\as2stubie.dll
+ 2007-07-18 12:49:56 12,592 ----a-w C:\WINDOWS\Downloaded Program Files\libcomm.dll
+ 2008-04-07 19:31:52 16,384 ----atw C:\WINDOWS\TEMP\Perflib_Perfdata_650.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 20:00 15360]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 18:56 1032376]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-05 21:56 64512]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2002-09-13 22:42 212992]
"AGRSMMSG"="AGRSMMSG.exe" [2004-10-08 03:50 88363 C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-06-28 21:05 344064]
"TGX2_VFD"="C:\WINDOWS\system32\TGVFDMsgservice.exe" [2004-12-01 14:12 233472]
"SoundMan"="SOUNDMAN.EXE" [2005-06-20 14:42 77824 C:\WINDOWS\SOUNDMAN.EXE]
"BtcMaestro"="C:\Program Files\KMaestro\KMaestro.exe" [2004-05-07 15:26 237568]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 06:59 115816]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-01-14 08:11 771704]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-13 08:19 185632]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-12-11 11:56 286720]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2008-02-27 18:56 1032376]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 18:38 583048]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 23:16 39792]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\CTFMON.EXE" [2004-08-10 20:00 15360]

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\
Philips Media Manager.lnk - C:\Program Files\Philips\Media Manager\Philips Media Manager.exe [2007-03-14 19:56:35 136704]

C:\Documents and Settings\Amy\Start Menu\Programs\Startup\
Philips Media Manager.lnk - C:\Program Files\Philips\Media Manager\Philips Media Manager.exe [2007-03-14 19:56:35 136704]

C:\Documents and Settings\Mum\Start Menu\Programs\Startup\
Philips Media Manager.lnk - C:\Program Files\Philips\Media Manager\Philips Media Manager.exe [2007-03-14 19:56:35 136704]

C:\Documents and Settings\Tom\Start Menu\Programs\Startup\
Philips Media Manager.lnk - C:\Program Files\Philips\Media Manager\Philips Media Manager.exe [2007-03-14 19:56:35 136704]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
FreeventsSchedule.lnk - C:\Freevents\FreeventsSchedule.exe [2006-04-25 14:57:54 16384]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 21:05:56 65588]
Ralink Wireless Utility.lnk - C:\Program Files\RALINK\Common\RaUI.exe [2006-04-28 10:53:02 593920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"MSVideo8"= VfWWDM32.dll
"msacm.clmp3enc"= C:\PROGRA~1\CYBERL~1\Power2Go\CLMP3Enc.ACM

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Philips\\Media Manager\\Philips Media Manager.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Kontiki\\KService.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

R1 CXAVSAUD;Conexant 2388x Audio Capture;C:\WINDOWS\system32\DRIVERS\cxavsaud.sys [2005-10-25 02:56]
R3 CXAVSTS;Conexant 2388x AVStream TS Capture;C:\WINDOWS\system32\drivers\cxavsts.sys [2005-10-25 02:56]
R3 CXBDATUNE;Conexant BDA DVB Tuner/Demod;C:\WINDOWS\system32\drivers\cxBDAtun.sys [2005-10-25 02:56]
S3 TGX263;TriGem X2 Device Driver;C:\WINDOWS\system32\Drivers\TGX263.sys [2004-11-03 15:16]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

*Newly Created Service* - COMHOST
.
Contents of the 'Scheduled Tasks' folder
"2007-09-09 16:04:21 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-07 19:29:16 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Nick.job"
- C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exeh/TASK:
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-07 20:38:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-04-07 20:38:57
ComboFix-quarantined-files.txt 2008-04-07 19:38:54
ComboFix2.txt 2008-04-07 16:01:28
ComboFix3.txt 2008-04-06 10:08:02
ComboFix4.txt 2008-04-06 08:51:50
ComboFix5.txt 2008-04-05 11:23:36
Pre-Run: 142,951,567,360 bytes free
Post-Run: 142,936,338,432 bytes free
.
2008-03-11 22:10:58 --- E O F ---
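As an added example (not from the thread, and not ComboFix's own code): a Python script that parses the CFScript dan12 posted and the ComboFix log that followed it, confirms that every File::/Folder:: target was reported under "Other Deletions", and flags the entries a helper reads first in such a log (a freshly created hidden+system file in system32, Security Center monitoring switched off, Windows Firewall disabled, AutoRun handlers under mountpoints2). The section banners and line layouts are taken from the logs above; the sample inputs are abridged copies of them, labelled as constructed.

```python
import re

# Constructed sample input: the CFScript from the post above, as saved to CFScript.txt.
CFSCRIPT = """File::
C:\\WINDOWS\\system32\\Tools\\Restart.exe
C:\\WINDOWS\\PSEXESVC.EXE

Folder::
C:\\Documents and Settings\\All Users\\Application Data\\cfivihuj
Registry::
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]
"AOL_Demo"=-
"""

# Constructed sample input: lines abridged from the follow-up ComboFix log in the thread.
COMBOFIX_LOG = """ComboFix 08-04-03.5 - Nick 2008-04-07 20:36:48.6 - NTFSx86
((((((((((((((((((( Other Deletions )))))))))))))))))))
C:\\Documents and Settings\\All Users\\Application Data\\cfivihuj
C:\\WINDOWS\\PSEXESVC.EXE
C:\\WINDOWS\\system32\\Tools\\Restart.exe
.
((((((((( Files Created from 2008-03-07 to 2008-04-07 )))))))))
2008-04-06 09:56 . 2008-04-06 09:57 <DIR> d-------- C:\\Program Files\\Panda Security
2008-04-03 17:54 . 2008-04-04 21:58 1,246 ---hs---- C:\\WINDOWS\\system32\\rootoapd.ini
.
((((((((((((((((((( Reg Loading Points )))))))))))))))))))
[HKEY_LOCAL_MACHINE\\software\\microsoft\\security center\\Monitoring]
"DisableMonitoring"=dword:00000001

[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2\\J]
\\Shell\\AutoRun\\command - C:\\WINDOWS\\system32\\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480
"""

SECTION_RE = re.compile(r"^\(+\s*(.+?)\s*\)+$")
# "Files Created" entry: created . modified size attrs path (directories show <DIR>, no size)
FILE_RE = re.compile(r"^\S+ \S+ \. \S+ \S+ [\d,]+ (?P<attrs>\S{9}) (?P<path>.+)$")


def parse_cfscript(text):
    """Split a CFScript into {directive: [entries]}; a directive is a line ending in '::'."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.endswith("::"):
            current = line[:-2]
            sections.setdefault(current, [])
        elif line and current is not None:
            sections[current].append(line)
    return sections


def parse_log_sections(text):
    """Split a ComboFix log into {title: [lines]} on its '((( title )))' banners."""
    sections, current = {"Header": []}, "Header"
    for line in (raw.strip() for raw in text.splitlines()):
        banner = SECTION_RE.match(line)
        if banner:
            current = banner.group(1)
            sections[current] = []
        elif line and line != ".":
            sections[current].append(line)
    return sections


def verify_deletions(script_text, log_text):
    """Map each File::/Folder:: target to True if ComboFix listed it under 'Other Deletions'."""
    script = parse_cfscript(script_text)
    deleted = {d.lower() for d in parse_log_sections(log_text).get("Other Deletions", [])}
    targets = script.get("File", []) + script.get("Folder", [])
    return {t: t.lower() in deleted for t in targets}


def triage(log_text):
    """Return (category, detail) pairs for the log entries a helper reads first."""
    findings = []
    for title, lines in parse_log_sections(log_text).items():
        if title.startswith("Files Created"):
            for line in lines:
                m = FILE_RE.match(line)
                # Fresh hidden+system file in system32 (rootoapd.ini in the thread): dropper pattern.
                if m and {"h", "s"} <= set(m["attrs"]) and "system32" in m["path"].lower():
                    findings.append(("hidden-system-file", m["path"]))
        elif title == "Reg Loading Points":
            key = ""
            for line in lines:
                if line.startswith("["):
                    key = line.lower()
                elif "security center" in key and line.endswith("dword:00000001"):
                    # Suites like Norton set DisableMonitoring legitimately; confirm before acting.
                    findings.append(("security-center-monitoring-off", key))
                elif '"EnableFirewall"' in line and line.split("=", 1)[1].strip().startswith("0"):
                    findings.append(("windows-firewall-off", key))
                elif "mountpoints2" in key and "autorun" in line.lower():
                    findings.append(("drive-autorun-handler", line))
    return findings


if __name__ == "__main__":
    print(verify_deletions(CFSCRIPT, COMBOFIX_LOG))
    print(*triage(COMBOFIX_LOG), sep="\n")
```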

Re: Hi, have been infected.

Unread postby dan12 » April 7th, 2008, 4:46 pm

Hi, gingernick

Submit a File For Analysis
We need to have the file below scanned by uploading it to Jotti.

Please visit Jotti.
Copy/paste the following file path into the window:
C:\Documents and Settings\Tom\Application Data\wklnhst.dat
Click Submit/Send File.
Please post back, to let me know the results.

If Jotti is too busy please try Virustotal.

Post the complete report.
dan

Re: Hi, have been infected.

Unread postby gingernick » April 7th, 2008, 4:54 pm

Hi Dan, got this reply:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file

Re: Hi, have been infected.

Unread postby dan12 » April 8th, 2008, 5:06 am

Not forgotten you; can you tell me how things are with your machine at this point in time?
I'm still looking into that file; I don't think it's bad but want to research a little more.
dan :)

Re: Hi, have been infected.

Unread postby gingernick » April 8th, 2008, 1:45 pm

Hi Dan, websites have stopped popping up every time I navigate from one page to another or to another site. On my Norton Internet suite the phishing protection seems to get turned off every time I power down, and I have to download a registration entry from Norton, install it, power down, etc.; then it's OK till I power down again.

Re: Hi, have been infected.

Unread postby dan12 » April 8th, 2008, 4:49 pm

Hi Dan, web sites have stopped popping up every time I navigate from one page to another or to another site.


That's good news. :D

On my Norton Internet suite the phishing protection seems to get turned off every time I power down, & I have to download a registration entry from Norton, install it power down etc then it's ok till I power down again.

Have you contacted Symantec support regarding this issue?
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hi, have been infected.

Unread postby gingernick » April 8th, 2008, 5:38 pm

Not contacted Norton as yet, as it has only happened twice (the last two times I have powered down the computer) will see if it persists. Many thanks for your help so far Dan.
gingernick
Regular Member
 
Posts: 20
Joined: April 3rd, 2008, 4:25 pm

Re: Hi, have been infected.

Unread postby dan12 » April 8th, 2008, 6:26 pm

I need to go over the posts to make sure I have everything, in the meantime can I see a fresh HJT log just to check over, then we can wrap this one up :)
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Hi, have been infected.

Unread postby gingernick » April 9th, 2008, 1:41 pm

Hi dan, Norton Internet Suite now behaving, as (it would appear) is everything else.

Here is the HJT log you requested...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:38:19, on 09/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\TGVFDMsgservice.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\KMaestro\KMaestro.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RALINK\Common\RaUI.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
C:\Program Files\Symantec\LiveUpdate\AUPDATE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\NAVW32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\drwtsn32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.philips.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [TGX2_VFD] "C:\WINDOWS\system32\TGVFDMsgservice.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [BtcMaestro] C:\Program Files\KMaestro\KMaestro.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - .DEFAULT User Startup: Philips Media Manager.lnk = C:\Program Files\Philips\Media Manager\Philips Media Manager.exe (User 'Default user')
O4 - Global Startup: FreeventsSchedule.lnk = C:\Freevents\FreeventsSchedule.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.pcservicecall.co.uk
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan ... stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O16 - DPF: {D821DC4A-0814-435E-9820-661C543A4679} (CRLDownloadWrapper Class) - http://drmlicense.one.microsoft.com/crl ... crlocx.ocx
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 7995 bytes
gingernick
Regular Member
 
Posts: 20
Joined: April 3rd, 2008, 4:25 pm
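The HijackThis log above is read by eye in this thread; the parser below is an added example (not HijackThis code and not from this forum) of the same first-pass review done in a few lines of Python. It picks out the O4 Run and Startup entries, the O9 browser buttons and the O23 services, works out which binary each one points at, and flags the things a helper asks about: a binary outside the usual program directories, an entry marked "(file missing)", a service whose owner is listed as unknown, and a bare filename that Windows resolves through the search path. The input is a handful of lines copied from the log posted above; `review_hjt`, `questions` and the flag wording are constructed for the example, and a flag is a question to put to the user, not a verdict.

```python
"""First-pass triage of HijackThis O4/O9/O23 lines (added example, not HJT code)."""
import re

# Constructed input: a few lines copied from the log posted above.
# A real run would read the whole saved log file instead.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - Global Startup: FreeventsSchedule.lnk = C:\Freevents\FreeventsSchedule.exe
O9 - Extra button: Sky - {08E730A4-FB02-45BD-A900-01E4AD8016F6} - http://www.sky.com (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: KService - Kontiki Inc. - C:\Program Files\Kontiki\KService.exe
"""

# One pattern per HJT section we look at; named groups keep the fields readable.
RUN_RE = re.compile(r"^O4 - (?P<hive>.*?)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - (?P<hive>.*Startup): (?P<name>.*?) = (?P<cmd>.*)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<cmd>.*)$")
EXTRA_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.*?) - \{[^}]*\} - (?P<cmd>.*)$")
# The binary inside a command line: optionally quoted, ending in a PE extension.
BINARY_RE = re.compile(r'^"?(?P<path>.*?\.(?:exe|dll|ocx|scr))\b', re.IGNORECASE)
DRIVE_RE = re.compile(r"^[a-z]:\\")

# Where startup binaries on a stock Windows XP install normally live.
USUAL_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")

SECTIONS = (("O4 Run", RUN_RE), ("O4 Startup", STARTUP_RE),
            ("O23 Service", SERVICE_RE), ("O9 Extra", EXTRA_RE))


def _binary(cmd):
    """Extract the executable path from an HJT command string."""
    m = BINARY_RE.match(cmd)
    return m.group("path") if m else cmd.strip('"')


def _flags(entry):
    """Return the review questions raised by one parsed entry (empty if none)."""
    flags = []
    path = entry["path"].lower()
    if "(file missing)" in entry["cmd"].lower():
        flags.append("file missing")
    if entry["owner"].lower() == "unknown owner":
        flags.append("owner listed as unknown")
    if DRIVE_RE.match(path):
        if not path.startswith(USUAL_DIRS):
            flags.append("outside usual program directories")
    elif not path.startswith("http"):
        flags.append("bare filename, resolved through PATH")
    return flags


def review_hjt(text):
    """Parse the O4/O9/O23 lines of an HJT log into dicts with a 'flags' list."""
    entries = []
    for line in text.splitlines():
        for section, rx in SECTIONS:
            m = rx.match(line)
            if m:
                d = m.groupdict()
                entry = {"section": section, "name": d["name"], "cmd": d["cmd"],
                         "owner": d.get("owner", ""), "path": _binary(d["cmd"])}
                entry["flags"] = _flags(entry)
                entries.append(entry)
                break
    return entries


def questions(text):
    """Map binary path -> flags for every entry worth asking the user about."""
    return {e["path"]: e["flags"] for e in review_hjt(text) if e["flags"]}


if __name__ == "__main__":
    for path, flags in questions(SAMPLE_LOG).items():
        print(f"{path}: {', '.join(flags)}")
```

On the sample lines the only startup item outside `C:\WINDOWS` and `C:\Program Files` is `C:\Freevents\FreeventsSchedule.exe`, which is exactly the entry Dan asks about in the next post; the Symantec and Kontiki entries come back clean, and the flagged ATI service and the AGRSMMSG entry are the usual XP vendor components that a quick look at the file's properties confirms.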

Re: Hi, have been infected.

Unread postby dan12 » April 9th, 2008, 4:12 pm

Hi, can you throw any light on this "C:\Freevents\FreeventsSchedule.exe" program?
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire