Inactive Suspected virus. Critical drive C errors, can't see files. Start menu gone.

JesusIsmylife

Hi,

Any help would be extremely welcome.

My laptop suddenly started complaining I may have a virus (I have Sophos Antivirus installed, and I think it is pretty up to date).

Then I get loads of errors, starting with a pop-up window (titled Delayed Write Failed) saying "Failed to save all the components for the file \System32\0003101. The file is corrupted or unreadable. This may be caused by a PC hardware problem."

This window keeps popping up with a different file name each time. I then got another pop-up window which I thought was the genuine Windows error-fixing program, and I stupidly clicked on the button to repair and fix my computer. I think this installed a program on the laptop, as it listed a new program on the start menu.

However, after a while (and a reboot or two) I have no programs on the start menu, and I cannot see any of the C drive. The C drive is there, as I can see it from another machine on my LAN, but I cannot access all the files as it says "Access Denied" to a lot of them.

Where do I start please?!!

Thanks

Simon
 
Update

Ok, after looking around this great site, I think I have got the "System Check" virus. My symptoms match those of others who have experienced this.

So, I have downloaded the "unhide" utility and run this. I can now see all my desktop icons again and I can see my files correctly.

I have downloaded Malwarebytes anti malware, and installed this. I made sure Update and Launch were checked and clicked Finish.

A window has now popped up with the window title vbAccelerator SGrid II Control, and it says Run-time error '0'.

I only have the option to click OK, which when I do I get another pop-up with the title "Malwarebytes Anti-Malware", and in the window it says "Run-time error '440': Automation error". Again I can only click OK.

I click OK and I get another pop-up identical to the first. I click OK and I get the second pop-up again. I click OK and I don't seem to get any more pop-ups.

I'm now going to download and run aswMBR and I will post the log shortly.

Am I doing the right things?!!

Simon
 
STOP running random programs! You have rogue malware, and every time you click on one of the fake warnings, you run the malware again!

Download Unhide.exe and save to the desktop.
  • Double-click on Unhide.exe icon to run the program.
  • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
Note 1: This does not remove the malware, only the attribute causing the 'missing' problem. So it is important for you to continue.
Note 2: If you are infected with System Check it is important that you do not delete any files from your Temp folder or use any temp file cleaners.
=======================================
Please follow these steps: Preliminary Virus and Malware Removal.

NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

When you have finished, leave the logs for review in your next reply .
NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
==================================
My Guidelines: please read and follow:
  • Be patient. Malware cleaning takes time. I am also working with other members while I am helping you.
  • Read my instructions carefully. If you don't understand or have a problem, ask me. Follow the order of the tasks I give you. Order is crucial in cleaning process.
  • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
  • File sharing programs should be uninstalled or disabled during the cleaning process.
  • Observe these:
    [o] Don't follow directions given to someone else
    [o] Don't use any other cleaning programs or scans while I'm helping you.
    [o] Don't use a Registry cleaner or make any changes in the Registry.
    [o] Don't download and install new programs- except those I give you.

If I haven't replied back to you within 48 hours, you can send a PM with your thread link in it as a reminder. Do not include technical problems from your thread. Support is given only in the forum.
Threads are closed after 5 days if there is no reply.
 
Clarification

Hi,

Sorry for getting impatient. I will follow your instructions to the letter from now on !

Firstly, I had already downloaded unhide.exe from your site and run it. It has removed the hidden attribute and I can now see all my files and desktop icons. As this only removes the attribute, and it has done so correctly I am assuming you do not need me to run it again?

Next I have previously installed Malwarebytes Anti-Malware and it appears on my list of programs. I have therefore selected to uninstall this (using the Uninstall option on the programs list) as per your instructions. However, the uninstall status window is showing no progress, and looks like it is frozen. It has been like this for about 10 minutes. There is little, if any, disk activity.

Should I just let it run or do I need to do anything else?

(For information, I also keep getting an alert displayed in a balloon from the system tray. It claims to be from Sophos (I have Sophos Antivirus installed and running on my system) and it reports "suspicious behaviour HIPS/RegMod-009 has been detected and moved to quarantine. No Action Taken. ")

Thanks very much for your help.
 
Hi,

Just to let you know the Malwarebytes Anti-Malware uninstall program is still just sitting there, with no progress showing on the progress bar. Also, I am unable to get focus on the window.

It's been like this for one hour and 30 minutes.
 
You don't need to run Unhide again.

See if you can back off the Malwarebytes uninstall. See if it will update, then run the scan.
====================================
IF Mbam seems to be 'stuck' in the uninstall mode, shut it down and run the following:

SuperAntiSpyware Home Edition Free Version
  • Please download SuperAntiSpyware from HERE
  • Launch SuperAntiSpyware and click on 'Check for updates'.
  • Wait for the updates to be installed
  • On the main screen click on 'Scan your computer'.
  • Check 'Perform Complete Scan', then click 'Next' to start the scan.
  • SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
  • Make sure everything found has a checkmark next to it, then press 'Next'.
  • Click on 'Finish' when you're done.
It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
  • Click on 'Preferences'.
  • Click on the 'Statistics/Logs' tab.
  • Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad. Paste the Notepad file here in your reply.
========================================
You can then go ahead and run the following:
Please note: If you have previously run Combofix and it's still on the system, please uninstall it. Then download the current version and do the scan. Uninstall directions, if needed:
  • Click START> then RUN
  • Now type Combofix /Uninstall in the runbox and click OK. Note the space between the X and the U, it needs to be there.
--------------------------------------
Expect these- they are normal:
1. If asked to install or update the Recovery Console, allow. (You will need an internet connection for this.)
2. Before you run the Combofix scan, please disable any security software you have running.
3. Combofix may need to reboot your computer more than once to do its job; this is normal.

Download Combofix from HERE or HERE (http://www.forospyware.com/sUBs/ComboFix.exe) and save to the desktop.
  • Double click combofix.exe & follow the prompts.
  • If prompted for Recovery Console, please allow.
  • Once installed, you should see a blue screen prompt that says:
    • The Recovery Console was successfully installed.
    • Note: If Combofix was downloaded to a flash drive, the Recovery Console will not install; just bypass and go on.
    • Note: No query will be made if the Recovery Console is already on the system.
  • Close/disable all anti virus and anti malware programs
    (If you need help with this, please see HERE)
  • Close any open browsers.
  • Click on Yes, to continue scanning for malware
  • If Combofix asks you to update the program, allow
  • When the scan completes, a report will be generated; it will open a text window. Please paste the C:\ComboFix.txt in next reply.
Re-enable your Antivirus software.
Note 1: Do not mouse-click Combofix's window while it is running. That may cause it to stall.
Note 2: If you receive an error "Illegal operation attempted on a registry key that has been marked for deletion", restart the computer.
Note 3: CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
===================================
Please leave the logs in your next reply. When I review them I will determine what we do next.
==================================
Regarding the Sophos balloon: HIPS/RegMod-009
Category: Suspicious Behavior and Files
Type: Suspicious behavior
Sophos advises as follows:
  • To reduce the chance of unwanted detections, Sophos HIPS should be set to 'Alert only' mode for the duration of any software installations.
  • You have 2 options if you've received an alert:
    [o] Authorize the file if it's from a trusted source.
    [o] Send for analysis if you do not trust the file or think it may be compromised.

Since we are aware that there is rogue malware on the system it is possible that the malware has generated this fake alert. Make sure Sophos is set in the 'Alert' only mode, then ignore the message for now. It is important that you do not click on the 'alerts' or 'warnings' as that can activate the malware to run again.
=======================================
 
I am trying to download Super Anti Spyware, but my PC is almost unusable now. It is running incredibly slowly, and the System Check screen is on top of my desktop and cannot be moved. (I cannot get focus.)
I have managed to click on the download link, but it is sitting there at 0%.

What is most worrying is that I have Teamviewer installed and I can see (partially behind the System Check screen) a Teamviewer pop-up window which is inviting me to choose a partner (i.e. one of my PCs on my LAN) to present this application with Teamviewer. The "Allow Partner to interact" check box is not checked.

I suspect someone is trying to use Teamviewer to get on to other PCs on my LAN.

Can I disconnect the internet and download any programs I need from a known clean PC and put them on a USB stick and run them on the infected PC like this?

I am very worried about my PC being on the internet like this.
 
Can I disconnect the internet and download any programs I need from a known clean PC and put them on a USB stick and run them on the infected PC like this?

Yes, you can use a flash drive.

Have you tried to run Malwarebytes? I need something to see what we're working with. I can give you some 'cosmetic' help for the system, but it doesn't remove the malware itself and may not be successful with the malware still on the system.

Correct Display Changes if needed:
If the desktop background is black or if the theme has been removed:
  • Click on Start> Control Panel> Appearance & Personalization
  • Select Change Theme or Change Desktop Background
=====================================
Some items may not show on the Start menu. To add them back:
  • Right click on Start> Properties
  • Taskbar and Start Menu Properties screen appears
  • choose Start Menu tab> Click on Customize
  • For Windows XP> Choose Advanced tab
  • Check the items you want back on the Start Menu
  • When finished> click on OK> Apply and close.
=====================================
 
Thanks for this. I appreciate you have no logs from me yet but I will get them posted as soon as I can.

I rebooted with no network connection and the PC came up ok and allowed me to tidy up the desktop, and re-enable the stuff from the Start Bar.

I have copied Superantispyware on to the desktop and have installed it. I re-connected the LAN and ran the software. It downloaded an update successfully. The PC also launched a new IE browser, with a picture of a scantily clad young woman, who was claiming they wanted to chat with me.

The virus/malware/whatever it is is still there I guess.

Anyway, I have disconnected the network again and am running superantispyware which is going well. So far we have 86 threats detected, and once it is finished I'll post the logs so you know where we are.

Once I've posted the logs I will await your further instructions before running combofix.

Thanks for your help. It really is greatly appreciated.
 
Hi,

Superantispyware completed and found 860 odd threats. The log file is too big to post in one reply. The first half is:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 02/15/2012 at 00:52 AM

Application Version : 5.0.1144

Core Rules Database Version : 8173
Trace Rules Database Version: 5985

Scan type : Complete Scan
Total Scan Time : 02:19:25

Operating System Information
Windows XP Professional 32-bit, Service Pack 3 (Build 5.01.2600)
Administrator

Memory items scanned : 778
Memory threats detected : 0
Registry items scanned : 24090
Registry threats detected : 0
File items scanned : 72719
File threats detected : 530

Edit: Tracking Cookies reviewed and deleted by Bobbye
 
... and the second half is:

Edit: Tracking Cookies reviewed and deleted by Bobbye

Trojan.Agent/Gen-IRCBot
C:\DOCUMENTS AND SETTINGS\CLLR EDWARDS\APPLICATION DATA\THINSTALL\{F11EE647-FF6A-4EEE-886A-89B5F2DF2728}\300000003400002I\DWWIN.EXE


Do you want me to now run combofix?
 
Yes, please go ahead and run Combofix.

Note: I have reviewed the Tracking Cookies in the SAS log. I am going to edit the post and delete them. Hopefully you check the line in SAS to remove the entries it found. If you did not, please run it again and do so.

The following will prevent the Tracking Cookies:

Reset Cookies

For Internet Explorer: Internet Options (through Tools or Control Panel) Privacy tab> Advanced button> CHECK 'override automatic Cookie handling'> CHECK 'accept first party Cookies'> CHECK 'Block third party Cookies'> CHECK 'allow per session Cookies'> Apply> OK.

For Firefox: Tools> Options> Privacy> Cookies> CHECK ‘accept Cookies from Sites’> UNCHECK 'accept third party Cookies'> Set Keep until 'they expire'. This will allow you to keep Cookies for registered sites and prevent or remove others. (Note: for Firefox v3.5, after Privacy click on 'use custom settings for History.')

I suggest using the following two add-ons for Firefox. They will prevent the Tracking Cookies that come from ads and banners and other sources:
AdBlock Plus
Easy List

For Chrome: Tools> Options> Under The Hood> Privacy Section> CHECK 'Restrict how third party Cookies can be used'> Close.
(First-party and third-party cookies can be set by the website you're visiting and websites that have items embedded in the website you're visiting. But when you next visit the website, only first-party cookie information is sent to the website. Third-party cookie information isn't sent back to the websites that originally set the third-party cookies.)
=======================================
Please post the Combofix log when ready.
 
Hi,

ComboFix log as follows:

ComboFix 12-02-13.01 - Cllr Edwards 15/02/2012 15:28:24.2.1 - x86
Microsoft Windows XP Professional 5.1.2600.3.1252.44.1033.18.894.465 [GMT 0:00]
Running from: F:\ComboFix.exe
AV: Sophos Anti-Virus *Enabled/Updated* {3F13C776-3CBE-4DE9-8BF6-09E5183CA2BD}
.
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
.
((((((((((((((((((((((((( Files Created from 2012-01-15 to 2012-02-15 )))))))))))))))))))))))))))))))
.
.
2012-02-14 22:28 . 2012-02-15 07:34 -------- d-----w- c:\program files\SUPERAntiSpyware
2012-02-14 21:39 . 2011-12-10 15:24 20464 ----a-w- c:\windows\system32\drivers\mbam.sys
2012-02-14 21:39 . 2012-02-14 21:40 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2012-02-14 18:22 . 2012-02-14 18:22 -------- dc----w- c:\documents and settings\cllr edwards\Application Data\SUPERAntiSpyware.com
2012-02-14 18:21 . 2012-02-14 18:21 -------- dc----w- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2012-02-13 13:36 . 2012-02-13 23:13 -------- dc----w- c:\documents and settings\cllr edwards\Application Data\Myke
2012-02-13 13:36 . 2012-02-13 23:12 -------- dc----w- c:\documents and settings\cllr edwards\Application Data\Vuvy
2012-02-13 13:06 . 2012-02-13 13:06 -------- dc----w- c:\documents and settings\cllr edwards\Application Data\Malwarebytes
2012-02-13 13:06 . 2012-02-13 13:06 -------- dc----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2012-02-12 12:52 . 2012-02-15 08:04 0 --sha-w- c:\windows\system32\dds_trash_log.cmd
.
.
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2012-01-02 17:28 . 2011-10-22 08:13 414368 ----a-w- c:\windows\system32\FlashPlayerCPLApp.cpl
2011-12-26 18:23 . 2008-03-09 21:51 164880 ----a-w- c:\documents and settings\cllr edwards\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
2011-12-17 19:46 . 2004-08-04 12:00 43520 ----a-w- c:\windows\system32\licmgr10.dll
2011-12-17 19:46 . 2004-08-04 12:00 1469440 ----a-w- c:\windows\system32\inetcpl.cpl
2011-12-16 12:22 . 2004-08-04 12:00 385024 ----a-w- c:\windows\system32\html.iec
2011-12-05 14:00 . 2011-12-05 14:00 229224 ----a-w- c:\windows\system32\drivers\VMM.sys
2011-11-25 21:57 . 2004-08-04 12:00 293376 ----a-w- c:\windows\system32\winsrv.dll
2011-11-23 13:25 . 2004-08-04 12:00 1859584 ----a-w- c:\windows\system32\win32k.sys
2011-11-18 12:35 . 2004-08-04 12:00 60416 ----a-w- c:\windows\system32\packager.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
.
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
2008-07-17 16:20 279944 ----a-w- c:\program files\AskBarDis\bar\bin\askBar.dll
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
"{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-07-17 279944]
.
[HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
[HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
.
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ISUSPM"="c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe" [2006-09-11 218032]
"SUPERAntiSpyware"="c:\program files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2012-02-14 4617600]
.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Broadcom Wireless Manager UI"="c:\windows\system32\WLTRAY.exe" [2006-11-01 1392640]
"ATICCC"="c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe" [2006-05-10 90112]
"SigmatelSysTrayApp"="stsystra.exe" [2006-07-27 282624]
"SynTPLpr"="c:\program files\Synaptics\SynTP\SynTPLpr.exe" [2004-11-04 98394]
"SynTPEnh"="c:\program files\Synaptics\SynTP\SynTPEnh.exe" [2004-11-04 688218]
"DLA"="c:\windows\System32\DLA\DLACTRLW.EXE" [2005-09-08 122940]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2006-09-11 218032]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2006-09-11 86960]
"IntelAPMClient"="c:\program files\LANDesk\LDClient\amclient.exe" [2005-12-09 311296]
"LANDeskInventoryClient"="c:\program files\LANDesk\LDClient\LDIScn32.exe" [2006-07-10 839680]
"SDClientMonitor"="c:\program files\LANDesk\LDClient\webportal\sdclientmonitor.exe" [2005-12-09 258048]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2009-11-15 198160]
"LifeCam"="c:\program files\Microsoft LifeCam\LifeExp.exe" [2009-07-24 118640]
"VX1000"="c:\windows\vVX1000.exe" [2009-07-24 762208]
"DVD or CD Sharing"="c:\program files\DVD or CD Sharing\ODSAgent.exe" [2008-02-20 619832]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-18 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]
"DVDLauncher"="c:\program files\CyberLink\PowerDVD\DVDLauncher.exe" [2006-04-06 49152]
"Sophos AutoUpdate Monitor"="c:\program files\Sophos\AutoUpdate\almon.exe" [2010-09-21 439536]
"LogMeIn GUI"="c:\program files\LogMeIn\x86\LogMeInSystray.exe" [2010-05-31 63048]
.
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="c:\windows\system32\CTFMON.EXE" [2008-04-14 15360]
.
c:\documents and settings\Default User\Start Menu\Programs\Startup\
kafiy.exe [2012-2-13 161792]
.
c:\documents and settings\SCDCICTA\Start Menu\Programs\Startup\
wuqo.exe [2012-2-13 161792]
.
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Cisco Systems VPN Client.lnk - c:\program files\Cisco Systems\VPN Client\vpngui.exe [2008-9-23 1462104]
hp psc 2000 Series.lnk - c:\program files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe [2003-4-6 323646]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [2000-1-21 65588]
SSH Accession.lnk - c:\program files\SSH Communications Security\SSH Sentinel\Accession\ssh_accession.exe [2007-11-25 1691648]
.
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2011-07-19 113024]
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2011-05-04 17:54 551296 ----a-w- c:\program files\SUPERAntiSpyware\SASWINLO.DLL
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
2010-05-26 14:27 16680 ----a-w- c:\program files\Citrix\GoToAssist\570\g2awinlogon.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
2011-04-28 15:04 87424 ----a-w- c:\windows\system32\LMIinit.dll
.
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
2003-10-31 11:01 8704 ----a-w- c:\windows\system32\PCANotify.dll
.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\!SASCORE]
@=""
.
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
"DisableMonitoring"=dword:00000001
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\cba\\pds.exe"=
"c:\\WINDOWS\\system32\\msgsys.exe"=
"c:\\Program Files\\LANDesk\\LDClient\\issuser.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awhost32.exe"=
"c:\\Program Files\\Symantec\\pcAnywhere\\awrem32.exe"=
"c:\\Program Files\\SSH Communications Security\\SSH Sentinel\\Accession\\ssh_accession.exe"=
"c:\\Program Files\\Common Files\\Sonic Shared\\Sonic Central\\Main\\Mediahub.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeCam.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeEnC2.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeExp.exe"=
"c:\\Program Files\\Microsoft LifeCam\\LifeTray.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\wlcsdk.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Sync\\WindowsLiveSync.exe"=
"c:\\Program Files\\Skype\\Plugin Manager\\skypePM.exe"=
"c:\\Program Files\\Skype\\Phone\\Skype.exe"=
"c:\\Program Files\\LANDesk\\Shared Files\\residentagent.exe"=
.
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"85:TCP"= 85:TCP:BroadWave Web Server
"86:TCP"= 86:TCP:BroadCam Video Streaming Server Web Server
"1935:TCP"= 1935:TCP:BroadCam Video Streaming Server Flash Video Server
"4100:UDP"= 4100:UDP:uPNP Router Control Port
.
R0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys [x]
R2 gupdate1caa329fb6e5dc2;Google Update Service (gupdate1caa329fb6e5dc2);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 133104]
R2 HidCom;USB-HID -> COM Driver Service;c:\windows\system32\DRIVERS\HidCom.sys [2005-04-04 69575]
R3 gupdatem;Google Update Service (gupdatem);c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 133104]
R3 npggsvc;nProtect GameGuard Service;c:\windows\system32\GameMon.des [2009-02-15 2794234]
R3 sshvnic;SSH Virtual Network Adapter (sshvnic);c:\windows\system32\DRIVERS\sshvnic5.sys [x]
R3 TEUSBMU;Panasonic Analog PBX USB Main Unit driver;c:\windows\system32\Drivers\TEUSBMU.sys [2005-01-14 20992]
R4 SophosBootDriver;SophosBootDriver;c:\windows\system32\DRIVERS\SophosBootDriver.sys [2010-03-02 14976]
S0 atiide;atiide;c:\windows\system32\DRIVERS\atiide.sys [2006-09-13 3456]
S0 sptd;sptd;c:\windows\System32\Drivers\sptd.sys [2009-05-20 717296]
S1 SASDIFSV;SASDIFSV;c:\program files\SUPERAntiSpyware\SASDIFSV.SYS [2011-07-22 12880]
S1 SASKUTIL;SASKUTIL;c:\program files\SUPERAntiSpyware\SASKUTIL.SYS [2011-07-12 67664]
S1 SAVOnAccessControl;SAVOnAccessControl;c:\windows\system32\DRIVERS\savonaccesscontrol.sys [2010-10-08 153344]
S1 SAVOnAccessFilter;SAVOnAccessFilter;c:\windows\system32\DRIVERS\savonaccessfilter.sys [2010-10-08 24064]
S1 StarPortLite;StarPort Storage Controller (Lite);c:\windows\system32\DRIVERS\StarPortLite.sys [2008-01-23 85760]
S2 !SASCORE;SAS Core Service;c:\program files\SUPERAntiSpyware\SASCORE.EXE [2011-08-11 116608]
S2 CBA8;LANDesk(R) Management Agent;c:\program files\LANDesk\Shared Files\residentagent.exe [2006-01-11 122880]
S2 DLPortIO;DriverLINX Port I/O Driver; [x]
S2 LMIGuardianSvc;LMIGuardianSvc;c:\program files\LogMeIn\x86\LMIGuardianSvc.exe [2011-04-28 374152]
S2 LMIInfo;LogMeIn Kernel Information Provider;c:\program files\LogMeIn\x86\RaInfo.sys [2010-05-31 12856]
S2 NPF;NetGroup Packet Filter Driver;c:\windows\system32\drivers\npf.sys [2009-10-20 50704]
S2 SAVAdminService;Sophos Anti-Virus status reporter;c:\program files\Sophos\Sophos Anti-Virus\SAVAdminService.exe [2010-10-08 163056]
S2 SAVService;Sophos Anti-Virus;c:\program files\Sophos\Sophos Anti-Virus\SavService.exe [2010-06-14 97520]
S2 Softmon;LANDesk(R) Software Monitoring Service;c:\program files\LANDesk\LDClient\softmon.exe [2006-06-29 245760]
S2 swi_service;Sophos Web Intelligence Service;c:\program files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe [2010-10-08 1541360]
S3 iTurns;iTurns;c:\windows\system32\DRIVERS\iTurnsDriver.sys [2008-11-28 10704]
S3 ldblank;Screen Blanking driver for Remote Control;c:\windows\system32\DRIVERS\ldblank.sys [2005-07-01 11904]
S3 ldmirror;ldmirror;c:\windows\system32\DRIVERS\ldmirror.sys [2005-07-01 3328]
S3 mirrorflt;Mirror Filter Driver for Uninstall;c:\windows\system32\DRIVERS\mirrorflt.sys [2005-07-01 3712]
.
.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
CnxTrLan
noipducservice
tsdhd
mssql$sqlexpress
nalntservice
vwd
vmusb
QPCapSvc
avgntflt
ASLDRService
StkScan
wfxsvc
wlluc48
CTEXFIFX.DLL
fa_scheduler
uisp
Airgo
olcamsrv
ofcpfwsvc
aksfridge
bthidenum
tphkdrv
nnsvc
vaiomediaplatform-integratedserver-http
pclepci
GameConsoleService
SE2Eobex
viaudio
ntsecure
kl1
SDdriver
zmxpzip
SaiClass
PAR1284
msgame
pnmsrv
.
Contents of the 'Scheduled Tasks' folder
.
2012-02-15 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 10:50]
.
2008-08-12 c:\windows\Tasks\Calculator.job
- c:\windows\system32\calc.exe [2007-06-12 12:00]
.
2012-02-14 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8195135653.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]
.
2012-02-13 c:\windows\Tasks\FRU Task 2003-04-06 08:52ewlett-Packard2003-04-06 08:52p psc 2170 series5E771253C1676EBED677BF361FDFC537825E15B8195144289.job
- c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe [2003-04-06 00:52]
.
2012-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineCore1caceb92e6a6044.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 10:33]
.
2012-02-15 c:\windows\Tasks\GoogleUpdateTaskMachineUA.job
- c:\program files\Google\Update\GoogleUpdate.exe [2010-02-01 10:33]
.
2012-02-15 c:\windows\Tasks\SDMsgUpdate (TE).job
- c:\progra~1\SMARTD~1\Messages\SDNotify.exe [2011-07-29 17:29]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.co.uk/ig?hl=en&source=iglk
uInternet Connection Wizard,ShellNext = iexplore
uInternet Settings,ProxyOverride = *.local
LSP: c:\documents and settings\All Users\Application Data\Sophos Web Intelligence\swi_lsp.dll
LSP: mswsock.dll
TCP: Interfaces\{2B30221D-39B4-439D-9B06-D3D5AF6680E7}: NameServer = 212.139.132.4
DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} - hxxp://kitchenplanner.ikea.com/gb/Core/Player/2020PlayerAX_IKEA_Win32.cab
.
- - - - ORPHANS REMOVED - - - -
.
HKCU-Run-dplaysvr - c:\documents and settings\cllr edwards\Application Data\dplaysvr.exe
HKLM-Run-btbb_McciTrayApp - c:\program files\BT Business Broadband Desktop Help\btbb\BTHelpNotifier.exe
HKLM-Run-dplaysvr - c:\documents and settings\cllr edwards\Application Data\dplaysvr.exe
HKLM-Run-XAyrXMNieLwFUhF.exe - c:\documents and settings\All Users\Application Data\XAyrXMNieLwFUhF.exe
AddRemove-DVD Burner v1.30 Trial (ActiveX) - c:\windows\UNWISE.EXE
.
.
.
**************************************************************************
.
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2012-02-15 16:01
Windows 5.1.2600 Service Pack 3 NTFS
.
scanning hidden processes ...
.
scanning hidden autostart entries ...
.
scanning hidden files ...
.
scan completed successfully
hidden files: 0
.
**************************************************************************
.
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\npggsvc]
"ImagePath"="c:\windows\system32\GameMon.des -service"
.
--------------------- LOCKED REGISTRY KEYS ---------------------
.
[HKEY_USERS\S-1-5-21-776561741-1336601894-839522115-1010\Software\Microsoft\SystemCertificates\AddressBook*]
@Allowed: (Read) (RestrictedCode)
@Allowed: (Read) (RestrictedCode)
.
[HKEY_LOCAL_MACHINE\software\DeterministicNetworks\DNE\Parameters]
"SymbolicLinkValue"=hex(6):5c,00,52,00,65,00,67,00,69,00,73,00,74,00,72,00,79,
00,5c,00,4d,00,41,00,43,00,48,00,49,00,4e,00,45,00,5c,00,53,00,79,00,73,00,\
.
--------------------- DLLs Loaded Under Running Processes ---------------------
.
- - - - - - - > 'winlogon.exe'(1828)
c:\program files\SUPERAntiSpyware\SASWINLO.DLL
c:\windows\system32\WININET.dll
c:\windows\system32\Ati2evxx.dll
c:\program files\Citrix\GoToAssist\570\G2AWinLogon.dll
c:\windows\system32\LMIinit.dll
c:\windows\system32\LMIRfsClientNP.dll
.
- - - - - - - > 'lsass.exe'(1892)
c:\documents and settings\All Users\Application Data\Sophos Web Intelligence\swi_lsp.dll
.
- - - - - - - > 'explorer.exe'(4024)
c:\windows\system32\WININET.dll
c:\windows\system32\ieframe.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.4053_x-ww_e6967989\MSVCR80.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\program files\Microsoft Virtual PC\VPCShExH.DLL
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
c:\windows\system32\LMIRfsClientNP.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\Ati2evxx.exe
c:\windows\system32\Ati2evxx.exe
c:\windows\System32\WLTRYSVC.EXE
c:\windows\System32\bcmwltry.exe
c:\program files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
c:\program files\Bonjour\mDNSResponder.exe
c:\program files\Cisco Systems\VPN Client\cvpnd.exe
c:\program files\LANDesk\LDClient\LocalSch.EXE
c:\windows\system32\CBA\pds.exe
c:\program files\LANDesk\LDClient\tmcsvc.exe
c:\progra~1\LANDesk\LDClient\issuser.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Microsoft LifeCam\MSCamS32.exe
c:\windows\system32\PnkBstrA.exe
c:\program files\Sophos\AutoUpdate\ALsvc.exe
c:\windows\system32\wscntfy.exe
c:\windows\stsystra.exe
c:\program files\ATI Technologies\ATI.ACE\CLI.EXE
c:\program files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
c:\program files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
c:\program files\iPod\bin\iPodService.exe
c:\program files\ATI Technologies\ATI.ACE\cli.exe
.
**************************************************************************
.
Completion time: 2012-02-15 16:12:55 - machine was rebooted
ComboFix-quarantined-files.txt 2012-02-15 16:12
.
Pre-Run: 3,441,438,720 bytes free
Post-Run: 4,334,768,128 bytes free
.
- - End Of File - - C15C668E74C4ED3532E171CAF89791ED


Thanks for editing the previous post. I genuinely have no idea how some of those entries got there. Questions will be asked at home, as you can imagine.

The ComboFix program ran several times, in that it automatically rebooted the PC (I think at least 3 times), and when it restarted and I had logged on, it continued doing its stuff.

I noticed in the blue window the line Access Denied a number of times. I don't know if this is significant or not?

Anyway, over to you again......
 
Do you know what these are?

c:\documents and settings\Default User\Start Menu\Programs\Startup\
kafiy.exe [2012-2-13 161792]
.
c:\documents and settings\SCDCICTA\Start Menu\Programs\Startup\
wuqo.exe [2012-2-13 161792]
===================================
Please download sUBs' SvcQuery.exe and save to your desktop.
  • Double click the file to Open
  • A window will open. When prompted to provide a service name, type in the following:
    PAR1284
  • Press Enter
  • The tool will create a log. Please leave that in your next reply.
=====================================
If you cannot run the following in Normal Mode:

Boot into Safe Mode with Networking
  • Restart your computer and start pressing the F8 key on your keyboard.
  • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, and then press ENTER.

I am concerned about the finding of the IRC.bot. This is frequently associated with the Ramnit malware. Let's check the following please:
  • Make sure to use Internet Explorer for this
  • Please go to VirSCAN.org free on-line scan service
  • Copy and paste each of the following file paths into the "Suspicious files to scan" box on the top of the page, one at a time:

    c:\windows\system32\userinit.exe

    c:\windows\explorer.exe

    c:\windows\system32\svchost.exe


  • Click on the Upload button
  • If a pop-up appears saying the file has been scanned already, please select the ReScan button.
  • Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
  • Paste the contents of the Clipboard in your next reply.
=====================================
And another:
To run the Eset Online Virus Scan:
If you use Internet Explorer:
  1. Open the ESETOnlineScan
  2. Skip to #4 to "Continue with the directions"

    If you are using a browser other than Internet Explorer
  3. Open Eset Smart Installer
    [o] Click on the esetsmartinstaller_enu.exe link and save to the desktop.
    [o] Double click on the desktop icon to run.
    [o] After successful installation of the ESET Smart Installer, the ESET Online Scanner will be launched in a new Window
  4. Continue with the directions.
  5. Check 'Yes I accept terms of use.'
  6. Click Start button
  7. Accept any security warnings from your browser.
  8. Uncheck 'Remove found threats'
  9. Check 'Scan archives'
  10. Leave remaining settings as is.
  11. Press the Start button.
  12. ESET will then download updates for itself, install itself, and begin scanning your computer. Please wait for the scan to finish.
  13. When the scan completes, press List of found threats
  14. Push Export of text file and save the file to your desktop using a unique name, such as ESETScan. Paste this log in your next reply.
  15. Push the Back button, then Finish
NOTE: If no malware is found then no log will be produced. Let me know if this is the case.
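The request above to upload userinit.exe, explorer.exe and svchost.exe is a signature check: a multi-engine scanner only reports whether some engine recognises the file. A file infector of the kind the helper is worried about grafts code onto an existing binary and redirects the entry point into it, and that leaves a structural trace you can look for yourself before any signature exists. The following is an added example, not code from the thread or from any of the tools it names; it builds two small PE32 images in memory (constructed, not real Windows binaries), one laid out like a normal compiler output and one with an extra writable and executable section owning the entry point, and applies generic indicators rather than a signature for any particular family.

```python
"""Structural check for grafted code in a PE32 executable.

Added example (not from the thread). Two tiny PE32 images are constructed
in memory: CLEAN mimics a normal compiler layout, GRAFTED adds a trailing
RWX section that now holds the entry point. The indicators are generic
signs that code was appended to an existing binary, not a family signature.
"""
import struct

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")  # IMAGE_SECTION_HEADER, 40 bytes


def build_pe32(sections, entry_rva):
    """Constructed PE32 image: DOS stub, PE signature, COFF and optional header,
    section table. Only the fields the checker reads are populated."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    opt_size = 224  # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    # Magic, linker versions, three sizes, then AddressOfEntryPoint at offset 16
    opt = struct.pack("<HBBIIII", 0x10B, 9, 0, 0, 0, 0, entry_rva).ljust(opt_size, b"\0")
    table = b"".join(
        SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, rva, vsize, 0x400 + i * 0x200,
                         0, 0, 0, 0, flags)
        for i, (name, rva, vsize, flags) in enumerate(sections)
    )
    return dos + b"PE\0\0" + coff + opt + table


def parse_sections(image):
    """Return (entry_rva, [(name, rva, vsize, flags), ...]) for a PE32 image."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", image, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    (entry,) = struct.unpack_from("<I", image, opt + 16)
    table = opt + opt_size
    sections = []
    for i in range(nsections):
        name, vsize, rva, _raw, _ptr, _, _, _, _, flags = SECTION_HDR.unpack_from(image, table + i * 40)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize, flags))
    return entry, sections


def infection_indicators(image):
    """Generic indicators that code was grafted onto an existing binary."""
    entry, sections = parse_sections(image)
    holder = next((i for i, (_, rva, vsize, _) in enumerate(sections)
                   if rva <= entry < rva + vsize), None)
    if holder is None:
        return ["entry point lies outside every section"]
    name, _, _, flags = sections[holder]
    findings = []
    if flags & IMAGE_SCN_MEM_WRITE and flags & IMAGE_SCN_MEM_EXECUTE:
        findings.append(f"entry section {name} is writable and executable")
    first_code = next((i for i, s in enumerate(sections) if s[3] & IMAGE_SCN_CNT_CODE), None)
    if len(sections) > 1 and holder == len(sections) - 1 and holder != first_code:
        findings.append(f"entry point in last section {name}, after the first code section")
    return findings


def check_file(path):
    """Run the indicators over a real file on disk, e.g. c:\\windows\\system32\\userinit.exe."""
    with open(path, "rb") as f:
        return infection_indicators(f.read())


BASE_SECTIONS = [
    (b".text", 0x1000, 0x800, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".data", 0x2000, 0x400, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (b".rsrc", 0x3000, 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
]
CLEAN = build_pe32(BASE_SECTIONS, entry_rva=0x1010)
# Constructed grafted layout: an appended RWX section owns the entry point.
GRAFTED = build_pe32(BASE_SECTIONS + [
    (b".xtra", 0x4000, 0x1000, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE
                              | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
], entry_rva=0x4000)

if __name__ == "__main__":
    for label, img in (("clean", CLEAN), ("grafted", GRAFTED)):
        print(label, infection_indicators(img) or ["no indicators"])
```

A hit is a reason to compare the file against a known-good copy (same Windows version and service pack, same hash), not proof of infection: runtime packers also put the entry point in a trailing RWX section, so a packed third-party binary will trip the same indicators.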
 
Do you know what these are?

c:\documents and settings\Default User\Start Menu\Programs\Startup\
kafiy.exe [2012-2-13 161792]
.
c:\documents and settings\SCDCICTA\Start Menu\Programs\Startup\
wuqo.exe [2012-2-13 161792]
===================================

No, I'm afraid I have no idea what these are.

SvcQuery log is :-

- - - - - - - - - - - BEFORE - - - - - - - - - - -

netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0CnxTrLan\0noipducservice\0tsdhd\0mssql$sqlexpress\0nalntservice\0vwd\0vmusb\0QPCapSvc\0avgntflt\0ASLDRService\0StkScan\0wfxsvc\0wlluc48\0CTEXFIFX.DLL\0fa_scheduler\0uisp\0Airgo\0olcamsrv\0ofcpfwsvc\0aksfridge\0bthidenum\0tphkdrv\0nnsvc\0vaiomediaplatform-integratedserver-http\0pclepci\0GameConsoleService\0SE2Eobex\0viaudio\0ntsecure\0kl1\0SDdriver\0zmxpzip\0SaiClass\0PAR1284\0msgame\0pnmsrv\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0napagent\0hkmsvc\0\0

- - - - - - - - - - - AFTER - - - - - - - - - - -

netsvcs REG_MULTI_SZ 6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0Rasauto\0CnxTrLan\0noipducservice\0tsdhd\0mssql$sqlexpress\0nalntservice\0vwd\0vmusb\0QPCapSvc\0avgntflt\0ASLDRService\0StkScan\0wfxsvc\0wlluc48\0CTEXFIFX.DLL\0fa_scheduler\0uisp\0Airgo\0olcamsrv\0ofcpfwsvc\0aksfridge\0bthidenum\0tphkdrv\0nnsvc\0vaiomediaplatform-integratedserver-http\0pclepci\0GameConsoleService\0SE2Eobex\0viaudio\0ntsecure\0kl1\0SDdriver\0zmxpzip\0SaiClass\0msgame\0pnmsrv\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0napagent\0hkmsvc\0\0

Virscan.org log is :-

VirSCAN.org Scanned Report :
Scanned time : 2012/02/18 19:58:09 (GMT)
Scanner results: Scanners did not find malware!
File Name : userinit.exe
File Size : 26112 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : a93aee1928a9d7ce3e16d24ec7380f89
SHA1 : 513f8bdf67a5a9e09803cfb61f590b39f2683853
Online report : http://r.virscan.org/b0f62ef6bd1167f35fcd4b09dfa4ba72

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20120218230150 2012-02-18 0.30 -
AhnLab V3 2012.02.18.01 2012.02.18 2012-02-18 4.90 -
AntiVir 8.2.8.44 7.11.21.199 2012-01-27 0.17 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.27 -
Arcavir 2011 201202170436 2012-02-17 3.60 -
Authentium 5.1.1 201202181425 2012-02-18 1.50 -
AVAST! 4.7.4 120218-0 2012-02-18 0.17 -
AVG 10.0.1405 2090/4817 2012-02-18 0.22 -
BitDefender 7.90123.7600126 7.41056 2012-02-18 3.84 -
ClamAV 0.97.3 14479 2012-02-18 0.17 -
Comodo 5.1 11542 2012-02-17 2.15 -
CP Secure 1.3.0.5 2012.02.19 2012-02-19 0.20 -
Dr.Web 7.0.0.11250 2012.02.18 2012-02-18 13.12 -
F-Prot 4.6.2.117 20120218 2012-02-18 0.83 -
F-Secure 7.02.73807 2012.02.07.03 2012-02-07 2.67 -
Fortinet 4.3.388 15.223 2012-02-18 0.23 -
GData 22.3911 20120219 2012-02-19 5.34 -
ViRobot 20120218 2012.02.18 2012-02-18 0.38 -
Ikarus T3.1.32.20.0 2012.02.18.80511 2012-02-18 5.16 -
JiangMin 13.0.900 2012.02.18 2012-02-18 2.23 -
Kaspersky 5.5.10 2012.02.16 2012-02-16 0.35 -
KingSoft 2009.2.5.15 2012.2.18.9 2012-02-18 0.92 -
McAfee 5400.1158 6624 2012-02-18 10.69 -
Microsoft 1.8001 2012.02.18 2012-02-18 3.33 -
NOD32 3.0.21 6841 2012-01-30 0.16 -
Panda 9.05.01 2012.02.18 2012-02-18 2.30 -
Trend Micro 9.500-1005 8.786.02 2012-02-18 0.20 -
Quick Heal 11.00 2012.02.18 2012-02-18 0.95 -
Rising 20.0 23.97.04.01 2012-02-17 2.72 -
Sophos 3.28.1 4.74 2012-02-19 5.19 -
Sunbelt 3.9.2527.2 11562 2012-02-18 0.84 -
Symantec 1.3.0.24 20120217.004 2012-02-17 0.31 -
nProtect 20120218.01 11609568 2012-02-18 1.48 -
The Hacker 6.7.0.1 v00402 2012-02-17 0.56 -
VBA32 3.12.16.4 20120217.0737 2012-02-17 3.11 -
VirusBuster 5.4.1.7 14.1.224.0/7857315 2012-02-17 0.17 -



VirSCAN.org Scanned Report :
Scanned time : 2012/02/18 20:02:43 (GMT)
Scanner results: Scanners did not find malware!
File Name : svchost.exe
File Size : 14336 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 27c6d03bcdb8cfeb96b716f3d8be3e18
SHA1 : 49083ae3725a0488e0a8fbbe1335c745f70c4667
Online report : http://r.virscan.org/594f976752b4fd9ad20d8d0298757943

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 5.1.0.4 20120218230150 2012-02-18 0.30 -
AhnLab V3 2012.02.18.01 2012.02.18 2012-02-18 4.32 -
AntiVir 8.2.8.44 7.11.21.199 2012-01-27 0.17 -
Antiy 2.0.18 2.0.18. 0002-18-00 0.28 -
Arcavir 2011 201202170436 2012-02-17 3.75 -
Authentium 5.1.1 201202181425 2012-02-18 1.56 -
AVAST! 4.7.4 120218-0 2012-02-18 0.17 -
AVG 10.0.1405 2090/4817 2012-02-18 0.23 -
BitDefender 7.90123.7600126 7.41056 2012-02-18 4.08 -
ClamAV 0.97.3 14479 2012-02-18 0.17 -
Comodo 5.1 11542 2012-02-17 2.42 -
CP Secure 1.3.0.5 2012.02.19 2012-02-19 0.19 -
Dr.Web 7.0.0.11250 2012.02.18 2012-02-18 12.88 -
F-Prot 4.6.2.117 20120218 2012-02-18 0.83 -
F-Secure 7.02.73807 2012.02.07.03 2012-02-07 2.63 -
Fortinet 4.3.388 15.223 2012-02-18 0.32 -
GData 22.3911 20120219 2012-02-19 5.50 -
ViRobot 20120218 2012.02.18 2012-02-18 0.37 -
Ikarus T3.1.32.20.0 2012.02.18.80511 2012-02-18 5.38 -
JiangMin 13.0.900 2012.02.18 2012-02-18 2.19 -
Kaspersky 5.5.10 2012.02.16 2012-02-16 0.27 -
KingSoft 2009.2.5.15 2012.2.18.9 2012-02-18 0.91 -
McAfee 5400.1158 6624 2012-02-18 10.41 -
Microsoft 1.8001 2012.02.18 2012-02-18 4.47 -
NOD32 3.0.21 6841 2012-01-30 0.16 -
Panda 9.05.01 2012.02.18 2012-02-18 2.38 -
Trend Micro 9.500-1005 8.786.02 2012-02-18 0.27 -
Quick Heal 11.00 2012.02.18 2012-02-18 0.96 -
Rising 20.0 23.97.04.01 2012-02-17 2.50 -
Sophos 3.28.1 4.74 2012-02-19 4.92 -
Sunbelt 3.9.2527.2 11562 2012-02-18 0.97 -
Symantec 1.3.0.24 20120217.004 2012-02-17 0.42 -
nProtect 20120218.01 11609568 2012-02-18 2.37 -
The Hacker 6.7.0.1 v00402 2012-02-17 0.79 -
VBA32 3.12.16.4 20120217.0737 2012-02-17 3.24 -
VirusBuster 5.4.1.7 14.1.224.0/7857315 2012-02-17 0.18 -


VirSCAN.org Scanned Report :
Scanned time : 2008/04/28 13:50:23 (BST)
Scanner results: 3% Scanner(s) (1/36) found malware!
File Name : explorer.exe
File Size : 1033728 byte
File Type : MS-DOS executable (EXE), OS/2 or MS Windows
MD5 : 12896823fb95bfb3dc9b46bcaedc9923
SHA1 : 9d2bf84874abc5b6e9a2744b7865c193c08d362f
Online report : http://r.virscan.org/bc10cdd8fc1b56e4518b094b5da3a210

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 3.5.0.16 2008.04.27 2008-04-27 3.84 -
AhnLab V3 2008.04.28.00 2008.04.28 2008-04-28 1.13 -
AntiVir 7.8.0.10 7.0.3.220 2008-04-28 2.78 -
Arcavir 1.0.4 200804271350 2008-04-27 2.30 -
AVAST! 1.0.8 080428-0 2008-04-28 3.06 -
AVG 7.5.51.442 269.23.5/1401 2008-04-28 2.87 -
BitDefender 7.60825.1184481 7.18704 2008-04-28 4.08 -
CA (VET) 9.0.0.143 31.3.5741 2008-04-28 6.55 -
ClamAV 0.93 6863 2008-04-21 0.27 -
Comodo 2.11 2.0.0.509 2008-04-28 1.03 -
CP Secure 1.1.0.715 2008.04.28 2008-04-28 7.54 -
Dr.Web 4.44.0.9170 2008.04.28 2008-04-28 6.33 -
ewido 4.0.0.2 2008.04.28 2008-04-28 2.55 -
F-Prot 4.4.1.52 20080427 2008-04-27 1.60 -
F-Secure 5.51.6100 2008.04.28.01 2008-04-28 5.04 -
Fortinet 2.81-3.11 9.25 2008-04-28 2.31 -
ViRobot 20080428 2008.04.28 2008-04-28 0.39 -
Ikarus T3.1.01.26 2008.04.28.70668 2008-04-28 2.51 -
JiangMin 10.00.650 2008.04.28 2008-04-28 1.53 -
Kaspersky 5.5.10 2008.04.28 2008-04-28 10.89 -
KingSoft 2007.6.20.249 2008.4.28 2008-04-28 1.18 -
McAfee 5.2.00 5282 2008-04-25 6.31 -
Microsoft 1.3408 2008.04.24 2008-04-24 7.22 -
mks_vir 2.01 2008.04.28 2008-04-28 5.72 -
Norman 5.91.10 5.90 2008-04-22 16.99 -
Panda 9.04.03.0001 2008.04.27 2008-04-27 9.46 -
Trend Micro 8.500-1001 5.244.03 2008-04-28 0.04 -
Prevx V2 20080428 2008-04-28 8.40 TROJAN.DOWNLOADER.GEN
Quick Heal 9.00 2008.04.26 2008-04-26 6.32 -
Rising 20.0 20.42.01.00 2008-04-28 2.57 -
Sophos 2.72.0 4.28 2008-04-28 18.16 -
Symantec 1.3.0.24 20080427.009 2008-04-27 0.62 -
nProtect 2008-04-28.00 1437905 2008-04-28 13.80 -
The Hacker 6.2.92 v00294 2008-04-26 3.66 -
VBA32 3.12.6.5 20080428.0807 2008-04-28 5.85 -
VirusBuster 4.3.19:9 9.126.6/11.0 2008-04-27 6.81 -


NOTE: I am not convinced the log for explorer.exe is valid. I did not have the option to rescan this file; the button was greyed out. I also tried it from a known clean computer and I got the same result, so I don't think that test is valid.
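The netsvcs value that SvcQuery dumped above is the group list that `svchost.exe -k netsvcs` walks: any service name in it whose registry key carries a Parameters\ServiceDll gets that DLL loaded inside a legitimate svchost process, which is why a stray name such as PAR1284 matters and why the tool removes it. The BEFORE and AFTER dumps differ in exactly that one entry, but the list also contains a long run of names between Rasauto and Rasman that are not stock Windows service names. The script below is an added example, not code from the thread or from SvcQuery: it parses the tool's notation (the literal text `\0` marks each NUL separator), diffs the two dumps, and lists entries that are not in a baseline. The baseline is my recollection of the default XP SP3 netsvcs list and is an assumption to confirm against a known-clean machine; AFTER is reproduced by removing PAR1284 from BEFORE, which is the only difference in the log, to keep the block short.

```python
"""Diff two SvcQuery dumps of the netsvcs REG_MULTI_SZ and flag non-stock names.

Added example (not from the thread). BEFORE is the value from the SvcQuery log
in the tool's own notation, where the literal text \0 separates entries and the
value ends in a double \0. STOCK_XP_NETSVCS is my recollection of the default
Windows XP SP3 list and should be treated as an assumption.
"""
SEP = r"\0"

BEFORE = (
    r"6to4\0AppMgmt\0AudioSrv\0Browser\0CryptSvc\0DMServer\0DHCP\0ERSvc\0EventSystem\0"
    r"FastUserSwitchingCompatibility\0HidServ\0Ias\0Iprip\0Irmon\0LanmanServer\0"
    r"LanmanWorkstation\0Messenger\0Netman\0Nla\0Ntmssvc\0NWCWorkstation\0Nwsapagent\0"
    r"Rasauto\0CnxTrLan\0noipducservice\0tsdhd\0mssql$sqlexpress\0nalntservice\0vwd\0"
    r"vmusb\0QPCapSvc\0avgntflt\0ASLDRService\0StkScan\0wfxsvc\0wlluc48\0CTEXFIFX.DLL\0"
    r"fa_scheduler\0uisp\0Airgo\0olcamsrv\0ofcpfwsvc\0aksfridge\0bthidenum\0tphkdrv\0"
    r"nnsvc\0vaiomediaplatform-integratedserver-http\0pclepci\0GameConsoleService\0"
    r"SE2Eobex\0viaudio\0ntsecure\0kl1\0SDdriver\0zmxpzip\0SaiClass\0PAR1284\0msgame\0"
    r"pnmsrv\0Rasman\0Remoteaccess\0Schedule\0Seclogon\0SENS\0Sharedaccess\0SRService\0"
    r"Tapisrv\0Themes\0TrkWks\0W32Time\0WZCSVC\0Wmi\0WmdmPmSp\0winmgmt\0wscsvc\0xmlprov\0"
    r"BITS\0wuauserv\0ShellHWDetection\0helpsvc\0WmdmPmSN\0napagent\0hkmsvc\0\0"
)
# The AFTER dump in the log is identical except that PAR1284 is gone.
AFTER = BEFORE.replace(r"PAR1284\0", "")

# Assumed stock XP SP3 netsvcs membership (compared case-insensitively).
STOCK_XP_NETSVCS = {
    "6to4", "AppMgmt", "AudioSrv", "Browser", "CryptSvc", "DMServer", "DHCP", "ERSvc",
    "EventSystem", "FastUserSwitchingCompatibility", "HidServ", "Ias", "Iprip", "Irmon",
    "LanmanServer", "LanmanWorkstation", "Messenger", "Netman", "Nla", "Ntmssvc",
    "NWCWorkstation", "Nwsapagent", "Rasauto", "Rasman", "Remoteaccess", "Schedule",
    "Seclogon", "SENS", "SharedAccess", "SRService", "Tapisrv", "Themes", "TrkWks",
    "W32Time", "WZCSVC", "Wmi", "WmdmPmSp", "winmgmt", "wscsvc", "xmlprov", "BITS",
    "wuauserv", "ShellHWDetection", "helpsvc", "WmdmPmSN", "napagent", "hkmsvc",
}


def parse_multi_sz(dump):
    """Split a SvcQuery-style dump on the literal '\\0' marker, dropping the empty
    strings that the terminating double NUL produces."""
    return [name for name in dump.split(SEP) if name]


def diff_netsvcs(before, after):
    """Names removed from and added to the group between the two dumps, in order."""
    b, a = parse_multi_sz(before), parse_multi_sz(after)
    removed = [n for n in b if n not in set(a)]
    added = [n for n in a if n not in set(b)]
    return removed, added


def unexpected_names(dump, baseline=STOCK_XP_NETSVCS):
    """Entries not in the baseline, in registry order. Each one is a candidate
    HKLM\\SYSTEM\\CurrentControlSet\\Services\\<name> key to inspect for a ServiceDll."""
    base = {n.lower() for n in baseline}
    return [n for n in parse_multi_sz(dump) if n.lower() not in base]


if __name__ == "__main__":
    removed, added = diff_netsvcs(BEFORE, AFTER)
    print("removed:", removed, "added:", added)
    for name in unexpected_names(AFTER):
        print(f"not stock: {name:45s} check Services\\{name}\\Parameters\\ServiceDll")
```

Names left over after the baseline check are not automatically malicious (third-party software does register svchost-hosted services), but each should resolve to a real service key with a ServiceDll that exists on disk; a group entry with no service key behind it does nothing today and is the kind of leftover a later dropper can reuse.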
 
Here is the result of Eset

C:\Documents and Settings\cllr edwards\Application Data\Sun\Java\Deployment\cache\6.0\21\3cd12b15-3c6ed10f Win32/TrojanDownloader.Vespula.AH trojan cleaned by deleting - quarantined
C:\Documents and Settings\Default User\Start Menu\Programs\Startup\kafiy.exe a variant of Win32/Injector.OCP trojan cleaned by deleting - quarantined
C:\Documents and Settings\SCDCICTA\Start Menu\Programs\Startup\wuqo.exe a variant of Win32/Injector.OCP trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP592\A0201231.sys a variant of Win32/Rootkit.Kryptik.JA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP592\A0201770.sys a variant of Win32/Rootkit.Kryptik.JA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP592\A0201786.sys a variant of Win32/Rootkit.Kryptik.JA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP592\A0201897.sys a variant of Win32/Rootkit.Kryptik.JA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP593\A0202168.exe a variant of Win32/Kryptik.AANP trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP593\A0202169.dll a variant of Win32/Kryptik.AANP trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP593\A0202170.sys a variant of Win32/Rootkit.Kryptik.JA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP594\A0203167.sys a variant of Win32/Rootkit.Kryptik.JA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP595\A0203475.sys a variant of Win32/Rootkit.Kryptik.JA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP595\A0203483.sys a variant of Win32/Rootkit.Kryptik.JA trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP599\A0204414.exe a variant of Win32/Injector.OCP trojan cleaned by deleting - quarantined
C:\System Volume Information\_restore{D1C69D2E-26DF-4D43-B0EA-A90A57D739D7}\RP599\A0204415.exe a variant of Win32/Injector.OCP trojan cleaned by deleting - quarantined
C:\WINDOWS\system32\drivers\VMM.sys a variant of Win32/Rootkit.Kryptik.JA trojan cleaned by deleting - quarantined


Over to you again......
 
There are some entries for the Symantec pcAnywhere: this is Remote Desktop & Remote Access Software. There are also entries for Citrix GoToAssist & LogMeIn. Unless you are actively using these processes now, they should be stopped/disabled.
-----------------------------------
There is a Scheduled Task set in 2007 and/or 2008 for the Calculator:
2008-08-12 c:\windows\Tasks\Calculator.job
- c:\windows\system32\calc.exe [2007-06-12 12:00]
What kind of Tasks do you have a calculator doing?
Advise delete task as follows:
Opening scheduled tasks to modify or delete them:
Access Scheduled Tasks with Click on Start> All Programs> Accessories> System Tools> Scheduled Tasks.

  • To delete the task: right-click the Task> click Delete.
    (c:\windows\system32\calc.exe)
    ==================================
    Did you miss my direction in the Eset scan to [*] Uncheck 'Remove found threats'

    Run the following please: It will give me more information. There are 4 new malware entries. Those from System Volume are Restore Points. They are no longer active in the system and will be removed when we are finished. You are instructed not to do a System Restore while cleaning, so they shouldn't be a problem.

    Please download OTMoveIt by Old Timer and save to your desktop.
    • Double-click OTMoveIt3.exe to run it. (Vista users, please right click on OTMoveit3.exe and select "Run as an Administrator")
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
      Code:
      :Files 
      C:\Documents and Settings\cllr edwards\Application Data\Sun\Java\Deployment\cache\6.0\21\3cd12b15-3c6ed10f 
      C:\Documents and Settings\Default User\Start Menu\Programs\Startup\kafiy.exe 
      C:\Documents and Settings\SCDCICTA\Start Menu\Programs\Startup\wuqo.exe 
      C:\WINDOWS\system32\drivers\VMM.sys 
      :Commands
      [purity]
      [emptytemp]
      [start explorer]
      [Reboot]
    • Return to OTMoveIt3, right click in the "Paste Instructions for Items to be Moved" window and choose Paste.
    • Click the red Moveit! button.
    • A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
    • Close OTMoveIt3
      =========================================
      The two entries I asked about were malware, as I suspected. So we need to find how they are getting in:
      Download Security Check by screen317 and save to the desktop
      • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
      • A Notepad document should open automatically called checkup.txt please
      • Post the contents of that document.
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    --------------------------
    You also need to find and remove these from Startup:
    C:\Documents and Settings\Default User\Start Menu\Programs\Startup\kafiy.exe
    C:\Documents and Settings\SCDCICTA\Start Menu\Programs\Startup\wuqo.exe
    Use the msconfig utility to access the Startup Menu. Expand the Command section if needed by holding the left mouse button down on the line in the frame above between Process and Command and moving to the right to expand.
    =======================================
    Please run this Custom CFScript:

    • [1]. Close any open browsers.
      [2]. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      [3]. Open Notepad> click on Format> Uncheck 'Word Wrap'> and copy/paste the text in the code below into it:
    Code:
    File::
    c:\documents and settings\Default User\Start Menu\Programs\Startup\kafiy.exe 
    c:\documents and settings\SCDCICTA\Start Menu\Programs\Startup\wuqo.exe 
    Folder::
    c:\documents and settings\cllr edwards\Application Data\Myke
    c:\documents and settings\cllr edwards\Application Data\Vuvy
    Registry::
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{201f27d4-3704-41d6-89c1-aa35e39143ed}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"=- 
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"=- 
    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]
    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SophosAntiVirus]
    "DisableMonitoring"=-
    
    FileLook::
    par1284.*
    
    Clearjavacache::
    Save this as CFScript.txt, in the same location as ComboFix.exe
    CFScriptB-4.gif


    Referring to the picture above, drag CFScript into ComboFix.exe

    When finished, it will produce a log for you at C:\ComboFix.txt . Please paste into to your next reply.
    ====================
    Please describe remaining problems after you are finished with the above.
 
Sorry, I did miss your instructions in the Eset scan to [*] Uncheck 'Remove found threats'

Apologies - my bad.

Anyway, I tried to run OTM but it wouldn't run on my laptop. I tried downloading direct from the web site to the laptop desktop, and also I downloaded it to a clean pc and copied it over using a usb stick.

When I try to run it I get a window saying OTM has encountered a problem and needs to close. We are sorry for the inconvenience. I can then either click to send Microsoft an error report or click Don't Send. I chose Don't Send.

I ran security check and here is the log:



Results of screen317's Security Check version 0.99.31
Windows XP Service Pack 3 x86
Internet Explorer 8
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
ESET Online Scanner v3
Sophos Anti-Virus
Antivirus up to date!
```````````````````````````````
Anti-malware/Other Utilities Check:

Java(TM) 6 Update 22
Java version out of date!
Adobe Flash Player 9.0.47.0 Flash Player out of Date!
Adobe Reader 8 Adobe Reader out of date!
````````````````````````````````
Process Check:
objlist.exe by Laurent

Sophos Sophos Anti-Virus SAVAdminService.exe
``````````End of Log````````````


I ran the msconfig utility and looked in the Startup tab, but neither

C:\Documents and Settings\Default User\Start Menu\Programs\Startup\kafiy.exe
C:\Documents and Settings\SCDCICTA\Start Menu\Programs\Startup\wuqo.exe

were listed there.

I then tried dragging the txt file to combofix, and that wouldn't run either.

I get a window come up with a title bar NSIS Error. In the box it says "Installer integrity check has failed. Common causes include incomplete download and damaged media. Contact the installers author to obtain a new copy."

I have downloaded a new combofix.exe to my clean PC and it runs fine. I copied this over to the infected laptop using a USB stick and I get the same error.

I don't seem to be winning this battle !!

any further ideas?
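The two Startup items not appearing in msconfig is expected rather than a sign the scan was wrong: as far as I know, the XP msconfig Startup tab shows the Run keys plus the Startup folders of the logged-on user and All Users, while kafiy.exe sits in the Default User template (copied into every newly created profile) and wuqo.exe in a different user's profile (SCDCICTA). A sweep has to walk every profile directory. The script below is an added example, not code from the thread or any of its tools: it builds a constructed profile tree in a temporary directory with the same names and byte counts as the ComboFix listing, enumerates every profile's Startup folder, marks which entries msconfig would have shown, and groups runnable items by identical size, which is how two randomly named files dropped on the same day stand out as copies of one thing.

```python
"""Sweep every profile's Startup folder, not only the ones msconfig shows.

Added example (not from the thread). The profile tree is constructed in a
temp directory; names and sizes mirror the ComboFix listing above. The
assumption that msconfig covers only the current user and All Users is mine.
"""
import tempfile
from collections import defaultdict
from pathlib import Path

STARTUP = Path("Start Menu") / "Programs" / "Startup"
RUNNABLE = {".exe", ".com", ".scr", ".bat", ".cmd", ".vbs", ".js", ".pif"}
MSCONFIG_COVERS = {"all users"}  # plus the logged-on user, passed in by name


def sweep_startup(profiles_root, current_user):
    """One record per runnable file in any profile's Startup folder, with a flag
    saying whether the msconfig Startup tab would have listed it."""
    root = Path(profiles_root)
    records = []
    for profile in sorted(p for p in root.iterdir() if p.is_dir()):
        folder = profile / STARTUP
        if not folder.is_dir():
            continue
        visible = (profile.name.lower() in MSCONFIG_COVERS
                   or profile.name.lower() == current_user.lower())
        for f in sorted(folder.iterdir()):
            if f.is_file() and f.suffix.lower() in RUNNABLE:
                records.append({
                    "profile": profile.name,
                    "file": f.name,
                    "size": f.stat().st_size,
                    "shown_by_msconfig": visible,
                })
    return records


def same_size_groups(records):
    """Runnable startup items sharing an exact byte count across profiles:
    one dropper written into several places under different random names."""
    by_size = defaultdict(list)
    for r in records:
        by_size[r["size"]].append(f'{r["profile"]}\\{r["file"]}')
    return {size: names for size, names in by_size.items() if len(names) > 1}


def build_sample_tree():
    """Constructed profile tree mirroring the paths in the ComboFix log."""
    root = Path(tempfile.mkdtemp(prefix="docsettings_"))
    items = {
        "Default User": [("kafiy.exe", 161792)],
        "SCDCICTA": [("wuqo.exe", 161792)],
        "cllr edwards": [("desktop.ini", 84)],
        "All Users": [("desktop.ini", 84)],
    }
    for profile, files in items.items():
        folder = root / profile / STARTUP
        folder.mkdir(parents=True)
        for name, size in files:
            (folder / name).write_bytes(b"\0" * size)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    found = sweep_startup(root, current_user="cllr edwards")
    for r in found:
        print(r)
    print("identical sizes:", same_size_groups(found))
```

On a real machine point `sweep_startup` at C:\Documents and Settings and pass the name of the account you are logged on as; anything with `shown_by_msconfig` false is what the Startup tab could never have told you about, and the Default User copy in particular should be removed before any new account is created on the box.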
 
There are some entries for the Symantec pcAnywhere: this is Remote Desktop & Remote Access Software. There are also entries for Citrix GoToAssist & LogMeIn. Unless you are actively using these processes now, they should be stopped/disabled.

Are you working on your computer or are you doing remote help on someone else's system? You also run LaunchAnywhere. There is very little security on the system and several outdated programs that are vulnerabilities.

As far as I can tell by your description, the installer error began after you ran Malwarebytes, then got stuck trying to uninstall it. I don't have much to go on missing the logs. You aren't able to remove the malware entries we find. You mention an infected laptop and using a flash drive.

Please see if you can run this very basic program, HijackThis:
First, set up a Directory for HijackThis as follows:
Right click Taskbar> Explore> My Computer> Local Drive (C)> File> New> Folder> Name folder HijackThis
Exit Explorer
You now have a folder C:\HijackThis
-----------------------------------------
Download HijackThis http://download.bleepingcomputer.com/hijackthis/HijackThis.zip and save to your desktop.
  • Click on the HJT icon> 'Extract all files'> Extraction Wizard> Click on Browse to right of dialogue box that says 'Select a folder'
  • Extract it to the directory on your hard drive you created C:\HijackThis.
  • Then navigate to that directory and double-click on the hijackthis.exe file.
  • When started click on the Scan button and then the Save Log button to create a log of your information.
  • The log file will then open in Notepad. Be sure to click on Format> Uncheck Word Wrap when you open Notepad
  • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
  • Come back here to this thread and paste (Ctrl+V) the log in your next reply.

NOTE: Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.
====================================
When you finish with the above, I'd like you to use the Windows Installer Cleanup Utility to remove all entries related to the following:
OTM
Malwarebytes

Do not click on any error messages! Not even with just OK. Ignore them and try to continue.

Please connect long enough if you can and run the Eset scan again. Please remember to Uncheck the box for removal of the entries.

I am still concerned about the Backdoor.IRC bot and the possibility of a file infector.
------------------------------------------------
Let's check the system:
Please run the MGA Diagnostics tool
  • You will be prompted to either “Run” or “Save” the tool. Choose to “Run” the tool and follow the on-screen prompts.
  • You will receive an Internet Explorer-Security Warning dialog box for the Windows Genuine Advantage Diagnostic Tool.
  • You must choose to Run this tool when prompted.
  • Once you are presented with the Diagnostics tool choose Continue to run the diagnostic report.
  • If the RESOLVE button is available after running the diagnostics, please click RESOLVE to allow the diagnostic tool to attempt a repair.
  • After running the MGA Diagnostic tool, click on the Windows tab and then click on Copy
  • Please return to this thread and Paste the results here for review.
------------------------------------------
This step is to look on the computer itself, in the documentation you received with the computer, or with your retail purchase of Windows, to see if you have a Certificate of Authenticity (COA). If you have one, tell us about the COA. Tell us:

1. What edition of Windows XP is it for, Home, Pro, or Media Center, or another version of Windows?
2. Does it read "OEM Software" or "OEM Product" in black lettering?
3. Or, does it have the computer manufacturer's name in black lettering?
4. DO NOT post the Product Key.

NOTE: The data collected with the Genuine Diagnostics Tool does NOT contain any information that can personally identify you and can be fully reviewed, by you, before being posted.
 
I am working on my Laptop which is infected, and which I have disconnected from the internet.

I have a clean PC here as well which I use to download all the apps you instruct me to, and I copy these onto a ZIP drive, which I then plug into the Laptop and copy from the ZIP onto the laptop.

I use the Laptop for remote access to other systems, and my laptop also has software on so I can access this from remote locations.

the HijackThis log is :-

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:48:41, on 26/02/2012
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\LANDesk\Shared Files\residentagent.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\LANDesk\LDClient\LocalSch.EXE
C:\WINDOWS\system32\CBA\pds.exe
C:\Program Files\LANDesk\LDClient\tmcsvc.exe
C:\PROGRA~1\LANDesk\LDClient\issuser.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\LANDesk\LDClient\softmon.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\WLTRAY.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe
C:\WINDOWS\vVX1000.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Sophos\AutoUpdate\almon.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\SSH Communications Security\SSH Sentinel\Accession\ssh_accession.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/ig?hl=en&source=iglk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: AskBar BHO - {201f27d4-3704-41d6-89c1-aa35e39143ed} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - c:\program files\real\realplayer\rpbrowserrecordplugin.dll
O2 - BHO: Sophos Web Content Scanner - {39EA7695-B3F2-4C44-A4BC-297ADA8FD235} - C:\Program Files\Sophos\Sophos Anti-Virus\SophosBHO.dll
O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.7.7227.1100\swg.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [IntelAPMClient] "C:\Program Files\LANDesk\LDClient\amclient.exe" /apm /s /ro /Retry=2 /Tspan=60 /Rstart
O4 - HKLM\..\Run: [LANDeskInventoryClient] "C:\Program Files\LANDesk\LDClient\LDIScn32.exe" /NTT=SCDCLANDESK:5007 /S=SCDCLANDESK /I=HTTP://SCDCLANDESK/ldlogon/ldappl3.ldz /NOUI /rstart=60
O4 - HKLM\..\Run: [SDClientMonitor] "C:\Program Files\LANDesk\LDClient\webportal\sdclientmonitor.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LifeCam] "C:\Program Files\Microsoft LifeCam\LifeExp.exe"
O4 - HKLM\..\Run: [VX1000] C:\WINDOWS\vVX1000.exe
O4 - HKLM\..\Run: [DVD or CD Sharing] "C:\Program Files\DVD or CD Sharing\ODSAgent.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [Sophos AutoUpdate Monitor] C:\Program Files\Sophos\AutoUpdate\almon.exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKCU\..\Run: [ISUSPM] "C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe" -scheduler
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: SSH Accession.lnk = ?
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra 'Tools' menuitem: Skype add-on for Internet Explorer - {5067A26B-1337-4436-8AFE-EE169C2DA79F} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\documents and settings\all users\application data\sophos web intelligence\swi_lsp.dll
O10 - Unknown file in Winsock LSP: c:\documents and settings\all users\application data\sophos web intelligence\swi_lsp.dll
O10 - Unknown file in Winsock LSP: c:\documents and settings\all users\application data\sophos web intelligence\swi_lsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1ABA5FAC-1417-422B-BA82-45C35E2C908B} (20-20 3D Viewer for IKEA) - http://kitchenplanner.ikea.com/gb/Core/Player/2020PlayerAX_IKEA_Win32.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resources/MSNPUpld.cab
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset.com/special/eos/OnlineScanner.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B30221D-39B4-439D-9B06-D3D5AF6680E7}: NameServer = 212.139.132.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{2B30221D-39B4-439D-9B06-D3D5AF6680E7}: NameServer = 212.139.132.4
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\570\G2AWinLogon.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: LANDesk(R) Management Agent (CBA8) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\Shared Files\residentagent.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe
O23 - Service: Google Update Service (gupdate1caa329fb6e5dc2) (gupdate1caa329fb6e5dc2) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Intel Local Scheduler Service - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\LocalSch.EXE
O23 - Service: Intel PDS - LANDesk Software Ltd. - C:\WINDOWS\system32\CBA\pds.exe
O23 - Service: LANDesk Targeted Multicast (Intel Targeted Multicast) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\tmcsvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LANDesk Remote Control Service (ISSUSER) - LANDesk Software, Ltd. - C:\PROGRA~1\LANDesk\LDClient\issuser.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe
O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: LANDesk(R) Software Monitoring Service (Softmon) - LANDesk Software, Ltd. - C:\Program Files\LANDesk\LDClient\softmon.exe
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Web Intelligence Service (swi_service) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\Web Intelligence\swi_service.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

--
End of file - 14266 bytes


The MGA Log is :-

Diagnostic Report (1.9.0027.0):
-----------------------------------------
Windows Validation Data-->
Validation Status: Genuine
Validation Code: 0
Cached Validation Code: N/A
Windows Product Key: *****-*****
Windows Product Key Hash: 871+b8eemJZ0IlPs98De/x8U9e0=
Windows Product ID: 76487-641-3620845-23234
Windows Product ID Type: 1
Windows License Type: Volume
Windows OS version: 5.1.2600.2.00010100.3.0.pro
ID: {45C0BDDB-C9D5-48B3-89D1-E9E5CEF94964}(3)
Is Admin: Yes
TestCab: 0x0
LegitcheckControl ActiveX: Registered, 1.9.9.1
Signed By: Microsoft
Product Name: N/A
Architecture: N/A
Build lab: N/A
TTS Error: N/A
Validation Diagnostic: 025D1FF3-230-1
Resolution Status: N/A

Vista WgaER Data-->
ThreatID(s): N/A
Version: N/A

Windows XP Notifications Data-->
Cached Result: 0
File Exists: Yes
Version: 1.8.31.9
WgaTray.exe Signed By: Microsoft
WgaLogon.dll Signed By: Microsoft

OGA Notifications Data-->
Cached Result: N/A, hr = 0x80070002
Version: 2.0.48.0
OGAExec.exe Signed By: Microsoft
OGAAddin.dll Signed By: Microsoft

OGA Data-->
Office Status: 109 N/A
OGA Version: Registered, 2.0.48.0
Signed By: Microsoft
Office Diagnostics: 025D1FF3-230-1

Browser Data-->
Proxy settings: N/A
User Agent: Mozilla/4.0 (compatible; MSIE 8.0; Win32)
Default Browser: C:\Program Files\Internet Explorer\iexplore.exe
Download signed ActiveX controls: Prompt
Download unsigned ActiveX controls: Disabled
Run ActiveX controls and plug-ins: Allowed
Initialize and script ActiveX controls not marked as safe: Disabled
Allow scripting of Internet Explorer Webbrowser control: Disabled
Active scripting: Allowed
Script ActiveX controls marked as safe for scripting: Allowed

File Scan Data-->

Other data-->
Office Details: <GenuineResults><MachineData><UGUID>{45C0BDDB-C9D5-48B3-89D1-E9E5CEF94964}</UGUID><Version>1.9.0027.0</Version><OS>5.1.2600.2.00010100.3.0.pro</OS><Architecture>x32</Architecture><PKey>*****-*****-*****-*****-2FV7Y</PKey><PID>76487-641-3620845-23234</PID><PIDType>1</PIDType><SID>S-1-5-21-776561741-1336601894-839522115</SID><SYSTEM><Manufacturer>Dell Inc.</Manufacturer><Model>Latitude 131L </Model></SYSTEM><BIOS><Manufacturer>Dell Inc.</Manufacturer><Version>2.1.0 </Version><SMBIOSVersion major="2" minor="4"/><Date>20061218000000.000000+000</Date></BIOS><HWID>117834E701842E6C</HWID><UserLCID>0809</UserLCID><SystemLCID>0409</SystemLCID><TimeZone>GMT Standard Time(GMT+00:00)</TimeZone><iJoin>0</iJoin><SBID><stat>3</stat><msppid></msppid><name></name><model></model></SBID><OEM/><GANotification><File Name="WgaTray.exe" Version="1.8.31.9"/><File Name="WgaLogon.dll" Version="1.8.31.9"/><File Name="OGAAddin.dll" Version="2.0.48.0"/></GANotification></MachineData><Software><Office><Result>109</Result><Products/><Applications/></Office></Software></GenuineResults>

Licensing Data-->
N/A

Windows Activation Technologies-->
N/A

HWID Data-->
N/A

OEM Activation 1.0 Data-->
BIOS string matches: yes
Marker string from BIOS: 1E832:Dell Inc|10BBC:Dell Inc|F2BA:HITACHI, Ltd|F2BA:HITACHI, Ltd|F2BA:HITACHI, Ltd|10BBC:Microsoft Corporation
Marker string from OEMBIOS.DAT: N/A, hr = 0x80004005

OEM Activation 2.0 Data-->
N/A


Over to you again.....
 
It appears that you are on your work computer, operating under a volume license. You are running LANDesk® Management Suite software, including the Targeted Multicast Client Service executable. This file is not digitally signed. This also includes the Intel Ping Discovery Service (PDS), part of Intel's LANDesk Management Suite 6, and the Common Base Agent (CBA), used for communicating between the core server and managed clients.

There is IT Management software running, processes for remote connections. There is a keylogger on the system which most likely is from the company you are working for. A volume license is being used and no key numbers are given.

In the absence of some of the logs, I am not able to determine what the update status is. I asked and repeated the following in my Replies 17 & 19; it was never addressed:

There are some entries for Symantec pcAnywhere: this is Remote Desktop & Remote Access software. There are also entries for Citrix GoToAssist & LogMeIn. Unless you are actively using these processes now, they should be stopped/disabled.
Are you working on your computer, or are you doing remote help on someone else's system? You also run LaunchAnywhere. There is very little security on the system and several outdated programs that are vulnerabilities.

Please contact the IT person at your work for help with this system.
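The reply above picks the remote-access services, the "Unknown owner" entries and the missing binaries out of the O23 lines by eye. Below is an added Python helper, not part of this thread and not part of HijackThis, that does the same triage automatically over a few O23 lines copied from the log above. The keyword list and the flag names are my own choices, not HijackThis terminology.

```python
"""Triage helper for the O23 (service) lines of a HijackThis log.

Added example, not from the original thread. It tags each service with the
same observations a helper makes by hand when reading such a log:
remote-access software, services with an "Unknown owner", and entries
whose binary is reported as missing.
"""

# Constructed sample: O23 lines copied from the log posted in this thread.
SAMPLE_LINES = [
    r"O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe",
    r"O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\570\g2aservice.exe",
    r"O23 - Service: LMIGuardianSvc - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LMIGuardianSvc.exe",
    r"O23 - Service: nProtect GameGuard Service (npggsvc) - Unknown owner - C:\WINDOWS\system32\GameMon.des.exe (file missing)",
    r"O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe",
    r"O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies, Inc. - C:\Program Files\WinPcap\rpcapd.exe",
    r"O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe",
]

# Assumed keyword list (my choice) for software that lets someone else drive
# the machine; matched case-insensitively against the service name and path.
REMOTE_ACCESS_HINTS = (
    "pcanywhere",
    "gotoassist",
    "logmein",
    "remote packet capture",
    "remote control",
)

O23_PREFIX = "O23 - Service: "
MISSING_SUFFIX = " (file missing)"


def parse_o23(line):
    """Split one O23 line into name, owner and path; None for other lines.

    HijackThis separates the three fields with " - ". Service names such as
    "Cisco Systems, Inc. VPN Service (CVPND)" contain commas but not " - ",
    so splitting from the right into three parts is reliable.
    """
    if not line.startswith(O23_PREFIX):
        return None
    parts = line[len(O23_PREFIX):].rsplit(" - ", 2)
    if len(parts) != 3:
        return None
    name, owner, path = parts
    missing = path.endswith(MISSING_SUFFIX)
    if missing:
        path = path[: -len(MISSING_SUFFIX)]
    return {"name": name, "owner": owner, "path": path, "file_missing": missing}


def triage(service):
    """Return the list of flags that apply to one parsed service."""
    flags = []
    haystack = (service["name"] + " " + service["path"]).lower()
    if any(hint in haystack for hint in REMOTE_ACCESS_HINTS):
        flags.append("remote-access")
    if service["owner"].lower() == "unknown owner":
        flags.append("unknown-owner")
    if service["file_missing"]:
        flags.append("file-missing")
    return flags


def triage_log(lines):
    """Parse every O23 line in `lines` and attach its flags."""
    results = []
    for line in lines:
        service = parse_o23(line.strip())
        if service is None:
            continue
        service["flags"] = triage(service)
        results.append(service)
    return results


def flagged(lines):
    """Map service name -> flags, for services that have at least one flag."""
    return {s["name"]: s["flags"] for s in triage_log(lines) if s["flags"]}


if __name__ == "__main__":
    for name, flags in flagged(SAMPLE_LINES).items():
        print(f"{name}: {', '.join(flags)}")
```

Running it against the sample prints the pcAnywhere, GoToAssist, LogMeIn and rpcapd services as remote-access entries, PnkBstrA as unknown-owner, and the GameGuard service as both unknown-owner and file-missing; the Sophos service produces no output. The flags are prompts for the reader to check with their IT department, as the reply suggests, not a verdict on the software.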